diff options
Diffstat (limited to 'nixos')
43 files changed, 1637 insertions, 339 deletions
diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index e96bc47b4a5..bcb5d0d02f7 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix @@ -14,6 +14,10 @@ with pkgs; let lib = pkgs.lib; + docbook_xsl_ns = pkgs.docbook-xsl-ns.override { + withManOptDedupPatch = true; + }; + # We need to strip references to /nix/store/* from options, # including any `extraSources` if some modules came from elsewhere, # or else the build will fail. diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 4453c907f67..80af4c32e34 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -132,6 +132,13 @@ </listitem> <listitem> <para> + <link xlink:href="https://github.com/vvilhonen/nethoscope">nethoscope</link>, + listen to your network traffic. Available as + <link linkend="opt-programs.nethoscope.enable">programs.nethoscope</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html">filebeat</link>, a lightweight shipper for forwarding and centralizing log data. Available as @@ -221,6 +228,15 @@ </listitem> <listitem> <para> + <link xlink:href="https://github.com/mozilla-mobile/mozilla-vpn-client">mozillavpn</link>, + the client for the + <link xlink:href="https://vpn.mozilla.org/">Mozilla VPN</link> + service. Available as + <link xlink:href="options.html#opt-services.mozillavpn">services.mozillavpn</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://github.com/mgumz/mtr-exporter">mtr-exporter</link>, a Prometheus exporter for mtr metrics. Available as <link xlink:href="options.html#opt-services.mtr-exporter.enable">services.mtr-exporter</link>. @@ -365,6 +381,14 @@ cluster resource manager </para> </listitem> + <listitem> + <para> + <link xlink:href="https://nifi.apache.org">nifi</link>, an + easy to use, powerful, and reliable system to process and + distribute data. Available as + <link xlink:href="options.html#opt-services.nifi.enable">services.nifi</link>. + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-22.05-incompatibilities"> @@ -434,6 +458,12 @@ </listitem> <listitem> <para> + <literal>security.klogd</literal> was removed. Logging of + kernel messages is handled by systemd since Linux 3.5. + </para> + </listitem> + <listitem> + <para> <literal>services.kubernetes.addons.dashboard</literal> was removed due to it being an outdated version. </para> @@ -489,6 +519,13 @@ </listitem> <listitem> <para> + <literal>services.prometheus.alertManagerTimeout</literal> has + been removed as it has been deprecated upstream and has no + effect. + </para> + </listitem> + <listitem> + <para> The DHCP server (<literal>services.dhcpd4</literal>, <literal>services.dhcpd6</literal>) has been hardened. The service is now using the systemd’s @@ -522,6 +559,17 @@ </listitem> <listitem> <para> + <literal>services.paperless-ng</literal> was renamed to + <literal>services.paperless</literal>. Accordingly, the + <literal>paperless-ng-manage</literal> script (located in + <literal>dataDir</literal>) was renamed to + <literal>paperless-manage</literal>. + <literal>services.paperless</literal> now uses + <literal>paperless-ngx</literal>. + </para> + </listitem> + <listitem> + <para> The <literal>matrix-synapse</literal> service (<literal>services.matrix-synapse</literal>) has been converted to use the <literal>settings</literal> option @@ -1281,6 +1329,33 @@ </listitem> <listitem> <para> + Existing <literal>resholve*</literal> functions have been + renamed and nested under <literal>pkgs.resholve</literal>. + Update uses to: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>resholvePackage</literal> -> + <literal>resholve.mkDerivation</literal> + </para> + </listitem> + <listitem> + <para> + <literal>resholveScript</literal> -> + <literal>resholve.writeScript</literal> + </para> + </listitem> + <listitem> + <para> + <literal>resholveScriptBin</literal> -> + <literal>resholve.writeScriptBin</literal> + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> <literal>pkgs.cosmopolitan</literal> no longer provides the <literal>cosmoc</literal> command. It has been moved to <literal>pkgs.cosmoc</literal>. @@ -1633,6 +1708,13 @@ </listitem> <listitem> <para> + A module for declarative configuration of openconnect VPN + profiles was added under + <literal>networking.openconnect</literal>. + </para> + </listitem> + <listitem> + <para> The <literal>element-desktop</literal> package now has an <literal>useKeytar</literal> option (defaults to <literal>true</literal>), which allows disabling @@ -1731,6 +1813,15 @@ </listitem> <listitem> <para> + <literal>security.pam.ussh</literal> has been added, which + allows authorizing PAM sessions based on SSH + <emphasis>certificates</emphasis> held within an SSH agent, + using + <link xlink:href="https://github.com/uber/pam-ussh">pam-ussh</link>. + </para> + </listitem> + <listitem> + <para> The <literal>zrepl</literal> package has been updated from 0.4.0 to 0.5: </para> @@ -1811,6 +1902,17 @@ </listitem> <listitem> <para> + xfsprogs was update to version 5.15, which enables inobtcount + and bigtime by default on filesystem creation. Support for + these features was added in kernel 5.10 and deemed stable in + kernel 5.15. If you want to be able to mount XFS filesystems + created with this release of xfsprogs on kernel releases older + than 5.10, you need to format them with + <literal>mkfs.xfs -m bigtime=0 -m inobtcount=0</literal>. + </para> + </listitem> + <listitem> + <para> <literal>services.xserver.desktopManager.xfce</literal> now includes Xfce’s screen locker, <literal>xfce4-screensaver</literal>. diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index abc16b8d66e..98e4010abef 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -41,6 +41,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [matrix-conduit](https://conduit.rs/), a simple, fast and reliable chat server powered by matrix. Available as [services.matrix-conduit](option.html#opt-services.matrix-conduit.enable). +- [nethoscope](https://github.com/vvilhonen/nethoscope), listen to your network traffic. Available as [programs.nethoscope](#opt-programs.nethoscope.enable). + - [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html), a lightweight shipper for forwarding and centralizing log data. Available as [services.filebeat](#opt-services.filebeat.enable). - [apfs](https://github.com/linux-apfs/linux-apfs-rw), a kernel module for mounting the Apple File System (APFS). @@ -65,6 +67,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [K40-Whisperer](https://www.scorchworks.com/K40whisperer/k40whisperer.html), a program to control cheap Chinese laser cutters. Available as [programs.k40-whisperer.enable](options.html#opt-programs.k4-whisperer.enable). Users must add themselves to the `k40` group to be able to access the device. +- [mozillavpn](https://github.com/mozilla-mobile/mozilla-vpn-client), the client for the [Mozilla VPN](https://vpn.mozilla.org/) service. Available as [services.mozillavpn](options.html#opt-services.mozillavpn). + - [mtr-exporter](https://github.com/mgumz/mtr-exporter), a Prometheus exporter for mtr metrics. Available as [services.mtr-exporter](options.html#opt-services.mtr-exporter.enable). - [prometheus-pve-exporter](https://github.com/prometheus-pve/prometheus-pve-exporter), a tool that exposes information from the Proxmox VE API for use by Prometheus. Available as [services.prometheus.exporters.pve](options.html#opt-services.prometheus.exporters.pve). @@ -105,6 +109,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [pacemaker](https://clusterlabs.org/pacemaker/) cluster resource manager +- [nifi](https://nifi.apache.org), an easy to use, powerful, and reliable system to process and distribute data. Available as [services.nifi](options.html#opt-services.nifi.enable). + <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> ## Backward Incompatibilities {#sec-release-22.05-incompatibilities} @@ -141,6 +147,9 @@ In addition to numerous new and upgraded packages, this release has the followin org-contrib, refer to the ones in `pkgs.emacsPackages.elpaPackages` and `pkgs.emacsPackages.nongnuPackages` where the new versions will release. +- `security.klogd` was removed. Logging of kernel messages is handled + by systemd since Linux 3.5. + - `services.kubernetes.addons.dashboard` was removed due to it being an outdated version. - `services.kubernetes.scheduler.{port,address}` now set `--secure-port` and `--bind-address` instead of `--port` and `--address`, since the former have been deprecated and are no longer functional in kubernetes>=1.23. Ensure that you are not relying on the insecure behaviour before upgrading. @@ -164,6 +173,8 @@ In addition to numerous new and upgraded packages, this release has the followin } ``` +- `services.prometheus.alertManagerTimeout` has been removed as it has been deprecated upstream and has no effect. + - The DHCP server (`services.dhcpd4`, `services.dhcpd6`) has been hardened. The service is now using the systemd's `DynamicUser` mechanism to run as an unprivileged dynamically-allocated user with limited capabilities. The dhcpd state files are now always stored in `/var/lib/dhcpd{4,6}` and the `services.dhcpd4.stateDir` and `service.dhcpd6.stateDir` options have been removed. @@ -173,6 +184,8 @@ In addition to numerous new and upgraded packages, this release has the followin - `services.ipfs.extraFlags` is now escaped with `utils.escapeSystemdExecArgs`. If you rely on systemd interpolating `extraFlags` in the service `ExecStart`, this will no longer work. +- `services.paperless-ng` was renamed to `services.paperless`. Accordingly, the `paperless-ng-manage` script (located in `dataDir`) was renamed to `paperless-manage`. `services.paperless` now uses `paperless-ngx`. + - The `matrix-synapse` service (`services.matrix-synapse`) has been converted to use the `settings` option defined in RFC42. This means that options that are part of your `homeserver.yaml` configuration, and that were specified at the top-level of the module (`services.matrix-synapse`) now need to be moved into `services.matrix-synapse.settings`. And while not all options you @@ -451,6 +464,11 @@ In addition to numerous new and upgraded packages, this release has the followin See the `vscode` package for a more detailed example. +- Existing `resholve*` functions have been renamed and nested under `pkgs.resholve`. Update uses to: + - `resholvePackage` -> `resholve.mkDerivation` + - `resholveScript` -> `resholve.writeScript` + - `resholveScriptBin` -> `resholve.writeScriptBin` + - `pkgs.cosmopolitan` no longer provides the `cosmoc` command. It has been moved to `pkgs.cosmoc`. <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> @@ -569,6 +587,8 @@ In addition to numerous new and upgraded packages, this release has the followin using `fetchgit` or `fetchhg` if the argument `fetchSubmodules` is set to `true`. +- A module for declarative configuration of openconnect VPN profiles was added under `networking.openconnect`. + - The `element-desktop` package now has an `useKeytar` option (defaults to `true`), which allows disabling `keytar` and in turn `libsecret` usage (which binds to native credential managers / keychain libraries). @@ -599,6 +619,8 @@ In addition to numerous new and upgraded packages, this release has the followin and [services.logrotate.extraConfig](#opt-services.logrotate.extraConfig) will work, but issue deprecation warnings and [services.logrotate.settings](#opt-services.logrotate.settings) should now be used instead. +- `security.pam.ussh` has been added, which allows authorizing PAM sessions based on SSH _certificates_ held within an SSH agent, using [pam-ussh](https://github.com/uber/pam-ussh). + - The `zrepl` package has been updated from 0.4.0 to 0.5: - The RPC protocol version was bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume. @@ -625,6 +647,9 @@ In addition to numerous new and upgraded packages, this release has the followin - The polkit service, available at `security.polkit.