diff options
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2305.section.xml | 26 | ||||
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-2305.section.md | 6 | ||||
| -rw-r--r-- | nixos/modules/config/no-x-libs.nix | 6 | ||||
| -rw-r--r-- | nixos/modules/hardware/printers.nix | 19 | ||||
| -rw-r--r-- | nixos/modules/module-list.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/security/pam.nix | 27 | ||||
| -rw-r--r-- | nixos/modules/services/networking/ircd-hybrid/builder.sh | 1 | ||||
| -rw-r--r-- | nixos/modules/services/printing/cupsd.nix | 7 | ||||
| -rw-r--r-- | nixos/modules/services/web-servers/jboss/builder.sh | 1 | ||||
| -rw-r--r-- | nixos/modules/system/boot/systemd.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/system/boot/systemd/homed.nix | 43 | ||||
| -rw-r--r-- | nixos/modules/system/boot/systemd/userdbd.nix | 18 | ||||
| -rw-r--r-- | nixos/release-combined.nix | 3 | ||||
| -rw-r--r-- | nixos/tests/all-tests.nix | 5 | ||||
| -rw-r--r-- | nixos/tests/printing.nix | 187 | ||||
| -rw-r--r-- | nixos/tests/systemd-homed.nix | 99 | ||||
| -rw-r--r-- | nixos/tests/systemd-userdbd.nix | 32 |
17 files changed, 368 insertions, 116 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml index 12e4d490300..1014fe517db 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml @@ -200,6 +200,17 @@ </listitem> <listitem> <para> + <literal>llvmPackages_rocm.llvm</literal> will not contain + <literal>clang</literal> or <literal>compiler-rt</literal>. + <literal>llvmPackages_rocm.clang</literal> will not contain + <literal>llvm</literal>. + <literal>llvmPackages_rocm.clangNoCompilerRt</literal> has + been removed in favor of using + <literal>llvmPackages_rocm.clang-unwrapped</literal>. + </para> + </listitem> + <listitem> + <para> The Nginx module now validates the syntax of config files at build time. For more complex configurations (using <literal>include</literal> with out-of-store files notably) @@ -255,6 +266,14 @@ that it configures the NixOS boot process, not the Nix daemon. </para> </listitem> + <listitem> + <para> + Deprecated <literal>xlibsWrapper</literal> transitional + package has been removed in favour of direct use of its + constitutents: <literal>xorg.libX11</literal>, + <literal>freetype</literal> and others. + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-23.05-notable-changes"> @@ -447,6 +466,13 @@ </listitem> <listitem> <para> + <literal>hip</literal> has been separated into + <literal>hip</literal>, <literal>hip-common</literal> and + <literal>hipcc</literal>. + </para> + </listitem> + <listitem> + <para> Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store. diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index 07ee346c2c8..fe4eb16700d 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -55,6 +55,8 @@ In addition to numerous new and upgraded packages, this release has the followin - The [services.unifi-video.openFirewall](#opt-services.unifi-video.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall. +- `llvmPackages_rocm.llvm` will not contain `clang` or `compiler-rt`. `llvmPackages_rocm.clang` will not contain `llvm`. `llvmPackages_rocm.clangNoCompilerRt` has been removed in favor of using `llvmPackages_rocm.clang-unwrapped`. + - The Nginx module now validates the syntax of config files at build time. For more complex configurations (using `include` with out-of-store files notably) you may need to disable this check by setting [services.nginx.validateConfig](#opt-services.nginx.validateConfig) to `false`. - The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2. @@ -67,6 +69,8 @@ In addition to numerous new and upgraded packages, this release has the followin - The `nix.readOnlyStore` option has been renamed to `boot.readOnlyNixStore` to clarify that it configures the NixOS boot process, not the Nix daemon. +- Deprecated `xlibsWrapper` transitional package has been removed in favour of direct use of its constitutents: `xorg.libX11`, `freetype` and others. + ## Other Notable Changes {#sec-release-23.05-notable-changes} <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> @@ -119,6 +123,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [Garage](https://garagehq.deuxfleurs.fr/) version is based on [system.stateVersion](options.html#opt-system.stateVersion), existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow [upstream instructions](https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/) and force [services.garage.package](options.html#opt-services.garage.package) or upgrade accordingly [system.stateVersion](options.html#opt-system.stateVersion). +- `hip` has been separated into `hip`, `hip-common` and `hipcc`. + - Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store. - The `firewall` and `nat` module now has a nftables based implementation. Enable `networking.nftables` to use it. diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix index 70e265a65a6..9c83a44d7b0 100644 --- a/nixos/modules/config/no-x-libs.nix +++ b/nixos/modules/config/no-x-libs.nix @@ -33,12 +33,16 @@ with lib; ffmpeg_4 = super.ffmpeg_4-headless; ffmpeg_5 = super.ffmpeg_5-headless; gobject-introspection = super.gobject-introspection.override { x11Support = false; }; + gst_all_1 = super.gst_all_1 // { + gst-plugins-base = super.gst_all_1.gst-plugins-base.override { enableX11 = false; }; + }; gpsd = super.gpsd.override { guiSupport = false; }; imagemagick = super.imagemagick.override { libX11Support = false; libXtSupport = false; }; imagemagickBig = super.imagemagickBig.override { libX11Support = false; libXtSupport = false; }; - libextractor = super.libextractor.override { gstreamerSupport = false; gtkSupport = false; }; + libextractor = super.libextractor.override { gtkSupport = false; }; libva = super.libva-minimal; limesuite = super.limesuite.override { withGui = false; }; + mpv-unwrapped = super.mpv-unwrapped.override { sdl2Support = false; x11Support = false; }; msmtp = super.msmtp.override { withKeyring = false; }; networkmanager-fortisslvpn = super.networkmanager-fortisslvpn.override { withGnome = false; }; networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; }; diff --git a/nixos/modules/hardware/printers.nix b/nixos/modules/hardware/printers.nix index 85e3215127f..846ff6f3fb4 100644 --- a/nixos/modules/hardware/printers.nix +++ b/nixos/modules/hardware/printers.nix @@ -110,21 +110,26 @@ in { }; config = mkIf (cfg.ensurePrinters != [] && config.services.printing.enable) { - systemd.services.ensure-printers = let - cupsUnit = if config.services.printing.startWhenNeeded then "cups.socket" else "cups.service"; - in { + systemd.services.ensure-printers = { description = "Ensure NixOS-configured CUPS printers"; wantedBy = [ "multi-user.target" ]; - requires = [ cupsUnit ]; - after = [ cupsUnit ]; + wants = [ "cups.service" ]; + after = [ "cups.service" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; - script = concatMapStringsSep "\n" ensurePrinter cfg.ensurePrinters - + optionalString (cfg.ensureDefaultPrinter != null) (ensureDefaultPrinter cfg.ensureDefaultPrinter); + script = concatStringsSep "\n" [ + (concatMapStrings ensurePrinter cfg.ensurePrinters) + (optionalString (cfg.ensureDefaultPrinter != null) + (ensureDefaultPrinter cfg.ensureDefaultPrinter)) + # Note: if cupsd is "stateless" the service can't be stopped, + # otherwise the configuration will be wiped on the next start. + (optionalString (with config.services.printing; startWhenNeeded && !stateless) + "systemctl stop cups.service") + ]; }; }; } diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index b2e80b10fc2..dbebca815be 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1300,6 +1300,8 @@ ./system/boot/systemd/shutdown.nix ./system/boot/systemd/tmpfiles.nix ./system/boot/systemd/user.nix + ./system/boot/systemd/userdbd.nix + ./system/boot/systemd/homed.nix ./system/boot/timesyncd.nix ./system/boot/tmp.nix ./system/boot/uvesafb.nix diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 273bc796341..4224722f879 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -488,6 +488,9 @@ let account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so '' + + optionalString