diff options
Diffstat (limited to 'nixos')
155 files changed, 4283 insertions, 1029 deletions
diff --git a/nixos/doc/manual/development/activation-script.section.md b/nixos/doc/manual/development/activation-script.section.md new file mode 100644 index 00000000000..df683662404 --- /dev/null +++ b/nixos/doc/manual/development/activation-script.section.md @@ -0,0 +1,72 @@ +# Activation script {#sec-activation-script} + +The activation script is a bash script called to activate the new +configuration which resides in a NixOS system in `$out/activate`. Since its +contents depend on your system configuration, the contents may differ. +This chapter explains how the script works in general and some common NixOS +snippets. Please be aware that the script is executed on every boot and system +switch, so tasks that can be performed in other places should be performed +there (for example letting a directory of a service be created by systemd using +mechanisms like `StateDirectory`, `CacheDirectory`, ... or if that's not +possible using `preStart` of the service). + +Activation scripts are defined as snippets using +[](#opt-system.activationScripts). They can either be a simple multiline string +or an attribute set that can depend on other snippets. The builder for the +activation script will take these dependencies into account and order the +snippets accordingly. As a simple example: + +```nix +system.activationScripts.my-activation-script = { + deps = [ "etc" ]; + # supportsDryActivation = true; + text = '' + echo "Hallo i bims" + ''; +}; +``` + +This example creates an activation script snippet that is run after the `etc` +snippet. The special variable `supportsDryActivation` can be set so the snippet +is also run when `nixos-rebuild dry-activate` is run. To differentiate between +real and dry activation, the `$NIXOS_ACTION` environment variable can be +read which is set to `dry-activate` when a dry activation is done. + +An activation script can write to special files instructing +`switch-to-configuration` to restart/reload units. The script will take these +requests into account and will incorperate the unit configuration as described +above. This means that the activation script will "fake" a modified unit file +and `switch-to-configuration` will act accordingly. By doing so, configuration +like [systemd.services.\<name\>.restartIfChanged](#opt-systemd.services) is +respected. Since the activation script is run **after** services are already +stopped, [systemd.services.\<name\>.stopIfChanged](#opt-systemd.services) +cannot be taken into account anymore and the unit is always restarted instead +of being stopped and started afterwards. + +The files that can be written to are `/run/nixos/activation-restart-list` and +`/run/nixos/activation-reload-list` with their respective counterparts for +dry activation being `/run/nixos/dry-activation-restart-list` and +`/run/nixos/dry-activation-reload-list`. Those files can contain +newline-separated lists of unit names where duplicates are being ignored. These +files are not create automatically and activation scripts must take the +possiblility into account that they have to create them first. + +## NixOS snippets {#sec-activation-script-nixos-snippets} + +There are some snippets NixOS enables by default because disabling them would +most likely break you system. This section lists a few of them and what they +do: + +- `binsh` creates `/bin/sh` which points to the runtime shell +- `etc` sets up the contents of `/etc`, this includes systemd units and + excludes `/etc/passwd`, `/etc/group`, and `/etc/shadow` (which are managed by + the `users` snippet) +- `hostname` sets the system's hostname in the kernel (not in `/etc`) +- `modprobe` sets the path to the `modprobe` binary for module auto-loading +- `nix` prepares the nix store and adds a default initial channel +- `specialfs` is responsible for mounting filesystems like `/proc` and `sys` +- `users` creates and removes users and groups by managing `/etc/passwd`, + `/etc/group` and `/etc/shadow`. This also creates home directories +- `usrbinenv` creates `/usr/bin/env` +- `var` creates some directories in `/var` that are not service-specific +- `wrappers` creates setuid wrappers like `ping` and `sudo` diff --git a/nixos/doc/manual/development/development.xml b/nixos/doc/manual/development/development.xml index 0b2ad60a878..21286cdbd2b 100644 --- a/nixos/doc/manual/development/development.xml +++ b/nixos/doc/manual/development/development.xml @@ -12,6 +12,7 @@ <xi:include href="../from_md/development/sources.chapter.xml" /> <xi:include href="../from_md/development/writing-modules.chapter.xml" /> <xi:include href="../from_md/development/building-parts.chapter.xml" /> + <xi:include href="../from_md/development/what-happens-during-a-system-switch.chapter.xml" /> <xi:include href="../from_md/development/writing-documentation.chapter.xml" /> <xi:include href="../from_md/development/building-nixos.chapter.xml" /> <xi:include href="../from_md/development/nixos-tests.chapter.xml" /> diff --git a/nixos/doc/manual/development/unit-handling.section.md b/nixos/doc/manual/development/unit-handling.section.md new file mode 100644 index 00000000000..d477f2c860f --- /dev/null +++ b/nixos/doc/manual/development/unit-handling.section.md @@ -0,0 +1,57 @@ +# Unit handling {#sec-unit-handling} + +To figure out what units need to be started/stopped/restarted/reloaded, the +script first checks the current state of the system, similar to what `systemctl +list-units` shows. For each of the units, the script goes through the following +checks: + +- Is the unit file still in the new system? If not, **stop** the service unless + it sets `X-StopOnRemoval` in the `[Unit]` section to `false`. + +- Is it a `.target` unit? If so, **start** it unless it sets + `RefuseManualStart` in the `[Unit]` section to `true` or `X-OnlyManualStart` + in the `[Unit]` section to `true`. Also **stop** the unit again unless it + sets `X-StopOnReconfiguration` to `false`. + +- Are the contents of the unit files different? They are compared by parsing + them and comparing their contents. If they are different but only + `X-Reload-Triggers` in the `[Unit]` section is changed, **reload** the unit. + The NixOS module system allows setting these triggers with the option + [systemd.services.\<name\>.reloadTriggers](#opt-systemd.services). If the + unit files differ in any way, the following actions are performed: + + - `.path` and `.slice` units are ignored. There is no need to restart them + since changes in their values are applied by systemd when systemd is + reloaded. + + - `.mount` units are **reload**ed. These mostly come from the `/etc/fstab` + parser. + + - `.socket` units are currently ignored. This is to be fixed at a later + point. + + - The rest of the units (mostly `.service` units) are then **reload**ed if + `X-ReloadIfChanged` in the `[Service]` section is set to `true` (exposed + via [systemd.services.\<name\>.reloadIfChanged](#opt-systemd.services)). + + - If the reload flag is not set, some more flags decide if the unit is + skipped. These flags are `X-RestartIfChanged` in the `[Service]` section + (exposed via + [systemd.services.\<name\>.restartIfChanged](#opt-systemd.services)), + `RefuseManualStop` in the `[Unit]` section, and `X-OnlyManualStart` in the + `[Unit]` section. + + - The rest of the behavior is decided whether the unit has `X-StopIfChanged` + in the `[Service]` section set (exposed via + [systemd.services.\<name\>.stopIfChanged](#opt-systemd.services)). This is + set to `true` by default and must be explicitly turned off if not wanted. + If the flag is enabled, the unit is **stop**ped and then **start**ed. If + not, the unit is **restart**ed. The goal of the flag is to make sure that + the new unit never runs in the old environment which is still in place + before the activation script is run. + + - The last thing that is taken into account is whether the unit is a service + and socket-activated. Due to a bug, this is currently only done when + `X-StopIfChanged` is set. If the unit is socket-activated, the socket is + stopped and started, and the service is stopped and to be started by socket + activation. diff --git a/nixos/doc/manual/development/what-happens-during-a-system-switch.chapter.md b/nixos/doc/manual/development/what-happens-during-a-system-switch.chapter.md new file mode 100644 index 00000000000..aad82831a3c --- /dev/null +++ b/nixos/doc/manual/development/what-happens-during-a-system-switch.chapter.md @@ -0,0 +1,53 @@ +# What happens during a system switch? {#sec-switching-systems} + +Running `nixos-rebuild switch` is one of the more common tasks under NixOS. +This chapter explains some of the internals of this command to make it simpler +for new module developers to configure their units correctly and to make it +easier to understand what is happening and why for curious administrators. + +`nixos-rebuild`, like many deployment solutions, calls `switch-to-configuration` +which resides in a NixOS system at `$out/bin/switch-to-configuration`. The +script is called with the action that is to be performed like `switch`, `test`, +`boot`. There is also the `dry-activate` action which does not really perform +the actions but rather prints what it would do if you called it with `test`. +This feature can be used to check what service states would be changed if the +configuration was switched to. + +If the action is `switch` or `boot`, the bootloader is updated first so the +configuration will be the next one to boot. Unless `NIXOS_NO_SYNC` is set to +`1`, `/nix/store` is synced to disk. + +If the action is `switch` or `test`, the currently running system is inspected +and the actions to switch to the new system are calculated. This process takes +two data sources into account: `/etc/fstab` and the current systemd status. +Mounts and swaps are read from `/etc/fstab` and the corresponding actions are +generated. If a new mount is added, for example, the proper `.mount` unit is +marked to be started. The current systemd state is inspected, the difference +between the current system and the desired configuration is calculated and +actions are generated to get to this state. There are a lot of nuances that can +be controlled by the units which are explained here. + +After calculating what should be done, the actions are carried out. The order +of actions is always the same: +- Stop units (`systemctl stop`) +- Run activation script (`$out/activate`) +- See if the activation script requested more units to restart +- Restart systemd if needed (`systemd daemon-reexec`) +- Forget about the failed state of units (`systemctl reset-failed`) +- Reload systemd (`systemctl daemon-reload`) +- Reload systemd user instances (`systemctl --user daemon-reload`) +- Set up tmpfiles (`systemd-tmpfiles --create`) +- Reload units (`systemctl reload`) +- Restart units (`systemctl restart`) +- Start units (`systemctl start`) +- Inspect what changed during these actions and print units that failed and + that were newly started + +Most of these actions are either self-explaining but some of them have to do +with our units or the activation script. For this reason, these topics are +explained in the next sections. + +```{=docbook} +<xi:include href="unit-handling.section.xml" /> +<xi:include href="activation-script.section.xml" /> +``` diff --git a/nixos/doc/manual/from_md/development/activation-script.section.xml b/nixos/doc/manual/from_md/development/activation-script.section.xml new file mode 100644 index 00000000000..0d9e911216e --- /dev/null +++ b/nixos/doc/manual/from_md/development/activation-script.section.xml @@ -0,0 +1,150 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-activation-script"> + <title>Activation script</title> + <para> + The activation script is a bash script called to activate the new + configuration which resides in a NixOS system in + <literal>$out/activate</literal>. Since its contents depend on your + system configuration, the contents may differ. This chapter explains + how the script works in general and some common NixOS snippets. + Please be aware that the script is executed on every boot and system + switch, so tasks that can be performed in other places should be + performed there (for example letting a directory of a service be + created by systemd using mechanisms like + <literal>StateDirectory</literal>, + <literal>CacheDirectory</literal>, … or if that’s not possible using + <literal>preStart</literal> of the service). + </para> + <para> + Activation scripts are defined as snippets using + <xref linkend="opt-system.activationScripts" />. They can either be + a simple multiline string or an attribute set that can depend on + other snippets. The builder for the activation script will take + these dependencies into account and order the snippets accordingly. + As a simple example: + </para> + <programlisting language="bash"> +system.activationScripts.my-activation-script = { + deps = [ "etc" ]; + # supportsDryActivation = true; + text = '' + echo "Hallo i bims" + ''; +}; +</programlisting> + <para> + This example creates an activation script snippet that is run after + the <literal>etc</literal> snippet. The special variable + <literal>supportsDryActivation</literal> can be set so the snippet + is also run when <literal>nixos-rebuild dry-activate</literal> is + run. To differentiate between real and dry activation, the + <literal>$NIXOS_ACTION</literal> environment variable can be read + which is set to <literal>dry-activate</literal> when a dry + activation is done. + </para> + <para> + An activation script can write to special files instructing + <literal>switch-to-configuration</literal> to restart/reload units. + The script will take these requests into account and will + incorperate the unit configuration as described above. This means + that the activation script will <quote>fake</quote> a modified unit + file and <literal>switch-to-configuration</literal> will act + accordingly. By doing so, configuration like + <link linkend="opt-systemd.services">systemd.services.<name>.restartIfChanged</link> + is respected. Since the activation script is run + <emphasis role="strong">after</emphasis> services are already + stopped, + <link linkend="opt-systemd.services">systemd.services.<name>.stopIfChanged</link> + cannot be taken into account anymore and the unit is always + restarted instead of being stopped and started afterwards. + </para> + <para> + The files that can be written to are + <literal>/run/nixos/activation-restart-list</literal> and + <literal>/run/nixos/activation-reload-list</literal> with their + respective counterparts for dry activation being + <literal>/run/nixos/dry-activation-restart-list</literal> and + <literal>/run/nixos/dry-activation-reload-list</literal>. Those + files can contain newline-separated lists of unit names where + duplicates are being ignored. These files are not create + automatically and activation scripts must take the possiblility into + account that they have to create them first. + </para> + <section xml:id="sec-activation-script-nixos-snippets"> + <title>NixOS snippets</title> + <para> + There are some snippets NixOS enables by default because disabling + them would most likely break you system. This section lists a few + of them and what they do: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>binsh</literal> creates <literal>/bin/sh</literal> + which points to the runtime shell + </para> + </listitem> + <listitem> + <para> + <literal>etc</literal> sets up the contents of + <literal>/etc</literal>, this includes systemd units and + excludes <literal>/etc/passwd</literal>, + <literal>/etc/group</literal>, and + <literal>/etc/shadow</literal> (which are managed by the + <literal>users</literal> snippet) + </para> + </listitem> + <listitem> + <para> + <literal>hostname</literal> sets the system’s hostname in the + kernel (not in <literal>/etc</literal>) + </para> + </listitem> + <listitem> + <para> + <literal>modprobe</literal> sets the path to the + <literal>modprobe</literal> binary for module auto-loading + </para> + </listitem> + <listitem> + <para> + <literal>nix</literal> prepares the nix store and adds a + default initial channel + </para> + </listitem> + <listitem> + <para> + <literal>specialfs</literal> is responsible for mounting + filesystems like <literal>/proc</literal> and + <literal>sys</literal> + </para> + </listitem> + <listitem> + <para> + <literal>users</literal> creates and removes users and groups + by managing <literal>/etc/passwd</literal>, + <literal>/etc/group</literal> and + <literal>/etc/shadow</literal>. This also creates home + directories + </para> + </listitem> + <listitem> + <para> + <literal>usrbinenv</literal> creates + <literal>/usr/bin/env</literal> + </para> + </listitem> + <listitem> + <para> + <literal>var</literal> creates some directories in + <literal>/var</literal> that are not service-specific + </para> + </listitem> + <listitem> + <para> + <literal>wrappers</literal> creates setuid wrappers like + <literal>ping</literal> and <literal>sudo</literal> + </para> + </listitem> + </itemizedlist> + </section> +</section> diff --git a/nixos/doc/manual/from_md/development/unit-handling.section.xml b/nixos/doc/manual/from_md/development/unit-handling.section.xml new file mode 100644 index 00000000000..a6a654042f6 --- /dev/null +++ b/nixos/doc/manual/from_md/development/unit-handling.section.xml @@ -0,0 +1,119 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-unit-handling"> + <title>Unit handling</title> + <para> + To figure out what units need to be + started/stopped/restarted/reloaded, the script first checks the + current state of the system, similar to what + <literal>systemctl list-units</literal> shows. For each of the + units, the script goes through the following checks: + </para> + <itemizedlist> + <listitem> + <para> + Is the unit file still in the new system? If not, + <emphasis role="strong">stop</emphasis> the service unless it + sets <literal>X-StopOnRemoval</literal> in the + <literal>[Unit]</literal> section to <literal>false</literal>. + </para> + </listitem> + <listitem> + <para> + Is it a <literal>.target</literal> unit? If so, + <emphasis role="strong">start</emphasis> it unless it sets + <literal>RefuseManualStart</literal> in the + <literal>[Unit]</literal> section to <literal>true</literal> or + <literal>X-OnlyManualStart</literal> in the + <literal>[Unit]</literal> section to <literal>true</literal>. + Also <emphasis role="strong">stop</emphasis> the unit again + unless it sets <literal>X-StopOnReconfiguration</literal> to + <literal>false</literal>. + </para> + </listitem> + <listitem> + <para> + Are the contents of the unit files different? They are compared + by parsing them and comparing their contents. If they are + different but only <literal>X-Reload-Triggers</literal> in the + <literal>[Unit]</literal> section is changed, + <emphasis role="strong">reload</emphasis> the unit. The NixOS + module system allows setting these triggers with the option + <link linkend="opt-systemd.services">systemd.services.<name>.reloadTriggers</link>. + If the unit files differ in any way, the following actions are + performed: + </para> + <itemizedlist> + <listitem> + <para> + <literal>.path</literal> and <literal>.slice</literal> units + are ignored. There is no need to restart them since changes + in their values are applied by systemd when systemd is + reloaded. + </para> + </listitem> + <listitem> + <para> + <literal>.mount</literal> units are + <emphasis role="strong">reload</emphasis>ed. These mostly + come from the <literal>/etc/fstab</literal> parser. + </para> + </listitem> + <listitem> + <para> + <literal>.socket</literal> units are currently ignored. This + is to be fixed at a later point. + </para> + </listitem> + <listitem> + <para> + The rest of the units (mostly <literal>.service</literal> + units) are then <emphasis role="strong">reload</emphasis>ed + if <literal>X-ReloadIfChanged</literal> in the + <literal>[Service]</literal> section is set to + <literal>true</literal> (exposed via + <link linkend="opt-systemd.services">systemd.services.<name>.reloadIfChanged</link>). + </para> + </listitem> + <listitem> + <para> + If the reload flag is not set, some more flags decide if the + unit is skipped. These flags are + <literal>X-RestartIfChanged</literal> in the + <literal>[Service]</literal> section (exposed via + <link linkend="opt-systemd.services">systemd.services.<name>.restartIfChanged</link>), + <literal>RefuseManualStop</literal> in the + <literal>[Unit]</literal> section, and + <literal>X-OnlyManualStart</literal> in the + <literal>[Unit]</literal> section. + </para> + </listitem> + <listitem> + <para> + The rest of the behavior is decided whether the unit has + <literal>X-StopIfChanged</literal> in the + <literal>[Service]</literal> section set (exposed via + <link linkend="opt-systemd.services">systemd.services.<name>.stopIfChanged</link>). + This is set to <literal>true</literal> by default and must + be explicitly turned off if not wanted. If the flag is + enabled, the unit is + <emphasis role="strong">stop</emphasis>ped and then + <emphasis role="strong">start</emphasis>ed. If not, the unit + is <emphasis role="strong">restart</emphasis>ed. The goal of + the flag is to make sure that the new unit never runs in the + old environment which is still in place before the + activation script is run. + </para> + </listitem> + <listitem> + <para> + The last thing that is taken into account is whether the + unit is a service and socket-activated. Due to a bug, this + is currently only done when + <literal>X-StopIfChanged</literal> is set. If the unit is + socket-activated, the socket is stopped and started, and the + service is stopped and to be started by socket activation. + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> +</section> diff --git a/nixos/doc/manual/from_md/development/what-happens-during-a-system-switch.chapter.xml b/nixos/doc/manual/from_md/development/what-happens-during-a-system-switch.chapter.xml new file mode 100644 index 00000000000..66ba792ddac --- /dev/null +++ b/nixos/doc/manual/from_md/development/what-happens-during-a-system-switch.chapter.xml @@ -0,0 +1,122 @@ +<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" xml:id="sec-switching-systems"> + <title>What happens during a system switch?</title> + <para> + Running <literal>nixos-rebuild switch</literal> is one of the more + common tasks under NixOS. This chapter explains some of the + internals of this command to make it simpler for new module + developers to configure their units correctly and to make it easier + to understand what is happening and why for curious administrators. + </para> + <para> + <literal>nixos-rebuild</literal>, like many deployment solutions, + calls <literal>switch-to-configuration</literal> which resides in a + NixOS system at <literal>$out/bin/switch-to-configuration</literal>. + The script is called with the action that is to be performed like + <literal>switch</literal>, <literal>test</literal>, + <literal>boot</literal>. There is also the + <literal>dry-activate</literal> action which does not really perform + the actions but rather prints what it would do if you called it with + <literal>test</literal>. This feature can be used to check what + service states would be changed if the configuration was switched + to. + </para> + <para> + If the action is <literal>switch</literal> or + <literal>boot</literal>, the bootloader is updated first so the + configuration will be the next one to boot. Unless + <literal>NIXOS_NO_SYNC</literal> is set to <literal>1</literal>, + <literal>/nix/store</literal> is synced to disk. + </para> + <para> + If the action is <literal>switch</literal> or + <literal>test</literal>, the currently running system is inspected + and the actions to switch to the new system are calculated. This + process takes two data sources into account: + <literal>/etc/fstab</literal> and the current systemd status. Mounts + and swaps are read from <literal>/etc/fstab</literal> and the + corresponding actions are generated. If a new mount is added, for + example, the proper <literal>.mount</literal> unit is marked to be + started. The current systemd state is inspected, the difference + between the current system and the desired configuration is + calculated and actions are generated to get to this state. There are + a lot of nuances that can be controlled by the units which are + explained here. + </para> + <para> + After calculating what should be done, the actions are carried out. + The order of actions is always the same: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Stop units (<literal>systemctl stop</literal>) + </para> + </listitem> + <listitem> + <para> + Run activation script (<literal>$out/activate</literal>) + </para> + </listitem> + <listitem> + <para> + See if the activation script requested more units to restart + </para> + </listitem> + <listitem> + <para> + Restart systemd if needed + (<literal>systemd daemon-reexec</literal>) + </para> + </listitem> + <listitem> + <para> + Forget about the failed state of units + (<literal>systemctl reset-failed</literal>) + </para> + </listitem> + <listitem> + <para> + Reload systemd (<literal>systemctl daemon-reload</literal>) + </para> + </listitem> + <listitem> + <para> + Reload systemd user instances + (<literal>systemctl --user daemon-reload</literal>) + </para> + </listitem> + <listitem> + <para> + Set up tmpfiles (<literal>systemd-tmpfiles --create</literal>) + </para> + </listitem> + <listitem> + <para> + Reload units (<literal>systemctl reload</literal>) + </para> + </listitem> + <listitem> + <para> + Restart units (<literal>systemctl restart</literal>) + </para> + </listitem> + <listitem> + <para> + Start units (<literal>systemctl start</literal>) + </para> + </listitem> + <listitem> + <para> + Inspect what changed during these actions and print units that + failed and that were newly started + </para> + </listitem> + </itemizedlist> + <para> + Most of these actions are either self-explaining but some of them + have to do with our units or the activation script. For this reason, + these topics are explained in the next sections. + </para> + <xi:include href="unit-handling.section.xml" /> + <xi:include href="activation-script.section.xml" /> +</chapter> diff --git a/nixos/doc/manual/from_md/installation/installing-pxe.section.xml b/nixos/doc/manual/from_md/installation/installing-pxe.section.xml index 1dd15ddacba..94172de65ea 100644 --- a/nixos/doc/manual/from_md/installation/installing-pxe.section.xml +++ b/nixos/doc/manual/from_md/installation/installing-pxe.section.xml @@ -7,11 +7,11 @@ <para> These instructions assume that you have an existing PXE or iPXE infrastructure and simply want to add the NixOS installer as another - option. To build the necessary files from a recent version of + option. To build the necessary files from your current version of nixpkgs, you can run: </para> <programlisting> -nix-build -A netboot.x86_64-linux nixos/release.nix +nix-build -A netboot.x86_64-linux '<nixpkgs/nixos/release.nix>' </programlisting> <para> This will create a <literal>result</literal> directory containing: * diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index e99f786b33c..7502214c86b 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -42,6 +42,14 @@ upgrade notes</link>. </para> </listitem> + <listitem> + <para> + systemd services can now set + <link linkend="opt-systemd.services">systemd.services.<name>.reloadTriggers</link> + instead of <literal>reloadIfChanged</literal> for a more + granular distinction between reloads and restarts. + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-22.05-new-services"> @@ -81,6 +89,12 @@ </listitem> <listitem> <para> + <link xlink:href="https://github.com/linux-apfs/linux-apfs-rw">apfs</link>, + a kernel module for mounting the Apple File System (APFS). + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://frrouting.org/">FRRouting</link>, a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VVRP and others). Available as @@ -110,6 +124,14 @@ </listitem> <listitem> <para> + <link xlink:href="https://github.com/sezanzeb/input-remapper">input-remapper</link>, + an easy to use tool to change the mapping of your input device + buttons. Available at + <link xlink:href="options.html#opt-services.input-remapper.enable">services.input-remapper</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://invoiceplane.com">InvoicePlane</link>, web application for managing and creating invoices. Available at @@ -140,6 +162,14 @@ </listitem> <listitem> <para> + <link xlink:href="https://github.com/mbrubeck/agate">agate</link>, + a very simple server for the Gemini hypertext protocol. + Available as + <link xlink:href="options.html#opt-services.agate.enable">services.agate</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm">ArchiSteamFarm</link>, a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as @@ -164,6 +194,13 @@ </listitem> <listitem> <para> + <link xlink:href="https://moosefs.com">moosefs</link>, fault + tolerant petabyte distributed file system. Available as + <link linkend="opt-services.moosefs">moosefs</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://github.com/ThomasLeister/prosody-filer">prosody-filer</link>, a server for handling XMPP HTTP Upload requests. Available at <link linkend="opt-services.prosody-filer.enable">services.prosody-filer</link>. @@ -171,6 +208,13 @@ </listitem> <listitem> <para> + <link xlink:href="https://github.com/audreyt/ethercalc">ethercalc</link>, + an online collaborative spreadsheet. Available as + <link xlink:href="options.html#opt-services.ethercalc.enable">services.ethercalc</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://timetagger.app">timetagger</link>, an open source time-tracker with an intuitive user experience and powerful reporting. @@ -185,6 +229,22 @@ <link xlink:href="options.html#opt-services.rstudio-server.enable">services.rstudio-server</link>. </para> </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/juanfont/headscale">headscale</link>, + an Open Source implementation of the + <link xlink:href="https://tailscale.io">Tailscale</link> + Control Server. Available as + <link xlink:href="options.html#opt-services.headscale.enable">services.headscale</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://0xerr0r.github.io/blocky/">blocky</link>, + fast and lightweight DNS proxy as ad-blocker for local network + with many features. + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-22.05-incompatibilities"> @@ -213,6 +273,36 @@ </listitem> <listitem> <para> + <literal>pkgs.ghc.withPackages</literal> as well as + <literal>haskellPackages.ghcWithPackages</literal> etc. now + needs be overridden directly, as opposed to overriding the + result of calling it. Additionally, the + <literal>withLLVM</literal> parameter has been renamed to + <literal>useLLVM</literal>. So instead of + <literal>(ghc.withPackages (p: [])).override { withLLVM = true; }</literal>, + one needs to use + <literal>(ghc.withPackages.override { useLLVM = true; }) (p: [])</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>home-assistant</literal> module now requires + users that don’t want their configuration to be managed + declaratively to set + <literal>services.home-assistant.config = null;</literal>. + This is required due to the way default settings are handled + with the new settings style. + </para> + <para> + Additionally the default list of + <literal>extraComponents</literal> now includes the minimal + dependencies to successfully complete the + <link xlink:href="https://www.home-assistant.io/getting-started/onboarding/">onboarding</link> + procedure. + </para> + </listitem> + <listitem> + <para> <literal>pkgs.emacsPackages.orgPackages</literal> is removed because org elpa is deprecated. The packages in the top level of <literal>pkgs.emacsPackages</literal>, such as org and @@ -230,6 +320,34 @@ </listitem> <listitem> <para> + <literal>services.kubernetes.scheduler.{port,address}</literal> + now set <literal>--secure-port</literal> and + <literal>--bind-address</literal> instead of + <literal>--port</literal> and <literal>--address</literal>, + since the former have been deprecated and are no longer + functional in kubernetes>=1.23. Ensure that you are not + relying on the insecure behaviour before upgrading. + </para> + </listitem> + <listitem> + <para> + The DHCP server (<literal>services.dhcpd4</literal>, + <literal>services.dhcpd6</literal>) has been hardened. The + service is now using the systemd’s + <literal>DynamicUser</literal> mechanism to run as an + unprivileged dynamically-allocated user with limited + capabilities. The dhcpd state files are now always stored in + <literal>/var/lib/dhcpd{4,6}</literal> and the + <literal>services.dhcpd4.stateDir</literal> and + <literal>service.dhcpd6.stateDir</literal> options have been + removed. If you were depending on root privileges or + set{uid,gid,cap} binaries in dhcpd shell hooks, you may give + dhcpd more capabilities with e.g. + <literal>systemd.services.dhcpd6.serviceConfig.AmbientCapabilities</literal>. + </para> + </listitem> + <listitem> + <para> The <literal>mailpile</literal> email webclient (<literal>services.mailpile</literal>) has been removed due to its reliance on python2. @@ -273,6 +391,22 @@ </listitem> <listitem> <para> + <literal>buildGoModule</literal> was updated to use + <literal>go_1_17</literal>, third party derivations that + specify >= go 1.17 in the main <literal>go.mod</literal> + will need to regenerate their <literal>vendorSha256</literal> + hash. + </para> + </listitem> + <listitem> + <para> + The <literal>gnome-passwordsafe</literal> package updated to + <link xlink:href="https://gitlab.gnome.org/World/secrets/-/tags/6.0">version + 6.x</link> and renamed to <literal>gnome-secrets</literal>. + </para> + </listitem> + <listitem> + <para> If you previously used <literal>/etc/docker/daemon.json</literal>, you need to incorporate the changes into the new option @@ -281,6 +415,15 @@ </listitem> <listitem> <para> + Ntopng (<literal>services.ntopng</literal>) is updated to + 5.2.1 and uses a separate Redis instance if + <literal>system.stateVersion</literal> is at least + <literal>22.05</literal>. Existing setups shouldn’t be + affected. + </para> + </listitem> + <listitem> + <para> The backward compatibility in <literal>services.wordpress</literal> to configure sites with the old interface has been removed. Please use @@ -384,6 +527,11 @@ </listitem> <listitem> <para> + <literal>tilp2</literal> was removed together with its module + </para> + </listitem> + <listitem> + <para> The options <literal>networking.interfaces.