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed. +- xfsprogs was update to version 5.15, which enables inobtcount and bigtime by default on filesystem creation. Support for these features was added in kernel 5.10 and deemed stable in kernel 5.15. + If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than 5.10, you need to format them with `mkfs.xfs -m bigtime=0 -m inobtcount=0`. + - `services.xserver.desktopManager.xfce` now includes Xfce's screen locker, `xfce4-screensaver`. - The `hadoop` package has added support for `aarch64-linux` and `aarch64-darwin` as of 3.3.1 ([#158613](https://github.com/NixOS/nixpkgs/pull/158613)). diff --git a/nixos/lib/qemu-common.nix b/nixos/lib/qemu-common.nix index 20bbe9ff5d9..250f714be0a 100644 --- a/nixos/lib/qemu-common.nix +++ b/nixos/lib/qemu-common.nix @@ -23,8 +23,8 @@ rec { qemuBinary = qemuPkg: { x86_64-linux = "${qemuPkg}/bin/qemu-kvm -cpu max"; - armv7l-linux = "${qemuPkg}/bin/qemu-system-arm -enable-kvm -machine virt -cpu host"; - aarch64-linux = "${qemuPkg}/bin/qemu-system-aarch64 -enable-kvm -machine virt,gic-version=host -cpu host"; + armv7l-linux = "${qemuPkg}/bin/qemu-system-arm -machine virt,accel=kvm:tcg -cpu max"; + aarch64-linux = "${qemuPkg}/bin/qemu-system-aarch64 -machine virt,gic-version=max,accel=kvm:tcg -cpu max"; powerpc64le-linux = "${qemuPkg}/bin/qemu-system-ppc64 -machine powernv"; powerpc64-linux = "${qemuPkg}/bin/qemu-system-ppc64 -machine powernv"; x86_64-darwin = "${qemuPkg}/bin/qemu-kvm -cpu max"; diff --git a/nixos/modules/config/terminfo.nix b/nixos/modules/config/terminfo.nix index 1396640af67..693404a429c 100644 --- a/nixos/modules/config/terminfo.nix +++ b/nixos/modules/config/terminfo.nix @@ -1,9 +1,33 @@ # This module manages the terminfo database # and its integration in the system. -{ config, ... }: +{ config, lib, pkgs, ... }: + +with lib; + { + + options.environment.enableAllTerminfo = with lib; mkOption { + default = false; + type = types.bool; + description = '' + Whether to install all terminfo outputs + ''; + }; + config = { + # can be generated with: filter (drv: (builtins.tryEval (drv ? terminfo)).value) (attrValues pkgs) + environment.systemPackages = mkIf config.environment.enableAllTerminfo (map (x: x.terminfo) (with pkgs; [ + alacritty + foot + kitty + mtm + rxvt-unicode-unwrapped + rxvt-unicode-unwrapped-emoji + termite + wezterm + ])); + environment.pathsToLink = [ "/share/terminfo" ]; diff --git a/nixos/modules/hardware/video/webcam/facetimehd.nix b/nixos/modules/hardware/video/webcam/facetimehd.nix index d311f600c31..b13f103350e 100644 --- a/nixos/modules/hardware/video/webcam/facetimehd.nix +++ b/nixos/modules/hardware/video/webcam/facetimehd.nix @@ -16,11 +16,6 @@ in config = mkIf cfg.enable { - assertions = singleton { - assertion = versionAtLeast kernelPackages.kernel.version "3.19"; - message = "facetimehd is not supported for kernels older than 3.19"; - }; - boot.kernelModules = [ "facetimehd" ]; boot.blacklistedKernelModules = [ "bdc_pci" ]; diff --git a/nixos/modules/misc/documentation.nix b/nixos/modules/misc/documentation.nix index 9304c307af2..8e28d3336fa 100644 --- a/nixos/modules/misc/documentation.nix +++ b/nixos/modules/misc/documentation.nix @@ -64,7 +64,8 @@ let filter = builtins.filterSource (n: t: - (t == "directory" -> baseNameOf n != "tests") + cleanSourceFilter n t + && (t == "directory" -> baseNameOf n != "tests") && (t == "file" -> hasSuffix ".nix" n) ); in diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 1ad2592b1dd..2452ee685eb 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -185,6 +185,7 @@ ./programs/nbd.nix ./programs/nix-ld.nix ./programs/neovim.nix + ./programs/nethoscope.nix ./programs/nm-applet.nix ./programs/nncp.nix ./programs/npm.nix @@ -596,7 +597,7 @@ ./services/misc/osrm.nix ./services/misc/owncast.nix ./services/misc/packagekit.nix - ./services/misc/paperless-ng.nix + ./services/misc/paperless.nix ./services/misc/parsoid.nix ./services/misc/plex.nix ./services/misc/plikd.nix @@ -816,6 +817,7 @@ ./services/networking/mosquitto.nix ./services/networking/monero.nix ./services/networking/morty.nix + ./services/networking/mozillavpn.nix ./services/networking/miredo.nix ./services/networking/mstpd.nix ./services/networking/mtprotoproxy.nix @@ -851,6 +853,7 @@ ./services/networking/ofono.nix ./services/networking/oidentd.nix ./services/networking/onedrive.nix + ./services/networking/openconnect.nix ./services/networking/openvpn.nix ./services/networking/ostinato.nix ./services/networking/owamp.nix @@ -1052,6 +1055,7 @@ ./services/web-apps/netbox.nix ./services/web-apps/nextcloud.nix ./services/web-apps/nexus.nix + ./services/web-apps/nifi.nix ./services/web-apps/node-red.nix ./services/web-apps/pict-rs.nix ./services/web-apps/peertube.nix diff --git a/nixos/modules/programs/nethoscope.nix b/nixos/modules/programs/nethoscope.nix new file mode 100644 index 00000000000..495548e9c65 --- /dev/null +++ b/nixos/modules/programs/nethoscope.nix @@ -0,0 +1,30 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let cfg = config.programs.nethoscope; +in +{ + meta.maintainers = with maintainers; [ _0x4A6F ]; + + options = { + programs.nethoscope = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to add nethoscope to the global environment and configure a + setcap wrapper for it. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ nethoscope ]; + security.wrappers.nethoscope = { + source = "${pkgs.nethoscope}/bin/nethoscope"; + capabilities = "cap_net_raw,cap_net_admin=eip"; + }; + }; +} diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index c0ef8b5f30b..530304b497a 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -61,6 +61,19 @@ let ''; }; + usshAuth = mkOption { + default = false; + type = types.bool; + description = '' + If set, users with an SSH certificate containing an authorized principal + in their SSH agent are able to log in. Specific options are controlled + using the <option>security.pam.ussh</option> options. + + Note that the <option>security.pam.ussh.enable</option> must also be + set for this option to take effect. + ''; + }; + yubicoAuth = mkOption { default = config.security.pam.yubico.enable; defaultText = literalExpression "config.security.pam.yubico.enable"; @@ -475,6 +488,9 @@ let optionalString cfg.usbAuth '' auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so '' + + (let ussh = config.security.pam.ussh; in optionalString (config.security.pam.ussh.enable && cfg.usshAuth) '' + auth ${ussh.control} ${pkgs.pam_ussh}/lib/security/pam_ussh.so ${optionalString (ussh.caFile != null) "ca_file=${ussh.caFile}"} ${optionalString (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}"} ${optionalString (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}"} ${optionalString (ussh.group != null) "group=${ussh.group}"} + '') + (let oath = config.security.pam.oath; in optionalString cfg.oathAuth '' auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits} '') + @@ -594,6 +610,7 @@ let session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so '' + optionalString cfg.pamMount '' + session [success=1 default=ignore] ${pkgs.pam}/lib/security/pam_succeed_if.so service = systemd-user quiet session optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive '' + optionalString use_ldap '' @@ -926,6 +943,96 @@ in }; }; + security.pam.ussh = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enables Uber's USSH PAM (<literal>pam-ussh</literal>) module. + + This is similar to <literal>pam-ssh-agent</literal>, except that + the presence of a CA-signed SSH key with a valid principal is checked + instead. + + Note that this module must both be enabled using this option and on a + per-PAM-service level as well (using <literal>usshAuth</literal>). + + More information can be found <link + xlink:href="https://github.com/uber/pam-ussh">here</link>. + ''; + }; + + caFile = mkOption { + default = null; + type = with types; nullOr path; + description = '' + By default <literal>pam-ussh</literal> reads the trusted user CA keys + from <filename>/etc/ssh/trusted_user_ca</filename>. + + This should be set the same as your <literal>TrustedUserCAKeys</literal> + option for sshd. + ''; + }; + + authorizedPrincipals = mkOption { + default = null; + type = with types; nullOr commas; + description = '' + Comma-separated list of authorized principals to permit; if the user + presents a certificate with one of these principals, then they will be + authorized. + + Note that <literal>pam-ussh</literal> also requires that the certificate + contain a principal matching the user's username. The principals from + this list are in addition to those principals. + + Mutually exclusive with <literal>authorizedPrincipalsFile</literal>. + ''; + }; + + authorizedPrincipalsFile = mkOption { + default = null; + type = with types; nullOr path; + description = '' + Path to a list of principals; if the user presents a certificate with + one of these principals, then they will be authorized. + + Note that <literal>pam-ussh</literal> also requires that the certificate + contain a principal matching the user's username. The principals from + this file are in addition to those principals. + + Mutually exclusive with <literal>authorizedPrincipals</literal>. + ''; + }; + + group = mkOption { + default = null; + type = with types; nullOr str; + description = '' + If set, then the authenticating user must be a member of this group + to use this module. + ''; + }; + + control = mkOption { + default = "sufficient"; + type = types.enum [ "required" "requisite" "sufficient" "optional" ]; + description = '' + This option sets pam "control". + If you want to have multi factor authentication, use "required". + If you want to use the SSH certificate instead of the regular password, + use "sufficient". + + Read + <citerefentry> + <refentrytitle>pam.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + for better understanding of this option. + ''; + }; + }; + security.pam.yubico = { enable = mkOption { default = false; @@ -1110,6 +1217,9 @@ in optionalString (isEnabled (cfg: cfg.usbAuth)) '' mr ${pkgs.pam_usb}/lib/security/pam_usb.so, '' + + optionalString (isEnabled (cfg: cfg.usshAuth)) '' + mr ${pkgs.pam_ussh}/lib/security/pam_ussh.so, + '' + optionalString (isEnabled (cfg: cfg.oathAuth)) '' "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so, '' + diff --git a/nixos/modules/security/pam_mount.nix b/nixos/modules/security/pam_mount.nix index 462b7f89e2f..1d0efee8ca8 100644 --- a/nixos/modules/security/pam_mount.nix +++ b/nixos/modules/security/pam_mount.nix @@ -5,6 +5,14 @@ with lib; let cfg = config.security.pam.mount; + oflRequired = cfg.logoutHup || cfg.logoutTerm || cfg.logoutKill; + + fake_ofl = pkgs.writeShellScriptBin "fake_ofl" '' + SIGNAL=$1 + MNTPT=$2 + ${pkgs.lsof}/bin/lsof | ${pkgs.gnugrep}/bin/grep $MNTPT | ${pkgs.gawk}/bin/awk '{print $2}' | ${pkgs.findutils}/bin/xargs ${pkgs.util-linux}/bin/kill -$SIGNAL + ''; + anyPamMount = any (attrByPath ["pamMount"] false) (attrValues config.security.pam.services); in @@ -51,6 +59,71 @@ in You can define volume-specific options in the volume definitions. ''; }; + + debugLevel = mkOption { + type = types.int; + default = 0; + example = 1; + description = '' + Sets the Debug-Level. 0 disables debugging, 1 enables pam_mount tracing, + and 2 additionally enables tracing in mount.crypt. The default is 0. + For more information, visit <link + xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />. + ''; + }; + + logoutWait = mkOption { + type = types.int; + default = 0; + description = '' + Amount of microseconds to wait until killing remaining processes after + final logout. + For more information, visit <link + xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />. + ''; + }; + + logoutHup = mkOption { + type = types.bool; + default = false; + description = '' + Kill remaining processes after logout by sending a SIGHUP. + ''; + }; + + logoutTerm = mkOption { + type = types.bool; + default = false; + description = '' + Kill remaining processes after logout by sending a SIGTERM. + ''; + }; + + logoutKill = mkOption { + type = types.bool; + default = false; + description = '' + Kill remaining processes after logout by sending a SIGKILL. + ''; + }; + + createMountPoints = mkOption { + type = types.bool; + default = true; + description = '' + Create mountpoints for volumes if they do not exist. + ''; + }; + + removeCreatedMountPoints = mkOption { + type = types.bool; + default = true; + description = '' + Remove mountpoints created by pam_mount after logout. This + only affects mountpoints that have been created by pam_mount + in the same session. + ''; + }; }; }; @@ -77,21 +150,20 @@ in <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd"> <!-- auto generated from Nixos: modules/config/users-groups.nix --> <pam_mount> - <debug enable="0" /> - + <debug enable="${toString cfg.debugLevel}" /> <!-- if activated, requires ofl from hxtools to be present --> - <logout wait="0" hup="no" term="no" kill="no" /> + <logout wait="${toString cfg.logoutWait}" hup="${if cfg.logoutHup then "yes" else "no"}" term="${if cfg.logoutTerm then "yes" else "no"}" kill="${if cfg.logoutKill then "yes" else "no"}" /> <!-- set PATH variable for pam_mount module --> <path>${makeBinPath ([ pkgs.util-linux ] ++ cfg.additionalSearchPaths)}</path> <!-- create mount point if not present --> - <mkmountpoint enable="1" remove="true" /> - + <mkmountpoint enable="${if cfg.createMountPoints then "1" else "0"}" remove="${if cfg.removeCreatedMountPoints then "true" else "false"}" /> <!