diff options
Diffstat (limited to 'nixos')
211 files changed, 3560 insertions, 1630 deletions
diff --git a/nixos/doc/manual/configuration/config-syntax.chapter.md b/nixos/doc/manual/configuration/config-syntax.chapter.md index 56d093c0f6e..9f8d45d5889 100644 --- a/nixos/doc/manual/configuration/config-syntax.chapter.md +++ b/nixos/doc/manual/configuration/config-syntax.chapter.md @@ -15,5 +15,4 @@ NixOS configuration files. <xi:include href="config-file.section.xml" /> <xi:include href="abstractions.section.xml" /> <xi:include href="modularity.section.xml" /> -<xi:include href="summary.section.xml" /> ``` diff --git a/nixos/doc/manual/configuration/summary.section.md b/nixos/doc/manual/configuration/summary.section.md deleted file mode 100644 index 8abbbe257fd..00000000000 --- a/nixos/doc/manual/configuration/summary.section.md +++ /dev/null @@ -1,46 +0,0 @@ -# Syntax Summary {#sec-nix-syntax-summary} - -Below is a summary of the most important syntactic constructs in the Nix -expression language. It's not complete. In particular, there are many -other built-in functions. See the [Nix -manual](https://nixos.org/nix/manual/#chap-writing-nix-expressions) for -the rest. - -| Example | Description | -|-----------------------------------------------|--------------------------------------------------------------------------------------------------------------------| -| *Basic values* | | -| `"Hello world"` | A string | -| `"${pkgs.bash}/bin/sh"` | A string containing an expression (expands to `"/nix/store/hash-bash-version/bin/sh"`) | -| `true`, `false` | Booleans | -| `123` | An integer | -| `./foo.png` | A path (relative to the containing Nix expression) | -| *Compound values* | | -| `{ x = 1; y = 2; }` | A set with attributes named `x` and `y` | -| `{ foo.bar = 1; }` | A nested set, equivalent to `{ foo = { bar = 1; }; }` | -| `rec { x = "foo"; y = x + "bar"; }` | A recursive set, equivalent to `{ x = "foo"; y = "foobar"; }` | -| `[ "foo" "bar" ]` | A list with two elements | -| *Operators* | | -| `"foo" + "bar"` | String concatenation | -| `1 + 2` | Integer addition | -| `"foo" == "f" + "oo"` | Equality test (evaluates to `true`) | -| `"foo" != "bar"` | Inequality test (evaluates to `true`) | -| `!true` | Boolean negation | -| `{ x = 1; y = 2; }.x` | Attribute selection (evaluates to `1`) | -| `{ x = 1; y = 2; }.z or 3` | Attribute selection with default (evaluates to `3`) | -| `{ x = 1; y = 2; } // { z = 3; }` | Merge two sets (attributes in the right-hand set taking precedence) | -| *Control structures* | | -| `if 1 + 1 == 2 then "yes!" else "no!"` | Conditional expression | -| `assert 1 + 1 == 2; "yes!"` | Assertion check (evaluates to `"yes!"`). See [](#sec-assertions) for using assertions in modules | -| `let x = "foo"; y = "bar"; in x + y` | Variable definition | -| `with pkgs.lib; head [ 1 2 3 ]` | Add all attributes from the given set to the scope (evaluates to `1`) | -| *Functions (lambdas)* | | -| `x: x + 1` | A function that expects an integer and returns it increased by 1 | -| `(x: x + 1) 100` | A function call (evaluates to 101) | -| `let inc = x: x + 1; in inc (inc (inc 100))` | A function bound to a variable and subsequently called by name (evaluates to 103) | -| `{ x, y }: x + y` | A function that expects a set with required attributes `x` and `y` and concatenates them | -| `{ x, y ? "bar" }: x + y` | A function that expects a set with required attribute `x` and optional `y`, using `"bar"` as default value for `y` | -| `{ x, y, ... }: x + y` | A function that expects a set with required attributes `x` and `y` and ignores any other attributes | -| `{ x, y } @ args: x + y` | A function that expects a set with required attributes `x` and `y`, and binds the whole set to `args` | -| *Built-in functions* | | -| `import ./foo.nix` | Load and return Nix expression in given file | -| `map (x: x + x) [ 1 2 3 ]` | Apply a function to every element of a list (evaluates to `[ 2 4 6 ]`) | diff --git a/nixos/doc/manual/configuration/user-mgmt.chapter.md b/nixos/doc/manual/configuration/user-mgmt.chapter.md index 37990664a8f..5c3aca3ef9e 100644 --- a/nixos/doc/manual/configuration/user-mgmt.chapter.md +++ b/nixos/doc/manual/configuration/user-mgmt.chapter.md @@ -32,8 +32,7 @@ account will cease to exist. Also, imperative commands for managing users and groups, such as useradd, are no longer available. Passwords may still be assigned by setting the user\'s [hashedPassword](#opt-users.users._name_.hashedPassword) option. A -hashed password can be generated using `mkpasswd -m - sha-512`. +hashed password can be generated using `mkpasswd`. A user ID (uid) is assigned automatically. You can also specify a uid manually by adding diff --git a/nixos/doc/manual/development/option-declarations.section.md b/nixos/doc/manual/development/option-declarations.section.md index 0f5673dd4d5..88617ab1920 100644 --- a/nixos/doc/manual/development/option-declarations.section.md +++ b/nixos/doc/manual/development/option-declarations.section.md @@ -11,7 +11,7 @@ options = { type = type specification; default = default value; example = example value; - description = "Description for use in the NixOS manual."; + description = lib.mdDoc "Description for use in the NixOS manual."; }; }; ``` @@ -59,8 +59,9 @@ The function `mkOption` accepts the following arguments. : A textual description of the option, in [Nixpkgs-flavored Markdown]( https://nixos.org/nixpkgs/manual/#sec-contributing-markup) format, that will be included in the NixOS manual. During the migration process from DocBook - to CommonMark the description may also be written in DocBook, but this is - discouraged. + it is necessary to mark descriptions written in CommonMark with `lib.mdDoc`. + The description may still be written in DocBook (without any marker), but this + is discouraged and will be deprecated in the future. ## Utility functions for common option patterns {#sec-option-declarations-util} @@ -83,7 +84,7 @@ lib.mkOption { type = lib.types.bool; default = false; example = true; - description = "Whether to enable magic."; + description = lib.mdDoc "Whether to enable magic."; } ``` @@ -116,7 +117,7 @@ lib.mkOption { type = lib.types.package; default = pkgs.hello; defaultText = lib.literalExpression "pkgs.hello"; - description = "The hello package to use."; + description = lib.mdDoc "The hello package to use."; } ``` @@ -132,7 +133,7 @@ lib.mkOption { default = pkgs.ghc; defaultText = lib.literalExpression "pkgs.ghc"; example = lib.literalExpression "pkgs.haskell.packages.ghc92.ghc.withPackages (hkgs: [ hkgs.primes ])"; - description = "The GHC package to use."; + description = lib.mdDoc "The GHC package to use."; } ``` diff --git a/nixos/doc/manual/from_md/configuration/config-syntax.chapter.xml b/nixos/doc/manual/from_md/configuration/config-syntax.chapter.xml index 01446e53e38..baf9639554c 100644 --- a/nixos/doc/manual/from_md/configuration/config-syntax.chapter.xml +++ b/nixos/doc/manual/from_md/configuration/config-syntax.chapter.xml @@ -17,5 +17,4 @@ <xi:include href="config-file.section.xml" /> <xi:include href="abstractions.section.xml" /> <xi:include href="modularity.section.xml" /> - <xi:include href="summary.section.xml" /> </chapter> diff --git a/nixos/doc/manual/from_md/configuration/summary.section.xml b/nixos/doc/manual/from_md/configuration/summary.section.xml deleted file mode 100644 index 96a178c4930..00000000000 --- a/nixos/doc/manual/from_md/configuration/summary.section.xml +++ /dev/null @@ -1,332 +0,0 @@ -<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-nix-syntax-summary"> - <title>Syntax Summary</title> - <para> - Below is a summary of the most important syntactic constructs in the - Nix expression language. It’s not complete. In particular, there are - many other built-in functions. See the - <link xlink:href="https://nixos.org/nix/manual/#chap-writing-nix-expressions">Nix - manual</link> for the rest. - </para> - <informaltable> - <tgroup cols="2"> - <colspec align="left" /> - <colspec align="left" /> - <thead> - <row> - <entry> - Example - </entry> - <entry> - Description - </entry> - </row> - </thead> - <tbody> - <row> - <entry> - <emphasis>Basic values</emphasis> - </entry> - <entry> - </entry> - </row> - <row> - <entry> - <literal>"Hello world"</literal> - </entry> - <entry> - A string - </entry> - </row> - <row> - <entry> - <literal>"${pkgs.bash}/bin/sh"</literal> - </entry> - <entry> - A string containing an expression (expands to - <literal>"/nix/store/hash-bash-version/bin/sh"</literal>) - </entry> - </row> - <row> - <entry> - <literal>true</literal>, <literal>false</literal> - </entry> - <entry> - Booleans - </entry> - </row> - <row> - <entry> - <literal>123</literal> - </entry> - <entry> - An integer - </entry> - </row> - <row> - <entry> - <literal>./foo.png</literal> - </entry> - <entry> - A path (relative to the containing Nix expression) - </entry> - </row> - <row> - <entry> - <emphasis>Compound values</emphasis> - </entry> - <entry> - </entry> - </row> - <row> - <entry> - <literal>{ x = 1; y = 2; }</literal> - </entry> - <entry> - A set with attributes named <literal>x</literal> and - <literal>y</literal> - </entry> - </row> - <row> - <entry> - <literal>{ foo.bar = 1; }</literal> - </entry> - <entry> - A nested set, equivalent to - <literal>{ foo = { bar = 1; }; }</literal> - </entry> - </row> - <row> - <entry> - <literal>rec { x = "foo"; y = x + "bar"; }</literal> - </entry> - <entry> - A recursive set, equivalent to - <literal>{ x = "foo"; y = "foobar"; }</literal> - </entry> - </row> - <row> - <entry> - <literal>[ "foo" "bar" ]</literal> - </entry> - <entry> - A list with two elements - </entry> - </row> - <row> - <entry> - <emphasis>Operators</emphasis> - </entry> - <entry> - </entry> - </row> - <row> - <entry> - <literal>"foo" + "bar"</literal> - </entry> - <entry> - String concatenation - </entry> - </row> - <row> - <entry> - <literal>1 + 2</literal> - </entry> - <entry> - Integer addition - </entry> - </row> - <row> - <entry> - <literal>"foo" == "f" + "oo"</literal> - </entry> - <entry> - Equality test (evaluates to <literal>true</literal>) - </entry> - </row> - <row> - <entry> - <literal>"foo" != "bar"</literal> - </entry> - <entry> - Inequality test (evaluates to <literal>true</literal>) - </entry> - </row> - <row> - <entry> - <literal>!true</literal> - </entry> - <entry> - Boolean negation - </entry> - </row> - <row> - <entry> - <literal>{ x = 1; y = 2; }.x</literal> - </entry> - <entry> - Attribute selection (evaluates to <literal>1</literal>) - </entry> - </row> - <row> - <entry> - <literal>{ x = 1; y = 2; }.z or 3</literal> - </entry> - <entry> - Attribute selection with default (evaluates to - <literal>3</literal>) - </entry> - </row> - <row> - <entry> - <literal>{ x = 1; y = 2; } // { z = 3; }</literal> - </entry> - <entry> - Merge two sets (attributes in the right-hand set taking - precedence) - </entry> - </row> - <row> - <entry> - <emphasis>Control structures</emphasis> - </entry> - <entry> - </entry> - </row> - <row> - <entry> - <literal>if 1 + 1 == 2 then "yes!" else "no!"</literal> - </entry> - <entry> - Conditional expression - </entry> - </row> - <row> - <entry> - <literal>assert 1 + 1 == 2; "yes!"</literal> - </entry> - <entry> - Assertion check (evaluates to - <literal>"yes!"</literal>). See - <xref linkend="sec-assertions" /> for using assertions in - modules - </entry> - </row> - <row> - <entry> - <literal>let x = "foo"; y = "bar"; in x + y</literal> - </entry> - <entry> - Variable definition - </entry> - </row> - <row> - <entry> - <literal>with pkgs.lib; head [ 1 2 3 ]</literal> - </entry> - <entry> - Add all attributes from the given set to the scope - (evaluates to <literal>1</literal>) - </entry> - </row> - <row> - <entry> - <emphasis>Functions (lambdas)</emphasis> - </entry> - <entry> - </entry> - </row> - <row> - <entry> - <literal>x: x + 1</literal> - </entry> - <entry> - A function that expects an integer and returns it increased - by 1 - </entry> - </row> - <row> - <entry> - <literal>(x: x + 1) 100</literal> - </entry> - <entry> - A function call (evaluates to 101) - </entry> - </row> - <row> - <entry> - <literal>let inc = x: x + 1; in inc (inc (inc 100))</literal> - </entry> - <entry> - A function bound to a variable and subsequently called by - name (evaluates to 103) - </entry> - </row> - <row> - <entry> - <literal>{ x, y }: x + y</literal> - </entry> - <entry> - A function that expects a set with required attributes - <literal>x</literal> and <literal>y</literal> and - concatenates them - </entry> - </row> - <row> - <entry> - <literal>{ x, y ? "bar" }: x + y</literal> - </entry> - <entry> - A function that expects a set with required attribute - <literal>x</literal> and optional <literal>y</literal>, - using <literal>"bar"</literal> as default value - for <literal>y</literal> - </entry> - </row> - <row> - <entry> - <literal>{ x, y, ... }: x + y</literal> - </entry> - <entry> - A function that expects a set with required attributes - <literal>x</literal> and <literal>y</literal> and ignores - any other attributes - </entry> - </row> - <row> - <entry> - <literal>{ x, y } @ args: x + y</literal> - </entry> - <entry> - A function that expects a set with required attributes - <literal>x</literal> and <literal>y</literal>, and binds the - whole set to <literal>args</literal> - </entry> - </row> - <row> - <entry> - <emphasis>Built-in functions</emphasis> - </entry> - <entry> - </entry> - </row> - <row> - <entry> - <literal>import ./foo.nix</literal> - </entry> - <entry> - Load and return Nix expression in given file - </entry> - </row> - <row> - <entry> - <literal>map (x: x + x) [ 1 2 3 ]</literal> - </entry> - <entry> - Apply a function to every element of a list (evaluates to - <literal>[ 2 4 6 ]</literal>) - </entry> - </row> - </tbody> - </tgroup> - </informaltable> -</section> diff --git a/nixos/doc/manual/from_md/configuration/user-mgmt.chapter.xml b/nixos/doc/manual/from_md/configuration/user-mgmt.chapter.xml index 06492d5c251..a2d7d2a9f11 100644 --- a/nixos/doc/manual/from_md/configuration/user-mgmt.chapter.xml +++ b/nixos/doc/manual/from_md/configuration/user-mgmt.chapter.xml @@ -39,7 +39,7 @@ users.users.alice = { Passwords may still be assigned by setting the user's <link linkend="opt-users.users._name_.hashedPassword">hashedPassword</link> option. A hashed password can be generated using - <literal>mkpasswd -m sha-512</literal>. + <literal>mkpasswd</literal>. </para> <para> A user ID (uid) is assigned automatically. You can also specify a diff --git a/nixos/doc/manual/from_md/development/option-declarations.section.xml b/nixos/doc/manual/from_md/development/option-declarations.section.xml index 69163853b62..0932a51a18c 100644 --- a/nixos/doc/manual/from_md/development/option-declarations.section.xml +++ b/nixos/doc/manual/from_md/development/option-declarations.section.xml @@ -12,7 +12,7 @@ options = { type = type specification; default = default value; example = example value; - description = "Description for use in the NixOS manual."; + description = lib.mdDoc "Description for use in the NixOS manual."; }; }; </programlisting> @@ -98,9 +98,11 @@ options = { A textual description of the option, in <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-contributing-markup">Nixpkgs-flavored Markdown</link> format, that will be included in the NixOS - manual. During the migration process from DocBook to - CommonMark the description may also be written in DocBook, but - this is discouraged. + manual. During the migration process from DocBook it is + necessary to mark descriptions written in CommonMark with + <literal>lib.mdDoc</literal>. The description may still be + written in DocBook (without any marker), but this is + discouraged and will be deprecated in the future. </para> </listitem> </varlistentry> @@ -132,7 +134,7 @@ lib.mkOption { type = lib.types.bool; default = false; example = true; - description = "Whether to enable magic."; + description = lib.mdDoc "Whether to enable magic."; } </programlisting> <section xml:id="sec-option-declarations-util-mkPackageOption"> @@ -182,7 +184,7 @@ lib.mkOption { type = lib.types.package; default = pkgs.hello; defaultText = lib.literalExpression "pkgs.hello"; - description = "The hello package to use."; + description = lib.mdDoc "The hello package to use."; } </programlisting> <anchor xml:id="ex-options-declarations-util-mkPackageOption-ghc" /> @@ -197,7 +199,7 @@ lib.mkOption { default = pkgs.ghc; defaultText = lib.literalExpression "pkgs.ghc"; example = lib.literalExpression "pkgs.haskell.packages.ghc92.ghc.withPackages (hkgs: [ hkgs.primes ])"; - description = "The GHC package to use."; + description = lib.mdDoc "The GHC package to use."; } </programlisting> <section xml:id="sec-option-declarations-eot"> diff --git a/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml b/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml index 024a24379dd..35309a7aa32 100644 --- a/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml +++ b/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml @@ -211,7 +211,7 @@ $ sudo groupdel nixbld Generate your NixOS configuration: </para> <programlisting> -$ sudo `which nixos-generate-config` --root / +$ sudo `which nixos-generate-config` </programlisting> <para> Note that this will place the generated configuration files in diff --git a/nixos/doc/manual/from_md/installation/installing.chapter.xml b/nixos/doc/manual/from_md/installation/installing.chapter.xml index 02a0f14b984..f2ed58c0c1f 100644 --- a/nixos/doc/manual/from_md/installation/installing.chapter.xml +++ b/nixos/doc/manual/from_md/installation/installing.chapter.xml @@ -455,8 +455,8 @@ OK <listitem> <para> Finally, add a <emphasis>swap</emphasis> partition. The - size required will vary according to needs, here a 8GiB - one is created. + size required will vary according to needs, here a 8GB one + is created. </para> <programlisting> # parted /dev/sda -- mkpart primary linux-swap -8GB 100% @@ -814,8 +814,8 @@ $ passwd eelco </para> <programlisting> # parted /dev/sda -- mklabel msdos -# parted /dev/sda -- mkpart primary 1MiB -8GiB -# parted /dev/sda -- mkpart primary linux-swap -8GiB 100% +# parted /dev/sda -- mkpart primary 1MB -8GB +# parted /dev/sda -- mkpart primary linux-swap -8GB 100% </programlisting> <anchor xml:id="ex-partition-scheme-UEFI" /> <para> @@ -824,9 +824,9 @@ $ passwd eelco </para> <programlisting> # parted /dev/sda -- mklabel gpt -# parted /dev/sda -- mkpart primary 512MiB -8GiB -# parted /dev/sda -- mkpart primary linux-swap -8GiB 100% -# parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB +# parted /dev/sda -- mkpart primary 512MB -8GB +# parted /dev/sda -- mkpart primary linux-swap -8GB 100% +# parted /dev/sda -- mkpart ESP fat32 1MB 512MB # parted /dev/sda -- set 3 esp on </programlisting> <anchor xml:id="ex-install-sequence" /> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index 48431198056..688f0f47676 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -1435,7 +1435,7 @@ Superuser created successfully. <para> The default GNAT version has been changed: The <literal>gnat</literal> attribute now points to - <literal>gnat11</literal> instead of <literal>gnat9</literal>. + <literal>gnat12</literal> instead of <literal>gnat9</literal>. </para> </listitem> <listitem> @@ -2106,7 +2106,7 @@ Superuser created successfully. <literal>ghc810</literal>. Those attributes point to the same compilers and packagesets but have the advantage that e.g. <literal>ghc92</literal> stays stable when we update from - <literal>ghc924</literal> to <literal>ghc925</literal>. + <literal>ghc925</literal> to <literal>ghc926</literal>. </para> </listitem> </itemizedlist> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index 6e138ae2155..126f650250c 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -132,6 +132,20 @@ </listitem> <listitem> <para> + PHP is now built <literal>NTS</literal> (Non-Thread Safe) + style by default, for Apache and <literal>mod_php</literal> + usage we still enable <literal>ZTS</literal> (Zend Thread + Safe). This has been a common practice for a long time in + other distributions. + </para> + </listitem> + <listitem> + <para> + PHP 