<name>.ipv4.routes</literal> and @@ -430,6 +578,20 @@ </listitem> <listitem> <para> + The existing <literal>pkgs.opentelemetry-collector</literal> + has been moved to + <literal>pkgs.opentelemetry-collector-contrib</literal> to + match the actual source being the <quote>contrib</quote> + edition. <literal>pkgs.opentelemetry-collector</literal> is + now the actual core release of opentelemetry-collector. If you + use the community contributions you should change the package + you refer to. If you don’t need them update your commands from + <literal>otelcontribcol</literal> to + <literal>otelcorecol</literal> and enjoy a 7x smaller binary. + </para> + </listitem> + <listitem> + <para> <literal>pkgs.noto-fonts-cjk</literal> is now deprecated in favor of <literal>pkgs.noto-fonts-cjk-sans</literal> and <literal>pkgs.noto-fonts-cjk-serif</literal> because they each @@ -456,6 +618,15 @@ honors <literal>restartIfChanged</literal> and <literal>reloadIfChanged</literal> of the units. </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Preferring to reload instead of restarting can still + be achieved using + <literal>/run/nixos/activation-reload-list</literal>. + </para> + </listitem> + </itemizedlist> </listitem> <listitem> <para> @@ -515,6 +686,14 @@ wrapper for <literal>assert</literal> conditions. </para> </listitem> + <listitem> + <para> + <literal>pkgs.vimPlugins.onedark-nvim</literal> now refers to + <link xlink:href="https://github.com/navarasu/onedark.nvim">navarasu/onedark.nvim</link> + (formerly refers to + <link xlink:href="https://github.com/olimorris/onedarkpro.nvim">olimorris/onedarkpro.nvim</link>). + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-22.05-notable-changes"> @@ -702,6 +881,13 @@ </listitem> <listitem> <para> + <literal>nixos-generate-config</literal> now puts the dhcp + configuration in <literal>hardware-configuration.nix</literal> + instead of <literal>configuration.nix</literal>. + </para> + </listitem> + <listitem> + <para> <literal>fetchFromSourcehut</literal> now allows fetching repositories recursively using <literal>fetchgit</literal> or <literal>fetchhg</literal> if the argument @@ -734,6 +920,14 @@ </listitem> <listitem> <para> + The default value for + <literal>programs.spacefm.settings.graphical_su</literal> got + unset. It previously pointed to <literal>gksu</literal> which + has been removed. + </para> + </listitem> + <listitem> + <para> A new module was added for the <link xlink:href="https://starship.rs/">Starship</link> shell prompt, providing the options @@ -786,6 +980,17 @@ </listitem> <listitem> <para> + The option + <link linkend="opt-services.networking.networkmanager.enableFccUnlock">services.networking.networkmanager.enableFccUnlock</link> + was added to support FCC unlock procedures. Since release + 1.18.4, the ModemManager daemon no longer automatically + performs the FCC unlock procedure by default. See + <link xlink:href="https://modemmanager.org/docs/modemmanager/fcc-unlock/">the + docs</link> for more details. + </para> + </listitem> + <listitem> + <para> <literal>programs.tmux</literal> has a new option <literal>plugins</literal> that accepts a list of packages from the <literal>tmuxPlugins</literal> group. The specified diff --git a/nixos/doc/manual/installation/installing-pxe.section.md b/nixos/doc/manual/installation/installing-pxe.section.md index 2016a258251..4fbd6525f8c 100644 --- a/nixos/doc/manual/installation/installing-pxe.section.md +++ b/nixos/doc/manual/installation/installing-pxe.section.md @@ -5,11 +5,11 @@ setup. These instructions assume that you have an existing PXE or iPXE infrastructure and simply want to add the NixOS installer as another -option. To build the necessary files from a recent version of nixpkgs, +option. To build the necessary files from your current version of nixpkgs, you can run: ```ShellSession -nix-build -A netboot.x86_64-linux nixos/release.nix +nix-build -A netboot.x86_64-linux '<nixpkgs/nixos/release.nix>' ``` This will create a `result` directory containing: \* `bzImage` -- the diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index a8b717c6f84..c96f898505a 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -17,6 +17,8 @@ In addition to numerous new and upgraded packages, this release has the followin Migrations may take a while, see the [changelog](https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release) and [important upgrade notes](https://docs.mattermost.com/upgrade/important-upgrade-notes.html). +- systemd services can now set [systemd.services.\<name\>.reloadTriggers](#opt-systemd.services) instead of `reloadIfChanged` for a more granular distinction between reloads and restarts. + ## New Services {#sec-release-22.05-new-services} - [aesmd](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw), the Intel SGX Architectural Enclave Service Manager. Available as [services.aesmd](#opt-services.aesmd.enable). @@ -27,6 +29,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html), a lightweight shipper for forwarding and centralizing log data. Available as [services.filebeat](#opt-services.filebeat.enable). +- [apfs](https://github.com/linux-apfs/linux-apfs-rw), a kernel module for mounting the Apple File System (APFS). + - [FRRouting](https://frrouting.org/), a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VVRP and others). Available as [services.frr](#opt-services.ffr.babel.enable) - [heisenbridge](https://github.com/hifi/heisenbridge), a bouncer-style Matrix IRC bridge. Available as [services.heisenbridge](options.html#opt-services.heisenbridge.enable). @@ -35,6 +39,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin), a web interface for the PowerDNS server. Available at [services.powerdns-admin](options.html#opt-services.powerdns-admin.enable). +- [input-remapper](https://github.com/sezanzeb/input-remapper), an easy to use tool to change the mapping of your input device buttons. Available at [services.input-remapper](options.html#opt-services.input-remapper.enable). + - [InvoicePlane](https://invoiceplane.com), web application for managing and creating invoices. Available at [services.invoiceplane](options.html#opt-services.invoiceplane.enable). - [maddy](https://maddy.email), a composable all-in-one mail server. Available as [services.maddy](options.html#opt-services.maddy.enable). @@ -43,18 +49,30 @@ In addition to numerous new and upgraded packages, this release has the followin - [tetrd](https://tetrd.app), share your internet connection from your device to your PC and vice versa through a USB cable. Available at [services.tetrd](#opt-services.tetrd.enable). +- [agate](https://github.com/mbrubeck/agate), a very simple server for the Gemini hypertext protocol. Available as [services.agate](options.html#opt-services.agate.enable). + - [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](options.html#opt-services.archisteamfarm.enable). - [teleport](https://goteleport.com), allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at [services.teleport](#opt-services.teleport.enable). - [BaGet](https://loic-sharma.github.io/BaGet/), a lightweight NuGet and symbol server. Available at [services.baget](#opt-services.baget.enable). +- [moosefs](https://moosefs.com), fault tolerant petabyte distributed file system. + Available as [moosefs](#opt-services.moosefs). + - [prosody-filer](https://github.com/ThomasLeister/prosody-filer), a server for handling XMPP HTTP Upload requests. Available at [services.prosody-filer](#opt-services.prosody-filer.enable). +- [ethercalc](https://github.com/audreyt/ethercalc), an online collaborative + spreadsheet. Available as [services.ethercalc](options.html#opt-services.ethercalc.enable). + - [timetagger](https://timetagger.app), an open source time-tracker with an intuitive user experience and powerful reporting. [services.timetagger](options.html#opt-services.timetagger.enable). - [rstudio-server](https://www.rstudio.com/products/rstudio/#rstudio-server), a browser-based version of the RStudio IDE for the R programming language. Available as [services.rstudio-server](options.html#opt-services.rstudio-server.enable). +- [headscale](https://github.com/juanfont/headscale), an Open Source implementation of the [Tailscale](https://tailscale.io) Control Server. Available as [services.headscale](options.html#opt-services.headscale.enable) + +- [blocky](https://0xerr0r.github.io/blocky/), fast and lightweight DNS proxy as ad-blocker for local network with many features. + <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> ## Backward Incompatibilities {#sec-release-22.05-incompatibilities} @@ -71,6 +89,21 @@ In addition to numerous new and upgraded packages, this release has the followin instead to ensure cross compilation keeps working (or switch to `haskellPackages.callPackage`). +- `pkgs.ghc.withPackages` as well as `haskellPackages.ghcWithPackages` etc. + now needs be overridden directly, as opposed to overriding the result of + calling it. Additionally, the `withLLVM` parameter has been renamed to + `useLLVM`. So instead of `(ghc.withPackages (p: [])).override { withLLVM = true; }`, + one needs to use `(ghc.withPackages.override { useLLVM = true; }) (p: [])`. + +- The `home-assistant` module now requires users that don't want their + configuration to be managed declaratively to set + `services.home-assistant.config = null;`. This is required + due to the way default settings are handled with the new settings style. + + Additionally the default list of `extraComponents` now includes the minimal + dependencies to successfully complete the [onboarding](https://www.home-assistant.io/getting-started/onboarding/) + procedure. + - `pkgs.emacsPackages.orgPackages` is removed because org elpa is deprecated. The packages in the top level of `pkgs.emacsPackages`, such as org and org-contrib, refer to the ones in `pkgs.emacsPackages.elpaPackages` and @@ -78,6 +111,13 @@ In addition to numerous new and upgraded packages, this release has the followin - `services.kubernetes.addons.dashboard` was removed due to it being an outdated version. +- `services.kubernetes.scheduler.{port,address}` now set `--secure-port` and `--bind-address` instead of `--port` and `--address`, since the former have been deprecated and are no longer functional in kubernetes>=1.23. Ensure that you are not relying on the insecure behaviour before upgrading. + +- The DHCP server (`services.dhcpd4`, `services.dhcpd6`) has been hardened. + The service is now using the systemd's `DynamicUser` mechanism to run as an unprivileged dynamically-allocated user with limited capabilities. + The dhcpd state files are now always stored in `/var/lib/dhcpd{4,6}` and the `services.dhcpd4.stateDir` and `service.dhcpd6.stateDir` options have been removed. + If you were depending on root privileges or set{uid,gid,cap} binaries in dhcpd shell hooks, you may give dhcpd more capabilities with e.g. `systemd.services.dhcpd6.serviceConfig.AmbientCapabilities`. + - The `mailpile` email webclient (`services.mailpile`) has been removed due to its reliance on python2. - The MoinMoin wiki engine (`services.moinmoin`) has been removed, because Python 2 is being retired from nixpkgs. @@ -90,8 +130,14 @@ In addition to numerous new and upgraded packages, this release has the followin - The `writers.writePython2` and corresponding `writers.writePython2Bin` convenience functions to create executable Python 2 scripts in the store were removed in preparation of removal of the Python 2 interpreter. Scripts have to be converted to Python 3 for use with `writers.writePython3` or `writers.writePyPy2` needs to be used. +- `buildGoModule` was updated to use `go_1_17`, third party derivations that specify >= go 1.17 in the main `go.mod` will need to regenerate their `vendorSha256` hash. + +- The `gnome-passwordsafe` package updated to [version 6.x](https://gitlab.gnome.org/World/secrets/-/tags/6.0) and renamed to `gnome-secrets`. + - If you previously used `/etc/docker/daemon.json`, you need to incorporate the changes into the new option `virtualisation.docker.daemon.settings`. +- Ntopng (`services.ntopng`) is updated to 5.2.1 and uses a separate Redis instance if `system.stateVersion` is at least `22.05`. Existing setups shouldn't be affected. + - The backward compatibility in `services.wordpress` to configure sites with the old interface has been removed. Please use `services.wordpress.sites` instead. @@ -126,15 +172,26 @@ In addition to numerous new and upgraded packages, this release has the followin - `pkgs.docbookrx` was removed since it's unmaintained +- `tilp2` was removed together with its module + - The options `networking.interfaces.<name>.ipv4.routes` and `networking.interfaces.<name>.ipv6.routes` are no longer ignored when using networkd instead of the default scripted network backend by setting `networking.useNetworkd` to `true`. - MultiMC has been replaced with the fork PolyMC due to upstream developers being hostile to 3rd party package maintainers. PolyMC removes all MultiMC branding and is aimed at providing proper 3rd party packages like the one contained in Nixpkgs. This change affects the data folder where game instances and other save and configuration files are stored. Users with existing installations should rename `~/.local/share/multimc` to `~/.local/share/polymc`. The main config file's path has also moved from `~/.local/share/multimc/multimc.cfg` to `~/.local/share/polymc/polymc.cfg`. + - The terraform 0.12 compatibility has been removed and the `terraform.withPlugins` and `terraform-providers.mkProvider` implementations simplified. Providers now need to be stored under `$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version>` (which mkProvider does). This breaks back-compat so it's not possible to mix-and-match with previous versions of nixpkgs. In exchange, it now becomes possible to use the providers from [nixpkgs-terraform-providers-bin](https://github.com/numtide/nixpkgs-terraform-providers-bin) directly. +- The existing `pkgs.opentelemetry-collector` has been moved to + `pkgs.opentelemetry-collector-contrib` to match the actual source being the + "contrib" edition. `pkgs.opentelemetry-collector` is now the actual core + release of opentelemetry-collector. If you use the community contributions + you should change the package you refer to. If you don't need them update your + commands from `otelcontribcol` to `otelcorecol` and enjoy a 7x smaller binary. + + - `pkgs.noto-fonts-cjk` is now deprecated in favor of `pkgs.noto-fonts-cjk-sans` and `pkgs.noto-fonts-cjk-serif` because they each have different release schedules. To maintain compatibility with prior releases of Nixpkgs, @@ -143,6 +200,7 @@ In addition to numerous new and upgraded packages, this release has the followin - `switch-to-configuration` (the script that is run when running `nixos-rebuild switch` for example) has been reworked * The interface that allows activation scripts to restart units has been streamlined. Restarting and reloading is now done by a single file `/run/nixos/activation-restart-list` that honors `restartIfChanged` and `reloadIfChanged` of the units. + * Preferring to reload instead of restarting can still be achieved using `/run/nixos/activation-reload-list`. * The script now uses a proper ini-file parser to parse systemd units. Some values are now only searched in one section instead of in the entire unit. This is only relevant for units that don't use the NixOS systemd moule. * `RefuseManualStop`, `X-OnlyManualStart`, `X-StopOnRemoval`, `X-StopOnReconfiguration` are only searched in the `[Unit]` section * `X-ReloadIfChanged`, `X-RestartIfChanged`, `X-StopIfChanged` are only searched in the `[Service]` section @@ -157,6 +215,9 @@ In addition to numerous new and upgraded packages, this release has the followin - `lib.assertMsg` and `lib.assertOneOf` no longer return `false` if the passed condition is `false`, `throw`ing the given error message instead (which makes the resulting error message less cluttered). This will not impact the behaviour of code using these functions as intended, namely as top-level wrapper for `assert` conditions. +- `pkgs.vimPlugins.onedark-nvim` now refers to [navarasu/onedark.nvim](https://github.com/navarasu/onedark.nvim) + (formerly refers to [olimorris/onedarkpro.nvim](https://github.com/olimorris/onedarkpro.nvim)). + <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> ## Other Notable Changes {#sec-release-22.05-notable-changes} @@ -235,6 +296,8 @@ In addition to numerous new and upgraded packages, this release has the followin - A new option `boot.initrd.extraModprobeConfig` has been added which can be used to configure kernel modules that are loaded in the initrd. +- `nixos-generate-config` now puts the dhcp configuration in `hardware-configuration.nix` instead of `configuration.nix`. + - `fetchFromSourcehut` now allows fetching repositories recursively using `fetchgit` or `fetchhg` if the argument `fetchSubmodules` is set to `true`. @@ -245,6 +308,8 @@ In addition to numerous new and upgraded packages, this release has the followin - The `services.mbpfan` module was converted to a [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration. +- The default value for `programs.spacefm.settings.graphical_su` got unset. It previously pointed to `gksu` which has been removed. + - A new module was added for the [Starship](https://starship.rs/) shell prompt, providing the options `programs.starship.enable` and `programs.starship.settings`. @@ -260,6 +325,12 @@ In addition to numerous new and upgraded packages, this release has the followin Reason is that the old name has been deprecated upstream. Using the old option name will still work, but produce a warning. +- The option + [services.networking.networkmanager.enableFccUnlock](#opt-services.networking.networkmanager.enableFccUnlock) + was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager + daemon no longer automatically performs the FCC unlock procedure by default. See + [the docs](https://modemmanager.org/docs/modemmanager/fcc-unlock/) for more details. + - `programs.tmux` has a new option `plugins` that accepts a list of packages from the `tmuxPlugins` group. The specified packages are added to the system and loaded by `tmux`. <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> diff --git a/nixos/lib/eval-config.nix b/nixos/lib/eval-config.nix index e3eb88a60eb..2daaa8a1186 100644 --- a/nixos/lib/eval-config.nix +++ b/nixos/lib/eval-config.nix @@ -21,6 +21,7 @@ evalConfigArgs@ , # !!! See comment about args in lib/modules.nix specialArgs ? {} , modules +, modulesLocation ? (builtins.unsafeGetAttrPos "modules" evalConfigArgs).file or null , # !!! See comment about check in lib/modules.nix check ? true , prefix ? [] @@ -74,7 +75,18 @@ let _module.check = lib.mkDefault check; }; }; - allUserModules = modules ++ legacyModules; + + allUserModules = + let + # Add the invoking file (or specified modulesLocation) as error message location + # for modules that don't have their own locations; presumably inline modules. + locatedModules = + if modulesLocation == null then + modules + else + map (lib.setDefaultModuleLocation modulesLocation) modules; + in + locatedModules ++ legacyModules; noUserModules = evalModulesMinimal ({ inherit prefix specialArgs; diff --git a/nixos/lib/qemu-common.nix b/nixos/lib/qemu-common.nix index 964814e8c60..20bbe9ff5d9 100644 --- a/nixos/lib/qemu-common.nix +++ b/nixos/lib/qemu-common.nix @@ -22,7 +22,7 @@ rec { else throw "Unknown QEMU serial device for system '${pkgs.stdenv.hostPlatform.system}'"; qemuBinary = qemuPkg: { - x86_64-linux = "${qemuPkg}/bin/qemu-kvm -cpu qemu64"; + x86_64-linux = "${qemuPkg}/bin/qemu-kvm -cpu max"; armv7l-linux = "${qemuPkg}/bin/qemu-system-arm -enable-kvm -machine virt -cpu host"; aarch64-linux = "${qemuPkg}/bin/qemu-system-aarch64 -enable-kvm -machine virt,gic-version=host -cpu host"; powerpc64le-linux = "${qemuPkg}/bin/qemu-system-ppc64 -machine powernv"; diff --git a/nixos/lib/systemd-lib.nix b/nixos/lib/systemd-lib.nix index db4c3551187..ab166d7327c 100644 --- a/nixos/lib/systemd-lib.nix +++ b/nixos/lib/systemd-lib.nix @@ -11,6 +11,9 @@ in rec { mkPathSafeName = lib.replaceChars ["@" ":" "\\" "[" "]"] ["-" "-" "-" "" ""]; + # a type for options that take a unit name + unitNameType = types.strMatching "[a-zA-Z0-9@%:_.\\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)"; + makeUnit = name: unit: if unit.enable then pkgs.runCommand "unit-${mkPathSafeName name}" diff --git a/nixos/lib/systemd-unit-options.nix b/nixos/lib/systemd-unit-options.nix index 832a33d6429..8029ba0e3f6 100644 --- a/nixos/lib/systemd-unit-options.nix +++ b/nixos/lib/systemd-unit-options.nix @@ -45,7 +45,7 @@ in rec { requiredBy = mkOption { default = []; - type = types.listOf types.str; + type = types.listOf unitNameType; description = '' Units that require (i.e. depend on and need to go down with) this unit. The discussion under <literal>wantedBy</literal> @@ -56,7 +56,7 @@ in rec { wantedBy = mkOption { default = []; - type = types.listOf types.str; + type = types.listOf unitNameType; description = '' Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option @@ -73,7 +73,7 @@ in rec { aliases = mkOption { default = []; - type = types.listOf types.str; + type = types.listOf unitNameType; description = "Aliases of that unit."; }; @@ -110,7 +110,7 @@ in rec { requires = mkOption { default = []; - type = types.listOf types.str; + type = types.listOf unitNameType; description = '' Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail. @@ -119,7 +119,7 @@ in rec { wants = mkOption { default = []; - type = types.listOf types.str; + type = types.listOf unitNameType; description = '' Start the specified units when this unit is started. ''; @@ -127,7 +127,7 @@ in rec { after = mkOption { default = []; - type = types.listOf types.str; + type = types.listOf unitNameType; description = '' If the specified units are started at the same time as this unit, delay this unit until they have started. @@ -136,7 +136,7 @@ in rec { before = mkOption { default = []; - type = types.listOf types.str; + type = types.listOf unitNameType; description = '' If the specified units are started at the same time as this unit, delay them until this unit has started. @@ -145,7 +145,7 @@ in rec { bindsTo = mkOption { default = []; - type = types.listOf types.str; + type = types.listOf unitNameType; description = '' Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well. @@ -154,7 +154,7 @@ in rec { partOf = mkOption { default = []; - type = types.listOf types.str; + type = types.listOf unitNameType; description = '' If the specified units are stopped or restarted, then this unit is stopped or restarted as well. @@ -163,7 +163,7 @@ in rec { conflicts = mkOption { default = []; - type = types.listOf types.str; + type = types.listOf unitNameType; description = '' If the specified units are started, then this unit is stopped and vice versa. @@ -172,7 +172,7 @@ in rec { requisite = mkOption { default = []; - type = types.listOf types.str; + type = types.listOf unitNameType; description = '' Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail. @@ -201,9 +201,20 @@ in rec { ''; }; + reloadTriggers = mkOption { + default = []; + type = types.listOf unitOption; + description = '' + An arbitrary list of items such as derivations. If any item + in the list changes between reconfigurations, the service will + be reloaded. If anything but a reload trigger changes in the + unit file, the unit will be restarted instead. + ''; + }; + onFailure = mkOption { default = []; - type = types.listOf types.str; + type = types.listOf unitNameType; description = '' A list of one or more units that are activated when this unit enters the "failed" state. @@ -338,6 +349,11 @@ in rec { configuration switch if its definition has changed. If enabled, the value of <option>restartIfChanged</option> is ignored. + + This option should not be used anymore in favor of + <option>reloadTriggers</option> which allows more granular + control of when a service is reloaded and when a service + is restarted. ''; }; diff --git a/nixos/lib/test-driver/test_driver/machine.py b/nixos/lib/test-driver/test_driver/machine.py index a41c419ebe6..569a0f3c61e 100644 --- a/nixos/lib/test-driver/test_driver/machine.py +++ b/nixos/lib/test-driver/test_driver/machine.py @@ -241,9 +241,15 @@ class LegacyStartCommand(StartCommand): cdrom: Optional[str] = None, usb: Optional[str] = None, bios: Optional[str] = None, + qemuBinary: Optional[str] = None, qemuFlags: Optional[str] = None, ): - self._cmd = "qemu-kvm -m 384" + if qemuBinary is not None: + self._cmd = qemuBinary + else: + self._cmd = "qemu-kvm" + + self._cmd += " -m 384" # networking net_backend = "-netdev user,id=net0" @@ -381,6 +387,7 @@ class Machine: cdrom=args.get("cdrom"), usb=args.get("usb"), bios=args.get("bios"), + qemuBinary=args.get("qemuBinary"), qemuFlags=args.get("qemuFlags"), ) @@ -543,11 +550,11 @@ class Machine: Should only be used during test development, not in the production test.""" self.connect() - self.log("Terminal is ready (there is no prompt):") + self.log("Terminal is ready (there is no initial prompt):") assert self.shell subprocess.run( - ["socat", "READLINE", f"FD:{self.shell.fileno()}"], + ["socat", "READLINE,prompt=$ ", f"FD:{self.shell.fileno()}"], pass_fds=[self.shell.fileno()], ) diff --git a/nixos/lib/utils.nix b/nixos/lib/utils.nix index bbebf8ba35a..190c4db4d49 100644 --- a/nixos/lib/utils.nix +++ b/nixos/lib/utils.nix @@ -149,10 +149,16 @@ rec { if [[ -h '${output}' ]]; then rm '${output}' fi + + inherit_errexit_restore=$(shopt -p inherit_errexit) + shopt -s inherit_errexit '' + concatStringsSep "\n" - (imap1 (index: name: "export secret${toString index}=$(<'${secrets.${name}}')") + (imap1 (index: name: '' + secret${toString index}=$(<'${secrets.${name}}') + export secret${toString index} + '') (attrNames secrets)) + "\n" + "${pkgs.jq}/bin/jq >'${output}' '" @@ -164,6 +170,7 @@ rec { ' <<'EOF' ${builtins.toJSON set} EOF + $inherit_errexit_restore ''; systemdUtils = { diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 2470d8b5bfe..b0f96c754fa 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -449,16 +449,10 @@ in { imports = [ (mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ]) (mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ]) - (mkChangedOptionModule - [ "security" "initialRootPassword" ] - [ "users" "users" "root" "initialHashedPassword" ] - (cfg: if cfg.security.initialRootPassword == "!" - then null - else cfg.security.initialRootPassword)) + (mkRenamedOptionModule ["security" "initialRootPassword"] ["users" "users" "root" "initialHashedPassword"]) ]; ###### interface - options = { users.mutableUsers = mkOption { @@ -526,6 +520,17 @@ in { ''; }; + + users.allowNoPasswordLogin = mkOption { + type = types.bool; + default = false; + description = '' + Disable checking that at least the <literal>root</literal> user or a user in the <literal>wheel</literal> group can log in using + a password or an SSH key. + + WARNING: enabling this can lock you out of your system. Enable this only if you know what are you doing. + ''; + }; }; @@ -540,6 +545,7 @@ in { home = "/root"; shell = mkDefault cfg.defaultUserShell; group = "root"; + initialHashedPassword = mkDefault "!"; }; nobody = { uid = ids.uids.nobody; @@ -616,9 +622,11 @@ in { # there is at least one "privileged" account that has a # password or an SSH authorized key. Privileged accounts are # root and users in the wheel group. - assertion = !cfg.mutableUsers -> - any id ((mapAttrsToList (_: cfg: - (cfg.name == "root" + # The check does not apply when users.disableLoginPossibilityAssertion + # The check does not apply when users.mutableUsers + assertion = !cfg.mutableUsers -> !cfg.allowNoPasswordLogin -> + any id (mapAttrsToList (name: cfg: + (name == "root" || cfg.group == "wheel" || elem "wheel" cfg.extraGroups) && @@ -627,12 +635,16 @@ in { || cfg.passwordFile != null || cfg.openssh.authorizedKeys.keys != [] || cfg.openssh.authorizedKeys.keyFiles != []) - ) cfg.users) ++ [ + ) cfg.users ++ [ config.security.googleOsLogin.enable ]); message = '' Neither the root account nor any wheel user has a password or SSH authorized key. - You must set one to prevent being locked out of your system.''; + You must set one to prevent being locked out of your system. + If you really want to be locked out of your system, set users.allowNoPasswordLogin = true; + However you are most probably better off by setting users.mutableUsers = true; and + manually running passwd root to set the root password. + ''; } ] ++ flatten (flip mapAttrsToList cfg.users (name: user: [ diff --git a/nixos/modules/hardware/all-firmware.nix b/nixos/modules/hardware/all-firmware.nix index 24d5b7bc2b2..99bdb11b011 100644 --- a/nixos/modules/hardware/all-firmware.nix +++ b/nixos/modules/hardware/all-firmware.nix @@ -57,7 +57,6 @@ in { rtl8723bs-firmware rtl8761b-firmware rtw88-firmware - rtw89-firmware zd1211fw alsa-firmware sof-firmware @@ -65,6 +64,8 @@ in { ] ++ optional (pkgs.stdenv.hostPlatform.isAarch32 || pkgs.stdenv.hostPlatform.isAarch64) raspberrypiWirelessFirmware ++ optionals (versionOlder config.boot.kernelPackages.kernel.version "4.13") [ rtl8723bs-firmware + ] ++ optionals (versionOlder config.boot.kernelPackages.kernel.version "5.16") [ + rtw89-firmware ]; hardware.wirelessRegulatoryDatabase = true; }) diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index ff4225dc29a..c0ba60e49a7 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -179,11 +179,6 @@ in in mkIf enabled { assertions = [ { - assertion = with config.services.xserver.displayManager; (gdm.enable && gdm.nvidiaWayland) -> cfg.modesetting.enable; - message = "You cannot use wayland with GDM without modesetting enabled for NVIDIA drivers, set `hardware.nvidia.modesetting.enable = true`"; - } - - { assertion = primeEnabled -> pCfg.intelBusId == "" || pCfg.amdgpuBusId == ""; message = '' You cannot configure both an Intel iGPU and an AMD APU. Pick the one corresponding to your processor. diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix index 065cea470fb..31aeaad80d6 100644 --- a/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,7 +1,7 @@ { - x86_64-linux = "/nix/store/hapw7q1fkjxvprnkcgw9ppczavg4daj2-nix-2.4"; - i686-linux = "/nix/store/8qlvh8pp5j8wgrzj3is2jlbhgrwgsiy9-nix-2.4"; - aarch64-linux = "/nix/store/h48lkygcqj4hdibbdnpl67q7ks6vkrd6-nix-2.4"; - x86_64-darwin = "/nix/store/c3mvzszvyzakvcp9spnjvsb8m2bpjk7m-nix-2.4"; - aarch64-darwin = "/nix/store/hbfqs62r0hga2yr4zi5kc7fzhf71bq9n-nix-2.4"; + x86_64-linux = "/nix/store/67amfijcvhqfgz4bwf2izsvbnklwjbvk-nix-2.6.0"; + i686-linux = "/nix/store/kinl99f619b2xsma4qnzhidbp65axyzm-nix-2.6.0"; + aarch64-linux = "/nix/store/8zpm63nn7k4n1alp9a0fcilpgc8j014z-nix-2.6.0"; + x86_64-darwin = "/nix/store/hw5v03wnc0k1pwgiyhblwlxb1fx5zyx8-nix-2.6.0"; + aarch64-darwin = "/nix/store/669p1vjnzi56fib98qczwlaglcwcnip4-nix-2.6.0"; } diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index fe8c4fb1a6b..57aef50a0f6 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -279,7 +279,7 @@ if (`lsblk -o TYPE` =~ "lvm") { push @initrdKernelModules, "dm-snapshot"; } -my $virt = `systemd-detect-virt`; +my $virt = `@detectvirt@`; chomp $virt; @@ -398,7 +398,7 @@ foreach my $fs (read_file("/proc/self/mountinfo")) { # Maybe this is a bind-mount of a filesystem we saw earlier? if (defined $fsByDev{$fields[2]}) { # Make sure this isn't a btrfs subvolume. - my $msg = `btrfs subvol show $rootDir$mountPoint`; + my $msg = `@btrfs@ subvol show $rootDir$mountPoint`; if ($? != 0 || $msg =~ /ERROR:/s) { my $path = $fields[3]; $path = "" if $path eq "/"; my $base = $fsByDev{$fields[2]}; @@ -436,7 +436,7 @@ EOF # Is this a btrfs filesystem? if ($fsType eq "btrfs") { - my ($status, @info) = runCommand("btrfs subvol show $rootDir$mountPoint"); + my ($status, @info) = runCommand("@btrfs@ subvol show $rootDir$mountPoint"); if ($status != 0 || join("", @info) =~ /ERROR:/) { die "Failed to retrieve subvolume info for $mountPoint\n"; } @@ -558,6 +558,8 @@ if (!$noFilesystems) { $fsAndSwap .= "swapDevices =" . multiLineList(" ", @swapDevices) . ";\n"; } +my $networkingDhcpConfig = generateNetworkingDhcpConfig(); + my $hwConfig = <<EOF; # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes @@ -572,6 +574,7 @@ my $hwConfig = <<EOF; boot.kernelModules = [$kernelModules ]; boot.extraModulePackages = [$modulePackages ]; $fsAndSwap +$networkingDhcpConfig ${\join "", (map { " $_\n" } (uniq @attrs))}} EOF @@ -580,13 +583,13 @@ sub generateNetworkingDhcpConfig { # The global useDHCP flag is deprecated, therefore explicitly set to false here. # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. - networking.useDHCP = false; + networking.useDHCP = lib.mkDefault false; EOF foreach my $path (glob "/sys/class/net/*") { my $dev = basename($path); if ($dev ne "lo") { - $config .= " networking.interfaces.$dev.useDHCP = true;\n"; + $config .= " networking.interfaces.$dev.useDHCP = lib.mkDefault true;\n"; } } diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index 2f3b0cdd48f..71aaf7f253d 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -33,8 +33,9 @@ let nixos-generate-config = makeProg { name = "nixos-generate-config"; src = ./nixos-generate-config.pl; - path = lib.optionals (lib.elem "btrfs" config.boot.supportedFilesystems) [ pkgs.btrfs-progs ]; perl = "${pkgs.perl.withPackages (p: [ p.FileSlurp ])}/bin/perl"; + detectvirt = "${pkgs.systemd}/bin/systemd-detect-virt"; + btrfs = "${pkgs.btrfs-progs}/bin/btrfs"; inherit (config.system.nixos-generate-config) configuration desktopConfiguration; xserverEnabled = config.services.xserver.enable; }; @@ -133,12 +134,13 @@ in $bootLoaderConfig # networking.hostName = "nixos"; # Define your hostname. + # Pick only one of the below networking options. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. # Set your time zone. # time.timeZone = "Europe/Amsterdam"; - $networkingDhcpConfig # Configure network proxy if necessary # networking.proxy.default = "http://user:password\@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; @@ -148,6 +150,7 @@ in # console = { # font = "Lat2-Terminus16"; # keyMap = "us"; + # useXkbConfig = true; # use xkbOptions in tty. # }; $xserverConfig @@ -155,7 +158,10 @@ in $desktopConfiguration # Configure keymap in X11 # services.xserver.layout = "us"; - # services.xserver.xkbOptions = "eurosign:e"; + # services.xserver.xkbOptions = { + # "eurosign:e"; + # "caps:escape" # map caps to escape. + # }; # Enable CUPS to print documents. # services.printing.enable = true; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index c2b1e886686..ca82ddfb586 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -203,7 +203,6 @@ ./programs/sway.nix ./programs/system-config-printer.nix ./programs/thefuck.nix - ./programs/tilp2.nix ./programs/tmux.nix ./programs/traceroute.nix ./programs/tsm-client.nix @@ -357,7 +356,6 @@ ./services/desktops/cpupower-gui.nix ./services/desktops/dleyna-renderer.nix ./services/desktops/dleyna-server.nix - ./services/desktops/pantheon/files.nix ./services/desktops/espanso.nix ./services/desktops/flatpak.nix ./services/desktops/geoclue2.nix @@ -452,6 +450,7 @@ ./services/hardware/undervolt.nix ./services/hardware/vdr.nix ./services/hardware/xow.nix + ./services/home-automation/home-assistant.nix ./services/logging/SystemdJournal2Gelf.nix ./services/logging/awstats.nix ./services/logging/filebeat.nix @@ -547,8 +546,8 @@ ./services/misc/headphones.nix ./services/misc/heisenbridge.nix ./services/misc/greenclip.nix - ./services/misc/home-assistant.nix ./services/misc/ihaskell.nix + ./services/misc/input-remapper.nix ./services/misc/irkerd.nix ./services/misc/jackett.nix ./services/misc/jellyfin.nix @@ -597,6 +596,7 @@ ./services/misc/redmine.nix ./services/misc/rippled.nix ./services/misc/ripple-data-api.nix + ./services/misc/rmfakecloud.nix ./services/misc/serviio.nix ./services/misc/safeeyes.nix ./services/misc/sdrplay.nix @@ -684,6 +684,7 @@ ./services/network-filesystems/litestream/default.nix ./services/network-filesystems/netatalk.nix ./services/network-filesystems/nfsd.nix + ./services/network-filesystems/moosefs.nix ./services/network-filesystems/openafs/client.nix ./services/network-filesystems/openafs/server.nix ./services/network-filesystems/orangefs/server.nix @@ -717,6 +718,7 @@ ./services/networking/bird.nix ./services/networking/bitlbee.nix ./services/networking/blockbook-frontend.nix + ./services/networking/blocky.nix ./services/networking/charybdis.nix ./services/networking/cjdns.nix ./services/networking/cntlm.nix @@ -760,10 +762,10 @@ ./services/networking/go-neb.nix ./services/networking/go-shadowsocks2.nix ./services/networking/gobgpd.nix - ./services/networking/gogoclient.nix ./services/networking/gvpe.nix ./services/networking/hans.nix ./services/networking/haproxy.nix + ./services/networking/headscale.nix ./services/networking/hostapd.nix ./services/networking/htpdate.nix ./services/networking/hylafax/default.nix @@ -914,6 +916,7 @@ ./services/networking/vsftpd.nix ./services/networking/wasabibackend.nix ./services/networking/websockify.nix + ./services/networking/wg-netmanager.nix ./services/networking/wg-quick.nix ./services/networking/wireguard.nix ./services/networking/wpa_supplicant.nix @@ -1005,6 +1008,7 @@ ./services/web-apps/documize.nix ./services/web-apps/dokuwiki.nix ./services/web-apps/engelsystem.nix + ./services/web-apps/ethercalc.nix ./services/web-apps/fluidd.nix ./services/web-apps/galene.nix ./services/web-apps/gerrit.nix @@ -1054,6 +1058,7 @@ ./services/web-apps/wordpress.nix ./services/web-apps/youtrack.nix ./services/web-apps/zabbix.nix + ./services/web-servers/agate.nix ./services/web-servers/apache-httpd/default.nix ./services/web-servers/caddy/default.nix ./services/web-servers/darkhttpd.nix @@ -1073,7 +1078,6 @@ ./services/web-servers/phpfpm/default.nix ./services/web-servers/pomerium.nix ./services/web-servers/unit/default.nix - ./services/web-servers/shellinabox.nix ./services/web-servers/tomcat.nix ./services/web-servers/traefik.nix ./services/web-servers/trafficserver/default.nix @@ -1156,12 +1160,13 @@ ./system/boot/systemd-nspawn.nix ./system/boot/timesyncd.nix ./system/boot/tmp.nix - ./system/etc/etc.nix + ./system/etc/etc-activation.nix ./tasks/auto-upgrade.nix ./tasks/bcache.nix ./tasks/cpu-freq.nix ./tasks/encrypted-devices.nix ./tasks/filesystems.nix + ./tasks/filesystems/apfs.nix ./tasks/filesystems/bcachefs.nix ./tasks/filesystems/btrfs.nix ./tasks/filesystems/cifs.nix diff --git a/nixos/modules/programs/calls.nix b/nixos/modules/programs/calls.nix index 59961625e5d..08a223b408d 100644 --- a/nixos/modules/programs/calls.nix +++ b/nixos/modules/programs/calls.nix @@ -14,6 +14,8 @@ in { }; config = mkIf cfg.enable { + programs.dconf.enable = true; + environment.systemPackages = [ pkgs.calls ]; diff --git a/nixos/modules/programs/command-not-found/command-not-found.pl b/nixos/modules/programs/command-not-found/command-not-found.pl index 220d057b7f4..72e246c81ae 100644 --- a/nixos/modules/programs/command-not-found/command-not-found.pl +++ b/nixos/modules/programs/command-not-found/command-not-found.pl @@ -21,11 +21,24 @@ my $res = $dbh->selectall_arrayref( "select package from Programs where system = ? and name = ?", { Slice => {} }, $system, $program); -if (!defined $res || scalar @$res == 0) { +my $len = !defined $res ? 