-- specify the binaries to be called --> <fusemount>${pkgs.fuse}/bin/mount.fuse %(VOLUME) %(MNTPT) -o ${concatStringsSep "," (cfg.fuseMountOptions ++ [ "%(OPTIONS)" ])}</fusemount> + <fuseumount>${pkgs.fuse}/bin/fusermount -u %(MNTPT)</fuseumount> <cryptmount>${pkgs.pam_mount}/bin/mount.crypt %(VOLUME) %(MNTPT)</cryptmount> <cryptumount>${pkgs.pam_mount}/bin/umount.crypt %(MNTPT)</cryptumount> <pmvarrun>${pkgs.pam_mount}/bin/pmvarrun -u %(USER) -o %(OPERATION)</pmvarrun> - + ${optionalString oflRequired "<ofl>${fake_ofl}/bin/fake_ofl %(SIGNAL) %(MNTPT)</ofl>"} ${concatStrings (map userVolumeEntry (attrValues extraUserVolumes))} ${concatStringsSep "\n" cfg.extraVolumes} </pam_mount> diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index 99e578f8ada..4bf239fca8f 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -245,7 +245,7 @@ in environment.systemPackages = [ sudo ]; - security.pam.services.sudo = { sshAgentAuth = true; }; + security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; }; environment.etc.sudoers = { source = diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix index 61448af2d33..8257eeb673b 100644 --- a/nixos/modules/services/hardware/udev.nix +++ b/nixos/modules/services/hardware/udev.nix @@ -23,17 +23,16 @@ let nixosRules = '' # Miscellaneous devices. KERNEL=="kvm", MODE="0666" - KERNEL=="kqemu", MODE="0666" # Needed for gpm. SUBSYSTEM=="input", KERNEL=="mice", TAG+="systemd" ''; # Perform substitutions in all udev rules files. - udevRules = pkgs.runCommand "udev-rules" + udevRulesFor = { name, udevPackages, udevPath, udev, systemd, binPackages, initrdBin ? null }: pkgs.runCommand name { preferLocalBuild = true; allowSubstitutes = false; - packages = unique (map toString cfg.packages); + packages = unique (map toString udevPackages); } '' mkdir -p $out @@ -61,6 +60,9 @@ let --replace \"/bin/mount \"${pkgs.util-linux}/bin/mount \ --replace /usr/bin/readlink ${pkgs.coreutils}/bin/readlink \ --replace /usr/bin/basename ${pkgs.coreutils}/bin/basename + ${optionalString (initrdBin != null) '' + substituteInPlace $i --replace '/run/current-system/systemd' "${removeSuffix "/bin" initrdBin}" + ''} done echo -n "Checking that all programs called by relative paths in udev rules exist in ${udev}/lib/udev... " @@ -85,8 +87,9 @@ let for i in $import_progs $run_progs; do # if the path refers to /run/current-system/systemd, replace with config.systemd.package if [[ $i == /run/current-system/systemd* ]]; then - i="${config.systemd.package}/''${i#/run/current-system/systemd/}" + i="${systemd}/''${i#/run/current-system/systemd/}" fi + if [[ ! -x $i ]]; then echo "FAIL" echo "$i is called in udev rules but is not executable or does not exist" @@ -103,7 +106,7 @@ let echo "Consider fixing the following udev rules:" echo "$filesToFixup" | while read localFile; do remoteFile="origin unknown" - for i in ${toString cfg.packages}; do + for i in ${toString binPackages}; do for j in "$i"/*/udev/rules.d/*; do [ -e "$out/$(basename "$j")" ] || continue [ "$(basename "$j")" = "$(basename "$localFile")" ] || continue @@ -126,7 +129,7 @@ let ${optionalString (!config.boot.hardwareScan) '' ln -s /dev/null $out/80-drivers.rules ''} - ''; # */ + ''; hwdbBin = pkgs.runCommand "hwdb.bin" { preferLocalBuild = true; @@ -202,20 +205,6 @@ in ''; }; - initrdRules = mkOption { - default = ""; - example = '' - SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1D:60:B9:6D:4F", KERNEL=="eth*", NAME="my_fast_network_card" - ''; - type = types.lines; - description = '' - <command>udev</command> rules to include in the initrd - <emphasis>only</emphasis>. They'll be written into file - <filename>99-local.rules</filename>. Thus they are read and applied - after the essential initrd rules. - ''; - }; - extraRules = mkOption { default = ""; example = '' @@ -283,6 +272,52 @@ in ''; }; + boot.initrd.services.udev = { + + packages = mkOption { + type = types.listOf types.path; + default = []; + visible = false; + description = '' + <emphasis>This will only be used when systemd is used in stage 1.</emphasis> + + List of packages containing <command>udev</command> rules that will be copied to stage 1. + All files found in + <filename><replaceable>pkg</replaceable>/etc/udev/rules.d</filename> and + <filename><replaceable>pkg</replaceable>/lib/udev/rules.d</filename> + will be included. + ''; + }; + + binPackages = mkOption { + type = types.listOf types.path; + default = []; + visible = false; + description = '' + <emphasis>This will only be used when systemd is used in stage 1.</emphasis> + + Packages to search for binaries that are referenced by the udev rules in stage 1. + This list always contains /bin of the initrd. + ''; + apply = map getBin; + }; + + rules = mkOption { + default = ""; + example = '' + SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1D:60:B9:6D:4F", KERNEL=="eth*", NAME="my_fast_network_card" + ''; + type = types.lines; + description = '' + <command>udev</command> rules to include in the initrd + <emphasis>only</emphasis>. They'll be written into file + <filename>99-local.rules</filename>. Thus they are read and applied + after the essential initrd rules. + ''; + }; + + }; + }; @@ -298,16 +333,54 @@ in boot.kernelParams = mkIf (!config.networking.usePredictableInterfaceNames) [ "net.ifnames=0" ]; - boot.initrd.extraUdevRulesCommands = optionalString (cfg.initrdRules != "") + boot.initrd.extraUdevRulesCommands = optionalString (!config.boot.initrd.systemd.enable && config.boot.initrd.services.udev.rules != "") '' cat <<'EOF' > $out/99-local.rules - ${cfg.initrdRules} + ${config.boot.initrd.services.udev.rules} EOF ''; + boot.initrd.systemd.additionalUpstreamUnits = [ + # TODO: "initrd-udevadm-cleanup-db.service" is commented out because of https://github.com/systemd/systemd/issues/12953 + "systemd-udevd-control.socket" + "systemd-udevd-kernel.socket" + "systemd-udevd.service" + "systemd-udev-settle.service" + "systemd-udev-trigger.service" + ]; + boot.initrd.systemd.storePaths = [ + "${config.boot.initrd.systemd.package}/lib/systemd/systemd-udevd" + "${config.boot.initrd.systemd.package}/lib/udev" + ] ++ map (x: "${x}/bin") config.boot.initrd.services.udev.binPackages; + + # Generate the udev rules for the initrd + boot.initrd.systemd.contents = { + "/etc/udev/rules.d".source = udevRulesFor { + name = "initrd-udev-rules"; + initrdBin = config.boot.initrd.systemd.contents."/bin".source; + udevPackages = config.boot.initrd.services.udev.packages; + udevPath = config.boot.initrd.systemd.contents."/bin".source; + udev = config.boot.initrd.systemd.package; + systemd = config.boot.initrd.systemd.package; + binPackages = config.boot.initrd.services.udev.binPackages ++ [ config.boot.initrd.systemd.contents."/bin".source ]; + }; + }; + # Insert custom rules + boot.initrd.services.udev.packages = mkIf (config.boot.initrd.services.udev.rules != "") (pkgs.writeTextFile { + name = "initrd-udev-rules"; + destination = "/etc/udev/rules.d/99-local.rules"; + text = config.boot.initrd.services.udev.rules; + }); + environment.etc = { - "udev/rules.d".source = udevRules; + "udev/rules.d".source = udevRulesFor { + name = "udev-rules"; + udevPackages = cfg.packages; + systemd = config.systemd.package; + binPackages = cfg.packages; + inherit udevPath udev; + }; "udev/hwdb.bin".source = hwdbBin; }; @@ -338,4 +411,8 @@ in }; }; + + imports = [ + (mkRenamedOptionModule [ "services" "udev" "initrdRules" ] [ "boot" "initrd" "services" "udev" "rules" ]) + ]; } diff --git a/nixos/modules/services/hardware/udisks2.nix b/nixos/modules/services/hardware/udisks2.nix index 6be23f39754..ea552ce867e 100644 --- a/nixos/modules/services/hardware/udisks2.nix +++ b/nixos/modules/services/hardware/udisks2.nix @@ -4,6 +4,13 @@ with lib; +let + settingsFormat = pkgs.formats.ini { + listToValue = concatMapStringsSep "," (generators.mkValueStringDefault {}); + }; + configFiles = mapAttrs (name: value: (settingsFormat.generate name value)) (mapAttrs' (name: value: nameValuePair name value ) config.services.udisks2.settings); +in + { ###### interface @@ -21,6 +28,36 @@ with lib; ''; }; + settings = mkOption rec { + type = types.attrsOf settingsFormat.type; + apply = recursiveUpdate default; + default = { + "udisks2.conf" = { + udisks2 = { + modules = [ "*" ]; + modules_load_preference = "ondemand"; + }; + defaults = { + encryption = "luks2"; + }; + }; + }; + example = literalExpression '' + { + "WDC-WD10EZEX-60M2NA0-WD-WCC3F3SJ0698.conf" = { + ATA = { + StandbyTimeout = 50; + }; + }; + }; + ''; + description = '' + Options passed to udisksd. + See <link xlink:href="http://manpages.ubuntu.com/manpages/latest/en/man5/udisks2.conf.5.html">here</link> and + drive configuration in <link xlink:href="http://manpages.ubuntu.com/manpages/latest/en/man8/udisks.8.html">here</link> for supported options. + ''; + }; + }; }; @@ -32,6 +69,8 @@ with lib; environment.systemPackages = [ pkgs.udisks2 ]; + environment.etc = mapAttrs' (name: value: nameValuePair "udisks2/${name}" { source = value; } ) configFiles; + security.polkit.enable = true; services.dbus.packages = [ pkgs.udisks2 ]; diff --git a/nixos/modules/services/logging/klogd.nix b/nixos/modules/services/logging/klogd.nix index 8d371c161eb..1de0e58abbb 100644 --- a/nixos/modules/services/logging/klogd.nix +++ b/nixos/modules/services/logging/klogd.nix @@ -1,38 +1,9 @@ -{ config, lib, pkgs, ... }: - -with lib; +{ lib, ... }: { - ###### interface - - options = { - - services.klogd.enable = mkOption { - type = types.bool; - default = versionOlder (getVersion config.boot.kernelPackages.kernel) "3.5"; - defaultText = literalExpression ''versionOlder (getVersion config.boot.kernelPackages.kernel) "3.5"''; - description = '' - Whether to enable klogd, the kernel log message processing - daemon. Since systemd handles logging of kernel messages on - Linux 3.5 and later, this is only useful if you're running an - older kernel. - ''; - }; - - }; - - - ###### implementation - - config = mkIf config.services.klogd.enable { - systemd.services.klogd = { - description = "Kernel Log Daemon"; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.sysklogd ]; - unitConfig.ConditionVirtualization = "!systemd-nspawn"; - script = - "klogd -c 1 -2 -n " + - "-k $(dirname $(readlink -f /run/booted-system/kernel))/System.map"; - }; - }; + imports = [ + (lib.mkRemovedOptionModule [ "security" "klogd" "enable" ] '' + Logging of kernel messages is now handled by systemd. + '') + ]; } diff --git a/nixos/modules/services/mail/mailman.nix b/nixos/modules/services/mail/mailman.nix index 0c9b38b44b2..b7e1110f1cd 100644 --- a/nixos/modules/services/mail/mailman.nix +++ b/nixos/modules/services/mail/mailman.nix @@ -192,7 +192,6 @@ in { log_dir = "/var/log/mailman"; lock_dir = "$var_dir/lock"; etc_dir = "/etc"; - ext_dir = "$etc_dir/mailman.d"; pid_file = "/run/mailman/master.pid"; }; @@ -225,7 +224,14 @@ in { See <https://mailman.readthedocs.io/en/latest/src/mailman/docs/mta.html>. ''; }; - in (lib.optionals cfg.enablePostfix [ + in [ + { assertion = cfg.webHosts != []; + message = '' + services.mailman.serve.enable requires there to be at least one entry + in services.mailman.webHosts. + ''; + } + ] ++ (lib.optionals cfg.enablePostfix [ { assertion = postfix.enable; message = '' Mailman's default NixOS configuration requires Postfix to be enabled. @@ -275,15 +281,14 @@ in { globals().update(json.load(f)) ''; - services.nginx = mkIf cfg.serve.enable { + services.nginx = mkIf (cfg.serve.enable && cfg.webHosts != []) { enable = mkDefault true; - virtualHosts."${lib.head cfg.webHosts}" = { - serverAliases = cfg.webHosts; + virtualHosts = lib.genAttrs cfg.webHosts (webHost: { locations = { "/".extraConfig = "uwsgi_pass unix:/run/mailman-web.socket;"; "/static/".alias = webSettings.STATIC_ROOT + "/"; }; - }; + }); }; environment.systemPackages = [ (pkgs.buildEnv { diff --git a/nixos/modules/services/misc/ethminer.nix b/nixos/modules/services/misc/ethminer.nix index 253476d1a23..22363466982 100644 --- a/nixos/modules/services/misc/ethminer.nix +++ b/nixos/modules/services/misc/ethminer.nix @@ -85,7 +85,7 @@ in config = mkIf cfg.enable { systemd.services.ethminer = { - path = optional (cfg.toolkit == "cuda") [ pkgs.cudatoolkit ]; + path = optional (cfg.toolkit == "cuda") [ pkgs.cudaPackages.cudatoolkit ]; description = "ethminer ethereum mining service"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; diff --git a/nixos/modules/services/misc/paperless-ng.nix b/nixos/modules/services/misc/paperless.nix index 881fa93c04e..bfaf842fb46 100644 --- a/nixos/modules/services/misc/paperless-ng.