Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/configuration/config-file.section.md2
-rw-r--r--nixos/doc/manual/from_md/configuration/config-file.section.xml2
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2305.section.xml74
-rw-r--r--nixos/doc/manual/release-notes/rl-2305.section.md19
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/programs/qdmr.nix25
-rw-r--r--nixos/modules/services/audio/hqplayerd.nix3
-rw-r--r--nixos/modules/services/desktops/pipewire/daemon/client-rt.conf.json17
-rw-r--r--nixos/modules/services/desktops/pipewire/daemon/jack.conf.json12
-rw-r--r--nixos/modules/services/hardware/bluetooth.nix27
-rw-r--r--nixos/modules/services/hardware/throttled.nix2
-rw-r--r--nixos/modules/services/misc/paperless.nix21
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters.nix1
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/shelly.nix27
-rw-r--r--nixos/modules/services/network-filesystems/kubo.nix57
-rw-r--r--nixos/modules/services/networking/avahi-daemon.nix1
-rw-r--r--nixos/modules/services/networking/multipath.nix1
-rw-r--r--nixos/modules/services/networking/ntp/chrony.nix4
-rw-r--r--nixos/modules/services/networking/openconnect.nix1
-rw-r--r--nixos/modules/services/torrent/rtorrent.nix11
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix22
-rw-r--r--nixos/modules/services/x11/desktop-managers/plasma5.nix1
-rw-r--r--nixos/modules/system/boot/plymouth.nix3
-rw-r--r--nixos/modules/system/boot/systemd/coredump.nix16
-rw-r--r--nixos/modules/virtualisation/amazon-options.nix4
-rw-r--r--nixos/modules/virtualisation/openstack-options.nix4
-rw-r--r--nixos/tests/all-tests.nix1
-rw-r--r--nixos/tests/apfs.nix8
-rw-r--r--nixos/tests/chrony-ptp.nix28
-rw-r--r--nixos/tests/grafana/provision/default.nix12
-rw-r--r--nixos/tests/prometheus-exporters.nix14
31 files changed, 371 insertions, 50 deletions
diff --git a/nixos/doc/manual/configuration/config-file.section.md b/nixos/doc/manual/configuration/config-file.section.md
index efd231fd1f4..b010026c582 100644
--- a/nixos/doc/manual/configuration/config-file.section.md
+++ b/nixos/doc/manual/configuration/config-file.section.md
@@ -170,6 +170,6 @@ Packages
     ```
 
     The latter option definition changes the default PostgreSQL package
-    used by NixOS's PostgreSQL service to 10.x. For more information on
+    used by NixOS's PostgreSQL service to 14.x. For more information on
     packages, including how to add new ones, see
     [](#sec-custom-packages).
diff --git a/nixos/doc/manual/from_md/configuration/config-file.section.xml b/nixos/doc/manual/from_md/configuration/config-file.section.xml
index f6c8f70cffc..da5419cde4d 100644
--- a/nixos/doc/manual/from_md/configuration/config-file.section.xml
+++ b/nixos/doc/manual/from_md/configuration/config-file.section.xml
@@ -221,7 +221,7 @@ services.postgresql.package = pkgs.postgresql_14;
 </programlisting>
         <para>
           The latter option definition changes the default PostgreSQL
-          package used by NixOS’s PostgreSQL service to 10.x. For more
+          package used by NixOS’s PostgreSQL service to 14.x. For more
           information on packages, including how to add new ones, see
           <xref linkend="sec-custom-packages" />.
         </para>
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
index 2ce4ce189cb..5f9d67b5e7d 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@@ -115,6 +115,14 @@
       </listitem>
       <listitem>
         <para>
+          <link xlink:href="https://dm3mat.darc.de/qdmr/">QDMR</link>, a
+          gui application and command line tool for programming cheap
+          DMR radios
+          <link linkend="opt-programs.qdmr.enable">programs.qdmr</link>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           <link xlink:href="https://v2raya.org">v2rayA</link>, a Linux
           web GUI client of Project V which supports V2Ray, Xray, SS,
           SSR, Trojan and Pingtunnel. Available as
@@ -211,6 +219,18 @@
       </listitem>
       <listitem>
         <para>
+          The <literal>services.kubo.settings</literal> option is now no
+          longer stateful. If you changed any of the options in
+          <literal>services.kubo.settings</literal> in the past and then
+          removed them from your NixOS configuration again, those
+          changes are still in your Kubo configuration file but will now
+          be reset to the default. If you’re unsure, you may want to
+          make a backup of your configuration file (probably
+          /var/lib/ipfs/config) and compare after the update.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           The EC2 image module no longer fetches instance metadata in
           stage-1. This results in a significantly smaller initramfs,
           since network drivers no longer need to be included, and
@@ -353,6 +373,12 @@
       </listitem>
       <listitem>
         <para>
+          Calling <literal>makeSetupHook</literal> without passing a
+          <literal>name</literal> argument is deprecated.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           Qt 5.12 and 5.14 have been removed, as the corresponding
           branches have been EOL upstream for a long time. This affected
           under 10 packages in nixpkgs, largely unmaintained upstream as
@@ -413,6 +439,17 @@
           https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core
         </para>
       </listitem>
+      <listitem>
+        <para>
+          The iputils package, which is installed by default, no longer
+          provides the <literal>ninfod</literal>,
+          <literal>rarpd</literal> and <literal>rdisc</literal> tools.
+          See
+          <link xlink:href="https://github.com/iputils/iputils/releases/tag/20221126">upstream’s
+          release notes</link> for more details and available
+          replacements.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-23.05-notable-changes">
@@ -682,6 +719,36 @@
       </listitem>
       <listitem>
         <para>
+          Updated recommended settings in
+          <literal>services.nginx.recommendedGzipSettings</literal>:
+        </para>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              Enables gzip compression for only certain proxied
+              requests.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              Allow checking and loading of precompressed files.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              Updated gzip mime-types.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              Increased the minimum length of a response that will be
+              gzipped.
+            </para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+      <listitem>
+        <para>
           <link xlink:href="https://garagehq.deuxfleurs.fr/">Garage</link>
           version is based on
           <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>,
@@ -704,6 +771,13 @@
       </listitem>
       <listitem>
         <para>
+          <literal>services.nginx.recommendedProxySettings</literal> now
+          removes the <literal>Connection</literal> header preventing
+          clients from closing backend connections.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           Resilio sync secret keys can now be provided using a secrets
           file at runtime, preventing these secrets from ending up in
           the Nix store.
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 148b317ba28..b19bf5d402a 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -38,6 +38,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [mmsd](https://gitlab.com/kop316/mmsd), a lower level daemon that transmits and recieves MMSes. Available as [services.mmsd](#opt-services.mmsd.enable).
 
+- [QDMR](https://dm3mat.darc.de/qdmr/), a gui application and command line tool for programming cheap DMR radios [programs.qdmr](#opt-programs.qdmr.enable)
+
 - [v2rayA](https://v2raya.org), a Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel. Available as [services.v2raya](options.html#opt-services.v2raya.enable).
 
 - [ulogd](https://www.netfilter.org/projects/ulogd/index.html), a userspace logging daemon for netfilter/iptables related logging. Available as [services.ulogd](options.html#opt-services.ulogd.enable).
@@ -60,6 +62,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - `git-bug` has been updated to at least version 0.8.0, which includes backwards incompatible changes. The `git-bug-migration` package can be used to upgrade existing repositories.
 
+- The `services.kubo.settings` option is now no longer stateful. If you changed any of the options in `services.kubo.settings` in the past and then removed them from your NixOS configuration again, those changes are still in your Kubo configuration file but will now be reset to the default. If you're unsure, you may want to make a backup of your configuration file (probably /var/lib/ipfs/config) and compare after the update.
+
 - The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services.
   This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from `/etc/ec2-metadata` should now have an `after` dependency on `fetch-ec2-metadata.service`
 
@@ -87,6 +91,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.
 
+- Calling `makeSetupHook` without passing a `name` argument is deprecated.
+
 - Qt 5.12 and 5.14 have been removed, as the corresponding branches have been EOL upstream for a long time. This affected under 10 packages in nixpkgs, largely unmaintained upstream as well, however, out-of-tree package expressions may need to be updated manually.
 
 - The [services.wordpress.sites.&lt;name&gt;.plugins](#opt-services.wordpress.sites._name_.plugins) and [services.wordpress.sites.&lt;name&gt;.themes](#opt-services.wordpress.sites._name_.themes) options have been converted from sets to attribute sets to allow for consumers to specify explicit install paths via attribute name.
@@ -101,6 +107,11 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - .NET 5.0 was removed due to being end-of-life, use a newer, supported .NET version - https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core
 
+- The iputils package, which is installed by default, no longer provides the
+  `ninfod`, `rarpd` and `rdisc` tools. See
+  [upstream's release notes](https://github.com/iputils/iputils/releases/tag/20221126)
+  for more details and available replacements.
+
 ## Other Notable Changes {#sec-release-23.05-notable-changes}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -172,10 +183,18 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - A new option `recommendedBrotliSettings` has been added to `services.nginx`. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md).
 
+- Updated recommended settings in `services.nginx.recommendedGzipSettings`:
+  - Enables gzip compression for only certain proxied requests.
+  - Allow checking and loading of precompressed files.
+  - Updated gzip mime-types.
+  - Increased the minimum length of a response that will be gzipped.
+
 - [Garage](https://garagehq.deuxfleurs.fr/) version is based on [system.stateVersion](options.html#opt-system.stateVersion), existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow [upstream instructions](https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/) and force [services.garage.package](options.html#opt-services.garage.package) or upgrade accordingly [system.stateVersion](options.html#opt-system.stateVersion).
 
 - `hip` has been separated into `hip`, `hip-common` and `hipcc`.
 
+- `services.nginx.recommendedProxySettings` now removes the `Connection` header preventing clients from closing backend connections.
+
 - Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.
 
 - The `firewall` and `nat` module now has a nftables based implementation. Enable `networking.nftables` to use it.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 5e520c8308c..82eec40ecf1 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -214,6 +214,7 @@
   ./programs/partition-manager.nix
   ./programs/plotinus.nix
   ./programs/proxychains.nix
+  ./programs/qdmr.nix
   ./programs/qt5ct.nix
   ./programs/rog-control-center.nix
   ./programs/rust-motd.nix
diff --git a/nixos/modules/programs/qdmr.nix b/nixos/modules/programs/qdmr.nix
new file mode 100644
index 00000000000..c0b1984eff9
--- /dev/null
+++ b/nixos/modules/programs/qdmr.nix
@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.programs.qdmr;
+in {
+  meta.maintainers = [ lib.maintainers.janik ];
+
+  options = {
+    programs.qdmr = {
+      enable = lib.mkEnableOption (lib.mdDoc "QDMR - a GUI application and command line tool for programming DMR radios");
+      package = lib.mkPackageOptionMD pkgs "qdmr" { };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+    services.udev.packages = [ cfg.package ];
+    users.groups.wireshark = {};
+  };
+}
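Review bot: `users.groups.wireshark = {};` at the end of the config block creates a group that has no visible relation to this module and carries no comment, so a reader cannot tell whether the qdmr udev rules grant radio access to that group or the line was carried over from another module. If the packaged udev rules do reference that group, say so and tell users what they must do, e.g. `# qdmr's udev rules grant device access to the "wireshark" group; add radio users to it -- confirm against the package's rules file` above the line, and mention the group requirement in the `enable` description. If they do not, the line should go, since it silently declares a system group that the wireshark module also declares.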
diff --git a/nixos/modules/services/audio/hqplayerd.nix b/nixos/modules/services/audio/hqplayerd.nix
index eff1549380c..d54400b18e3 100644
--- a/nixos/modules/services/audio/hqplayerd.nix
+++ b/nixos/modules/services/audio/hqplayerd.nix
@@ -82,7 +82,6 @@ in
       etc = {
         "hqplayer/hqplayerd.xml" = mkIf (cfg.config != null) { source = pkgs.writeText "hqplayerd.xml" cfg.config; };
         "hqplayer/hqplayerd4-key.xml" = mkIf (cfg.licenseFile != null) { source = cfg.licenseFile; };
-        "modules-load.d/taudio2.conf".source = "${pkg}/etc/modules-load.d/taudio2.conf";
       };
       systemPackages = [ pkg ];
     };
@@ -91,8 +90,6 @@ in
       allowedTCPPorts = [ 8088 4321 ];
     };
 
-    services.udev.packages = [ pkg ];
-
     systemd = {
       tmpfiles.rules = [
         "d ${configDir}      0755 hqplayer hqplayer - -"
diff --git a/nixos/modules/services/desktops/pipewire/daemon/client-rt.conf.json b/nixos/modules/services/desktops/pipewire/daemon/client-rt.conf.json
index 9aa51b61431..c204606193a 100644
--- a/nixos/modules/services/desktops/pipewire/daemon/client-rt.conf.json
+++ b/nixos/modules/services/desktops/pipewire/daemon/client-rt.conf.json
@@ -35,5 +35,20 @@
     }
   ],
   "filter.properties": {},
-  "stream.properties": {}
+  "stream.properties": {},
+  "alsa.properties": {},
+  "alsa.rules": [
+    {
+      "matches": [
+        {
+          "application.process.binary": "resolve"
+        }
+      ],
+      "actions": {
+        "update-props": {
+          "alsa.buffer-bytes": 131072
+        }
+      }
+    }
+  ]
 }
diff --git a/nixos/modules/services/desktops/pipewire/daemon/jack.conf.json b/nixos/modules/services/desktops/pipewire/daemon/jack.conf.json
index 4a173f73229..f2e396dd28d 100644
--- a/nixos/modules/services/desktops/pipewire/daemon/jack.conf.json
+++ b/nixos/modules/services/desktops/pipewire/daemon/jack.conf.json
@@ -58,6 +58,18 @@
           "node.passive": true
         }
       }
+    },
+    {
+      "matches": [
+        {
+          "client.name": "Mixxx"
+        }
+      ],
+      "actions": {
+        "update-props": {
+          "jack.merge-monitor": false
+        }
+      }
     }
   ]
 }
diff --git a/nixos/modules/services/hardware/bluetooth.nix b/nixos/modules/services/hardware/bluetooth.nix
index 6453e6968dc..2a58be51bb0 100644
--- a/nixos/modules/services/hardware/bluetooth.nix
+++ b/nixos/modules/services/hardware/bluetooth.nix
@@ -71,6 +71,29 @@ in
         };
         description = lib.mdDoc "Set configuration for system-wide bluetooth (/etc/bluetooth/main.conf).";
       };
+
+      input = mkOption {
+        type = cfgFmt.type;
+        default = { };
+        example = {
+          General = {
+            IdleTimeout = 30;
+            ClassicBondedOnly = true;
+          };
+        };
+        description = lib.mdDoc "Set configuration for the input service (/etc/bluetooth/input.conf).";
+      };
+
+      network = mkOption {
+        type = cfgFmt.type;
+        default = { };
+        example = {
+          General = {
+            DisableSecurity = true;
+          };
+        };
+        description = lib.mdDoc "Set configuration for the network service (/etc/bluetooth/network.conf).";
+      };
     };
   };
 
@@ -80,6 +103,10 @@ in
     environment.systemPackages = [ package ]
       ++ optional cfg.hsphfpd.enable pkgs.hsphfpd;
 
+    environment.etc."bluetooth/input.conf".source =
+      cfgFmt.generate "input.conf" cfg.input;
+    environment.etc."bluetooth/network.conf".source =
+      cfgFmt.generate "network.conf" cfg.network;
     environment.etc."bluetooth/main.conf".source =
       cfgFmt.generate "main.conf" (recursiveUpdate defaults cfg.settings);
     services.udev.packages = [ package ];
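Review bot: The `network` option declared in the preceding hunk uses `DisableSecurity = true` as its example, and that example is what `cfgFmt.generate "network.conf" cfg.network` here writes to /etc/bluetooth/network.conf, with no word on what the key does. In bluez's network.conf that key disables link encryption for the network (PAN) profile, so the example presents an insecure configuration as the canonical one; either pick a neutral example or extend the description, e.g. `description = lib.mdDoc "Set configuration for the network service (/etc/bluetooth/network.conf). DisableSecurity=true turns off link encryption for PAN connections.";`. Also, unlike `main.conf` two lines below, `input.conf` and `network.conf` are generated from the option value alone with no `defaults` merge -- presumably intended, but a one-line comment would save the next reader the question.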
diff --git a/nixos/modules/services/hardware/throttled.nix b/nixos/modules/services/hardware/throttled.nix
index 2d801a7e838..afca24d976e 100644
--- a/nixos/modules/services/hardware/throttled.nix
+++ b/nixos/modules/services/hardware/throttled.nix
@@ -20,7 +20,7 @@ in {
   config = mkIf cfg.enable {
     systemd.packages = [ pkgs.throttled ];
     # The upstream package has this in Install, but that's not enough, see the NixOS manual
-    systemd.services.lenovo_fix.wantedBy = [ "multi-user.target" ];
+    systemd.services.throttled.wantedBy = [ "multi-user.target" ];
 
     environment.etc."throttled.conf".source =
       if cfg.extraConfig != ""
diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix
index 1dddd147ac0..667f16d98f8 100644
--- a/nixos/modules/services/misc/paperless.nix
+++ b/nixos/modules/services/misc/paperless.nix
@@ -226,9 +226,26 @@ in
 
         # Auto-migrate on first run or if the package has changed
         versionFile="${cfg.dataDir}/src-version"
-        if [[ $(cat "$versionFile" 2>/dev/null) != ${pkg} ]]; then
+        version=$(cat "$versionFile" 2>/dev/null || echo 0)
+
+        if [[ $version != ${pkg.version} ]]; then
           ${pkg}/bin/paperless-ngx migrate
-          echo ${pkg} > "$versionFile"
+
+          # Parse old version string format for backwards compatibility
+          version=$(echo "$version" | grep -ohP '[^-]+$')
+
+          versionLessThan() {
+            target=$1
+            [[ $({ echo "$version"; echo "$target"; } | sort -V | head -1) != "$target" ]]
+          }
+
+          if versionLessThan 1.12.0; then
+            # Reindex documents as mentioned in https://github.com/paperless-ngx/paperless-ngx/releases/tag/v1.12.1
+            echo "Reindexing documents, to allow searching old comments. Required after the 1.12.x upgrade."
+            ${pkg}/bin/paperless-ngx document_index reindex
+          fi
+
+          echo ${pkg.version} > "$versionFile"
         fi
       ''
       + optionalString (cfg.passwordFile != null) ''
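Review bot: On a first run `version` is set to `0` by the `|| echo 0` fallback, so `versionLessThan 1.12.0` is true and `paperless-ngx document_index reindex` runs against a freshly migrated, empty database. Guarding on the fallback value avoids that: `if [[ $version != 0 ]] && versionLessThan 1.12.0; then`. Separately, `grep -ohP '[^-]+$'` exits non-zero when `$version` is empty (an existing but empty src-version file); if this script runs under `set -e`, as NixOS service scripts normally do, that aborts preStart, so a `[[ -n $version ]]` check before the grep, or `|| true` on that line, is needed. The enclosing preStart string starts outside the hunk.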
diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
index 23cac6793cc..fd40dce1410 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -64,6 +64,7 @@ let
     "rspamd"
     "rtl_433"
     "script"
+    "shelly"
     "snmp"
     "smartctl"
     "smokeping"
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/shelly.nix b/nixos/modules/services/monitoring/prometheus/exporters/shelly.nix
new file mode 100644
index 00000000000..b9cfd1b1e84
--- /dev/null
+++ b/nixos/modules/services/monitoring/prometheus/exporters/shelly.nix
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, options }:
+
+with lib;
+
+let
+  cfg = config.services.prometheus.exporters.shelly;
+in
+{
+  port = 9784;
+  extraOpts = {
+    metrics-file = mkOption {
+      type = types.path;
+      description = lib.mdDoc ''
+        Path to the JSON file with the metric definitions
+      '';
+    };
+  };
+  serviceOpts = {
+    serviceConfig = {
+      ExecStart = ''
+        ${pkgs.prometheus-shelly-exporter}/bin/shelly_exporter \
+          -metrics-file ${cfg.metrics-file} \
+          -listen-address ${cfg.listenAddress}:${toString cfg.port}
+      '';
+    };
+  };
+}
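Review bot: `${cfg.metrics-file}` on the `-metrics-file` line is spliced into ExecStart unquoted, and `types.path` also accepts absolute-path strings, so a path containing whitespace would be split into separate arguments by systemd; `-metrics-file ${escapeShellArg cfg.metrics-file} \` (with `with lib;` already in scope) avoids that. The `metrics-file` description also says nothing about the file's contents or that a Nix path literal given here is copied into the world-readable Nix store; a sentence such as 'Path to the JSON file with the metric definitions. A path literal is copied into the Nix store, so the file must not contain secrets.' would make the contract explicit.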
diff --git a/nixos/modules/services/network-filesystems/kubo.nix b/nixos/modules/services/network-filesystems/kubo.nix
index 13a062c3212..4d423c90598 100644
--- a/nixos/modules/services/network-filesystems/kubo.nix
+++ b/nixos/modules/services/network-filesystems/kubo.nix
@@ -5,6 +5,23 @@ let
 
   settingsFormat = pkgs.formats.json {};
 
+  rawDefaultConfig = lib.importJSON (pkgs.runCommand "kubo-default-config" {
+    nativeBuildInputs = [ cfg.package ];
+  } ''
+    export IPFS_PATH="$TMPDIR"
+    ipfs init --empty-repo --profile=${profile}
+    ipfs --offline config show > "$out"
+  '');
+
+  # Remove the PeerID (an attribute of "Identity") of the temporary Kubo repo.
+  # The "Pinning" section contains the "RemoteServices" section, which would prevent
+  # the daemon from starting as that setting can't be changed via ipfs config replace.
+  defaultConfig = builtins.removeAttrs rawDefaultConfig [ "Identity" "Pinning" ];
+
+  customizedConfig = lib.recursiveUpdate defaultConfig cfg.settings;
+
+  configFile = settingsFormat.generate "kubo-config.json" customizedConfig;
+
   kuboFlags = utils.escapeSystemdExecArgs (
     optional cfg.autoMount "--mount" ++
     optional cfg.enableGC "--enable-gc" ++
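Review bot: The `rawDefaultConfig` binding wraps `pkgs.runCommand` in `lib.importJSON`, which is import-from-derivation: evaluating any configuration that includes this module now has to build `cfg.package` and run `ipfs init` before evaluation can continue, which is slow and is rejected by evaluators that disable IFD. That is a deliberate trade-off and deserves a comment next to the binding, e.g. `# NOTE: import-from-derivation -- the default config is obtained by running the packaged ipfs at eval time`. The sandboxed `ipfs init` also generates a throwaway identity whose `Identity` attribute is stripped a few lines below; stating that in the same comment would clarify why the removal is safe.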
@@ -161,9 +178,9 @@ in
           };
         };
         description = lib.mdDoc ''
-          Attrset of daemon configuration to set using {command}`ipfs config`, every time the daemon starts.
+          Attrset of daemon configuration.
           See [https://github.com/ipfs/kubo/blob/master/docs/config.md](https://github.com/ipfs/kubo/blob/master/docs/config.md) for reference.
-          Keep in mind that this configuration is stateful; i.e., unsetting anything in here does not reset the value to the default!
+          You can't set `Identity` or `Pinning`.
         '';
         default = { };
         example = {
@@ -211,6 +228,21 @@ in
   ###### implementation
 
   config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = !builtins.hasAttr "Identity" cfg.settings;
+        message = ''
+          You can't set services.kubo.settings.Identity because the ``config replace`` subcommand used at startup does not support modifying any of the Identity settings.
+        '';
+      }
+      {
+        assertion = !((builtins.hasAttr "Pinning" cfg.settings) && (builtins.hasAttr "RemoteServices" cfg.settings.Pinning));
+        message = ''
+          You can't set services.kubo.settings.Pinning.RemoteServices because the ``config replace`` subcommand used at startup does not work with it.
+        '';
+      }
+    ];
+
     environment.systemPackages = [ cfg.package ];
     environment.variables.IPFS_PATH = cfg.dataDir;
 
@@ -262,21 +294,26 @@ in
 
       preStart = ''
         if [[ ! -f "$IPFS_PATH/config" ]]; then
-          ipfs init ${optionalString cfg.emptyRepo "-e"} --profile=${profile}
+          ipfs init ${optionalString cfg.emptyRepo "-e"}
         else
           # After an unclean shutdown this file may exist which will cause the config command to attempt to talk to the daemon. This will hang forever if systemd is holding our sockets open.
           rm -vf "$IPFS_PATH/api"
       '' + optionalString cfg.autoMigrate ''
         ${pkgs.kubo-migrator}/bin/fs-repo-migrations -to '${cfg.package.repoVersion}' -y
       '' + ''
-          ipfs --offline config profile apply ${profile} >/dev/null
         fi
-      '' + ''
-        ipfs --offline config show \
-          | ${pkgs.jq}/bin/jq '. * $settings' --argjson settings ${
-              escapeShellArg (builtins.toJSON cfg.settings)
-            } \
-          | ipfs --offline config replace -
+        ipfs --offline config show |
+          ${pkgs.jq}/bin/jq -s '.[0].Pinning as $Pinning | .[0].Identity as $Identity | .[1] + {$Identity,$Pinning}' - '${configFile}' |
+
+          # This command automatically injects the private key and other secrets from
+          # the old config file back into the new config file.
+          # Unfortunately, it doesn't keep the original `Identity.PeerID`,
+          # so we need `ipfs config show` and jq above.
+          # See https://github.com/ipfs/kubo/issues/8993 for progress on fixing this problem.
+          # Kubo also wants a specific version of the original "Pinning.RemoteServices"
+          # section (redacted by `ipfs config show`), such that that section doesn't
+          # change when the changes are applied. Whyyyyyy.....
+          ipfs --offline config replace -
       '';
       serviceConfig = {
         ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${kuboFlags}" ];
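Review bot: The jq filter `.[1] + {$Identity,$Pinning}` replaces the whole `Pinning` object of the generated config with the one read from the existing repo, so any `services.kubo.settings.Pinning.*` key other than `RemoteServices` passes the assertions added earlier in this diff but is silently discarded on every start. Either the assertion should reject `Pinning` as a whole, matching the new option description `You can't set Identity or Pinning` and the `removeAttrs ... [ "Identity" "Pinning" ]` in the let block, or the filter should carry over only `RemoteServices` from the old config. Keeping `Identity` out of the store-side `configFile` and re-injecting it from the state directory is the right split; a comment saying that the private key therefore never enters the Nix store would make the intent durable.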
diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix
index 28dd24f4e7c..103f73fdaa6 100644
--- a/nixos/modules/services/networking/avahi-daemon.nix
+++ b/nixos/modules/services/networking/avahi-daemon.nix
@@ -275,6 +275,7 @@ in
         BusName = "org.freedesktop.Avahi";
         Type = "dbus";
         ExecStart = "${pkgs.avahi}/sbin/avahi-daemon --syslog -f ${avahiDaemonConf}";
+        ConfigurationDirectory = "avahi/services";
       };
     };
 
diff --git a/nixos/modules/services/networking/multipath.nix b/nixos/modules/services/networking/multipath.nix
index 54ee2a01568..b20ec76ddf5 100644
--- a/nixos/modules/services/networking/multipath.nix
+++ b/nixos/modules/services/networking/multipath.nix
@@ -516,7 +516,6 @@ in {
         ${optionalString (!isNull defaults) ''
           defaults {
           ${indentLines 2 defaults}
-            multipath_dir ${cfg.package}/lib/multipath
           }
         ''}
         ${optionalString (!isNull blacklist) ''
diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix
index dc180d4a4f9..6c8d7b985d5 100644
--- a/nixos/modules/services/networking/ntp/chrony.nix
+++ b/nixos/modules/services/networking/ntp/chrony.nix
@@ -185,7 +185,7 @@ in
           ProtectSystem = "full";
           ProtectHome = true;
           PrivateTmp = true;
-          PrivateDevices = true;
+          PrivateDevices = false;
           PrivateUsers = false;
           ProtectHostname = true;
           ProtectClock = false;
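Review bot: `PrivateDevices = false` relaxes the unit's device sandbox for every chrony deployment without a comment saying why; given the new `chrony-ptp` test in the diffstat this is presumably needed for hardware-clock refclocks under /dev/ptp*, but a reader of this file cannot tell. Record the reason inline, e.g. `PrivateDevices = false; # chrony needs /dev/ptp* for hardware refclocks -- TODO confirm`, and consider whether the relaxation can be limited to configurations that actually declare such a refclock rather than applied unconditionally.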
@@ -203,7 +203,7 @@ in
           PrivateMounts = true;
           # System Call Filtering
           SystemCallArchitectures = "native";
-          SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources" "@clock" "@setuid" "capset" "chown" ];
+          SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources" "@clock" "@setuid" "capset" "chown" ] ++ lib.optional pkgs.stdenv.hostPlatform.isAarch64 "fchownat";
         };
       };
   };
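Review bot: The `lib.optional pkgs.stdenv.hostPlatform.isAarch64 "fchownat"` addition to `SystemCallFilter` widens the allow-list on one architecture with no explanation. As far as I can tell, aarch64 Linux has no legacy `chown` syscall and libc implements it via `fchownat`, so the existing `"chown"` entry does nothing there; record that: `# aarch64 has no chown(2); libc implements it with fchownat`. Keeping the entry architecture-scoped, as done here, is the right choice for an allow-list.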
diff --git a/nixos/modules/services/networking/openconnect.nix b/nixos/modules/services/networking/openconnect.nix
index 5a02bd07225..7f9006053b8 100644
--- a/nixos/modules/services/networking/openconnect.nix
+++ b/nixos/modules/services/networking/openconnect.nix
@@ -90,6 +90,7 @@ let
   generateConfig = name: icfg:
     pkgs.writeText "config" ''
       interface=${name}
+      ${optionalString (icfg.protocol != null) "protocol=${icfg.protocol}"}
       ${optionalString (icfg.user != null) "user=${icfg.user}"}
       ${optionalString (icfg.passwordFile != null) "passwd-on-stdin"}
       ${optionalString (icfg.certificate != null)
diff --git a/nixos/modules/services/torrent/rtorrent.nix b/nixos/modules/services/torrent/rtorrent.nix
index 627439e1079..64cda7fb675 100644
--- a/nixos/modules/services/torrent/rtorrent.nix
+++ b/nixos/modules/services/torrent/rtorrent.nix
@@ -19,6 +19,15 @@ in {
       '';
     };
 
+    dataPermissions = mkOption {
+      type = types.str;
+      default = "0750";
+      example = "0755";
+      description = lib.mdDoc ''
+        Unix Permissions in octal on the rtorrent directory.
+      '';
+    };
+
     downloadDir = mkOption {
       type = types.str;
       default = "${cfg.dataDir}/download";
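Review bot: `dataPermissions` is typed `types.str`, yet its value is spliced verbatim into a systemd-tmpfiles `d` rule in the later hunk, so a value with whitespace or a non-octal string corrupts the rule at runtime instead of failing at evaluation. `type = types.strMatching "[0-7]{3,4}";` constrains it to an octal mode while keeping the `"0750"` default valid. Since the `"0755"` example makes the data directory world-readable, the description should also state the scope: 'Unix permissions in octal on the rtorrent data directory. Only the directory mode is set; files created inside are not affected.'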
@@ -205,7 +214,7 @@ in {
         };
       };
 
-      tmpfiles.rules = [ "d '${cfg.dataDir}' 0750 ${cfg.user} ${cfg.group} -" ];
+      tmpfiles.rules = [ "d '${cfg.dataDir}' ${cfg.dataPermissions} ${cfg.user} ${cfg.group} -" ];
     };
   };
 }
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 2e3a4e79e2b..1837ec936c6 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -184,25 +184,17 @@ let
         brotli_window 512k;
         brotli_min_length 256;
         brotli_types ${lib.concatStringsSep " " compressMimeTypes};
-        brotli_buffers 32 8k;
       ''}
 
+      # https://docs.nginx.com/nginx/admin-guide/web-server/compression/
       ${optionalString cfg.recommendedGzipSettings ''
         gzip on;
-        gzip_proxied any;
-        gzip_comp_level 5;
-        gzip_types
-          application/atom+xml
-          application/javascript
-          application/json
-          application/xml
-          application/xml+rss
-          image/svg+xml
-          text/css
-          text/javascript
-          text/plain
-          text/xml;
+        gzip_static on;
         gzip_vary on;
+        gzip_comp_level 5;
+        gzip_min_length 256;
+        gzip_proxied expired no-cache no-store private auth;
+        gzip_types ${lib.concatStringsSep " " compressMimeTypes};
       ''}
 
       ${optionalString cfg.recommendedProxySettings ''
@@ -211,6 +203,8 @@ let
         proxy_send_timeout      ${cfg.proxyTimeout};
         proxy_read_timeout      ${cfg.proxyTimeout};
         proxy_http_version      1.1;
+        # don't let clients close the keep-alive connection to upstream
+        proxy_set_header        "Connection" "";
         include ${recommendedProxyConfig};
       ''}
 
diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix
index b295b9a109b..65b94f61c4a 100644
--- a/nixos/modules/services/x11/desktop-managers/plasma5.nix
+++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix
@@ -365,6 +365,7 @@ in
             pkgs.xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/
           ];
           optionalPackages = [
+            pkgs.aha # needed by kinfocenter for fwupd support
             plasma-browser-integration
             konsole
             oxygen
diff --git a/nixos/modules/system/boot/plymouth.nix b/nixos/modules/system/boot/plymouth.nix
index 9b6472fea42..a1ab7093857 100644
--- a/nixos/modules/system/boot/plymouth.nix
+++ b/nixos/modules/system/boot/plymouth.nix
@@ -146,6 +146,9 @@ in
     systemd.services.systemd-ask-password-plymouth.wantedBy = [ "multi-user.target" ];
     systemd.paths.systemd-ask-password-plymouth.wantedBy = [ "multi-user.target" ];
 
+    # Prevent Plymouth taking over the screen during system updates.
+    systemd.services.plymouth-start.restartIfChanged = false;
+
     boot.initrd.systemd = {
       extraBin.plymouth = "${plymouth}/bin/plymouth"; # for the recovery shell
       storePaths = [
diff --git a/nixos/modules/system/boot/systemd/coredump.nix b/nixos/modules/system/boot/systemd/coredump.nix
index c2ca973d380..03ef00e5683 100644
--- a/nixos/modules/system/boot/systemd/coredump.nix
+++ b/nixos/modules/system/boot/systemd/coredump.nix
@@ -44,7 +44,21 @@ in {
         '';
 
         # install provided sysctl snippets
-        "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
+        "sysctl.d/50-coredump.conf".source =
+          # Fix systemd-coredump error caused by truncation of `kernel.core_pattern`
+          # when the `systemd` derivation name is too long. This works by substituting
+          # the path to `systemd` with a symlink that has a constant-length path.
+          #
+          # See: https://github.com/NixOS/nixpkgs/issues/213408
+          pkgs.substitute {
+            src = "${systemd}/example/sysctl.d/50-coredump.conf";
+            replacements = [
+              "--replace"
+              "${systemd}"
+              "${pkgs.symlinkJoin { name = "systemd"; paths = [ systemd ]; }}"
+            ];
+          };
+
         "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
       };
 
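Review bot: The substitution fixes the truncation for today's template only; nothing verifies the resulting `kernel.core_pattern=` value against the kernel's CORENAME_MAX_SIZE (128 bytes), so a renamed derivation, a different store prefix, or extra specifiers in a future systemd `50-coredump.conf` would truncate again with no evaluation-time signal, and a truncated pipe handler means cores are silently dropped or handed to the wrong program. Since the symlinkJoin path is known at evaluation time, bind it in a `let` and either assert the expected pattern length, or wrap the substituted file in a small `runCommand` that fails when `grep '^kernel.core_pattern=' | wc -c` exceeds the limit, so the check tracks the shipped file rather than a hard-coded specifier list. The enclosing attribute set starts before this hunk.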
diff --git a/nixos/modules/virtualisation/amazon-options.nix b/nixos/modules/virtualisation/amazon-options.nix
index 926fe43b0ff..3ea4a6cf781 100644
--- a/nixos/modules/virtualisation/amazon-options.nix
+++ b/nixos/modules/virtualisation/amazon-options.nix
@@ -28,13 +28,13 @@ in {
             options = {
               mount = lib.mkOption {
                 description = lib.mdDoc "Where to mount this dataset.";
-                type = types.nullOr types.string;
+                type = types.nullOr types.str;
                 default = null;
               };
 
               properties = lib.mkOption {
                 description = lib.mdDoc "Properties to set on this dataset.";
-                type = types.attrsOf types.string;
+                type = types.attrsOf types.str;
                 default = {};
               };
             };
diff --git a/nixos/modules/virtualisation/openstack-options.nix b/nixos/modules/virtualisation/openstack-options.nix
index c71b581b02c..52f45de92ec 100644
--- a/nixos/modules/virtualisation/openstack-options.nix
+++ b/nixos/modules/virtualisation/openstack-options.nix
@@ -29,13 +29,13 @@ in
             options = {
               mount = lib.mkOption {
                 description = lib.mdDoc "Where to mount this dataset.";
-                type = types.nullOr types.string;
+                type = types.nullOr types.str;
                 default = null;
               };
 
               properties = lib.mkOption {
                 description = lib.mdDoc "Properties to set on this dataset.";
-                type = types.attrsOf types.string;
+                type = types.attrsOf types.str;
                 default = { };
               };
             };
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index b4bd8ef3e0f..fe51123f1d0 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -126,6 +126,7 @@ in {
   cfssl = handleTestOn ["aarch64-linux" "x86_64-linux"] ./cfssl.nix {};
   charliecloud = handleTest ./charliecloud.nix {};
   chromium = (handleTestOn ["aarch64-linux" "x86_64-linux"] ./chromium.nix {}).stable or {};
+  chrony-ptp = handleTestOn ["aarch64-linux" "x86_64-linux"] ./chrony-ptp.nix {};
   cinnamon = handleTest ./cinnamon.nix {};
   cjdns = handleTest ./cjdns.nix {};
   clickhouse = handleTest ./clickhouse.nix {};
diff --git a/nixos/tests/apfs.nix b/nixos/tests/apfs.nix
index a8841fe9304..ac0459b57e9 100644
--- a/nixos/tests/apfs.nix
+++ b/nixos/tests/apfs.nix
@@ -21,9 +21,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
     with subtest("Enable case sensitivity and normalization sensitivity"):
       machine.succeed(
           "mkapfs -s -z /dev/vdb",
-          # Triggers a bug, see https://github.com/linux-apfs/linux-apfs-rw/issues/15
-          # "mount -o cknodes,readwrite /dev/vdb /tmp/mnt",
-          "mount -o readwrite /dev/vdb /tmp/mnt",
+          "mount -o cknodes,readwrite /dev/vdb /tmp/mnt",
           "echo 'Hello World 1' > /tmp/mnt/test.txt",
           "[ ! -f /tmp/mnt/TeSt.TxT ] || false", # Test case sensitivity
           "echo 'Hello World 1' | diff - /tmp/mnt/test.txt",
@@ -36,13 +34,13 @@ import ./make-test-python.nix ({ pkgs, ... }: {
     with subtest("Disable case sensitivity and normalization sensitivity"):
       machine.succeed(
           "mkapfs /dev/vdb",
-          "mount -o readwrite /dev/vdb /tmp/mnt",
+          "mount -o cknodes,readwrite /dev/vdb /tmp/mnt",
           "echo 'bla bla bla' > /tmp/mnt/Test.txt",
           "echo -n 'Hello World' > /tmp/mnt/test.txt",
           "echo ' 1' >> /tmp/mnt/TEST.TXT",
           "umount /tmp/mnt",
           "apfsck /dev/vdb",
-          "mount -o readwrite /dev/vdb /tmp/mnt",
+          "mount -o cknodes,readwrite /dev/vdb /tmp/mnt",
           "echo 'Hello World 1' | diff - /tmp/mnt/TeSt.TxT", # Test case insensitivity
           "echo 'Hello World 2' > /tmp/mnt/\u0061\u0301.txt",
           "echo 'Hello World 2' | diff - /tmp/mnt/\u0061\u0301.txt",
diff --git a/nixos/tests/chrony-ptp.nix b/nixos/tests/chrony-ptp.nix
new file mode 100644
index 00000000000..b2634a8cfc5
--- /dev/null
+++ b/nixos/tests/chrony-ptp.nix
@@ -0,0 +1,28 @@
+import ./make-test-python.nix ({ lib, ... }:
+{
+  name = "chrony-ptp";
+
+  meta = {
+    maintainers = with lib.maintainers; [ gkleen ];
+  };
+
+  nodes = {
+    qemuGuest = { lib, ... }: {
+      boot.kernelModules = [ "ptp_kvm" ];
+
+      services.chrony = {
+        enable = true;
+        extraConfig = ''
+          refclock PHC /dev/ptp_kvm poll 2 dpoll -2 offset 0 stratum 3
+        '';
+      };
+    };
+  };
+
+  testScript = ''
+    start_all()
+
+    qemuGuest.wait_for_unit('multi-user.target')
+    qemuGuest.succeed('systemctl is-active chronyd.service')
+  '';
+})
diff --git a/nixos/tests/grafana/provision/default.nix b/nixos/tests/grafana/provision/default.nix
index 1eb927632eb..96378452ade 100644
--- a/nixos/tests/grafana/provision/default.nix
+++ b/nixos/tests/grafana/provision/default.nix
@@ -22,9 +22,15 @@ let
       };
     };
 
-    systemd.tmpfiles.rules = [
-      "L /var/lib/grafana/dashboards/test.json 0700 grafana grafana - ${pkgs.writeText "test.json" (builtins.readFile ./test_dashboard.json)}"
-    ];
+    system.activationScripts.setup-grafana = {
+      deps = [ "users" ];
+      text = ''
+        mkdir -p /var/lib/grafana/dashboards
+        chown -R grafana:grafana /var/lib/grafana
+        chmod 0700 -R /var/lib/grafana/dashboards
+        cp ${pkgs.writeText "test.json" (builtins.readFile ./test_dashboard.json)} /var/lib/grafana/dashboards/
+      '';
+    };
   };
 
   extraNodeConfs = {
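Review bot: In the activation script the `chown -R` and `chmod -R` run before the `cp`, so the dashboard file itself is written afterwards with root ownership and the store file's mode and never receives the `grafana:grafana` 0700 the replaced tmpfiles rule expressed; it presumably only works because store files are world-readable. Reorder so the copy comes first, or replace the last three commands with `install -D -m 0600 -o grafana -g grafana ${pkgs.writeText "test.json" (builtins.readFile ./test_dashboard.json)} /var/lib/grafana/dashboards/test.json`, which also avoids re-chowning the entire state directory on every activation.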
diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix
index 5f50a3f87d5..82d50da6381 100644
--- a/nixos/tests/prometheus-exporters.nix
+++ b/nixos/tests/prometheus-exporters.nix
@@ -1060,6 +1060,20 @@ let
       '';
     };
 
+    shelly = {
+      exporterConfig = {
+        enable = true;
+        metrics-file = "${pkgs.writeText "test.json" ''{}''}";
+      };
+      exporterTest = ''
+        wait_for_unit("prometheus-shelly-exporter.service")
+        wait_for_open_port(9784)
+        wait_until_succeeds(
+            "curl -sSf 'localhost:9784/metrics'"
+        )
+      '';
+    };
+
     script = {
       exporterConfig = {
         enable = true;