0 : scalar @$res; + +if ($len == 0) { print STDERR "$program: command not found\n"; -} elsif (scalar @$res == 1) { +} elsif ($len == 1) { my $package = @$res[0]->{package}; if ($ENV{"NIX_AUTO_RUN"} // "") { + if ($ENV{"NIX_AUTO_RUN_INTERACTIVE"} // "") { + while (1) { + print STDERR "'$program' from package '$package' will be run, confirm? [yn]: "; + chomp(my $comfirm = <STDIN>); + if (lc $comfirm eq "n") { + exit 0; + } elsif (lc $comfirm eq "y") { + last; + } + } + } exec("nix-shell", "-p", $package, "--run", shell_quote("exec", @ARGV)); } else { print STDERR <<EOF; @@ -35,11 +48,30 @@ ephemeral shell by typing: EOF } } else { - print STDERR <<EOF; + if ($ENV{"NIX_AUTO_RUN"} // "") { + print STDERR "Select a package that provides '$program':\n"; + for my $i (0 .. $len - 1) { + print STDERR " [", $i + 1, "]: @$res[$i]->{package}\n"; + } + my $choice = 0; + while (1) { # exec will break this loop + no warnings "numeric"; + print STDERR "Your choice [1-${len}]: "; + # 0 can be invalid user input like non-number string + # so we start from 1 + $choice = <STDIN> + 0; + if (1 <= $choice && $choice <= $len) { + exec("nix-shell", "-p", @$res[$choice - 1]->{package}, + "--run", shell_quote("exec", @ARGV)); + } + } + } else { + print STDERR <<EOF; The program '$program' is not in your PATH. It is provided by several packages. You can make it available in an ephemeral shell by typing one of the following: EOF - print STDERR " nix-shell -p $_->{package}\n" foreach @$res; + print STDERR " nix-shell -p $_->{package}\n" foreach @$res; + } } exit 127; diff --git a/nixos/modules/programs/dconf.nix b/nixos/modules/programs/dconf.nix index 298abac8afa..265c41cbbbc 100644 --- a/nixos/modules/programs/dconf.nix +++ b/nixos/modules/programs/dconf.nix @@ -60,7 +60,7 @@ in environment.systemPackages = [ pkgs.dconf ]; # Needed for unwrapped applications - environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.dconf.lib}/lib/gio/modules" ]; + environment.sessionVariables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.dconf.lib}/lib/gio/modules" ]; }; } diff --git a/nixos/modules/programs/spacefm.nix b/nixos/modules/programs/spacefm.nix index 822fca3ecec..f71abcaa332 100644 --- a/nixos/modules/programs/spacefm.nix +++ b/nixos/modules/programs/spacefm.nix @@ -27,13 +27,11 @@ in default = { tmp_dir = "/tmp"; terminal_su = "${pkgs.sudo}/bin/sudo"; - graphical_su = "${pkgs.gksu}/bin/gksu"; }; defaultText = literalExpression '' { tmp_dir = "/tmp"; terminal_su = "''${pkgs.sudo}/bin/sudo"; - graphical_su = "''${pkgs.gksu}/bin/gksu"; } ''; description = '' diff --git a/nixos/modules/programs/tilp2.nix b/nixos/modules/programs/tilp2.nix deleted file mode 100644 index da9e32e3e6c..00000000000 --- a/nixos/modules/programs/tilp2.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.programs.tilp2; - -in { - options.programs.tilp2 = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enable tilp2 and udev rules for supported calculators. - ''; - }; - }; - - config = mkIf cfg.enable { - services.udev.packages = [ - pkgs.libticables2 - ]; - - environment.systemPackages = [ - pkgs.tilp2 - ]; - }; -} diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 81843dc0f90..c271d504b77 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -32,6 +32,7 @@ with lib; '') (mkRemovedOptionModule [ "networking" "vpnc" ] "Use environment.etc.\"vpnc/service.conf\" instead.") (mkRemovedOptionModule [ "networking" "wicd" ] "The corresponding package was removed from nixpkgs.") + (mkRemovedOptionModule [ "programs" "tilp2" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "programs" "way-cooler" ] ("way-cooler is abandoned by its author: " + "https://way-cooler.org/blog/2020/01/09/way-cooler-post-mortem.html")) (mkRemovedOptionModule [ "security" "hideProcessInformation" ] '' @@ -59,6 +60,9 @@ with lib; (mkRemovedOptionModule [ "services" "moinmoin" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "mwlib" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "osquery" ] "The osquery module has been removed") + (mkRemovedOptionModule [ "services" "pantheon" "files" ] '' + This module was removed, please add pkgs.pantheon.elementary-files to environment.systemPackages directly. + '') (mkRemovedOptionModule [ "services" "prey" ] '' prey-bash-client is deprecated upstream '') @@ -84,6 +88,10 @@ with lib; The racoon module has been removed, because the software project was abandoned upstream. '') + (mkRemovedOptionModule [ "services" "shellinabox" ] "The corresponding package was removed from nixpkgs.") + + (mkRemovedOptionModule [ "services" "gogoclient" ] "The corresponding package was removed from nixpkgs.") + # Do NOT add any option renames here, see top of the file ]; } diff --git a/nixos/modules/security/google_oslogin.nix b/nixos/modules/security/google_oslogin.nix index c2889a0f0d1..cf416035ef6 100644 --- a/nixos/modules/security/google_oslogin.nix +++ b/nixos/modules/security/google_oslogin.nix @@ -5,7 +5,7 @@ with lib; let cfg = config.security.googleOsLogin; - package = pkgs.google-compute-engine-oslogin; + package = pkgs.google-guest-oslogin; in @@ -17,7 +17,7 @@ in type = types.bool; default = false; description = '' - Whether to enable Google OS Login + Whether to enable Google OS Login. The OS Login package enables the following components: AuthorizedKeysCommand to query valid SSH keys from the user's OS Login @@ -36,7 +36,7 @@ in security.pam.services.sshd = { makeHomeDir = true; googleOsLoginAccountVerification = true; - # disabled for now: googleOsLoginAuthentication = true; + googleOsLoginAuthentication = true; }; security.sudo.extraConfig = '' @@ -47,6 +47,9 @@ in "d /var/google-users.d 750 root root -" ]; + systemd.packages = [ package ]; + systemd.timers.google-oslogin-cache.wantedBy = [ "timers.target" ]; + # enable the nss module, so user lookups etc. work system.nssModules = [ package ]; system.nssDatabases.passwd = [ "cache_oslogin" "oslogin" ]; diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 964cfe7040c..9f295db84fd 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -444,15 +444,15 @@ let account sufficient ${pam_krb5}/lib/security/pam_krb5.so '' + optionalString cfg.googleOsLoginAccountVerification '' - account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so - account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so + account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so + account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so '' + '' # Authentication management. '' + optionalString cfg.googleOsLoginAuthentication '' - auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so + auth [success=done perm_denied=die default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so '' + optionalString cfg.rootOK '' auth sufficient pam_rootok.so @@ -1091,11 +1091,11 @@ in mr ${pam_ccreds}/lib/security/pam_ccreds.so, '' + optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' - mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, - mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so, + mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so, + mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so, '' + optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) '' - mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, + mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so, '' + optionalString (config.security.pam.enableSSHAgentAuth && isEnabled (cfg: cfg.sshAgentAuth)) '' diff --git a/nixos/modules/services/audio/jmusicbot.nix b/nixos/modules/services/audio/jmusicbot.nix index f573bd2ab8d..e0f8d461af0 100644 --- a/nixos/modules/services/audio/jmusicbot.nix +++ b/nixos/modules/services/audio/jmusicbot.nix @@ -9,6 +9,13 @@ in services.jmusicbot = { enable = mkEnableOption "jmusicbot, a Discord music bot that's easy to set up and run yourself"; + package = mkOption { + type = types.package; + default = pkgs.jmusicbot; + defaultText = literalExpression "pkgs.jmusicbot"; + description = "JMusicBot package to use"; + }; + stateDir = mkOption { type = types.path; description = '' @@ -27,7 +34,7 @@ in after = [ "network-online.target" ]; description = "Discord music bot that's easy to set up and run yourself!"; serviceConfig = mkMerge [{ - ExecStart = "${pkgs.jmusicbot}/bin/JMusicBot"; + ExecStart = "${cfg.package}/bin/JMusicBot"; WorkingDirectory = cfg.stateDir; Restart = "always"; RestartSec = 20; diff --git a/nixos/modules/services/cluster/kubernetes/scheduler.nix b/nixos/modules/services/cluster/kubernetes/scheduler.nix index 2a522f1db89..2d95528a6ea 100644 --- a/nixos/modules/services/cluster/kubernetes/scheduler.nix +++ b/nixos/modules/services/cluster/kubernetes/scheduler.nix @@ -66,12 +66,12 @@ in serviceConfig = { Slice = "kubernetes.slice"; ExecStart = ''${top.package}/bin/kube-scheduler \ - --address=${cfg.address} \ + --bind-address=${cfg.address} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ --kubeconfig=${top.lib.mkKubeConfig "kube-scheduler" cfg.kubeconfig} \ --leader-elect=${boolToString cfg.leaderElect} \ - --port=${toString cfg.port} \ + --secure-port=${toString cfg.port} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ ${cfg.extraOpts} ''; diff --git a/nixos/modules/services/computing/slurm/slurm.nix b/nixos/modules/services/computing/slurm/slurm.nix index 7686ff99bfc..8cbe54c6060 100644 --- a/nixos/modules/services/computing/slurm/slurm.nix +++ b/nixos/modules/services/computing/slurm/slurm.nix @@ -362,6 +362,7 @@ in wantedBy = [ "multi-user.target" ]; after = [ "systemd-tmpfiles-clean.service" ]; + requires = [ "network.target" ]; serviceConfig = { Type = "forking"; @@ -371,12 +372,12 @@ in ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; LimitMEMLOCK = "infinity"; }; - - preStart = '' - mkdir -p /var/spool - ''; }; + systemd.tmpfiles.rules = mkIf cfg.client.enable [ + "d /var/spool/slurmd 755 root root -" + ]; + services.openssh.forwardX11 = mkIf cfg.client.enable (mkDefault true); systemd.services.slurmctld = mkIf (cfg.server.enable) { diff --git a/nixos/modules/services/continuous-integration/github-runner.nix b/nixos/modules/services/continuous-integration/github-runner.nix index afd85c972b5..c3bd8f99c57 100644 --- a/nixos/modules/services/continuous-integration/github-runner.nix +++ b/nixos/modules/services/continuous-integration/github-runner.nix @@ -208,6 +208,7 @@ in token=$(< "$STATE_DIRECTORY"/${newConfigTokenFilename}) RUNNER_ROOT="$STATE_DIRECTORY" ${cfg.package}/bin/config.sh \ --unattended \ + --disableupdate \ --work "$RUNTIME_DIRECTORY" \ --url ${escapeShellArg cfg.url} \ --token "$token" \ diff --git a/nixos/modules/services/desktops/gnome/glib-networking.nix b/nixos/modules/services/desktops/gnome/glib-networking.nix index 4288b6b5de6..1039605391a 100644 --- a/nixos/modules/services/desktops/gnome/glib-networking.nix +++ b/nixos/modules/services/desktops/gnome/glib-networking.nix @@ -38,7 +38,7 @@ with lib; systemd.packages = [ pkgs.glib-networking ]; - environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.glib-networking.out}/lib/gio/modules" ]; + environment.sessionVariables.GIO_EXTRA_MODULES = [ "${pkgs.glib-networking.out}/lib/gio/modules" ]; }; diff --git a/nixos/modules/services/desktops/gvfs.nix b/nixos/modules/services/desktops/gvfs.nix index 27864fad4f2..1aa64ea37db 100644 --- a/nixos/modules/services/desktops/gvfs.nix +++ b/nixos/modules/services/desktops/gvfs.nix @@ -57,7 +57,7 @@ in services.udev.packages = [ pkgs.libmtp.out ]; # Needed for unwrapped applications - environment.variables.GIO_EXTRA_MODULES = [ "${cfg.package}/lib/gio/modules" ]; + environment.sessionVariables.GIO_EXTRA_MODULES = [ "${cfg.package}/lib/gio/modules" ]; }; diff --git a/nixos/modules/services/desktops/pantheon/files.nix b/nixos/modules/services/desktops/pantheon/files.nix deleted file mode 100644 index 8cee9f42b62..00000000000 --- a/nixos/modules/services/desktops/pantheon/files.nix +++ /dev/null @@ -1,13 +0,0 @@ -# pantheon files daemon. - -{ config, pkgs, lib, ... }: - -with lib; - -{ - - imports = [ - (mkRemovedOptionModule [ "services" "pantheon" "files" "enable" ] "Use `environment.systemPackages [ pkgs.pantheon.elementary-files ];`") - ]; - -} diff --git a/nixos/modules/services/hardware/ddccontrol.nix b/nixos/modules/services/hardware/ddccontrol.nix index 766bf12ee9f..f0b5a9c8196 100644 --- a/nixos/modules/services/hardware/ddccontrol.nix +++ b/nixos/modules/services/hardware/ddccontrol.nix @@ -20,6 +20,9 @@ in ###### implementation config = lib.mkIf cfg.enable { + # Load the i2c-dev module + boot.kernelModules = [ "i2c_dev" ]; + # Give users access to the "gddccontrol" tool environment.systemPackages = [ pkgs.ddccontrol diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix index d48b5444677..61448af2d33 100644 --- a/nixos/modules/services/hardware/udev.nix +++ b/nixos/modules/services/hardware/udev.nix @@ -317,7 +317,8 @@ in (isYes "NET") ]; - boot.extraModprobeConfig = "options firmware_class path=${config.hardware.firmware}/lib/firmware"; + # We don't place this into `extraModprobeConfig` so that stage-1 ramdisk doesn't bloat. + environment.etc."modprobe.d/firmware.conf".text = "options firmware_class path=${config.hardware.firmware}/lib/firmware"; system.activationScripts.udevd = '' diff --git a/nixos/modules/services/hardware/undervolt.nix b/nixos/modules/services/hardware/undervolt.nix index 212c0227c0d..a743bbf21c8 100644 --- a/nixos/modules/services/hardware/undervolt.nix +++ b/nixos/modules/services/hardware/undervolt.nix @@ -164,8 +164,6 @@ in environment.systemPackages = [ cfg.package ]; systemd.services.undervolt = { - path = [ pkgs.undervolt ]; - description = "Intel Undervolting Service"; # Apply undervolt on boot, nixos generation switch and resume @@ -175,7 +173,7 @@ in serviceConfig = { Type = "oneshot"; Restart = "no"; - ExecStart = "${pkgs.undervolt}/bin/undervolt ${toString cliArgs}"; + ExecStart = "${cfg.package}/bin/undervolt ${toString cliArgs}"; }; }; diff --git a/nixos/modules/services/hardware/upower.nix b/nixos/modules/services/hardware/upower.nix index 92c060147bf..81bf497c993 100644 --- a/nixos/modules/services/hardware/upower.nix +++ b/nixos/modules/services/hardware/upower.nix @@ -155,8 +155,8 @@ in default = 1200; description = '' When <literal>usePercentageForPolicy</literal> is - <literal>false</literal>, the time remaining at which UPower will - consider the battery low. + <literal>false</literal>, the time remaining in seconds at which + UPower will consider the battery low. If any value (of <literal>timeLow</literal>, <literal>timeCritical</literal> and <literal>timeAction</literal>) is @@ -169,8 +169,8 @@ in default = 300; description = '' When <literal>usePercentageForPolicy</literal> is - <literal>false</literal>, the time remaining at which UPower will - consider the battery critical. + <literal>false</literal>, the time remaining in seconds at which + UPower will consider the battery critical. If any value (of <literal>timeLow</literal>, <literal>timeCritical</literal> and <literal>timeAction</literal>) is @@ -183,8 +183,8 @@ in default = 120; description = '' When <literal>usePercentageForPolicy</literal> is - <literal>false</literal>, the time remaining at which UPower will - take action for the critical battery level. + <literal>false</literal>, the time remaining in seconds at which + UPower will take action for the critical battery level. If any value (of <literal>timeLow</literal>, <literal>timeCritical</literal> and <literal>timeAction</literal>) is diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/home-automation/home-assistant.nix index ac4c0222aac..f4197650ab2 100644 --- a/nixos/modules/services/misc/home-assistant.nix +++ b/nixos/modules/services/home-automation/home-assistant.nix @@ -4,35 +4,27 @@ with lib; let cfg = config.services.home-assistant; + format = pkgs.formats.yaml {}; - # cfg.config != null can be assumed here - configJSON = pkgs.writeText "configuration.json" - (builtins.toJSON (if cfg.applyDefaultConfig then - (recursiveUpdate defaultConfig cfg.config) else cfg.config)); + # Render config attribute sets to YAML + # Values that are null will be filtered from the output, so this is one way to have optional + # options shown in settings. + # We post-process the result to add support for YAML functions, like secrets or includes, see e.g. + # https://www.home-assistant.io/docs/configuration/secrets/ + filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ null ])) cfg.config or {}; configFile = pkgs.runCommand "configuration.yaml" { preferLocalBuild = true; } '' - ${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out - # Hack to support custom yaml objects, - # i.e. secrets: https://www.home-assistant.io/docs/configuration/secrets/ + cp ${format.generate "configuration.yaml" filteredConfig} $out sed -i -e "s/'\!\([a-z_]\+\) \(.*\)'/\!\1 \2/;s/^\!\!/\!/;" $out ''; + lovelaceConfig = cfg.lovelaceConfig or {}; + lovelaceConfigFile = format.generate "ui-lovelace.yaml" lovelaceConfig; - lovelaceConfigJSON = pkgs.writeText "ui-lovelace.json" - (builtins.toJSON cfg.lovelaceConfig); - lovelaceConfigFile = pkgs.runCommand "ui-lovelace.yaml" { preferLocalBuild = true; } '' - ${pkgs.remarshal}/bin/json2yaml -i ${lovelaceConfigJSON} -o $out - ''; - + # Components advertised by the home-assistant package availableComponents = cfg.package.availableComponents; + # Components that were added by overriding the package explicitComponents = cfg.package.extraComponents; - - usedPlatforms = config: - if isAttrs config then - optional (config ? platform) config.platform - ++ concatMap usedPlatforms (attrValues config) - else if isList config then - concatMap usedPlatforms config - else [ ]; + useExplicitComponent = component: elem component explicitComponents; # Given a component "platform", looks up whether it is used in the config # as `platform = "platform";`. @@ -42,34 +34,46 @@ let # platform = "mqtt"; # ... # } ]; - useComponentPlatform = component: elem component (usedPlatforms cfg.config); + usedPlatforms = config: + if isAttrs config then + optional (config ? platform) config.platform + ++ concatMap usedPlatforms (attrValues config) + else if isList config then + concatMap usedPlatforms config + else [ ]; - useExplicitComponent = component: elem component explicitComponents; + useComponentPlatform = component: elem component (usedPlatforms cfg.config); - # Returns whether component is used in config or explicitly passed into package + # Returns whether component is used in config, explicitly passed into package or + # configured in the module. useComponent = component: hasAttrByPath (splitString "." component) cfg.config || useComponentPlatform component - || useExplicitComponent component; + || useExplicitComponent component + || builtins.elem component cfg.extraComponents; - # List of components used in config + # Final list of components passed into the package to include required dependencies extraComponents = filter useComponent availableComponents; - package = if (cfg.autoExtraComponents && cfg.config != null) - then (cfg.package.override { inherit extraComponents; }) - else cfg.package; + package = (cfg.package.override (oldArgs: { + # Respect overrides that already exist in the passed package and + # concat it with values passed via the module. + extraComponents = oldArgs.extraComponents or [] ++ extraComponents; + extraPackages = ps: (oldArgs.extraPackages or (_: []) ps) ++ (cfg.extraPackages ps); + })); +in { + imports = [ + # Migrations in NixOS 22.05 + (mkRemovedOptionModule [ "services" "home-assistant" "applyDefaultConfig" ] "The default config was migrated into services.home-assistant.config") + (mkRemovedOptionModule [ "services" "home-assistant" "autoExtraComponents" ] "Components are now parsed from services.home-assistant.config unconditionally") + (mkRenamedOptionModule [ "services" "home-assistant" "port" ] [ "services" "home-assistant" "config" "http" "server_port" ]) + ]; - # If you are changing this, please update the description in applyDefaultConfig - defaultConfig = { - homeassistant.time_zone = config.time.timeZone; - http.server_port = cfg.port; - } // optionalAttrs (cfg.lovelaceConfig != null) { - lovelace.mode = "yaml"; + meta = { + buildDocsInSandbox = false; + maintainers = teams.home-assistant.members; }; -in { - meta.maintainers = teams.home-assistant.members; - options.services.home-assistant = { # Running home-assistant on NixOS is considered an installation method that is unsupported by the upstream project. # https://github.com/home-assistant/architecture/blob/master/adr/0012-define-supported-installation-method.md#decision @@ -81,42 +85,166 @@ in { description = "The config directory, where your <filename>configuration.yaml</filename> is located."; }; - port = mkOption { - default = 8123; - type = types.port; - description = "The port on which to listen."; + extraComponents = mkOption { + type = types.listOf (types.enum availableComponents); + default = [ + # List of components required to complete the onboarding + "default_config" + "met" + "esphome" + ] ++ optionals (pkgs.stdenv.hostPlatform.isAarch32 || pkgs.stdenv.hostPlatform.isAarch64) [ + # Use the platform as an indicator that we might be running on a RaspberryPi and include + # relevant components + "rpi_power" + ]; + example = literalExpression '' + [ + "analytics" + "default_config" + "esphome" + "my" + "shopping_list" + "wled" + ] + ''; + description = '' + List of <link xlink:href="https://www.home-assistant.io/integrations/">components</link> that have their dependencies included in the package. + + The component name can be found in the URL, for example <literal>https://www.home-assistant.io/integrations/ffmpeg/</literal> would map to <literal>ffmpeg</literal>. + ''; }; - applyDefaultConfig = mkOption { - default = true; - type = types.bool; + extraPackages = mkOption { + type = types.functionTo (types.listOf types.package); + default = _: []; + defaultText = literalExpression '' + python3Packages: with python3Packages; []; + ''; + example = literalExpression '' + python3Packages: with python3Packages; [ + # postgresql support + psycopg2 + ]; + ''; description = '' - Setting this option enables a few configuration options for HA based on NixOS configuration (such as time zone) to avoid having to manually specify configuration we already have. - </para> - <para> - Currently one side effect of enabling this is that the <literal>http</literal> component will be enabled. - </para> - <para> - This only takes effect if <literal>config != null</literal> in order to ensure that a manually managed <filename>configuration.yaml</filename> is not overwritten. + List of packages to add to propagatedBuildInputs. + + A popular example is <package>python3Packages.psycopg2</package> + for PostgreSQL support in the recorder component. ''; }; config = mkOption { - default = null; - # Migrate to new option types later: https://github.com/NixOS/nixpkgs/pull/75584 - type = with lib.types; let - valueType = nullOr (oneOf [ - bool - int - float - str - (lazyAttrsOf valueType) - (listOf valueType) - ]) // { - description = "Yaml value"; - emptyValue.value = {}; + type = types.submodule { + freeformType = format.type; + options = { + # This is a partial selection of the most common options, so new users can quickly + # pick up how to match home-assistants config structure to ours. It also lets us preset + # config values intelligently. + + homeassistant = { + # https://www.home-assistant.io/docs/configuration/basic/ + name = mkOption { + type = types.nullOr types.str; + default = null; + example = "Home"; + description = '' + Name of the location where Home Assistant is running. + ''; + }; + + latitude = mkOption { + type = types.nullOr (types.either types.float types.str); + default = null; + example = 52.3; + description = '' + Latitude of your location required to calculate the time the sun rises and sets. + ''; + }; + + longitude = mkOption { + type = types.nullOr (types.either types.float types.str); + default = null; + example = 4.9; + description = '' + Longitude of your location required to calculate the time the sun rises and sets. + ''; + }; + + unit_system = mkOption { + type = types.nullOr (types.enum [ "metric" "imperial" ]); + default = null; + example = "metric"; + description = '' + The unit system to use. This also sets temperature_unit, Celsius for Metric and Fahrenheit for Imperial. + ''; + }; + + temperature_unit = mkOption { + type = types.nullOr (types.enum [ "C" "F" ]); + default = null; + example = "C"; + description = '' + Override temperature unit set by unit_system. <literal>C</literal> for Celsius, <literal>F</literal> for Fahrenheit. + ''; + }; + + time_zone = mkOption { + type = types.nullOr types.str; + default = config.time.timeZone or null; + defaultText = literalExpression '' + config.time.timeZone or null + ''; + example = "Europe/Amsterdam"; + description = '' + Pick your time zone from the column TZ of Wikipedia’s <link xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones">list of tz database time zones</link>. + ''; + }; + }; + + http = { + # https://www.home-assistant.io/integrations/http/ + server_host = mkOption { + type = types.either types.str (types.listOf types.str); + default = [ + "0.0.0.0" + "::" + ]; + example = "::1"; + description = '' + Only listen to incoming requests on specific IP/host. The default listed assumes support for IPv4 and IPv6. + ''; + }; + + server_port = mkOption { + default = 8123; + type = types.port; + description = '' + The port on which to listen. + ''; + }; }; - in valueType; + + lovelace = { + # https://www.home-assistant.io/lovelace/dashboards/ + mode = mkOption { + type = types.enum [ "yaml" "storage" ]; + default = if cfg.lovelaceConfig != null + then "yaml" + else "storage"; + defaultText = literalExpression '' + if cfg.lovelaceConfig != null + then "yaml" + else "storage"; + ''; + example = "yaml"; + description = '' + In what mode should the main Lovelace panel be, <literal>yaml</literal> or <literal>storage</literal> (UI managed). + ''; + }; + }; + }; + }; example = literalExpression '' { homeassistant = { @@ -130,15 +258,19 @@ in { frontend = { themes = "!include_dir_merge_named themes"; }; - http = { }; + http = {}; feedreader.urls = [ "https://nixos.org/blogs.xml" ]; } ''; description = '' Your <filename>configuration.yaml</filename> as a Nix attribute set. - Beware that setting this option will delete your previous <filename>configuration.yaml</filename>. - <link xlink:href="https://www.home-assistant.io/docs/configuration/secrets/">Secrets</link> - are encoded as strings as shown in the example. + + YAML functions like <link xlink:href="https://www.home-assistant.io/docs/configuration/secrets/">secrets</link> + can be passed as a string and will be unquoted automatically. + + Unless this option is explicitly set to <literal>null</literal> + we assume your <filename>configuration.yaml</filename> is + managed through this module and thereby overwritten on startup. ''; }; @@ -147,16 +279,18 @@ in { type = types.bool; description = '' Whether to make <filename>configuration.yaml</filename> writable. - This only has an effect if <option>config</option> is set. + This will allow you to edit it from Home Assistant's web interface. + + This only has an effect if <option>config</option> is set. However, bear in mind that it will be overwritten at every start of the service. ''; }; lovelaceConfig = mkOption { default = null; - type = with types; nullOr attrs; - # from https://www.home-assistant.io/lovelace/yaml-mode/ + type = types.nullOr format.type; + # from https://www.home-assistant.io/lovelace/dashboards/ example = literalExpression '' { title = "My Awesome Home"; @@ -172,8 +306,8 @@ in { ''; description = '' Your <filename>ui-lovelace.yaml</filename> as a Nix attribute set. - Setting this option will automatically add - <literal>lovelace.mode = "yaml";</literal> to your <option>config</option>. + Setting this option will automatically set <literal>lovelace.mode</literal> to <literal>yaml</literal>. + Beware that setting this option will delete your previous <filename>ui-lovelace.yaml</filename> ''; }; @@ -183,8 +317,10 @@ in { type = types.bool; description = '' Whether to make <filename>ui-lovelace.yaml</filename> writable. - This only has an effect if <option>lovelaceConfig</option> is set. + This will allow you to edit it from Home Assistant's web interface. + + This only has an effect if <option>lovelaceConfig</option> is set. However, bear in mind that it will be overwritten at every start of the service. ''; }; @@ -201,11 +337,18 @@ in { type = types.package; example = literalExpression '' pkgs.home-assistant.override { - extraPackages = ps: with ps; [ colorlog ]; + extraPackages = python3Packages: with python3Packages; [ + psycopg2 + ]; + extraComponents = [ + "default_config" + "esphome" + "met" + ]; } ''; description = '' - Home Assistant package to use. By default the tests are disabled, as they take a considerable amout of time to complete. + The Home Assistant package to use. Override <literal>extraPackages</literal> or <literal>extraComponents</literal> in order to add additional dependencies. If you specify <option>config</option> and do not set <option>autoExtraComponents</option> to <literal>false</literal>, overriding <literal>extraComponents</literal> will have no effect. @@ -213,21 +356,6 @@ in { ''; }; - autoExtraComponents = mkOption { - default = true; - type = types.bool; - description = '' - If set to <literal>true</literal>, the components used in <literal>config</literal> - are set as the specified package's <literal>extraComponents</literal>. - This in turn adds all packaged dependencies to the derivation. - You might still see import errors in your log. - In this case, you will need to package the necessary dependencies yourself - or ask for someone else to package them. - If a dependency is packaged but not automatically added to this list, - you might need to specify it in <literal>extraPackages</literal>. - ''; - }; - openFirewall = mkOption { default = false; type = types.bool; @@ -240,18 +368,30 @@ in { systemd.services.home-assistant = { description = "Home Assistant"; - after = [ "network.target" ]; - preStart = optionalString (cfg.config != null) (if cfg.configWritable then '' - cp --no-preserve=mode ${configFile} "${cfg.configDir}/configuration.yaml" - '' else '' - rm -f "${cfg.configDir}/configuration.yaml" - ln -s ${configFile} "${cfg.configDir}/configuration.yaml" - '') + optionalString (cfg.lovelaceConfig != null) (if cfg.lovelaceConfigWritable then '' - cp --no-preserve=mode ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml" - '' else '' - rm -f "${cfg.configDir}/ui-lovelace.yaml" - ln -s ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml" - ''); + after = [ + "network-online.target" + + # prevent races with database creation + "mysql.service" + "postgresql.service" + ]; + preStart = let + copyConfig = if cfg.configWritable then '' + cp --no-preserve=mode ${configFile} "${cfg.configDir}/configuration.yaml" + '' else '' + rm -f "${cfg.configDir}/configuration.yaml" + ln -s ${configFile} "${cfg.configDir}/configuration.yaml" + ''; + copyLovelaceConfig = if cfg.lovelaceConfigWritable then '' + cp --no-preserve=mode ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml" + '' else '' + rm -f "${cfg.configDir}/ui-lovelace.yaml" + ln -s ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml" + ''; + in + (optionalString (cfg.config != null) copyConfig) + + (optionalString (cfg.lovelaceConfig != null) copyLovelaceConfig) + ; serviceConfig = let # List of capabilities to equip home-assistant with, depending on configured components capabilities = [ @@ -329,7 +469,7 @@ in { "zwave_js" ]; in { - ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'"; + ExecStart = "${package}/bin/hass --config '${cfg.configDir}'"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; User = "hass"; Group = "hass"; diff --git a/nixos/modules/services/logging/promtail.nix b/nixos/modules/services/logging/promtail.nix index 95c83796ece..a34bc07b6ab 100644 --- a/nixos/modules/services/logging/promtail.nix +++ b/nixos/modules/services/logging/promtail.nix @@ -45,7 +45,7 @@ in { Restart = "on-failure"; TimeoutStopSec = 10; - ExecStart = "${pkgs.grafana-loki}/bin/promtail -config.file=${prettyJSON cfg.configuration} ${escapeShellArgs cfg.extraFlags}"; + ExecStart = "${pkgs.promtail}/bin/promtail -config.file=${prettyJSON cfg.configuration} ${escapeShellArgs cfg.extraFlags}"; ProtectSystem = "strict"; ProtectHome = true; diff --git a/nixos/modules/services/matrix/mjolnir.xml b/nixos/modules/services/matrix/mjolnir.xml index d462ddf7b01..b07abe33979 100644 --- a/nixos/modules/services/matrix/mjolnir.xml +++ b/nixos/modules/services/matrix/mjolnir.xml @@ -98,7 +98,7 @@ </para> <para> To use the Antispam Module, add <package>matrix-synapse-plugins.matrix-synapse-mjolnir-antispam</package> - to the Synapse plugin list and enable the <literal>mjolnir.AntiSpam</literal> module. + to the Synapse plugin list and enable the <literal>mjolnir.Module</literal> module. </para> <programlisting> { @@ -108,7 +108,7 @@ ]; extraConfig = '' modules: - - module: mjolnir.AntiSpam + - module: mjolnir.Module config: # Prevent servers/users in the ban lists from inviting users on this # server to rooms. Default true. diff --git a/nixos/modules/services/misc/airsonic.nix b/nixos/modules/services/misc/airsonic.nix index 5a5c30a4123..2b9c6d80abb 100644 --- a/nixos/modules/services/misc/airsonic.nix +++ b/nixos/modules/services/misc/airsonic.nix @@ -39,9 +39,11 @@ in { default = "127.0.0.1"; description = '' The host name or IP address on which to bind Airsonic. - Only relevant if you have multiple network interfaces and want - to make Airsonic available on only one of them. The default value - will bind Airsonic to all available network interfaces. + The default value is appropriate for first launch, when the + default credentials are easy to guess. It is also appropriate + if you intend to use the virtualhost option in the service + module. In other cases, you may want to change this to a + specific IP or 0.0.0.0 to listen on all interfaces. ''; }; diff --git a/nixos/modules/services/misc/autorandr.nix b/nixos/modules/services/misc/autorandr.nix index 95cee5046e8..a65c5c9d11c 100644 --- a/nixos/modules/services/misc/autorandr.nix +++ b/nixos/modules/services/misc/autorandr.nix @@ -43,6 +43,7 @@ in { ExecStart = "${pkgs.autorandr}/bin/autorandr --batch --change --default ${cfg.defaultTarget}"; Type = "oneshot"; RemainAfterExit = false; + KillMode = "process"; }; }; diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 6f6a9e3110a..e48444f7161 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -72,7 +72,7 @@ let redis = { bin = "${pkgs.redis}/bin/redis-cli"; host = "127.0.0.1"; - port = 6379; + port = config.services.redis.servers.gitlab.port; database = 0; namespace = "resque:gitlab"; }; @@ -450,7 +450,8 @@ in { redisUrl = mkOption { type = types.str; - default = "redis://localhost:6379/"; + default = "redis://localhost:${toString config.services.redis.servers.gitlab.port}/"; + defaultText = literalExpression ''redis://localhost:''${toString config.services.redis.servers.gitlab.port}/''; description = "Redis URL for all GitLab services except gitlab-shell"; }; @@ -961,7 +962,11 @@ in { }; # Redis is required for the sidekiq queue runner. - services.redis.enable = mkDefault true; + services.redis.servers.gitlab = { + enable = mkDefault true; + port = mkDefault 31636; + bind = mkDefault "127.0.0.1"; + }; # We use postgres as the main data store. services.postgresql = optionalAttrs databaseActuallyCreateLocally { @@ -1131,8 +1136,8 @@ in { ExecStartPre = let preStartFullPrivileges = '' - shopt -s dotglob nullglob - set -eu + set -o errexit -o pipefail -o nounset + shopt -s dotglob nullglob inherit_errexit chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/* if [[ -n "$(ls -A '${cfg.statePath}'/config/)" ]]; then @@ -1142,7 +1147,8 @@ in { in "+${pkgs.writeShellScript "gitlab-pre-start-full-privileges" preStartFullPrivileges}"; ExecStart = pkgs.writeShellScript "gitlab-config" '' - set -eu + set -o errexit -o pipefail -o nounset + shopt -s inherit_errexit umask u=rwx,g=rx,o= @@ -1171,7 +1177,8 @@ in { rm -f '${cfg.statePath}/config/database.yml' ${if cfg.databasePasswordFile != null then '' - export db_password="$(<'${cfg.databasePasswordFile}')" + db_password="$(<'${cfg.databasePasswordFile}')" + export db_password if [[ -z "$db_password" ]]; then >&2 echo "Database password was an empty string!" @@ -1195,10 +1202,11 @@ in { rm -f '${cfg.statePath}/config/secrets.yml' - export secret="$(<'${cfg.secrets.secretFile}')" - export db="$(<'${cfg.secrets.dbFile}')" - export otp="$(<'${cfg.secrets.otpFile}')" - export jws="$(<'${cfg.secrets.jwsFile}')" + secret="$(<'${cfg.secrets.secretFile}')" + db="$(<'${cfg.secrets.dbFile}')" + otp="$(<'${cfg.secrets.otpFile}')" + jws="$(<'${cfg.secrets.jwsFile}')" + export secret db otp jws jq -n '{production: {secret_key_base: $ENV.secret, otp_key_base: $ENV.otp, db_key_base: $ENV.db, @@ -1232,7 +1240,8 @@ in { RemainAfterExit = true; ExecStart = pkgs.writeShellScript "gitlab-db-config" '' - set -eu + set -o errexit -o pipefail -o nounset + shopt -s inherit_errexit umask u=rwx,g=rx,o= initial_root_password="$(<'${cfg.initialRootPasswordFile}')" @@ -1245,13 +1254,13 @@ in { systemd.services.gitlab-sidekiq = { after = [ "network.target" - "redis.service" + "redis-gitlab.service" "postgresql.service" "gitlab-config.service" "gitlab-db-config.service" ]; bindsTo = [ - "redis.service" + "redis-gitlab.service" "gitlab-config.service" "gitlab-db-config.service" ] ++ optional (cfg.databaseHost == "") "postgresql.service"; @@ -1366,7 +1375,7 @@ in { systemd.services.gitlab-mailroom = mkIf (gitlabConfig.production.incoming_email.enabled or false) { description = "GitLab incoming mail daemon"; - after = [ "network.target" "redis.service" "gitlab-config.service" ]; + after = [ "network.target" "redis-gitlab.service" "gitlab-config.service" ]; bindsTo = [ "gitlab-config.service" ]; wantedBy = [ "gitlab.target" ]; partOf = [ "gitlab.target" ]; @@ -1387,12 +1396,12 @@ in { after = [ "gitlab-workhorse.service" "network.target" - "redis.service" + "redis-gitlab.service" "gitlab-config.service" "gitlab-db-config.service" ]; bindsTo = [ - "redis.service" + "redis-gitlab.service" "gitlab-config.service" "gitlab-db-config.service" ] ++ optional (cfg.databaseHost == "") "postgresql.service"; diff --git a/nixos/modules/services/misc/input-remapper.nix b/nixos/modules/services/misc/input-remapper.nix new file mode 100644 index 00000000000..c2da0d616a3 --- /dev/null +++ b/nixos/modules/services/misc/input-remapper.nix @@ -0,0 +1,29 @@ +{ pkgs, lib, config, ... }: + +with lib; + +let cfg = config.services.input-remapper; in +{ + options = { + services.input-remapper = { + enable = mkEnableOption "input-remapper, an easy to use tool to change the mapping of your input device buttons."; + package = mkOption { + type = types.package; + default = pkgs.input-remapper; + defaultText = literalExpression "pkgs.input-remapper"; + description = '' + The input-remapper package to use. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + # FIXME: udev rule hangs sometimes when lots of devices connected, so let's not use it + # config.services.udev.packages = mapper-pkg; + services.dbus.packages = cfg.package; + systemd.packages = cfg.package; + environment.systemPackages = cfg.package; + systemd.services.input-remapper.wantedBy = [ "graphical.target" ]; + }; +} diff --git a/nixos/modules/services/misc/matrix-conduit.nix b/nixos/modules/services/misc/matrix-conduit.nix index d6cd575ee9a..108f64de7aa 100644 --- a/nixos/modules/services/misc/matrix-conduit.nix +++ b/nixos/modules/services/misc/matrix-conduit.nix @@ -86,6 +86,15 @@ in and is set to be read only. ''; }; + global.database_backend = mkOption { + type = types.enum [ "sqlite" "rocksdb" ]; + default = "sqlite"; + example = "rocksdb"; + description = '' + The database backend for the service. Switching it on an existing + instance will require manual migration of data. + ''; + }; }; }; default = {}; diff --git a/nixos/modules/services/misc/mbpfan.nix b/nixos/modules/services/misc/mbpfan.nix index d2b0f0da2ad..e0a4d8a13e7 100644 --- a/nixos/modules/services/misc/mbpfan.nix +++ b/nixos/modules/services/misc/mbpfan.nix @@ -6,7 +6,7 @@ let cfg = config.services.mbpfan; verbose = if cfg.verbose then "v" else ""; settingsFormat = pkgs.formats.ini {}; - settingsFile = settingsFormat.generate "config.conf" cfg.settings; + settingsFile = settingsFormat.generate "mbpfan.ini" cfg.settings; in { options.services.mbpfan = { @@ -36,29 +36,35 @@ in { freeformType = settingsFormat.type; options.general.min_fan1_speed = mkOption { - type = types.int; + type = types.nullOr types.int; default = 2000; - description = "The minimum fan speed."; + description = '' + The minimum fan speed. Setting to null enables automatic detection. + Check minimum fan limits with "cat /sys/devices/platform/applesmc.768/fan*_min". + ''; }; options.general.max_fan1_speed = mkOption { - type = types.int; + type = types.nullOr types.int; default = 6199; - description = "The maximum fan speed."; + description = '' + The maximum fan speed. Setting to null enables automatic detection. + Check maximum fan limits with "cat /sys/devices/platform/applesmc.768/fan*_max". + ''; }; options.general.low_temp = mkOption { type = types.int; default = 55; - description = "The low temperature."; + description = "Temperature below which fan speed will be at minimum. Try ranges 55-63."; }; options.general.high_temp = mkOption { type = types.int; default = 58; - description = "The high temperature."; + description = "Fan will increase speed when higher than this temperature. Try ranges 58-66."; }; options.general.max_temp = mkOption { type = types.int; default = 86; - description = "The maximum temperature."; + description = "Fan will run at full speed above this temperature. Do not set it > 90."; }; options.general.polling_interval = mkOption { type = types.int; diff --git a/nixos/modules/services/misc/mediatomb.nix b/nixos/modules/services/misc/mediatomb.nix index ea9ffbb8677..ee5c0ef8d27 100644 --- a/nixos/modules/services/misc/mediatomb.nix +++ b/nixos/modules/services/misc/mediatomb.nix @@ -217,7 +217,6 @@ in { package = mkOption { type = types.package; - example = literalExpression "pkgs.mediatomb"; default = pkgs.gerbera; defaultText = literalExpression "pkgs.gerbera"; description = '' @@ -367,6 +366,7 @@ in { wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = "${binaryCommand} --port ${toString cfg.port} ${interfaceFlag} ${configFlag} --home ${cfg.dataDir}"; serviceConfig.User = cfg.user; + serviceConfig.Group = cfg.group; }; users.groups = optionalAttrs (cfg.group == "mediatomb") { diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 10f9a4afb36..a401458c416 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -69,7 +69,8 @@ let set -e set +o pipefail NIX_CONF_DIR=$PWD \ - ${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net --option experimental-features nix-command"} \ + ${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \ + ${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \ |& sed -e 's/^warning:/error:/' \ | (! grep '${if cfg.checkConfig then "^error:" else "^error: unknown setting"}') set -o pipefail @@ -88,7 +89,7 @@ let requireSignedBinaryCaches = "require-sigs"; trustedUsers = "trusted-users"; allowedUsers = "allowed-users"; - systemFeatures = "system-feature"; + systemFeatures = "system-features"; }; semanticConfType = with types; @@ -673,16 +674,16 @@ in text = concatMapStrings (machine: - (concatStringsSep " " [ + (concatStringsSep " " ([ "${optionalString (machine.sshUser != null) "${machine.sshUser}@"}${machine.hostName}" (if machine.system != null then machine.system else if machine.systems != [ ] then concatStringsSep "," machine.systems else "-") (if machine.sshKey != null then machine.sshKey else "-") (toString machine.maxJobs) (toString machine.speedFactor) - (concatStringsSep "," machine.supportedFeatures) + (concatStringsSep "," (machine.supportedFeatures ++ machine.mandatoryFeatures)) (concatStringsSep "," machine.mandatoryFeatures) ] - ++ optional (isNixAtLeast "2.4pre") (if machine.publicHostKey != null then machine.publicHostKey else "-")) + ++ optional (isNixAtLeast "2.4pre") (if machine.publicHostKey != null then machine.publicHostKey else "-"))) + "\n" ) cfg.buildMachines; diff --git a/nixos/modules/services/misc/packagekit.nix b/nixos/modules/services/misc/packagekit.nix index 93bd206bd98..9191078ef9c 100644 --- a/nixos/modules/services/misc/packagekit.nix +++ b/nixos/modules/services/misc/packagekit.nix @@ -13,7 +13,7 @@ let (iniFmt.generate "PackageKit.conf" (recursiveUpdate { Daemon = { - DefaultBackend = "test_nop"; + DefaultBackend = "nix"; KeepCache = false; }; } @@ -35,7 +35,7 @@ let in { imports = [ - (mkRemovedOptionModule [ "services" "packagekit" "backend" ] "The only backend that doesn't blow up is `test_nop`.") + (mkRemovedOptionModule [ "services" "packagekit" "backend" ] "Always set to Nix.") ]; options.services.packagekit = { @@ -62,6 +62,8 @@ in services.dbus.packages = with pkgs; [ packagekit ]; + environment.systemPackages = with pkgs; [ packagekit ]; + systemd.packages = with pkgs; [ packagekit ]; environment.etc = listToAttrs (map diff --git a/nixos/modules/services/misc/paperless-ng.nix b/nixos/modules/services/misc/paperless-ng.nix index db8082f072c..44efc234a2b 100644 --- a/nixos/modules/services/misc/paperless-ng.nix +++ b/nixos/modules/services/misc/paperless-ng.nix @@ -6,12 +6,18 @@ let defaultUser = "paperless"; + hasCustomRedis = hasAttr "PAPERLESS_REDIS" cfg.extraConfig; + env = { PAPERLESS_DATA_DIR = cfg.dataDir; PAPERLESS_MEDIA_ROOT = cfg.mediaDir; PAPERLESS_CONSUMPTION_DIR = cfg.consumptionDir; GUNICORN_CMD_ARGS = "--bind=${cfg.address}:${toString cfg.port}"; - } // lib.mapAttrs (_: toString) cfg.extraConfig; + } // ( + lib.mapAttrs (_: toString) cfg.extraConfig + ) // (optionalAttrs (!hasCustomRedis) { + PAPERLESS_REDIS = "unix://${config.services.redis.servers.paperless-ng.unixSocket}"; + }); manage = let setupEnv = lib.concatStringsSep "\n" (mapAttrsToList (name: val: "export ${name}=\"${val}\"") env); @@ -30,7 +36,7 @@ let "-/etc/hosts" "-/etc/localtime" "-/run/postgresql" - ]; + ] ++ (optional (!hasCustomRedis) config.services.redis.servers.paperless-ng.unixSocket); BindPaths = [ cfg.consumptionDir cfg.dataDir @@ -44,8 +50,7 @@ let NoNewPrivileges = true; PrivateDevices = true; PrivateMounts = true; - # Needs to connect to redis - # PrivateNetwork = true; + PrivateNetwork = true; PrivateTmp = true; PrivateUsers = true; ProcSubset = "pid"; @@ -65,6 +70,7 @@ let RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; + SupplementaryGroups = optional (!hasCustomRedis) config.services.redis.servers.paperless-ng.user; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ]; # Does not work well with the temporary root @@ -190,7 +196,7 @@ in config = mkIf cfg.enable { # Enable redis if no special url is set - services.redis.enable = mkIf (!hasAttr "PAPERLESS_REDIS" env) true; + services.redis.servers.paperless-ng.enable = mkIf (!hasCustomRedis) true; systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" @@ -234,6 +240,8 @@ in echo "$superuserState" > "$superuserStateFile" fi ''; + } // optionalAttrs (!hasCustomRedis) { + after = [ "redis-paperless-ng.service" ]; }; # Password copying can't be implemented as a privileged preStart script @@ -248,6 +256,8 @@ in '${cfg.passwordFile}' '${cfg.dataDir}/superuser-password' ''; Type = "oneshot"; + # Needs to talk to mail server for automated import rules + PrivateNetwork = false; }; }; @@ -279,6 +289,8 @@ in CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; # gunicorn needs setuid SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "@setuid" ]; + # Needs to serve web page + PrivateNetwork = false; }; environment = env // { PATH = mkForce cfg.package.path; diff --git a/nixos/modules/services/misc/plex.nix b/nixos/modules/services/misc/plex.nix index 2ae4e80d5c3..7000d45975f 100644 --- a/nixos/modules/services/misc/plex.nix +++ b/nixos/modules/services/misc/plex.nix @@ -6,6 +6,10 @@ let cfg = config.services.plex; in { + imports = [ + (mkRemovedOptionModule [ "services" "plex" "managePlugins" ] "Please omit or define the option: `services.plex.extraPlugins' instead.") + ]; + options = { services.plex = { enable = mkEnableOption "Plex Media Server"; @@ -42,16 +46,6 @@ in ''; }; - managePlugins = mkOption { - type = types.bool; - default = true; - description = '' - If set to true, this option will cause all of the symlinks in Plex's - plugin directory to be removed and symlinks for paths specified in - <option>extraPlugins</option> to be added. - ''; - }; - extraPlugins = mkOption { type = types.listOf types.path; default = []; @@ -59,9 +53,7 @@ in A list of paths to extra plugin bundles to install in Plex's plugin directory. Every time the systemd unit for Plex starts up, all of the symlinks in Plex's plugin directory will be cleared and this module - will symlink all of the paths specified here to that directory. If - this behavior is undesired, set <option>managePlugins</option> to - false. + will symlink all of the paths specified here to that directory. ''; }; diff --git a/nixos/modules/services/misc/rmfakecloud.nix b/nixos/modules/services/misc/rmfakecloud.nix new file mode 100644 index 00000000000..fe522653c21 --- /dev/null +++ b/nixos/modules/services/misc/rmfakecloud.nix @@ -0,0 +1,147 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.rmfakecloud; + serviceDataDir = "/var/lib/rmfakecloud"; + +in { + options = { + services.rmfakecloud = { + enable = mkEnableOption "rmfakecloud remarkable self-hosted cloud"; + + package = mkOption { + type = types.package; + default = pkgs.rmfakecloud; + defaultText = literalExpression "pkgs.rmfakecloud"; + description = '' + rmfakecloud package to use. + + The default does not include the web user interface. + ''; + }; + + storageUrl = mkOption { + type = types.str; + example = "https://local.appspot.com"; + description = '' + URL used by the tablet to access the rmfakecloud service. + ''; + }; + + port = mkOption { + type = types.port; + default = 3000; + description = '' + Listening port number. + ''; + }; + + logLevel = mkOption { + type = types.enum [ "info" "debug" "warn" "error" ]; + default = "info"; + description = '' + Logging level. + ''; + }; + + extraSettings = mkOption { + type = with types; attrsOf str; + default = { }; + example = { DATADIR = "/custom/path/for/rmfakecloud/data"; }; + description = '' + Extra settings in the form of a set of key-value pairs. + For tokens and secrets, use `environmentFile` instead. + + Available settings are listed on + https://ddvk.github.io/rmfakecloud/install/configuration/. + ''; + }; + + environmentFile = mkOption { + type = with types; nullOr path; + default = null; + example = "/etc/secrets/rmfakecloud.env"; + description = '' + Path to an environment file loaded for the rmfakecloud service. + + This can be used to securely store tokens and secrets outside of the + world-readable Nix store. Since this file is read by systemd, it may + have permission 0400 and be owned by root. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.rmfakecloud = { + description = "rmfakecloud remarkable self-hosted cloud"; + + environment = { + STORAGE_URL = cfg.storageUrl; + PORT = toString cfg.port; + LOGLEVEL = cfg.logLevel; + } // cfg.extraSettings; + + preStart = '' + # Generate the secret key used to sign client session tokens. + # Replacing it invalidates the previously established sessions. + if [ -z "$JWT_SECRET_KEY" ] && [ ! -f jwt_secret_key ]; then + (umask 077; touch jwt_secret_key) + cat /dev/urandom | tr -cd '[:alnum:]' | head -c 48 >> jwt_secret_key + fi + ''; + + script = '' + if [ -z "$JWT_SECRET_KEY" ]; then + export JWT_SECRET_KEY="$(cat jwt_secret_key)" + fi + + ${cfg.package}/bin/rmfakecloud + ''; + + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + serviceConfig = { + Type = "simple"; + Restart = "always"; + + EnvironmentFile = + mkIf (cfg.environmentFile != null) cfg.environmentFile; + + AmbientCapabilities = + mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; + + DynamicUser = true; + PrivateDevices = true; + ProtectHome = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + ProtectClock = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + WorkingDirectory = serviceDataDir; + StateDirectory = baseNameOf serviceDataDir; + UMask = 0027; + }; + }; + }; + + meta.maintainers = with maintainers; [ pacien ]; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix b/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix index 9e49601ce1a..bac98364538 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix @@ -42,11 +42,11 @@ in { serviceOpts = { serviceConfig = { AmbientCapabilities = [ - "CAP_RAW_SYSIO" + "CAP_SYS_RAWIO" "CAP_SYS_ADMIN" ]; CapabilityBoundingSet = [ - "CAP_RAW_SYSIO" + "CAP_SYS_RAWIO" "CAP_SYS_ADMIN" ]; DevicePolicy = "closed"; diff --git a/nixos/modules/services/network-filesystems/ceph.nix b/nixos/modules/services/network-filesystems/ceph.nix index e313589134f..7a1444decaf 100644 --- a/nixos/modules/services/network-filesystems/ceph.nix +++ b/nixos/modules/services/network-filesystems/ceph.nix @@ -181,8 +181,8 @@ in rgwMimeTypesFile = mkOption { type = with types; nullOr path; - default = "${pkgs.mime-types}/etc/mime.types"; - defaultText = literalExpression ''"''${pkgs.mime-types}/etc/mime.types"''; + default = "${pkgs.mailcap}/etc/mime.types"; + defaultText = literalExpression ''"''${pkgs.mailcap}/etc/mime.types"''; description = '' Path to mime types used by radosgw. ''; diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix index 5482b2aaf88..b311b91b4a0 100644 --- a/nixos/modules/services/network-filesystems/ipfs.nix +++ b/nixos/modules/services/network-filesystems/ipfs.nix @@ -260,24 +260,17 @@ in ipfs --offline config Mounts.IPNS ${cfg.ipnsMountDir} '' + optionalString cfg.autoMigrate '' ${pkgs.ipfs-migrator}/bin/fs-repo-migrations -y - '' + concatStringsSep "\n" (collect - isString - (mapAttrsRecursive - (path: value: - # Using heredoc below so that the value is never improperly quoted - '' - read value <<EOF - ${builtins.toJSON value} - EOF - ipfs --offline config --json "${concatStringsSep "." path}" "$value" - '') - ({ - Addresses.API = cfg.apiAddress; - Addresses.Gateway = cfg.gatewayAddress; - Addresses.Swarm = cfg.swarmAddress; - } // - cfg.extraConfig)) - ); + '' + '' + ipfs --offline config show \ + | ${pkgs.jq}/bin/jq '. * $extraConfig' --argjson extraConfig ${ + escapeShellArg (builtins.toJSON ({ + Addresses.API = cfg.apiAddress; + Addresses.Gateway = cfg.gatewayAddress; + Addresses.Swarm = cfg.swarmAddress; + } // cfg.extraConfig)) + } \ + | ipfs --offline config replace - + ''; serviceConfig = { ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${ipfsFlags}" ]; User = cfg.user; diff --git a/nixos/modules/services/network-filesystems/moosefs.nix b/nixos/modules/services/network-filesystems/moosefs.nix new file mode 100644 index 00000000000..88b2ada37e7 --- /dev/null +++ b/nixos/modules/services/network-filesystems/moosefs.nix @@ -0,0 +1,249 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.moosefs; + + mfsUser = if cfg.runAsUser then "moosefs" else "root"; + + settingsFormat = let + listSep = " "; + allowedTypes = with types; [ bool int float str ]; + valueToString = val: + if isList val then concatStringsSep listSep (map (x: valueToString x) val) + else if isBool val then (if val then "1" else "0") + else toString val; + + in { + type = with types; let + valueType = oneOf ([ + (listOf valueType) + ] ++ allowedTypes) // { + description = "Flat key-value file"; + }; + in attrsOf valueType; + + generate = name: value: + pkgs.writeText name ( lib.concatStringsSep "\n" ( + lib.mapAttrsToList (key: val: "${key} = ${valueToString val}") value )); + }; + + + initTool = pkgs.writeShellScriptBin "mfsmaster-init" '' + if [ ! -e ${cfg.master.settings.DATA_PATH}/metadata.mfs ]; then + cp ${pkgs.moosefs}/var/mfs/metadata.mfs.empty ${cfg.master.settings.DATA_PATH} + chmod +w ${cfg.master.settings.DATA_PATH}/metadata.mfs.empty + ${pkgs.moosefs}/bin/mfsmaster -a -c ${masterCfg} start + ${pkgs.moosefs}/bin/mfsmaster -c ${masterCfg} stop + rm ${cfg.master.settings.DATA_PATH}/metadata.mfs.empty + fi + ''; + + # master config file + masterCfg = settingsFormat.generate + "mfsmaster.cfg" cfg.master.settings; + + # metalogger config file + metaloggerCfg = settingsFormat.generate + "mfsmetalogger.cfg" cfg.metalogger.settings; + + # chunkserver config file + chunkserverCfg = settingsFormat.generate + "mfschunkserver.cfg" cfg.chunkserver.settings; + + # generic template for all deamons + systemdService = name: extraConfig: configFile: { + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network.target" "network-online.target" ]; + + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.moosefs}/bin/mfs${name} -c ${configFile} start"; + ExecStop = "${pkgs.moosefs}/bin/mfs${name} -c ${configFile} stop"; + ExecReload = "${pkgs.moosefs}/bin/mfs${name} -c ${configFile} reload"; + PIDFile = "${cfg."${name}".settings.DATA_PATH}/.mfs${name}.lock"; + } // extraConfig; + }; + +in { + ###### interface + + options = { + services.moosefs = { + masterHost = mkOption { + type = types.str; + default = null; + description = "IP or DNS name of master host."; + }; + + runAsUser = mkOption { + type = types.bool; + default = true; + example = true; + description = "Run daemons as user moosefs instead of root."; + }; + + client.enable = mkEnableOption "Moosefs client."; + + master = { + enable = mkOption { + type = types.bool; + description = '' + Enable Moosefs master daemon. + + You need to run <literal>mfsmaster-init</literal> on a freshly installed master server to + initialize the <literal>DATA_PATH</literal> direcory. + ''; + default = false; + }; + + exports = mkOption { + type = with types; listOf str; + default = null; + description = "Paths to export (see mfsexports.cfg)."; + example = [ + "* / rw,alldirs,admin,maproot=0:0" + "* . rw" + ]; + }; + + openFirewall = mkOption { + type = types.bool; + description = "Whether to automatically open the necessary ports in the firewall."; + default = false; + }; + + settings = mkOption { + type = types.submodule { + freeformType = settingsFormat.type; + + options.DATA_PATH = mkOption { + type = types.str; + default = "/var/lib/mfs"; + description = "Data storage directory."; + }; + }; + + description = "Contents of config file (mfsmaster.cfg)."; + }; + }; + + metalogger = { + enable = mkEnableOption "Moosefs metalogger daemon."; + + settings = mkOption { + type = types.submodule { + freeformType = settingsFormat.type; + + options.DATA_PATH = mkOption { + type = types.str; + default = "/var/lib/mfs"; + description = "Data storage directory"; + }; + }; + + description = "Contents of metalogger config file (mfsmetalogger.cfg)."; + }; + }; + + chunkserver = { + enable = mkEnableOption "Moosefs chunkserver daemon."; + + openFirewall = mkOption { + type = types.bool; + description = "Whether to automatically open the necessary ports in the firewall."; + default = false; + }; + + hdds = mkOption { + type = with types; listOf str; + default = null; + description = "Mount points to be used by chunkserver for storage (see mfshdd.cfg)."; + example = [ "/mnt/hdd1" ]; + }; + + settings = mkOption { + type = types.submodule { + freeformType = settingsFormat.type; + + options.DATA_PATH = mkOption { + type = types.str; + default = "/var/lib/mfs"; + description = "Directory for lock file."; + }; + }; + + description = "Contents of chunkserver config file (mfschunkserver.cfg)."; + }; + }; + }; + }; + + ###### implementation + + config = mkIf ( cfg.client.enable || cfg.master.enable || cfg.metalogger.enable || cfg.chunkserver.enable ) { + + warnings = [ ( mkIf (!cfg.runAsUser) "Running moosefs services as root is not recommended.") ]; + + # Service settings + services.moosefs = { + master.settings = mkIf cfg.master.enable { + WORKING_USER = mfsUser; + EXPORTS_FILENAME = toString ( pkgs.writeText "mfsexports.cfg" + (concatStringsSep "\n" cfg.master.exports)); + }; + + metalogger.settings = mkIf cfg.metalogger.enable { + WORKING_USER = mfsUser; + MASTER_HOST = cfg.masterHost; + }; + + chunkserver.settings = mkIf cfg.chunkserver.enable { + WORKING_USER = mfsUser; + MASTER_HOST = cfg.masterHost; + HDD_CONF_FILENAME = toString ( pkgs.writeText "mfshdd.cfg" + (concatStringsSep "\n" cfg.chunkserver.hdds)); + }; + }; + + # Create system user account for daemons + users = mkIf ( cfg.runAsUser && ( cfg.master.enable || cfg.metalogger.enable || cfg.chunkserver.enable ) ) { + users.moosefs = { + isSystemUser = true; + description = "moosefs daemon user"; + group = "moosefs"; + }; + groups.moosefs = {}; + }; + + environment.systemPackages = + (lib.optional cfg.client.enable pkgs.moosefs) ++ + (lib.optional cfg.master.enable initTool); + + networking.firewall.allowedTCPPorts = + (lib.optionals cfg.master.openFirewall [ 9419 9420 9421 ]) ++ + (lib.optional cfg.chunkserver.openFirewall 9422); + + # Ensure storage directories exist + systemd.tmpfiles.rules = + optional cfg.master.enable "d ${cfg.master.settings.DATA_PATH} 0700 ${mfsUser} ${mfsUser}" + ++ optional cfg.metalogger.enable "d ${cfg.metalogger.settings.DATA_PATH} 0700 ${mfsUser} ${mfsUser}" + ++ optional cfg.chunkserver.enable "d ${cfg.chunkserver.settings.DATA_PATH} 0700 ${mfsUser} ${mfsUser}"; + + # Service definitions + systemd.services.mfs-master = mkIf cfg.master.enable + ( systemdService "master" { + TimeoutStartSec = 1800; + TimeoutStopSec = 1800; + Restart = "no"; + } masterCfg ); + + systemd.services.mfs-metalogger = mkIf cfg.metalogger.enable + ( systemdService "metalogger" { Restart = "on-abnormal"; } metaloggerCfg ); + + systemd.services.mfs-chunkserver = mkIf cfg.chunkserver.enable + ( systemdService "chunkserver" { Restart = "on-abnormal"; } chunkserverCfg ); + }; +} diff --git a/nixos/modules/services/network-filesystems/rsyncd.nix b/nixos/modules/services/network-filesystems/rsyncd.nix index edac86eb0e3..e72f9b54cd6 100644 --- a/nixos/modules/services/network-filesystems/rsyncd.nix +++ b/nixos/modules/services/network-filesystems/rsyncd.nix @@ -79,7 +79,7 @@ in { in { services.rsync = { enable = !cfg.socketActivated; - aliases = [ "rsyncd" ]; + aliases = [ "rsyncd.service" ]; description = "fast remote file copy program daemon"; after = [ "network.target" ]; diff --git a/nixos/modules/services/networking/blocky.nix b/nixos/modules/services/networking/blocky.nix new file mode 100644 index 00000000000..7488e05fc03 --- /dev/null +++ b/nixos/modules/services/networking/blocky.nix @@ -0,0 +1,40 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.blocky; + + format = pkgs.formats.yaml { }; + configFile = format.generate "config.yaml" cfg.settings; +in +{ + options.services.blocky = { + enable = mkEnableOption "Fast and lightweight DNS proxy as ad-blocker for local network with many features"; + + settings = mkOption { + type = format.type; + default = { }; + description = '' + Blocky configuration. Refer to + <link xlink:href="https://0xerr0r.github.io/blocky/configuration/"/> + for details on supported values. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.blocky = { + description = "A DNS proxy and ad-blocker for the local network"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + DynamicUser = true; + ExecStart = "${pkgs.blocky}/bin/blocky --config ${configFile}"; + + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/connman.nix b/nixos/modules/services/networking/connman.nix index 8886e7a30f1..9945dc83a27 100644 --- a/nixos/modules/services/networking/connman.nix +++ b/nixos/modules/services/networking/connman.nix @@ -127,7 +127,7 @@ in { description = "ConnMan VPN service"; wantedBy = [ "multi-user.target" ]; after = [ "syslog.target" ]; - before = [ "connman" ]; + before = [ "connman.service" ]; serviceConfig = { Type = "dbus"; BusName = "net.connman.vpn"; @@ -140,7 +140,7 @@ in { description = "D-BUS Service"; serviceConfig = { Name = "net.connman.vpn"; - before = [ "connman" ]; + before = [ "connman.service" ]; ExecStart = "${cfg.package}/sbin/connman-vpnd -n"; User = "root"; SystemdService = "connman-vpn.service"; diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix index 2c339350acd..3eb7ca99eaf 100644 --- a/nixos/modules/services/networking/dhcpcd.nix +++ b/nixos/modules/services/networking/dhcpcd.nix @@ -183,6 +183,20 @@ in config = mkIf enableDHCP { + assertions = [ { + # dhcpcd doesn't start properly with malloc ∉ [ libc scudo ] + # see https://github.com/NixOS/nixpkgs/issues/151696 + assertion = + dhcpcd.enablePrivSep + -> elem config.environment.memoryAllocator.provider [ "libc" "scudo" ]; + message = '' + dhcpcd with privilege separation is incompatible with chosen system malloc. + Currently only the `libc` and `scudo` allocators are known to work. + To disable dhcpcd's privilege separation, overlay Nixpkgs and override dhcpcd + to set `enablePrivSep = false`. + ''; + } ]; + systemd.services.dhcpcd = let cfgN = config.networking; hasDefaultGatewaySet = (cfgN.defaultGateway != null && cfgN.defaultGateway.address != "") diff --git a/nixos/modules/services/networking/dhcpd.nix b/nixos/modules/services/networking/dhcpd.nix index 54e4f900285..3c4c0069dfd 100644 --- a/nixos/modules/services/networking/dhcpd.nix +++ b/nixos/modules/services/networking/dhcpd.nix @@ -28,38 +28,45 @@ let } ''; - dhcpdService = postfix: cfg: optionalAttrs cfg.enable { - "dhcpd${postfix}" = { - description = "DHCPv${postfix} server"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - - preStart = '' - mkdir -m 755 -p ${cfg.stateDir} - chown dhcpd:nogroup ${cfg.stateDir} - touch ${cfg.stateDir}/dhcpd.leases - ''; - - serviceConfig = - let - configFile = if cfg.configFile != null then cfg.configFile else writeConfig cfg; - args = [ "@${pkgs.dhcp}/sbin/dhcpd" "dhcpd${postfix}" "-${postfix}" - "-pf" "/run/dhcpd${postfix}/dhcpd.pid" - "-cf" "${configFile}" - "-lf" "${cfg.stateDir}/dhcpd.leases" - "-user" "dhcpd" "-group" "nogroup" - ] ++ cfg.extraFlags - ++ cfg.interfaces; - - in { - ExecStart = concatMapStringsSep " " escapeShellArg args; - Type = "forking"; - Restart = "always"; - RuntimeDirectory = [ "dhcpd${postfix}" ]; - PIDFile = "/run/dhcpd${postfix}/dhcpd.pid"; + dhcpdService = postfix: cfg: + let + configFile = + if cfg.configFile != null + then cfg.configFile + else writeConfig cfg; + leaseFile = "/var/lib/dhcpd${postfix}/dhcpd.leases"; + args = [ + "@${pkgs.dhcp}/sbin/dhcpd" "dhcpd${postfix}" "-${postfix}" + "-pf" "/run/dhcpd${postfix}/dhcpd.pid" + "-cf" configFile + "-lf" leaseFile + ] ++ cfg.extraFlags + ++ cfg.interfaces; + in + optionalAttrs cfg.enable { + "dhcpd${postfix}" = { + description = "DHCPv${postfix} server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + preStart = "touch ${leaseFile}"; + serviceConfig = { + ExecStart = concatMapStringsSep " " escapeShellArg args; + Type = "forking"; + Restart = "always"; + DynamicUser = true; + User = "dhcpd"; + Group = "dhcpd"; + AmbientCapabilities = [ + "CAP_NET_RAW" # to send ICMP messages + "CAP_NET_BIND_SERVICE" # to bind on DHCP port (67) + ]; + StateDirectory = "dhcpd${postfix}"; + RuntimeDirectory = "dhcpd${postfix}"; + PIDFile = "/run/dhcpd${postfix}/dhcpd.pid"; + }; }; - }; - }; + }; machineOpts = { ... }: { @@ -102,15 +109,6 @@ let ''; }; - stateDir = mkOption { - type = types.path; - # We use /var/lib/dhcp for DHCPv4 to save backwards compatibility. - default = "/var/lib/dhcp${if postfix == "4" then "" else postfix}"; - description = '' - State directory for the DHCP server. - ''; - }; - extraConfig = mkOption { type = types.lines; default = ""; @@ -194,7 +192,13 @@ in imports = [ (mkRenamedOptionModule [ "services" "dhcpd" ] [ "services" "dhcpd4" ]) - ]; + ] ++ flip map [ "4" "6" ] (postfix: + mkRemovedOptionModule [ "services" "dhcpd${postfix}" "stateDir" ] '' + The DHCP server state directory is now managed with the systemd's DynamicUser mechanism. + This means the directory is named after the service (dhcpd${postfix}), created under + /var/lib/private/ and symlinked to /var/lib/. + '' + ); ###### interface @@ -210,15 +214,6 @@ in config = mkIf (cfg4.enable || cfg6.enable) { - users = { - users.dhcpd = { - isSystemUser = true; - group = "dhcpd"; - description = "DHCP daemon user"; - }; - groups.dhcpd = {}; - }; - systemd.services = dhcpdService "4" cfg4 // dhcpdService "6" cfg6; }; diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index ff023a888f2..7482e29a3fd 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -179,10 +179,6 @@ let ) cfg.allowedUDPPortRanges ) allInterfaces)} - # Accept IPv4 multicast. Not a big security risk since - # probably nobody is listening anyway. - #iptables -A nixos-fw -d 224.0.0.0/4 -j nixos-fw-accept - # Optionally respond to ICMPv4 pings. ${optionalString cfg.allowPing '' iptables -w -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null) @@ -326,7 +322,7 @@ in type = types.package; default = pkgs.iptables; defaultText = literalExpression "pkgs.iptables"; - example = literalExpression "pkgs.iptables-nftables-compat"; + example = literalExpression "pkgs.iptables-legacy"; description = '' The iptables package to use for running the firewall service." diff --git a/nixos/modules/services/networking/gogoclient.nix b/nixos/modules/services/networking/gogoclient.nix deleted file mode 100644 index 1205321818b..00000000000 --- a/nixos/modules/services/networking/gogoclient.nix +++ /dev/null @@ -1,87 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let cfg = config.services.gogoclient; -in - -{ - - ###### interface - - options = { - services.gogoclient = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - Enable the gogoCLIENT IPv6 tunnel. - ''; - }; - autorun = mkOption { - type = types.bool; - default = true; - description = '' - Whether to automatically start the tunnel. - ''; - }; - - username = mkOption { - default = ""; - type = types.str; - description = '' - Your Gateway6 login name, if any. - ''; - }; - - password = mkOption { - default = ""; - type = types.str; - description = '' - Path to a file (as a string), containing your gogoNET password, if any. - ''; - }; - - server = mkOption { - type = types.str; - default = "anonymous.freenet6.net"; - example = "broker.freenet6.net"; - description = "The Gateway6 server to be used."; - }; - }; - }; - - ###### implementation - - config = mkIf cfg.enable { - boot.kernelModules = [ "tun" ]; - - networking.enableIPv6 = true; - - systemd.services.gogoclient = { - description = "ipv6 tunnel"; - - after = [ "network.target" ]; - requires = [ "network.target" ]; - - unitConfig.RequiresMountsFor = "/var/lib/gogoc"; - - script = let authMethod = if cfg.password == "" then "anonymous" else "any"; in '' - mkdir -p -m 700 /var/lib/gogoc - cat ${pkgs.gogoclient}/share/${pkgs.gogoclient.name}/gogoc.conf.sample | \ - ${pkgs.gnused}/bin/sed \ - -e "s|^userid=|&${cfg.username}|" \ - -e "s|^passwd=|&${optionalString (cfg.password != "") "$(cat ${cfg.password})"}|" \ - -e "s|^server=.