8.2.0 RC 7 is available. + </para> + </listitem> + <listitem> + <para> <literal>protonup</literal> has been aliased to and replaced by <literal>protonup-ng</literal> due to upstream not maintaining it. @@ -198,6 +212,14 @@ </listitem> <listitem> <para> + <link xlink:href="https://github.com/maxbrunet/automatic-timezoned">automatic-timezoned</link>. + a Linux daemon to automatically update the system timezone + based on location. Available as + <link linkend="opt-services.automatic-timezoned.enable">services.automatic-timezoned</link>. + </para> + </listitem> + <listitem> + <para> [xray] (https://github.com/XTLS/Xray-core), a fully compatible v2ray-core replacement. Features XTLS, which when enabled on server and client, brings UDP FullCone NAT to proxy setups. @@ -258,6 +280,16 @@ </listitem> <listitem> <para> + <link xlink:href="https://evcc.io">EVCC</link> is an EV charge + controller with PV integration. It supports a multitude of + chargers, meters, vehicle APIs and more and ties that together + with a well-tested backend and a lightweight web frontend. + Available as + <link linkend="opt-services.evcc.enable">services.evcc</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://github.com/leetronics/infnoise">infnoise</link>, a hardware True Random Number Generator dongle. Available as <link xlink:href="options.html#opt-services.infnoise.enable">services.infnoise</link>. @@ -560,6 +592,15 @@ </listitem> <listitem> <para> + The <literal>fetchgit</literal> fetcher supports sparse + checkouts via the <literal>sparseCheckout</literal> option. + This used to accept a multi-line string with + directories/patterns to check out, but now requires a list of + strings. + </para> + </listitem> + <listitem> + <para> <literal>openssh</literal> was updated to version 9.1, disabling the generation of DSA keys when using <literal>ssh-keygen -A</literal> as they are insecure. Also, @@ -609,6 +650,23 @@ </listitem> <listitem> <para> + The <literal>openssl</literal>-extension for the PHP + interpreter used by Nextcloud is built against OpenSSL 1.1 if + <xref linkend="opt-system.stateVersion" /> is below + <literal>22.11</literal>. This is to make sure that people + using + <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side + encryption</link> don’t lose access to their files. + </para> + <para> + In any other case it’s safe to use OpenSSL 3 for PHP’s openssl + extension. This can be done by setting + <xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" /> + to <literal>false</literal>. + </para> + </listitem> + <listitem> + <para> The <literal>coq</literal> package and versioned variants starting at <literal>coq_8_14</literal> no longer include CoqIDE, which is now available through @@ -653,6 +711,14 @@ </listitem> <listitem> <para> + <literal>kanidm</literal> has been updated to 1.1.0-alpha.10 + and now requires a tls certificate and key. It will always + start an https and – if enabled – an ldaps server and no http + and ldap server anymore. + </para> + </listitem> + <listitem> + <para> riak package removed along with <literal>services.riak</literal> module, due to lack of maintainer to update the package. @@ -863,6 +929,12 @@ </listitem> <listitem> <para> + Linux 4.9 has been removed because it will reach its end of + life within the lifespan of 22.11. + </para> + </listitem> + <listitem> + <para> (Neo)Vim can not be configured with <literal>configure.pathogen</literal> anymore to reduce maintainance burden. Use <literal>configure.packages</literal> @@ -946,6 +1018,14 @@ </listitem> <listitem> <para> + <literal>obs-studio</literal> hase been updated to version 28. + If you have packaged custom plugins, check if they are + compatible. <literal>obs-websocket</literal> has been + integrated into <literal>obs-studio</literal>. + </para> + </listitem> + <listitem> + <para> <literal>signald</literal> has been bumped to <literal>0.23.0</literal>. For the upgrade, a migration process is necessary. It can be done by running a command like @@ -971,6 +1051,12 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> + <literal>ocamlPackages.ocaml_extlib</literal> has been renamed + to <literal>ocamlPackages.extlib</literal>. + </para> + </listitem> + <listitem> + <para> <literal>pkgs.fetchNextcloudApp</literal> has been rewritten to circumvent impurities in e.g. tarballs from GitHub and to make it easier to apply patches. This means that your hashes @@ -979,6 +1065,34 @@ signald -d /var/lib/signald/db \ longer accepted. </para> </listitem> + <listitem> + <para> + The Syncthing service now only allows absolute paths—starting + with <literal>/</literal> or <literal>~/</literal>—for + <literal>services.syncthing.folders.<name>.path</literal>. + In a future release other paths will be allowed again and + interpreted relative to + <literal>services.syncthing.dataDir</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>services.github-runner</literal> and + <literal>services.github-runners.<name></literal> gained + the option <literal>serviceOverrides</literal> which allows + overriding the systemd <literal>serviceConfig</literal>. If + you have been overriding the systemd service configuration + (i.e., by defining + <literal>systemd.services.github-runner.serviceConfig</literal>), + you have to use the <literal>serviceOverrides</literal> option + now. Example: + </para> + <programlisting> +services.github-runner.serviceOverrides.SupplementaryGroups = [ + "docker" +]; +</programlisting> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-22.11-notable-changes"> @@ -986,6 +1100,17 @@ signald -d /var/lib/signald/db \ <itemizedlist> <listitem> <para> + <literal>firefox</literal>, <literal>thunderbird</literal> and + <literal>librewolf</literal> come with enabled Wayland support + by default. The <literal>firefox-wayland</literal>, + <literal>firefox-esr-wayland</literal>, + <literal>thunderbird-wayland</literal> and + <literal>librewolf-wayland</literal> attributes are obsolete + and have been aliased to their generic attribute. + </para> + </listitem> + <listitem> + <para> The <literal>xplr</literal> package has been updated from 0.18.0 to 0.19.0, which brings some breaking changes. See the <link xlink:href="https://github.com/sayanarijit/xplr/releases/tag/v0.19.0">upstream @@ -994,6 +1119,13 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> + Configuring multiple GitHub runners is now possible through + <literal>services.github-runners.<name></literal>. The + option <literal>services.github-runner</literal> remains. + </para> + </listitem> + <listitem> + <para> <literal>github-runner</literal> gained support for ephemeral runners and registrations using a personal access token (PAT) instead of a registration token. See @@ -1101,22 +1233,146 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> - The <literal>services.grafana</literal> options were converted - to a - <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC - 0042</link> configuration. - </para> - </listitem> - <listitem> - <para> - The <literal>services.grafana.provision.datasources</literal> - and <literal>services.grafana.provision.dashboards</literal> - options were converted to a + The module <literal>services.grafana</literal> was refactored + to be compliant with <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC - 0042</link> configuration. They also now support specifying - the provisioning YAML file with <literal>path</literal> - option. + 0042</link>. To be precise, this means that the following + things have changed: </para> + <itemizedlist> + <listitem> + <para> + The newly introduced option + <xref linkend="opt-services.grafana.settings" /> is an + attribute-set that will be converted into Grafana’s INI + format. This means that the configuration from + <link xlink:href="https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/">Grafana’s + configuration reference</link> can be directly written as + attribute-set in Nix within this option. + </para> + </listitem> + <listitem> + <para> + The option + <literal>services.grafana.extraOptions</literal> has been + removed. This option was an association of environment + variables for Grafana. If you had an expression like + </para> + <programlisting language="bash"> +{ + services.grafana.extraOptions.SECURITY_ADMIN_USER = "foobar"; +} +</programlisting> + <para> + your Grafana instance was running with + <literal>GF_SECURITY_ADMIN_USER=foobar</literal> in its + environment. + </para> + <para> + For the migration, it is recommended to turn it into the + INI format, i.e. to declare + </para> + <programlisting language="bash"> +{ + services.grafana.settings.security.admin_user = "foobar"; +} +</programlisting> + <para> + instead. + </para> + <para> + The keys in + <literal>services.grafana.extraOptions</literal> have the + format + <literal><INI section name>_<Key Name></literal>. + Further details are outlined in the + <link xlink:href="https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#override-configuration-with-environment-variables">configuration + reference</link>. + </para> + <para> + Alternatively you can also set all your values from + <literal>extraOptions</literal> to + <literal>systemd.services.grafana.environment</literal>, + make sure you don’t forget to add the + <literal>GF_</literal> prefix though! + </para> + </listitem> + <listitem> + <para> + Previously, the options + <xref linkend="opt-services.grafana.provision.datasources" /> + and + <xref linkend="opt-services.grafana.provision.dashboards" /> + expected lists of datasources or dashboards for the + <link xlink:href="https://grafana.com/docs/grafana/latest/administration/provisioning/">declarative + provisioning</link>. + </para> + <para> + To declare lists of + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <emphasis role="strong">datasources</emphasis>, please + rename your declarations to + <xref linkend="opt-services.grafana.provision.datasources.settings.datasources" />. + </para> + </listitem> + <listitem> + <para> + <emphasis role="strong">dashboards</emphasis>, please + rename your declarations to + <xref linkend="opt-services.grafana.provision.dashboards.settings.providers" />. + </para> + </listitem> + </itemizedlist> + <para> + This change was made to support more features for that: + </para> + <itemizedlist> + <listitem> + <para> + It’s possible to declare the + <literal>apiVersion</literal> of your dashboards and + datasources by + <xref linkend="opt-services.grafana.provision.datasources.settings.apiVersion" /> + (or + <xref linkend="opt-services.grafana.provision.dashboards.settings.apiVersion" />). + </para> + </listitem> + <listitem> + <para> + Instead of declaring datasources and dashboards in + pure Nix, it’s also possible to specify configuration + files (or directories) with YAML instead using + <xref linkend="opt-services.grafana.provision.datasources.path" /> + (or + <xref linkend="opt-services.grafana.provision.dashboards.path" />. + This is useful when having provisioning files from + non-NixOS Grafana instances that you also want to + deploy to NixOS. + </para> + <para> + <emphasis role="strong">Note:</emphasis> secrets from + these files will be leaked into the store unless you + use a + <link xlink:href="https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider"><emphasis role="strong">file</emphasis>-provider + or env-var</link> for secrets! + </para> + </listitem> + <listitem> + <para> + <xref linkend="opt-services.grafana.provision.notifiers" /> + is not affected by this change because this feature is + deprecated by Grafana and will probably removed in + Grafana 10. It’s recommended to use + <literal>services.grafana.provision.alerting.contactPoints</literal> + instead. + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> </listitem> <listitem> <para> @@ -1156,6 +1412,14 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> + The <literal>netlify-cli</literal> package has been updated + from 6.13.2 to 12.2.4, see the + <link xlink:href="https://github.com/netlify/cli/releases">changelog</link> + for more details. + </para> + </listitem> + <listitem> + <para> <literal>dockerTools.buildImage</literal> deprecates the misunderstood <literal>contents</literal> parameter, in favor of <literal>copyToRoot</literal>. Use @@ -1165,6 +1429,26 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> + The <literal>proxmox.qemuConf.bios</literal> option was added, + it corresponds to <literal>Hardware->BIOS</literal> field + in Proxmox web interface. Use + <literal>"ovmf"</literal> value to build UEFI image, + default value remains <literal>"bios"</literal>. New + option <literal>proxmox.partitionTableType</literal> defaults + to either <literal>"legacy"</literal> or + <literal>"efi"</literal>, depending on the + <literal>bios</literal> value. Setting + <literal>partitionTableType</literal> to + <literal>"hybrid"</literal> results in an image, + which supports both methods + (<literal>"bios"</literal> and + <literal>"ovmf"</literal>), thereby remaining + bootable after change to Proxmox + <literal>Hardware->BIOS</literal> field. + </para> + </listitem> + <listitem> + <para> memtest86+ was updated from 5.00-coreboot-002 to 6.00-beta2. It is now the upstream version from https://www.memtest.org/, as coreboot’s fork is no longer available. @@ -1356,6 +1640,16 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> + The Mastodon package got upgraded from the major version 3 to + 4. See the + <link xlink:href="https://github.com/mastodon/mastodon/releases/tag/v4.0.0">v4.0.0 + release notes</link> for a list of changes. On standard + setups, no manual migration steps are required. Nevertheless, + a database backup is recommended. + </para> + </listitem> + <listitem> + <para> The <literal>nomad</literal> package now defaults to 1.3, which no longer has a downgrade path to releases 1.2 or older. </para> @@ -1390,6 +1684,40 @@ signald -d /var/lib/signald/db \ for those who want to use it. </para> </listitem> + <listitem> + <para> + A NixOS module for Firefox has been added which allows + preferences and + <link xlink:href="https://github.com/mozilla/policy-templates/blob/master/README.md">policies</link> + to be set. This also allows extensions to be installed via the + <literal>ExtensionSettings</literal> policy. The new options + are under <literal>programs.firefox</literal>. + </para> + </listitem> + <listitem> + <para> + The option + <literal>services.picom.experimentalBackends</literal> was + removed since it is now the default and the option will cause + <literal>picom</literal> to quit instead. + </para> + </listitem> + <listitem> + <para> + <literal>haskellPackage.callHackage</literal> is not always + invalidated if <literal>all-cabal-hashes</literal> changes, + leading to less rebuilds of haskell dependencies. + </para> + </listitem> + <listitem> + <para> + <literal>haskellPackages.callHackage</literal> and + <literal>haskellPackages.callCabal2nix</literal> (and related + functions) no longer keep a reference to the + <literal>cabal2nix</literal> call used to generate them. As a + result, they will be garbage collected more often. + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml new file mode 100644 index 00000000000..73ea0a9b919 --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml @@ -0,0 +1,94 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-23.05"> + <title>Release 23.05 (“Stoat”, 2023.05/??)</title> + <para> + Support is planned until the end of December 2023, handing over to + 23.11. + </para> + <section xml:id="sec-release-23.05-highlights"> + <title>Highlights</title> + <para> + In addition to numerous new and upgraded packages, this release + has the following highlights: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Create the first release note entry in this section! + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-23.05-new-services"> + <title>New Services</title> + <itemizedlist spacing="compact"> + <listitem> + <para> + Create the first release note entry in this section! + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-23.05-incompatibilities"> + <title>Backward Incompatibilities</title> + <itemizedlist> + <listitem> + <para> + <literal>carnix</literal> and <literal>cratesIO</literal> has + been removed due to being unmaintained, use alternatives such + as + <link xlink:href="https://github.com/nix-community/naersk">naersk</link> + and + <link xlink:href="https://github.com/kolloch/crate2nix">crate2nix</link> + instead. + </para> + </listitem> + <listitem> + <para> + The EC2 image module no longer fetches instance metadata in + stage-1. This results in a significantly smaller initramfs, + since network drivers no longer need to be included, and + faster boots, since metadata fetching can happen in parallel + with startup of other services. This breaks services which + rely on metadata being present by the time stage-2 is entered. + Anything which reads EC2 metadata from + <literal>/etc/ec2-metadata</literal> should now have an + <literal>after</literal> dependency on + <literal>fetch-ec2-metadata.service</literal> + </para> + </listitem> + <listitem> + <para> + The EC2 image module previously detected and automatically + mounted ext3-formatted instance store devices and partitions + in stage-1 (initramfs), storing <literal>/tmp</literal> on the + first discovered device. This behaviour, which only catered to + very specific use cases and could not be disabled, has been + removed. Users relying on this should provide their own + implementation, and probably use ext4 and perform the mount in + stage-2. + </para> + </listitem> + <listitem> + <para> + The EC2 image module previously detected and activated + swap-formatted instance store devices and partitions in + stage-1 (initramfs). This behaviour has been removed. Users + relying on this should provide their own implementation. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-23.05-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist spacing="compact"> + <listitem> + <para> + The module for the application firewall + <literal>opensnitch</literal> got the ability to configure + rules. Available as + <link linkend="opt-services.opensnitch.rules">services.opensnitch.rules</link> + </para> + </listitem> + </itemizedlist> + </section> +</section> diff --git a/nixos/doc/manual/installation/installing-from-other-distro.section.md b/nixos/doc/manual/installation/installing-from-other-distro.section.md index fa8806f791d..b9ccf141517 100644 --- a/nixos/doc/manual/installation/installing-from-other-distro.section.md +++ b/nixos/doc/manual/installation/installing-from-other-distro.section.md @@ -148,7 +148,7 @@ The first steps to all these are the same: Generate your NixOS configuration: ```ShellSession - $ sudo `which nixos-generate-config` --root / + $ sudo `which nixos-generate-config` ``` Note that this will place the generated configuration files in diff --git a/nixos/doc/manual/installation/installing.chapter.md b/nixos/doc/manual/installation/installing.chapter.md index 44e7e29421d..2c86cb923a5 100644 --- a/nixos/doc/manual/installation/installing.chapter.md +++ b/nixos/doc/manual/installation/installing.chapter.md @@ -307,7 +307,7 @@ update /etc/fstab. ``` 4. Finally, add a *swap* partition. The size required will vary - according to needs, here a 8GiB one is created. + according to needs, here a 8GB one is created. ```ShellSession # parted /dev/sda -- mkpart primary linux-swap -8GB 100% @@ -543,8 +543,8 @@ corresponding configuration Nix expression. ::: ```ShellSession # parted /dev/sda -- mklabel msdos -# parted /dev/sda -- mkpart primary 1MiB -8GiB -# parted /dev/sda -- mkpart primary linux-swap -8GiB 100% +# parted /dev/sda -- mkpart primary 1MB -8GB +# parted /dev/sda -- mkpart primary linux-swap -8GB 100% ``` ::: @@ -554,9 +554,9 @@ corresponding configuration Nix expression. ::: ```ShellSession # parted /dev/sda -- mklabel gpt -# parted /dev/sda -- mkpart primary 512MiB -8GiB -# parted /dev/sda -- mkpart primary linux-swap -8GiB 100% -# parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB +# parted /dev/sda -- mkpart primary 512MB -8GB +# parted /dev/sda -- mkpart primary linux-swap -8GB 100% +# parted /dev/sda -- mkpart ESP fat32 1MB 512MB # parted /dev/sda -- set 3 esp on ``` ::: diff --git a/nixos/doc/manual/release-notes/release-notes.xml b/nixos/doc/manual/release-notes/release-notes.xml index ee5009faf6f..bb5cc677afb 100644 --- a/nixos/doc/manual/release-notes/release-notes.xml +++ b/nixos/doc/manual/release-notes/release-notes.xml @@ -8,6 +8,7 @@ This section lists the release notes for each stable version of NixOS and current unstable revision. </para> + <xi:include href="../from_md/release-notes/rl-2305.section.xml" /> <xi:include href="../from_md/release-notes/rl-2211.section.xml" /> <xi:include href="../from_md/release-notes/rl-2205.section.xml" /> <xi:include href="../from_md/release-notes/rl-2111.section.xml" /> diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index bc3bd639b1b..1ff2e826c60 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md @@ -427,7 +427,7 @@ In addition to numerous new and upgraded packages, this release has the followin - The `services.ddclient.password` option was removed, and replaced with `services.ddclient.passwordFile`. -- The default GNAT version has been changed: The `gnat` attribute now points to `gnat11` +- The default GNAT version has been changed: The `gnat` attribute now points to `gnat12` instead of `gnat9`. - `retroArchCores` has been removed. This means that using `nixpkgs.config.retroarch` to customize RetroArch cores is not supported anymore. Instead, use package overrides, for example: `retroarch.override { cores = with libretro; [ citra snes9x ]; };`. Also, `retroarchFull` derivation is available for those who want to have all RetroArch cores available. @@ -576,4 +576,4 @@ In addition to numerous new and upgraded packages, this release has the followin - More jdk and jre versions are now exposed via `java-packages.compiler`. -- The sets `haskell.packages` and `haskell.compiler` now contain for every ghc version an attribute with the minor version dropped. E.g. for `ghc8107` there also now exists `ghc810`. Those attributes point to the same compilers and packagesets but have the advantage that e.g. `ghc92` stays stable when we update from `ghc924` to `ghc925`. +- The sets `haskell.packages` and `haskell.compiler` now contain for every ghc version an attribute with the minor version dropped. E.g. for `ghc8107` there also now exists `ghc810`. Those attributes point to the same compilers and packagesets but have the advantage that e.g. `ghc92` stays stable when we update from `ghc925` to `ghc926`. diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index 2960b363f58..64f1e089a41 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md @@ -53,6 +53,12 @@ In addition to numerous new and upgraded packages, this release has the followin - PHP now defaults to PHP 8.1, updated from 8.0. +- PHP is now built `NTS` (Non-Thread Safe) style by default, for Apache and + `mod_php` usage we still enable `ZTS` (Zend Thread Safe). This has been a + common practice for a long time in other distributions. + +- PHP 8.2.0 RC 7 is available. + - `protonup` has been aliased to and replaced by `protonup-ng` due to upstream not maintaining it. - Perl has been updated to 5.36, and its core module `HTTP::Tiny` was patched to verify SSL/TLS certificates by default. @@ -74,6 +80,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable). +- [automatic-timezoned](https://github.com/maxbrunet/automatic-timezoned). a Linux daemon to automatically update the system timezone based on location. Available as [services.automatic-timezoned](#opt-services.automatic-timezoned.enable). + - [xray] (https://github.com/XTLS/Xray-core), a fully compatible v2ray-core replacement. Features XTLS, which when enabled on server and client, brings UDP FullCone NAT to proxy setups. Available as [services.xray](options.html#opt-services.xray.enable). - [syncstorage-rs](https://github.com/mozilla-services/syncstorage-rs), a self-hostable sync server for Firefox. Available as [services.firefox-syncserver](options.html#opt-services.firefox-syncserver.enable). @@ -90,6 +98,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [Sachet](https://github.com/messagebird/sachet/), an SMS alerting tool for the Prometheus Alertmanager. Available as [services.prometheus.sachet](#opt-services.prometheus.sachet.enable). +- [EVCC](https://evcc.io) is an EV charge controller with PV integration. It supports a multitude of chargers, meters, vehicle APIs and more and ties that together with a well-tested backend and a lightweight web frontend. Available as [services.evcc](#opt-services.evcc.enable). + - [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle. Available as [services.infnoise](options.html#opt-services.infnoise.enable). @@ -183,6 +193,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `fetchgit` fetcher now uses [cone mode](https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalscone_mode_handling) by default for sparse checkouts. [Non-cone mode](https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalsnon_cone_problems) can be enabled by passing `nonConeMode = true`, but note that non-cone mode is deprecated and this option may be removed alongside a future Git update without notice. +- The `fetchgit` fetcher supports sparse checkouts via the `sparseCheckout` option. This used to accept a multi-line string with directories/patterns to check out, but now requires a list of strings. + - `openssh` was updated to version 9.1, disabling the generation of DSA keys when using `ssh-keygen -A` as they are insecure. Also, `SetEnv` directives in `ssh_config` and `sshd_config` are now first-match-wins - `bsp-layout` no longer uses the command `cycle` to switch to other window layouts, as it got replaced by the commands `previous` and `next`. @@ -196,6 +208,13 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead. +- The `openssl`-extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if + [](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html) + don't lose access to their files. + + In any other case it's safe to use OpenSSL 3 for PHP's openssl extension. This can be done by setting + [](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`. + - The `coq` package and versioned variants starting at `coq_8_14` no longer include CoqIDE, which is now available through `coqPackages.coqide`. It is still possible to get CoqIDE as part of @@ -212,6 +231,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues. Users who still wish to remain using GTK can do so by using `emacs-gtk`. +- `kanidm` has been updated to 1.1.0-alpha.10 and now requires a tls certificate and key. It will always start an https and – if enabled – an ldaps server and no http and ldap server anymore. + - riak package removed along with `services.riak` module, due to lack of maintainer to update the package. - ppd files in `pkgs.cups-drv-rastertosag-gdi` are now gzipped. If you refer to such a ppd file with its path (e.g. via [hardware.printers.ensurePrinters](options.html#opt-hardware.printers.ensurePrinters)) you will need to append `.gz` to the path. @@ -265,6 +286,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The top-level `termonad-with-packages` alias for `termonad` has been removed. +- Linux 4.9 has been removed because it will reach its end of life within the lifespan of 22.11. + - (Neo)Vim can not be configured with `configure.pathogen` anymore to reduce maintainance burden. Use `configure.packages` instead. - Neovim can not be configured with plug anymore (still works for vim). @@ -286,6 +309,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - `percona-server56` has been removed. Please migrate to `mysql` or `mariadb` if possible. +- `obs-studio` hase been updated to version 28. If you have packaged custom plugins, check if they are compatible. `obs-websocket` has been integrated into `obs-studio`. + - `signald` has been bumped to `0.23.0`. For the upgrade, a migration process is necessary. It can be done by running a command like this before starting `signald.service`: @@ -299,16 +324,35 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - `stylua` no longer accepts `lua52Support` and `luauSupport` overrides, use `features` instead, which defaults to `[ "lua54" "luau" ]`. +- `ocamlPackages.ocaml_extlib` has been renamed to `ocamlPackages.extlib`. + - `pkgs.fetchNextcloudApp` has been rewritten to circumvent impurities in e.g. tarballs from GitHub and to make it easier to apply patches. This means that your hashes are out-of-date and the (previously required) attributes `name` and `version` are no longer accepted. +- The Syncthing service now only allows absolute paths---starting with `/` or + `~/`---for `services.syncthing.folders.<name>.path`. + In a future release other paths will be allowed again and interpreted + relative to `services.syncthing.dataDir`. + +- `services.github-runner` and `services.github-runners.<name>` gained the option `serviceOverrides` which allows overriding the systemd `serviceConfig`. If you have been overriding the systemd service configuration (i.e., by defining `systemd.services.github-runner.serviceConfig`), you have to use the `serviceOverrides` option now. Example: + + ``` + services.github-runner.serviceOverrides.SupplementaryGroups = [ + "docker" + ]; + ``` + <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> ## Other Notable Changes {#sec-release-22.11-notable-changes} +- `firefox`, `thunderbird` and `librewolf` come with enabled Wayland support by default. The `firefox-wayland`, `firefox-esr-wayland`, `thunderbird-wayland` and `librewolf-wayland` attributes are obsolete and have been aliased to their generic attribute. + - The `xplr` package has been updated from 0.18.0 to 0.19.0, which brings some breaking changes. See the [upstream release notes](https://github.com/sayanarijit/xplr/releases/tag/v0.19.0) for more details. +- Configuring multiple GitHub runners is now possible through `services.github-runners.<name>`. The option `services.github-runner` remains. + - `github-runner` gained support for ephemeral runners and registrations using a personal access token (PAT) instead of a registration token. See `services.github-runner.ephemeral` and `services.github-runner.tokenFile` for details. - A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`. @@ -341,9 +385,66 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `services.matrix-synapse` systemd unit has been hardened. -- The `services.grafana` options were converted to a [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration. +- The module `services.grafana` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed: + - The newly introduced option [](#opt-services.grafana.settings) is an attribute-set that + will be converted into Grafana's INI format. This means that the configuration from + [Grafana's configuration reference](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/) + can be directly written as attribute-set in Nix within this option. + - The option `services.grafana.extraOptions` has been removed. This option was an association + of environment variables for Grafana. If you had an expression like + + ```nix + { + services.grafana.extraOptions.SECURITY_ADMIN_USER = "foobar"; + } + ``` -- The `services.grafana.provision.datasources` and `services.grafana.provision.dashboards` options were converted to a [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration. They also now support specifying the provisioning YAML file with `path` option. + your Grafana instance was running with `GF_SECURITY_ADMIN_USER=foobar` in its environment. + + For the migration, it is recommended to turn it into the INI format, i.e. + to declare + + ```nix + { + services.grafana.settings.security.admin_user = "foobar"; + } + ``` + + instead. + + The keys in `services.grafana.extraOptions` have the format `<INI section name>_<Key Name>`. + Further details are outlined in the [configuration reference](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#override-configuration-with-environment-variables). + + Alternatively you can also set all your values from `extraOptions` to + `systemd.services.grafana.environment`, make sure you don't forget to add + the `GF_` prefix though! + - Previously, the options [](#opt-services.grafana.provision.datasources) and + [](#opt-services.grafana.provision.dashboards) expected lists of datasources + or dashboards for the [declarative provisioning](https://grafana.com/docs/grafana/latest/administration/provisioning/). + + To declare lists of + - **datasources**, please rename your declarations to [](#opt-services.grafana.provision.datasources.settings.datasources). + - **dashboards**, please rename your declarations to [](#opt-services.grafana.provision.dashboards.settings.providers). + + This change was made to support more features for that: + + - It's possible to declare the `apiVersion` of your dashboards and datasources + by [](#opt-services.grafana.provision.datasources.settings.apiVersion) (or + [](#opt-services.grafana.provision.dashboards.settings.apiVersion)). + + - Instead of declaring datasources and dashboards in pure Nix, it's also possible + to specify configuration files (or directories) with YAML instead using + [](#opt-services.grafana.provision.datasources.path) (or + [](#opt-services.grafana.provision.dashboards.path). This is useful when having + provisioning files from non-NixOS Grafana instances that you also want to + deploy to NixOS. + + __Note:__ secrets from these files will be leaked into the store unless you use a + [**file**-provider or env-var](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider) for secrets! + + - [](#opt-services.grafana.provision.notifiers) is not affected by this change because + this feature is deprecated by Grafana and will probably removed in Grafana 10. + It's recommended to use `services.grafana.provision.alerting.contactPoints` instead. - The `services.grafana.provision.alerting` option was added. It includes suboptions for every alerting-related objects (with the exception of `notifiers`), which means it's now possible to configure modern Grafana alerting declaratively. @@ -353,9 +454,13 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `guake` package has been updated from 3.6.3 to 3.9.0, see the [changelog](https://github.com/Guake/guake/releases) for more details. +- The `netlify-cli` package has been updated from 6.13.2 to 12.2.4, see the [changelog](https://github.com/netlify/cli/releases) for more details. + - `dockerTools.buildImage` deprecates the misunderstood `contents` parameter, in favor of `copyToRoot`. Use `copyToRoot = buildEnv { ... };` or similar if you intend to add packages to `/bin`. +- The `proxmox.qemuConf.bios` option was added, it corresponds to `Hardware->BIOS` field in Proxmox web interface. Use `"ovmf"` value to build UEFI image, default value remains `"bios"`. New option `proxmox.partitionTableType` defaults to either `"legacy"` or `"efi"`, depending on the `bios` value. Setting `partitionTableType` to `"hybrid"` results in an image, which supports both methods (`"bios"` and `"ovmf"`), thereby remaining bootable after change to Proxmox `Hardware->BIOS` field. + - memtest86+ was updated from 5.00-coreboot-002 to 6.00-beta2. It is now the upstream version from https://www.memtest.org/, as coreboot's fork is no longer available. - Option descriptions, examples, and defaults writting in DocBook are now deprecated. Using CommonMark is preferred and will become the default in a future release. @@ -379,12 +484,12 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - Add udev rules for the Teensy family of microcontrollers. -- The Qt QML disk cache is now disabled by default. This fixes a - long-standing issue where updating Qt/KDE apps would sometimes cause - them to crash or behave strangely without explanation. Those concerned - about the small (~10%) performance hit to application startup can - re-enable the cache (and expose themselves to gremlins) by setting the - envrionment variable `QML_FORCE_DISK_CACHE` to `1` using e.g. the +- The Qt QML disk cache is now disabled by default. This fixes a + long-standing issue where updating Qt/KDE apps would sometimes cause + them to crash or behave strangely without explanation. Those concerned + about the small (~10%) performance hit to application startup can + re-enable the cache (and expose themselves to gremlins) by setting the + envrionment variable `QML_FORCE_DISK_CACHE` to `1` using e.g. the `environment.sessionVariables` NixOS option. - systemd-oomd is enabled by default. Depending on which systemd units have @@ -412,6 +517,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service. +- The Mastodon package got upgraded from the major version 3 to 4. See the [v4.0.0 release notes](https://github.com/mastodon/mastodon/releases/tag/v4.0.0) for a list of changes. On standard setups, no manual migration steps are required. Nevertheless, a database backup is recommended. + - The `nomad` package now defaults to 1.3, which no longer has a downgrade path to releases 1.2 or older. - The `nodePackages` package set now defaults to the LTS release in the `nodejs` package again, instead of being pinned to `nodejs-14_x`. Several updates to node2nix have been made for compatibility with newer Node.js and npm versions and a new `postRebuild` hook has been added for packages to perform extra build steps before the npm install step prunes dev dependencies. @@ -420,4 +527,12 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `mame` package does not ship with its tools anymore in the default output. They were moved to a separate `tools` output instead. For convenience, `mame-tools` package was added for those who want to use it. +- A NixOS module for Firefox has been added which allows preferences and [policies](https://github.com/mozilla/policy-templates/blob/master/README.md) to be set. This also allows extensions to be installed via the `ExtensionSettings` policy. The new options are under `programs.firefox`. + +- The option `services.picom.experimentalBackends` was removed since it is now the default and the option will cause `picom` to quit instead. + +- `haskellPackage.callHackage` is not always invalidated if `all-cabal-hashes` changes, leading to less rebuilds of haskell dependencies. + +- `haskellPackages.callHackage` and `haskellPackages.callCabal2nix` (and related functions) no longer keep a reference to the `cabal2nix` call used to generate them. As a result, they will be garbage collected more often. + <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md new file mode 100644 index 00000000000..7f42554f322 --- /dev/null +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -0,0 +1,36 @@ +# Release 23.05 (“Stoat”, 2023.05/??) {#sec-release-23.05} + +Support is planned until the end of December 2023, handing over to 23.11. + +## Highlights {#sec-release-23.05-highlights} + +In addition to numerous new and upgraded packages, this release has the following highlights: + +<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> + +- Create the first release note entry in this section! + +## New Services {#sec-release-23.05-new-services} + +<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> + +- Create the first release note entry in this section! + +## Backward Incompatibilities {#sec-release-23.05-incompatibilities} + +<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> + +- `carnix` and `cratesIO` has been removed due to being unmaintained, use alternatives such as [naersk](https://github.com/nix-community/naersk) and [crate2nix](https://github.com/kolloch/crate2nix) instead. + +- The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services. + This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from `/etc/ec2-metadata` should now have an `after` dependency on `fetch-ec2-metadata.service` + +- The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2. + +- The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation. + +## Other Notable Changes {#sec-release-23.05-notable-changes} + +<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> + +- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules) diff --git a/nixos/lib/make-options-doc/default.nix