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -2,11 +2,13 @@ with lib; let - cfg = config.services.paperless-ng; + cfg = config.services.paperless; defaultUser = "paperless"; - hasCustomRedis = hasAttr "PAPERLESS_REDIS" cfg.extraConfig; + # Don't start a redis instance if the user sets a custom redis connection + enableRedis = !hasAttr "PAPERLESS_REDIS" cfg.extraConfig; + redisServer = config.services.redis.servers.paperless; env = { PAPERLESS_DATA_DIR = cfg.dataDir; @@ -15,15 +17,15 @@ let GUNICORN_CMD_ARGS = "--bind=${cfg.address}:${toString cfg.port}"; } // ( lib.mapAttrs (_: toString) cfg.extraConfig - ) // (optionalAttrs (!hasCustomRedis) { - PAPERLESS_REDIS = "unix://${config.services.redis.servers.paperless-ng.unixSocket}"; + ) // (optionalAttrs enableRedis { + PAPERLESS_REDIS = "unix://${redisServer.unixSocket}"; }); manage = let setupEnv = lib.concatStringsSep "\n" (mapAttrsToList (name: val: "export ${name}=\"${val}\"") env); in pkgs.writeShellScript "manage" '' ${setupEnv} - exec ${cfg.package}/bin/paperless-ng "$@" + exec ${cfg.package}/bin/paperless-ngx "$@" ''; # Secure the services @@ -36,7 +38,7 @@ let "-/etc/hosts" "-/etc/localtime" "-/run/postgresql" - ] ++ (optional (!hasCustomRedis) config.services.redis.servers.paperless-ng.unixSocket); + ] ++ (optional enableRedis redisServer.unixSocket); BindPaths = [ cfg.consumptionDir cfg.dataDir @@ -53,7 +55,6 @@ let PrivateNetwork = true; PrivateTmp = true; PrivateUsers = true; - ProcSubset = "pid"; ProtectClock = true; # Breaks if the home dir of the user is in /home # Also does not add much value in combination with the TemporaryFileSystem. @@ -66,11 +67,15 @@ let ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; + # Don't restrict ProcSubset because django-q requires read access to /proc/stat + # to query CPU and memory information. + # Note that /proc only contains processes of user `paperless`, so this is safe. + # ProcSubset = "pid"; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; - SupplementaryGroups = optional (!hasCustomRedis) config.services.redis.servers.paperless-ng.user; + SupplementaryGroups = optional enableRedis redisServer.user; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ]; # Does not work well with the temporary root @@ -81,26 +86,22 @@ in meta.maintainers = with maintainers; [ earvstedt Flakebi ]; imports = [ - (mkRemovedOptionModule [ "services" "paperless"] '' - The paperless module has been removed as the upstream project died. - Users should migrate to the paperless-ng module (services.paperless-ng). - More information can be found in the NixOS 21.11 release notes. - '') + (mkRenamedOptionModule [ "services" "paperless-ng" ] [ "services" "paperless" ]) ]; - options.services.paperless-ng = { + options.services.paperless = { enable = mkOption { type = lib.types.bool; default = false; description = '' - Enable Paperless-ng. + Enable Paperless. When started, the Paperless database is automatically created if it doesn't exist and updated if the Paperless package has changed. Both tasks are achieved by running a Django migration. A script to manage the Paperless instance (by wrapping Django's manage.py) is linked to - <literal>''${dataDir}/paperless-ng-manage</literal>. + <literal>''${dataDir}/paperless-manage</literal>. ''; }; @@ -133,13 +134,13 @@ in passwordFile = mkOption { type = types.nullOr types.path; default = null; - example = "/run/keys/paperless-ng-password"; + example = "/run/keys/paperless-password"; description = '' A file containing the superuser password. A superuser is required to access the web interface. If unset, you can create a superuser manually by running - <literal>''${dataDir}/paperless-ng-manage createsuperuser</literal>. + <literal>''${dataDir}/paperless-manage createsuperuser</literal>. The default superuser name is <literal>admin</literal>. To change it, set option <option>extraConfig.PAPERLESS_ADMIN_USER</option>. @@ -168,9 +169,9 @@ in type = types.attrs; default = {}; description = '' - Extra paperless-ng config options. + Extra paperless config options. - See <link xlink:href="https://paperless-ng.readthedocs.io/en/latest/configuration.html">the documentation</link> + See <link xlink:href="https://paperless-ngx.readthedocs.io/en/latest/configuration.html">the documentation</link> for available options. ''; example = literalExpression '' @@ -188,15 +189,14 @@ in package = mkOption { type = types.package; - default = pkgs.paperless-ng; - defaultText = literalExpression "pkgs.paperless-ng"; + default = pkgs.paperless-ngx; + defaultText = literalExpression "pkgs.paperless-ngx"; description = "The Paperless package to use."; }; }; config = mkIf cfg.enable { - # Enable redis if no special url is set - services.redis.servers.paperless-ng.enable = mkIf (!hasCustomRedis) true; + services.redis.servers.paperless.enable = mkIf enableRedis true; systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" @@ -208,11 +208,11 @@ in ) ]; - systemd.services.paperless-ng-server = { - description = "Paperless document server"; + systemd.services.paperless-scheduler = { + description = "Paperless scheduler"; serviceConfig = defaultServiceConfig // { User = cfg.user; - ExecStart = "${cfg.package}/bin/paperless-ng qcluster"; + ExecStart = "${cfg.package}/bin/paperless-ngx qcluster"; Restart = "on-failure"; # The `mbind` syscall is needed for running the classifier. SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "mbind" ]; @@ -221,15 +221,15 @@ in }; environment = env; wantedBy = [ "multi-user.target" ]; - wants = [ "paperless-ng-consumer.service" "paperless-ng-web.service" ]; + wants = [ "paperless-consumer.service" "paperless-web.service" ]; preStart = '' - ln -sf ${manage} ${cfg.dataDir}/paperless-ng-manage + ln -sf ${manage} ${cfg.dataDir}/paperless-manage # Auto-migrate on first run or if the package has changed versionFile="${cfg.dataDir}/src-version" if [[ $(cat "$versionFile" 2>/dev/null) != ${cfg.package} ]]; then - ${cfg.package}/bin/paperless-ng migrate + ${cfg.package}/bin/paperless-ngx migrate echo ${cfg.package} > "$versionFile" fi '' @@ -240,20 +240,18 @@ in superuserStateFile="${cfg.dataDir}/superuser-state" if [[ $(cat "$superuserStateFile" 2>/dev/null) != $superuserState ]]; then - ${cfg.package}/bin/paperless-ng manage_superuser + ${cfg.package}/bin/paperless-ngx manage_superuser echo "$superuserState" > "$superuserStateFile" fi ''; - } // optionalAttrs (!hasCustomRedis) { - after = [ "redis-paperless-ng.service" ]; + } // optionalAttrs enableRedis { + after = [ "redis-paperless.service" ]; }; - # Password copying can't be implemented as a privileged preStart script - # in 'paperless-ng-server' because 'defaultServiceConfig' limits the filesystem - # paths accessible by the service. - systemd.services.paperless-ng-copy-password = mkIf (cfg.passwordFile != null) { - requiredBy = [ "paperless-ng-server.service" ]; - before = [ "paperless-ng-server.service" ]; + # Reading the user-provided password file requires root access + systemd.services.paperless-copy-password = mkIf (cfg.passwordFile != null) { + requiredBy = [ "paperless-scheduler.service" ]; + before = [ "paperless-scheduler.service" ]; serviceConfig = { ExecStart = '' ${pkgs.coreutils}/bin/install --mode 600 --owner '${cfg.user}' --compare \ @@ -263,27 +261,27 @@ in }; }; - systemd.services.paperless-ng-consumer = { + systemd.services.paperless-consumer = { description = "Paperless document consumer"; serviceConfig = defaultServiceConfig // { User = cfg.user; - ExecStart = "${cfg.package}/bin/paperless-ng document_consumer"; + ExecStart = "${cfg.package}/bin/paperless-ngx document_consumer"; Restart = "on-failure"; }; environment = env; - # Bind to `paperless-ng-server` so that the consumer never runs + # Bind to `paperless-scheduler` so that the consumer never runs # during migrations - bindsTo = [ "paperless-ng-server.service" ]; - after = [ "paperless-ng-server.service" ]; + bindsTo = [ "paperless-scheduler.service" ]; + after = [ "paperless-scheduler.service" ]; }; - systemd.services.paperless-ng-web = { + systemd.services.paperless-web = { description = "Paperless web server"; serviceConfig = defaultServiceConfig // { User = cfg.user; ExecStart = '' ${pkgs.python3Packages.gunicorn}/bin/gunicorn \ - -c ${cfg.package}/lib/paperless-ng/gunicorn.conf.py paperless.asgi:application + -c ${cfg.package}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application ''; Restart = "on-failure"; @@ -296,15 +294,15 @@ in }; environment = env // { PATH = mkForce cfg.package.path; - PYTHONPATH = "${cfg.package.pythonPath}:${cfg.package}/lib/paperless-ng/src"; + PYTHONPATH = "${cfg.package.pythonPath}:${cfg.package}/lib/paperless-ngx/src"; }; # Allow the web interface to access the private /tmp directory of the server. # This is required to support uploading files via the web interface. - unitConfig.JoinsNamespaceOf = "paperless-ng-server.service"; - # Bind to `paperless-ng-server` so that the web server never runs + unitConfig.JoinsNamespaceOf = "paperless-scheduler.service"; + # Bind to `paperless-scheduler` so that the web server never runs # during migrations - bindsTo = [ "paperless-ng-server.service" ]; - after = [ "paperless-ng-server.service" ]; + bindsTo = [ "paperless-scheduler.service" ]; + after = [ "paperless-scheduler.service" ]; }; users = optionalAttrs (cfg.user == defaultUser) { diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index f563861b61c..52525e8935b 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -74,7 +74,6 @@ let }" "--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}" "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}" - "--alertmanager.timeout=${toString cfg.alertmanagerTimeout}s" ] ++ optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}" ++ optional (cfg.retentionTime != null) "--storage.tsdb.retention.time=${cfg.retentionTime}"; @@ -1563,6 +1562,8 @@ in (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) (mkRemovedOptionModule [ "services" "prometheus" "environmentFile" ] "It has been removed since it was causing issues (https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files, i.e. `basic_auth.password_file` and `authorization.credentials_file`.") + (mkRemovedOptionModule [ "services" "prometheus" "alertmanagerTimeout" ] + "Deprecated upstream and no longer had any effect") ]; options.services.prometheus = { @@ -1719,14 +1720,6 @@ in ''; }; - alertmanagerTimeout = mkOption { - type = types.int; - default = 10; - description = '' - Alert manager HTTP API timeout (in seconds). - ''; - }; - webExternalUrl = mkOption { type = types.nullOr types.str; default = null; diff --git a/nixos/modules/services/networking/mozillavpn.nix b/nixos/modules/services/networking/mozillavpn.nix new file mode 100644 index 00000000000..e35ba65314e --- /dev/null +++ b/nixos/modules/services/networking/mozillavpn.nix @@ -0,0 +1,19 @@ +{ config, lib, pkgs, ... }: + +{ + options.services.mozillavpn.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable the Mozilla VPN daemon. + ''; + }; + + config = lib.mkIf config.services.mozillavpn.enable { + environment.systemPackages = [ pkgs.mozillavpn ]; + services.dbus.packages = [ pkgs.mozillavpn ]; + systemd.packages = [ pkgs.mozillavpn ]; + }; + + meta.maintainers = with lib.maintainers; [ andersk ]; +} diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 7a9d9e5428a..242afd548df 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -5,18 +5,6 @@ with lib; let cfg = config.networking.networkmanager; - basePackages = with pkgs; [ - modemmanager - networkmanager - networkmanager-fortisslvpn - networkmanager-iodine - networkmanager-l2tp - networkmanager-openconnect - networkmanager-openvpn - networkmanager-vpnc - networkmanager-sstp - ] ++ optional (!delegateWireless && !enableIwd) wpa_supplicant; - delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != []; enableIwd = cfg.wifi.backend == "iwd"; @@ -145,6 +133,15 @@ let ''; }; + packages = [ + pkgs.modemmanager + pkgs.networkmanager + ] + ++ cfg.plugins + ++ lib.optionals (!delegateWireless && !enableIwd) [ + pkgs.wpa_supplicant + ]; + in { meta = { @@ -227,17 +224,33 @@ in { ''; }; - packages = mkOption { - type = types.listOf types.package; + plugins = mkOption { + type = + let + networkManagerPluginPackage = types.package // { + description = "NetworkManager plug-in"; + check = + p: + lib.assertMsg + (types.package.check p + && p ? networkManagerPlugin + && lib.isString p.networkManagerPlugin) + '' + Package ‘${p.name}’, is not a NetworkManager plug-in. + Those need to have a ‘networkManagerPlugin’ attribute. + ''; + }; + in + types.listOf networkManagerPluginPackage; default = [ ]; description = '' - Extra packages that provide NetworkManager plugins. + List of NetworkManager plug-ins to enable. + Some plug-ins are enabled by the NetworkManager module by default. ''; - apply = list: basePackages ++ list; }; dhcp = mkOption { - type = types.enum [ "dhclient" "dhcpcd" "internal" ]; + type = types.enum [ "dhcpcd" "internal" ]; default = "internal"; description = '' Which program (or internal library) should be used for DHCP. @@ -380,7 +393,7 @@ in { </para><para> If you enable this option the <literal>networkmanager_strongswan</literal> plugin will be added to - the <option>networking.networkmanager.packages</option> option + the <option>networking.networkmanager.plugins</option> option so you don't need to to that yourself. ''; }; @@ -399,6 +412,9 @@ in { }; imports = [ + (mkRenamedOptionModule + [ "networking" "networkmanager" "packages" ] + [ "networking" "networkmanager" "plugins" ]) (mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ]) (mkRemovedOptionModule ["networking" "networkmanager" "dynamicHosts"] '' This option was removed because allowing (multiple) regular users to @@ -426,31 +442,12 @@ in { hardware.wirelessRegulatoryDatabase = true; - environment.etc = with pkgs; { - "NetworkManager/NetworkManager.conf".source = configFile; - - "NetworkManager/VPN/nm-openvpn-service.name".source = - "${networkmanager-openvpn}/lib/NetworkManager/VPN/nm-openvpn-service.name"; - - "NetworkManager/VPN/nm-vpnc-service.name".source = - "${networkmanager-vpnc}/lib/NetworkManager/VPN/nm-vpnc-service.name"; - - "NetworkManager/VPN/nm-openconnect-service.name".source = - "${networkmanager-openconnect}/lib/NetworkManager/VPN/nm-openconnect-service.name"; - - "NetworkManager/VPN/nm-fortisslvpn-service.name".source = - "${networkmanager-fortisslvpn}/lib/NetworkManager/VPN/nm-fortisslvpn-service.name"; - - "NetworkManager/VPN/nm-l2tp-service.name".source = - "${networkmanager-l2tp}/lib/NetworkManager/VPN/nm-l2tp-service.name"; - - "NetworkManager/VPN/nm-iodine-service.name".source = - "${networkmanager-iodine}/lib/NetworkManager/VPN/nm-iodine-service.name"; - - "NetworkManager/VPN/nm-sstp-service.name".source = - "${networkmanager-sstp}/lib/NetworkManager/VPN/nm-sstp-service.name"; - + environment.etc = { + "NetworkManager/NetworkManager.conf".source = configFile; } + // builtins.listToAttrs (map (pkg: nameValuePair "NetworkManager/${pkg.networkManagerPlugin}" { + source = "${pkg}/lib/NetworkManager/${pkg.networkManagerPlugin}"; + }) cfg.plugins) // optionalAttrs cfg.enableFccUnlock { "ModemManager/fcc-unlock.d".source = @@ -460,18 +457,13 @@ in { { "NetworkManager/dispatcher.d/02overridedns".source = overrideNameserversScript; } - // optionalAttrs cfg.enableStrongSwan - { - "NetworkManager/VPN/nm-strongswan-service.name".source = - "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name"; - } // listToAttrs (lib.imap1 (i: s: { name = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}"; value = { mode = "0544"; inherit (s) source; }; }) cfg.dispatcherScripts); - environment.systemPackages = cfg.packages; + environment.systemPackages = packages; users.groups = { networkmanager.gid = config.ids.gids.networkmanager; @@ -490,14 +482,13 @@ in { }; }; - systemd.packages = cfg.packages; + systemd.packages = packages; systemd.tmpfiles.rules = [ "d /etc/NetworkManager/system-connections 0700 root root -" "d /etc/ipsec.d 0700 root root -" "d /var/lib/NetworkManager-fortisslvpn 0700 root root -" - "d /var/lib/dhclient 0755 root root -" "d /var/lib/misc 0755 root root -" # for dnsmasq.leases ]; @@ -534,8 +525,20 @@ in { useDHCP = false; }) + { + networkmanager.plugins = with pkgs; [ + networkmanager-fortisslvpn + networkmanager-iodine + networkmanager-l2tp + networkmanager-openconnect + networkmanager-openvpn + networkmanager-vpnc + networkmanager-sstp + ]; + } + (mkIf cfg.enableStrongSwan { - networkmanager.packages = [ pkgs.networkmanager_strongswan ]; + networkmanager.plugins = [ pkgs.networkmanager_strongswan ]; }) (mkIf enableIwd { @@ -559,10 +562,10 @@ in { security.polkit.enable = true; security.polkit.extraConfig = polkitConf; - services.dbus.packages = cfg.packages + services.dbus.packages = packages ++ optional cfg.enableStrongSwan pkgs.strongswanNM ++ optional (cfg.dns == "dnsmasq") pkgs.dnsmasq; - services.udev.packages = cfg.packages; + services.udev.packages = packages; }; } diff --git a/nixos/modules/services/networking/openconnect.nix b/nixos/modules/services/networking/openconnect.nix new file mode 100644 index 00000000000..de4b505130e --- /dev/null +++ b/nixos/modules/services/networking/openconnect.nix @@ -0,0 +1,137 @@ +{ config, lib, options, pkgs, ... }: +with lib; +let + cfg = config.networking.openconnect; + openconnect = cfg.package; + pkcs11 = types.strMatching "pkcs11:.+" // { + name = "pkcs11"; + description = "PKCS#11 URI"; + }; + interfaceOptions = { + options = { + gateway = mkOption { + description = "Gateway server to connect to."; + example = "gateway.example.com"; + type = types.str; + }; + + protocol = mkOption { + description = "Protocol to use."; + example = "anyconnect"; + type = + types.enum [ "anyconnect" "array" "nc" "pulse" "gp" "f5" "fortinet" ]; + }; + + user = mkOption { + description = "Username to authenticate with."; + example = "example-user"; + type = types.nullOr types.str; + }; + + # Note: It does not make sense to provide a way to declaratively + # set an authentication cookie, because they have to be requested + # for every new connection and would only work once. + passwordFile = mkOption { + description = '' + File containing the password to authenticate with. This + is passed to <code>openconnect</code> via the + <code>--passwd-on-stdin</code> option. + ''; + default = null; + example = "/var/lib/secrets/openconnect-passwd"; + type = types.nullOr types.path; + }; + + certificate = mkOption { + description = "Certificate to authenticate with."; + default = null; + example = "/var/lib/secrets/openconnect_certificate.pem"; + type = with types; nullOr (either path pkcs11); + }; + + privateKey = mkOption { + description = "Private key to authenticate with."; + example = "/var/lib/secrets/openconnect_private_key.pem"; + default = null; + type = with types; nullOr (either path pkcs11); + }; + + extraOptions = mkOption { + description = '' + Extra config to be appended to the interface config. It should + contain long-format options as would be accepted on the command + line by <code>openconnect</code> + (see https://www.infradead.org/openconnect/manual.html). + Non-key-value options like <code>deflate</code> can be used by + declaring them as booleans, i. e. <code>deflate = true;</code>. + ''; + default = { }; + example = { + compression = "stateless"; + + no-http-keepalive = true; + no-dtls = true; + }; + type = with types; attrsOf (either str bool); + }; + }; + }; + generateExtraConfig = extra_cfg: + strings.concatStringsSep "\n" (attrsets.mapAttrsToList + (name: value: if (value == true) then name else "${name}=${value}") + (attrsets.filterAttrs (_: value: value != false) extra_cfg)); + generateConfig = name: icfg: + pkgs.writeText "config" '' + interface=${name} + ${optionalString (icfg.user != null) "user=${icfg.user}"} + ${optionalString (icfg.passwordFile != null) "passwd-on-stdin"} + ${optionalString (icfg.certificate != null) + "certificate=${icfg.certificate}"} + ${optionalString (icfg.privateKey != null) "sslkey=${icfg.privateKey}"} + + ${generateExtraConfig icfg.extraOptions} + ''; + generateUnit = name: icfg: { + description = "OpenConnect Interface - ${name}"; + requires = [ "network-online.target" ]; + after = [ "network.target" "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "simple"; + ExecStart = "${openconnect}/bin/openconnect --config=${ + generateConfig name icfg + } ${icfg.gateway}"; + StandardInput = "file:${icfg.passwordFile}"; + + ProtectHome = true; + }; + }; +in { + options.networking.openconnect = { + package = mkPackageOption pkgs "openconnect" { }; + + interfaces = mkOption { + description = "OpenConnect interfaces."; + default = { }; + example = { + openconnect0 = { + gateway = "gateway.example.com"; + protocol = "anyconnect"; + user = "example-user"; + passwordFile = "/var/lib/secrets/openconnect-passwd"; + }; + }; + type = with types; attrsOf (submodule interfaceOptions); + }; + }; + + config = { + systemd.services = mapAttrs' (name: value: { + name = "openconnect-${name}"; + value = generateUnit name value; + }) cfg.interfaces; + }; + + meta.maintainers = with maintainers; [ alyaeanyx ]; +} diff --git a/nixos/modules/services/web-apps/discourse.nix b/nixos/modules/services/web-apps/discourse.nix index 2c2911aada3..7dbbf4a12fe 100644 --- a/nixos/modules/services/web-apps/discourse.nix +++ b/nixos/modules/services/web-apps/discourse.nix @@ -609,6 +609,7 @@ in connection_reaper_interval = 30; relative_url_root = null; message_bus_max_backlog_size = 100; + message_bus_clear_every = 50; secret_key_base = cfg.secretKeyBaseFile; fallback_assets_path = null; @@ -655,7 +656,12 @@ in long_polling_interval = null; }; - services.redis.enable = lib.mkDefault (cfg.redis.host == "localhost"); + services.redis.servers.discourse = + lib.mkIf (lib.elem cfg.redis.host [ "localhost" "127.0.0.1" ]) { + enable = true; + bind = cfg.redis.host; + port = cfg.backendSettings.redis_port; + }; services.postgresql = lib.mkIf databaseActuallyCreateLocally { enable = true; @@ -696,12 +702,12 @@ in systemd.services.discourse = { wantedBy = [ "multi-user.target" ]; after = [ - "redis.service" + "redis-discourse.service" "postgresql.service" "discourse-postgresql.service" ]; bindsTo = [ - "redis.service" + "redis-discourse.service" ] ++ lib.optionals (cfg.database.host == null) [ "postgresql.service" "discourse-postgresql.service" diff --git a/nixos/modules/services/web-apps/nifi.nix b/nixos/modules/services/web-apps/nifi.nix new file mode 100644 index 00000000000..21a63127264 --- /dev/null +++ b/nixos/modules/services/web-apps/nifi.nix @@ -0,0 +1,318 @@ +{ lib, pkgs, config, options, ... }: + +let + cfg = config.services.nifi; + opt = options.services.nifi; + + env = { + NIFI_OVERRIDE_NIFIENV = "true"; + NIFI_HOME = "/var/lib/nifi"; + NIFI_PID_DIR = "/run/nifi"; + NIFI_LOG_DIR = "/var/log/nifi"; + }; + + envFile = pkgs.writeText "nifi.env" (lib.concatMapStrings (s: s + "\n") ( + (lib.concatLists (lib.mapAttrsToList (name: value: + if value != null then [ + "${name}=\"${toString value}\"" + ] else [] + ) env)))); + + nifiEnv = pkgs.writeShellScriptBin "nifi-env" '' + set -a + source "${envFile}" + eval -- "\$@" + ''; + +in { + options = { + services.nifi = { + enable = lib.mkEnableOption "Apache NiFi"; + + package = lib.mkOption { + type = lib.types.package; + default = pkgs.nifi; + defaultText = lib.literalExpression "pkgs.nifi"; + description = "Apache NiFi package to use."; + }; + + user = lib.mkOption { + type = lib.types.str; + default = "nifi"; + description = "User account where Apache NiFi runs."; + }; + + group = lib.mkOption { + type = lib.types.str; + default = "nifi"; + description = "Group account where Apache NiFi runs."; + }; + + enableHTTPS = lib.mkOption { + type = lib.types.bool; + default = true; + description = "Enable HTTPS protocol. Don`t use in production."; + }; + + listenHost = lib.mkOption { + type = lib.types.str; + default = if cfg.enableHTTPS then "0.0.0.0" else "127.0.0.1"; + defaultText = lib.literalExpression '' + if config.${opt.enableHTTPS} + then "0.0.0.0" + else "127.0.0.1" + ''; + description = "Bind to an ip for Apache NiFi web-ui."; + }; + + listenPort = lib.mkOption { + type = lib.types.int; + default = if cfg.enableHTTPS then 8443 else 8080; + defaultText = lib.literalExpression '' + if config.${opt.enableHTTPS} + then "8443" + else "8000" + ''; + description = "Bind to a port for Apache NiFi web-ui."; + }; + + proxyHost = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = if cfg.enableHTTPS then "0.0.0.0" else null; + defaultText = lib.literalExpression '' + if config.${opt.enableHTTPS} + then "0.0.0.0" + else null + ''; + description = "Allow requests from a specific host."; + }; + + proxyPort = lib.mkOption { + type = lib.types.nullOr lib.types.int; + default = if cfg.enableHTTPS then 8443 else null; + defaultText = lib.literalExpression '' + if config.${opt.enableHTTPS} + then "8443" + else null + ''; + description = "Allow requests from a specific port."; + }; + + initUser = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "Initial user account for Apache NiFi. Username must be at least 4 characters."; + }; + + initPasswordFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/run/keys/nifi/password-nifi"; + description = "nitial password for Apache NiFi. Password must be at least 12 characters."; + }; + + initJavaHeapSize = lib.mkOption { + type = lib.types.nullOr lib.types.int; + default = null; + example = 1024; + description = "Set the initial heap size for the JVM in MB."; + }; + + maxJavaHeapSize = lib.mkOption { + type = lib.types.nullOr lib.types.int; + default = null; + example = 2048; + description = "Set the initial heap size for the JVM in MB."; + }; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = [ + { assertion = cfg.initUser!=null || cfg.initPasswordFile==null; + message = '' + <option>services.nifi.initUser</option> needs to be set if <option>services.nifi.initPasswordFile</option> enabled. + ''; + } + { assertion = cfg.initUser==null || cfg.initPasswordFile!=null; + message = '' + <option>services.nifi.initPasswordFile</option> needs to be set if <option>services.nifi.initUser</option> enabled. + ''; + } + { assertion = cfg.proxyHost==null || cfg.proxyPort!=null; + message = '' + <option>services.nifi.proxyPort</option> needs to be set if <option>services.nifi.proxyHost</option> value specified. + ''; + } + { assertion = cfg.proxyHost!=null || cfg.proxyPort==null; + message = '' + <option>services.nifi.proxyHost</option> needs to be set if <option>services.nifi.proxyPort</option> value specified. + ''; + } + { assertion = cfg.initJavaHeapSize==null || cfg.maxJavaHeapSize!=null; + message = '' + <option>services.nifi.maxJavaHeapSize</option> needs to be set if <option>services.nifi.initJavaHeapSize</option> value specified. + ''; + } + { assertion = cfg.initJavaHeapSize!=null || cfg.maxJavaHeapSize==null; + message = '' + <option>services.nifi.initJavaHeapSize</option> needs to be set if <option>services.nifi.maxJavaHeapSize</option> value specified. + ''; + } + ]; + + warnings = lib.optional (cfg.enableHTTPS==false) '' + Please do not disable HTTPS mode in production. In this mode, access to the nifi is opened without authentication. + ''; + + systemd.tmpfiles.rules = [ + "d '/var/lib/nifi/conf' 0750 ${cfg.user} ${cfg.group}" + "L+ '/var/lib/nifi/lib' - - - - ${cfg.package}/lib" + ]; + + + systemd.services.nifi = { + description = "Apache NiFi"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + environment = env; + path = [ pkgs.gawk ]; + + serviceConfig = { + Type = "forking"; + PIDFile = "/run/nifi/nifi.pid"; + ExecStartPre = pkgs.writeScript "nifi-pre-start.sh" '' + #!/bin/sh + umask 077 + test -f '/var/lib/nifi/conf/authorizers.xml' || (cp '${cfg.package}/share/nifi/conf/authorizers.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/authorizers.xml') + test -f '/var/lib/nifi/conf/bootstrap.conf' || (cp '${cfg.package}/share/nifi/conf/bootstrap.conf' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/bootstrap.conf') + test -f '/var/lib/nifi/conf/bootstrap-hashicorp-vault.conf' || (cp '${cfg.package}/share/nifi/conf/bootstrap-hashicorp-vault.conf' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/bootstrap-hashicorp-vault.conf') + test -f '/var/lib/nifi/conf/bootstrap-notification-services.xml' || (cp '${cfg.package}/share/nifi/conf/bootstrap-notification-services.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/bootstrap-notification-services.xml') + test -f '/var/lib/nifi/conf/logback.xml' || (cp '${cfg.package}/share/nifi/conf/logback.