*|server=${cfg.server}|" \ - -e "s|^auth_method=.*|auth_method=${authMethod}|" \ - -e "s|^#log_file=|log_file=1|" > /var/lib/gogoc/gogoc.conf - cd /var/lib/gogoc - exec ${pkgs.gogoclient}/bin/gogoc -y -f /var/lib/gogoc/gogoc.conf - ''; - } // optionalAttrs cfg.autorun { - wantedBy = [ "multi-user.target" ]; - }; - - }; - -} diff --git a/nixos/modules/services/networking/headscale.nix b/nixos/modules/services/networking/headscale.nix new file mode 100644 index 00000000000..091d2a938cd --- /dev/null +++ b/nixos/modules/services/networking/headscale.nix @@ -0,0 +1,490 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.headscale; + + dataDir = "/var/lib/headscale"; + runDir = "/run/headscale"; + + settingsFormat = pkgs.formats.yaml { }; + configFile = settingsFormat.generate "headscale.yaml" cfg.settings; +in +{ + options = { + services.headscale = { + enable = mkEnableOption "headscale, Open Source coordination server for Tailscale"; + + package = mkOption { + type = types.package; + default = pkgs.headscale; + defaultText = literalExpression "pkgs.headscale"; + description = '' + Which headscale package to use for the running server. + ''; + }; + + user = mkOption { + default = "headscale"; + type = types.str; + description = '' + User account under which headscale runs. + <note><para> + If left as the default value this user will automatically be created + on system activation, otherwise you are responsible for + ensuring the user exists before the headscale service starts. + </para></note> + ''; + }; + + group = mkOption { + default = "headscale"; + type = types.str; + description = '' + Group under which headscale runs. + <note><para> + If left as the default value this group will automatically be created + on system activation, otherwise you are responsible for + ensuring the user exists before the headscale service starts. + </para></note> + ''; + }; + + serverUrl = mkOption { + type = types.str; + default = "http://127.0.0.1:8080"; + description = '' + The url clients will connect to. + ''; + example = "https://myheadscale.example.com:443"; + }; + + address = mkOption { + type = types.str; + default = "127.0.0.1"; + description = '' + Listening address of headscale. + ''; + example = "0.0.0.0"; + }; + + port = mkOption { + type = types.port; + default = 8080; + description = '' + Listening port of headscale. + ''; + example = 443; + }; + + privateKeyFile = mkOption { + type = types.path; + default = "${dataDir}/private.key"; + description = '' + Path to private key file, generated automatically if it does not exist. + ''; + }; + + derp = { + urls = mkOption { + type = types.listOf types.str; + default = [ "https://controlplane.tailscale.com/derpmap/default" ]; + description = '' + List of urls containing DERP maps. + See <link xlink:href="https://tailscale.com/blog/how-tailscale-works/">How Tailscale works</link> for more information on DERP maps. + ''; + }; + + paths = mkOption { + type = types.listOf types.path; + default = [ ]; + description = '' + List of file paths containing DERP maps. + See <link xlink:href="https://tailscale.com/blog/how-tailscale-works/">How Tailscale works</link> for more information on DERP maps. + ''; + }; + + + autoUpdate = mkOption { + type = types.bool; + default = true; + description = '' + Whether to automatically update DERP maps on a set frequency. + ''; + example = false; + }; + + updateFrequency = mkOption { + type = types.str; + default = "24h"; + description = '' + Frequency to update DERP maps. + ''; + example = "5m"; + }; + + }; + + ephemeralNodeInactivityTimeout = mkOption { + type = types.str; + default = "30m"; + description = '' + Time before an inactive ephemeral node is deleted. + ''; + example = "5m"; + }; + + database = { + type = mkOption { + type = types.enum [ "sqlite3" "postgres" ]; + example = "postgres"; + default = "sqlite3"; + description = "Database engine to use."; + }; + + host = mkOption { + type = types.nullOr types.str; + default = null; + example = "127.0.0.1"; + description = "Database host address."; + }; + + port = mkOption { + type = types.nullOr types.port; + default = null; + example = 3306; + description = "Database host port."; + }; + + name = mkOption { + type = types.nullOr types.str; + default = null; + example = "headscale"; + description = "Database name."; + }; + + user = mkOption { + type = types.nullOr types.str; + default = null; + example = "headscale"; + description = "Database user."; + }; + + passwordFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/headscale-dbpassword"; + description = '' + A file containing the password corresponding to + <option>database.user</option>. + ''; + }; + + path = mkOption { + type = types.nullOr types.str; + default = "${dataDir}/db.sqlite"; + description = "Path to the sqlite3 database file."; + }; + }; + + logLevel = mkOption { + type = types.str; + default = "info"; + description = '' + headscale log level. + ''; + example = "debug"; + }; + + dns = { + nameservers = mkOption { + type = types.listOf types.str; + default = [ "1.1.1.1" ]; + description = '' + List of nameservers to pass to Tailscale clients. + ''; + }; + + domains = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + Search domains to inject to Tailscale clients. + ''; + example = [ "mydomain.internal" ]; + }; + + magicDns = mkOption { + type = types.bool; + default = true; + description = '' + Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/). + Only works if there is at least a nameserver defined. + ''; + example = false; + }; + + baseDomain = mkOption { + type = types.str; + default = ""; + description = '' + Defines the base domain to create the hostnames for MagicDNS. + <option>baseDomain</option> must be a FQDNs, without the trailing dot. + The FQDN of the hosts will be + <literal>hostname.namespace.base_domain</literal> (e.g. + <literal>myhost.mynamespace.example.com</literal>). + ''; + }; + }; + + openIdConnect = { + issuer = mkOption { + type = types.str; + default = ""; + description = '' + URL to OpenID issuer. + ''; + example = "https://openid.example.com"; + }; + + clientId = mkOption { + type = types.str; + default = ""; + description = '' + OpenID Connect client ID. + ''; + }; + + clientSecretFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to OpenID Connect client secret file. + ''; + }; + + domainMap = mkOption { + type = types.attrsOf types.str; + default = { }; + description = '' + Domain map is used to map incomming users (by their email) to + a namespace. The key can be a string, or regex. + ''; + example = { + ".*" = "default-namespace"; + }; + }; + + }; + + tls = { + letsencrypt = { + hostname = mkOption { + type = types.nullOr types.str; + default = ""; + description = '' + Domain name to request a TLS certificate for. + ''; + }; + challengeType = mkOption { + type = types.enum [ "TLS_ALPN-01" "HTTP-01" ]; + default = "HTTP-01"; + description = '' + Type of ACME challenge to use, currently supported types: + <literal>HTTP-01</literal> or <literal>TLS_ALPN-01</literal>. + ''; + }; + httpListen = mkOption { + type = types.nullOr types.str; + default = ":http"; + description = '' + When HTTP-01 challenge is chosen, letsencrypt must set up a + verification endpoint, and it will be listening on: + <literal>:http = port 80</literal>. + ''; + }; + }; + + certFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to already created certificate. + ''; + }; + keyFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to key for already created certificate. + ''; + }; + }; + + aclPolicyFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to a file containg ACL policies. + ''; + }; + + settings = mkOption { + type = settingsFormat.type; + default = { }; + description = '' + Overrides to <filename>config.yaml</filename> as a Nix attribute set. + This option is ideal for overriding settings not exposed as Nix options. + Check the <link xlink:href="https://github.com/juanfont/headscale/blob/main/config-example.yaml">example config</link> + for possible options. + ''; + }; + + + }; + + }; + config = mkIf cfg.enable { + + services.headscale.settings = { + server_url = mkDefault cfg.serverUrl; + listen_addr = mkDefault "${cfg.address}:${toString cfg.port}"; + + private_key_path = mkDefault cfg.privateKeyFile; + + derp = { + urls = mkDefault cfg.derp.urls; + paths = mkDefault cfg.derp.paths; + auto_update_enable = mkDefault cfg.derp.autoUpdate; + update_frequency = mkDefault cfg.derp.updateFrequency; + }; + + # Turn off update checks since the origin of our package + # is nixpkgs and not Github. + disable_check_updates = true; + + ephemeral_node_inactivity_timeout = mkDefault cfg.ephemeralNodeInactivityTimeout; + + db_type = mkDefault cfg.database.type; + db_path = mkDefault cfg.database.path; + + log_level = mkDefault cfg.logLevel; + + dns_config = { + nameservers = mkDefault cfg.dns.nameservers; + domains = mkDefault cfg.dns.domains; + magic_dns = mkDefault cfg.dns.magicDns; + base_domain = mkDefault cfg.dns.baseDomain; + }; + + unix_socket = "${runDir}/headscale.sock"; + + # OpenID Connect + oidc = { + issuer = mkDefault cfg.openIdConnect.issuer; + client_id = mkDefault cfg.openIdConnect.clientId; + domain_map = mkDefault cfg.openIdConnect.domainMap; + }; + + tls_letsencrypt_cache_dir = "${dataDir}/.cache"; + + } // optionalAttrs (cfg.database.host != null) { + db_host = mkDefault cfg.database.host; + } // optionalAttrs (cfg.database.port != null) { + db_port = mkDefault cfg.database.port; + } // optionalAttrs (cfg.database.name != null) { + db_name = mkDefault cfg.database.name; + } // optionalAttrs (cfg.database.user != null) { + db_user = mkDefault cfg.database.user; + } // optionalAttrs (cfg.tls.letsencrypt.hostname != null) { + tls_letsencrypt_hostname = mkDefault cfg.tls.letsencrypt.hostname; + } // optionalAttrs (cfg.tls.letsencrypt.challengeType != null) { + tls_letsencrypt_challenge_type = mkDefault cfg.tls.letsencrypt.challengeType; + } // optionalAttrs (cfg.tls.letsencrypt.httpListen != null) { + tls_letsencrypt_listen = mkDefault cfg.tls.letsencrypt.httpListen; + } // optionalAttrs (cfg.tls.certFile != null) { + tls_cert_path = mkDefault cfg.tls.certFile; + } // optionalAttrs (cfg.tls.keyFile != null) { + tls_key_path = mkDefault cfg.tls.keyFile; + } // optionalAttrs (cfg.aclPolicyFile != null) { + acl_policy_path = mkDefault cfg.aclPolicyFile; + }; + + # Setup the headscale configuration in a known path in /etc to + # allow both the Server and the Client use it to find the socket + # for communication. + environment.etc."headscale/config.yaml".source = configFile; + + users.groups.headscale = mkIf (cfg.group == "headscale") { }; + + users.users.headscale = mkIf (cfg.user == "headscale") { + description = "headscale user"; + home = dataDir; + group = cfg.group; + isSystemUser = true; + }; + + systemd.services.headscale = { + description = "headscale coordination server for Tailscale"; + after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ configFile ]; + + script = '' + ${optionalString (cfg.database.passwordFile != null) '' + export HEADSCALE_DB_PASS="$(head -n1 ${escapeShellArg cfg.database.passwordFile})" + ''} + + export HEADSCALE_OIDC_CLIENT_SECRET="$(head -n1 ${escapeShellArg cfg.openIdConnect.clientSecretFile})" + exec ${cfg.package}/bin/headscale serve + ''; + + serviceConfig = + let + capabilityBoundingSet = [ "CAP_CHOWN" ] ++ optional (cfg.port < 1024) "CAP_NET_BIND_SERVICE"; + in + { + Restart = "always"; + Type = "simple"; + User = cfg.user; + Group = cfg.group; + + # Hardening options + RuntimeDirectory = "headscale"; + # Allow headscale group access so users can be added and use the CLI. + RuntimeDirectoryMode = "0750"; + + StateDirectory = "headscale"; + StateDirectoryMode = "0750"; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectHostname = true; + ProtectClock = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + RestrictNamespaces = true; + RemoveIPC = true; + UMask = "0077"; + + CapabilityBoundingSet = capabilityBoundingSet; + AmbientCapabilities = capabilityBoundingSet; + NoNewPrivileges = true; + LockPersonality = true; + RestrictRealtime = true; + SystemCallFilter = [ "@system-service" "~@priviledged" "@chown" ]; + SystemCallArchitectures = "native"; + RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX"; + }; + }; + }; + + meta.maintainers = with maintainers; [ kradalby ]; +} diff --git a/nixos/modules/services/networking/hylafax/options.nix b/nixos/modules/services/networking/hylafax/options.nix index 8e59c68054d..8f621b61002 100644 --- a/nixos/modules/services/networking/hylafax/options.nix +++ b/nixos/modules/services/networking/hylafax/options.nix @@ -3,7 +3,7 @@ let inherit (lib.options) literalExpression mkEnableOption mkOption; - inherit (lib.types) bool enum ints lines attrsOf nullOr path str submodule; + inherit (lib.types) bool enum ints lines attrsOf nonEmptyStr nullOr path str submodule; inherit (lib.modules) mkDefault mkIf mkMerge; commonDescr = '' @@ -17,8 +17,6 @@ let configuration to yield an operational system. ''; - str1 = lib.types.addCheck str (s: s!=""); # non-empty string - configAttrType = # Options in HylaFAX configuration files can be # booleans, strings, integers, or list thereof @@ -37,7 +35,7 @@ let modemConfigOptions = { name, config, ... }: { options = { name = mkOption { - type = str1; + type = nonEmptyStr; example = "ttyS1"; description = '' Name of modem device, @@ -45,7 +43,7 @@ let ''; }; type = mkOption { - type = str1; + type = nonEmptyStr; example = "cirrus"; description = '' Name of modem configuration file, @@ -135,14 +133,14 @@ in }; countryCode = mkOption { - type = nullOr str1; + type = nullOr nonEmptyStr; default = null; example = "49"; description = "Country code for server and all modems."; }; areaCode = mkOption { - type = nullOr str1; + type = nullOr nonEmptyStr; default = null; example = "30"; description = "Area code for server and all modems."; @@ -279,7 +277,7 @@ in each time the spooling area is initialized. ''; faxcron.enable.frequency = mkOption { - type = nullOr str1; + type = nullOr nonEmptyStr; default = null; example = "daily"; description = '' @@ -319,7 +317,7 @@ in each time the spooling area is initialized. ''; faxqclean.enable.frequency = mkOption { - type = nullOr str1; + type = nullOr nonEmptyStr; default = null; example = "daily"; description = '' diff --git a/nixos/modules/services/networking/i2pd.nix b/nixos/modules/services/networking/i2pd.nix index e1a31a0c2ee..34fda57b23d 100644 --- a/nixos/modules/services/networking/i2pd.nix +++ b/nixos/modules/services/networking/i2pd.nix @@ -222,14 +222,12 @@ let in concatStringsSep "\n" inTunOpts))]; in pkgs.writeText "i2pd-tunnels.conf" opts; - i2pdSh = pkgs.writeScriptBin "i2pd" '' - #!/bin/sh - exec ${cfg.package}/bin/i2pd \ - ${if cfg.address == null then "" else "--host="+cfg.address} \ - --service \ - --conf=${i2pdConf} \ - --tunconf=${tunnelConf} - ''; + i2pdFlags = concatStringsSep " " ( + optional (cfg.address != null) ("--host=" + cfg.address) ++ [ + "--service" + ("--conf=" + i2pdConf) + ("--tunconf=" + tunnelConf) + ]); in @@ -686,7 +684,7 @@ in User = "i2pd"; WorkingDirectory = homeDir; Restart = "on-abort"; - ExecStart = "${i2pdSh}/bin/i2pd"; + ExecStart = "${cfg.package}/bin/i2pd ${i2pdFlags}"; }; }; }; diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix index bbbe1e181bb..992678c43eb 100644 --- a/nixos/modules/services/networking/murmur.nix +++ b/nixos/modules/services/networking/murmur.nix @@ -294,7 +294,7 @@ in systemd.services.murmur = { description = "Murmur Chat Service"; wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target "]; + after = [ "network-online.target" ]; preStart = '' ${pkgs.envsubst}/bin/envsubst \ -o /run/murmur/murmurd.ini \ diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 73e63e2ee99..a9801036b00 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -384,6 +384,17 @@ in { so you don't need to to that yourself. ''; }; + + enableFccUnlock = mkOption { + type = types.bool; + default = false; + description = '' + Enable FCC unlock procedures. Since release 1.18.4, the ModemManager daemon no longer + automatically performs the FCC unlock procedure by default. See + <link xlink:href="https://modemmanager.org/docs/modemmanager/fcc-unlock/">the docs</link> + for more details. + ''; + }; }; }; @@ -438,7 +449,13 @@ in { "NetworkManager/VPN/nm-sstp-service.name".source = "${networkmanager-sstp}/lib/NetworkManager/VPN/nm-sstp-service.name"; + } + // optionalAttrs cfg.enableFccUnlock + { + "ModemManager/fcc-unlock.d".source = + "${pkgs.modemmanager}/share/ModemManager/fcc-unlock.available.d/*"; + } // optionalAttrs (cfg.appendNameservers != [] || cfg.insertNameservers != []) { "NetworkManager/dispatcher.d/02overridedns".source = overrideNameserversScript; diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix index eb74d373b0a..b911f97491e 100644 --- a/nixos/modules/services/networking/nftables.nix +++ b/nixos/modules/services/networking/nftables.nix @@ -25,9 +25,10 @@ in for more information. There are other programs that use iptables internally too, such as - libvirt. + libvirt. For information on how the two firewalls interact, see [2]. [1]: https://github.com/NixOS/nixpkgs/issues/24318#issuecomment-289216273 + [2]: https://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting#Question_4._How_do_nftables_and_iptables_interact_when_used_on_the_same_system.3F ''; }; networking.nftables.ruleset = mkOption { @@ -118,20 +119,11 @@ in flush ruleset include "${cfg.rulesetFile}" ''; - checkScript = pkgs.writeScript "nftables-check" '' - #! ${pkgs.runtimeShell} -e - if $(${pkgs.kmod}/bin/lsmod | grep -q ip_tables); then - echo "Unload ip_tables before using nftables!" 1>&2 - exit 1 - else - ${rulesScript} - fi - ''; in { Type = "oneshot"; RemainAfterExit = true; - ExecStart = checkScript; - ExecReload = checkScript; + ExecStart = rulesScript; + ExecReload = rulesScript; ExecStop = "${pkgs.nftables}/bin/nft flush ruleset"; }; }; diff --git a/nixos/modules/services/networking/ntopng.nix b/nixos/modules/services/networking/ntopng.nix index 77a004e8ab3..022fc923eda 100644 --- a/nixos/modules/services/networking/ntopng.nix +++ b/nixos/modules/services/networking/ntopng.nix @@ -6,7 +6,13 @@ let cfg = config.services.ntopng; opt = options.services.ntopng; - redisCfg = config.services.redis; + + createRedis = cfg.redis.createInstance != null; + redisService = + if cfg.redis.createInstance == "" then + "redis.service" + else + "redis-${cfg.redis.createInstance}.service"; configFile = if cfg.configText != "" then pkgs.writeText "ntopng.conf" '' @@ -15,8 +21,10 @@ let else pkgs.writeText "ntopng.conf" '' ${concatStringsSep " " (map (e: "--interface=" + e) cfg.interfaces)} - --http-port=${toString cfg.http-port} - --redis=localhost:${toString redisCfg.port} + --http-port=${toString cfg.httpPort} + --redis=${cfg.redis.address} + --data-dir=/var/lib/ntopng + --user=ntopng ${cfg.extraConfig} ''; @@ -24,6 +32,10 @@ in { + imports = [ + (mkRenamedOptionModule [ "services" "ntopng" "http-port" ] [ "services" "ntopng" "httpPort" ]) + ]; + options = { services.ntopng = { @@ -56,7 +68,7 @@ in ''; }; - http-port = mkOption { + httpPort = mkOption { default = 3000; type = types.int; description = '' @@ -64,6 +76,24 @@ in ''; }; + redis.address = mkOption { + type = types.str; + example = literalExpression "config.services.redis.ntopng.unixSocket"; + description = '' + Redis address - may be a Unix socket or a network host and port. + ''; + }; + + redis.createInstance = mkOption { + type = types.nullOr types.str; + default = if versionAtLeast config.system.stateVersion "22.05" then "ntopng" else ""; + description = '' + Local Redis instance name. Set to <literal>null</literal> to disable + local Redis instance. Defaults to <literal>""</literal> for + <literal>system.stateVersion</literal> older than 22.05. + ''; + }; + configText = mkOption { default = ""; example = '' @@ -95,23 +125,36 @@ in config = mkIf cfg.enable { # ntopng uses redis for data storage - services.redis.enable = true; + services.ntopng.redis.address = + mkIf createRedis config.services.redis.servers.${cfg.redis.createInstance}.unixSocket; + + services.redis.servers = mkIf createRedis { + ${cfg.redis.createInstance} = { + enable = true; + user = mkIf (cfg.redis.createInstance == "ntopng") "ntopng"; + }; + }; # nice to have manual page and ntopng command in PATH environment.systemPackages = [ pkgs.ntopng ]; + systemd.tmpfiles.rules = [ "d /var/lib/ntopng 0700 ntopng ntopng -" ]; + systemd.services.ntopng = { description = "Ntopng Network Monitor"; - requires = [ "redis.service" ]; - after = [ "network.target" "redis.service" ]; + requires = optional createRedis redisService; + after = [ "network.target" ] ++ optional createRedis redisService; wantedBy = [ "multi-user.target" ]; - preStart = "mkdir -p /var/lib/ntopng/"; serviceConfig.ExecStart = "${pkgs.ntopng}/bin/ntopng ${configFile}"; unitConfig.Documentation = "man:ntopng(8)"; }; - # ntopng drops priveleges to user "nobody" and that user is already defined - # in users-groups.nix. + users.extraUsers.ntopng = { + group = "ntopng"; + isSystemUser = true; + }; + + users.extraGroups.ntopng = { }; }; } diff --git a/nixos/modules/services/networking/seafile.nix b/nixos/modules/services/networking/seafile.nix index d7fb22edebe..2839ffb60a1 100644 --- a/nixos/modules/services/networking/seafile.nix +++ b/nixos/modules/services/networking/seafile.nix @@ -1,7 +1,6 @@ { config, lib, pkgs, ... }: with lib; let - python = pkgs.python3Packages.python; cfg = config.services.seafile; settingsFormat = pkgs.formats.ini { }; @@ -221,9 +220,7 @@ in { ''; }; - seahub = let - penv = (pkgs.python3.withPackages (ps: with ps; [ gunicorn seahub ])); - in { + seahub = { description = "Seafile Server Web Frontend"; wantedBy = [ "seafile.target" ]; partOf = [ "seafile.target" ]; @@ -231,8 +228,7 @@ in { requires = [ "seaf-server.service" ]; restartTriggers = [ seahubSettings ]; environment = { - PYTHONPATH = - "${pkgs.python3Packages.seahub}/thirdpart:${pkgs.python3Packages.seahub}:${penv}/${python.sitePackages}"; + PYTHONPATH = "${pkgs.seahub.pythonPath}:${pkgs.seahub}/thirdpart:${pkgs.seahub}"; DJANGO_SETTINGS_MODULE = "seahub.settings"; CCNET_CONF_DIR = ccnetDir; SEAFILE_CONF_DIR = dataDir; @@ -249,7 +245,7 @@ in { LogsDirectory = "seafile"; ConfigurationDirectory = "seafile"; ExecStart = '' - ${penv}/bin/gunicorn seahub.wsgi:application \ + ${pkgs.seahub.python.pkgs.gunicorn}/bin/gunicorn seahub.wsgi:application \ --name seahub \ --workers ${toString cfg.workers} \ --log-level=info \ @@ -262,27 +258,27 @@ in { preStart = '' mkdir -p ${seahubDir}/media # Link all media except avatars - for m in `find ${pkgs.python3Packages.seahub}/media/ -maxdepth 1 -not -name "avatars"`; do + for m in `find ${pkgs.seahub}/media/ -maxdepth 1 -not -name "avatars"`; do ln -sf $m ${seahubDir}/media/ done if [ ! -e "${seafRoot}/.seahubSecret" ]; then - ${penv}/bin/python ${pkgs.python3Packages.seahub}/tools/secret_key_generator.py > ${seafRoot}/.seahubSecret + ${pkgs.seahub.python}/bin/python ${pkgs.seahub}/tools/secret_key_generator.py > ${seafRoot}/.seahubSecret chmod 400 ${seafRoot}/.seahubSecret fi if [ ! -f "${seafRoot}/seahub-setup" ]; then # avatars directory should be writable - install -D -t ${seahubDir}/media/avatars/ ${pkgs.python3Packages.seahub}/media/avatars/default.png - install -D -t ${seahubDir}/media/avatars/groups ${pkgs.python3Packages.seahub}/media/avatars/groups/default.png + install -D -t ${seahubDir}/media/avatars/ ${pkgs.seahub}/media/avatars/default.png + install -D -t ${seahubDir}/media/avatars/groups ${pkgs.seahub}/media/avatars/groups/default.png # init database - ${pkgs.python3Packages.seahub}/manage.py migrate + ${pkgs.seahub}/manage.py migrate # create admin account - ${pkgs.expect}/bin/expect -c 'spawn ${pkgs.python3Packages.seahub}/manage.py createsuperuser --email=${cfg.adminEmail}; expect "Password: "; send "${cfg.initialAdminPassword}\r"; expect "Password (again): "; send "${cfg.initialAdminPassword}\r"; expect "Superuser created successfully."' - echo "${pkgs.python3Packages.seahub.version}-sqlite" > "${seafRoot}/seahub-setup" + ${pkgs.expect}/bin/expect -c 'spawn ${pkgs.seahub}/manage.py createsuperuser --email=${cfg.adminEmail}; expect "Password: "; send "${cfg.initialAdminPassword}\r"; expect "Password (again): "; send "${cfg.initialAdminPassword}\r"; expect "Superuser created successfully."' + echo "${pkgs.seahub.version}-sqlite" > "${seafRoot}/seahub-setup" fi - if [ $(cat "${seafRoot}/seahub-setup" | cut -d"-" -f1) != "${pkgs.python3Packages.seahub.version}" ]; then + if [ $(cat "${seafRoot}/seahub-setup" | cut -d"-" -f1) != "${pkgs.seahub.version}" ]; then # update database - ${pkgs.python3Packages.seahub}/manage.py migrate - echo "${pkgs.python3Packages.seahub.version}-sqlite" > "${seafRoot}/seahub-setup" + ${pkgs.seahub}/manage.py migrate + echo "${pkgs.seahub.version}-sqlite" > "${seafRoot}/seahub-setup" fi ''; }; diff --git a/nixos/modules/services/networking/squid.nix b/nixos/modules/services/networking/squid.nix index 9d063b92aa1..4f3881af8bb 100644 --- a/nixos/modules/services/networking/squid.nix +++ b/nixos/modules/services/networking/squid.nix @@ -81,7 +81,9 @@ let http_access deny all # Squid normally listens to port 3128 - http_port ${toString cfg.proxyPort} + http_port ${ + optionalString (cfg.proxyAddress != null) "${cfg.proxyAddress}:" + }${toString cfg.proxyPort} # Leave coredumps in the first cache dir coredump_dir /var/cache/squid @@ -109,6 +111,12 @@ in description = "Whether to run squid web proxy."; }; + proxyAddress = mkOption { + type = types.nullOr types.str; + default = null; + description = "IP address on which squid will listen."; + }; + proxyPort = mkOption { type = types.int; default = 3128; diff --git a/nixos/modules/services/networking/syncplay.nix b/nixos/modules/services/networking/syncplay.nix index 27a16fb2e29..b6faf2d3f77 100644 --- a/nixos/modules/services/networking/syncplay.nix +++ b/nixos/modules/services/networking/syncplay.nix @@ -68,7 +68,7 @@ in systemd.services.syncplay = { description = "Syncplay Service"; wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target "]; + after = [ "network-online.target" ]; serviceConfig = { ExecStart = "${pkgs.syncplay}/bin/syncplay-server ${escapeShellArgs cmdArgs}"; diff --git a/nixos/modules/services/networking/wg-netmanager.nix b/nixos/modules/services/networking/wg-netmanager.nix new file mode 100644 index 00000000000..493ff7ceba9 --- /dev/null +++ b/nixos/modules/services/networking/wg-netmanager.nix @@ -0,0 +1,42 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.wg-netmanager; +in +{ + + options = { + services.wg-netmanager = { + enable = mkEnableOption "Wireguard network manager"; + }; + }; + + ###### implementation + config = mkIf cfg.enable { + # NOTE: wg-netmanager runs as root + systemd.services.wg-netmanager = { + description = "Wireguard network manager"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + path = with pkgs; [ wireguard-tools iproute2 wireguard-go ]; + serviceConfig = { + Type = "simple"; + Restart = "on-failure"; + ExecStart = "${pkgs.wg-netmanager}/bin/wg_netmanager"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + ExecStop = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + + ReadWritePaths = [ + "/tmp" # wg-netmanager creates files in /tmp before deleting them after use + ]; + }; + unitConfig = { + ConditionPathExists = ["/etc/wg_netmanager/network.yaml" "/etc/wg_netmanager/peer.yaml"]; + }; + }; + }; + + meta.maintainers = with maintainers; [ gin66 ]; +} diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index 07dec8ea718..c2e1d37e28b 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -10,14 +10,45 @@ let cfg = config.networking.wireless; opt = options.networking.wireless; + wpa3Protocols = [ "SAE" "FT-SAE" ]; + hasMixedWPA = opts: + let + hasWPA3 = !mutuallyExclusive opts.authProtocols wpa3Protocols; + others = subtractLists wpa3Protocols opts.authProtocols; + in hasWPA3 && others != []; + + # Gives a WPA3 network higher priority + increaseWPA3Priority = opts: + opts // optionalAttrs (hasMixedWPA opts) + { priority = if opts.priority == null + then 1 + else opts.priority + 1; + }; + + # Creates a WPA2 fallback network + mkWPA2Fallback = opts: + opts // { authProtocols = subtractLists wpa3Protocols opts.authProtocols; }; + + # Networks attrset as a list + networkList = mapAttrsToList (ssid: opts: opts // { inherit ssid; }) + cfg.networks; + + # List of all networks (normal + generated fallbacks) + allNetworks = + if cfg.fallbackToWPA2 + then map increaseWPA3Priority networkList + ++ map mkWPA2Fallback (filter hasMixedWPA networkList) + else networkList; + # Content of wpa_supplicant.conf generatedConfig = concatStringsSep "\n" ( - (mapAttrsToList mkNetwork cfg.networks) + (map mkNetwork allNetworks) ++ optional cfg.userControlled.enable (concatStringsSep "\n" [ "ctrl_interface=/run/wpa_supplicant" "ctrl_interface_group=${cfg.userControlled.group}" "update_config=1" ]) + ++ [ "pmf=1" ] ++ optional cfg.scanOnLowSignal ''bgscan="simple:30:-70:3600"'' ++ optional (cfg.extraConfig != "") cfg.extraConfig); @@ -33,7 +64,7 @@ let finalConfig = ''"$RUNTIME_DIRECTORY"/wpa_supplicant.conf''; # Creates a network block for wpa_supplicant.conf - mkNetwork = ssid: opts: + mkNetwork = opts: let quote = x: ''"${x}"''; indent = x: " " + x; @@ -43,7 +74,7 @@ let else opts.pskRaw; options = [ - "ssid=${quote ssid}" + "ssid=${quote opts.ssid}" (if pskString != null || opts.auth != null then "key_mgmt=${concatStringsSep " " opts.authProtocols}" else "key_mgmt=NONE") @@ -175,6 +206,18 @@ in { ''; }; + fallbackToWPA2 = mkOption { + type = types.bool; + default = true; + description = '' + Whether to fall back to WPA2 authentication protocols if WPA3 failed. + This allows old wireless cards (that lack recent features required by + WPA3) to connect to mixed WPA2/WPA3 access points. + + To avoid possible downgrade attacks, disable this options. + ''; + }; + environmentFile = mkOption { type = types.nullOr types.path; default = null; diff --git a/nixos/modules/services/networking/yggdrasil.xml b/nixos/modules/services/networking/yggdrasil.xml index c012cd4a929..a341d5d8153 100644 --- a/nixos/modules/services/networking/yggdrasil.xml +++ b/nixos/modules/services/networking/yggdrasil.xml @@ -84,7 +84,6 @@ in { interface eth0 { AdvSendAdvert on; - AdvDefaultLifetime 0; prefix ${prefix}::/64 { AdvOnLink on; AdvAutonomous on; diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix index 98c35a7ec84..041d0b3c43f 100644 --- a/nixos/modules/services/search/elasticsearch.nix +++ b/nixos/modules/services/search/elasticsearch.nix @@ -143,6 +143,17 @@ in example = lib.literalExpression "[ pkgs.elasticsearchPlugins.discovery-ec2 ]"; }; + restartIfChanged = mkOption { + type = types.bool; + description = '' + Automatically restart the service on config change. + This can be set to false to defer restarts on a server or cluster. + Please consider the security implications of inadvertently running an older version, + and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option. + ''; + default = true; + }; + }; ###### implementation @@ -153,6 +164,7 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; path = [ pkgs.inetutils ]; + inherit (cfg) restartIfChanged; environment = { ES_HOME = cfg.dataDir; ES_JAVA_OPTS = toString cfg.extraJavaOptions; @@ -163,6 +175,8 @@ in User = "elasticsearch"; PermissionsStartOnly = true; LimitNOFILE = "1024000"; + Restart = "always"; + TimeoutStartSec = "infinity"; }; preStart = '' ${optionalString (!config.boot.isContainer) '' diff --git a/nixos/modules/services/security/cfssl.nix b/nixos/modules/services/security/cfssl.nix index e5bed0a9987..6df2343b84d 100644 --- a/nixos/modules/services/security/cfssl.nix +++ b/nixos/modules/services/security/cfssl.