b/nixos/lib/make-options-doc/default.nix index dde3cac1c1b..e097aa5eebd 100644 --- a/nixos/lib/make-options-doc/default.nix +++ b/nixos/lib/make-options-doc/default.nix @@ -40,6 +40,8 @@ # `false`, and a different renderer may be used with different bugs and performance # characteristics but (hopefully) indistinguishable output. , allowDocBook ? true +# whether lib.mdDoc is required for descriptions to be read as markdown. +, markdownByDefault ? false }: let @@ -152,6 +154,7 @@ in rec { python ${./mergeJSON.py} \ ${lib.optionalString warningsAreErrors "--warnings-are-errors"} \ ${lib.optionalString (! allowDocBook) "--error-on-docbook"} \ + ${lib.optionalString markdownByDefault "--markdown-by-default"} \ $baseJSON $options \ > $dst/options.json diff --git a/nixos/lib/make-options-doc/mergeJSON.py b/nixos/lib/make-options-doc/mergeJSON.py index 8a8498746bf..750cd24fc65 100644 --- a/nixos/lib/make-options-doc/mergeJSON.py +++ b/nixos/lib/make-options-doc/mergeJSON.py @@ -201,19 +201,27 @@ def convertMD(options: Dict[str, Any]) -> str: return option[key]['_type'] == typ for (name, option) in options.items(): - if optionIs(option, 'description', 'mdDoc'): - option['description'] = convertString(name, option['description']['text']) - if optionIs(option, 'example', 'literalMD'): - docbook = convertString(name, option['example']['text']) - option['example'] = { '_type': 'literalDocBook', 'text': docbook } - if optionIs(option, 'default', 'literalMD'): - docbook = convertString(name, option['default']['text']) - option['default'] = { '_type': 'literalDocBook', 'text': docbook } + try: + if optionIs(option, 'description', 'mdDoc'): + option['description'] = convertString(name, option['description']['text']) + elif markdownByDefault: + option['description'] = convertString(name, option['description']) + + if optionIs(option, 'example', 'literalMD'): + docbook = convertString(name, option['example']['text']) + option['example'] = { '_type': 'literalDocBook', 'text': docbook } + if optionIs(option, 'default', 'literalMD'): + docbook = convertString(name, option['default']['text']) + option['default'] = { '_type': 'literalDocBook', 'text': docbook } + except Exception as e: + raise Exception(f"Failed to render option {name}: {str(e)}") + return options warningsAreErrors = False errorOnDocbook = False +markdownByDefault = False optOffset = 0 for arg in sys.argv[1:]: if arg == "--warnings-are-errors": @@ -222,6 +230,9 @@ for arg in sys.argv[1:]: if arg == "--error-on-docbook": optOffset += 1 errorOnDocbook = True + if arg == "--markdown-by-default": + optOffset += 1 + markdownByDefault = True options = pivot(json.load(open(sys.argv[1 + optOffset], 'r'))) overrides = pivot(json.load(open(sys.argv[2 + optOffset], 'r'))) diff --git a/nixos/lib/test-driver/test_driver/machine.py b/nixos/lib/test-driver/test_driver/machine.py index e45c83086fb..ffbc7c18e42 100644 --- a/nixos/lib/test-driver/test_driver/machine.py +++ b/nixos/lib/test-driver/test_driver/machine.py @@ -684,10 +684,10 @@ class Machine: with self.nested("waiting for {} to appear on tty {}".format(regexp, tty)): retry(tty_matches) - def send_chars(self, chars: str) -> None: + def send_chars(self, chars: str, delay: Optional[float] = 0.01) -> None: with self.nested("sending keys ‘{}‘".format(chars)): for char in chars: - self.send_key(char) + self.send_key(char, delay) def wait_for_file(self, filename: str) -> None: """Waits until the file exists in machine's file system.""" @@ -860,10 +860,11 @@ class Machine: if matches is not None: return - def send_key(self, key: str) -> None: + def send_key(self, key: str, delay: Optional[float] = 0.01) -> None: key = CHAR_TO_KEY.get(key, key) self.send_monitor_command("sendkey {}".format(key)) - time.sleep(0.01) + if delay is not None: + time.sleep(delay) def send_console(self, chars: str) -> None: assert self.process diff --git a/nixos/lib/testing-python.nix b/nixos/lib/testing-python.nix index d7204a2bc14..134d38f1b67 100644 --- a/nixos/lib/testing-python.nix +++ b/nixos/lib/testing-python.nix @@ -9,9 +9,6 @@ # Modules to add to each VM , extraConfigurations ? [ ] }: - -with pkgs; - let nixos-lib = import ./default.nix { inherit (pkgs) lib; }; in diff --git a/nixos/maintainers/scripts/ec2/amazon-image.nix b/nixos/maintainers/scripts/ec2/amazon-image.nix index e2a05a09d0c..0db0f4d0dcc 100644 --- a/nixos/maintainers/scripts/ec2/amazon-image.nix +++ b/nixos/maintainers/scripts/ec2/amazon-image.nix @@ -43,7 +43,7 @@ in { sizeMB = mkOption { type = with types; either (enum [ "auto" ]) int; - default = if config.ec2.hvm then 2048 else 8192; + default = 2048; example = 8192; description = lib.mdDoc "The size in MB of the image"; }; @@ -60,9 +60,6 @@ in { '' { modulesPath, ... }: { imports = [ "''${modulesPath}/virtualisation/amazon-image.nix" ]; - ${optionalString config.ec2.hvm '' - ec2.hvm = true; - ''} ${optionalString config.ec2.efi '' ec2.efi = true; ''} @@ -129,9 +126,7 @@ in { pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package fsType = "ext4"; - partitionTableType = if config.ec2.efi then "efi" - else if config.ec2.hvm then "legacy+gpt" - else "none"; + partitionTableType = if config.ec2.efi then "efi" else "legacy+gpt"; diskSize = cfg.sizeMB; diff --git a/nixos/modules/config/console.nix b/nixos/modules/config/console.nix index 1f8f80a554d..f5db5dc5dfc 100644 --- a/nixos/modules/config/console.nix +++ b/nixos/modules/config/console.nix @@ -34,14 +34,16 @@ let "/share/unimaps" ]; }; - - setVconsole = !config.boot.isContainer; in { ###### interface options.console = { + enable = mkEnableOption (lib.mdDoc "virtual console") // { + default = true; + }; + font = mkOption { type = with types; either str path; default = "Lat2-Terminus16"; @@ -125,11 +127,17 @@ in ''); } - (mkIf (!setVconsole) { - systemd.services.systemd-vconsole-setup.enable = false; + (mkIf (!cfg.enable) { + systemd.services = { + "serial-getty@ttyS0".enable = false; + "serial-getty@hvc0".enable = false; + "getty@tty1".enable = false; + "autovt@".enable = false; + systemd-vconsole-setup.enable = false; + }; }) - (mkIf setVconsole (mkMerge [ + (mkIf cfg.enable (mkMerge [ { environment.systemPackages = [ pkgs.kbd ]; # Let systemd-vconsole-setup.service do the work of setting up the diff --git a/nixos/modules/config/gtk/gtk-icon-cache.nix b/nixos/modules/config/gtk/gtk-icon-cache.nix index 87d5483e36a..62f0cc3f090 100644 --- a/nixos/modules/config/gtk/gtk-icon-cache.nix +++ b/nixos/modules/config/gtk/gtk-icon-cache.nix @@ -52,10 +52,8 @@ with lib; environment.extraSetup = '' # For each icon theme directory ... - - find $out/share/icons -mindepth 1 -maxdepth 1 -print0 | while read -d $'\0' themedir + find $out/share/icons -exec test -d {} ';' -mindepth 1 -maxdepth 1 -print0 | while read -d $'\0' themedir do - # In order to build the cache, the theme dir should be # writable. When the theme dir is a symbolic link to somewhere # in the nix store it is not writable and it means that only diff --git a/nixos/modules/config/power-management.nix b/nixos/modules/config/power-management.nix index a4e8028cfbe..e7fd02920e0 100644 --- a/nixos/modules/config/power-management.nix +++ b/nixos/modules/config/power-management.nix @@ -94,7 +94,7 @@ in after = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" "suspend-then-hibernate.target" ]; script = '' - /run/current-system/systemd/bin/systemctl try-restart post-resume.target + /run/current-system/systemd/bin/systemctl try-restart --no-block post-resume.target ${cfg.resumeCommands} ${cfg.powerUpCommands} ''; diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index b538a0119c0..2660b0e6c93 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -35,7 +35,7 @@ let ''; hashedPasswordDescription = '' - To generate a hashed password run `mkpasswd -m sha-512`. + To generate a hashed password run `mkpasswd`. If set to an empty string (`""`), this user will be able to log in without being asked for a password (but not via remote @@ -592,6 +592,26 @@ in { ''; }; + # Warn about user accounts with deprecated password hashing schemes + system.activationScripts.hashes = { + deps = [ "users" ]; + text = '' + users=() + while IFS=: read -r user hash tail; do + if [[ "$hash" = "$"* && ! "$hash" =~ ^\$(y|gy|7|2b|2y|2a|6)\$ ]]; then + users+=("$user") + fi + done </etc/shadow + + if (( "''${#users[@]}" )); then + echo " + WARNING: The following user accounts rely on password hashes that will + be removed in NixOS 23.05. They should be renewed as soon as possible." + printf ' - %s\n' "''${users[@]}" + fi + ''; + }; + # for backwards compatibility system.activationScripts.groups = stringAfter [ "users" ] ""; diff --git a/nixos/modules/hardware/brillo.nix b/nixos/modules/hardware/brillo.nix index 92239de5aae..612061718fa 100644 --- a/nixos/modules/hardware/brillo.nix +++ b/nixos/modules/hardware/brillo.nix @@ -8,13 +8,12 @@ in options = { hardware.brillo = { enable = mkEnableOption (lib.mdDoc '' - Enable brillo in userspace. - This will allow brightness control from users in the video group. + brillo in userspace. + This will allow brightness control from users in the video group ''); }; }; - config = mkIf cfg.enable { services.udev.packages = [ pkgs.brillo ]; environment.systemPackages = [ pkgs.brillo ]; diff --git a/nixos/modules/hardware/ubertooth.nix b/nixos/modules/hardware/ubertooth.nix index 4b87abe5beb..e2db2068d90 100644 --- a/nixos/modules/hardware/ubertooth.nix +++ b/nixos/modules/hardware/ubertooth.nix @@ -10,7 +10,7 @@ let }; in { options.hardware.ubertooth = { - enable = mkEnableOption (lib.mdDoc "Enable the Ubertooth software and its udev rules."); + enable = mkEnableOption (lib.mdDoc "Ubertooth software and its udev rules"); group = mkOption { type = types.str; diff --git a/nixos/modules/hardware/wooting.nix b/nixos/modules/hardware/wooting.nix index 2843dbfd7b2..90d046d49f4 100644 --- a/nixos/modules/hardware/wooting.nix +++ b/nixos/modules/hardware/wooting.nix @@ -3,7 +3,7 @@ with lib; { options.hardware.wooting.enable = - mkEnableOption (lib.mdDoc "Enable support for Wooting keyboards"); + mkEnableOption (lib.mdDoc "support for Wooting keyboards"); config = mkIf config.hardware.wooting.enable { environment.systemPackages = [ pkgs.wootility ]; diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares.nix index 288cbc94a32..3f3571d2538 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares.nix @@ -14,8 +14,6 @@ in calamares-nixos calamares-nixos-autostart calamares-nixos-extensions - # Needed for calamares QML module packagechooserq - libsForQt5.full # Get list of locales glibcLocales ]; diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index cbc3b612059..17ea04cb4ec 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -355,6 +355,7 @@ in pipewire = 323; rstudio-server = 324; localtimed = 325; + automatic-timezoned = 326; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -664,6 +665,7 @@ in pipewire = 323; rstudio-server = 324; localtimed = 325; + automatic-timezoned = 326; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/misc/man-db.nix b/nixos/modules/misc/man-db.nix index 524199ac409..08fb91b3994 100644 --- a/nixos/modules/misc/man-db.nix +++ b/nixos/modules/misc/man-db.nix @@ -52,7 +52,7 @@ in environment.systemPackages = [ cfg.package ]; environment.etc."man_db.conf".text = let - manualCache = pkgs.runCommandLocal "man-cache" { } '' + manualCache = pkgs.runCommand "man-cache" { } '' echo "MANDB_MAP ${cfg.manualPages}/share/man $out" > man.conf ${cfg.package}/bin/mandb -C man.conf -psc >/dev/null 2>&1 ''; diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix index 00460a88d86..7f7417226d1 100644 --- a/nixos/modules/misc/nixpkgs.nix +++ b/nixos/modules/misc/nixpkgs.nix @@ -307,7 +307,7 @@ in '' else throw '' - Neither ${opt.hostPlatform} nor or the legacy option ${opt.system} has been set. + Neither ${opt.hostPlatform} nor the legacy option ${opt.system} has been set. You can set ${opt.hostPlatform} in hardware-configuration.nix by re-running a recent version of nixos-generate-config. The option ${opt.system} is still fully supported for NixOS 22.05 interoperability, diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 53439accd65..bc5f6f1d76c 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -157,6 +157,7 @@ ./programs/extra-container.nix ./programs/feedbackd.nix ./programs/file-roller.nix + ./programs/firefox.nix ./programs/firejail.nix ./programs/fish.nix ./programs/flashrom.nix @@ -381,6 +382,7 @@ ./services/databases/pgmanage.nix ./services/databases/postgresql.nix ./services/databases/redis.nix + ./services/databases/surrealdb.nix ./services/databases/victoriametrics.nix ./services/desktops/accountsservice.nix ./services/desktops/bamf.nix @@ -489,6 +491,7 @@ ./services/hardware/vdr.nix ./services/home-automation/home-assistant.nix ./services/home-automation/zigbee2mqtt.nix + ./services/home-automation/evcc.nix ./services/logging/SystemdJournal2Gelf.nix ./services/logging/awstats.nix ./services/logging/filebeat.nix @@ -717,6 +720,7 @@ ./services/monitoring/teamviewer.nix ./services/monitoring/telegraf.nix ./services/monitoring/thanos.nix + ./services/monitoring/tremor-rs.nix ./services/monitoring/tuptime.nix ./services/monitoring/unifi-poller.nix ./services/monitoring/ups.nix @@ -773,6 +777,7 @@ ./services/networking/blockbook-frontend.nix ./services/networking/blocky.nix ./services/networking/charybdis.nix + ./services/networking/chisel-server.nix ./services/networking/cjdns.nix ./services/networking/cloudflare-dyndns.nix ./services/networking/cntlm.nix @@ -1047,6 +1052,7 @@ ./services/security/vault.nix ./services/security/vaultwarden/default.nix ./services/security/yubikey-agent.nix + ./services/system/automatic-timezoned.nix ./services/system/cachix-agent/default.nix ./services/system/cachix-watch-store.nix ./services/system/cloud-init.nix diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix index 249e99ddc47..286faeadc48 100644 --- a/nixos/modules/programs/bash/bash.nix +++ b/nixos/modules/programs/bash/bash.nix @@ -12,7 +12,7 @@ let cfg = config.programs.bash; bashAliases = concatStringsSep "\n" ( - mapAttrsFlatten (k: v: "alias ${k}=${escapeShellArg v}") + mapAttrsFlatten (k: v: "alias -- ${k}=${escapeShellArg v}") (filterAttrs (k: v: v != null) cfg.shellAliases) ); diff --git a/nixos/modules/programs/firefox.nix b/nixos/modules/programs/firefox.nix new file mode 100644 index 00000000000..76e6c1a553f --- /dev/null +++ b/nixos/modules/programs/firefox.nix @@ -0,0 +1,91 @@ +{ pkgs, config, lib, ... }: + +with lib; + +let + cfg = config.programs.firefox; + + policyFormat = pkgs.formats.json { }; + + organisationInfo = '' + When this option is in use, Firefox will inform you that "your browser + is managed by your organisation". That message appears because NixOS + installs what you have declared here such that it cannot be overridden + through the user interface. It does not mean that someone else has been + given control of your browser, unless of course they also control your + NixOS configuration. + ''; + +in { + options.programs.firefox = { + enable = mkEnableOption (mdDoc "the Firefox web browser"); + + package = mkOption { + description = mdDoc "Firefox package to use."; + type = types.package; + default = pkgs.firefox; + defaultText = literalExpression "pkgs.firefox"; + relatedPackages = [ + "firefox" + "firefox-beta-bin" + "firefox-bin" + "firefox-devedition-bin" + "firefox-esr" + "firefox-esr-wayland" + "firefox-wayland" + ]; + }; + + policies = mkOption { + description = mdDoc '' + Group policies to install. + + See [Mozilla's documentation](https://github.com/mozilla/policy-templates/blob/master/README.md") + for a list of available options. + + This can be used to install extensions declaratively! Check out the + documentation of the `ExtensionSettings` policy for details. + + ${organisationInfo} + ''; + type = policyFormat.type; + default = {}; + }; + + preferences = mkOption { + description = mdDoc '' + Preferences to set from `about://config`. + + Some of these might be able to be configured more ergonomically + using policies. + + ${organisationInfo} + ''; + type = with types; attrsOf (oneOf [ bool int string ]); + default = {}; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + + environment.etc."firefox/policies/policies.json".source = + let policiesJSON = + policyFormat.generate + "firefox-policies.json" + { inherit (cfg) policies; }; + in mkIf (cfg.policies != {}) "${policiesJSON}"; + + # Preferences are converted into a policy + programs.firefox.policies = + mkIf (cfg.preferences != {}) + { + Preferences = (mapAttrs (name: value: { + Value = value; + Status = "locked"; + }) cfg.preferences); + }; + }; + + meta.maintainers = with maintainers; [ danth ]; +} diff --git a/nixos/modules/programs/flashrom.nix b/nixos/modules/programs/flashrom.nix index 5f0de5a4023..ff495558c9e 100644 --- a/nixos/modules/programs/flashrom.nix +++ b/nixos/modules/programs/flashrom.nix @@ -16,11 +16,12 @@ in group. ''; }; + package = mkPackageOption pkgs "flashrom" { }; }; config = mkIf cfg.enable { - services.udev.packages = [ pkgs.flashrom ]; - environment.systemPackages = [ pkgs.flashrom ]; + services.udev.packages = [ cfg.package ]; + environment.systemPackages = [ cfg.package ]; users.groups.flashrom = { }; }; } diff --git a/nixos/modules/programs/kclock.nix b/nixos/modules/programs/kclock.nix index 049e237187e..63d6fb1e2d7 100644 --- a/nixos/modules/programs/kclock.nix +++ b/nixos/modules/programs/kclock.nix @@ -4,7 +4,7 @@ let cfg = config.programs.kclock; kclockPkg = pkgs.libsForQt5.kclock; in { - options.programs.kclock = { enable = mkEnableOption (lib.mdDoc "Enable KClock"); }; + options.programs.kclock = { enable = mkEnableOption (lib.mdDoc "KClock"); }; config = mkIf cfg.enable { services.dbus.packages = [ kclockPkg ]; diff --git a/nixos/modules/programs/steam.nix b/nixos/modules/programs/steam.nix index adbbf5d9ed4..1b69aac9886 100644 --- a/nixos/modules/programs/steam.nix +++ b/nixos/modules/programs/steam.nix @@ -4,17 +4,31 @@ with lib; let cfg = config.programs.steam; - - steam = pkgs.steam.override { - extraLibraries = pkgs: with config.hardware.opengl; - if pkgs.hostPlatform.is64bit - then [ package ] ++ extraPackages - else [ package32 ] ++ extraPackages32; - }; in { options.programs.steam = { enable = mkEnableOption (lib.mdDoc "steam"); + package = mkOption { + type = types.package; + default = pkgs.steam.override { + extraLibraries = pkgs: with config.hardware.opengl; + if pkgs.hostPlatform.is64bit + then [ package ] ++ extraPackages + else [ package32 ] ++ extraPackages32; + }; + defaultText = literalExpression '' + pkgs.steam.override { + extraLibraries = pkgs: with config.hardware.opengl; + if pkgs.hostPlatform.is64bit + then [ package ] ++ extraPackages + else [ package32 ] ++ extraPackages32; + } + ''; + description = lib.mdDoc '' + steam package to use. + ''; + }; + remotePlay.openFirewall = mkOption { type = types.bool; default = false; @@ -44,7 +58,10 @@ in { hardware.steam-hardware.enable = true; - environment.systemPackages = [ steam steam.run ]; + environment.systemPackages = [ + cfg.package + cfg.package.run + ]; networking.firewall = lib.mkMerge [ (mkIf cfg.remotePlay.openFirewall { diff --git a/nixos/modules/programs/tmux.nix b/nixos/modules/programs/tmux.nix index cf7ea4cfcf7..4fb9175fb8d 100644 --- a/nixos/modules/programs/tmux.nix +++ b/nixos/modules/programs/tmux.nix @@ -178,6 +178,16 @@ in { description = lib.mdDoc "List of plugins to install."; example = lib.literalExpression "[ pkgs.tmuxPlugins.nord ]"; }; + + withUtempter = mkOption { + description = lib.mdDoc '' + Whether to enable libutempter for tmux. + This is required so that tmux can write to /var/run/utmp (which can be queried with `who` to display currently connected user sessions). + Note, this will add a guid wrapper for the group utmp! + ''; + default = true; + type = types.bool; + }; }; }; @@ -193,6 +203,15 @@ in { TMUX_TMPDIR = lib.optional cfg.secureSocket ''''${XDG_RUNTIME_DIR:-"/run/user/$(id -u)"}''; }; }; + security.wrappers = mkIf cfg.withUtempter { + utempter = { + source = "${pkgs.libutempter}/lib/utempter/utempter"; + owner = "root"; + group = "utmp"; + setuid = false; + setgid = true; + }; + }; }; imports = [ diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix index 29790e0dd75..0b152e54cf9 100644 --- a/nixos/modules/programs/zsh/zsh.nix +++ b/nixos/modules/programs/zsh/zsh.nix @@ -12,7 +12,7 @@ let opt = options.programs.zsh; zshAliases = concatStringsSep "\n" ( - mapAttrsFlatten (k: v: "alias ${k}=${escapeShellArg v}") + mapAttrsFlatten (k: v: "alias -- ${k}=${escapeShellArg v}") (filterAttrs (k: v: v != null) cfg.shellAliases) ); @@ -173,10 +173,10 @@ in # This file is read for all shells. # Only execute this file once per shell. - if [ -n "$__ETC_ZSHENV_SOURCED" ]; then return; fi + if [ -n "''${__ETC_ZSHENV_SOURCED-}" ]; then return; fi __ETC_ZSHENV_SOURCED=1 - if [ -z "$__NIXOS_SET_ENVIRONMENT_DONE" ]; then + if [ -z "''${__NIXOS_SET_ENVIRONMENT_DONE-}" ]; then . ${config.system.build.setEnvironment} fi @@ -206,7 +206,7 @@ in ${zshStartupNotes} # Only execute this file once per shell. - if [ -n "$__ETC_ZPROFILE_SOURCED" ]; then return; fi + if [ -n "''${__ETC_ZPROFILE_SOURCED-}" ]; then return; fi __ETC_ZPROFILE_SOURCED=1 # Setup custom login shell init stuff. diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 412c5a43360..21e1749d850 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -544,6 +544,7 @@ let # We use try_first_pass the second time to avoid prompting password twice (optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs + || config.security.pam.enableFscrypt || cfg.pamMount || cfg.enableKwallet || cfg.enableGnomeKeyring @@ -558,6 +559,9 @@ let optionalString config.security.pam.enableEcryptfs '' auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap '' + + optionalString config.security.pam.enableFscrypt '' + auth optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so + '' + optionalString cfg.pamMount '' auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive '' + @@ -606,6 +610,9 @@ let optionalString config.security.pam.enableEcryptfs '' password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so '' + + optionalString config.security.pam.enableFscrypt '' + password optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so + '' + optionalString cfg.pamMount '' password optional ${pkgs.pam_mount}/lib/security/pam_mount.so '' + @@ -652,6 +659,14 @@ let optionalString config.security.pam.enableEcryptfs '' session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so '' + + optionalString config.security.pam.enableFscrypt '' + # Work around https://github.com/systemd/systemd/issues/8598 + # Skips the pam_fscrypt module for systemd-user sessions which do not have a password + # anyways. + # See also https://github.com/google/fscrypt/issues/95 + session [success=1 default=ignore] pam_succeed_if.so service = systemd-user + session optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so + '' + optionalString cfg.pamMount '' session optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive '' + @@ -1168,6 +1183,14 @@ in }; security.pam.enableEcryptfs = mkEnableOption (lib.mdDoc "eCryptfs PAM module (mounting ecryptfs home directory on login)"); + security.pam.enableFscrypt = mkEnableOption (lib.mdDoc '' + Enables fscrypt to automatically unlock directories with the user's login password. + + This also enables a service at security.pam.services.fscrypt which is used by + fscrypt to verify the user's password when setting up a new protector. If you + use something other than pam_unix to verify user passwords, please remember to + adjust this PAM service. + ''); users.motd = mkOption { default = null; @@ -1192,6 +1215,7 @@ in ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ] ++ optionals config.security.pam.oath.enable [ pkgs.oath-toolkit ] ++ optionals config.security.pam.p11.enable [ pkgs.pam_p11 ] + ++ optionals config.security.pam.enableFscrypt [ pkgs.fscrypt-experimental ] ++ optionals config.security.pam.u2f.enable [ pkgs.pam_u2f ]; boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ]; @@ -1233,6 +1257,9 @@ in it complains "Cannot create session: Already running in a session". */ runuser-l = { rootOK = true; unixAuth = false; }; + } // optionalAttrs (config.security.pam.enableFscrypt) { + # Allow fscrypt to verify login passphrase + fscrypt = {}; }; security.apparmor.includes."abstractions/pam" = let @@ -1297,6 +1324,9 @@ in optionalString config.security.pam.enableEcryptfs '' mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so, '' + + optionalString config.security.pam.enableFscrypt '' + mr ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so, + '' + optionalString (isEnabled (cfg: cfg.pamMount)) '' mr ${pkgs.pam_mount}/lib/security/pam_mount.so, '' + diff --git a/nixos/modules/services/audio/ympd.nix b/nixos/modules/services/audio/ympd.nix index f14c81cdb8d..811b81030ef 100644 --- a/nixos/modules/services/audio/ympd.nix +++ b/nixos/modules/services/audio/ympd.nix @@ -29,7 +29,7 @@ in { }; port = mkOption { - type = types.int; + type = types.port; default = config.services.mpd.network.port; defaultText = literalExpression "config.services.mpd.network.port"; description = lib.mdDoc "The port where MPD is listening."; diff --git a/nixos/modules/services/backup/bacula.nix b/nixos/modules/services/backup/bacula.nix index d4f6ac8f5d3..0acbf1b3eab 100644 --- a/nixos/modules/services/backup/bacula.nix +++ b/nixos/modules/services/backup/bacula.nix @@ -314,7 +314,7 @@ in { port = mkOption { default = 9102; - type = types.int; + type = types.port; description = lib.mdDoc '' This specifies the port number on which the Client listens for Director connections. It must agree with the FDPort specified in @@ -374,7 +374,7 @@ in { port = mkOption { default = 9103; - type = types.int; + type = types.port; description = lib.mdDoc '' Specifies port number on which the Storage daemon listens for Director connections. @@ -451,7 +451,7 @@ in { port = mkOption { default = 9101; - type = types.int; + type = types.port; description = lib.mdDoc '' Specify the port (a positive integer) on which the Director daemon will listen for Bacula Console connections. This same port number diff --git a/nixos/modules/services/backup/duplicati.nix b/nixos/modules/services/backup/duplicati.nix index 47f0b618c8d..007396ebfc9 100644 --- a/nixos/modules/services/backup/duplicati.nix +++ b/nixos/modules/services/backup/duplicati.nix @@ -12,7 +12,7 @@ in port = mkOption { default = 8200; - type = types.int; + type = types.port; description = lib.mdDoc '' Port serving the web interface ''; diff --git a/nixos/modules/services/blockchain/ethereum/erigon.nix b/nixos/modules/services/blockchain/ethereum/erigon.nix index 892262d246b..8ebe0fcaff5 100644 --- a/nixos/modules/services/blockchain/ethereum/erigon.nix +++ b/nixos/modules/services/blockchain/ethereum/erigon.nix @@ -13,13 +13,19 @@ in { services.erigon = { enable = mkEnableOption (lib.mdDoc "Ethereum implementation on the efficiency frontier"); - group = mkOption { - type = types.str; - default = "ethereum"; + extraArgs = mkOption { + type = types.listOf types.str; + description = lib.mdDoc "Additional arguments passed to Erigon"; + default = [ ]; + }; + + secretJwtPath = mkOption { + type = types.path; description = lib.mdDoc '' - Group of the user running the lighthouse process. This is used to share the jwt - secret with the execution layer. + Path to the secret jwt used for the http api authentication. ''; + default = ""; + example = "config.age.secrets.ERIGON_JWT.path"; }; settings = mkOption { @@ -64,19 +70,6 @@ in { }; config = mkIf cfg.enable { - users = { - users.erigon = { - name = "erigon"; - group = cfg.group; - description = "Erigon user"; - home = "/var/lib/erigon"; - isSystemUser = true; - }; - groups = mkIf (cfg.group == "ethereum") { - ethereum = {}; - }; - }; - # Default values are the same as in the binary, they are just written here for convenience. services.erigon.settings = { datadir = mkDefault "/var/lib/erigon"; @@ -98,9 +91,9 @@ in { after = [ "network.target" ]; serviceConfig = { - ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile}"; - User = "erigon"; - Group = cfg.group; + LoadCredential = "ERIGON_JWT:${cfg.secretJwtPath}"; + ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile} --authrpc.jwtsecret=%d/ERIGON_JWT ${lib.escapeShellArgs cfg.extraArgs}"; + DynamicUser = true; Restart = "on-failure"; StateDirectory = "erigon"; CapabilityBoundingSet = ""; diff --git a/nixos/modules/services/blockchain/ethereum/lighthouse.nix b/nixos/modules/services/blockchain/ethereum/lighthouse.nix index 6002b16785a..20a4ead689c 100644 --- a/nixos/modules/services/blockchain/ethereum/lighthouse.nix +++ b/nixos/modules/services/blockchain/ethereum/lighthouse.nix @@ -57,15 +57,6 @@ in { ''; }; - group = mkOption { - type = types.str; - default = "ethereum"; - description = lib.mdDoc '' - Group of the user running the lighthouse process. This is used to share the jwt - secret with the execution layer. - ''; - }; - execution = { address = mkOption { type = types.str; @@ -221,19 +212,6 @@ in { config = mkIf (cfg.beacon.enable || cfg.validator.enable) { - users = { - users.lighthouse-beacon = { - name = "lighthouse-beacon"; - group = cfg.beacon.group; - description = "Lighthouse beacon node user"; - home = "${cfg.beacon.dataDir}"; - isSystemUser = true; - }; - groups = mkIf (cfg.beacon.group == "ethereum") { - ethereum = {}; - }; - }; - environment.systemPackages = [ pkgs.lighthouse ] ; networking.firewall = mkIf cfg.beacon.enable { @@ -259,16 +237,17 @@ in { --network ${cfg.network} \ --datadir ${cfg.beacon.dataDir}/${cfg.network} \ --execution-endpoint http://${cfg.beacon.execution.address}:${toString cfg.beacon.execution.port} \ - --execution-jwt ${cfg.beacon.execution.jwtPath} \ + --execution-jwt ''${CREDENTIALS_DIRECTORY}/LIGHTHOUSE_JWT \ ${lib.optionalString cfg.beacon.http.enable '' --http --http-address ${cfg.beacon.http.address} --http-port ${toString cfg.beacon.http.port}''} \ ${lib.optionalString cfg.beacon.metrics.enable '' --metrics --metrics-address ${cfg.beacon.metrics.address} --metrics-port ${toString cfg.beacon.metrics.port}''} \ ${cfg.extraArgs} ${cfg.beacon.extraArgs} ''; serviceConfig = { - User = "lighthouse-beacon"; - Group = cfg.beacon.group; + LoadCredential = "LIGHTHOUSE_JWT:${cfg.beacon.execution.jwtPath}"; + DynamicUser = true; Restart = "on-failure"; StateDirectory = "lighthouse-beacon"; + ReadWritePaths = [ cfg.beacon.dataDir ]; NoNewPrivileges = true; PrivateTmp = true; ProtectHome = true; @@ -309,6 +288,7 @@ in { serviceConfig = { Restart = "on-failure"; StateDirectory = "lighthouse-validator"; + ReadWritePaths = [ cfg.validator.dataDir ]; CapabilityBoundingSet = ""; DynamicUser = true; NoNewPrivileges = true; diff --git a/nixos/modules/services/cluster/kubernetes/flannel.nix b/nixos/modules/services/cluster/kubernetes/flannel.nix index 3ca85a8183c..53003287fc9 100644 --- a/nixos/modules/services/cluster/kubernetes/flannel.nix +++ b/nixos/modules/services/cluster/kubernetes/flannel.nix @@ -12,7 +12,7 @@ in { ###### interface options.services.kubernetes.flannel = { - enable = mkEnableOption (lib.mdDoc "enable flannel networking"); + enable = mkEnableOption (lib.mdDoc "flannel networking"); }; ###### implementation diff --git a/nixos/modules/services/computing/foldingathome/client.nix b/nixos/modules/services/computing/foldingathome/client.nix index d8dd17a5ceb..1229e5ac987 100644 --- a/nixos/modules/services/computing/foldingathome/client.nix +++ b/nixos/modules/services/computing/foldingathome/client.nix @@ -18,7 +18,7 @@ in '') ]; options.services.foldingathome = { - enable = mkEnableOption (lib.mdDoc "Enable the Folding@home client"); + enable = mkEnableOption (lib.mdDoc "Folding@home client"); package = mkOption { type = types.package; diff --git a/nixos/modules/services/databases/couchdb.nix b/nixos/modules/services/databases/couchdb.nix index 2a570d09a2c..16b82b867a3 100644 --- a/nixos/modules/services/databases/couchdb.nix +++ b/nixos/modules/services/databases/couchdb.nix @@ -34,13 +34,7 @@ in { services.couchdb = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to run CouchDB Server. - ''; - }; + enable = mkEnableOption (lib.mdDoc "CouchDB Server"); package = mkOption { type = types.package; diff --git a/nixos/modules/services/databases/opentsdb.nix b/nixos/modules/services/databases/opentsdb.nix index 45c84b12a50..288b716fce0 100644 --- a/nixos/modules/services/databases/opentsdb.nix +++ b/nixos/modules/services/databases/opentsdb.nix @@ -15,13 +15,7 @@ in { services.opentsdb = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to run OpenTSDB. - ''; - }; + enable = mkEnableOption (lib.mdDoc "OpenTSDB"); package = mkOption { type = types.package; @@ -49,7 +43,7 @@ in { }; port = mkOption { - type = types.int; + type = types.port; default = 4242; description = lib.mdDoc '' Which port OpenTSDB listens on. diff --git a/nixos/modules/services/databases/pgmanage.nix b/nixos/modules/services/databases/pgmanage.nix index 71ce1d8eca4..cbf988d596f 100644 --- a/nixos/modules/services/databases/pgmanage.nix +++ b/nixos/modules/services/databases/pgmanage.nix @@ -85,7 +85,7 @@ in { }; port = mkOption { - type = types.int; + type = types.port; default = 8080; description = lib.mdDoc '' This tells pgmanage what port to listen on for browser requests. diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 1f143f9c66f..95c0afb8f83 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -361,8 +361,10 @@ in { fi echo 'include "${redisConfStore}"' > "${redisConfRun}" ${optionalString (conf.requirePassFile != null) '' - {echo -n "requirepass " - cat ${escapeShellArg conf.requirePassFile}} >> "${redisConfRun}" + { + echo -n "requirepass " + cat ${escapeShellArg conf.requirePassFile} + } >> "${redisConfRun}" ''} ''); Type = "notify"; diff --git a/nixos/modules/services/databases/surrealdb.nix b/nixos/modules/services/databases/surrealdb.nix new file mode 100644 index 00000000000..27269eb02f6 --- /dev/null +++ b/nixos/modules/services/databases/surrealdb.nix @@ -0,0 +1,79 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + + cfg = config.services.surrealdb; +in { + + options = { + services.surrealdb = { + enable = mkEnableOption (lib.mdDoc "A scalable, distributed, collaborative, document-graph database, for the realtime web "); + + dbPath = mkOption { + type = types.str; + description = lib.mdDoc '' + The path that surrealdb will write data to. Use null for in-memory. + Can be one of "memory", "file://:path", "tikv://:addr". + ''; + default = "file:///var/lib/surrealdb/"; + example = "memory"; + }; + + host = mkOption { + type = types.str; + description = lib.mdDoc '' + The host that surrealdb will connect to. + ''; + default = "127.0.0.1"; + example = "127.0.0.1"; + }; + + port = mkOption { + type = types.port; + description = lib.mdDoc '' + The port that surrealdb will connect to. + ''; + default = 8000; + example = 8000; + }; + }; + }; + + config = mkIf cfg.enable { + + # Used to connect to the running service + environment.systemPackages = [ pkgs.surrealdb ] ; + + systemd.services.surrealdb = { + description = "A scalable, distributed, collaborative, document-graph database, for the realtime web "; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + ExecStart = "${pkgs.surrealdb}/bin/surreal start --bind ${cfg.host}:${toString cfg.port} ${optionalString (cfg.dbPath != null) "-- ${cfg.dbPath}"}"; + DynamicUser = true; + Restart = "on-failure"; + StateDirectory = "surrealdb"; + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + PrivateTmp = true; + ProtectHome = true; + ProtectClock = true; + ProtectProc = "noaccess"; + ProcSubset = "pid"; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + ProtectHostname = true; + RestrictSUIDSGID = true; + RestrictRealtime = true; + RestrictNamespaces = true; + LockPersonality = true; + RemoveIPC = true; + SystemCallFilter = [ "@system-service" "~@privileged" ]; + }; + }; + }; +} diff --git a/nixos/modules/services/desktops/gnome/at-spi2-core.nix b/nixos/modules/services/desktops/gnome/at-spi2-core.nix index 495ea5af987..10a2f1f9eca 100644 --- a/nixos/modules/services/desktops/gnome/at-spi2-core.nix +++ b/nixos/modules/services/desktops/gnome/at-spi2-core.nix @@ -51,7 +51,10 @@ with lib; }) (mkIf (!config.services.gnome.at-spi2-core.enable) { - environment.variables.NO_AT_BRIDGE = "1"; + environment.variables = { + NO_AT_BRIDGE = "1"; + GTK_A11Y = "none"; + }; }) ]; } diff --git a/nixos/modules/services/games/teeworlds.nix b/nixos/modules/services/games/teeworlds.nix index 083ab3ba94e..ffef440330c 100644 --- a/nixos/modules/services/games/teeworlds.nix +++ b/nixos/modules/services/games/teeworlds.nix @@ -70,7 +70,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 8303; description = lib.mdDoc '' Port the server will listen on. diff --git a/nixos/modules/services/hardware/sane.nix b/nixos/modules/services/hardware/sane.nix index cb9bee6130c..dd5c65b1f6a 100644 --- a/nixos/modules/services/hardware/sane.nix +++ b/nixos/modules/services/hardware/sane.nix @@ -28,8 +28,8 @@ let }; env = { - SANE_CONFIG_DIR = config.hardware.sane.configDir; - LD_LIBRARY_PATH = [ "${saneConfig}/lib/sane" ]; + SANE_CONFIG_DIR = "/etc/sane.d"; + LD_LIBRARY_PATH = [ "/etc/sane-libs" ]; }; backends = [ pkg netConf ] ++ optional config.services.saned.enable sanedConf ++ config.hardware.sane.extraBackends; @@ -158,6 +158,8 @@ in environment.systemPackages = backends; environment.sessionVariables = env; + environment.etc."sane.d".source = config.hardware.sane.configDir; + environment.etc."sane-libs".source = "${saneConfig}/lib/sane"; services.udev.packages = backends; users.groups.scanner.gid = config.ids.gids.scanner; diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix index 7a7f8330243..d9526133241 100644 --- a/nixos/modules/services/hardware/udev.nix +++ b/nixos/modules/services/hardware/udev.nix @@ -46,6 +46,11 @@ let SUBSYSTEM=="input", KERNEL=="mice", TAG+="systemd" ''; + nixosInitrdRules = '' + # Mark dm devices as db_persist so that they are kept active after switching root + SUBSYSTEM=="block", KERNEL=="dm-[0-9]*", ACTION=="add|change", OPTIONS+="db_persist" + ''; + # Perform substitutions in all udev rules files. udevRulesFor = { name, udevPackages, udevPath, udev, systemd, binPackages, initrdBin ? null }: pkgs.runCommand name { preferLocalBuild = true; @@ -364,8 +369,10 @@ in EOF ''; + boot.initrd.services.udev.rules = nixosInitrdRules; + boot.initrd.systemd.additionalUpstreamUnits = [ - # TODO: "initrd-udevadm-cleanup-db.service" is commented out because of https://github.com/systemd/systemd/issues/12953 + "initrd-udevadm-cleanup-db.service" "systemd-udevd-control.socket" "systemd-udevd-kernel.socket" "systemd-udevd.service" diff --git a/nixos/modules/services/hardware/udisks2.nix b/nixos/modules/services/hardware/udisks2.nix index 70667dc6d3b..7368845dafd 100644 --- a/nixos/modules/services/hardware/udisks2.nix +++ b/nixos/modules/services/hardware/udisks2.nix @@ -62,7 +62,12 @@ in environment.systemPackages = [ pkgs.udisks2 ]; - environment.etc = mapAttrs' (name: value: nameValuePair "udisks2/${name}" { source = value; } ) configFiles; + environment.etc = (mapAttrs' (name: value: nameValuePair "udisks2/${name}" { source = value; } ) configFiles) // { + # We need to make sure /etc/libblockdev/conf.d is populated to avoid + # warnings + "libblockdev/conf.d/00-default.cfg".source = "${pkgs.libblockdev}/etc/libblockdev/conf.d/00-default.cfg"; + "libblockdev/conf.d/10-lvm-dbus.cfg".source = "${pkgs.libblockdev}/etc/libblockdev/conf.d/10-lvm-dbus.cfg"; + }; security.polkit.enable = true; diff --git a/nixos/modules/services/home-automation/evcc.nix b/nixos/modules/services/home-automation/evcc.nix new file mode 100644 index 00000000000..c12ba9d0c1e --- /dev/null +++ b/nixos/modules/services/home-automation/evcc.nix @@ -0,0 +1,92 @@ +{ lib +, pkgs +, config +, ... +}: + +with lib; + +let + cfg = config.services.evcc; + + format = pkgs.formats.yaml {}; + configFile = format.generate "evcc.yml" cfg.settings; + + package = pkgs.evcc; +in + +{ + meta.maintainers = with lib.maintainers; [ hexa ]; + + options.services.evcc = with types; { + enable = mkEnableOption (lib.mdDoc "EVCC, the extensible EV Charge Controller with PV integration"); + + extraArgs = mkOption { + type = listOf str; + default = []; + description = lib.mdDoc '' + Extra arguments to pass to the evcc executable. + ''; + }; + + settings = mkOption { + type = format.type; + description = lib.mdDoc '' + evcc configuration as a Nix attribute set. + + Check for possible options in the sample [evcc.dist.yaml](https://github.com/andig/evcc/blob/${package.version}/evcc.dist.yaml]. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.evcc = { + after = [ + "network-online.target" + "mosquitto.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + + serviceConfig = { + ExecStart = "${package}/bin/evcc --config ${configFile} ${escapeShellArgs cfg.extraArgs}"; + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ + "char-ttyUSB" + ]; + DevicePolicy = "closed"; + DynamicUser = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups= true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; + User = "evcc"; + }; + }; + }; + + meta.buildDocsInSandbox = false; +} diff --git a/nixos/modules/services/home-automation/zigbee2mqtt.nix b/nixos/modules/services/home-automation/zigbee2mqtt.nix index 691ca62208e..71f6e7a2584 100644 --- a/nixos/modules/services/home-automation/zigbee2mqtt.nix +++ b/nixos/modules/services/home-automation/zigbee2mqtt.nix @@ -18,7 +18,7 @@ in ]; options.services.zigbee2mqtt = { - enable = mkEnableOption (lib.mdDoc "enable zigbee2mqtt service"); + enable = mkEnableOption (lib.mdDoc "zigbee2mqtt service"); package = mkOption { description = lib.mdDoc "Zigbee2mqtt package to use"; diff --git a/nixos/modules/services/logging/fluentd.nix b/nixos/modules/services/logging/fluentd.nix index fe9f4b07e16..7764aafb2d1 100644 --- a/nixos/modules/services/logging/fluentd.nix +++ b/nixos/modules/services/logging/fluentd.nix @@ -12,11 +12,7 @@ in { options = { services.fluentd = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc "Whether to enable fluentd."; - }; + enable = mkEnableOption (lib.mdDoc "fluentd"); config = mkOption { type = types.lines; diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix index b1279f0fe58..8a277cea6e4 100644 --- a/nixos/modules/services/logging/logcheck.nix +++ b/nixos/modules/services/logging/logcheck.nix @@ -109,13 +109,7 @@ in { options = { services.logcheck = { - enable = mkOption { - default = false; - type = types.bool; - description = lib.mdDoc '' - Enable the logcheck cron job. - ''; - }; + enable = mkEnableOption (lib.mdDoc "logcheck cron job"); user = mkOption { default = "logcheck"; diff --git a/nixos/modules/services/mail/rss2email.nix b/nixos/modules/services/mail/rss2email.nix index 7b74db1e711..54404c5b5f4 100644 --- a/nixos/modules/services/mail/rss2email.nix +++ b/nixos/modules/services/mail/rss2email.nix @@ -110,7 +110,6 @@ in { in { preStart = '' - cp ${conf} /var/rss2email/conf.cfg if [ ! -f /var/rss2email/db.json ]; then echo '{"version":2,"feeds":[]}' > /var/rss2email/db.json fi @@ -118,7 +117,7 @@ in { path = [ pkgs.system-sendmail ]; serviceConfig = { ExecStart = - "${pkgs.rss2email}/bin/r2e -c /var/rss2email/conf.cfg -d /var/rss2email/db.json run"; + "${pkgs.rss2email}/bin/r2e -c ${conf} -d /var/rss2email/db.json run"; User = "rss2email"; }; }; diff --git a/nixos/modules/services/matrix/mautrix-telegram.nix b/nixos/modules/services/matrix/mautrix-telegram.nix index fc8b95051dd..2d9c2dc76c2 100644 --- a/nixos/modules/services/matrix/mautrix-telegram.nix +++ b/nixos/modules/services/matrix/mautrix-telegram.nix @@ -7,8 +7,8 @@ let registrationFile = "${dataDir}/telegram-registration.yaml"; cfg = config.services.mautrix-telegram; settingsFormat = pkgs.formats.json {}; - settingsFileUnsubstituted = settingsFormat.generate "mautrix-telegram-config-unsubstituted.json" cfg.settings; - settingsFile = "${dataDir}/config.json"; + settingsFile = + settingsFormat.generate "mautrix-telegram-config.json" cfg.settings; in { options = { @@ -97,12 +97,23 @@ in { default = null; description = lib.mdDoc '' File containing environment variables to be passed to the mautrix-telegram service, - in which secret tokens can be specified securely by defining values for + in which secret tokens can be specified securely by defining values for e.g. `MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN`, `MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN`, `MAUTRIX_TELEGRAM_TELEGRAM_API_ID`, `MAUTRIX_TELEGRAM_TELEGRAM_API_HASH` and optionally `MAUTRIX_TELEGRAM_TELEGRAM_BOT_TOKEN`. + + These environment variables can also be used to set other options by + replacing hierachy levels by `.`, converting the name to uppercase + and prepending `MAUTRIX_TELEGRAM_`. + For example, the first value above maps to + {option}`settings.appservice.as_token`. + + The environment variable values can be prefixed with `json::` to have + them be parsed as JSON. For example, `login_shared_secret_map` can be + set as follows: + `MAUTRIX_TELEGRAM_BRIDGE_LOGIN_SHARED_SECRET_MAP=json::{"example.com":"secret"}`. ''; }; @@ -141,16 +152,6 @@ in { environment.HOME = dataDir; preStart = '' - # Not all secrets can be passed as environment variable (yet) - # https://github.com/tulir/mautrix-telegram/issues/584 - [ -f ${settingsFile} ] && rm -f ${settingsFile} - old_umask=$(umask) - umask 0177 - ${pkgs.envsubst}/bin/envsubst \ - -o ${settingsFile} \ - -i ${settingsFileUnsubstituted} - umask $old_umask - # generate the appservice's registration file if absent if [ ! -f '${registrationFile}' ]; then ${pkgs.mautrix-telegram}/bin/mautrix-telegram \ @@ -186,8 +187,6 @@ in { --config='${settingsFile}' ''; }; - - restartTriggers = [ settingsFileUnsubstituted ]; }; }; diff --git a/nixos/modules/services/misc/airsonic.nix b/nixos/modules/services/misc/airsonic.nix index e4448d70a0e..b8e9dcaf466 100644 --- a/nixos/modules/services/misc/airsonic.nix +++ b/nixos/modules/services/misc/airsonic.nix @@ -48,7 +48,7 @@ in { }; port = mkOption { - type = types.int; + type = types.port; default = 4040; description = lib.mdDoc '' The port on which Airsonic will listen for diff --git a/nixos/modules/services/misc/ankisyncd.nix b/nixos/modules/services/misc/ankisyncd.nix index 907bd348d7e..5198b824202 100644 --- a/nixos/modules/services/misc/ankisyncd.nix +++ b/nixos/modules/services/misc/ankisyncd.nix @@ -44,7 +44,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 27701; description = lib.mdDoc "ankisyncd port"; }; diff --git a/nixos/modules/services/misc/apache-kafka.nix b/nixos/modules/services/misc/apache-kafka.nix index c428cfbc67e..598907aaf1c 100644 --- a/nixos/modules/services/misc/apache-kafka.nix +++ b/nixos/modules/services/misc/apache-kafka.nix @@ -40,7 +40,7 @@ in { port = mkOption { description = lib.mdDoc "Port number the broker should listen on."; default = 9092; - type = types.int; + type = types.port; }; hostname = mkOption { diff --git a/nixos/modules/services/misc/exhibitor.nix b/nixos/modules/services/misc/exhibitor.nix index d804b21fd4f..91a87b55af5 100644 --- a/nixos/modules/services/misc/exhibitor.nix +++ b/nixos/modules/services/misc/exhibitor.nix @@ -68,17 +68,12 @@ in { options = { services.exhibitor = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to enable the exhibitor server. - ''; - }; + enable = mkEnableOption (lib.mdDoc "exhibitor server"); + # See https://github.com/soabase/exhibitor/wiki/Running-Exhibitor for what these mean # General options for any type of config port = mkOption { - type = types.int; + type = types.port; default = 8080; description = lib.mdDoc '' The port for exhibitor to listen on and communicate with other exhibitors. diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 13453d9cc78..e206d5bb7c6 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -16,22 +16,6 @@ let else pkgs.postgresql_12; - # Git 2.36.1 seemingly contains a commit-graph related bug which is - # easily triggered through GitLab, so we downgrade it to 2.35.x - # until this issue is solved. See - # https://gitlab.com/gitlab-org/gitlab/-/issues/360783#note_992870101. - gitPackage = - let - version = "2.35.4"; - in - pkgs.git.overrideAttrs (oldAttrs: rec { - inherit version; - src = pkgs.fetchurl { - url = "https://www.kernel.org/pub/software/scm/git/git-${version}.tar.xz"; - sha256 = "sha256-mv13OdNkXggeKQkJ+47QcJ6lYmcw6Qjri1ZJ2ETCTOk="; - }; - }); - gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket"; gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket"; pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url; @@ -60,7 +44,7 @@ let prometheus_listen_addr = "localhost:9236" [git] - bin_path = "${gitPackage}/bin/git" + bin_path = "${pkgs.git}/bin/git" [gitaly-ruby] dir = "${cfg.packages.gitaly.ruby}" @@ -157,7 +141,7 @@ let }; workhorse.secret_file = "${cfg.statePath}/.gitlab_workhorse_secret"; gitlab_kas.secret_file = "${cfg.statePath}/.gitlab_kas_secret"; - git.bin_path = "${gitPackage}/bin/git"; + git.bin_path = "git"; monitoring = { ip_whitelist = [ "127.0.0.0/8" "::1/128" ]; sidekiq_exporter = { @@ -1325,7 +1309,7 @@ in { }); path = with pkgs; [ postgresqlPackage - gitPackage + git ruby openssh nodejs @@ -1356,7 +1340,7 @@ in { path = with pkgs; [ openssh procps # See https://gitlab.com/gitlab-org/gitaly/issues/1562 - gitPackage + git cfg.packages.gitaly.rubyEnv cfg.packages.gitaly.rubyEnv.wrappedRuby gzip @@ -1402,7 +1386,7 @@ in { path = with pkgs; [ remarshal exiftool - gitPackage + git gnutar gzip openssh @@ -1475,7 +1459,7 @@ in { environment = gitlabEnv; path = with pkgs; [ postgresqlPackage - gitPackage + git openssh nodejs procps diff --git a/nixos/modules/services/misc/gogs.nix b/nixos/modules/services/misc/gogs.nix index e726f2c5c7c..fa172ed277d 100644 --- a/nixos/modules/services/misc/gogs.nix +++ b/nixos/modules/services/misc/gogs.nix @@ -90,7 +90,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 3306; description = lib.mdDoc "Database host port."; }; @@ -167,7 +167,7 @@ in }; httpPort = mkOption { - type = types.int; + type = types.port; default = 3000; description = lib.mdDoc "HTTP listen port."; }; diff --git a/nixos/modules/services/misc/gollum.nix b/nixos/modules/services/misc/gollum.nix index ca6f42736a1..4eec9610b5e 100644 --- a/nixos/modules/services/misc/gollum.nix +++ b/nixos/modules/services/misc/gollum.nix @@ -8,11 +8,7 @@ in { options.services.gollum = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc "Enable the Gollum service."; - }; + enable = mkEnableOption (lib.mdDoc "Gollum service"); address = mkOption { type = types.str; @@ -21,7 +17,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 4567; description = lib.mdDoc "Port on which the web server will run."; }; diff --git a/nixos/modules/services/misc/languagetool.nix b/nixos/modules/services/misc/languagetool.nix index 20dc9b6b447..9adf792373b 100644 --- a/nixos/modules/services/misc/languagetool.nix +++ b/nixos/modules/services/misc/languagetool.nix @@ -70,7 +70,7 @@ in { --port ${toString cfg.port} \ ${optionalString cfg.public "--public"} \ ${optionalString (cfg.allowOrigin != null) "--allow-origin ${cfg.allowOrigin}"} \ - "--configuration" ${settingsFormat.generate "languagetool.conf" cfg.settings} + "--config" ${settingsFormat.generate "languagetool.conf" cfg.settings} ''; }; }; diff --git a/nixos/modules/services/misc/parsoid.nix b/nixos/modules/services/misc/parsoid.nix index 101ece5ab4c..6f4a340c8a1 100644 --- a/nixos/modules/services/misc/parsoid.nix +++ b/nixos/modules/services/misc/parsoid.nix @@ -70,7 +70,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 8000; description = lib.mdDoc '' Port to listen on. diff --git a/nixos/modules/services/misc/pinnwand.nix b/nixos/modules/services/misc/pinnwand.nix index 29476986111..5fca9f4125a 100644 --- a/nixos/modules/services/misc/pinnwand.nix +++ b/nixos/modules/services/misc/pinnwand.nix @@ -19,29 +19,66 @@ in }; settings = mkOption { - type = format.type; + default = {}; description = lib.mdDoc '' Your {file}`pinnwand.toml` as a Nix attribute set. Look up - possible options in the [pinnwand.toml-example](https://github.com/supakeen/pinnwand/blob/master/pinnwand.toml-example). + possible options in the [documentation](https://pinnwand.readthedocs.io/en/v${pkgs.pinnwand.version}/configuration.html). ''; - default = {}; + type = types.submodule { + freeformType = format.type; + options = { + database_uri = mkOption { + type = types.str; + default = "sqlite:////var/lib/pinnwand/pinnwand.db"; + example = "sqlite:///:memory"; + description = lib.mdDoc '' + Database URI compatible with [SQLAlchemyhttps://docs.sqlalchemy.org/en/14/core/engines.html#database-urls]. + + Additional packages may need to be introduced into the environment for certain databases. + ''; + }; + + paste_size = mkOption { + type = types.ints.positive; + default = 262144; + example = 524288; + description = lib.mdDoc '' + Maximum size of a paste in bytes. + ''; + }; + paste_help = mkOption { + type = types.str; + default = '' + <p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p> + ''; + description = lib.mdDoc '' + Raw HTML help text shown in the header area. + ''; + }; + footer = mkOption { + type = types.str; + default = '' + View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page. + ''; + description = lib.mdDoc '' + The footer in raw HTML. + ''; + }; + }; + }; }; }; config = mkIf cfg.enable { - services.pinnwand.settings = { - database_uri = mkDefault "sqlite:////var/lib/pinnwand/pinnwand.db"; - paste_size = mkDefault 262144; - paste_help = mkDefault '' - <p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p> - ''; - footer = mkDefault '' - View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page. - ''; - }; + systemd.services.pinnwand = { + description = "Pinnwannd HTTP Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/"; - systemd.services = let - hardeningOptions = { + serviceConfig = { + ExecStart = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile} http --port ${toString cfg.port}"; User = "pinnwand"; DynamicUser = true; @@ -72,32 +109,14 @@ in RestrictNamespaces = true; RestrictRealtime = true; SystemCallArchitectures = "native"; - SystemCallFilter = "@system-service"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; UMask = "0077"; }; - - command = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile}"; - in { - pinnwand = { - description = "Pinnwannd HTTP Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/"; - - serviceConfig = { - ExecStart = "${command} http --port ${toString(cfg.port)}"; - } // hardeningOptions; - }; - - pinnwand-reaper = { - description = "Pinnwand Reaper"; - startAt = "daily"; - - serviceConfig = { - ExecStart = "${command} -vvvv reap"; # verbosity increased to show number of deleted pastes - } // hardeningOptions; - }; }; }; + + meta.buildDocsInSandbox = false; } diff --git a/nixos/modules/services/misc/pykms.nix b/nixos/modules/services/misc/pykms.nix index d24cd1bfa05..314388e0152 100644 --- a/nixos/modules/services/misc/pykms.nix +++ b/nixos/modules/services/misc/pykms.nix @@ -28,7 +28,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 1688; description = lib.mdDoc "The port on which to listen."; }; diff --git a/nixos/modules/services/misc/redmine.nix b/nixos/modules/services/misc/redmine.nix index 5fd7e79230e..75c5a4e26e0 100644 --- a/nixos/modules/services/misc/redmine.nix +++ b/nixos/modules/services/misc/redmine.nix @@ -161,7 +161,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = if cfg.database.type == "postgresql" then 5432 else 3306; defaultText = literalExpression "3306"; description = lib.mdDoc "Database host port."; diff --git a/nixos/modules/services/misc/rippled.nix b/nixos/modules/services/misc/rippled.nix index a3ba3dd2c37..d14b6421b74 100644 --- a/nixos/modules/services/misc/rippled.nix +++ b/nixos/modules/services/misc/rippled.nix @@ -98,7 +98,7 @@ let port = mkOption { description = lib.mdDoc "Port where rippled listens."; - type = types.int; + type = types.port; }; protocol = mkOption { diff --git a/nixos/modules/services/misc/tautulli.nix b/nixos/modules/services/misc/tautulli.nix index 0efd0839bc1..b29e9dc0c8d 100644 --- a/nixos/modules/services/misc/tautulli.nix +++ b/nixos/modules/services/misc/tautulli.nix @@ -27,7 +27,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 8181; description = lib.mdDoc "TCP port where Tautulli listens."; }; diff --git a/nixos/modules/services/misc/zoneminder.nix b/nixos/modules/services/misc/zoneminder.nix index e031fab5970..109415a20ee 100644 --- a/nixos/modules/services/misc/zoneminder.nix +++ b/nixos/modules/services/misc/zoneminder.nix @@ -97,7 +97,7 @@ in { }; port = mkOption { - type = types.int; + type = types.port; default = 8095; description = lib.mdDoc '' The port on which to listen. diff --git a/nixos/modules/services/misc/zookeeper.nix b/nixos/modules/services/misc/zookeeper.nix index 17d4a00f28f..fb51be698e7 100644 --- a/nixos/modules/services/misc/zookeeper.nix +++ b/nixos/modules/services/misc/zookeeper.nix @@ -24,16 +24,12 @@ let in { options.services.zookeeper = { - enable = mkOption { - description = lib.mdDoc "Whether to enable Zookeeper."; - default = false; - type = types.bool; - }; + enable = mkEnableOption (lib.mdDoc "Zookeeper"); port = mkOption { description = lib.mdDoc "Zookeeper Client port."; default = 2181; - type = types.int; + type = types.port; }; id = mkOption { diff --git a/nixos/modules/services/monitoring/alerta.nix b/nixos/modules/services/monitoring/alerta.nix index cf94f9813e8..6c7ebec4191 100644 --- a/nixos/modules/services/monitoring/alerta.nix +++ b/nixos/modules/services/monitoring/alerta.nix @@ -24,7 +24,7 @@ in enable = mkEnableOption (lib.mdDoc "alerta"); port = mkOption { - type = types.int; + type = types.port; default = 5000; description = lib.mdDoc "Port of Alerta"; }; diff --git a/nixos/modules/services/monitoring/arbtt.nix b/nixos/modules/services/monitoring/arbtt.nix index 8bf4f78cc72..f07ecc5d5dd 100644 --- a/nixos/modules/services/monitoring/arbtt.nix +++ b/nixos/modules/services/monitoring/arbtt.nix @@ -7,13 +7,7 @@ let in { options = { services.arbtt = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Enable the arbtt statistics capture service. - ''; - }; + enable = mkEnableOption (lib.mdDoc "Arbtt statistics capture service"); package = mkOption { type = types.package; diff --git a/nixos/modules/services/monitoring/bosun.nix b/nixos/modules/services/monitoring/bosun.nix index 27966e089eb..dc75fda6ed8 100644 --- a/nixos/modules/services/monitoring/bosun.nix +++ b/nixos/modules/services/monitoring/bosun.nix @@ -22,13 +22,7 @@ in { services.bosun = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to run bosun. - ''; - }; + enable = mkEnableOption (lib.mdDoc "bosun"); package = mkOption { type = types.package; diff --git a/nixos/modules/services/monitoring/cadvisor.nix b/nixos/modules/services/monitoring/cadvisor.nix index d5e44031016..a8fba4e6e8c 100644 --- a/nixos/modules/services/monitoring/cadvisor.nix +++ b/nixos/modules/services/monitoring/cadvisor.nix @@ -8,11 +8,7 @@ let in { options = { services.cadvisor = { - enable = mkOption { - default = false; - type = types.bool; - description = lib.mdDoc "Whether to enable cadvisor service."; - }; + enable = mkEnableOption (lib.mdDoc "Cadvisor service"); listenAddress = mkOption { default = "127.0.0.1"; @@ -22,7 +18,7 @@ in { port = mkOption { default = 8080; - type = types.int; + type = types.port; description = lib.mdDoc "Cadvisor listening port"; }; diff --git a/nixos/modules/services/monitoring/datadog-agent.nix b/nixos/modules/services/monitoring/datadog-agent.nix index a7f6fa23aa6..15deef18b60 100644 --- a/nixos/modules/services/monitoring/datadog-agent.nix +++ b/nixos/modules/services/monitoring/datadog-agent.nix @@ -49,13 +49,7 @@ let }; in { options.services.datadog-agent = { - enable = mkOption { - description = lib.mdDoc '' - Whether to enable the datadog-agent v7 monitoring service - ''; - default = false; - type = types.bool; - }; + enable = mkEnableOption (lib.mdDoc "Datadog-agent v7 monitoring service"); package = mkOption { default = pkgs.datadog-agent; diff --git a/nixos/modules/services/monitoring/grafana-reporter.nix b/nixos/modules/services/monitoring/grafana-reporter.nix index add725e7ba2..eac304d63aa 100644 --- a/nixos/modules/services/monitoring/grafana-reporter.nix +++ b/nixos/modules/services/monitoring/grafana-reporter.nix @@ -23,7 +23,7 @@ in { port = mkOption { description = lib.mdDoc "Grafana port."; default = 3000; - type = types.int; + type = types.port; }; }; @@ -36,7 +36,7 @@ in { port = mkOption { description = lib.mdDoc "Listening port."; default = 8686; - type = types.int; + type = types.port; }; templateDir = mkOption { diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index 52d5cab9f51..9b3068796d8 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -13,57 +13,96 @@ let settingsFormatIni = pkgs.formats.ini {}; configFile = settingsFormatIni.generate "config.ini" cfg.settings; - datasourceConfiguration = { - apiVersion = 1; - datasources = cfg.provision.datasources; - }; - - datasourceFileNew = if (cfg.provision.datasources.path == null) then provisioningSettingsFormat.generate "datasource.yaml" cfg.provision.datasources.settings else cfg.provision.datasources.path; - datasourceFile = if (builtins.isList cfg.provision.datasources) then provisioningSettingsFormat.generate "datasource.yaml" datasourceConfiguration else datasourceFileNew; - - dashboardConfiguration = { - apiVersion = 1; - providers = cfg.provision.dashboards; - }; - - dashboardFileNew = if (cfg.provision.dashboards.path == null) then provisioningSettingsFormat.generate "dashboard.yaml" cfg.provision.dashboards.settings else cfg.provision.dashboards.path; - dashboardFile = if (builtins.isList cfg.provision.dashboards) then provisioningSettingsFormat.generate "dashboard.yaml" dashboardConfiguration else dashboardFileNew; + mkProvisionCfg = name: attr: provisionCfg: + if provisionCfg.path != null + then provisionCfg.path + else + provisioningSettingsFormat.generate "${name}.yaml" + (if provisionCfg.settings != null + then provisionCfg.settings + else { + apiVersion = 1; + ${attr} = []; + }); + + datasourceFileOrDir = mkProvisionCfg "datasource" "datasources" cfg.provision.datasources; + dashboardFileOrDir = mkProvisionCfg "dashboard" "providers" cfg.provision.dashboards; notifierConfiguration = { apiVersion = 1; notifiers = cfg.provision.notifiers; }; - notifierFile = pkgs.writeText "notifier.yaml" (builtins.toJSON notifierConfiguration); + notifierFileOrDir = pkgs.writeText "notifier.yaml" (builtins.toJSON notifierConfiguration); generateAlertingProvisioningYaml = x: if (cfg.provision.alerting."