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/logback.xml') + test -f '/var/lib/nifi/conf/login-identity-providers.xml' || (cp '${cfg.package}/share/nifi/conf/login-identity-providers.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/login-identity-providers.xml') + test -f '/var/lib/nifi/conf/nifi.properties' || (cp '${cfg.package}/share/nifi/conf/nifi.properties' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/nifi.properties') + test -f '/var/lib/nifi/conf/stateless-logback.xml' || (cp '${cfg.package}/share/nifi/conf/stateless-logback.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/stateless-logback.xml') + test -f '/var/lib/nifi/conf/stateless.properties' || (cp '${cfg.package}/share/nifi/conf/stateless.properties' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/stateless.properties') + test -f '/var/lib/nifi/conf/state-management.xml' || (cp '${cfg.package}/share/nifi/conf/state-management.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/state-management.xml') + test -f '/var/lib/nifi/conf/zookeeper.properties' || (cp '${cfg.package}/share/nifi/conf/zookeeper.properties' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/zookeeper.properties') + test -d '/var/lib/nifi/docs/html' || (mkdir -p /var/lib/nifi/docs && cp -r '${cfg.package}/share/nifi/docs/html' '/var/lib/nifi/docs/html') + ${lib.optionalString ((cfg.initUser != null) && (cfg.initPasswordFile != null)) '' + awk -F'[<|>]' '/property name="Username"/ {if ($3!="") f=1} END{exit !f}' /var/lib/nifi/conf/login-identity-providers.xml || ${cfg.package}/bin/nifi.sh set-single-user-credentials ${cfg.initUser} $(cat ${cfg.initPasswordFile}) + ''} + ${lib.optionalString (cfg.enableHTTPS == false) '' + sed -i /var/lib/nifi/conf/nifi.properties \ + -e 's|nifi.remote.input.secure=.*|nifi.remote.input.secure=false|g' \ + -e 's|nifi.web.http.host=.*|nifi.web.http.host=${cfg.listenHost}|g' \ + -e 's|nifi.web.http.port=.*|nifi.web.http.port=${(toString cfg.listenPort)}|g' \ + -e 's|nifi.web.https.host=.*|nifi.web.https.host=|g' \ + -e 's|nifi.web.https.port=.*|nifi.web.https.port=|g' \ + -e 's|nifi.security.keystore=.*|nifi.security.keystore=|g' \ + -e 's|nifi.security.keystoreType=.*|nifi.security.keystoreType=|g' \ + -e 's|nifi.security.truststore=.*|nifi.security.truststore=|g' \ + -e 's|nifi.security.truststoreType=.*|nifi.security.truststoreType=|g' \ + -e '/nifi.security.keystorePasswd/s|^|#|' \ + -e '/nifi.security.keyPasswd/s|^|#|' \ + -e '/nifi.security.truststorePasswd/s|^|#|' + ''} + ${lib.optionalString (cfg.enableHTTPS == true) '' + sed -i /var/lib/nifi/conf/nifi.properties \ + -e 's|nifi.remote.input.secure=.*|nifi.remote.input.secure=true|g' \ + -e 's|nifi.web.http.host=.*|nifi.web.http.host=|g' \ + -e 's|nifi.web.http.port=.*|nifi.web.http.port=|g' \ + -e 's|nifi.web.https.host=.*|nifi.web.https.host=${cfg.listenHost}|g' \ + -e 's|nifi.web.https.port=.*|nifi.web.https.port=${(toString cfg.listenPort)}|g' \ + -e 's|nifi.security.keystore=.*|nifi.security.keystore=./conf/keystore.p12|g' \ + -e 's|nifi.security.keystoreType=.*|nifi.security.keystoreType=PKCS12|g' \ + -e 's|nifi.security.truststore=.*|nifi.security.truststore=./conf/truststore.p12|g' \ + -e 's|nifi.security.truststoreType=.*|nifi.security.truststoreType=PKCS12|g' \ + -e '/nifi.security.keystorePasswd/s|^#\+||' \ + -e '/nifi.security.keyPasswd/s|^#\+||' \ + -e '/nifi.security.truststorePasswd/s|^#\+||' + ''} + ${lib.optionalString ((cfg.enableHTTPS == true) && (cfg.proxyHost != null) && (cfg.proxyPort != null)) '' + sed -i /var/lib/nifi/conf/nifi.properties \ + -e 's|nifi.web.proxy.host=.*|nifi.web.proxy.host=${cfg.proxyHost}:${(toString cfg.proxyPort)}|g' + ''} + ${lib.optionalString ((cfg.enableHTTPS == false) || (cfg.proxyHost == null) && (cfg.proxyPort == null)) '' + sed -i /var/lib/nifi/conf/nifi.properties \ + -e 's|nifi.web.proxy.host=.*|nifi.web.proxy.host=|g' + ''} + ${lib.optionalString ((cfg.initJavaHeapSize != null) && (cfg.maxJavaHeapSize != null))'' + sed -i /var/lib/nifi/conf/bootstrap.conf \ + -e 's|java.arg.2=.*|java.arg.2=-Xms${(toString cfg.initJavaHeapSize)}m|g' \ + -e 's|java.arg.3=.*|java.arg.3=-Xmx${(toString cfg.maxJavaHeapSize)}m|g' + ''} + ${lib.optionalString ((cfg.initJavaHeapSize == null) && (cfg.maxJavaHeapSize == null))'' + sed -i /var/lib/nifi/conf/bootstrap.conf \ + -e 's|java.arg.2=.*|java.arg.2=-Xms512m|g' \ + -e 's|java.arg.3=.*|java.arg.3=-Xmx512m|g' + ''} + ''; + ExecStart = "${cfg.package}/bin/nifi.sh start"; + ExecStop = "${cfg.package}/bin/nifi.sh stop"; + # User and group + User = cfg.user; + Group = cfg.group; + # Runtime directory and mode + RuntimeDirectory = "nifi"; + RuntimeDirectoryMode = "0750"; + # State directory and mode + StateDirectory = "nifi"; + StateDirectoryMode = "0750"; + # Logs directory and mode + LogsDirectory = "nifi"; + LogsDirectoryMode = "0750"; + # Proc filesystem + ProcSubset = "pid"; + ProtectProc = "invisible"; + # Access write directories + ReadWritePaths = [ cfg.initPasswordFile ]; + UMask = "0027"; + # Capabilities + CapabilityBoundingSet = ""; + # Security + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateIPC = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_INET AF_INET6" ]; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = false; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; + SystemCallFilter = [ "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @resources @privileged @setuid" "@chown" ]; + }; + }; + + users.users = lib.mkMerge [ + (lib.mkIf (cfg.user == "nifi") { + nifi = { + group = cfg.group; + isSystemUser = true; + home = cfg.package; + }; + }) + (lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package nifiEnv ]) + ]; + + users.groups = lib.optionalAttrs (cfg.group == "nifi") { + nifi = { }; + }; + }; +} diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 7caaf5611cc..0c2333399e8 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -255,20 +255,22 @@ let else defaultListen; listenString = { addr, port, ssl, extraParameters ? [], ... }: - "listen ${addr}:${toString port} " - + optionalString ssl "ssl " + (if ssl && vhost.http3 then " + # UDP listener for **QUIC+HTTP/3 + listen ${addr}:${toString port} http3 " + + optionalString vhost.default "default_server " + + optionalString vhost.reuseport "reuseport " + + optionalString (extraParameters != []) (concatStringsSep " " extraParameters) + + ";" else "") + + " + + listen ${addr}:${toString port} " + optionalString (ssl && vhost.http2) "http2 " + + optionalString ssl "ssl " + optionalString vhost.default "default_server " + + optionalString vhost.reuseport "reuseport " + optionalString (extraParameters != []) (concatStringsSep " " extraParameters) - + ";" - + (if ssl && vhost.http3 then '' - # UDP listener for **QUIC+HTTP/3 - listen ${addr}:${toString port} http3 reuseport; - # Advertise that HTTP/3 is available - add_header Alt-Svc 'h3=":443"'; - # Sent when QUIC was used - add_header QUIC-Status $quic; - '' else ""); + + ";"; redirectListen = filter (x: !x.ssl) defaultListen; @@ -321,6 +323,11 @@ let ssl_conf_command Options KTLS; ''} + ${optionalString (hasSSL && vhost.http3) '' + # Advertise that HTTP/3 is available + add_header Alt-Svc 'h3=":443"; ma=86400' always; + ''} + ${mkBasicAuth vhostName vhost} ${mkLocations vhost.locations} diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index c4e8285dc48..2c77d6ee816 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -20,7 +20,7 @@ with lib; serverAliases = mkOption { type = types.listOf types.str; default = []; - example = ["www.example.org" "example.org"]; + example = [ "www.example.org" "example.org" ]; description = '' Additional names of virtual hosts served by this virtual host configuration. ''; @@ -31,11 +31,11 @@ with lib; addr = mkOption { type = str; description = "IP address."; }; port = mkOption { type = int; description = "Port number."; default = 80; }; ssl = mkOption { type = bool; description = "Enable SSL."; default = false; }; - extraParameters = mkOption { type = listOf str; description = "Extra parameters of this listen directive."; default = []; example = [ "reuseport" "deferred" ]; }; + extraParameters = mkOption { type = listOf str; description = "Extra parameters of this listen directive."; default = []; example = [ "backlog=1024" "deferred" ]; }; }; }); default = []; example = [ - { addr = "195.154.1.1"; port = 443; ssl = true;} + { addr = "195.154.1.1"; port = 443; ssl = true; } { addr = "192.154.1.1"; port = 80; } ]; description = '' @@ -207,6 +207,15 @@ with lib; ''; }; + reuseport = mkOption { + type = types.bool; + default = false; + description = '' + Create an individual listening socket . + It is required to specify only once on one of the hosts. + ''; + }; + root = mkOption { type = types.nullOr types.path; default = null; diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix index d09c3cf8820..dd19d9cdff9 100644 --- a/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixos/modules/services/x11/desktop-managers/mate.nix @@ -4,17 +4,6 @@ with lib; let - addToXDGDirs = p: '' - if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then - export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name} - fi - - if [ -d "${p}/lib/girepository-1.0" ]; then - export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0 - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib - fi - ''; - xcfg = config.services.xserver; cfg = xcfg.desktopManager.mate; @@ -48,24 +37,8 @@ in pkgs.mate.mate-session-manager ]; - services.xserver.displayManager.sessionCommands = '' - if test "$XDG_CURRENT_DESKTOP" = "MATE"; then - export XDG_MENU_PREFIX=mate- - - # Let caja find extensions - export CAJA_EXTENSION_DIRS=$CAJA_EXTENSION_DIRS''${CAJA_EXTENSION_DIRS:+:}${config.system.path}/lib/caja/extensions-2.0 - - # Let caja extensions find gsettings schemas - ${concatMapStrings (p: '' - if [ -d "${p}/lib/caja/extensions-2.0" ]; then - ${addToXDGDirs p} - fi - '') config.environment.systemPackages} - - # Add mate-control-center paths to some XDG variables because its schemas are needed by mate-settings-daemon, and mate-settings-daemon is a dependency for mate-control-center (that is, they are mutually recursive) - ${addToXDGDirs pkgs.mate.mate-control-center} - fi - ''; + # Let caja find extensions + environment.sessionVariables.CAJA_EXTENSION_DIRS = [ "${config.system.path}/lib/caja/extensions-2.0" ]; # Let mate-panel find applets environment.sessionVariables."MATE_PANEL_APPLETS_DIR" = "${config.system.path}/share/mate-panel/applets"; @@ -83,7 +56,6 @@ in pkgs.gtk3.out pkgs.shared-mime-info pkgs.xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/ - pkgs.mate.mate-settings-daemon pkgs.yelp # for 'Contents' in 'Help' menus ]) config.environment.mate.excludePackages; diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix index b8aeee8c11b..df8db7f34d0 100644 --- a/nixos/modules/system/activation/top-level.nix +++ b/nixos/modules/system/activation/top-level.nix @@ -55,11 +55,15 @@ let substituteInPlace $out/dry-activate --subst-var out chmod u+x $out/activate $out/dry-activate unset activationScript dryActivationScript - ${pkgs.stdenv.shellDryRun} $out/activate - ${pkgs.stdenv.shellDryRun} $out/dry-activate - cp ${config.system.build.bootStage2} $out/init - substituteInPlace $out/init --subst-var-by systemConfig $out + ${if config.boot.initrd.systemd.enable then '' + cp ${config.system.build.bootStage2} $out/prepare-root + substituteInPlace $out/prepare-root --subst-var-by systemConfig $out + ln -s "$systemd/lib/systemd/systemd" $out/init + '' else '' + cp ${config.system.build.bootStage2} $out/init + substituteInPlace $out/init --subst-var-by systemConfig $out + ''} ln -s ${config.system.build.etc}/etc $out/etc ln -s ${config.system.path} $out/sw diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index 1e9f870b32f..d1a6f46bfc4 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -10,6 +10,36 @@ let check = { + global = { + sectionNetwork = checkUnitConfig "Network" [ + (assertOnlyFields [ + "SpeedMeter" + "SpeedMeterIntervalSec" + "ManageForeignRoutingPolicyRules" + "ManageForeignRoutes" + "RouteTable" + ]) + (assertValueOneOf "SpeedMeter" boolValues) + (assertInt "SpeedMeterIntervalSec") + (assertValueOneOf "ManageForeignRoutingPolicyRules" boolValues) + (assertValueOneOf "ManageForeignRoutes" boolValues) + ]; + + sectionDHCPv4 = checkUnitConfig "DHCPv4" [ + (assertOnlyFields [ + "DUIDType" + "DUIDRawData" + ]) + ]; + + sectionDHCPv6 = checkUnitConfig "DHCPv6" [ + (assertOnlyFields [ + "DUIDType" + "DUIDRawData" + ]) + ]; + }; + link = { sectionLink = checkUnitConfig "Link" [ @@ -871,6 +901,44 @@ let }; }; + networkdOptions = { + networkConfig = mkOption { + default = {}; + example = { SpeedMeter = true; ManageForeignRoutingPolicyRules = false; }; + type = types.addCheck (types.attrsOf unitOption) check.global.sectionNetwork; + description = '' + Each attribute in this set specifies an option in the + <literal>[Network]</literal> section of the networkd config. + See <citerefentry><refentrytitle>networkd.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for details. + ''; + }; + + dhcpV4Config = mkOption { + default = {}; + example = { DUIDType = "vendor"; }; + type = types.addCheck (types.attrsOf unitOption) check.global.sectionDHCPv4; + description = '' + Each attribute in this set specifies an option in the + <literal>[DHCPv4]</literal> section of the networkd config. + See <citerefentry><refentrytitle>networkd.