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, options, lib, pkgs, ... }: with lib; @@ -11,7 +11,16 @@ in { dataDir = mkOption { default = "/var/lib/cfssl"; type = types.path; - description = "Cfssl work directory."; + description = '' + The work directory for CFSSL. + + <note><para> + If left as the default value this directory will automatically be + created before the CFSSL server starts, otherwise you are + responsible for ensuring the directory exists with appropriate + ownership and permissions. + </para></note> + ''; }; address = mkOption { @@ -22,7 +31,7 @@ in { port = mkOption { default = 8888; - type = types.ints.u16; + type = types.port; description = "Port to bind."; }; @@ -147,13 +156,12 @@ in { }; config = mkIf cfg.enable { - users.extraGroups.cfssl = { + users.groups.cfssl = { gid = config.ids.gids.cfssl; }; - users.extraUsers.cfssl = { + users.users.cfssl = { description = "cfssl user"; - createHome = true; home = cfg.dataDir; group = "cfssl"; uid = config.ids.uids.cfssl; @@ -164,41 +172,46 @@ in { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - serviceConfig = { - WorkingDirectory = cfg.dataDir; - StateDirectory = cfg.dataDir; - StateDirectoryMode = 700; - Restart = "always"; - User = "cfssl"; - - ExecStart = with cfg; let - opt = n: v: optionalString (v != null) ''-${n}="${v}"''; - in - lib.concatStringsSep " \\\n" [ - "${pkgs.cfssl}/bin/cfssl serve" - (opt "address" address) - (opt "port" (toString port)) - (opt "ca" ca) - (opt "ca-key" caKey) - (opt "ca-bundle" caBundle) - (opt "int-bundle" intBundle) - (opt "int-dir" intDir) - (opt "metadata" metadata) - (opt "remote" remote) - (opt "config" configFile) - (opt "responder" responder) - (opt "responder-key" responderKey) - (opt "tls-key" tlsKey) - (opt "tls-cert" tlsCert) - (opt "mutual-tls-ca" mutualTlsCa) - (opt "mutual-tls-cn" mutualTlsCn) - (opt "mutual-tls-client-key" mutualTlsClientKey) - (opt "mutual-tls-client-cert" mutualTlsClientCert) - (opt "tls-remote-ca" tlsRemoteCa) - (opt "db-config" dbConfig) - (opt "loglevel" (toString logLevel)) - ]; - }; + serviceConfig = lib.mkMerge [ + { + WorkingDirectory = cfg.dataDir; + Restart = "always"; + User = "cfssl"; + Group = "cfssl"; + + ExecStart = with cfg; let + opt = n: v: optionalString (v != null) ''-${n}="${v}"''; + in + lib.concatStringsSep " \\\n" [ + "${pkgs.cfssl}/bin/cfssl serve" + (opt "address" address) + (opt "port" (toString port)) + (opt "ca" ca) + (opt "ca-key" caKey) + (opt "ca-bundle" caBundle) + (opt "int-bundle" intBundle) + (opt "int-dir" intDir) + (opt "metadata" metadata) + (opt "remote" remote) + (opt "config" configFile) + (opt "responder" responder) + (opt "responder-key" responderKey) + (opt "tls-key" tlsKey) + (opt "tls-cert" tlsCert) + (opt "mutual-tls-ca" mutualTlsCa) + (opt "mutual-tls-cn" mutualTlsCn) + (opt "mutual-tls-client-key" mutualTlsClientKey) + (opt "mutual-tls-client-cert" mutualTlsClientCert) + (opt "tls-remote-ca" tlsRemoteCa) + (opt "db-config" dbConfig) + (opt "loglevel" (toString logLevel)) + ]; + } + (mkIf (cfg.dataDir == options.services.cfssl.dataDir.default) { + StateDirectory = baseNameOf cfg.dataDir; + StateDirectoryMode = 700; + }) + ]; }; services.cfssl = { diff --git a/nixos/modules/services/security/haveged.nix b/nixos/modules/services/security/haveged.nix index 22ece188344..57cef7e44d5 100644 --- a/nixos/modules/services/security/haveged.nix +++ b/nixos/modules/services/security/haveged.nix @@ -3,12 +3,10 @@ with lib; let - cfg = config.services.haveged; in - { ###### interface @@ -17,14 +15,11 @@ in services.haveged = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable to haveged entropy daemon, which refills - /dev/random when low. - ''; - }; + enable = mkEnableOption '' + haveged entropy daemon, which refills /dev/random when low. + NOTE: does nothing on kernels newer than 5.6. + ''; + # source for the note https://github.com/jirka-h/haveged/issues/57 refill_threshold = mkOption { type = types.int; @@ -39,29 +34,44 @@ in }; - - ###### implementation - config = mkIf cfg.enable { - systemd.services.haveged = - { description = "Entropy Harvesting Daemon"; - unitConfig.Documentation = "man:haveged(8)"; - wantedBy = [ "multi-user.target" ]; - - path = [ pkgs.haveged ]; - - serviceConfig = { - ExecStart = "${pkgs.haveged}/bin/haveged -F -w ${toString cfg.refill_threshold} -v 1"; - SuccessExitStatus = 143; - PrivateTmp = true; - PrivateDevices = true; - PrivateNetwork = true; - ProtectSystem = "full"; - ProtectHome = true; - }; + # https://github.com/jirka-h/haveged/blob/a4b69d65a8dfc5a9f52ff8505c7f58dcf8b9234f/contrib/Fedora/haveged.service + systemd.services.haveged = { + description = "Entropy Daemon based on the HAVEGE algorithm"; + unitConfig = { + Documentation = "man:haveged(8)"; + DefaultDependencies = false; + ConditionKernelVersion = "<5.6"; + }; + wantedBy = [ "sysinit.target" ]; + after = [ "systemd-tmpfiles-setup-dev.service" ]; + before = [ "sysinit.target" "shutdown.target" "systemd-journald.service" ]; + + serviceConfig = { + ExecStart = "${pkgs.haveged}/bin/haveged -w ${toString cfg.refill_threshold} --Foreground -v 1"; + Restart = "always"; + SuccessExitStatus = "137 143"; + SecureBits = "noroot-locked"; + CapabilityBoundingSet = [ "CAP_SYS_ADMIN" "CAP_SYS_CHROOT" ]; + # We can *not* set PrivateTmp=true as it can cause an ordering cycle. + PrivateTmp = false; + PrivateDevices = true; + ProtectSystem = "full"; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + RestrictNamespaces = true; + RestrictRealtime = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "newuname" "~@mount" ]; + SystemCallErrorNumber = "EPERM"; }; + }; }; } diff --git a/nixos/modules/services/security/step-ca.nix b/nixos/modules/services/security/step-ca.nix index 27b2ceed1a4..db7f81acd2a 100644 --- a/nixos/modules/services/security/step-ca.nix +++ b/nixos/modules/services/security/step-ca.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, nixosTests, ... }: +{ config, lib, pkgs, ... }: let cfg = config.services.step-ca; settingsFormat = (pkgs.formats.json { }); @@ -82,8 +82,6 @@ in }); in { - passthru.tests.step-ca = nixosTests.step-ca; - assertions = [ { diff --git a/nixos/modules/services/security/vaultwarden/default.nix b/nixos/modules/services/security/vaultwarden/default.nix index 71088fc4dcd..fd459f70ccd 100644 --- a/nixos/modules/services/security/vaultwarden/default.nix +++ b/nixos/modules/services/security/vaultwarden/default.nix @@ -131,7 +131,7 @@ in { users.groups.vaultwarden = { }; systemd.services.vaultwarden = { - aliases = [ "bitwarden_rs" ]; + aliases = [ "bitwarden_rs.service" ]; after = [ "network.target" ]; path = with pkgs; [ openssl ]; serviceConfig = { diff --git a/nixos/modules/services/system/cloud-init.nix b/nixos/modules/services/system/cloud-init.nix index eb82b738e49..8c6a6e294eb 100644 --- a/nixos/modules/services/system/cloud-init.nix +++ b/nixos/modules/services/system/cloud-init.nix @@ -52,11 +52,22 @@ in ''; }; + network.enable = mkOption { + type = types.bool; + default = false; + description = '' + Allow the cloud-init service to configure network interfaces + through systemd-networkd. + ''; + }; + config = mkOption { type = types.str; default = '' system_info: distro: nixos + network: + renderers: [ 'networkd' ] users: - root @@ -109,9 +120,12 @@ in environment.etc."cloud/cloud.cfg".text = cfg.config; + systemd.network.enable = cfg.network.enable; + systemd.services.cloud-init-local = { description = "Initial cloud-init job (pre-networking)"; wantedBy = [ "multi-user.target" ]; + before = ["systemd-networkd.service"]; path = path; serviceConfig = { Type = "oneshot"; @@ -129,7 +143,7 @@ in "sshd.service" "sshd-keygen.service" ]; after = [ "network-online.target" "cloud-init-local.service" ]; before = [ "sshd.service" "sshd-keygen.service" ]; - requires = [ "network.target "]; + requires = [ "network.target"]; path = path; serviceConfig = { Type = "oneshot"; diff --git a/nixos/modules/services/system/self-deploy.nix b/nixos/modules/services/system/self-deploy.nix index 33d15e08f4a..d7130a13c73 100644 --- a/nixos/modules/services/system/self-deploy.nix +++ b/nixos/modules/services/system/self-deploy.nix @@ -126,6 +126,8 @@ in config = lib.mkIf cfg.enable { systemd.services.self-deploy = { + inherit (cfg) startAt; + wantedBy = [ "multi-user.target" ]; requires = lib.mkIf (!(isPathType cfg.repository)) [ "network-online.target" ]; @@ -138,8 +140,7 @@ in path = with pkgs; [ git nix - systemd - ]; + ] ++ lib.optionals (cfg.switchCommand == "boot") [ systemd ]; script = '' if [ ! -e ${repositoryDirectory} ]; then diff --git a/nixos/modules/services/web-apps/bookstack.nix b/nixos/modules/services/web-apps/bookstack.nix index 54eaea63b6e..64a2767fab6 100644 --- a/nixos/modules/services/web-apps/bookstack.nix +++ b/nixos/modules/services/web-apps/bookstack.nix @@ -385,13 +385,13 @@ in { else if isString v then v else if true == v then "true" else if false == v then "false" - else if isSecret v then v._secret + else if isSecret v then hashString "sha256" v._secret else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}"; }; }; secretPaths = lib.mapAttrsToList (_: v: v._secret) (lib.filterAttrs (_: isSecret) cfg.config); mkSecretReplacement = file: '' - replace-secret ${escapeShellArgs [ file file "${cfg.dataDir}/.env" ]} + replace-secret ${escapeShellArgs [ (builtins.hashString "sha256" file) file "${cfg.dataDir}/.env" ]} ''; secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths; filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ {} null ])) cfg.config; diff --git a/nixos/modules/services/web-apps/ethercalc.nix b/nixos/modules/services/web-apps/ethercalc.nix new file mode 100644 index 00000000000..d74def59c6c --- /dev/null +++ b/nixos/modules/services/web-apps/ethercalc.nix @@ -0,0 +1,62 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.ethercalc; +in { + options = { + services.ethercalc = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + ethercalc, an online collaborative spreadsheet server. + + Persistent state will be maintained under + <filename>/var/lib/ethercalc</filename>. Upstream supports using a + redis server for storage and recommends the redis backend for + intensive use; however, the Nix module doesn't currently support + redis. + + Note that while ethercalc is a good and robust project with an active + issue tracker, there haven't been new commits since the end of 2020. + ''; + }; + + package = mkOption { + default = pkgs.ethercalc; + defaultText = literalExpression "pkgs.ethercalc"; + type = types.package; + description = "Ethercalc package to use."; + }; + + host = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "Address to listen on (use 0.0.0.0 to allow access from any address)."; + }; + + port = mkOption { + type = types.port; + default = 8000; + description = "Port to bind to."; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.ethercalc = { + description = "Ethercalc service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + DynamicUser = true; + ExecStart = "${cfg.package}/bin/ethercalc --host ${cfg.host} --port ${toString cfg.port}"; + Restart = "always"; + StateDirectory = "ethercalc"; + WorkingDirectory = "/var/lib/ethercalc"; + }; + }; + }; +} diff --git a/nixos/modules/services/web-apps/matomo.nix b/nixos/modules/services/web-apps/matomo.nix index 8a0ca33b51f..c6d4ed6d39d 100644 --- a/nixos/modules/services/web-apps/matomo.nix +++ b/nixos/modules/services/web-apps/matomo.nix @@ -192,6 +192,7 @@ in { # Copy config folder chmod g+s "${dataDir}" cp -r "${cfg.package}/share/config" "${dataDir}/" + mkdir -p "${dataDir}/misc" chmod -R u+rwX,g+rwX,o-rwx "${dataDir}" # check whether user setup has already been done diff --git a/nixos/modules/services/web-apps/miniflux.nix b/nixos/modules/services/web-apps/miniflux.nix index 026bde2a92d..14cbfb39540 100644 --- a/nixos/modules/services/web-apps/miniflux.nix +++ b/nixos/modules/services/web-apps/miniflux.nix @@ -4,6 +4,8 @@ with lib; let cfg = config.services.miniflux; + defaultAddress = "localhost:8080"; + dbUser = "miniflux"; dbPassword = "miniflux"; dbHost = "localhost"; @@ -31,7 +33,7 @@ in { options = { services.miniflux = { - enable = mkEnableOption "miniflux"; + enable = mkEnableOption "miniflux and creates a local postgres database for it"; config = mkOption { type = types.attrsOf types.str; @@ -45,6 +47,9 @@ in Configuration for Miniflux, refer to <link xlink:href="https://miniflux.app/docs/configuration.html"/> for documentation on the supported values. + + Correct configuration for the database is already provided. + By default, listens on ${defaultAddress}. ''; }; @@ -64,7 +69,7 @@ in config = mkIf cfg.enable { services.miniflux.config = { - LISTEN_ADDR = mkDefault "localhost:8080"; + LISTEN_ADDR = mkDefault defaultAddress; DATABASE_URL = "postgresql://${dbUser}:${dbPassword}@${dbHost}/${dbName}?sslmode=disable"; RUN_MIGRATIONS = "1"; CREATE_ADMIN = "1"; diff --git a/nixos/modules/services/web-apps/plausible.nix b/nixos/modules/services/web-apps/plausible.nix index b6c48186a1d..5d550ae5ca8 100644 --- a/nixos/modules/services/web-apps/plausible.nix +++ b/nixos/modules/services/web-apps/plausible.nix @@ -10,8 +10,7 @@ in { enable = mkEnableOption "plausible"; releaseCookiePath = mkOption { - default = null; - type = with types; nullOr (either str path); + type = with types; either str path; description = '' The path to the file with release cookie. (used for remote connection to the running node). ''; @@ -235,6 +234,8 @@ in { script = '' export CONFIG_DIR=$CREDENTIALS_DIRECTORY + export RELEASE_COOKIE="$(< $CREDENTIALS_DIRECTORY/RELEASE_COOKIE )" + # setup ${pkgs.plausible}/createdb.sh ${pkgs.plausible}/migrate.sh @@ -243,10 +244,8 @@ in { psql -d plausible <<< "UPDATE users SET email_verified=true;" fi ''} - ${optionalString (cfg.releaseCookiePath != null) '' - export RELEASE_COOKIE="$(< $CREDENTIALS_DIRECTORY/RELEASE_COOKIE )" - ''} - plausible start + + exec plausible start ''; serviceConfig = { @@ -257,8 +256,8 @@ in { LoadCredential = [ "ADMIN_USER_PWD:${cfg.adminUser.passwordFile}" "SECRET_KEY_BASE:${cfg.server.secretKeybaseFile}" - ] ++ lib.optionals (cfg.mail.smtp.passwordFile != null) [ "SMTP_USER_PWD:${cfg.mail.smtp.passwordFile}"] - ++ lib.optionals (cfg.releaseCookiePath != null) [ "RELEASE_COOKIE:${cfg.releaseCookiePath}"]; + "RELEASE_COOKIE:${cfg.releaseCookiePath}" + ] ++ lib.optionals (cfg.mail.smtp.passwordFile != null) [ "SMTP_USER_PWD:${cfg.mail.smtp.passwordFile}"]; }; }; } diff --git a/nixos/modules/services/web-servers/agate.nix b/nixos/modules/services/web-servers/agate.nix new file mode 100644 index 00000000000..3afdb561c0b --- /dev/null +++ b/nixos/modules/services/web-servers/agate.nix @@ -0,0 +1,148 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.agate; +in +{ + options = { + services.agate = { + enable = mkEnableOption "Agate Server"; + + package = mkOption { + type = types.package; + default = pkgs.agate; + defaultText = literalExpression "pkgs.agate"; + description = "The package to use"; + }; + + addresses = mkOption { + type = types.listOf types.str; + default = [ "0.0.0.0:1965" ]; + description = '' + Addresses to listen on, IP:PORT, if you haven't disabled forwarding + only set IPv4. + ''; + }; + + contentDir = mkOption { + default = "/var/lib/agate/content"; + type = types.path; + description = "Root of the content directory."; + }; + + certificatesDir = mkOption { + default = "/var/lib/agate/certificates"; + type = types.path; + description = "Root of the certificate directory."; + }; + + hostnames = mkOption { + default = [ ]; + type = types.listOf types.str; + description = '' + Domain name of this Gemini server, enables checking hostname and port + in requests. (multiple occurences means basic vhosts) + ''; + }; + + language = mkOption { + default = null; + type = types.nullOr types.str; + description = "RFC 4646 Language code for text/gemini documents."; + }; + + onlyTls_1_3 = mkOption { + default = false; + type = types.bool; + description = "Only use TLSv1.3 (default also allows TLSv1.2)."; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = [ "" ]; + example = [ "--log-ip" ]; + description = "Extra arguments to use running agate."; + }; + }; + }; + + config = mkIf cfg.enable { + # available for generating certs by hand + # it can be a bit arduous with openssl + environment.systemPackages = [ cfg.package ]; + + systemd.services.agate = { + description = "Agate"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "network-online.target" ]; + + script = + let + prefixKeyList = key: list: concatMap (v: [ key v ]) list; + addresses = prefixKeyList "--addr" cfg.addresses; + hostnames = prefixKeyList "--hostname" cfg.hostnames; + in + '' + exec ${cfg.package}/bin/agate ${ + escapeShellArgs ( + [ + "--content" "${cfg.contentDir}" + "--certs" "${cfg.certificatesDir}" + ] ++ + addresses ++ + (optionals (cfg.hostnames != []) hostnames) ++ + (optionals (cfg.language != null) [ "--lang" cfg.language ]) ++ + (optionals cfg.onlyTls_1_3 [ "--only-tls13" ]) ++ + (optionals (cfg.extraArgs != []) cfg.extraArgs) + ) + } + ''; + + serviceConfig = { + Restart = "always"; + RestartSec = "5s"; + DynamicUser = true; + StateDirectory = "agate"; + + # Security options: + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + + LockPersonality = true; + + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + + ProtectClock = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + + RestrictNamespaces = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictRealtime = true; + + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = [ + "@system-service" + "~@cpu-emulation" + "~@debug" + "~@keyring" + "~@memlock" + "~@obsolete" + "~@privileged" + "~@setuid" + ]; + }; + }; + }; +} diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index a8610047f5f..6876dbf39d8 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -924,7 +924,7 @@ in PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; - SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid @mincore" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ]; + SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ]; }; }; diff --git a/nixos/modules/services/web-servers/shellinabox.nix b/nixos/modules/services/web-servers/shellinabox.nix deleted file mode 100644 index c7c51f873eb..00000000000 --- a/nixos/modules/services/web-servers/shellinabox.nix +++ /dev/null @@ -1,122 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.services.shellinabox; - - # If a certificate file is specified, shellinaboxd requires - # a file descriptor to retrieve it - fd = "3"; - createFd = optionalString (cfg.certFile != null) "${fd}<${cfg.certFile}"; - - # Command line arguments for the shellinabox daemon - args = [ "--background" ] - ++ optional (! cfg.enableSSL) "--disable-ssl" - ++ optional (cfg.certFile != null) "--cert-fd=${fd}" - ++ optional (cfg.certDirectory != null) "--cert=${cfg.certDirectory}" - ++ cfg.extraOptions; - - # Command to start shellinaboxd - cmd = "${pkgs.shellinabox}/bin/shellinaboxd ${concatStringsSep " " args}"; - - # Command to start shellinaboxd if certFile is specified - wrappedCmd = "${pkgs.bash}/bin/bash -c 'exec ${createFd} && ${cmd}'"; - -in - -{ - - ###### interface - - options = { - services.shellinabox = { - enable = mkEnableOption "shellinabox daemon"; - - user = mkOption { - type = types.str; - default = "root"; - description = '' - User to run shellinaboxd as. If started as root, the server drops - privileges by changing to nobody, unless overridden by the - <literal>--user</literal> option. - ''; - }; - - enableSSL = mkOption { - type = types.bool; - default = false; - description = '' - Whether or not to enable SSL (https) support. - ''; - }; - - certDirectory = mkOption { - type = types.nullOr types.path; - default = null; - example = "/var/certs"; - description = '' - The daemon will look in this directory far any certificates. - If the browser negotiated a Server Name Identification the daemon - will look for a matching certificate-SERVERNAME.pem file. If no SNI - handshake takes place, it will fall back on using the certificate in the - certificate.pem file. - - If no suitable certificate is installed, shellinaboxd will attempt to - create a new self-signed certificate. This will only succeed if, after - dropping privileges, shellinaboxd has write permissions for this - directory. - ''; - }; - - certFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/var/certificate.pem"; - description = "Path to server SSL certificate."; - }; - - extraOptions = mkOption { - type = types.listOf types.str; - default = [ ]; - example = [ "--port=443" "--service /:LOGIN" ]; - description = '' - A list of strings to be appended to the command line arguments - for shellinaboxd. Please see the manual page - <link xlink:href="https://code.google.com/p/shellinabox/wiki/shellinaboxd_man"/> - for a full list of available arguments. - ''; - }; - - }; - }; - - ###### implementation - - config = mkIf cfg.enable { - - assertions = - [ { assertion = cfg.enableSSL == true - -> cfg.certDirectory != null || cfg.certFile != null; - message = "SSL is enabled for shellinabox, but no certDirectory or certFile has been specefied."; } - { assertion = ! (cfg.certDirectory != null && cfg.certFile != null); - message = "Cannot set both certDirectory and certFile for shellinabox."; } - ]; - - systemd.services.shellinaboxd = { - description = "Shellinabox Web Server Daemon"; - - wantedBy = [ "multi-user.target" ]; - requires = [ "sshd.service" ]; - after = [ "sshd.service" ]; - - serviceConfig = { - Type = "forking"; - User = "${cfg.user}"; - ExecStart = "${if cfg.certFile == null then "${cmd}" else "${wrappedCmd}"}"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - }; - }; - }; -} diff --git a/nixos/modules/services/x11/desktop-managers/default.nix b/nixos/modules/services/x11/desktop-managers/default.nix index 6ee5b0fc54f..8247a7e381c 100644 --- a/nixos/modules/services/x11/desktop-managers/default.nix +++ b/nixos/modules/services/x11/desktop-managers/default.nix @@ -19,7 +19,7 @@ in # E.g., if Plasma 5 is enabled, it supersedes xterm. imports = [ ./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix - ./lxqt.nix ./enlightenment.nix ./gnome.nix ./kodi.nix + ./lxqt.nix ./enlightenment.nix ./gnome.nix ./retroarch.nix ./kodi.nix ./mate.nix ./pantheon.nix ./surf-display.nix ./cde.nix ./cinnamon.nix ]; diff --git a/nixos/modules/services/x11/desktop-managers/gnome.nix b/nixos/modules/services/x11/desktop-managers/gnome.nix index efc9bd39b36..e2323785149 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome.nix @@ -569,6 +569,7 @@ in atomix five-or-more four-in-a-row + pkgs.gnome-2048 gnome-chess gnome-klotski gnome-mahjongg diff --git a/nixos/modules/services/x11/desktop-managers/gnome.xml b/nixos/modules/services/x11/desktop-managers/gnome.xml index e5da7740196..807c9d64e20 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome.xml +++ b/nixos/modules/services/x11/desktop-managers/gnome.xml @@ -249,14 +249,5 @@ services.xserver.desktopManager.gnome = { See <link xlink:href="https://github.com/NixOS/nixpkgs/issues/56342">this issue.</link> </para> </section> - - <section xml:id="sec-gnome-faq-nixos-rebuild-switch-kills-session"> - <title>Why does <literal>nixos-rebuild switch</literal> sometimes kill my session?</title> - - <para> - This is a known <link xlink:href="https://github.com/NixOS/nixpkgs/issues/44344">issue</link> without any workarounds. - If you are doing a fairly large upgrade, it is probably safer to use <literal>nixos-rebuild boot</literal>. - </para> - </section> </section> </chapter> diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix index 980a6b939d5..6a7d2a8aa6c 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -135,6 +135,7 @@ in services.bamf.enable = true; services.colord.enable = mkDefault true; services.fwupd.enable = mkDefault true; + services.packagekit.enable = mkDefault true; services.touchegg.enable = mkDefault true; services.touchegg.package = pkgs.pantheon.touchegg; services.tumbler.enable = mkDefault true; @@ -224,7 +225,6 @@ in programs.file-roller.package = pkgs.pantheon.file-roller; # Settings from elementary-default-settings - environment.sessionVariables.GTK_CSD = "1"; environment.etc."gtk-3.0/settings.ini".source = "${pkgs.pantheon.elementary-default-settings}/etc/gtk-3.0/settings.ini"; xdg.portal.extraPortals = with pkgs.pantheon; [ @@ -273,7 +273,7 @@ in }) (mkIf serviceCfg.apps.enable { - environment.systemPackages = (with pkgs.pantheon; pkgs.gnome.removePackagesByName [ + environment.systemPackages = with pkgs.pantheon; pkgs.gnome.removePackagesByName ([ elementary-calculator elementary-calendar elementary-camera @@ -287,7 +287,11 @@ in elementary-terminal elementary-videos epiphany - ] config.environment.pantheon.excludePackages); + ] ++ lib.optionals config.services.flatpak.enable [ + # Only install appcenter if flatpak is enabled before + # https://github.com/NixOS/nixpkgs/issues/15932 is resolved. + appcenter + ]) config.environment.pantheon.excludePackages; # needed by screenshot fonts.fonts = [ diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.xml b/nixos/modules/services/x11/desktop-managers/pantheon.xml index fe0a1c49622..202909d398f 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.xml +++ b/nixos/modules/services/x11/desktop-managers/pantheon.xml @@ -105,10 +105,10 @@ switchboard-with-plugs.override { </term> <listitem> <para> - AppCenter has been available since 20.03, but it is of little use. This is because there is no functioning PackageKit backend for Nix 2.0. Starting from 21.11, the Flatpak backend should work so you can install some Flatpak applications using it. See this <link xlink:href="https://github.com/NixOS/nixpkgs/issues/70214">issue</link>. + AppCenter has been available since 20.03. Starting from 21.11, the Flatpak backend should work so you can install some Flatpak applications using it. However, due to missing appstream metadata, the Packagekit backend does not function currently. See this <link xlink:href="https://github.com/NixOS/nixpkgs/issues/15932">issue</link>. </para> <para> - To use AppCenter on NixOS, add <literal>pantheon.appcenter</literal> to <xref linkend="opt-environment.systemPackages" />, <link linkend="module-services-flatpak">enable Flatpak support</link> and optionally add the <literal>appcenter</literal> Flatpak remote: + If you are using Pantheon, AppCenter should be installed by default if you have <link linkend="module-services-flatpak">Flatpak support</link> enabled. If you also wish to add the <literal>appcenter</literal> Flatpak remote: </para> <screen> <prompt>$ </prompt>flatpak remote-add --if-not-exists appcenter https://flatpak.elementary.io/repo.flatpakrepo diff --git a/nixos/modules/services/x11/desktop-managers/retroarch.nix b/nixos/modules/services/x11/desktop-managers/retroarch.nix new file mode 100644 index 00000000000..d471673d452 --- /dev/null +++ b/nixos/modules/services/x11/desktop-managers/retroarch.nix @@ -0,0 +1,40 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let cfg = config.services.xserver.desktopManager.retroarch; + +in { + options.services.xserver.desktopManager.retroarch = { + enable = mkEnableOption "RetroArch"; + + package = mkOption { + type = types.package; + default = pkgs.retroarch; + defaultText = literalExpression "pkgs.retroarch"; + example = literalExpression "pkgs.retroarch-full"; + description = "RetroArch package to use."; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "--verbose" "--host" ]; + description = "Extra arguments to pass to RetroArch."; + }; + }; + + config = mkIf cfg.enable { + services.xserver.desktopManager.session = [{ + name = "RetroArch"; + start = '' + ${cfg.package}/bin/retroarch -f ${escapeShellArgs cfg.extraArgs} & + waitPID=$! + ''; + }]; + + environment.systemPackages = [ cfg.package ]; + }; + + meta.maintainers = with maintainers; [ j0hax ]; +} diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix index 6f0d645725e..b1dc6643be8 100644 --- a/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixos/modules/services/x11/display-managers/gdm.nix @@ -53,6 +53,8 @@ in "autoLogin" "user" ]) + + (mkRemovedOptionModule [ "services" "xserver" "displayManager" "gdm" "nvidiaWayland" ] "We defer to GDM whether Wayland should be enabled.") ]; meta = { @@ -83,17 +85,6 @@ in default = true; description = '' Allow GDM to run on Wayland instead of Xserver. - Note to enable Wayland with Nvidia the <option>nvidiaWayland</option> - must not be disabled. - ''; - }; - - nvidiaWayland = mkOption { - type = types.bool; - default = true; - description = '' - Whether to allow wayland to be used with the proprietary - NVidia graphics driver. ''; }; @@ -149,7 +140,8 @@ in environment = { GDM_X_SERVER_EXTRA_ARGS = toString (filter (arg: arg != "-terminate") cfg.xserverArgs); - XDG_DATA_DIRS = "${cfg.sessionData.desktops}/share/"; + # GDM is needed for gnome-login.session + XDG_DATA_DIRS = "${gdm}/share:${cfg.sessionData.desktops}/share"; } // optionalAttrs (xSessionWrapper != null) { # Make GDM use this wrapper before running the session, which runs the # configured setupCommands. This relies on a patched GDM which supports @@ -230,19 +222,6 @@ in services.dbus.packages = [ gdm ]; - # We duplicate upstream's udev rules manually to make wayland with nvidia configurable - services.udev.extraRules = '' - # disable Wayland on Cirrus chipsets - ATTR{vendor}=="0x1013", ATTR{device}=="0x00b8", ATTR{subsystem_vendor}=="0x1af4", ATTR{subsystem_device}=="0x1100", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" - # disable Wayland on Hi1710 chipsets - ATTR{vendor}=="0x19e5", ATTR{device}=="0x1711", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" - ${optionalString (!cfg.gdm.nvidiaWayland) '' - DRIVER=="nvidia", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" - ''} - # disable Wayland when modesetting is disabled - IMPORT{cmdline}="nomodeset", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" - ''; - systemd.user.services.dbus.wantedBy = [ "default.target" ]; programs.dconf.profiles.gdm = diff --git a/nixos/modules/system/activation/switch-to-configuration.pl b/nixos/modules/system/activation/switch-to-configuration.pl index 1fe346114e4..a8fe14c58f0 100644 --- a/nixos/modules/system/activation/switch-to-configuration.pl +++ b/nixos/modules/system/activation/switch-to-configuration.pl @@ -5,7 +5,7 @@ use warnings; use Config::IniFiles; use File::Path qw(make_path); use File::Basename; -use File::Slurp; +use File::Slurp qw(read_file write_file edit_file); use Net::DBus; use Sys::Syslog qw(:standard :macros); use Cwd 'abs_path'; @@ -20,12 +20,19 @@ my $restartListFile = "/run/nixos/restart-list"; my $reloadListFile = "/run/nixos/reload-list"; # Parse restart/reload requests by the activation script. -# Activation scripts may write newline-separated units to this +# Activation scripts may write newline-separated units to the restart # file and switch-to-configuration will handle them. While # `stopIfChanged = true` is ignored, switch-to-configuration will # handle `restartIfChanged = false` and `reloadIfChanged = true`. +# This is the same as specifying a restart trigger in the NixOS module. +# +# The reload file asks the script to reload a unit. This is the same as +# specifying a reload trigger in the NixOS module and can be ignored if +# the unit is restarted in this activation. my $restartByActivationFile = "/run/nixos/activation-restart-list"; +my $reloadByActivationFile = "/run/nixos/activation-reload-list"; my $dryRestartByActivationFile = "/run/nixos/dry-activation-restart-list"; +my $dryReloadByActivationFile = "/run/nixos/dry-activation-reload-list"; make_path("/run/nixos", { mode => oct(755) }); @@ -131,6 +138,10 @@ sub parseSystemdIni { # Copy over all sections foreach my $sectionName (keys %fileContents) { + if ($sectionName eq "Install") { + # Skip the [Install] section because it has no relevant keys for us + next; + } # Copy over all keys foreach my $iniKey (keys %{$fileContents{$sectionName}}) { # Ensure the value is an array so it's easier to work with @@ -162,13 +173,18 @@ sub parseSystemdIni { # # If a directory with the same basename ending in .d exists next to the unit file, it will be # assumed to contain override files which will be parsed as well and handled properly. -sub parseUnit { - my ($unitPath) = @_; +sub parse_unit { + my ($unit_path) = @_; # Parse the main unit and all overrides - my %unitData; - parseSystemdIni(\%unitData, $_) for glob("${unitPath}{,.d/*.conf}"); - return %unitData; + my %unit_data; + # Replace \ with \\ so glob() still works with units that have a \ in them + # Valid characters in unit names are ASCII letters, digits, ":", "-", "_", ".", and "\" + $unit_path =~ s/\\/\\\\/gmsx; + foreach (glob "${unit_path}{,.d/*.conf}") { + parseSystemdIni(\%unit_data, "$_") + } + return %unit_data; } # Checks whether a specified boolean in a systemd unit is true @@ -192,16 +208,96 @@ sub recordUnit { write_file($fn, { append => 1 }, "$unit\n") if $action ne "dry-activate"; } -# As a fingerprint for determining whether a unit has changed, we use -# its absolute path. If it has an override file, we append *its* -# absolute path as well. -sub fingerprintUnit { - my ($s) = @_; - return abs_path($s) . (-f "${s}.d/overrides.conf" ? " " . abs_path "${s}.d/overrides.conf" : ""); +# The opposite of recordUnit, removes a unit name from a file +sub unrecord_unit { + my ($fn, $unit) = @_; + edit_file { s/^$unit\n//msx } $fn if $action ne "dry-activate"; +} + +# Compare the contents of two unit files and return whether the unit +# needs to be restarted or reloaded. If the units differ, the service +# is restarted unless the only difference is `X-Reload-Triggers` in the +# `Unit` section. If this is the only modification, the unit is reloaded +# instead of restarted. +# Returns: +# - 0 if the units are equal +# - 1 if the units are different and a restart action is required +# - 2 if the units are different and a reload action is required +sub compare_units { + my ($old_unit, $new_unit) = @_; + my $ret = 0; + + my $comp_array = sub { + my ($a, $b) = @_; + return join("\0", @{$a}) eq join("\0", @{$b}); + }; + + # Comparison hash for the sections + my %section_cmp = map { $_ => 1 } keys %{$new_unit}; + # Iterate over the sections + foreach my $section_name (keys %{$old_unit}) { + # Missing section in the new unit? + if (not exists $section_cmp{$section_name}) { + if ($section_name eq 'Unit' and %{$old_unit->{'Unit'}} == 1 and defined(%{$old_unit->{'Unit'}}{'X-Reload-Triggers'})) { + # If a new [Unit] section was removed that only contained X-Reload-Triggers, + # do nothing. + next; + } else { + return 1; + } + } + delete $section_cmp{$section_name}; + # Comparison hash for the section contents + my %ini_cmp = map { $_ => 1 } keys %{$new_unit->{$section_name}}; + # Iterate over the keys of the section + foreach my $ini_key (keys %{$old_unit->{$section_name}}) { + delete $ini_cmp{$ini_key}; + my @old_value = @{$old_unit->{$section_name}{$ini_key}}; + # If the key is missing in the new unit, they are different... + if (not $new_unit->{$section_name}{$ini_key}) { + # ... unless the key that is now missing was the reload trigger + if ($section_name eq 'Unit' and $ini_key eq 'X-Reload-Triggers') { + next; + } + return 1; + } + my @new_value = @{$new_unit->{$section_name}{$ini_key}}; + # If the contents are different, the units are different + if (not $comp_array->(\@old_value, \@new_value)) { + # Check if only the reload triggers changed + if ($section_name eq 'Unit' and $ini_key eq 'X-Reload-Triggers') { + $ret = 2; + } else { + return 1; + } + } + } + # A key was introduced that was missing in the old unit + if (%ini_cmp) { + if ($section_name eq 'Unit' and %ini_cmp == 1 and defined($ini_cmp{'X-Reload-Triggers'})) { + # If the newly introduced key was the reload triggers, reload the unit + $ret = 2; + } else { + return 1; + } + }; + } + # A section was introduced that was missing in the old unit + if (%section_cmp) { + if (%section_cmp == 1 and defined($section_cmp{'Unit'}) and %{$new_unit->{'Unit'}} == 1 and defined(%{$new_unit->{'Unit'}}{'X-Reload-Triggers'})) { + # If a new [Unit] section was introduced that only contains X-Reload-Triggers, + # reload instead of restarting + $ret = 2; + } else { + return 1; + } + } + + return $ret; } sub handleModifiedUnit { - my ($unit, $baseName, $newUnitFile, $activePrev, $unitsToStop, $unitsToStart, $unitsToReload, $unitsToRestart, $unitsToSkip) = @_; + my ($unit, $baseName, $newUnitFile, $newUnitInfo, $activePrev, $unitsToStop, $unitsToStart, $unitsToReload, $unitsToRestart, $unitsToSkip) = @_; if ($unit eq "sysinit.target" || $unit eq "basic.target" || $unit eq "multi-user.target" || $unit eq "graphical.target" || $unit =~ /\.path$/ || $unit =~ /\.slice$/) { # Do nothing. These cannot be restarted directly. @@ -219,8 +315,8 @@ sub handleModifiedUnit { # Revert of the attempt: https://github.com/NixOS/nixpkgs/pull/147609 # More details: https://github.com/NixOS/nixpkgs/issues/74899#issuecomment-981142430 } else { - my %unitInfo = parseUnit($newUnitFile); - if (parseSystemdBool(\%unitInfo, "Service", "X-ReloadIfChanged", 0)) { + my %unitInfo = $newUnitInfo ? %{$newUnitInfo} : parse_unit($newUnitFile); + if (parseSystemdBool(\%unitInfo, "Service", "X-ReloadIfChanged", 0) and not $unitsToRestart->{$unit} and not $unitsToStop->{$unit}) { $unitsToReload->{$unit} = 1; recordUnit($reloadListFile, $unit); } @@ -234,6 +330,11 @@ sub handleModifiedUnit { # stopped and started. $unitsToRestart->{$unit} = 1; recordUnit($restartListFile, $unit); + # Remove from units to reload so we don't restart and reload + if ($unitsToReload->{$unit}) { + delete $unitsToReload->{$unit}; + unrecord_unit($reloadListFile, $unit); + } } else { # If this unit is socket-activated, then stop the # socket unit(s) as well, and restart the @@ -254,6 +355,11 @@ sub handleModifiedUnit { recordUnit($startListFile, $socket); $socketActivated = 1; } + # Remove from units to reload so we don't restart and reload + if ($unitsToReload->{$unit}) { + delete $unitsToReload->{$unit}; + unrecord_unit($reloadListFile, $unit); + } } } } @@ -268,6 +374,11 @@ sub handleModifiedUnit { } $unitsToStop->{$unit} = 1; + # Remove from units to reload so we don't restart and reload + if ($unitsToReload->{$unit}) { + delete $unitsToReload->{$unit}; + unrecord_unit($reloadListFile, $unit); + } } } } @@ -306,12 +417,12 @@ while (my ($unit, $state) = each %{$activePrev}) { if (-e $prevUnitFile && ($state->{state} eq "active" || $state->{state} eq "activating")) { if (! -e $newUnitFile || abs_path($newUnitFile) eq "/dev/null") { - my %unitInfo = parseUnit($prevUnitFile); + my %unitInfo = parse_unit($prevUnitFile); $unitsToStop{$unit} = 1 if parseSystemdBool(\%unitInfo, "Unit", "X-StopOnRemoval", 