config.services.homed.enable '' + account sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so + '' + # The required pam_unix.so module has to come after all the sufficient modules # because otherwise, the account lookup will fail if the user does not exist # locally, for example with MySQL- or LDAP-auth. @@ -541,8 +544,10 @@ let # after it succeeds. Certain modules need to run after pam_unix # prompts the user for password so we run it once with 'optional' at an # earlier point and it will run again with 'sufficient' further down. - # We use try_first_pass the second time to avoid prompting password twice - (optionalString (cfg.unixAuth && + # We use try_first_pass the second time to avoid prompting password twice. + # + # The same principle applies to systemd-homed + (optionalString ((cfg.unixAuth || config.services.homed.enable) && (config.security.pam.enableEcryptfs || config.security.pam.enableFscrypt || cfg.pamMount @@ -553,7 +558,10 @@ let || cfg.failDelay.enable || cfg.duoSecurity.enable)) ( - '' + optionalString config.services.homed.enable '' + auth optional ${config.systemd.package}/lib/security/pam_systemd_home.so + '' + + optionalString cfg.unixAuth '' auth optional pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth '' + optionalString config.security.pam.enableEcryptfs '' @@ -584,6 +592,9 @@ let auth required ${pkgs.duo-unix}/lib/security/pam_duo.so '' )) + + optionalString config.services.homed.enable '' + auth sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so + '' + optionalString cfg.unixAuth '' auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass '' + @@ -605,6 +616,10 @@ let auth required pam_deny.so # Password management. + '' + + optionalString config.services.homed.enable '' + password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so + '' + '' password sufficient pam_unix.so nullok sha512 '' + optionalString config.security.pam.enableEcryptfs '' @@ -650,6 +665,9 @@ let ++ optional (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}" ++ optional (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}" )) + + optionalString config.services.homed.enable '' + session required ${config.systemd.package}/lib/security/pam_systemd_home.so + '' + optionalString cfg.makeHomeDir '' session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077 '' + @@ -1361,6 +1379,9 @@ in '' + optionalString config.virtualisation.lxc.lxcfs.enable '' mr ${pkgs.lxc}/lib/security/pam_cgfs.so + '' + + optionalString config.services.homed.enable '' + mr ${config.systemd.package}/lib/security/pam_systemd_home.so ''; }; diff --git a/nixos/modules/services/networking/ircd-hybrid/builder.sh b/nixos/modules/services/networking/ircd-hybrid/builder.sh index 38312210df2..d9d2e4264df 100644 --- a/nixos/modules/services/networking/ircd-hybrid/builder.sh +++ b/nixos/modules/services/networking/ircd-hybrid/builder.sh @@ -1,3 +1,4 @@ +if [ -e .attrs.sh ]; then source .attrs.sh; fi source $stdenv/setup doSub() { diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index ae59dcc226d..9ac89e05762 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -341,7 +341,7 @@ in systemd.sockets.cups = mkIf cfg.startWhenNeeded { wantedBy = [ "sockets.target" ]; - listenStreams = [ "/run/cups/cups.sock" ] + listenStreams = [ "" "/run/cups/cups.sock" ] ++ map (x: replaceStrings ["localhost"] ["127.0.0.1"] (removePrefix "*:" x)) cfg.listenAddresses; }; @@ -395,10 +395,7 @@ in ''} ''; - serviceConfig = { - PrivateTmp = true; - RuntimeDirectory = [ "cups" ]; - }; + serviceConfig.PrivateTmp = true; }; systemd.services.cups-browsed = mkIf avahiEnabled diff --git a/nixos/modules/services/web-servers/jboss/builder.sh b/nixos/modules/services/web-servers/jboss/builder.sh index 0e5af324c13..ac573089cd5 100644 --- a/nixos/modules/services/web-servers/jboss/builder.sh +++ b/nixos/modules/services/web-servers/jboss/builder.sh @@ -1,5 +1,6 @@ set -e +if [ -e .attrs.sh ]; then source .attrs.sh; fi source $stdenv/setup mkdir -p $out/bin diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index e37ed853181..679a663362b 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -450,7 +450,7 @@ in (mkAfter [ "systemd" ]) ]); group = (mkMerge [ - (mkAfter [ "systemd" ]) + (mkAfter [ "[success=merge] systemd" ]) # need merge so that NSS won't stop at file-based groups ]); }; diff --git a/nixos/modules/system/boot/systemd/homed.nix b/nixos/modules/system/boot/systemd/homed.nix new file mode 100644 index 00000000000..403d1690124 --- /dev/null +++ b/nixos/modules/system/boot/systemd/homed.