Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2003.xml15
-rw-r--r--nixos/lib/test-driver/test-driver.py35
-rw-r--r--nixos/modules/config/no-x-libs.nix1
-rw-r--r--nixos/modules/i18n/input-method/ibus.nix2
-rw-r--r--nixos/modules/programs/dconf.nix6
-rw-r--r--nixos/modules/services/hardware/bluetooth.nix2
-rw-r--r--nixos/modules/services/misc/gitea.nix22
-rw-r--r--nixos/modules/services/x11/desktop-managers/pantheon.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/plasma5.nix2
-rw-r--r--nixos/modules/services/x11/display-managers/gdm.nix2
-rw-r--r--nixos/tests/ferm.nix30
-rw-r--r--nixos/tests/matomo.nix17
-rw-r--r--nixos/tests/nat.nix55
-rw-r--r--nixos/tests/predictable-interface-names.nix6
14 files changed, 136 insertions, 61 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml
index 2a5064c71b0..3447b1221bc 100644
--- a/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixos/doc/manual/release-notes/rl-2003.xml
@@ -199,6 +199,21 @@
       This has led to drastically reduced closed sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     The packages <literal>openobex</literal> and <literal>obexftp</literal>
+     are no loger installed when enabling bluetooth via
+     <option>hardware.bluetooth.enable</option>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>dump1090</literal> derivation has been changed to use FlightAware's dump1090
+     as its upstream. However, this version does not have an internal webserver anymore. The
+     assets in the <literal>share/dump1090</literal> directory of the derivation can be used
+     in conjunction with an external webserver to replace this functionality.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
diff --git a/nixos/lib/test-driver/test-driver.py b/nixos/lib/test-driver/test-driver.py
index e45521424de..02c172c4a4d 100644
--- a/nixos/lib/test-driver/test-driver.py
+++ b/nixos/lib/test-driver/test-driver.py
@@ -16,6 +16,8 @@ import tempfile
 import time
 import unicodedata
 from typing import Tuple, Any, Callable, Dict, Iterator, Optional, List
+import shlex
+import pathlib
 
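Review bot: The two new imports at the end of the hunk, `import shlex` and `import pathlib`, are appended after the `from typing ...` line instead of being placed with the other alphabetically ordered stdlib imports (`tempfile`, `time`, `unicodedata` are visible just above). Moving them into that sorted run, e.g. `import pathlib` before `import tempfile` and `import shlex` before `import tempfile` as well, keeps the import block in the order the rest of the file already follows. The import block begins before this hunk, so the exact insertion points are outside the visible lines.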
 CHAR_TO_KEY = {
     "A": "shift-a",
@@ -91,6 +93,10 @@ def eprint(*args: object, **kwargs: Any) -> None:
     print(*args, file=sys.stderr, **kwargs)
 
 
+def make_command(args: list) -> str:
+    return " ".join(map(shlex.quote, (map(str, args))))
+
+
 def create_vlan(vlan_nr: str) -> Tuple[str, str, "subprocess.Popen[bytes]", Any]:
     global log
     log.log("starting VDE switch for network {}".format(vlan_nr))
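Review bot: `make_command` is annotated with a bare `list` while the rest of this typed file imports `List` from `typing` (see the import hunk above), so the element type is lost; `def make_command(args: List[object]) -> str:` states what the function accepts, and the inner `(map(str, args))` has a redundant pair of parentheses. It also has no docstring, unlike the neighbouring `eprint`; a one-liner such as `"""Join *args* into one shell command line, str()-ing each element and shlex-quoting it so values are passed to the guest shell verbatim."""` documents why the quoting is there.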
@@ -215,7 +221,7 @@ class Machine:
             return path
 
         self.state_dir = create_dir("vm-state-{}".format(self.name))
-        self.shared_dir = create_dir("xchg-shared")
+        self.shared_dir = create_dir("{}/xchg".format(self.state_dir))
 
         self.booted = False
         self.connected = False
@@ -524,6 +530,33 @@ class Machine:
             if ret.returncode != 0:
                 raise Exception("Cannot convert screenshot")
 
+    def copy_from_vm(self, source: str, target_dir: str = "") -> None:
+        """Copy a file from the VM (specified by an in-VM source path) to a path
+        relative to `$out`. The file is copied via the `shared_dir` shared among
+        all the VMs (using a temporary directory).
+        """
+        # Compute the source, target, and intermediate shared file names
+        out_dir = pathlib.Path(os.environ.get("out", os.getcwd()))
+        vm_src = pathlib.Path(source)
+        with tempfile.TemporaryDirectory(dir=self.shared_dir) as shared_td:
+            shared_temp = pathlib.Path(shared_td)
+            vm_shared_temp = pathlib.Path("/tmp/xchg") / shared_temp.name
+            vm_intermediate = vm_shared_temp / vm_src.name
+            intermediate = shared_temp / vm_src.name
+            # Copy the file to the shared directory inside VM
+            self.succeed(make_command(["mkdir", "-p", vm_shared_temp]))
+            self.succeed(make_command(["cp", "-r", vm_src, vm_intermediate]))
+            self.succeed("sync")
+            abs_target = out_dir / target_dir / vm_src.name
+            abs_target.parent.mkdir(exist_ok=True, parents=True)
+            # Copy the file from the shared directory outside VM
+            if intermediate.is_dir():
+                shutil.copytree(intermediate, abs_target)
+            else:
+                shutil.copy(intermediate, abs_target)
+        # Make sure the cleanup is synced into VM
+        self.succeed("sync")
+
     def dump_tty_contents(self, tty: str) -> None:
         """Debugging: Dump the contents of the TTY<n>
         """
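Review bot: The docstring of `copy_from_vm` says the file travels via "the `shared_dir` shared among all the VMs", but the earlier hunk in this file now creates `self.shared_dir` under the per-machine state directory (`create_dir("{}/xchg".format(self.state_dir))`), so the docstring should say `The file is copied via this machine's shared_dir (a per-VM exchange directory mounted inside the guest)`. The guest-side mount point `/tmp/xchg` is hard-coded on the line building `vm_shared_temp` and nothing in the hunk establishes it; a comment like `# assumes shared_dir is mounted at /tmp/xchg in the guest — keep in sync with the VM configuration` would flag the coupling. Because `pathlib`'s `/` discards the left operand when the right one is absolute, an absolute `target_dir` silently writes outside `$out` despite the documented "relative to `$out`" contract; a guard such as `if pathlib.Path(target_dir).is_absolute(): raise ValueError("target_dir must be relative to $out")` pins it. `shutil.copytree` also raises `FileExistsError` when `abs_target` already exists, so copying the same directory twice fails; either document that or, if the driver's Python is 3.8 or newer, pass `dirs_exist_ok=True`.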
diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix
index d0f62d05870..873b8073fed 100644
--- a/nixos/modules/config/no-x-libs.nix
+++ b/nixos/modules/config/no-x-libs.nix
@@ -35,7 +35,6 @@ with lib;
       networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; };
       networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; };
       gobject-introspection = super.gobject-introspection.override { x11Support = false; };
-      polkit = super.polkit.override { withGnome = false; };
     }));
   };
 }
diff --git a/nixos/modules/i18n/input-method/ibus.nix b/nixos/modules/i18n/input-method/ibus.nix
index 8109ef76c40..956c521dde0 100644
--- a/nixos/modules/i18n/input-method/ibus.nix
+++ b/nixos/modules/i18n/input-method/ibus.nix
@@ -55,7 +55,7 @@ in
 
     # Without dconf enabled it is impossible to use IBus
     environment.systemPackages = with pkgs; [
-      gnome3.dconf ibusAutostart
+      dconf ibusAutostart
     ];
 
     environment.variables = {
diff --git a/nixos/modules/programs/dconf.nix b/nixos/modules/programs/dconf.nix
index eeebc3558bd..e0e2ffd80cf 100644
--- a/nixos/modules/programs/dconf.nix
+++ b/nixos/modules/programs/dconf.nix
@@ -32,13 +32,13 @@ in
     environment.etc = optionals (cfg.profiles != {})
       (mapAttrsToList mkDconfProfile cfg.profiles);
 
-    services.dbus.packages = [ pkgs.gnome3.dconf ];
+    services.dbus.packages = [ pkgs.dconf ];
 
     # For dconf executable
-    environment.systemPackages = [ pkgs.gnome3.dconf ];
+    environment.systemPackages = [ pkgs.dconf ];
 
     # Needed for unwrapped applications
-    environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.gnome3.dconf.lib}/lib/gio/modules" ];
+    environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.dconf.lib}/lib/gio/modules" ];
   };
 
 }
diff --git a/nixos/modules/services/hardware/bluetooth.nix b/nixos/modules/services/hardware/bluetooth.nix
index 7b13beea1ca..11d67418a31 100644
--- a/nixos/modules/services/hardware/bluetooth.nix
+++ b/nixos/modules/services/hardware/bluetooth.nix
@@ -72,7 +72,7 @@ in {
       };
     };
 
-    environment.systemPackages = [ bluez-bluetooth pkgs.openobex pkgs.obexftp ];
+    environment.systemPackages = [ bluez-bluetooth ];
 
     environment.etc = singleton {
       source = pkgs.writeText "main.conf" (generators.toINI { } cfg.config + optionalString (cfg.extraConfig != null) cfg.extraConfig);
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index c8c59fb256e..b6f4d88adbe 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -394,6 +394,28 @@ in
         WorkingDirectory = cfg.stateDir;
         ExecStart = "${gitea.bin}/bin/gitea web";
         Restart = "always";
+
+        # Filesystem
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
+        ReadWritePaths = cfg.stateDir;
+        # Caps
+        CapabilityBoundingSet = "";
+        NoNewPrivileges = true;
+        # Misc.
+        LockPersonality = true;
+        RestrictRealtime = true;
+        PrivateMounts = true;
+        PrivateUsers = true;
+        MemoryDenyWriteExecute = true;
+        SystemCallFilter = "~@chown @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap";
+        SystemCallArchitectures = "native";
+        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
       };
 
       environment = {
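Review bot: `ReadWritePaths = cfg.stateDir;` combined with `ProtectSystem = "strict"` makes everything outside the state directory read-only for the service, so if the module lets repositories or logs live at a separately configurable path (not visible in this hunk), pushes and log writes would start failing with EROFS after this change; those paths should be added to `ReadWritePaths` or the restriction documented next to the option. The `SystemCallFilter` is a deny list (`~@chown @clock ...`), and several of the listed groups (`@chown`, `@clock`, `@module`, `@raw-io`, `@reboot`, `@setuid`, `@swap`) are already members of `@privileged`; an allow list such as `SystemCallFilter = [ "@system-service" "~@privileged @resources" ];` is both shorter and fails closed for syscalls not named here. A short comment stating which systemd version introduced the groups relied on would help, since `@system-service` and some of the listed groups are not available on older systemd. The enclosing `serviceConfig` attribute set starts before this hunk.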
diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix
index 80dab135ee2..25ef1cbfc67 100644
--- a/nixos/modules/services/x11/desktop-managers/pantheon.nix
+++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix
@@ -159,7 +159,7 @@ in
     # Override GSettings schemas
     environment.sessionVariables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-desktop-schemas}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas";
 
-    environment.sessionVariables.GNOME_SESSION_DEBUG = optionalString cfg.debug "1";
+    environment.sessionVariables.GNOME_SESSION_DEBUG = mkIf cfg.debug "1";
 
     # Settings from elementary-default-settings
     environment.sessionVariables.GTK_CSD = "1";
diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix
index da8bdcb78c4..56015874723 100644
--- a/nixos/modules/services/x11/desktop-managers/plasma5.nix
+++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix
@@ -169,7 +169,7 @@ in
         ++ lib.optional (cfg.phononBackend == "vlc") libsForQt5.phonon-backend-vlc
 
         # Optional hardware support features
-        ++ lib.optionals config.hardware.bluetooth.enable [ bluedevil bluez-qt ]
+        ++ lib.optionals config.hardware.bluetooth.enable [ bluedevil bluez-qt openobex obexftp ]
         ++ lib.optional config.networking.networkmanager.enable plasma-nm
         ++ lib.optional config.hardware.pulseaudio.enable plasma-pa
         ++ lib.optional config.powerManagement.enable powerdevil
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
index 912ec5bd38e..29a80aac6e6 100644
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -281,7 +281,7 @@ in
       customDconfDb = pkgs.stdenv.mkDerivation {
         name = "gdm-dconf-db";
         buildCommand = ''
-          ${pkgs.gnome3.dconf}/bin/dconf compile $out ${customDconf}/dconf
+          ${pkgs.dconf}/bin/dconf compile $out ${customDconf}/dconf
         '';
       };
     in pkgs.stdenv.mkDerivation {
diff --git a/nixos/tests/ferm.nix b/nixos/tests/ferm.nix
index edf9c8036ac..a73c9ce739c 100644
--- a/nixos/tests/ferm.nix
+++ b/nixos/tests/ferm.nix
@@ -1,5 +1,5 @@
 
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
   name = "ferm";
   meta = with pkgs.stdenv.lib.maintainers; {
     maintainers = [ mic92 ];
@@ -53,24 +53,22 @@ import ./make-test.nix ({ pkgs, ...} : {
 
   testScript =
     ''
-      startAll;
+      start_all()
 
-      $client->waitForUnit("network-online.target");
-      $server->waitForUnit("ferm.service");
-      $server->waitForUnit("nginx.service");
-      $server->waitUntilSucceeds("ss -ntl | grep -q 80");
+      client.wait_for_unit("network-online.target")
+      server.wait_for_unit("ferm.service")
+      server.wait_for_unit("nginx.service")
+      server.wait_until_succeeds("ss -ntl | grep -q 80")
 
-      subtest "port 80 is allowed", sub {
-          $client->succeed("curl --fail -g http://192.168.1.1:80/status");
-          $client->succeed("curl --fail -g http://[fd00::1]:80/status");
-      };
+      with subtest("port 80 is allowed"):
+          client.succeed("curl --fail -g http://192.168.1.1:80/status")
+          client.succeed("curl --fail -g http://[fd00::1]:80/status")
 
-      subtest "port 8080 is not allowed", sub {
-          $server->succeed("curl --fail -g http://192.168.1.1:8080/status");
-          $server->succeed("curl --fail -g http://[fd00::1]:8080/status");
+      with subtest("port 8080 is not allowed"):
+          server.succeed("curl --fail -g http://192.168.1.1:8080/status")
+          server.succeed("curl --fail -g http://[fd00::1]:8080/status")
 
-          $client->fail("curl --fail -g http://192.168.1.1:8080/status");
-          $client->fail("curl --fail -g http://[fd00::1]:8080/status");
-      };
+          client.fail("curl --fail -g http://192.168.1.1:8080/status")
+          client.fail("curl --fail -g http://[fd00::1]:8080/status")
     '';
 })
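Review bot: The readiness check `server.wait_until_succeeds("ss -ntl | grep -q 80")` on the new side matches any listening socket whose line contains the digits `80` (including 8080 or an address ending in 80), so the subtest that expects port 8080 to be filtered could start before nginx actually listens on 80; anchoring the match, e.g. `server.wait_until_succeeds("ss -ntl | grep -q ':80 '")`, makes the wait condition mean what its name says. This weakness was carried over from the Perl version rather than introduced here, but the port is the natural moment to tighten it.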
diff --git a/nixos/tests/matomo.nix b/nixos/tests/matomo.nix
index 4efa65a7b6d..2bea237c8bd 100644
--- a/nixos/tests/matomo.nix
+++ b/nixos/tests/matomo.nix
@@ -1,7 +1,7 @@
 { system ? builtins.currentSystem, config ? { }
 , pkgs ? import ../.. { inherit system config; } }:
 
-with import ../lib/testing.nix { inherit system pkgs; };
+with import ../lib/testing-python.nix { inherit system pkgs; };
 with pkgs.lib;
 
 let
@@ -24,11 +24,16 @@ let
     };
 
     testScript = ''
-      startAll;
-      $machine->waitForUnit("mysql.service");
-      $machine->waitForUnit("phpfpm-matomo.service");
-      $machine->waitForUnit("nginx.service");
-      $machine->succeed("curl -sSfL http://localhost/ | grep '<title>Matomo[^<]*Installation'");
+      start_all()
+      machine.wait_for_unit("mysql.service")
+      machine.wait_for_unit("phpfpm-matomo.service")
+      machine.wait_for_unit("nginx.service")
+
+      # without the grep the command does not produce valid utf-8 for some reason
+      with subtest("welcome screen loads"):
+          machine.succeed(
+              "curl -sSfL http://localhost/ | grep '<title>Matomo[^<]*Installation'"
+          )
     '';
   };
 in {
diff --git a/nixos/tests/nat.nix b/nixos/tests/nat.nix
index 51d9cf166bb..0d1f7aaedfa 100644
--- a/nixos/tests/nat.nix
+++ b/nixos/tests/nat.nix
@@ -3,7 +3,7 @@
 # client on the inside network, a server on the outside network, and a
 # router connected to both that performs Network Address Translation
 # for the client.
-import ./make-test.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, ... }:
+import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, ... }:
   let
     unit = if withFirewall then "firewall" else "nat";
 
@@ -69,49 +69,52 @@ import ./make-test.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false,
         routerDummyNoNatClosure = nodes.routerDummyNoNat.config.system.build.toplevel;
         routerClosure = nodes.router.config.system.build.toplevel;
       in ''
-        $client->start;
-        $router->start;
-        $server->start;
+        client.start()
+        router.start()
+        server.start()
 
         # The router should have access to the server.
-        $server->waitForUnit("network.target");
-        $server->waitForUnit("httpd");
-        $router->waitForUnit("network.target");
-        $router->succeed("curl --fail http://server/ >&2");
+        server.wait_for_unit("network.target")
+        server.wait_for_unit("httpd")
+        router.wait_for_unit("network.target")
+        router.succeed("curl --fail http://server/ >&2")
 
         # The client should be also able to connect via the NAT router.
-        $router->waitForUnit("${unit}");
-        $client->waitForUnit("network.target");
-        $client->succeed("curl --fail http://server/ >&2");
-        $client->succeed("ping -c 1 server >&2");
+        router.wait_for_unit("${unit}")
+        client.wait_for_unit("network.target")
+        client.succeed("curl --fail http://server/ >&2")
+        client.succeed("ping -c 1 server >&2")
 
         # Test whether passive FTP works.
-        $server->waitForUnit("vsftpd");
-        $server->succeed("echo Hello World > /home/ftp/foo.txt");
-        $client->succeed("curl -v ftp://server/foo.txt >&2");
+        server.wait_for_unit("vsftpd")
+        server.succeed("echo Hello World > /home/ftp/foo.txt")
+        client.succeed("curl -v ftp://server/foo.txt >&2")
 
         # Test whether active FTP works.
-        $client->${if withConntrackHelpers then "succeed" else "fail"}(
-          "curl -v -P - ftp://server/foo.txt >&2");
+        client.${if withConntrackHelpers then "succeed" else "fail"}("curl -v -P - ftp://server/foo.txt >&2")
 
         # Test ICMP.
-        $client->succeed("ping -c 1 router >&2");
-        $router->succeed("ping -c 1 client >&2");
+        client.succeed("ping -c 1 router >&2")
+        router.succeed("ping -c 1 client >&2")
 
         # If we turn off NAT, the client shouldn't be able to reach the server.
-        $router->succeed("${routerDummyNoNatClosure}/bin/switch-to-configuration test 2>&1");
-        $client->fail("curl --fail --connect-timeout 5 http://server/ >&2");
-        $client->fail("ping -c 1 server >&2");
+        router.succeed(
+            "${routerDummyNoNatClosure}/bin/switch-to-configuration test 2>&1"
+        )
+        client.fail("curl --fail --connect-timeout 5 http://server/ >&2")
+        client.fail("ping -c 1 server >&2")
 
         # And make sure that reloading the NAT job works.
-        $router->succeed("${routerClosure}/bin/switch-to-configuration test 2>&1");
+        router.succeed(
+            "${routerClosure}/bin/switch-to-configuration test 2>&1"
+        )
         # FIXME: this should not be necessary, but nat.service is not started because
         #        network.target is not triggered
         #        (https://github.com/NixOS/nixpkgs/issues/16230#issuecomment-226408359)
         ${lib.optionalString (!withFirewall) ''
-          $router->succeed("systemctl start nat.service");
+          router.succeed("systemctl start nat.service")
         ''}
-        $client->succeed("curl --fail http://server/ >&2");
-        $client->succeed("ping -c 1 server >&2");
+        client.succeed("curl --fail http://server/ >&2")
+        client.succeed("ping -c 1 server >&2")
       '';
   })
diff --git a/nixos/tests/predictable-interface-names.nix b/nixos/tests/predictable-interface-names.nix
index 194b4dafa77..83883477a5c 100644
--- a/nixos/tests/predictable-interface-names.nix
+++ b/nixos/tests/predictable-interface-names.nix
@@ -4,7 +4,7 @@
 }:
 
 let
-  inherit (import ../lib/testing.nix { inherit system pkgs; }) makeTest;
+  inherit (import ../lib/testing-python.nix { inherit system pkgs; }) makeTest;
 in pkgs.lib.listToAttrs (pkgs.lib.crossLists (predictable: withNetworkd: {
   name = pkgs.lib.optionalString (!predictable) "un" + "predictable"
        + pkgs.lib.optionalString withNetworkd "Networkd";
@@ -20,8 +20,8 @@ in pkgs.lib.listToAttrs (pkgs.lib.crossLists (predictable: withNetworkd: {
     };
 
     testScript = ''
-      print $machine->succeed("ip link");
-      $machine->${if predictable then "fail" else "succeed"}("ip link show eth0 ");
+      print(machine.succeed("ip link"))
+      machine.${if predictable then "fail" else "succeed"}("ip link show eth0")
     '';
   };
 }) [[true false] [true false]])