1); } elsif ($unit =~ /\.target$/) { - my %unitInfo = parseUnit($newUnitFile); + my %unitInfo = parse_unit($newUnitFile); # Cause all active target units to be restarted below. # This should start most changed units we stop here as @@ -344,8 +455,16 @@ while (my ($unit, $state) = each %{$activePrev}) { } } - elsif (fingerprintUnit($prevUnitFile) ne fingerprintUnit($newUnitFile)) { - handleModifiedUnit($unit, $baseName, $newUnitFile, $activePrev, \%unitsToStop, \%unitsToStart, \%unitsToReload, \%unitsToRestart, \%unitsToSkip); + else { + my %old_unit_info = parse_unit($prevUnitFile); + my %new_unit_info = parse_unit($newUnitFile); + my $diff = compare_units(\%old_unit_info, \%new_unit_info); + if ($diff eq 1) { + handleModifiedUnit($unit, $baseName, $newUnitFile, \%new_unit_info, $activePrev, \%unitsToStop, \%unitsToStart, \%unitsToReload, \%unitsToRestart, \%unitsToSkip); + } elsif ($diff eq 2 and not $unitsToRestart{$unit}) { + $unitsToReload{$unit} = 1; + recordUnit($reloadListFile, $unit); + } } } } @@ -361,17 +480,6 @@ sub pathToUnitName { return $escaped; } -sub unique { - my %seen; - my @res; - foreach my $name (@_) { - next if $seen{$name}; - $seen{$name} = 1; - push @res, $name; - } - return @res; -} - # Compare the previous and new fstab to figure out which filesystems # need a remount or need to be unmounted. New filesystems are mounted # automatically by starting local-fs.target. FIXME: might be nicer if @@ -407,8 +515,12 @@ foreach my $device (keys %$prevSwaps) { # "systemctl stop" here because systemd has lots of alias # units that prevent a stop from actually calling # "swapoff". - print STDERR "stopping swap device: $device\n"; - system("@utillinux@/sbin/swapoff", $device); + if ($action ne "dry-activate") { + print STDERR "would stop swap device: $device\n"; + } else { + print STDERR "stopping swap device: $device\n"; + system("@utillinux@/sbin/swapoff", $device); + } } # FIXME: update swap options (i.e. its priority). } @@ -469,10 +581,20 @@ if ($action eq "dry-activate") { next; } - handleModifiedUnit($unit, $baseName, $newUnitFile, $activePrev, \%unitsToRestart, \%unitsToRestart, \%unitsToReload, \%unitsToRestart, \%unitsToSkip); + handleModifiedUnit($unit, $baseName, $newUnitFile, undef, $activePrev, \%unitsToRestart, \%unitsToRestart, \%unitsToReload, \%unitsToRestart, \%unitsToSkip); } unlink($dryRestartByActivationFile); + foreach (split('\n', read_file($dryReloadByActivationFile, err_mode => 'quiet') // "")) { + my $unit = $_; + + if (defined($activePrev->{$unit}) and not $unitsToRestart{$unit} and not $unitsToStop{$unit}) { + $unitsToReload{$unit} = 1; + recordUnit($reloadListFile, $unit); + } + } + unlink($dryReloadByActivationFile); + print STDERR "would restart systemd\n" if $restartSystemd; print STDERR "would reload the following units: ", join(", ", sort(keys %unitsToReload)), "\n" if scalar(keys %unitsToReload) > 0; @@ -525,11 +647,22 @@ foreach (split('\n', read_file($restartByActivationFile, err_mode => 'quiet') // next; } - handleModifiedUnit($unit, $baseName, $newUnitFile, $activePrev, \%unitsToRestart, \%unitsToRestart, \%unitsToReload, \%unitsToRestart, \%unitsToSkip); + handleModifiedUnit($unit, $baseName, $newUnitFile, undef, $activePrev, \%unitsToRestart, \%unitsToRestart, \%unitsToReload, \%unitsToRestart, \%unitsToSkip); } # We can remove the file now because it has been propagated to the other restart/reload files unlink($restartByActivationFile); +foreach (split('\n', read_file($reloadByActivationFile, err_mode => 'quiet') // "")) { + my $unit = $_; + + if (defined($activePrev->{$unit}) and not $unitsToRestart{$unit} and not $unitsToStop{$unit}) { + $unitsToReload{$unit} = 1; + recordUnit($reloadListFile, $unit); + } +} +# We can remove the file now because it has been propagated to the other reload file +unlink($reloadByActivationFile); + # Restart systemd if necessary. Note that this is done using the # current version of systemd, just in case the new one has trouble # communicating with the running pid 1. diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix index 9e6ca75b9da..b8aeee8c11b 100644 --- a/nixos/modules/system/activation/top-level.nix +++ b/nixos/modules/system/activation/top-level.nix @@ -117,7 +117,7 @@ let configurationName = config.boot.loader.grub.configurationName; # Needed by switch-to-configuration. - perl = pkgs.perl.withPackages (p: with p; [ FileSlurp NetDBus XMLParser XMLTwig ConfigIniFiles ]); + perl = pkgs.perl.withPackages (p: with p; [ ConfigIniFiles FileSlurp NetDBus ]); }; # Handle assertions and warnings diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh index f86d4641228..8fcc1f02972 100644 --- a/nixos/modules/system/boot/stage-1-init.sh +++ b/nixos/modules/system/boot/stage-1-init.sh @@ -282,6 +282,9 @@ checkFS() { # Don't check resilient COWs as they validate the fs structures at mount time if [ "$fsType" = btrfs -o "$fsType" = zfs -o "$fsType" = bcachefs ]; then return 0; fi + # Skip fsck for apfs as the fsck utility does not support repairing the filesystem (no -a option) + if [ "$fsType" = apfs ]; then return 0; fi + # Skip fsck for nilfs2 - not needed by design and no fsck tool for this filesystem. if [ "$fsType" = nilfs2 ]; then return 0; fi diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 9c684fbada2..1575c0257d1 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -350,6 +350,9 @@ let ''; symlink = "/etc/modprobe.d/ubuntu.conf"; } + { object = config.environment.etc."modprobe.d/nixos.conf".source; + symlink = "/etc/modprobe.d/nixos.conf"; + } { object = pkgs.kmod-debian-aliases; symlink = "/etc/modprobe.d/debian.conf"; } diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 76c59c047e0..1f2dd618698 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -25,9 +25,11 @@ let "nss-lookup.target" "nss-user-lookup.target" "time-sync.target" + ] ++ (optionals cfg.package.withCryptsetup [ "cryptsetup.target" "cryptsetup-pre.target" "remote-cryptsetup.target" + ]) ++ [ "sigpwr.target" "timers.target" "paths.target" @@ -241,6 +243,8 @@ let { Requisite = toString config.requisite; } // optionalAttrs (config.restartTriggers != []) { X-Restart-Triggers = toString config.restartTriggers; } + // optionalAttrs (config.reloadTriggers != []) + { X-Reload-Triggers = toString config.reloadTriggers; } // optionalAttrs (config.description != "") { Description = config.description; } // optionalAttrs (config.documentation != []) { @@ -915,6 +919,9 @@ in (optional hasDeprecated "Service '${name}.service' uses the attribute 'StartLimitInterval' in the Service section, which is deprecated. See https://github.com/NixOS/nixpkgs/issues/45786." ) + (optional (service.reloadIfChanged && service.reloadTriggers != []) + "Service '${name}.service' has both 'reloadIfChanged' and 'reloadTriggers' set. This is probably not what you want, because 'reloadTriggers' behave the same whay as 'restartTriggers' if 'reloadIfChanged' is set." + ) ] ) cfg.services diff --git a/nixos/modules/system/boot/tmp.nix b/nixos/modules/system/boot/tmp.nix index 6edafd6695b..cf6d19eb5f0 100644 --- a/nixos/modules/system/boot/tmp.nix +++ b/nixos/modules/system/boot/tmp.nix @@ -48,7 +48,12 @@ in what = "tmpfs"; where = "/tmp"; type = "tmpfs"; - mountConfig.Options = [ "mode=1777" "strictatime" "rw" "nosuid" "nodev" "size=${toString cfg.tmpOnTmpfsSize}" ]; + mountConfig.Options = concatStringsSep "," [ "mode=1777" + "strictatime" + "rw" + "nosuid" + "nodev" + "size=${toString cfg.tmpOnTmpfsSize}" ]; } ]; diff --git a/nixos/modules/system/etc/etc-activation.nix b/nixos/modules/system/etc/etc-activation.nix new file mode 100644 index 00000000000..78010495018 --- /dev/null +++ b/nixos/modules/system/etc/etc-activation.nix @@ -0,0 +1,12 @@ +{ config, lib, ... }: +let + inherit (lib) stringAfter; +in { + + imports = [ ./etc.nix ]; + + config = { + system.activationScripts.etc = + stringAfter [ "users" "groups" ] config.system.build.etcActivationCommands; + }; +} diff --git a/nixos/modules/system/etc/etc.nix b/nixos/modules/system/etc/etc.nix index 6cc8c341e6d..ed552fecec5 100644 --- a/nixos/modules/system/etc/etc.nix +++ b/nixos/modules/system/etc/etc.nix @@ -66,6 +66,8 @@ in { + imports = [ ../build.nix ]; + ###### interface options = { @@ -188,14 +190,12 @@ in config = { system.build.etc = etc; - - system.activationScripts.etc = stringAfter [ "users" "groups" ] + system.build.etcActivationCommands = '' # Set up the statically computed bits of /etc. echo "setting up /etc..." ${pkgs.perl.withPackages (p: [ p.FileSlurp ])}/bin/perl ${./setup-etc.pl} ${etc}/etc ''; - }; } diff --git a/nixos/modules/system/etc/test.nix b/nixos/modules/system/etc/test.nix new file mode 100644 index 00000000000..5e43b155038 --- /dev/null +++ b/nixos/modules/system/etc/test.nix @@ -0,0 +1,70 @@ +{ lib +, coreutils +, fakechroot +, fakeroot +, evalMinimalConfig +, pkgsModule +, runCommand +, util-linux +, vmTools +, writeText +}: +let + node = evalMinimalConfig ({ config, ... }: { + imports = [ pkgsModule ../etc/etc.nix ]; + environment.etc."passwd" = { + text = passwdText; + }; + environment.etc."hosts" = { + text = hostsText; + mode = "0751"; + }; + }); + passwdText = '' + root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash + ''; + hostsText = '' + 127.0.0.1 localhost + ::1 localhost + # testing... + ''; +in +lib.recurseIntoAttrs { + test-etc-vm = + vmTools.runInLinuxVM (runCommand "test-etc-vm" { } '' + mkdir -p /etc + ${node.config.system.build.etcActivationCommands} + set -x + [[ -L /etc/passwd ]] + diff /etc/passwd ${writeText "expected-passwd" passwdText} + [[ 751 = $(stat --format %a /etc/hosts) ]] + diff /etc/hosts ${writeText "expected-hosts" hostsText} + set +x + touch $out + ''); + + # fakeroot is behaving weird + test-etc-fakeroot = + runCommand "test-etc" + { + nativeBuildInputs = [ + fakeroot + fakechroot + # for chroot + coreutils + # fakechroot needs getopt, which is provided by util-linux + util-linux + ]; + fakeRootCommands = '' + mkdir -p /etc + ${node.config.system.build.etcActivationCommands} + diff /etc/hosts ${writeText "expected-hosts" hostsText} + touch $out + ''; + } '' + mkdir fake-root + export FAKECHROOT_EXCLUDE_PATH=/dev:/proc:/sys:${builtins.storeDir}:$out + fakechroot fakeroot chroot $PWD/fake-root bash -c 'source $stdenv/setup; eval "$fakeRootCommands"' + ''; + +} diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index 225bcbe58e0..f3da6771197 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -250,7 +250,7 @@ in environment.etc.fstab.text = let - fsToSkipCheck = [ "none" "bindfs" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" "glusterfs" ]; + fsToSkipCheck = [ "none" "bindfs" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" "glusterfs" "apfs" ]; skipCheck = fs: fs.noCheck || fs.device == "none" || builtins.elem fs.fsType fsToSkipCheck; # https://wiki.archlinux.org/index.php/fstab#Filepath_spaces escape = string: builtins.replaceStrings [ " " "\t" ] [ "\\040" "\\011" ] string; diff --git a/nixos/modules/tasks/filesystems/apfs.nix b/nixos/modules/tasks/filesystems/apfs.nix new file mode 100644 index 00000000000..2f2be351df6 --- /dev/null +++ b/nixos/modules/tasks/filesystems/apfs.nix @@ -0,0 +1,22 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + inInitrd = any (fs: fs == "apfs") config.boot.initrd.supportedFilesystems; + +in + +{ + config = mkIf (any (fs: fs == "apfs") config.boot.supportedFilesystems) { + + system.fsPackages = [ pkgs.apfsprogs ]; + + boot.extraModulePackages = [ config.boot.kernelPackages.apfs ]; + + boot.initrd.kernelModules = mkIf inInitrd [ "apfs" ]; + + # Don't copy apfsck into the initramfs since it does not support repairing the filesystem + }; +} diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 1dac405ac30..5c91993771e 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -305,7 +305,7 @@ let enable = mkOption { type = types.bool; default = false; - description = "Wether to enable wol on this interface."; + description = "Whether to enable wol on this interface."; }; }; }; diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix index a7011be7e04..01447e6ada8 100644 --- a/nixos/modules/testing/test-instrumentation.nix +++ b/nixos/modules/testing/test-instrumentation.nix @@ -109,6 +109,10 @@ in # Allow very slow start DefaultTimeoutStartSec=300 ''; + systemd.user.extraConfig = '' + # Allow very slow start + DefaultTimeoutStartSec=300 + ''; boot.consoleLogLevel = 7; diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix index fe248a94488..bd7077ff7ea 100644 --- a/nixos/modules/virtualisation/amazon-image.nix +++ b/nixos/modules/virtualisation/amazon-image.nix @@ -155,7 +155,7 @@ in systemd.services."serial-getty@ttyS0".enable = true; # Creates symlinks for block device names. - services.udev.packages = [ pkgs.ec2-utils ]; + services.udev.packages = [ pkgs.amazon-ec2-utils ]; # Force getting the hostname from EC2. networking.hostName = mkDefault ""; diff --git a/nixos/modules/virtualisation/containerd.nix b/nixos/modules/virtualisation/containerd.nix index 898a66e7b04..ea89a994b17 100644 --- a/nixos/modules/virtualisation/containerd.nix +++ b/nixos/modules/virtualisation/containerd.nix @@ -53,6 +53,7 @@ in virtualisation.containerd = { args.config = toString containerdConfigChecked; settings = { + version = 2; plugins."io.containerd.grpc.v1.cri" = { containerd.snapshotter = lib.mkIf config.boot.zfs.enabled (lib.mkOptionDefault "zfs"); diff --git a/nixos/modules/virtualisation/docker-rootless.nix b/nixos/modules/virtualisation/docker-rootless.nix index 0e7f0503142..d371f67ecdc 100644 --- a/nixos/modules/virtualisation/docker-rootless.nix +++ b/nixos/modules/virtualisation/docker-rootless.nix @@ -76,7 +76,11 @@ in # needs newuidmap from pkgs.shadow path = [ "/run/wrappers" ]; environment = proxy_env; - unitConfig.StartLimitInterval = "60s"; + unitConfig = { + # docker-rootless doesn't support running as root. + ConditionUser = "!root"; + StartLimitInterval = "60s"; + }; serviceConfig = { Type = "notify"; ExecStart = "${cfg.package}/bin/dockerd-rootless --config-file=${daemonSettingsFile}"; diff --git a/nixos/modules/virtualisation/fetch-instance-ssh-keys.bash b/nixos/modules/virtualisation/fetch-instance-ssh-keys.bash deleted file mode 100644 index 4a860196111..00000000000 --- a/nixos/modules/virtualisation/fetch-instance-ssh-keys.bash +++ /dev/null @@ -1,36 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -WGET() { - wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google' "$@" -} - -# When dealing with cryptographic keys, we want to keep things private. -umask 077 -mkdir -p /root/.ssh - -echo "Fetching authorized keys..." -WGET -O /tmp/auth_keys http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys - -# Read keys one by one, split in case Google decided -# to append metadata (it does sometimes) and add to -# authorized_keys if not already present. -touch /root/.ssh/authorized_keys -while IFS='' read -r line || [[ -n "$line" ]]; do - keyLine=$(echo -n "$line" | cut -d ':' -f2) - IFS=' ' read -r -a array <<<"$keyLine" - if [[ ${#array[@]} -ge 3 ]]; then - echo "${array[@]:0:3}" >>/tmp/new_keys - echo "Added ${array[*]:2} to authorized_keys" - fi -done </tmp/auth_keys -mv /tmp/new_keys /root/.ssh/authorized_keys -chmod 600 /root/.ssh/authorized_keys - -echo "Fetching host keys..." -WGET -O /tmp/ssh_host_ed25519_key http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key -WGET -O /tmp/ssh_host_ed25519_key.pub http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key_pub -mv -f /tmp/ssh_host_ed25519_key* /etc/ssh/ -chmod 600 /etc/ssh/ssh_host_ed25519_key -chmod 644 /etc/ssh/ssh_host_ed25519_key.pub diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix index cff48d20b2b..44d2a589511 100644 --- a/nixos/modules/virtualisation/google-compute-config.nix +++ b/nixos/modules/virtualisation/google-compute-config.nix @@ -1,8 +1,5 @@ { config, lib, pkgs, ... }: with lib; -let - gce = pkgs.google-compute-engine; -in { imports = [ ../profiles/headless.nix @@ -40,7 +37,8 @@ in security.googleOsLogin.enable = true; # Use GCE udev rules for dynamic disk volumes - services.udev.packages = [ gce ]; + services.udev.packages = [ pkgs.google-guest-configs ]; + services.udev.path = [ pkgs.google-guest-configs ]; # Force getting the hostname from Google Compute. networking.hostName = mkDefault ""; @@ -48,12 +46,6 @@ in # Always include cryptsetup so that NixOps can use it. environment.systemPackages = [ pkgs.cryptsetup ]; - # Make sure GCE image does not replace host key that NixOps sets - environment.etc."default/instance_configs.cfg".text = lib.mkDefault '' - [InstanceSetup] - set_host_keys = false - ''; - # Rely on GCP's firewall instead networking.firewall.enable = mkDefault false; @@ -69,105 +61,42 @@ in # GC has 1460 MTU networking.interfaces.eth0.mtu = 1460; - # Used by NixOps - systemd.services.fetch-instance-ssh-keys = { - description = "Fetch host keys and authorized_keys for root user"; - - wantedBy = [ "sshd.service" ]; - before = [ "sshd.service" ]; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - path = [ pkgs.wget ]; - - serviceConfig = { - Type = "oneshot"; - ExecStart = pkgs.runCommand "fetch-instance-ssh-keys" { } '' - cp ${./fetch-instance-ssh-keys.bash} $out - chmod +x $out - ${pkgs.shfmt}/bin/shfmt -i 4 -d $out - ${pkgs.shellcheck}/bin/shellcheck $out - patchShebangs $out - ''; - PrivateTmp = true; - StandardError = "journal+console"; - StandardOutput = "journal+console"; - }; + systemd.packages = [ pkgs.google-guest-agent ]; + systemd.services.google-guest-agent = { + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ config.environment.etc."default/instance_configs.cfg".source ]; + path = lib.optional config.users.mutableUsers pkgs.shadow; }; + systemd.services.google-startup-scripts.wantedBy = [ "multi-user.target" ]; + systemd.services.google-shutdown-scripts.wantedBy = [ "multi-user.target" ]; - systemd.services.google-instance-setup = { - description = "Google Compute Engine Instance Setup"; - after = [ "network-online.target" "network.target" "rsyslog.service" ]; - before = [ "sshd.service" ]; - path = with pkgs; [ coreutils ethtool openssh ]; - serviceConfig = { - ExecStart = "${gce}/bin/google_instance_setup"; - StandardOutput="journal+console"; - Type = "oneshot"; - }; - wantedBy = [ "sshd.service" "multi-user.target" ]; - }; + security.sudo.extraRules = mkIf config.users.mutableUsers [ + { groups = [ "google-sudoers" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; } + ]; - systemd.services.google-network-daemon = { - description = "Google Compute Engine Network Daemon"; - after = [ "network-online.target" "network.target" "google-instance-setup.service" ]; - path = with pkgs; [ iproute2 ]; - serviceConfig = { - ExecStart = "${gce}/bin/google_network_daemon"; - StandardOutput="journal+console"; - Type="simple"; - }; - wantedBy = [ "multi-user.target" ]; - }; + users.groups.google-sudoers = mkIf config.users.mutableUsers { }; - systemd.services.google-clock-skew-daemon = { - description = "Google Compute Engine Clock Skew Daemon"; - after = [ "network.target" "google-instance-setup.service" "google-network-daemon.service" ]; - serviceConfig = { - ExecStart = "${gce}/bin/google_clock_skew_daemon"; - StandardOutput="journal+console"; - Type = "simple"; - }; - wantedBy = ["multi-user.target"]; - }; + boot.extraModprobeConfig = lib.readFile "${pkgs.google-guest-configs}/etc/modprobe.d/gce-blacklist.conf"; + environment.etc."sysctl.d/60-gce-network-security.conf".source = "${pkgs.google-guest-configs}/etc/sysctl.d/60-gce-network-security.conf"; - systemd.services.google-shutdown-scripts = { - description = "Google Compute Engine Shutdown Scripts"; - after = [ - "network-online.target" - "network.target" - "rsyslog.service" - "google-instance-setup.service" - "google-network-daemon.service" - ]; - serviceConfig = { - ExecStart = "${pkgs.coreutils}/bin/true"; - ExecStop = "${gce}/bin/google_metadata_script_runner --script-type shutdown"; - RemainAfterExit = true; - StandardOutput="journal+console"; - TimeoutStopSec = "0"; - Type = "oneshot"; - }; - wantedBy = [ "multi-user.target" ]; - }; + environment.etc."default/instance_configs.cfg".text = '' + [Accounts] + useradd_cmd = useradd -m -s /run/current-system/sw/bin/bash -p * {user} - systemd.services.google-startup-scripts = { - description = "Google Compute Engine Startup Scripts"; - after = [ - "network-online.target" - "network.target" - "rsyslog.service" - "google-instance-setup.service" - "google-network-daemon.service" - ]; - serviceConfig = { - ExecStart = "${gce}/bin/google_metadata_script_runner --script-type startup"; - KillMode = "process"; - StandardOutput = "journal+console"; - Type = "oneshot"; - }; - wantedBy = [ "multi-user.target" ]; - }; + [Daemons] + accounts_daemon = ${boolToString config.users.mutableUsers} - environment.etc."sysctl.d/11-gce-network-security.conf".source = "${gce}/sysctl.d/11-gce-network-security.conf"; + [InstanceSetup] + # Make sure GCE image does not replace host key that NixOps sets. + set_host_keys = false + + [MetadataScripts] + default_shell = ${pkgs.stdenv.shell} + + [NetworkInterfaces] + dhclient_script = ${pkgs.google-guest-configs}/bin/google-dhclient-script + # We set up network interfaces declaratively. + setup = false + ''; } diff --git a/nixos/modules/virtualisation/kvmgt.nix b/nixos/modules/virtualisation/kvmgt.nix index 72bd2c24e56..5e7a73bec90 100644 --- a/nixos/modules/virtualisation/kvmgt.nix +++ b/nixos/modules/virtualisation/kvmgt.nix @@ -82,5 +82,5 @@ in { }; }; - meta.maintainers = with maintainers; [ ]; + meta.maintainers = with maintainers; [ patryk27 ]; } diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 29e3aa024df..51438935894 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -632,6 +632,15 @@ in Enable the Qemu guest agent. ''; }; + + virtioKeyboard = + mkOption { + type = types.bool; + default = true; + description = '' + Enable the virtio-keyboard device. + ''; + }; }; virtualisation.useNixStoreImage = @@ -835,7 +844,9 @@ in # FIXME: Consolidate this one day. virtualisation.qemu.options = mkMerge [ - [ "-device virtio-keyboard" ] + (mkIf cfg.qemu.virtioKeyboard [ + "-device virtio-keyboard" + ]) (mkIf pkgs.stdenv.hostPlatform.isx86 [ "-usb" "-device usb-tablet,bus=usb-bus.0" ]) diff --git a/nixos/modules/virtualisation/virtualbox-guest.nix b/nixos/modules/virtualisation/virtualbox-guest.nix index f702fb4e525..7b55b3b9759 100644 --- a/nixos/modules/virtualisation/virtualbox-guest.nix +++ b/nixos/modules/virtualisation/virtualbox-guest.nix @@ -68,7 +68,7 @@ in SUBSYSTEM=="misc", KERNEL=="vboxguest", TAG+="systemd" ''; } (mkIf cfg.x11 { - services.xserver.videoDrivers = mkOverride 50 [ "vmware" "virtualbox" "modesetting" ]; + services.xserver.videoDrivers = [ "vmware" "virtualbox" "modesetting" ]; services.xserver.config = '' diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 62bc8acef60..a0beaf98de5 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -32,9 +32,11 @@ in acme = handleTest ./acme.nix {}; adguardhome = handleTest ./adguardhome.nix {}; aesmd = handleTest ./aesmd.nix {}; + agate = handleTest ./web-servers/agate.nix {}; agda = handleTest ./agda.nix {}; airsonic = handleTest ./airsonic.nix {}; amazon-init-shell = handleTest ./amazon-init-shell.nix {}; + apfs = handleTest ./apfs.nix {}; apparmor = handleTest ./apparmor.nix {}; atd = handleTest ./atd.nix {}; atop = handleTest ./atop.nix {}; @@ -50,11 +52,13 @@ in bitcoind = handleTest ./bitcoind.nix {}; bittorrent = handleTest ./bittorrent.nix {}; blockbook-frontend = handleTest ./blockbook-frontend.nix {}; + blocky = handleTest ./blocky.nix {}; boot = handleTestOn ["x86_64-linux" "aarch64-linux"] ./boot.nix {}; boot-stage1 = handleTest ./boot-stage1.nix {}; borgbackup = handleTest ./borgbackup.nix {}; botamusique = handleTest ./botamusique.nix {}; bpf = handleTestOn ["x86_64-linux" "aarch64-linux"] ./bpf.nix {}; + breitbandmessung = handleTest ./breitbandmessung.nix {}; brscan5 = handleTest ./brscan5.nix {}; btrbk = handleTest ./btrbk.nix {}; buildbot = handleTest ./buildbot.nix {}; @@ -139,6 +143,7 @@ in env = handleTest ./env.nix {}; ergo = handleTest ./ergo.nix {}; ergochat = handleTest ./ergochat.nix {}; + etc = pkgs.callPackage ../modules/system/etc/test.nix { inherit evalMinimalConfig; }; etcd = handleTestOn ["x86_64-linux"] ./etcd.nix {}; etcd-cluster = handleTestOn ["x86_64-linux"] ./etcd-cluster.nix {}; etebase-server = handleTest ./etebase-server.nix {}; @@ -235,7 +240,6 @@ in jibri = handleTest ./jibri.nix {}; jirafeau = handleTest ./jirafeau.nix {}; jitsi-meet = handleTest ./jitsi-meet.nix {}; - k3s = handleTest ./k3s.nix {}; k3s-single-node = handleTest ./k3s-single-node.nix {}; k3s-single-node-docker = handleTest ./k3s-single-node-docker.nix {}; kafka = handleTest ./kafka.nix {}; @@ -303,6 +307,7 @@ in moodle = handleTest ./moodle.nix {}; morty = handleTest ./morty.nix {}; mosquitto = handleTest ./mosquitto.nix {}; + moosefs = handleTest ./moosefs.nix {}; mpd = handleTest ./mpd.nix {}; mpv = handleTest ./mpv.nix {}; mumble = handleTest ./mumble.nix {}; @@ -354,6 +359,7 @@ in nixpkgs = pkgs.callPackage ../modules/misc/nixpkgs/test.nix { inherit evalMinimalConfig; }; node-red = handleTest ./node-red.nix {}; nomad = handleTest ./nomad.nix {}; + noto-fonts = handleTest ./noto-fonts.nix {}; novacomd = handleTestOn ["x86_64-linux"] ./novacomd.nix {}; nsd = handleTest ./nsd.nix {}; nzbget = handleTest ./nzbget.nix {}; @@ -437,6 +443,7 @@ in resolv = handleTest ./resolv.nix {}; restartByActivationScript = handleTest ./restart-by-activation-script.nix {}; restic = handleTest ./restic.nix {}; + retroarch = handleTest ./retroarch.nix {}; riak = handleTest ./riak.nix {}; robustirc-bridge = handleTest ./robustirc-bridge.nix {}; roundcube = handleTest ./roundcube.nix {}; @@ -558,6 +565,7 @@ in xrdp = handleTest ./xrdp.nix {}; xss-lock = handleTest ./xss-lock.nix {}; xterm = handleTest ./xterm.nix {}; + xxh = handleTest ./xxh.nix {}; yabar = handleTest ./yabar.nix {}; yggdrasil = handleTest ./yggdrasil.nix {}; zfs = handleTest ./zfs.nix {}; diff --git a/nixos/tests/apfs.nix b/nixos/tests/apfs.nix new file mode 100644 index 00000000000..a82886cbe73 --- /dev/null +++ b/nixos/tests/apfs.nix @@ -0,0 +1,54 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "apfs"; + meta.maintainers = with pkgs.lib.maintainers; [ Luflosi ]; + + machine = { pkgs, ... }: { + virtualisation.emptyDiskImages = [ 1024 ]; + + boot.supportedFilesystems = [ "apfs" ]; + }; + + testScript = '' + machine.wait_for_unit("basic.target") + machine.succeed("mkdir /tmp/mnt") + + with subtest("mkapfs refuses to work with a label that is too long"): + machine.fail( "mkapfs -L '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F' /dev/vdb") + + with subtest("mkapfs works with the maximum label length"): + machine.succeed("mkapfs -L '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7' /dev/vdb") + + with subtest("Enable case sensitivity and normalization sensitivity"): + machine.succeed( + "mkapfs -s -z /dev/vdb", + # Triggers a bug, see https://github.com/linux-apfs/linux-apfs-rw/issues/15 + # "mount -o cknodes,readwrite /dev/vdb /tmp/mnt", + "mount -o readwrite /dev/vdb /tmp/mnt", + "echo 'Hello World 1' > /tmp/mnt/test.txt", + "[ ! -f /tmp/mnt/TeSt.TxT ] || false", # Test case sensitivity + "echo 'Hello World 1' | diff - /tmp/mnt/test.txt", + "echo 'Hello World 2' > /tmp/mnt/\u0061\u0301.txt", + "echo 'Hello World 2' | diff - /tmp/mnt/\u0061\u0301.txt", + "[ ! -f /tmp/mnt/\u00e1.txt ] || false", # Test Unicode normalization sensitivity + "umount /tmp/mnt", + "apfsck /dev/vdb", + ) + with subtest("Disable case sensitivity and normalization sensitivity"): + machine.succeed( + "mkapfs /dev/vdb", + "mount -o readwrite /dev/vdb /tmp/mnt", + "echo 'bla bla bla' > /tmp/mnt/Test.txt", + "echo -n 'Hello World' > /tmp/mnt/test.txt", + "echo ' 1' >> /tmp/mnt/TEST.TXT", + "umount /tmp/mnt", + "apfsck /dev/vdb", + "mount -o readwrite /dev/vdb /tmp/mnt", + "echo 'Hello World 1' | diff - /tmp/mnt/TeSt.TxT", # Test case insensitivity + "echo 'Hello World 2' > /tmp/mnt/\u0061\u0301.txt", + "echo 'Hello World 2' | diff - /tmp/mnt/\u0061\u0301.txt", + "echo 'Hello World 2' | diff - /tmp/mnt/\u00e1.txt", # Test Unicode normalization + "umount /tmp/mnt", + "apfsck /dev/vdb", + ) + ''; +}) diff --git a/nixos/tests/blocky.nix b/nixos/tests/blocky.nix new file mode 100644 index 00000000000..18e7f45e1c7 --- /dev/null +++ b/nixos/tests/blocky.nix @@ -0,0 +1,34 @@ +import ./make-test-python.nix { + name = "blocky"; + + nodes = { + server = { pkgs, ... }: { + environment.systemPackages = [ pkgs.dnsutils ]; + services.blocky = { + enable = true; + + settings = { + customDNS = { + mapping = { + "printer.lan" = "192.168.178.3,2001:0db8:85a3:08d3:1319:8a2e:0370:7344"; + }; + }; + upstream = { + default = [ "8.8.8.8" "1.1.1.1" ]; + }; + port = 53; + httpPort = 5000; + logLevel = "info"; + }; + }; + }; + }; + + testScript = '' + with subtest("Service test"): + server.wait_for_unit("blocky.service") + server.wait_for_open_port(53) + server.wait_for_open_port(5000) + server.succeed("dig @127.0.0.1 +short -x 192.168.178.3 | grep -qF printer.lan") + ''; +} diff --git a/nixos/tests/bpf.nix b/nixos/tests/bpf.nix index 233c7dab1ee..e479cd05792 100644 --- a/nixos/tests/bpf.nix +++ b/nixos/tests/bpf.nix @@ -18,8 +18,12 @@ import ./make-test-python.nix ({ pkgs, ... }: { # simple BEGIN probe (user probe on bpftrace itself) print(machine.succeed("bpftrace -e 'BEGIN { print(\"ok\"); exit(); }'")) # tracepoint - print(machine.succeed("bpftrace -e 'tracepoint:syscalls:sys_enter_* { print(probe); exit(); }'")) + print(machine.succeed("bpftrace -e 'tracepoint:syscalls:sys_enter_* { print(probe); exit() }'")) # kprobe print(machine.succeed("bpftrace -e 'kprobe:schedule { print(probe); exit() }'")) + # BTF + print(machine.succeed("bpftrace -e 'kprobe:schedule { " + " printf(\"tgid: %d\", ((struct task_struct*) curtask)->tgid); exit() " + "}'")) ''; }) diff --git a/nixos/tests/breitbandmessung.nix b/nixos/tests/breitbandmessung.nix new file mode 100644 index 00000000000..12b1a094839 --- /dev/null +++ b/nixos/tests/breitbandmessung.nix @@ -0,0 +1,33 @@ +import ./make-test-python.nix ({ lib, ... }: { + name = "breitbandmessung"; + meta.maintainers = with lib.maintainers; [ b4dm4n ]; + + machine = { pkgs, ... }: { + imports = [ + ./common/user-account.nix + ./common/x11.nix + ]; + + # increase screen size to make the whole program visible + virtualisation.resolution = { x = 1280; y = 1024; }; + + test-support.displayManager.auto.user = "alice"; + + environment.systemPackages = with pkgs; [ breitbandmessung ]; + environment.variables.XAUTHORITY = "/home/alice/.Xauthority"; + + # breitbandmessung is unfree + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "breitbandmessung" ]; + }; + + enableOCR = true; + + testScript = '' + machine.wait_for_x() + machine.execute("su - alice -c breitbandmessung >&2 &") + machine.wait_for_window("Breitbandmessung") + machine.wait_for_text("Breitbandmessung") + machine.wait_for_text("Datenschutz") + machine.screenshot("breitbandmessung") + ''; +}) diff --git a/nixos/tests/cloud-init.nix b/nixos/tests/cloud-init.nix index e06cbd056a3..3f191ff5616 100644 --- a/nixos/tests/cloud-init.nix +++ b/nixos/tests/cloud-init.nix @@ -35,6 +35,24 @@ let public-keys: - "${snakeOilPublicKey}" EOF + + cat << EOF > $out/iso/network-config + version: 1 + config: + - type: physical + name: eth0 + mac_address: '52:54:00:12:34:56' + subnets: + - type: static + address: '12.34.56.78' + netmask: '255.255.255.0' + gateway: '12.34.56.9' + - type: nameserver + address: + - '8.8.8.8' + search: + - 'example.com' + EOF ${pkgs.cdrkit}/bin/genisoimage -volid cidata -joliet -rock -o $out/metadata.iso $out/iso ''; }; @@ -46,9 +64,13 @@ in makeTest { machine = { ... }: { virtualisation.qemu.options = [ "-cdrom" "${metadataDrive}/metadata.iso" ]; - services.cloud-init.enable = true; + services.cloud-init = { + enable = true; + network.enable = true; + }; services.openssh.enable = true; networking.hostName = ""; + networking.useDHCP = false; }; testScript = '' # To wait until cloud-init terminates its run @@ -80,5 +102,8 @@ in makeTest { ).strip() == "test" ) + + assert "default via 12.34.56.9 dev eth0 proto static" in unnamed.succeed("ip route") + assert "12.34.56.0/24 dev eth0 proto kernel scope link src 12.34.56.78" in unnamed.succeed("ip route") ''; } diff --git a/nixos/tests/google-oslogin/default.nix b/nixos/tests/google-oslogin/default.nix index dea660ed05a..72c87d7153b 100644 --- a/nixos/tests/google-oslogin/default.nix +++ b/nixos/tests/google-oslogin/default.nix @@ -31,10 +31,10 @@ in { # mockserver should return a non-expired ssh key for both mockuser and mockadmin server.succeed( - f'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"' + f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"' ) server.succeed( - f'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"' + f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"' ) # install snakeoil ssh key on the client, and provision .ssh/config file diff --git a/nixos/tests/google-oslogin/server.nix b/nixos/tests/google-oslogin/server.nix index a0a3144ae69..faf5e847d7e 100644 --- a/nixos/tests/google-oslogin/server.nix +++ b/nixos/tests/google-oslogin/server.nix @@ -23,7 +23,5 @@ in { security.googleOsLogin.enable = true; # Mock google service - networking.extraHosts = '' - 127.0.0.1 metadata.google.internal - ''; + networking.interfaces.lo.ipv4.addresses = [ { address = "169.254.169.254"; prefixLength = 32; } ]; } diff --git a/nixos/tests/google-oslogin/server.py b/nixos/tests/google-oslogin/server.py index 5ea9bbd2c96..5ea9bbd2c96 100644..100755 --- a/nixos/tests/google-oslogin/server.py +++ b/nixos/tests/google-oslogin/server.py diff --git a/nixos/tests/haproxy.nix b/nixos/tests/haproxy.nix index 2c3878131b6..b6ff4102fe6 100644 --- a/nixos/tests/haproxy.nix +++ b/nixos/tests/haproxy.nix @@ -16,7 +16,6 @@ import ./make-test-python.nix ({ pkgs, ...}: { frontend http bind *:80 mode http - option http-use-htx http-request use-service prometheus-exporter if { path /metrics } use_backend http_server ''; diff --git a/nixos/tests/home-assistant.nix b/nixos/tests/home-assistant.nix index 5b1c07c92da..31f8a4bcc19 100644 --- a/nixos/tests/home-assistant.nix +++ b/nixos/tests/home-assistant.nix @@ -10,6 +10,7 @@ in { nodes.hass = { pkgs, ... }: { environment.systemPackages = with pkgs; [ mosquitto ]; + services.mosquitto = { enable = true; listeners = [ { @@ -21,14 +22,42 @@ in { }; } ]; }; + + services.postgresql = { + enable = true; + ensureDatabases = [ "hass" ]; + ensureUsers = [{ + name = "hass"; + ensurePermissions = { + "DATABASE hass" = "ALL PRIVILEGES"; + }; + }]; + }; + services.home-assistant = { - inherit configDir; enable = true; + inherit configDir; + + # tests loading components by overriding the package package = (pkgs.home-assistant.override { + extraPackages = ps: with ps; [ + colorama + ]; extraComponents = [ "zha" ]; }).overrideAttrs (oldAttrs: { doInstallCheck = false; }); + + # tests loading components from the module + extraComponents = [ + "wake_on_lan" + ]; + + # test extra package passing from the module + extraPackages = python3Packages: with python3Packages; [ + psycopg2 + ]; + config = { homeassistant = { name = "Home"; @@ -37,34 +66,58 @@ in { longitude = "0.0"; elevation = 0; }; + + # configure the recorder component to use the postgresql db + recorder.db_url = "postgresql://@/hass"; + + # we can't load default_config, because the updater requires + # network access and would cause an error, so load frontend + # here explicitly. + # https://www.home-assistant.io/integrations/frontend/ frontend = {}; + + # configure an mqtt broker connection + # https://www.home-assistant.io/integrations/mqtt mqtt = { broker = "127.0.0.1"; username = mqttUsername; password = mqttPassword; }; - binary_sensor = [{ + + # create a mqtt sensor that syncs state with its mqtt topic + # https://www.home-assistant.io/integrations/sensor.mqtt/ + binary_sensor = [ { platform = "mqtt"; state_topic = "home-assistant/test"; payload_on = "let_there_be_light"; payload_off = "off"; - }]; - wake_on_lan = {}; - switch = [{ + } ]; + + # set up a wake-on-lan switch to test capset capability required + # for the ping suid wrapper + # https://www.home-assistant.io/integrations/wake_on_lan/ + switch = [ { platform = "wake_on_lan"; mac = "00:11:22:33:44:55"; host = "127.0.0.1"; - }]; - # tests component-based capability assignment (CAP_NET_BIND_SERVICE) + } ]; + + # test component-based capability assignment (CAP_NET_BIND_SERVICE) + # https://www.home-assistant.io/integrations/emulated_hue/ emulated_hue = { host_ip = "127.0.0.1"; listen_port = 80; }; + + # show mqtt interaction in the log + # https://www.home-assistant.io/integrations/logger/ logger = { default = "info"; logs."homeassistant.components.mqtt" = "debug"; }; }; + + # configure the sample lovelace dashboard lovelaceConfig = { title = "My Awesome Home"; views = [{ @@ -81,34 +134,57 @@ in { }; testScript = '' + import re + start_all() + + # Parse the package path out of the systemd unit, as we cannot + # access the final package, that is overriden inside the module, + # by any other means. + pattern = re.compile(r"path=(?P<path>[\/a-z0-9-.]