${x}".path == null) then provisioningSettingsFormat.generate "${x}.yaml" cfg.provision.alerting."${x}".settings else cfg.provision.alerting."${x}".path; - rulesFile = generateAlertingProvisioningYaml "rules"; - contactPointsFile = generateAlertingProvisioningYaml "contactPoints"; - policiesFile = generateAlertingProvisioningYaml "policies"; - templatesFile = generateAlertingProvisioningYaml "templates"; - muteTimingsFile = generateAlertingProvisioningYaml "muteTimings"; - - provisionConfDir = pkgs.runCommand "grafana-provisioning" { } '' + rulesFileOrDir = generateAlertingProvisioningYaml "rules"; + contactPointsFileOrDir = generateAlertingProvisioningYaml "contactPoints"; + policiesFileOrDir = generateAlertingProvisioningYaml "policies"; + templatesFileOrDir = generateAlertingProvisioningYaml "templates"; + muteTimingsFileOrDir = generateAlertingProvisioningYaml "muteTimings"; + + ln = { src, dir, filename }: '' + if [[ -d "${src}" ]]; then + pushd $out/${dir} &>/dev/null + lndir "${src}" + popd &>/dev/null + else + ln -sf ${src} $out/${dir}/${filename}.yaml + fi + ''; + provisionConfDir = pkgs.runCommand "grafana-provisioning" { nativeBuildInputs = [ pkgs.xorg.lndir ]; } '' mkdir -p $out/{datasources,dashboards,notifiers,alerting} - ln -sf ${datasourceFile} $out/datasources/datasource.yaml - ln -sf ${dashboardFile} $out/dashboards/dashboard.yaml - ln -sf ${notifierFile} $out/notifiers/notifier.yaml - ln -sf ${rulesFile} $out/alerting/rules.yaml - ln -sf ${contactPointsFile} $out/alerting/contactPoints.yaml - ln -sf ${policiesFile} $out/alerting/policies.yaml - ln -sf ${templatesFile} $out/alerting/templates.yaml - ln -sf ${muteTimingsFile} $out/alerting/muteTimings.yaml + ${ln { src = datasourceFileOrDir; dir = "datasources"; filename = "datasource"; }} + ${ln { src = dashboardFileOrDir; dir = "dashboards"; filename = "dashbaord"; }} + ${ln { src = notifierFileOrDir; dir = "notifiers"; filename = "notifier"; }} + ${ln { src = rulesFileOrDir; dir = "alerting"; filename = "rules"; }} + ${ln { src = contactPointsFileOrDir; dir = "alerting"; filename = "contactPoints"; }} + ${ln { src = policiesFileOrDir; dir = "alerting"; filename = "policies"; }} + ${ln { src = templatesFileOrDir; dir = "alerting"; filename = "templates"; }} + ${ln { src = muteTimingsFileOrDir; dir = "alerting"; filename = "muteTimings"; }} ''; # Get a submodule without any embedded metadata: _filter = x: filterAttrs (k: v: k != "_module") x; + # FIXME(@Ma27) remove before 23.05. This is just a helper-type + # because `mkRenamedOptionModule` doesn't work if `foo.bar` is renamed + # to `foo.bar.baz`. + submodule' = module: types.coercedTo + (mkOptionType { + name = "grafana-provision-submodule"; + description = "Wrapper-type for backwards compat of Grafana's declarative provisioning"; + check = x: + if builtins.isList x then + throw '' + Provisioning dashboards and datasources declaratively by + setting `dashboards` or `datasources` to a list is not supported + anymore. Use `services.grafana.provision.datasources.settings.datasources` + (or `services.grafana.provision.dashboards.settings.providers`) instead. + '' + else isAttrs x || isFunction x; + }) + id + (types.submodule module); + # http://docs.grafana.org/administration/provisioning/#datasources grafanaTypes.datasourceConfig = types.submodule { freeformType = provisioningSettingsFormat.type; + imports = [ + (mkRemovedOptionModule [ "password" ] '' + `services.grafana.provision.datasources.settings.datasources.<name>.password` has been removed + in Grafana 9. Use `secureJsonData` instead. + '') + (mkRemovedOptionModule [ "basicAuthPassword" ] '' + `services.grafana.provision.datasources.settings.datasources.<name>.basicAuthPassword` has been removed + in Grafana 9. Use `secureJsonData` instead. + '') + ]; + options = { name = mkOption { type = types.str; @@ -93,28 +132,6 @@ let default = false; description = lib.mdDoc "Allow users to edit datasources from the UI."; }; - password = mkOption { - type = types.nullOr types.str; - default = null; - description = lib.mdDoc '' - Database password, if used. Please note that the contents of this option - will end up in a world-readable Nix store. Use the file provider - pointing at a reasonably secured file in the local filesystem - to work around that. Look at the documentation for details: - <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider> - ''; - }; - basicAuthPassword = mkOption { - type = types.nullOr types.str; - default = null; - description = lib.mdDoc '' - Basic auth password. Please note that the contents of this option - will end up in a world-readable Nix store. Use the file provider - pointing at a reasonably secured file in the local filesystem - to work around that. Look at the documentation for details: - <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider> - ''; - }; secureJsonData = mkOption { type = types.nullOr types.attrs; default = null; @@ -276,6 +293,10 @@ in { (mkRemovedOptionModule [ "services" "grafana" "auth" "google" "clientSecretFile" ] '' This option has been removed. Use 'services.grafana.settings.google.client_secret' with file provider instead. '') + (mkRemovedOptionModule [ "services" "grafana" "extraOptions" ] '' + This option has been removed. Use 'services.grafana.settings' instead. For a detailed migration guide, please + review the release notes of NixOS 22.11. + '') (mkRemovedOptionModule [ "services" "grafana" "auth" "azuread" "tenantId" ] "This option has been deprecated upstream.") ]; @@ -330,19 +351,7 @@ in { Don't change the value of this option if you are planning to use `services.grafana.provision` options. ''; default = provisionConfDir; - defaultText = literalExpression '' - pkgs.runCommand "grafana-provisioning" { } \'\' - mkdir -p $out/{datasources,dashboards,notifiers,alerting} - ln -sf ''${datasourceFile} $out/datasources/datasource.yaml - ln -sf ''${dashboardFile} $out/dashboards/dashboard.yaml - ln -sf ''${notifierFile} $out/notifiers/notifier.yaml - ln -sf ''${rulesFile} $out/alerting/rules.yaml - ln -sf ''${contactPointsFile} $out/alerting/contactPoints.yaml - ln -sf ''${policiesFile} $out/alerting/policies.yaml - ln -sf ''${templatesFile} $out/alerting/templates.yaml - ln -sf ''${muteTimingsFile} $out/alerting/muteTimings.yaml - \'\' - ''; + defaultText = "directory with links to files generated from services.grafana.provision"; type = types.path; }; }; @@ -564,17 +573,14 @@ in { datasources = mkOption { description = lib.mdDoc '' - Deprecated option for Grafana datasource configuration. Use either - `services.grafana.provision.datasources.settings` or - `services.grafana.provision.datasources.path` instead. + Declaratively provision Grafana's datasources. ''; - default = []; - apply = x: if (builtins.isList x) then map _filter x else x; - type = with types; either (listOf grafanaTypes.datasourceConfig) (submodule { + default = {}; + type = submodule' { options.settings = mkOption { description = lib.mdDoc '' Grafana datasource configuration in Nix. Can't be used with - `services.grafana.provision.datasources.path` simultaneously. See + [](#opt-services.grafana.provision.datasources.path) simultaneously. See <https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources> for supported options. ''; @@ -591,6 +597,7 @@ in { description = lib.mdDoc "List of datasources to insert/update."; default = []; type = types.listOf grafanaTypes.datasourceConfig; + apply = map (flip builtins.removeAttrs [ "password" "basicAuthPassword" ]); }; deleteDatasources = mkOption { @@ -630,28 +637,26 @@ in { options.path = mkOption { description = lib.mdDoc '' Path to YAML datasource configuration. Can't be used with - `services.grafana.provision.datasources.settings` simultaneously. + [](#opt-services.grafana.provision.datasources.settings) simultaneously. + Can be either a directory or a single YAML file. Will end up in the store. ''; default = null; type = types.nullOr types.path; }; - }); + }; }; dashboards = mkOption { description = lib.mdDoc '' - Deprecated option for Grafana dashboard configuration. Use either - `services.grafana.provision.dashboards.settings` or - `services.grafana.provision.dashboards.path` instead. + Declaratively provision Grafana's dashboards. ''; - default = []; - apply = x: if (builtins.isList x) then map _filter x else x; - type = with types; either (listOf grafanaTypes.dashboardConfig) (submodule { + default = {}; + type = submodule' { options.settings = mkOption { description = lib.mdDoc '' Grafana dashboard configuration in Nix. Can't be used with - `services.grafana.provision.dashboards.path` simultaneously. See + [](#opt-services.grafana.provision.dashboards.path) simultaneously. See <https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards> for supported options. ''; @@ -684,12 +689,13 @@ in { options.path = mkOption { description = lib.mdDoc '' Path to YAML dashboard configuration. Can't be used with - `services.grafana.provision.dashboards.settings` simultaneously. + [](#opt-services.grafana.provision.dashboards.settings) simultaneously. + Can be either a directory or a single YAML file. Will end up in the store. ''; default = null; type = types.nullOr types.path; }; - }); + }; }; @@ -706,7 +712,8 @@ in { path = mkOption { description = lib.mdDoc '' Path to YAML rules configuration. Can't be used with - `services.grafana.provision.alerting.rules.settings` simultaneously. + [](#opt-services.grafana.provision.alerting.rules.settings) simultaneously. + Can be either a directory or a single YAML file. Will end up in the store. ''; default = null; type = types.nullOr types.path; @@ -715,7 +722,7 @@ in { settings = mkOption { description = lib.mdDoc '' Grafana rules configuration in Nix. Can't be used with - `services.grafana.provision.alerting.rules.path` simultaneously. See + [](#opt-services.grafana.provision.alerting.rules.path) simultaneously. See <https://grafana.com/docs/grafana/latest/administration/provisioning/#rules> for supported options. ''; @@ -829,7 +836,8 @@ in { path = mkOption { description = lib.mdDoc '' Path to YAML contact points configuration. Can't be used with - `services.grafana.provision.alerting.contactPoints.settings` simultaneously. + [](#opt-services.grafana.provision.alerting.contactPoints.settings) simultaneously. + Can be either a directory or a single YAML file. Will end up in the store. ''; default = null; type = types.nullOr types.path; @@ -838,7 +846,7 @@ in { settings = mkOption { description = lib.mdDoc '' Grafana contact points configuration in Nix. Can't be used with - `services.grafana.provision.alerting.contactPoints.path` simultaneously. See + [](#opt-services.grafana.provision.alerting.contactPoints.path) simultaneously. See <https://grafana.com/docs/grafana/latest/administration/provisioning/#contact-points> for supported options. ''; @@ -852,7 +860,7 @@ in { }; contactPoints = mkOption { - description = lib.mdDoc "List of contact points to import or update. Please note that sensitive data will end up in world-readable Nix store."; + description = lib.mdDoc "List of contact points to import or update."; default = []; type = types.listOf (types.submodule { freeformType = provisioningSettingsFormat.type; @@ -909,7 +917,8 @@ in { path = mkOption { description = lib.mdDoc '' Path to YAML notification policies configuration. Can't be used with - `services.grafana.provision.alerting.policies.settings` simultaneously. + [](#opt-services.grafana.provision.alerting.policies.settings) simultaneously. + Can be either a directory or a single YAML file. Will end up in the store. ''; default = null; type = types.nullOr types.path; @@ -918,7 +927,7 @@ in { settings = mkOption { description = lib.mdDoc '' Grafana notification policies configuration in Nix. Can't be used with - `services.grafana.provision.alerting.policies.path` simultaneously. See + [](#opt-services.grafana.provision.alerting.policies.path) simultaneously. See <https://grafana.com/docs/grafana/latest/administration/provisioning/#notification-policies> for supported options. ''; @@ -978,7 +987,8 @@ in { path = mkOption { description = lib.mdDoc '' Path to YAML templates configuration. Can't be used with - `services.grafana.provision.alerting.templates.settings` simultaneously. + [](#opt-services.grafana.provision.alerting.templates.settings) simultaneously. + Can be either a directory or a single YAML file. Will end up in the store. ''; default = null; type = types.nullOr types.path; @@ -987,7 +997,7 @@ in { settings = mkOption { description = lib.mdDoc '' Grafana templates configuration in Nix. Can't be used with - `services.grafana.provision.alerting.templates.path` simultaneously. See + [](#opt-services.grafana.provision.alerting.templates.path) simultaneously. See <https://grafana.com/docs/grafana/latest/administration/provisioning/#templates> for supported options. ''; @@ -1059,7 +1069,8 @@ in { path = mkOption { description = lib.mdDoc '' Path to YAML mute timings configuration. Can't be used with - `services.grafana.provision.alerting.muteTimings.settings` simultaneously. + [](#opt-services.grafana.provision.alerting.muteTimings.settings) simultaneously. + Can be either a directory or a single YAML file. Will end up in the store. ''; default = null; type = types.nullOr types.path; @@ -1068,7 +1079,7 @@ in { settings = mkOption { description = lib.mdDoc '' Grafana mute timings configuration in Nix. Can't be used with - `services.grafana.provision.alerting.muteTimings.path` simultaneously. See + [](#opt-services.grafana.provision.alerting.muteTimings.path) simultaneously. See <https://grafana.com/docs/grafana/latest/administration/provisioning/#mute-timings> for supported options. ''; @@ -1159,52 +1170,50 @@ in { config = mkIf cfg.enable { warnings = let - usesFileProvider = opt: defaultValue: builtins.match "^${defaultValue}$|^\\$__file\\{.*}$" opt != null; - in flatten [ - (optional ( - ! usesFileProvider cfg.settings.database.password "" || - ! usesFileProvider cfg.settings.security.admin_password "admin" - ) "Grafana passwords will be stored as plaintext in the Nix store! Use file provider instead.") - (optional ( + doesntUseFileProvider = opt: defaultValue: let - checkOpts = opt: any (x: x.password != null || x.basicAuthPassword != null || x.secureJsonData != null) opt; - datasourcesUsed = if (cfg.provision.datasources.settings == null) then [] else cfg.provision.datasources.settings.datasources; - in if (builtins.isList cfg.provision.datasources) then checkOpts cfg.provision.datasources else checkOpts datasourcesUsed - ) '' - Datasource passwords will be stored as plaintext in the Nix store! - It is not possible to use file provider in provisioning; please provision - datasources via `services.grafana.provision.datasources.path` instead. - '') - (optional ( - any (x: x.secure_settings != null) cfg.provision.notifiers - ) "Notifier secure settings will be stored as plaintext in the Nix store! Use file provider instead.") + regex = "${optionalString (defaultValue != null) "^${defaultValue}$|"}^\\$__(file|env)\\{.