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.homed; +in +{ + options.services.homed.enable = lib.mkEnableOption (lib.mdDoc '' + Enable systemd home area/user account manager + ''); + + config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = config.services.nscd.enable; + message = "systemd-homed requires the use of systemd nss module. services.nscd.enable must be set to true,"; + } + ]; + + systemd.additionalUpstreamSystemUnits = [ + "systemd-homed.service" + "systemd-homed-activate.service" + ]; + + # This is mentioned in homed's [Install] section. + # + # While homed appears to work without it, it's probably better + # to follow upstream recommendations. + services.userdbd.enable = lib.mkDefault true; + + systemd.services = { + systemd-homed = { + # These packages are required to manage encrypted volumes + path = config.system.fsPackages; + aliases = [ "dbus-org.freedesktop.home1.service" ]; + wantedBy = [ "multi-user.target" ]; + }; + + systemd-homed-activate = { + wantedBy = [ "systemd-homed.service" ]; + }; + }; + }; +} diff --git a/nixos/modules/system/boot/systemd/userdbd.nix b/nixos/modules/system/boot/systemd/userdbd.nix new file mode 100644 index 00000000000..994aa3ca3b8 --- /dev/null +++ b/nixos/modules/system/boot/systemd/userdbd.nix @@ -0,0 +1,18 @@ +{ config, lib, ... }: + +let + cfg = config.services.userdbd; +in +{ + options.services.userdbd.enable = lib.mkEnableOption (lib.mdDoc '' + Enables the systemd JSON user/group record lookup service + ''); + config = lib.mkIf cfg.enable { + systemd.additionalUpstreamSystemUnits = [ + "systemd-userdbd.socket" + "systemd-userdbd.service" + ]; + + systemd.sockets.systemd-userdbd.wantedBy = [ "sockets.target" ]; + }; +} diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index 337b5192776..ed698b63ee6 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -146,7 +146,8 @@ in rec { (onFullSupported "nixos.tests.predictable-interface-names.predictable") (onFullSupported "nixos.tests.predictable-interface-names.unpredictableNetworkd") (onFullSupported "nixos.tests.predictable-interface-names.unpredictable") - (onFullSupported "nixos.tests.printing") + (onFullSupported "nixos.tests.printing-service") + (onFullSupported "nixos.tests.printing-socket") (onFullSupported "nixos.tests.proxy") (onFullSupported "nixos.tests.sddm.default") (onFullSupported "nixos.tests.shadow") diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 83ad7c48a08..1c143602fb2 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -542,7 +542,8 @@ in { power-profiles-daemon = handleTest ./power-profiles-daemon.nix {}; pppd = handleTest ./pppd.nix {}; predictable-interface-names = handleTest ./predictable-interface-names.nix {}; - printing = handleTest ./printing.nix {}; + printing-socket = handleTest ./printing.nix { socket = true; }; + printing-service = handleTest ./printing.nix { socket = false; }; privacyidea = handleTest ./privacyidea.nix {}; privoxy = handleTest ./privoxy.nix {}; prometheus = handleTest ./prometheus.nix {}; @@ -652,6 +653,8 @@ in { systemd-shutdown = handleTest ./systemd-shutdown.nix {}; systemd-timesyncd = handleTest ./systemd-timesyncd.nix {}; systemd-misc = handleTest ./systemd-misc.nix {}; + systemd-userdbd = handleTest ./systemd-userdbd.nix {}; + systemd-homed = handleTest ./systemd-homed.nix {}; tandoor-recipes = handleTest ./tandoor-recipes.nix {}; taskserver = handleTest ./taskserver.nix {}; tayga = handleTest ./tayga.nix {}; diff --git a/nixos/tests/printing.nix b/nixos/tests/printing.nix index cfebe232d92..7df042e72e9 100644 --- a/nixos/tests/printing.nix +++ b/nixos/tests/printing.nix @@ -1,19 +1,31 @@ # Test printing via CUPS. -import ./make-test-python.nix ({pkgs, ... }: -let - printingServer = startWhenNeeded: { - services.printing.enable = true; - services.printing.stateless = true; - services.printing.startWhenNeeded = startWhenNeeded; - services.printing.listenAddresses = [ "*:631" ]; - services.printing.defaultShared = true; - services.printing.extraConf = '' - <Location /> - Order allow,deny - Allow from all - </Location> - ''; +import ./make-test-python.nix ( +{ pkgs +, socket ? true # whether to use socket activation +, ... +}: + +{ + name = "printing"; + meta = with pkgs.lib.maintainers; { + maintainers = [ domenkozar eelco matthewbauer ]; + }; + + nodes.server = { ... }: { + services.printing = { + enable = true; + stateless = true; + startWhenNeeded = socket; + listenAddresses = [ "*:631" ]; + defaultShared = true; + extraConf = '' + <Location /> + Order allow,deny + Allow from all + </Location> + ''; + }; networking.firewall.allowedTCPPorts = [ 631 ]; # Add a HP Deskjet printer connected via USB to the server. hardware.printers.ensurePrinters = [{ @@ -22,32 +34,19 @@ let model = "drv:///sample.drv/deskjet.ppd"; }]; }; - printingClient = startWhenNeeded: { + + nodes.client = { ... }: { services.printing.enable = true; - services.printing.startWhenNeeded = startWhenNeeded; + services.printing.startWhenNeeded = socket; # Add printer to the client as well, via IPP. hardware.printers.ensurePrinters = [{ name = "DeskjetRemote"; - deviceUri = "ipp://${if startWhenNeeded then "socketActivatedServer" else "serviceServer"}/printers/DeskjetLocal"; + deviceUri = "ipp://server/printers/DeskjetLocal"; model = "drv:///sample.drv/deskjet.ppd"; }]; hardware.printers.ensureDefaultPrinter = "DeskjetRemote"; }; -in { - name = "printing"; - meta = with pkgs.lib.maintainers; { - maintainers = [ domenkozar eelco matthewbauer ]; - }; - - nodes = { - socketActivatedServer = { ... }: (printingServer true); - serviceServer = { ... }: (printingServer false); - - socketActivatedClient = { ... }: (printingClient true); - serviceClient = { ... }: (printingClient false); - }; - testScript = '' import os import re @@ -55,75 +54,69 @@ in { start_all() with subtest("Make sure that cups is up on both sides and printers are set up"): - serviceServer.wait_for_unit("cups.service") - serviceClient.wait_for_unit("cups.service") - socketActivatedClient.wait_for_unit("ensure-printers.service") - + server.wait_for_unit("cups.${if socket then "socket" else "service"}") + client.wait_for_unit("cups.${if socket then "socket" else "service"}") + + assert "scheduler is running" in client.succeed("lpstat -r") + + with subtest("UNIX socket is used for connections"): + assert "/var/run/cups/cups.sock" in client.succeed("lpstat -H") + + with subtest("HTTP server is available too"): + client.succeed("curl --fail http://localhost:631/") + client.succeed(f"curl --fail http://{server.name}:631/") + server.fail(f"curl --fail --connect-timeout 2 http://{client.name}:631/") + + with subtest("LP status checks"): + assert "DeskjetRemote accepting requests" in client.succeed("lpstat -a") + assert "DeskjetLocal accepting requests" in client.succeed( + f"lpstat -h {server.name}:631 -a" + ) + client.succeed("cupsdisable DeskjetRemote") + out = client.succeed("lpq") + print(out) + assert re.search( + "DeskjetRemote is not ready.*no entries", + client.succeed("lpq"), + flags=re.DOTALL, + ) + client.succeed("cupsenable DeskjetRemote") + assert re.match( + "DeskjetRemote is ready.*no entries", client.succeed("lpq"), flags=re.DOTALL + ) + + # Test printing various file types. + for file in [ + "${pkgs.groff.doc}/share/doc/*/examples/mom/penguin.pdf", + "${pkgs.groff.doc}/share/doc/*/meref.ps", + "${pkgs.cups.out}/share/doc/cups/images/cups.png", + "${pkgs.pcre.doc}/share/doc/pcre/pcre.txt", + ]: + file_name = os.path.basename(file) + with subtest(f"print {file_name}"): + # Print the file on the client. + print(client.succeed("lpq")) + client.succeed(f"lp {file}") + client.wait_until_succeeds( + f"lpq; lpq | grep -q -E 'active.*root.