+)\/bin\/hass") + response = hass.execute("systemctl show -p ExecStart home-assistant.service")[1] + match = pattern.search(response) + package = match.group('path') + hass.wait_for_unit("home-assistant.service") + with subtest("Check that YAML configuration file is in place"): hass.succeed("test -L ${configDir}/configuration.yaml") - with subtest("lovelace config is copied because lovelaceConfigWritable = true"): + + with subtest("Check the lovelace config is copied because lovelaceConfigWritable = true"): hass.succeed("test -f ${configDir}/ui-lovelace.yaml") + + with subtest("Check extraComponents and extraPackages are considered from the package"): + hass.succeed(f"grep -q 'colorama' {package}/extra_packages") + hass.succeed(f"grep -q 'zha' {package}/extra_components") + + with subtest("Check extraComponents and extraPackages are considered from the module"): + hass.succeed(f"grep -q 'psycopg2' {package}/extra_packages") + hass.succeed(f"grep -q 'wake_on_lan' {package}/extra_components") + with subtest("Check that Home Assistant's web interface and API can be reached"): + hass.wait_until_succeeds("journalctl -u home-assistant.service | grep -q 'Home Assistant initialized in'") hass.wait_for_open_port(8123) hass.succeed("curl --fail http://localhost:8123/lovelace") + with subtest("Toggle a binary sensor using MQTT"): hass.wait_for_open_port(1883) hass.succeed( "mosquitto_pub -V mqttv5 -t home-assistant/test -u ${mqttUsername} -P '${mqttPassword}' -m let_there_be_light" ) + with subtest("Check that capabilities are passed for emulated_hue to bind to port 80"): hass.wait_for_open_port(80) hass.succeed("curl --fail http://localhost:80/description.xml") + with subtest("Check extra components are considered in systemd unit hardening"): hass.succeed("systemctl show -p DeviceAllow home-assistant.service | grep -q char-ttyUSB") + with subtest("Print log to ease debugging"): output_log = hass.succeed("cat ${configDir}/home-assistant.log") print("\n### home-assistant.log ###\n") print(output_log + "\n") - # wait for home-assistant to fully boot - hass.sleep(30) - hass.wait_for_unit("home-assistant.service") - with subtest("Check that no errors were logged"): assert "ERROR" not in output_log @@ -117,7 +193,7 @@ in { assert "let_there_be_light" in output_log with subtest("Check systemd unit hardening"): - hass.log(hass.succeed("systemctl show home-assistant.service")) + hass.log(hass.succeed("systemctl cat home-assistant.service")) hass.log(hass.succeed("systemd-analyze security home-assistant.service")) ''; }) diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index 761020571fa..5525c3117b7 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -306,6 +306,9 @@ let # The test cannot access the network, so any packages we # need must be included in the VM. system.extraDependencies = with pkgs; [ + brotli + brotli.dev + brotli.lib desktop-file-utils docbook5 docbook_xsl_ns @@ -315,6 +318,7 @@ let ntp perlPackages.ListCompare perlPackages.XMLLibXML + python3Minimal shared-mime-info sudo texinfo diff --git a/nixos/tests/moosefs.nix b/nixos/tests/moosefs.nix new file mode 100644 index 00000000000..0dc08748b82 --- /dev/null +++ b/nixos/tests/moosefs.nix @@ -0,0 +1,89 @@ +import ./make-test-python.nix ({ pkgs, ... } : + +let + master = { pkgs, ... } : { + # data base is stored in memory + # server crashes with default memory size + virtualisation.memorySize = 1024; + + services.moosefs.master = { + enable = true; + openFirewall = true; + exports = [ + "* / rw,alldirs,admin,maproot=0:0" + "* . rw" + ]; + }; + }; + + chunkserver = { pkgs, ... } : { + virtualisation.emptyDiskImages = [ 4096 ]; + boot.initrd.postDeviceCommands = '' + ${pkgs.e2fsprogs}/bin/mkfs.ext4 -L data /dev/vdb + ''; + + fileSystems = pkgs.lib.mkVMOverride { + "/data" = { + device = "/dev/disk/by-label/data"; + fsType = "ext4"; + }; + }; + + services.moosefs = { + masterHost = "master"; + chunkserver = { + openFirewall = true; + enable = true; + hdds = [ "~/data" ]; + }; + }; + }; + + metalogger = { pkgs, ... } : { + services.moosefs = { + masterHost = "master"; + metalogger.enable = true; + }; + }; + + client = { pkgs, ... } : { + services.moosefs.client.enable = true; + }; + +in { + name = "moosefs"; + + nodes= { + inherit master; + inherit metalogger; + chunkserver1 = chunkserver; + chunkserver2 = chunkserver; + client1 = client; + client2 = client; + }; + + testScript = '' + # prepare master server + master.start() + master.wait_for_unit("multi-user.target") + master.succeed("mfsmaster-init") + master.succeed("systemctl restart mfs-master") + master.wait_for_unit("mfs-master.service") + + metalogger.wait_for_unit("mfs-metalogger.service") + + for chunkserver in [chunkserver1, chunkserver2]: + chunkserver.wait_for_unit("multi-user.target") + chunkserver.succeed("chown moosefs:moosefs /data") + chunkserver.succeed("systemctl restart mfs-chunkserver") + chunkserver.wait_for_unit("mfs-chunkserver.service") + + for client in [client1, client2]: + client.wait_for_unit("multi-user.target") + client.succeed("mkdir /moosefs") + client.succeed("mount -t moosefs master:/ /moosefs") + + client1.succeed("echo test > /moosefs/file") + client2.succeed("grep test /moosefs/file") + ''; +}) diff --git a/nixos/tests/mysql/common.nix b/nixos/tests/mysql/common.nix index 968253d109c..040d360b6d9 100644 --- a/nixos/tests/mysql/common.nix +++ b/nixos/tests/mysql/common.nix @@ -3,7 +3,7 @@ inherit (pkgs.darwin) cctools; inherit (pkgs.darwin.apple_sdk.frameworks) CoreServices; }); - mysqlPackage = { + mysqlPackages = { inherit (pkgs) mysql57 mysql80; }; mkTestName = pkg: "mariadb_${builtins.replaceStrings ["."] [""] (lib.versions.majorMinor pkg.version)}"; diff --git a/nixos/tests/mysql/mysql.nix b/nixos/tests/mysql/mysql.nix index a5e42f85a7f..197e6da80e2 100644 --- a/nixos/tests/mysql/mysql.nix +++ b/nixos/tests/mysql/mysql.nix @@ -142,7 +142,7 @@ let in lib.mapAttrs (_: package: makeMySQLTest { inherit package; - hasRocksDB = false; hasMroonga = false; + hasRocksDB = false; hasMroonga = false; useSocketAuth = false; }) mysqlPackages // (lib.mapAttrs (_: package: makeMySQLTest { inherit package; diff --git a/nixos/tests/noto-fonts.nix b/nixos/tests/noto-fonts.nix new file mode 100644 index 00000000000..049dc766bd3 --- /dev/null +++ b/nixos/tests/noto-fonts.nix @@ -0,0 +1,44 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "noto-fonts"; + meta = { + maintainers = with lib.maintainers; [ nickcao midchildan ]; + }; + + machine = { + imports = [ ./common/x11.nix ]; + environment.systemPackages = [ pkgs.gnome.gedit ]; + fonts = { + enableDefaultFonts = false; + fonts = with pkgs;[ + noto-fonts + noto-fonts-cjk-sans + noto-fonts-cjk-serif + noto-fonts-emoji + ]; + fontconfig.defaultFonts = { + serif = [ "Noto Serif" "Noto Serif CJK SC" ]; + sansSerif = [ "Noto Sans" "Noto Sans CJK SC" ]; + monospace = [ "Noto Sans Mono" "Noto Sans Mono CJK SC" ]; + emoji = [ "Noto Color Emoji" ]; + }; + }; + }; + + testScript = + # extracted from http://www.clagnut.com/blog/2380/ + let testText = builtins.toFile "test.txt" '' + the quick brown fox jumps over the lazy dog + 視野無限廣,窗外有藍天 + Eĥoŝanĝo ĉiuĵaŭde. + いろはにほへと ちりぬるを わかよたれそ つねならむ うゐのおくやま けふこえて あさきゆめみし ゑひもせす + 다람쥐 헌 쳇바퀴에 타고파 + 中国智造,慧及全球 + ''; in + '' + machine.wait_for_x() + machine.succeed("gedit ${testText} >&2 &") + machine.wait_for_window(".* - gedit") + machine.sleep(10) + machine.screenshot("screen") + ''; +}) diff --git a/nixos/tests/plausible.nix b/nixos/tests/plausible.nix index 45e11f0270e..58c1dd5cf4a 100644 --- a/nixos/tests/plausible.nix +++ b/nixos/tests/plausible.nix @@ -8,6 +8,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { virtualisation.memorySize = 4096; services.plausible = { enable = true; + releaseCookiePath = "${pkgs.runCommand "cookie" { } '' + ${pkgs.openssl}/bin/openssl rand -base64 64 >"$out" + ''}"; adminUser = { email = "admin@example.org"; passwordFile = "${pkgs.writeText "pwd" "foobar"}"; diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index 036c037e426..323d79c5b86 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -672,7 +672,7 @@ let basicAuth.nextcloud-exporter = "snakeoilpw"; locations."/" = { root = "${pkgs.prometheus-nextcloud-exporter.src}/serverinfo/testdata"; - tryFiles = "/negative-space.xml =404"; + tryFiles = "/negative-space.json =404"; }; }; }; diff --git a/nixos/tests/retroarch.nix b/nixos/tests/retroarch.nix new file mode 100644 index 00000000000..4c96f9eabc8 --- /dev/null +++ b/nixos/tests/retroarch.nix @@ -0,0 +1,49 @@ +import ./make-test-python.nix ({ pkgs, ... }: + + { + name = "retroarch"; + meta = with pkgs.lib.maintainers; { maintainers = [ j0hax ]; }; + + machine = { ... }: + + { + imports = [ ./common/user-account.nix ]; + services.xserver.enable = true; + services.xserver.desktopManager.retroarch = { + enable = true; + package = pkgs.retroarchFull; + }; + services.xserver.displayManager = { + sddm.enable = true; + defaultSession = "RetroArch"; + autoLogin = { + enable = true; + user = "alice"; + }; + }; + }; + + testScript = { nodes, ... }: + let + user = nodes.machine.config.users.users.alice; + xdo = "${pkgs.xdotool}/bin/xdotool"; + in '' + with subtest("Wait for login"): + start_all() + machine.wait_for_file("${user.home}/.Xauthority") + machine.succeed("xauth merge ${user.home}/.Xauthority") + + with subtest("Check RetroArch started"): + machine.wait_until_succeeds("pgrep retroarch") + machine.wait_for_window("^RetroArch ") + + with subtest("Check configuration created"): + machine.wait_for_file("${user.home}/.config/retroarch/retroarch.cfg") + + with subtest("Wait to get a screenshot"): + machine.execute( + "${xdo} key Alt+F1 sleep 10" + ) + machine.screenshot("screen") + ''; + }) diff --git a/nixos/tests/sourcehut.nix b/nixos/tests/sourcehut.nix index d1536c59322..55757e35f9b 100644 --- a/nixos/tests/sourcehut.nix +++ b/nixos/tests/sourcehut.nix @@ -125,13 +125,18 @@ in virtualisation.memorySize = 2 * 1024; networking.domain = domain; networking.extraHosts = '' - ${config.networking.primaryIPAddress} meta.${domain} ${config.networking.primaryIPAddress} builds.${domain} + ${config.networking.primaryIPAddress} git.${domain} + ${config.networking.primaryIPAddress} meta.${domain} ''; services.sourcehut = { enable = true; - services = [ "meta" "builds" ]; + services = [ + "builds" + "git" + "meta" + ]; nginx.enable = true; nginx.virtualHost = { forceSSL = true; @@ -148,6 +153,8 @@ in #enableWorker = true; inherit images; }; + git.enable = true; + settings."sr.ht" = { global-domain = config.networking.domain; service-key = pkgs.writeText "service-key" "8b327279b77e32a3620e2fc9aabce491cc46e7d821fd6713b2a2e650ce114d01"; @@ -157,6 +164,10 @@ in oauth-client-secret = pkgs.writeText "buildsrht-oauth-client-secret" "2260e9c4d9b8dcedcef642860e0504bc"; oauth-client-id = "299db9f9c2013170"; }; + settings."git.sr.ht" = { + oauth-client-secret = pkgs.writeText "gitsrht-oauth-client-secret" "3597288dc2c716e567db5384f493b09d"; + oauth-client-id = "d07cb713d920702e"; + }; settings.webhooks.private-key = pkgs.writeText "webhook-key" "Ra3IjxgFiwG9jxgp4WALQIZw/BMYt30xWiOsqD0J7EA="; }; @@ -193,5 +204,9 @@ in machine.wait_for_open_port(5002) machine.succeed("curl -sL http://localhost:5002 | grep builds.${domain}") #machine.wait_for_unit("buildsrht-worker.service") + + # Testing gitsrht + machine.wait_for_unit("gitsrht.service") + machine.succeed("curl -sL http://git.${domain} | grep git.${domain}") ''; }) diff --git a/nixos/tests/ssh-keys.nix b/nixos/tests/ssh-keys.nix index 07d422196ef..df9ff38a3b2 100644 --- a/nixos/tests/ssh-keys.nix +++ b/nixos/tests/ssh-keys.nix @@ -10,6 +10,6 @@ pkgs: snakeOilPublicKey = pkgs.lib.concatStrings [ "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA" "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa" - "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= sakeoil" + "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= snakeoil" ]; } diff --git a/nixos/tests/sudo.nix b/nixos/tests/sudo.nix index ae9362ca70d..661fe9989e7 100644 --- a/nixos/tests/sudo.nix +++ b/nixos/tests/sudo.nix @@ -28,6 +28,10 @@ in enable = true; wheelNeedsPassword = false; + extraConfig = '' + Defaults lecture="never" + ''; + extraRules = [ # SUDOERS SYNTAX CHECK (Test whether the module produces a valid output; # errors being detected by the visudo checks. diff --git a/nixos/tests/sway.nix b/nixos/tests/sway.nix index 43b8c847304..1e9e146c4b6 100644 --- a/nixos/tests/sway.nix +++ b/nixos/tests/sway.nix @@ -1,6 +1,4 @@ -import ./make-test-python.nix ({ pkgs, lib, ... }: - -{ +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "sway"; meta = { maintainers = with lib.maintainers; [ primeos synthetica ]; @@ -70,6 +68,14 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: enableOCR = true; testScript = { nodes, ... }: '' + import shlex + + def swaymsg(command: str, succeed=True): + with machine.nested(f"sending swaymsg {command!r}" + " (allowed to fail)" * (not succeed)): + (machine.succeed if succeed else machine.execute)( + f"su - alice -c {shlex.quote('swaymsg -- ' + command)}" + ) + start_all() machine.wait_for_unit("multi-user.target") @@ -81,9 +87,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: machine.wait_for_file("/tmp/sway-ipc.sock") # Test XWayland (foot does not support X): - machine.succeed( - "su - alice -c 'swaymsg exec WINIT_UNIX_BACKEND=x11 WAYLAND_DISPLAY=invalid alacritty'" - ) + swaymsg("exec WINIT_UNIX_BACKEND=x11 WAYLAND_DISPLAY=invalid alacritty") machine.wait_for_text("alice@machine") machine.send_chars("test-x11\n") machine.wait_for_file("/tmp/test-x11-exit-ok") @@ -107,9 +111,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: # Test gpg-agent starting pinentry-gnome3 via D-Bus (tests if # $WAYLAND_DISPLAY is correctly imported into the D-Bus user env): - machine.succeed( - "su - alice -c 'swaymsg -- exec gpg --no-tty --yes --quick-generate-key test'" - ) + swaymsg("exec gpg --no-tty --yes --quick-generate-key test") machine.wait_until_succeeds("pgrep --exact gpg") machine.wait_for_text("Passphrase") machine.screenshot("gpg_pinentry") @@ -121,8 +123,15 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: machine.wait_for_text("You pressed the exit shortcut.") machine.screenshot("sway_exit") + swaymsg("exec swaylock") + machine.wait_until_succeeds("pgrep -x swaylock") + machine.sleep(3) + machine.send_chars("${nodes.machine.config.users.users.alice.password}") + machine.send_key("ret") + machine.wait_until_fails("pgrep -x swaylock") + # Exit Sway and verify process exit status 0: - machine.succeed("su - alice -c 'swaymsg exit || true'") + swaymsg("exit", succeed=False) machine.wait_until_fails("pgrep -x sway") machine.wait_for_file("/tmp/sway-exit-ok") ''; diff --git a/nixos/tests/switch-test.nix b/nixos/tests/switch-test.nix index 8e425f0f877..4f297b6521d 100644 --- a/nixos/tests/switch-test.nix +++ b/nixos/tests/switch-test.nix @@ -18,6 +18,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { Type = "oneshot"; RemainAfterExit = true; ExecStart = "${pkgs.coreutils}/bin/true"; + ExecReload = "${pkgs.coreutils}/bin/true"; }; }; }; @@ -70,6 +71,97 @@ import ./make-test-python.nix ({ pkgs, ...} : { }; }; + simpleServiceWithExtraSection.configuration = { + imports = [ simpleServiceNostop.configuration ]; + systemd.packages = [ (pkgs.writeTextFile { + name = "systemd-extra-section"; + destination = "/etc/systemd/system/test.service"; + text = '' + [X-Test] + X-Test-Value=a + ''; + }) ]; + }; + + simpleServiceWithExtraSectionOtherName.configuration = { + imports = [ simpleServiceNostop.configuration ]; + systemd.packages = [ (pkgs.writeTextFile { + name = "systemd-extra-section"; + destination = "/etc/systemd/system/test.service"; + text = '' + [X-Test2] + X-Test-Value=a + ''; + }) ]; + }; + + simpleServiceWithInstallSection.configuration = { + imports = [ simpleServiceNostop.configuration ]; + systemd.packages = [ (pkgs.writeTextFile { + name = "systemd-extra-section"; + destination = "/etc/systemd/system/test.service"; + text = '' + [Install] + WantedBy=multi-user.target + ''; + }) ]; + }; + + simpleServiceWithExtraKey.configuration = { + imports = [ simpleServiceNostop.configuration ]; + systemd.services.test.serviceConfig."X-Test" = "test"; + }; + + simpleServiceWithExtraKeyOtherValue.configuration = { + imports = [ simpleServiceNostop.configuration ]; + systemd.services.test.serviceConfig."X-Test" = "test2"; + }; + + simpleServiceWithExtraKeyOtherName.configuration = { + imports = [ simpleServiceNostop.configuration ]; + systemd.services.test.serviceConfig."X-Test2" = "test"; + }; + + simpleServiceReloadTrigger.configuration = { + imports = [ simpleServiceNostop.configuration ]; + systemd.services.test.reloadTriggers = [ "/dev/null" ]; + }; + + simpleServiceReloadTriggerModified.configuration = { + imports = [ simpleServiceNostop.configuration ]; + systemd.services.test.reloadTriggers = [ "/dev/zero" ]; + }; + + simpleServiceReloadTriggerModifiedAndSomethingElse.configuration = { + imports = [ simpleServiceNostop.configuration ]; + systemd.services.test = { + reloadTriggers = [ "/dev/zero" ]; + serviceConfig."X-Test" = "test"; + }; + }; + + simpleServiceReloadTriggerModifiedSomethingElse.configuration = { + imports = [ simpleServiceNostop.configuration ]; + systemd.services.test.serviceConfig."X-Test" = "test"; + }; + + unitWithBackslash.configuration = { + systemd.services."escaped\\x2ddash" = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "${pkgs.coreutils}/bin/true"; + ExecReload = "${pkgs.coreutils}/bin/true"; + }; + }; + }; + + unitWithBackslashModified.configuration = { + imports = [ unitWithBackslash.configuration ]; + systemd.services."escaped\\x2ddash".serviceConfig.X-Test = "test"; + }; + restart-and-reload-by-activation-script.configuration = { systemd.services = rec { simple-service = { @@ -93,6 +185,17 @@ import ./make-test-python.nix ({ pkgs, ...} : { no-restart-service = simple-service // { restartIfChanged = false; }; + + reload-triggers = simple-service // { + wantedBy = [ "multi-user.target" ]; + }; + + reload-triggers-and-restart-by-as = simple-service; + + reload-triggers-and-restart = simple-service // { + stopIfChanged = false; # easier to check for this + wantedBy = [ "multi-user.target" ]; + }; }; system.activationScripts.restart-and-reload-test = { @@ -101,19 +204,33 @@ import ./make-test-python.nix ({ pkgs, ...} : { text = '' if [ "$NIXOS_ACTION" = dry-activate ]; then f=/run/nixos/dry-activation-restart-list + g=/run/nixos/dry-activation-reload-list else f=/run/nixos/activation-restart-list + g=/run/nixos/activation-reload-list fi cat <<EOF >> "$f" simple-service.service simple-restart-service.service simple-reload-service.service no-restart-service.service + reload-triggers-and-restart-by-as.service + EOF + + cat <<EOF >> "$g" + reload-triggers.service + reload-triggers-and-restart-by-as.service + reload-triggers-and-restart.service EOF ''; }; }; + restart-and-reload-by-activation-script-modified.configuration = { + imports = [ restart-and-reload-by-activation-script.configuration ]; + systemd.services.reload-triggers-and-restart.serviceConfig.X-Modified = "test"; + }; + mount.configuration = { systemd.mounts = [ { @@ -241,6 +358,8 @@ import ./make-test-python.nix ({ pkgs, ...} : { raise Exception(f"Unexpected string '{needle}' was found") + machine.wait_for_unit("multi-user.target") + machine.succeed( "${stderrRunner} ${originalSystem}/bin/switch-to-configuration test" ) @@ -331,6 +450,25 @@ import ./make-test-python.nix ({ pkgs, ...} : { assert_lacks(out, "as well:") assert_contains(out, "would start the following units: test.service\n") + # Ensure \ works in unit names + out = switch_to_specialisation("${machine}", "unitWithBackslash") + assert_contains(out, "stopping the following units: test.service\n") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_lacks(out, "\nrestarting the following units:") + assert_lacks(out, "\nstarting the following units:") + assert_contains(out, "the following new units were started: escaped\\x2ddash.service\n") + assert_lacks(out, "as well:") + + out = switch_to_specialisation("${machine}", "unitWithBackslashModified") + assert_contains(out, "stopping the following units: escaped\\x2ddash.service\n") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_lacks(out, "\nrestarting the following units:") + assert_contains(out, "\nstarting the following units: escaped\\x2ddash.service\n") + assert_lacks(out, "the following new units were started:") + assert_lacks(out, "as well:") + with subtest("failing units"): # Let the simple service fail switch_to_specialisation("${machine}", "simpleServiceModified") @@ -379,6 +517,130 @@ import ./make-test-python.nix ({ pkgs, ...} : { assert_contains(out, "Main PID:") # output of systemctl assert_lacks(out, "as well:") + with subtest("unit file parser"): + # Switch to a well-known state + switch_to_specialisation("${machine}", "simpleServiceNostop") + + # Add a section + out = switch_to_specialisation("${machine}", "simpleServiceWithExtraSection") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_contains(out, "\nrestarting the following units: test.service\n") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + assert_lacks(out, "as well:") + + # Rename it + out = switch_to_specialisation("${machine}", "simpleServiceWithExtraSectionOtherName") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_contains(out, "\nrestarting the following units: test.service\n") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + assert_lacks(out, "as well:") + + # Remove it + out = switch_to_specialisation("${machine}", "simpleServiceNostop") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_contains(out, "\nrestarting the following units: test.service\n") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + assert_lacks(out, "as well:") + + # [Install] section is ignored + out = switch_to_specialisation("${machine}", "simpleServiceWithInstallSection") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_lacks(out, "\nrestarting the following units:") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + assert_lacks(out, "as well:") + + # Add a key + out = switch_to_specialisation("${machine}", "simpleServiceWithExtraKey") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_contains(out, "\nrestarting the following units: test.service\n") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + assert_lacks(out, "as well:") + + # Change its value + out = switch_to_specialisation("${machine}", "simpleServiceWithExtraKeyOtherValue") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_contains(out, "\nrestarting the following units: test.service\n") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + assert_lacks(out, "as well:") + + # Rename it + out = switch_to_specialisation("${machine}", "simpleServiceWithExtraKeyOtherName") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_contains(out, "\nrestarting the following units: test.service\n") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + assert_lacks(out, "as well:") + + # Remove it + out = switch_to_specialisation("${machine}", "simpleServiceNostop") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_contains(out, "\nrestarting the following units: test.service\n") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + assert_lacks(out, "as well:") + + # Add a reload trigger + out = switch_to_specialisation("${machine}", "simpleServiceReloadTrigger") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_contains(out, "reloading the following units: test.service\n") + assert_lacks(out, "\nrestarting the following units:") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + assert_lacks(out, "as well:") + + # Modify the reload trigger + out = switch_to_specialisation("${machine}", "simpleServiceReloadTriggerModified") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_contains(out, "reloading the following units: test.service\n") + assert_lacks(out, "\nrestarting the following units:") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + assert_lacks(out, "as well:") + + # Modify the reload trigger and something else + out = switch_to_specialisation("${machine}", "simpleServiceReloadTriggerModifiedAndSomethingElse") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_contains(out, "\nrestarting the following units: test.service\n") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + assert_lacks(out, "as well:") + + # Remove the reload trigger + out = switch_to_specialisation("${machine}", "simpleServiceReloadTriggerModifiedSomethingElse") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_lacks(out, "\nrestarting the following units:") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + assert_lacks(out, "as well:") + with subtest("restart and reload by activation script"): switch_to_specialisation("${machine}", "simpleServiceNorestart") out = switch_to_specialisation("${machine}", "restart-and-reload-by-activation-script") @@ -386,23 +648,32 @@ import ./make-test-python.nix ({ pkgs, ...} : { assert_lacks(out, "NOT restarting the following changed units:") assert_lacks(out, "reloading the following units:") assert_lacks(out, "restarting the following units:") - assert_contains(out, "\nstarting the following units: no-restart-service.service, simple-reload-service.service, simple-restart-service.service, simple-service.service\n") + assert_contains(out, "\nstarting the following units: no-restart-service.service, reload-triggers-and-restart-by-as.service, simple-reload-service.service, simple-restart-service.service, simple-service.service\n") assert_lacks(out, "as well:") # Switch to the same system where the example services get restarted - # by the activation script + # and reloaded by the activation script out = switch_to_specialisation("${machine}", "restart-and-reload-by-activation-script") assert_lacks(out, "stopping the following units:") assert_lacks(out, "NOT restarting the following changed units:") - assert_contains(out, "reloading the following units: simple-reload-service.service\n") - assert_contains(out, "restarting the following units: simple-restart-service.service, simple-service.service\n") + assert_contains(out, "reloading the following units: reload-triggers-and-restart.service, reload-triggers.service, simple-reload-service.service\n") + assert_contains(out, "restarting the following units: reload-triggers-and-restart-by-as.service, simple-restart-service.service, simple-service.service\n") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "as well:") + # Switch to the same system and see if the service gets restarted when it's modified + # while the fact that it's supposed to be reloaded by the activation script is ignored. + out = switch_to_specialisation("${machine}", "restart-and-reload-by-activation-script-modified") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_contains(out, "reloading the following units: reload-triggers.service, simple-reload-service.service\n") + assert_contains(out, "restarting the following units: reload-triggers-and-restart-by-as.service, reload-triggers-and-restart.service, simple-restart-service.service, simple-service.service\n") assert_lacks(out, "\nstarting the following units:") assert_lacks(out, "as well:") # The same, but in dry mode out = switch_to_specialisation("${machine}", "restart-and-reload-by-activation-script", action="dry-activate") assert_lacks(out, "would stop the following units:") assert_lacks(out, "would NOT stop the following changed units:") - assert_contains(out, "would reload the following units: simple-reload-service.service\n") - assert_contains(out, "would restart the following units: simple-restart-service.service, simple-service.service\n") + assert_contains(out, "would reload the following units: reload-triggers.service, simple-reload-service.service\n") + assert_contains(out, "would restart the following units: reload-triggers-and-restart-by-as.service, reload-triggers-and-restart.service, simple-restart-service.service, simple-service.service\n") assert_lacks(out, "\nwould start the following units:") assert_lacks(out, "as well:") diff --git a/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix b/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix index 68836c73072..37a89fc21e4 100644 --- a/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix +++ b/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix @@ -36,19 +36,10 @@ import ./make-test-python.nix ({pkgs, ...}: { }; # Since we want to program the routes that we delegate to the "customer" - # into our routing table we must have a way to gain the required privs. - # This security wrapper will do in our test setup. - # - # DO NOT COPY THIS TO PRODUCTION AS IS. Think about it at least twice. - # Everyone on the "isp" machine will be able to add routes to the kernel. - security.wrappers.add-dhcpd-lease = { - owner = "root"; - group = "root"; - source = pkgs.writeShellScript "add-dhcpd-lease" '' - exec ${pkgs.iproute2}/bin/ip -6 route replace "$1" via "$2" - ''; - capabilities = "cap_net_admin+ep"; - }; + # into our routing table we must give dhcpd the required privs. + systemd.services.dhcpd6.serviceConfig.AmbientCapabilities = + [ "CAP_NET_ADMIN" ]; + services = { # Configure the DHCPv6 server # @@ -80,7 +71,7 @@ import ./make-test-python.nix ({pkgs, ...}: { set Prefix = pick-first-value(binary-to-ascii(16, 16, ":", suffix(option dhcp6.ia-pd, 16)), "n/a"); set PrefixLength = pick-first-value(binary-to-ascii(10, 8, ":", substring(suffix(option dhcp6.ia-pd, 17), 0, 1)), "n/a"); log(concat(IP, " ", Prefix, " ", PrefixLength)); - execute("/run/wrappers/bin/add-dhcpd-lease", concat(Prefix,"/",PrefixLength), IP); + execute("${pkgs.iproute2}/bin/ip", "-6", "route", "replace", concat(Prefix,"/",PrefixLength), "via", IP); } ''; }; diff --git a/nixos/tests/unifi.nix b/nixos/tests/unifi.nix index 34284811abf..9dc7e5d04bd 100644 --- a/nixos/tests/unifi.nix +++ b/nixos/tests/unifi.nix @@ -12,7 +12,7 @@ let makeAppTest = unifi: makeTest { name = "unifi-controller-${unifi.version}"; meta = with pkgs.lib.maintainers; { - maintainers = [ zhaofengli ]; + maintainers = [ patryk27 zhaofengli ]; }; nodes.server = { @@ -32,4 +32,5 @@ in with pkgs; { unifiLTS = makeAppTest unifiLTS; unifi5 = makeAppTest unifi5; unifi6 = makeAppTest unifi6; + unifi7 = makeAppTest unifi7; } diff --git a/nixos/tests/web-servers/agate.nix b/nixos/tests/web-servers/agate.nix new file mode 100644 index 00000000000..e364e134cfd --- /dev/null +++ b/nixos/tests/web-servers/agate.nix @@ -0,0 +1,29 @@ +import ../make-test-python.nix ( + { pkgs, lib, ... }: + { + name = "agate"; + meta = with lib.maintainers; { maintainers = [ jk ]; }; + + nodes = { + geminiserver = { pkgs, ... }: { + services.agate = { + enable = true; + hostnames = [ "localhost" ]; + contentDir = pkgs.writeTextDir "index.gmi" '' + # Hello NixOS! + ''; + }; + }; + }; + + testScript = { nodes, ... }: '' + geminiserver.wait_for_unit("agate") + geminiserver.wait_for_open_port(1965) + + with subtest("check is serving over gemini"): + response = geminiserver.succeed("${pkgs.gmni}/bin/gmni -j once -i -N gemini://localhost:1965") + print(response) + assert "Hello NixOS!" in response + ''; + } +) diff --git a/nixos/tests/wine.nix b/nixos/tests/wine.nix index 18ad759b551..cc449864c76 100644 --- a/nixos/tests/wine.nix +++ b/nixos/tests/wine.nix @@ -17,7 +17,7 @@ let machine = { pkgs, ... }: { environment.systemPackages = [ pkgs."${packageSet}"."${variant}" ]; - virtualisation.diskSize = "800"; + virtualisation.diskSize = 800; }; testScript = '' diff --git a/nixos/tests/wpa_supplicant.nix b/nixos/tests/wpa_supplicant.nix index 1d669d5016a..40d934b8e1d 100644 --- a/nixos/tests/wpa_supplicant.nix +++ b/nixos/tests/wpa_supplicant.nix @@ -27,8 +27,19 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: enable = lib.mkOverride 0 true; userControlled.enable = true; interfaces = [ "wlan1" ]; + fallbackToWPA2 = true; networks = { + # test WPA2 fallback + mixed-wpa = { + psk = "password"; + authProtocols = [ "WPA-PSK" "SAE" ]; + }; + sae-only = { + psk = "password"; + authProtocols = [ "SAE" ]; + }; + # test network nixos-test.psk = "@PSK_NIXOS_TEST@"; @@ -64,8 +75,12 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: machine.succeed(f"grep -q @PSK_MISSING@ {config_file}") machine.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}") - # save file for manual inspection - machine.copy_from_vm(config_file) + with subtest("WPA2 fallbacks have been generated"): + assert int(machine.succeed(f"grep -c sae-only {config_file}")) == 1 + assert int(machine.succeed(f"grep -c mixed-wpa {config_file}")) == 2 + + # save file for manual inspection + machine.copy_from_vm(config_file) with subtest("Daemon is running and accepting connections"): machine.wait_for_unit("wpa_supplicant-wlan1.service") diff --git a/nixos/tests/xxh.nix b/nixos/tests/xxh.nix new file mode 100644 index 00000000000..3af8e53779e --- /dev/null +++ b/nixos/tests/xxh.nix @@ -0,0 +1,67 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: + + let + inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey; + xxh-shell-zsh = pkgs.stdenv.mkDerivation { + pname = "xxh-shell-zsh"; + version = ""; + src = pkgs.fetchFromGitHub { + owner = "xxh"; + repo = "xxh-shell-zsh"; + # gets rarely updated, we can then just replace the hash + rev = "91e1f84f8d6e0852c3235d4813f341230cac439f"; + sha256 = "sha256-Y1FrIRxTd0yooK+ZzKcCd6bLSy5E2fRXYAzrIsm7rIc="; + }; + + postPatch = '' + substituteInPlace build.sh \ + --replace "echo Install wget or curl" "cp ${zsh-portable-binary} zsh-5.8-linux-x86_64.tar.gz" \ + --replace "command -v curl" "command -v this-should-not-trigger" + ''; + + installPhase = '' + mkdir -p $out + mv * $out/ + ''; + }; + + zsh-portable-binary = pkgs.fetchurl { + # kept in sync with https://github.com/xxh/xxh-shell-zsh/tree/master/build.sh#L27 + url = "https://github.com/romkatv/zsh-bin/releases/download/v3.0.1/zsh-5.8-linux-x86_64.tar.gz"; + sha256 = "sha256-i8flMd2Isc0uLoeYQNDnOGb/kK3oTFVqQgIx7aOAIIo="; + }; + in + { + name = "xxh"; + meta = with lib.maintainers; { + maintainers = [ lom ]; + }; + + nodes = { + server = { ... }: { + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; + }; + + client = { ... }: { + programs.zsh.enable = true; + users.users.root.shell = pkgs.zsh; + environment.systemPackages = with pkgs; [ xxh git ]; + }; + }; + + testScript = '' + start_all() + + client.succeed("mkdir -m 700 /root/.ssh") + + client.succeed( + "cat ${snakeOilPrivateKey} > /root/.ssh/id_ecdsa" + ) + client.succeed("chmod 600 /root/.ssh/id_ecdsa") + + server.wait_for_unit("sshd") + + client.succeed("xxh server -i /root/.ssh/id_ecdsa +hc \'echo $0\' +i +s zsh +I xxh-shell-zsh+path+${xxh-shell-zsh} | grep -Fq '/root/.xxh/.xxh/shells/xxh-shell-zsh/build/zsh-bin/bin/zsh'") + ''; + }) |