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for details. + ''; + }; + + dhcpV6Config = mkOption { + default = {}; + example = { DUIDType = "vendor"; }; + type = types.addCheck (types.attrsOf unitOption) check.global.sectionDHCPv6; + description = '' + Each attribute in this set specifies an option in the + <literal>[DHCPv6]</literal> section of the networkd config. + See <citerefentry><refentrytitle>networkd.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for details. + ''; + }; + }; + linkOptions = commonNetworkOptions // { # overwrite enable option from above enable = mkOption { @@ -1519,6 +1587,39 @@ let }; }; + networkdConfig = { config, ... }: { + options = { + routeTables = mkOption { + default = {}; + example = { foo = 27; }; + type = with types; attrsOf int; + description = '' + Defines route table names as an attrset of name to number. + See <citerefentry><refentrytitle>networkd.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for details. + ''; + }; + + addRouteTablesToIPRoute2 = mkOption { + default = true; + example = false; + type = types.bool; + description = '' + If true and routeTables are set, then the specified route tables + will also be installed into /etc/iproute2/rt_tables. + ''; + }; + }; + + config = { + networkConfig = optionalAttrs (config.routeTables != { }) { + RouteTable = mapAttrsToList + (name: number: "${name}:${toString number}") + config.routeTables; + }; + }; + }; + commonMatchText = def: optionalString (def.matchConfig != { }) '' [Match] ${attrsToSection def.matchConfig} @@ -1600,6 +1701,20 @@ let + def.extraConfig; }; + renderConfig = def: + { text = '' + [Network] + ${attrsToSection def.networkConfig} + '' + + optionalString (def.dhcpV4Config != { }) '' + [DHCPv4] + ${attrsToSection def.dhcpV4Config} + '' + + optionalString (def.dhcpV6Config != { }) '' + [DHCPv6] + ${attrsToSection def.dhcpV6Config} + ''; }; + networkToUnit = name: def: { inherit (def) enable; text = commonMatchText def @@ -1732,6 +1847,12 @@ in description = "Definition of systemd networks."; }; + systemd.network.config = mkOption { + default = {}; + type = with types; submodule [ { options = networkdOptions; } networkdConfig ]; + description = "Definition of global systemd network config."; + }; + systemd.network.units = mkOption { description = "Definition of networkd units."; default = {}; @@ -1823,7 +1944,9 @@ in systemd.services.systemd-networkd = { wantedBy = [ "multi-user.target" ]; aliases = [ "dbus-org.freedesktop.network1.service" ]; - restartTriggers = map (x: x.source) (attrValues unitFiles); + restartTriggers = map (x: x.source) (attrValues unitFiles) ++ [ + config.environment.etc."systemd/networkd.conf".source + ]; }; systemd.services.systemd-networkd-wait-online = { @@ -1846,6 +1969,17 @@ in }; }; + environment.etc."systemd/networkd.conf" = renderConfig cfg.config; + + networking.iproute2 = mkIf (cfg.config.addRouteTablesToIPRoute2 && cfg.config.routeTables != { }) { + enable = mkDefault true; + rttablesExtraConfig = '' + + # Extra tables defined in NixOS systemd.networkd.config.routeTables. + ${concatStringsSep "\n" (mapAttrsToList (name: number: "${toString number} ${name}") cfg.config.routeTables)} + ''; + }; + services.resolved.enable = mkDefault true; }) ]; diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh index 096a051f868..f2a839d0786 100755 --- a/nixos/modules/system/boot/stage-2-init.sh +++ b/nixos/modules/system/boot/stage-2-init.sh @@ -5,28 +5,30 @@ systemConfig=@systemConfig@ export HOME=/root PATH="@path@" -# Process the kernel command line. -for o in $(</proc/cmdline); do - case $o in - boot.debugtrace) - # Show each command. - set -x - ;; - esac -done - - -# Print a greeting. -echo -echo -e "\e[1;32m<<< NixOS Stage 2 >>>\e[0m" -echo - - -# Normally, stage 1 mounts the root filesystem read/writable. -# However, in some environments, stage 2 is executed directly, and the -# root is read-only. So make it writable here. -if [ -z "$container" ]; then - mount -n -o remount,rw none / +if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" != true ]; then + # Process the kernel command line. + for o in $(</proc/cmdline); do + case $o in + boot.debugtrace) + # Show each command. + set -x + ;; + esac + done + + + # Print a greeting. + echo + echo -e "\e[1;32m<<< NixOS Stage 2 >>>\e[0m" + echo + + + # Normally, stage 1 mounts the root filesystem read/writable. + # However, in some environments, stage 2 is executed directly, and the + # root is read-only. So make it writable here. + if [ -z "$container" ]; then + mount -n -o remount,rw none / + fi fi @@ -39,6 +41,12 @@ if [ ! -e /proc/1 ]; then local options="$3" local fsType="$4" + # We must not overwrite this mount because it's bind-mounted + # from stage 1's /run + if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" = true ] && [ "${mountPoint}" = /run ]; then + return + fi + install -m 0755 -d "$mountPoint" mount -n -t "$fsType" -o "$options" "$device" "$mountPoint" } @@ -46,7 +54,11 @@ if [ ! -e /proc/1 ]; then fi -echo "booting system configuration $systemConfig" > /dev/kmsg +if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" = true ]; then + echo "booting system configuration ${systemConfig}" +else + echo "booting system configuration $systemConfig" > /dev/kmsg +fi # Make /nix/store a read-only bind mount to enforce immutability of @@ -68,24 +80,26 @@ if [ -n "@readOnlyStore@" ]; then fi -# Use /etc/resolv.conf supplied by systemd-nspawn, if applicable. -if [ -n "@useHostResolvConf@" ] && [ -e /etc/resolv.conf ]; then - resolvconf -m 1000 -a host </etc/resolv.conf -fi +if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" != true ]; then + # Use /etc/resolv.conf supplied by systemd-nspawn, if applicable. + if [ -n "@useHostResolvConf@" ] && [ -e /etc/resolv.conf ]; then + resolvconf -m 1000 -a host </etc/resolv.conf + fi -# Log the script output to /dev/kmsg or /run/log/stage-2-init.log. -# Only at this point are all the necessary prerequisites ready for these commands. -exec {logOutFd}>&1 {logErrFd}>&2 -if test -w /dev/kmsg; then - exec > >(tee -i /proc/self/fd/"$logOutFd" | while read -r line; do - if test -n "$line"; then - echo "<7>stage-2-init: $line" > /dev/kmsg - fi - done) 2>&1 -else - mkdir -p /run/log - exec > >(tee -i /run/log/stage-2-init.log) 2>&1 + # Log the script output to /dev/kmsg or /run/log/stage-2-init.log. + # Only at this point are all the necessary prerequisites ready for these commands. + exec {logOutFd}>&1 {logErrFd}>&2 + if test -w /dev/kmsg; then + exec > >(tee -i /proc/self/fd/"$logOutFd" | while read -r line; do + if test -n "$line"; then + echo "<7>stage-2-init: $line" > /dev/kmsg + fi + done) 2>&1 + else + mkdir -p /run/log + exec > >(tee -i /run/log/stage-2-init.log) 2>&1 + fi fi @@ -116,11 +130,15 @@ ln -sfn "$systemConfig" /run/booted-system : >> /etc/machine-id -# Reset the logging file descriptors. -exec 1>&$logOutFd 2>&$logErrFd -exec {logOutFd}>&- {logErrFd}>&- +# No need to restore the stdout/stderr streams we never redirected and +# especially no need to start systemd +if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" != true ]; then + # Reset the logging file descriptors. + exec 1>&$logOutFd 2>&$logErrFd + exec {logOutFd}>&- {logErrFd}>&- -# Start systemd in a clean environment. -echo "starting systemd..." -exec @systemdExecutable@ "$@" + # Start systemd in a clean environment. + echo "starting systemd..." + exec @systemdExecutable@ "$@" +fi diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 844a6793c15..2c9ee9fc319 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -573,14 +573,6 @@ in }) (filterAttrs (name: service: service.enable && service.startAt != []) cfg.services); - # Generate timer units for all services that have a ‘startAt’ value. - systemd.user.timers = - mapAttrs (name: service: - { wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = service.startAt; - }) - (filterAttrs (name: service: service.startAt != []) cfg.user.services); - # Some overrides to upstream units. systemd.services."systemd-backlight@".restartIfChanged = false; systemd.services."systemd-fsck@".restartIfChanged = false; diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index c383486bb0b..3af124d06a9 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix @@ -34,7 +34,6 @@ let "initrd-switch-root.service" "initrd-switch-root.target" "initrd.target" - "initrd-udevadm-cleanup-db.service" "kexec.target" "kmod-static-nodes.service" "local-fs-pre.target" @@ -71,12 +70,6 @@ let "systemd-sysctl.service" "systemd-tmpfiles-setup-dev.service" "systemd-tmpfiles-setup.service" - "systemd-udevd-control.socket" - "systemd-udevd-kernel.socket" - "systemd-udevd.service" - "systemd-udev-settle.service" - "systemd-udev-trigger.service" - "systemd-vconsole-setup.service" "timers.target" "umount.target" @@ -125,7 +118,7 @@ let }; initrdBinEnv = pkgs.buildEnv { - name = "initrd-emergency-env"; + name = "initrd-bin-env"; paths = map getBin cfg.initrdBin; pathsToLink = ["/bin" "/sbin"]; postBuild = concatStringsSep "\n" (mapAttrsToList (n: v: "ln -s '${v}' $out/bin/'${n}'") cfg.extraBin); @@ -355,8 +348,9 @@ in { boot.initrd.availableKernelModules = [ "autofs4" ]; # systemd needs this for some features boot.initrd.systemd = { - initrdBin = [pkgs.bash pkgs.coreutils pkgs.kmod cfg.package] ++ config.system.fsPackages; + initrdBin = [pkgs.bash pkgs.coreutils cfg.package.kmod cfg.package] ++ config.system.fsPackages; extraBin = { + less = "${pkgs.less}/bin/less"; mount = "${cfg.package.util-linux}/bin/mount"; umount = "${cfg.package.util-linux}/bin/umount"; }; @@ -367,7 +361,7 @@ in { "/etc/systemd/system.conf".text = '' [Manager] - DefaultEnvironment=PATH=/bin:/sbin + DefaultEnvironment=PATH=/bin:/sbin ${optionalString (isBool cfg.emergencyAccess && cfg.emergencyAccess) "SYSTEMD_SULOGIN_FORCE=1"} ''; "/etc/fstab".source = fstab; @@ -384,6 +378,11 @@ in { "/etc/sysctl.d/nixos.conf".text = "kernel.modprobe = /sbin/modprobe"; "/etc/modprobe.d/systemd.conf".source = "${cfg.package}/lib/modprobe.d/systemd.conf"; + "/etc/modprobe.d/ubuntu.conf".source = pkgs.runCommand "initrd-kmod-blacklist-ubuntu" { } '' + ${pkgs.buildPackages.perl}/bin/perl -0pe 's/## file: iwlwifi.conf(.+?)##/##/s;' $src > $out + ''; + "/etc/modprobe.d/debian.conf".source = pkgs.kmod-debian-aliases; + }; storePaths = [ @@ -394,15 +393,15 @@ in { "${cfg.package}/lib/systemd/systemd-journald" "${cfg.package}/lib/systemd/systemd-makefs" "${cfg.package}/lib/systemd/systemd-modules-load" + "${cfg.package}/lib/systemd/systemd-random-seed" "${cfg.package}/lib/systemd/systemd-remount-fs" + "${cfg.package}/lib/systemd/systemd-shutdown" "${cfg.package}/lib/systemd/systemd-sulogin-shell" "${cfg.package}/lib/systemd/systemd-sysctl" - "${cfg.package}/lib/systemd/systemd-udevd" "${cfg.package}/lib/systemd/systemd-vconsole-setup" # additional systemd directories "${cfg.package}/lib/systemd/system-generators" - "${cfg.package}/lib/udev" # utilities needed by systemd "${cfg.package.util-linux}/bin/mount" @@ -410,7 +409,7 @@ in { "${cfg.package.util-linux}/bin/sulogin" # so NSS can look up usernames - "${pkgs.glibc}/lib/libnss_files.so" + "${pkgs.glibc}/lib/libnss_files.so.2" ] ++ jobScripts; targets.initrd.aliases = ["default.target"]; @@ -428,9 +427,6 @@ in { (v: let n = escapeSystemdPath v.where; in nameValuePair "${n}.automount" (automountToUnit n v)) cfg.automounts); - services.emergency = mkIf (isBool cfg.emergencyAccess && cfg.emergencyAccess) { - environment.SYSTEMD_SULOGIN_FORCE = "1"; - }; # The unit in /run/systemd/generator shadows the unit in # /etc/systemd/system, but will still apply drop-ins from # /etc/systemd/system/foo.service.d/ @@ -445,6 +441,67 @@ in { '')]; services."systemd-makefs@".unitConfig.IgnoreOnIsolate = true; services."systemd-growfs@".unitConfig.IgnoreOnIsolate = true; + + services.initrd-nixos-activation = { + after = [ "initrd-fs.target" ]; + requiredBy = [ "initrd.target" ]; + unitConfig.AssertPathExists = "/etc/initrd-release"; + serviceConfig.Type = "oneshot"; + description = "NixOS Activation"; + + script = /* bash */ '' + set -uo pipefail + export PATH="/bin:${cfg.package.util-linux}/bin" + + # Figure out what closure to boot + closure= + for o in $(< /proc/cmdline); do + case $o in + init=*) + IFS== read -r -a initParam <<< "$o" + closure="$(dirname "''${initParam[1]}")" + ;; + esac + done + + # Sanity check + if [ -z "''${closure:-}" ]; then + echo 'No init= parameter on the kernel command line' >&2 + exit 1 + fi + + # If we are not booting a NixOS closure (e.g. init=/bin/sh), + # we don't know what root to prepare so we don't do anything + if ! [ -x "/sysroot$closure/prepare-root" ]; then + echo "NEW_INIT=''${initParam[1]}" > /etc/switch-root.conf + echo "$closure does not look like a NixOS installation - not activating" + exit 0 + fi + echo 'NEW_INIT=' > /etc/switch-root.conf + + + # We need to propagate /run for things like /run/booted-system + # and /run/current-system. + mkdir -p /sysroot/run + mount --bind /run /sysroot/run + + # Initialize the system + export IN_NIXOS_SYSTEMD_STAGE1=true + exec chroot /sysroot $closure/prepare-root + ''; + }; + + # This will either call systemctl with the new init as the last parameter (which + # is the case when not booting a NixOS system) or with an empty string, causing + # systemd to bypass its verification code that checks whether the next file is a systemd + # and using its compiled-in value + services.initrd-switch-root.serviceConfig = { + EnvironmentFile = "-/etc/switch-root.conf"; + ExecStart = [ + "" + ''systemctl --no-block switch-root /sysroot "''${NEW_INIT}"'' + ]; + }; }; }; } diff --git a/nixos/modules/virtualisation/azure-common.nix b/nixos/modules/virtualisation/azure-common.nix index 8efa177e30d..dc7853b9503 100644 --- a/nixos/modules/virtualisation/azure-common.nix +++ b/nixos/modules/virtualisation/azure-common.nix @@ -21,7 +21,11 @@ with lib; # way to select them anyway. boot.loader.grub.configurationLimit = 0; - fileSystems."