*{file_name}'" + ) - def test_printing(client, server): - assert "scheduler is running" in client.succeed("lpstat -r") + # Ensure that a raw PCL file appeared in the server's queue + # (showing that the right filters have been applied). Of + # course, since there is no actual USB printer attached, the + # file will stay in the queue forever. + server.wait_for_file("/var/spool/cups/d*-001") + server.wait_until_succeeds(f"lpq -a | grep -q -E '{file_name}'") - with subtest("UNIX socket is used for connections"): - assert "/var/run/cups/cups.sock" in client.succeed("lpstat -H") - with subtest("HTTP server is available too"): - client.succeed("curl --fail http://localhost:631/") - client.succeed(f"curl --fail http://{server.name}:631/") - server.fail(f"curl --fail --connect-timeout 2 http://{client.name}:631/") + # Delete the job on the client. It should disappear on the + # server as well. + client.succeed("lprm") + client.wait_until_succeeds("lpq -a | grep -q -E 'no entries'") - with subtest("LP status checks"): - assert "DeskjetRemote accepting requests" in client.succeed("lpstat -a") - assert "DeskjetLocal accepting requests" in client.succeed( - f"lpstat -h {server.name}:631 -a" - ) - client.succeed("cupsdisable DeskjetRemote") - out = client.succeed("lpq") - print(out) - assert re.search( - "DeskjetRemote is not ready.*no entries", - client.succeed("lpq"), - flags=re.DOTALL, - ) - client.succeed("cupsenable DeskjetRemote") - assert re.match( - "DeskjetRemote is ready.*no entries", client.succeed("lpq"), flags=re.DOTALL - ) + retry(lambda _: "no entries" in server.succeed("lpq -a")) - # Test printing various file types. - for file in [ - "${pkgs.groff.doc}/share/doc/*/examples/mom/penguin.pdf", - "${pkgs.groff.doc}/share/doc/*/meref.ps", - "${pkgs.cups.out}/share/doc/cups/images/cups.png", - "${pkgs.pcre.doc}/share/doc/pcre/pcre.txt", - ]: - file_name = os.path.basename(file) - with subtest(f"print {file_name}"): - # Print the file on the client. - print(client.succeed("lpq")) - client.succeed(f"lp {file}") - client.wait_until_succeeds( - f"lpq; lpq | grep -q -E 'active.*root.*{file_name}'" - ) - - # Ensure that a raw PCL file appeared in the server's queue - # (showing that the right filters have been applied). Of - # course, since there is no actual USB printer attached, the - # file will stay in the queue forever. - server.wait_for_file("/var/spool/cups/d*-001") - server.wait_until_succeeds(f"lpq -a | grep -q -E '{file_name}'") - - # Delete the job on the client. It should disappear on the - # server as well. - client.succeed("lprm") - client.wait_until_succeeds("lpq -a | grep -q -E 'no entries'") - - retry(lambda _: "no entries" in server.succeed("lpq -a")) - - # The queue is empty already, so this should be safe. - # Otherwise, pairs of "c*"-"d*-001" files might persist. - server.execute("rm /var/spool/cups/*") - - - test_printing(serviceClient, serviceServer) - test_printing(socketActivatedClient, socketActivatedServer) + # The queue is empty already, so this should be safe. + # Otherwise, pairs of "c*"-"d*-001" files might persist. + server.execute("rm /var/spool/cups/*") ''; }) diff --git a/nixos/tests/systemd-homed.nix b/nixos/tests/systemd-homed.nix new file mode 100644 index 00000000000..ecc92e98edd --- /dev/null +++ b/nixos/tests/systemd-homed.nix @@ -0,0 +1,99 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: +let + password = "foobar"; + newPass = "barfoo"; +in +{ + name = "systemd-homed"; + nodes.machine = { config, pkgs, ... }: { + services.homed.enable = true; + + users.users.test-normal-user = { + extraGroups = [ "wheel" ]; + isNormalUser = true; + initialPassword = password; + }; + }; + testScript = '' + def switchTTY(number): + machine.send_key(f"alt-f{number}") + machine.wait_until_succeeds(f"[ $(fgconsole) = {number} ]") + machine.wait_for_unit(f"getty@tty{number}.service") + machine.wait_until_succeeds(f"pgrep -f 'agetty.*tty{number}'") + + machine.wait_for_unit("multi-user.target") + + # Smoke test to make sure the pam changes didn't break regular users. + machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'") + with subtest("login as regular user"): + switchTTY(2) + machine.wait_until_tty_matches("2", "login: ") + machine.send_chars("test-normal-user\n") + machine.wait_until_tty_matches("2", "login: test-normal-user") + machine.wait_until_tty_matches("2", "Password: ") + machine.send_chars("${password}\n") + machine.wait_until_succeeds("pgrep -u test-normal-user bash") + machine.send_chars("whoami > /tmp/1\n") + machine.wait_for_file("/tmp/1") + assert "test-normal-user" in machine.succeed("cat /tmp/1") + + with subtest("create homed encrypted user"): + # TODO: Figure out how to pass password manually. + # + # This environment variable is used for homed internal testing + # and is not documented. + machine.succeed("NEWPASSWORD=${password} homectl create --shell=/run/current-system/sw/bin/bash --storage=luks -G wheel test-homed-user") + + with subtest("login as homed user"): + switchTTY(3) + machine.wait_until_tty_matches("3", "login: ") + machine.send_chars("test-homed-user\n") + machine.wait_until_tty_matches("3", "login: test-homed-user") + machine.wait_until_tty_matches("3", "Password: ") + machine.send_chars("${password}\n") + machine.wait_until_succeeds("pgrep -t tty3 -u test-homed-user bash") + machine.send_chars("whoami > /tmp/2\n") + machine.wait_for_file("/tmp/2") + assert "test-homed-user" in machine.succeed("cat /tmp/2") + + with subtest("change homed user password"): + switchTTY(4) + machine.wait_until_tty_matches("4", "login: ") + machine.send_chars("test-homed-user\n") + machine.wait_until_tty_matches("4", "login: test-homed-user") + machine.wait_until_tty_matches("4", "Password: ") + machine.send_chars("${password}\n") + machine.wait_until_succeeds("pgrep -t tty4 -u test-homed-user bash") + machine.send_chars("passwd\n") + # homed does it in a weird order, it asks for new passes, then it asks + # for the old one. + machine.sleep(2) + machine.send_chars("${newPass}\n") + machine.sleep(2) + machine.send_chars("${newPass}\n") + machine.sleep(4) + machine.send_chars("${password}\n") + machine.wait_until_fails("pgrep -t tty4 passwd") + + @polling_condition + def not_logged_in_tty5(): + machine.fail("pgrep -t tty5 bash") + + switchTTY(5) + with not_logged_in_tty5: # type: ignore[union-attr] + machine.wait_until_tty_matches("5", "login: ") + machine.send_chars("test-homed-user\n") + machine.wait_until_tty_matches("5", "login: test-homed-user") + machine.wait_until_tty_matches("5", "Password: ") + machine.send_chars("${password}\n") + machine.wait_until_tty_matches("5", "Password incorrect or not sufficient for authentication of user test-homed-user.") + machine.wait_until_tty_matches("5", "Sorry, try again: ") + machine.send_chars("${newPass}\n") + machine.send_chars("whoami > /tmp/4\n") + machine.wait_for_file("/tmp/4") + assert "test-homed-user" in machine.succeed("cat /tmp/4") + + with subtest("homed user should be in wheel according to NSS"): + machine.succeed("userdbctl group wheel -s io.systemd.NameServiceSwitch | grep test-homed-user") + ''; +}) diff --git a/nixos/tests/systemd-userdbd.nix b/nixos/tests/systemd-userdbd.nix new file mode 100644 index 00000000000..5d0233ffd9f --- /dev/null +++ b/nixos/tests/systemd-userdbd.nix @@ -0,0 +1,32 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "systemd-userdbd"; + nodes.machine = { config, pkgs, ... }: { + services.userdbd.enable = true; + + users.users.test-user-nss = { + isNormalUser = true; + }; + + environment.etc."userdb/test-user-dropin.user".text = builtins.toJSON { + userName = "test-user-dropin"; + }; + + environment.systemPackages = with pkgs; [ libvarlink ]; + }; + testScript = '' + import json + from shlex import quote + + def getUserRecord(name): + Interface = "unix:/run/systemd/userdb/io.systemd.Multiplexer/io.systemd.UserDatabase" + payload = json.dumps({ + "service": "io.systemd.Multiplexer", + "userName": name + }) + return json.loads(machine.succeed(f"varlink call {Interface}.GetUserRecord {quote(payload)}")) + + machine.wait_for_unit("systemd-userdbd.socket") + getUserRecord("test-user-nss") + getUserRecord("test-user-dropin") + ''; +}) |