/".device = "/dev/disk/by-label/nixos"; + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + autoResize = true; + }; # Allow root logins only using the SSH key that the user specified # at instance creation time, ping client connections to avoid timeouts diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index ab87394a30e..e0bccb83a97 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -344,6 +344,10 @@ in restartIfChanged = false; }; + systemd.services.virtchd = { + path = [ pkgs.cloud-hypervisor ]; + }; + systemd.services.libvirt-guests = { wantedBy = [ "multi-user.target" ]; path = with pkgs; [ coreutils gawk cfg.package ]; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 20ce129c5a0..b1c5a7a6c95 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -853,8 +853,12 @@ in (mkIf (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [ "-device virtio-gpu-pci" "-device usb-ehci,id=usb0" "-device usb-kbd" "-device usb-tablet" ]) - (mkIf (!cfg.useBootLoader) [ - "-kernel \${NIXPKGS_QEMU_KERNEL_${config.system.name}:-${config.system.build.toplevel}/kernel}" + (let + alphaNumericChars = lowerChars ++ upperChars ++ (map toString (range 0 9)); + # Replace all non-alphanumeric characters with underscores + sanitizeShellIdent = s: concatMapStrings (c: if builtins.elem c alphaNumericChars then c else "_") (stringToCharacters s); + in mkIf (!cfg.useBootLoader) [ + "-kernel \${NIXPKGS_QEMU_KERNEL_${sanitizeShellIdent config.system.name}:-${config.system.build.toplevel}/kernel}" "-initrd ${config.system.build.toplevel}/initrd" ''-append "$(cat ${config.system.build.toplevel}/kernel-params) init=${config.system.build.toplevel}/init regInfo=${regInfo}/registration ${consoles} $QEMU_KERNEL_PARAMS"'' ]) diff --git a/nixos/tests/all-terminfo.nix b/nixos/tests/all-terminfo.nix new file mode 100644 index 00000000000..dd47c66ee1c --- /dev/null +++ b/nixos/tests/all-terminfo.nix @@ -0,0 +1,31 @@ +import ./make-test-python.nix ({ pkgs, ... }: rec { + name = "all-terminfo"; + meta = with pkgs.lib.maintainers; { + maintainers = [ jkarlson ]; + }; + + nodes.machine = { pkgs, config, lib, ... }: + let + infoFilter = name: drv: + let + o = builtins.tryEval drv; + in + o.success && lib.isDerivation o.value && o.value ? outputs && builtins.elem "terminfo" o.value.outputs; + terminfos = lib.filterAttrs infoFilter pkgs; + excludedTerminfos = lib.filterAttrs (_: drv: !(builtins.elem drv.terminfo config.environment.systemPackages)) terminfos; + includedOuts = lib.filterAttrs (_: drv: builtins.elem drv.out config.environment.systemPackages) terminfos; + in + { + environment = { + enableAllTerminfo = true; + etc."terminfo-missing".text = builtins.concatStringsSep "\n" (builtins.attrNames excludedTerminfos); + etc."terminfo-extra-outs".text = builtins.concatStringsSep "\n" (builtins.attrNames includedOuts); + }; + }; + + testScript = + '' + machine.fail("grep . /etc/terminfo-missing >&2") + machine.fail("grep . /etc/terminfo-extra-outs >&2") + ''; +}) diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index d9429920f13..a1d4e284657 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -35,6 +35,7 @@ in agate = handleTest ./web-servers/agate.nix {}; agda = handleTest ./agda.nix {}; airsonic = handleTest ./airsonic.nix {}; + allTerminfo = handleTest ./all-terminfo.nix {}; amazon-init-shell = handleTest ./amazon-init-shell.nix {}; apfs = handleTest ./apfs.nix {}; apparmor = handleTest ./apparmor.nix {}; @@ -362,6 +363,7 @@ in nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {}; nginx-sso = handleTest ./nginx-sso.nix {}; nginx-variants = handleTest ./nginx-variants.nix {}; + nifi = handleTestOn ["x86_64-linux"] ./web-apps/nifi.nix {}; nitter = handleTest ./nitter.nix {}; nix-ld = handleTest ./nix-ld {}; nix-serve = handleTest ./nix-serve.nix {}; @@ -398,9 +400,10 @@ in pam-file-contents = handleTest ./pam/pam-file-contents.nix {}; pam-oath-login = handleTest ./pam/pam-oath-login.nix {}; pam-u2f = handleTest ./pam/pam-u2f.nix {}; + pam-ussh = handleTest ./pam/pam-ussh.nix {}; pantalaimon = handleTest ./matrix/pantalaimon.nix {}; pantheon = handleTest ./pantheon.nix {}; - paperless-ng = handleTest ./paperless-ng.nix {}; + paperless = handleTest ./paperless.nix {}; parsedmarc = handleTest ./parsedmarc {}; pdns-recursor = handleTest ./pdns-recursor.nix {}; peerflix = handleTest ./peerflix.nix {}; diff --git a/nixos/tests/networking.nix b/nixos/tests/networking.nix index bd517093eb3..a1150097a09 100644 --- a/nixos/tests/networking.nix +++ b/nixos/tests/networking.nix @@ -878,7 +878,7 @@ let linkConfig.Name = "custom_name"; }; } - else { services.udev.initrdRules = '' + else { boot.initrd.services.udev.rules = '' SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="52:54:00:12:01:01", KERNEL=="eth*", NAME="custom_name" ''; }); diff --git a/nixos/tests/pam/pam-ussh.nix b/nixos/tests/pam/pam-ussh.nix new file mode 100644 index 00000000000..ba0570dbf97 --- /dev/null +++ b/nixos/tests/pam/pam-ussh.nix @@ -0,0 +1,70 @@ +import ../make-test-python.nix ({ pkgs, lib, ... }: + +let + testOnlySSHCredentials = pkgs.runCommand "pam-ussh-test-ca" { + nativeBuildInputs = [ pkgs.openssh ]; + } '' + mkdir $out + ssh-keygen -t ed25519 -N "" -f $out/ca + + ssh-keygen -t ed25519 -N "" -f $out/alice + ssh-keygen -s $out/ca -I "alice user key" -n "alice,root" -V 19700101:forever $out/alice.pub + + ssh-keygen -t ed25519 -N "" -f $out/bob + ssh-keygen -s $out/ca -I "bob user key" -n "bob" -V 19700101:forever $out/bob.pub + ''; + makeTestScript = user: pkgs.writeShellScript "pam-ussh-${user}-test-script" '' + set -euo pipefail + + eval $(${pkgs.openssh}/bin/ssh-agent) + + mkdir -p $HOME/.ssh + chmod 700 $HOME/.ssh + cp ${testOnlySSHCredentials}/${user}{,.pub,-cert.pub} $HOME/.ssh + chmod 600 $HOME/.ssh/${user} + chmod 644 $HOME/.ssh/${user}{,-cert}.pub + + set -x + + ${pkgs.openssh}/bin/ssh-add $HOME/.ssh/${user} + ${pkgs.openssh}/bin/ssh-add -l &>2 + + exec sudo id -u -n + ''; +in { + name = "pam-ussh"; + meta.maintainers = with lib.maintainers; [ lukegb ]; + + machine = + { ... }: + { + users.users.alice = { isNormalUser = true; extraGroups = [ "wheel" ]; }; + users.users.bob = { isNormalUser = true; extraGroups = [ "wheel" ]; }; + + security.pam.ussh = { + enable = true; + authorizedPrincipals = "root"; + caFile = "${testOnlySSHCredentials}/ca.pub"; + }; + + security.sudo = { + enable = true; + extraConfig = '' + Defaults lecture="never" + ''; + }; + }; + + testScript = + '' + with subtest("alice should be allowed to escalate to root"): + machine.succeed( + 'su -c "${makeTestScript "alice"}" -l alice | grep root' + ) + + with subtest("bob should not be allowed to escalate to root"): + machine.fail( + 'su -c "${makeTestScript "bob"}" -l bob | grep root' + ) + ''; +}) diff --git a/nixos/tests/paperless-ng.nix b/nixos/tests/paperless.nix index 618eeec6b12..51fe7c20785 100644 --- a/nixos/tests/paperless-ng.nix +++ b/nixos/tests/paperless.nix @@ -1,30 +1,32 @@ import ./make-test-python.nix ({ lib, ... }: { - name = "paperless-ng"; + name = "paperless"; meta.maintainers = with lib.maintainers; [ earvstedt Flakebi ]; nodes.machine = { pkgs, ... }: { environment.systemPackages = with pkgs; [ imagemagick jq ]; - services.paperless-ng = { + services.paperless = { enable = true; passwordFile = builtins.toFile "password" "admin"; }; }; testScript = '' - machine.wait_for_unit("paperless-ng-consumer.service") + import json - with subtest("Create test doc"): + machine.wait_for_unit("paperless-consumer.service") + + with subtest("Add a document via the file system"): machine.succeed( "convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black " "-annotate +5+20 'hello world 16-10-2005' /var/lib/paperless/consume/doc.png" ) with subtest("Web interface gets ready"): - machine.wait_for_unit("paperless-ng-web.service") + machine.wait_for_unit("paperless-web.service") # Wait until server accepts connections machine.wait_until_succeeds("curl -fs localhost:28981") - with subtest("Create web test doc"): + with subtest("Add a document via the web interface"): machine.succeed( "convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black " "-annotate +5+20 'hello web 16-10-2005' /tmp/webdoc.png" @@ -35,11 +37,8 @@ import ./make-test-python.nix ({ lib, ... }: { machine.wait_until_succeeds( "(($(curl -u admin:admin -fs localhost:28981/api/documents/ | jq .count) == 2))" ) - assert "2005-10-16" in machine.succeed( - "curl -u admin:admin -fs localhost:28981/api/documents/ | jq '.results | .[0] | .created'" - ) - assert "2005-10-16" in machine.succeed( - "curl -u admin:admin -fs localhost:28981/api/documents/ | jq '.results | .[1] | .created'" - ) + docs = json.loads(machine.succeed("curl -u admin:admin -fs localhost:28981/api/documents/"))['results'] + assert "2005-10-16" in docs[0]['created'] + assert "2005-10-16" in docs[1]['created'] ''; }) diff --git a/nixos/tests/systemd-initrd-simple.nix b/nixos/tests/systemd-initrd-simple.nix index ba62cdf3bbc..959cc87c0f2 100644 --- a/nixos/tests/systemd-initrd-simple.nix +++ b/nixos/tests/systemd-initrd-simple.nix @@ -14,14 +14,31 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { testScript = '' import subprocess - oldAvail = machine.succeed("df --output=avail / | sed 1d") - machine.shutdown() + with subtest("handover to stage-2 systemd works"): + machine.wait_for_unit("multi-user.target") + machine.succeed("systemd-analyze | grep -q '(initrd)'") # direct handover + machine.succeed("touch /testfile") # / is writable + machine.fail("touch /nix/store/testfile") # /nix/store is not writable + # Special filesystems are mounted by systemd + machine.succeed("[ -e /run/booted-system ]") # /run + machine.succeed("[ -e /sys/class ]") # /sys + machine.succeed("[ -e /dev/null ]") # /dev + machine.succeed("[ -e /proc/1 ]") # /proc + # stage-2-init mounted more special filesystems + machine.succeed("[ -e /dev/shm ]") # /dev/shm + machine.succeed("[ -e /dev/pts/ptmx ]") # /dev/pts + machine.succeed("[ -e /run/keys ]") # /run/keys - subprocess.check_call(["qemu-img", "resize", "vm-state-machine/machine.qcow2", "+1G"]) - machine.start() - newAvail = machine.succeed("df --output=avail / | sed 1d") + with subtest("growfs works"): + oldAvail = machine.succeed("df --output=avail / | sed 1d") + machine.shutdown() - assert int(oldAvail) < int(newAvail), "File system did not grow" + subprocess.check_call(["qemu-img", "resize", "vm-state-machine/machine.qcow2", "+1G"]) + + machine.start() + newAvail = machine.succeed("df --output=avail / | sed 1d") + + assert int(oldAvail) < int(newAvail), "File system did not grow" ''; }) diff --git a/nixos/tests/systemd-networkd.nix b/nixos/tests/systemd-networkd.nix index 7faeae3704e..6c423f4140b 100644 --- a/nixos/tests/systemd-networkd.nix +++ b/nixos/tests/systemd-networkd.nix @@ -8,6 +8,9 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: { environment.systemPackages = with pkgs; [ wireguard-tools ]; systemd.network = { enable = true; + config = { + routeTables.custom = 23; + }; netdevs = { "90-wg0" = { netdevConfig = { Kind = "wireguard"; Name = "wg0"; }; @@ -39,6 +42,7 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: { address = [ "10.0.0.${nodeId}/32" ]; routes = [ { routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }; } + { routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; Table = "custom"; }; } ]; }; "30-eth1" = { @@ -88,6 +92,12 @@ testScript = '' node2.wait_for_unit("systemd-networkd-wait-online.service") # ================================ + # Networkd Config + # ================================ + node1.succeed("grep RouteTable=custom:23 /etc/systemd/networkd.conf") + node1.succeed("sudo ip route show table custom | grep '10.0.0.0/24 via 10.0.0.1 dev wg0 proto static'") + + # ================================ # Wireguard # ================================ node1.succeed("ping -c 5 10.0.0.2") diff --git a/nixos/tests/web-apps/nifi.nix b/nixos/tests/web-apps/nifi.nix new file mode 100644 index 00000000000..92f7fa231df --- /dev/null +++ b/nixos/tests/web-apps/nifi.nix @@ -0,0 +1,30 @@ +import ../make-test-python.nix ({pkgs, ...}: +{ + name = "nifi"; + meta.maintainers = with pkgs.lib.maintainers; [ izorkin ]; + + nodes = { + nifi = { pkgs, ... }: { + virtualisation = { + memorySize = 2048; + diskSize = 4096; + }; + services.nifi = { + enable = true; + enableHTTPS = false; + }; + }; + }; + + testScript = '' + nifi.start() + + nifi.wait_for_unit("nifi.service") + nifi.wait_for_open_port(8080) + + # Check if NiFi is running + nifi.succeed("curl --fail http://127.0.0.1:8080/nifi/login 2> /dev/null | grep 'NiFi Login'") + + nifi.shutdown() + ''; +}) |