*}$|^\\$[^_\\$][^ ]+$"; + in builtins.match regex opt == null; + in + # Ensure that no custom credentials are leaked into the Nix store. Unless the default value + # is specified, this can be achieved by using the file/env provider: + # https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion (optional ( - builtins.isList cfg.provision.datasources && cfg.provision.datasources != [] + doesntUseFileProvider cfg.settings.database.password "" || + doesntUseFileProvider cfg.settings.security.admin_password "admin" ) '' - Provisioning Grafana datasources with options has been deprecated. - Use `services.grafana.provision.datasources.settings` or - `services.grafana.provision.datasources.path` instead. - '') - (optional ( - builtins.isList cfg.provision.datasources && cfg.provision.dashboards != [] + Grafana passwords will be stored as plaintext in the Nix store! + Use file provider or an env-var instead. + '') + # Warn about deprecated notifiers. + ++ (optional (cfg.provision.notifiers != []) '' + Notifiers are deprecated upstream and will be removed in Grafana 10. + Use `services.grafana.provision.alerting.contactPoints` instead. + '') + # Ensure that `secureJsonData` of datasources provisioned via `datasources.settings` + # only uses file/env providers. + ++ (optional ( + let + datasourcesToCheck = optionals + (cfg.provision.datasources.settings != null) + cfg.provision.datasources.settings.datasources; + declarationUnsafe = { secureJsonData, ... }: + secureJsonData != null + && any (flip doesntUseFileProvider null) (attrValues secureJsonData); + in any declarationUnsafe datasourcesToCheck ) '' - Provisioning Grafana dashboards with options has been deprecated. - Use `services.grafana.provision.dashboards.settings` or - `services.grafana.provision.dashboards.path` instead. - '') - (optional ( - cfg.provision.notifiers != [] - ) '' - Notifiers are deprecated upstream and will be removed in Grafana 10. - Use `services.grafana.provision.alerting.contactPoints` instead. - '') - ]; + Declarations in the `secureJsonData`-block of a datasource will be leaked to the + Nix store unless a file-provider or an env-var is used! + '') + ++ (optional ( + any (x: x.secure_settings != null) cfg.provision.notifiers + ) "Notifier secure settings will be stored as plaintext in the Nix store! Use file provider instead."); environment.systemPackages = [ cfg.package ]; assertions = [ { - assertion = if (builtins.isList cfg.provision.datasources) then true else cfg.provision.datasources.settings == null || cfg.provision.datasources.path == null; + assertion = cfg.provision.datasources.settings == null || cfg.provision.datasources.path == null; message = "Cannot set both datasources settings and datasources path"; } { @@ -1213,12 +1222,11 @@ in { ({ type, access, ... }: type == "prometheus" -> access != "direct") opt; in - if (builtins.isList cfg.provision.datasources) then prometheusIsNotDirect cfg.provision.datasources - else cfg.provision.datasources.settings == null || prometheusIsNotDirect cfg.provision.datasources.settings.datasources; + cfg.provision.datasources.settings == null || prometheusIsNotDirect cfg.provision.datasources.settings.datasources; message = "For datasources of type `prometheus`, the `direct` access mode is not supported anymore (since Grafana 9.2.0)"; } { - assertion = if (builtins.isList cfg.provision.dashboards) then true else cfg.provision.dashboards.settings == null || cfg.provision.dashboards.path == null; + assertion = cfg.provision.dashboards.settings == null || cfg.provision.dashboards.path == null; message = "Cannot set both dashboards settings and dashboards path"; } { diff --git a/nixos/modules/services/monitoring/heapster.nix b/nixos/modules/services/monitoring/heapster.nix index 2f2467477ae..fc63276b62f 100644 --- a/nixos/modules/services/monitoring/heapster.nix +++ b/nixos/modules/services/monitoring/heapster.nix @@ -6,11 +6,7 @@ let cfg = config.services.heapster; in { options.services.heapster = { - enable = mkOption { - description = lib.mdDoc "Whether to enable heapster monitoring"; - default = false; - type = types.bool; - }; + enable = mkEnableOption (lib.mdDoc "Heapster monitoring"); source = mkOption { description = lib.mdDoc "Heapster metric source"; diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index 1dc6a65973d..f6bae8f9e96 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -1563,13 +1563,7 @@ in options.services.prometheus = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Enable the Prometheus monitoring daemon. - ''; - }; + enable = mkEnableOption (lib.mdDoc "Prometheus monitoring daemon"); package = mkOption { type = types.package; diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index d9e380d4274..8826d80a70c 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -77,6 +77,7 @@ let "varnish" "wireguard" "flow" + "zfs" ] (name: import (./. + "/exporters/${name}.nix") { inherit config lib pkgs options; } ); @@ -196,7 +197,7 @@ let serviceConfig.LockPersonality = true; serviceConfig.MemoryDenyWriteExecute = true; serviceConfig.NoNewPrivileges = true; - serviceConfig.PrivateDevices = true; + serviceConfig.PrivateDevices = mkDefault true; serviceConfig.ProtectClock = mkDefault true; serviceConfig.ProtectControlGroups = true; serviceConfig.ProtectHome = true; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix index 129c73eba4a..15079f5841f 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix @@ -33,7 +33,7 @@ let ''; }; port = mkOption { - type = types.int; + type = types.port; example = 587; description = lib.mdDoc '' Port to use for SMTP. diff --git a/nixos/modules/services/monitoring/prometheus/exporters/tor.nix b/nixos/modules/services/monitoring/prometheus/exporters/tor.nix index edf9b57607a..7a9167110a2 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/tor.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/tor.nix @@ -17,7 +17,7 @@ in }; torControlPort = mkOption { - type = types.int; + type = types.port; default = 9051; description = lib.mdDoc '' Tor control port. diff --git a/nixos/modules/services/monitoring/prometheus/exporters/unifi-poller.nix b/nixos/modules/services/monitoring/prometheus/exporters/unifi-poller.nix index d264e68be9a..35de31df88e 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/unifi-poller.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/unifi-poller.nix @@ -9,10 +9,12 @@ let poller = { inherit (cfg.log) debug quiet; }; unifi = { inherit (cfg) controllers; }; influxdb.disable = true; + datadog.disable = true; # workaround for https://github.com/unpoller/unpoller/issues/442 prometheus = { http_listen = "${cfg.listenAddress}:${toString cfg.port}"; report_errors = cfg.log.prometheusErrors; }; + inherit (cfg) loki; }); in { @@ -20,6 +22,7 @@ in { extraOpts = { inherit (options.services.unifi-poller.unifi) controllers; + inherit (options.services.unifi-poller) loki; log = { debug = mkEnableOption (lib.mdDoc "debug logging including line numbers, high resolution timestamps, per-device logs."); quiet = mkEnableOption (lib.mdDoc "startup and error logs only."); @@ -28,7 +31,7 @@ in { }; serviceOpts.serviceConfig = { - ExecStart = "${pkgs.unifi-poller}/bin/unifi-poller --config ${configFile}"; + ExecStart = "${pkgs.unifi-poller}/bin/unpoller --config ${configFile}"; DynamicUser = false; }; } diff --git a/nixos/modules/services/monitoring/prometheus/exporters/zfs.nix b/nixos/modules/services/monitoring/prometheus/exporters/zfs.nix new file mode 100644 index 00000000000..ff12a52d49a --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/zfs.nix @@ -0,0 +1,44 @@ +{ config, lib, pkgs, options }: + +with lib; + +let + cfg = config.services.prometheus.exporters.zfs; +in +{ + port = 9134; + + extraOpts = { + telemetryPath = mkOption { + type = types.str; + default = "/metrics"; + description = lib.mdDoc '' + Path under which to expose metrics. + ''; + }; + + pools = mkOption { + type = with types; nullOr (listOf str); + default = [ ]; + description = lib.mdDoc '' + Name of the pool(s) to collect, repeat for multiple pools (default: all pools). + ''; + }; + }; + + serviceOpts = { + # needs zpool + path = [ config.boot.zfs.package ]; + serviceConfig = { + ExecStart = '' + ${pkgs.prometheus-zfs-exporter}/bin/zfs_exporter \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + --web.telemetry-path ${cfg.telemetryPath} \ + ${concatMapStringsSep " " (x: "--pool=${x}") cfg.pools} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + ProtectClock = false; + PrivateDevices = false; + }; + }; +} diff --git a/nixos/modules/services/monitoring/riemann.nix b/nixos/modules/services/monitoring/riemann.nix index 8d61ec2a308..7ab8af85ed7 100644 --- a/nixos/modules/services/monitoring/riemann.nix +++ b/nixos/modules/services/monitoring/riemann.nix @@ -27,13 +27,8 @@ in { options = { services.riemann = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Enable the Riemann network monitoring daemon. - ''; - }; + enable = mkEnableOption (lib.mdDoc "Riemann network monitoring daemon"); + config = mkOption { type = types.lines; description = lib.mdDoc '' diff --git a/nixos/modules/services/monitoring/tremor-rs.nix b/nixos/modules/services/monitoring/tremor-rs.nix new file mode 100644 index 00000000000..213e8a47486 --- /dev/null +++ b/nixos/modules/services/monitoring/tremor-rs.nix @@ -0,0 +1,129 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + + cfg = config.services.tremor-rs; + + loggerSettingsFormat = pkgs.formats.yaml { }; + loggerConfigFile = loggerSettingsFormat.generate "logger.yaml" cfg.loggerSettings; +in { + + options = { + services.tremor-rs = { + enable = lib.mkEnableOption (lib.mdDoc "Tremor event- or stream-processing system"); + + troyFileList = mkOption { + type = types.listOf types.path; + default = []; + description = lib.mdDoc "List of troy files to load."; + }; + + tremorLibDir = mkOption { + type = types.path; + default = ""; + description = lib.mdDoc "Directory where to find /lib containing tremor script files"; + }; + + host = mkOption { + type = types.str; + default = "127.0.0.1"; + description = lib.mdDoc "The host tremor should be listening on"; + }; + + port = mkOption { + type = types.port; + default = 9898; + description = lib.mdDoc "the port tremor should be listening on"; + }; + + loggerSettings = mkOption { + description = lib.mdDoc "Tremor logger configuration"; + default = {}; + type = loggerSettingsFormat.type; + + example = { + refresh_rate = "30 seconds"; + appenders.stdout.kind = "console"; + root = { + level = "warn"; + appenders = [ "stdout" ]; + }; + loggers = { + tremor_runtime = { + level = "debug"; + appenders = [ "stdout" ]; + additive = false; + }; + tremor = { + level = "debug"; + appenders = [ "stdout" ]; + additive = false; + }; + }; + }; + + defaultText = literalExpression '' + { + refresh_rate = "30 seconds"; + appenders.stdout.kind = "console"; + root = { + level = "warn"; + appenders = [ "stdout" ]; + }; + loggers = { + tremor_runtime = { + level = "debug"; + appenders = [ "stdout" ]; + additive = false; + }; + tremor = { + level = "debug"; + appenders = [ "stdout" ]; + additive = false; + }; + }; + } + ''; + + }; + }; + }; + + config = mkIf (cfg.enable) { + + environment.systemPackages = [ pkgs.tremor-rs ] ; + + systemd.services.tremor-rs = { + description = "Tremor event- or stream-processing system"; + wantedBy = [ "multi-user.target" ]; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + environment.TREMOR_PATH = "${pkgs.tremor-rs}/lib:${cfg.tremorLibDir}"; + + serviceConfig = { + ExecStart = "${pkgs.tremor-rs}/bin/tremor --logger-config ${loggerConfigFile} server run ${concatStringsSep " " cfg.troyFileList} --api-host ${cfg.host}:${toString cfg.port}"; + DynamicUser = true; + Restart = "always"; + NoNewPrivileges = true; + PrivateTmp = true; + ProtectHome = true; + ProtectClock = true; + ProtectProc = "noaccess"; + ProcSubset = "pid"; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + ProtectHostname = true; + RestrictSUIDSGID = true; + RestrictRealtime = true; + RestrictNamespaces = true; + LockPersonality = true; + RemoveIPC = true; + SystemCallFilter = [ "@system-service" "~@privileged" ]; + }; + }; + }; +} diff --git a/nixos/modules/services/monitoring/zabbix-server.nix b/nixos/modules/services/monitoring/zabbix-server.nix index b40437100fc..2b50280e396 100644 --- a/nixos/modules/services/monitoring/zabbix-server.nix +++ b/nixos/modules/services/monitoring/zabbix-server.nix @@ -94,7 +94,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = if cfg.database.type == "mysql" then mysql.port else pgsql.port; defaultText = literalExpression '' if config.${opt.database.type} == "mysql" diff --git a/nixos/modules/services/network-filesystems/samba-wsdd.nix b/nixos/modules/services/network-filesystems/samba-wsdd.nix index e28fe4cf9c4..24407f05de6 100644 --- a/nixos/modules/services/network-filesystems/samba-wsdd.nix +++ b/nixos/modules/services/network-filesystems/samba-wsdd.nix @@ -9,7 +9,7 @@ in { options = { services.samba-wsdd = { enable = mkEnableOption (lib.mdDoc '' - Enable Web Services Dynamic Discovery host daemon. This enables (Samba) hosts, like your local NAS device, + Web Services Dynamic Discovery host daemon. This enables (Samba) hosts, like your local NAS device, to be found by Web Service Discovery Clients like Windows. ::: {.note} diff --git a/nixos/modules/services/networking/adguardhome.nix b/nixos/modules/services/networking/adguardhome.nix index eaeaeaeb6a7..bda99cb7942 100644 --- a/nixos/modules/services/networking/adguardhome.nix +++ b/nixos/modules/services/networking/adguardhome.nix @@ -51,8 +51,8 @@ in }; settings = mkOption { - default = { }; - type = submodule { + default = null; + type = nullOr (submodule { freeformType = (pkgs.formats.yaml { }).type; options = { schema_version = mkOption { @@ -79,7 +79,7 @@ in ''; }; }; - }; + }); description = lib.mdDoc '' AdGuard Home configuration. Refer to <https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file> @@ -89,6 +89,10 @@ in On start and if {option}`mutableSettings` is `true`, these options are merged into the configuration file on start, taking precedence over configuration changes made on the web interface. + + Set this to `null` (default) for a non-declarative configuration without any + Nix-supplied values. + Declarative configurations are supplied with a default `schema_version`, `bind_host`, and `bind_port`. ::: ''; }; @@ -105,15 +109,15 @@ in config = mkIf cfg.enable { assertions = [ { - assertion = cfg.settings != { } - -> (hasAttrByPath [ "dns" "bind_host" ] cfg.settings) + assertion = cfg.settings != null -> cfg.mutableSettings + || (hasAttrByPath [ "dns" "bind_host" ] cfg.settings) || (hasAttrByPath [ "dns" "bind_hosts" ] cfg.settings); message = "AdGuard setting dns.bind_host or dns.bind_hosts needs to be configured for a minimal working configuration"; } { - assertion = cfg.settings != { } - -> hasAttrByPath [ "dns" "bootstrap_dns" ] cfg.settings; + assertion = cfg.settings != null -> cfg.mutableSettings + || hasAttrByPath [ "dns" "bootstrap_dns" ] cfg.settings; message = "AdGuard setting dns.bootstrap_dns needs to be configured for a minimal working configuration"; } @@ -128,7 +132,7 @@ in StartLimitBurst = 10; }; - preStart = optionalString (cfg.settings != { }) '' + preStart = optionalString (cfg.settings != null) '' if [ -e "$STATE_DIRECTORY/AdGuardHome.yaml" ] \ && [ "${toString cfg.mutableSettings}" = "1" ]; then # Writing directly to AdGuardHome.yaml results in empty file diff --git a/nixos/modules/services/networking/bitlbee.nix b/nixos/modules/services/networking/bitlbee.nix index 668ed388ae2..88c04597e2b 100644 --- a/nixos/modules/services/networking/bitlbee.nix +++ b/nixos/modules/services/networking/bitlbee.nix @@ -68,7 +68,7 @@ in portNumber = mkOption { default = 6667; - type = types.int; + type = types.port; description = lib.mdDoc '' Number of the port BitlBee will be listening to. ''; diff --git a/nixos/modules/services/networking/chisel-server.nix b/nixos/modules/services/networking/chisel-server.nix new file mode 100644 index 00000000000..d3724743209 --- /dev/null +++ b/nixos/modules/services/networking/chisel-server.nix @@ -0,0 +1,99 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.chisel-server; + +in { + options = { + services.chisel-server = { + enable = mkEnableOption (mdDoc "Chisel Tunnel Server"); + host = mkOption { + description = mdDoc "Address to listen on, falls back to 0.0.0.0"; + type = with types; nullOr str; + default = null; + example = "[::1]"; + }; + port = mkOption { + description = mdDoc "Port to listen on, falls back to 8080"; + type = with types; nullOr int; + default = null; + }; + authfile = mkOption { + description = mdDoc "Path to auth.json file"; + type = with types; nullOr path; + default = null; + }; + keepalive = mkOption { + description = mdDoc "Keepalive interval, falls back to 25s"; + type = with types; nullOr str; + default = null; + example = "5s"; + }; + backend = mkOption { + description = mdDoc "HTTP server to proxy normal requests to"; + type = with types; nullOr str; + default = null; + example = "http://127.0.0.1:8888"; + }; + socks5 = mkOption { + description = mdDoc "Allow clients access to internal SOCKS5 proxy"; + type = types.bool; + default = false; + }; + reverse = mkOption { + description = mdDoc "Allow clients reverse port forwarding"; + type = types.bool; + default = false; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.chisel-server = { + description = "Chisel Tunnel Server"; + wantedBy = [ "network-online.target" ]; + + serviceConfig = { + ExecStart = "${pkgs.chisel}/bin/chisel server " + concatStringsSep " " ( + optional (cfg.host != null) "--host ${cfg.host}" + ++ optional (cfg.port != null) "--port ${builtins.toString cfg.port}" + ++ optional (cfg.authfile != null) "--authfile ${cfg.authfile}" + ++ optional (cfg.keepalive != null) "--keepalive ${cfg.keepalive}" + ++ optional (cfg.backend != null) "--backend ${cfg.backend}" + ++ optional cfg.socks5 "--socks5" + ++ optional cfg.reverse "--reverse" + ); + + # Security Hardening + # Refer to systemd.exec(5) for option descriptions. + CapabilityBoundingSet = ""; + + # implies RemoveIPC=, PrivateTmp=, NoNewPrivileges=, RestrictSUIDSGID=, + # ProtectSystem=strict, ProtectHome=read-only + DynamicUser = true; + LockPersonality = true; + PrivateDevices = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectProc = "invisible"; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "~@clock @cpu-emulation @debug @mount @obsolete @reboot @swap @privileged @resources"; + UMask = "0077"; + }; + }; + }; + + meta.maintainers = with maintainers; [ clerie ]; +} diff --git a/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixos/modules/services/networking/dnscrypt-wrapper.nix index 06b7ea24e2d..082e0195093 100644 --- a/nixos/modules/services/networking/dnscrypt-wrapper.nix +++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix @@ -135,7 +135,7 @@ in { }; port = mkOption { - type = types.int; + type = types.port; default = 5353; description = lib.mdDoc '' The DNSCrypt wrapper will listen for DNS queries on this port. @@ -182,7 +182,7 @@ in { }; upstream.port = mkOption { - type = types.int; + type = types.port; default = 53; description = lib.mdDoc '' The port of the upstream DNS server DNSCrypt will "wrap". diff --git a/nixos/modules/services/networking/eternal-terminal.nix b/nixos/modules/services/networking/eternal-terminal.nix index 555307459e3..c6b6b04dcf7 100644 --- a/nixos/modules/services/networking/eternal-terminal.nix +++ b/nixos/modules/services/networking/eternal-terminal.nix @@ -20,7 +20,7 @@ in port = mkOption { default = 2022; - type = types.int; + type = types.port; description = lib.mdDoc '' The port the server should listen on. Will use the server's default (2022) if not specified. diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index 0242a3780ff..27119dcc57c 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -325,7 +325,7 @@ in example = literalExpression "pkgs.iptables-legacy"; description = lib.mdDoc '' - The iptables package to use for running the firewall service." + The iptables package to use for running the firewall service. ''; }; diff --git a/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix b/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix index 326abe8cfce..9dd1f62350a 100644 --- a/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix +++ b/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix @@ -9,7 +9,7 @@ let in { options.services.magic-wormhole-mailbox-server = { - enable = mkEnableOption (lib.mdDoc "Enable Magic Wormhole Mailbox Server"); + enable = mkEnableOption (lib.mdDoc "Magic Wormhole Mailbox Server"); }; config = mkIf cfg.enable { diff --git a/nixos/modules/services/networking/mozillavpn.nix b/nixos/modules/services/networking/mozillavpn.nix index 71cbb047041..cf962879b42 100644 --- a/nixos/modules/services/networking/mozillavpn.nix +++ b/nixos/modules/services/networking/mozillavpn.nix @@ -1,13 +1,8 @@ { config, lib, pkgs, ... }: { - options.services.mozillavpn.enable = lib.mkOption { - type = lib.types.bool; - default = false; - description = lib.mdDoc '' - Enable the Mozilla VPN daemon. - ''; - }; + options.services.mozillavpn.enable = + lib.mkEnableOption (lib.mdDoc "Mozilla VPN daemon"); config = lib.mkIf config.services.mozillavpn.enable { environment.systemPackages = [ pkgs.mozillavpn ]; diff --git a/nixos/modules/services/networking/mullvad-vpn.nix b/nixos/modules/services/networking/mullvad-vpn.nix index 7eb3761aad3..82e68bf92af 100644 --- a/nixos/modules/services/networking/mullvad-vpn.nix +++ b/nixos/modules/services/networking/mullvad-vpn.nix @@ -14,6 +14,15 @@ with lib; ''; }; + enableExcludeWrapper = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + This option activates the wrapper that allows the use of mullvad-exclude. + Might have minor security impact, so consider disabling if you do not use the feature. + ''; + }; + package = mkOption { type = types.package; default = pkgs.mullvad; @@ -27,12 +36,22 @@ with lib; config = mkIf cfg.enable { boot.kernelModules = [ "tun" ]; + environment.systemPackages = [ cfg.package ]; + # mullvad-daemon writes to /etc/iproute2/rt_tables networking.iproute2.enable = true; # See https://github.com/NixOS/nixpkgs/issues/113589 networking.firewall.checkReversePath = "loose"; + # See https://github.com/NixOS/nixpkgs/issues/176603 + security.wrappers.mullvad-exclude = mkIf cfg.enableExcludeWrapper { + setuid = true; + owner = "root"; + group = "root"; + source = "${cfg.package}/bin/mullvad-exclude"; + }; + systemd.services.mullvad-daemon = { description = "Mullvad VPN daemon"; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 0aa301251bb..3b28cec83cb 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -365,7 +365,7 @@ in { If you enable this option the `networkmanager_strongswan` plugin will be added to the {option}`networking.networkmanager.plugins` option - so you don't need to to that yourself. + so you don't need to do that yourself. ''; }; diff --git a/nixos/modules/services/networking/nntp-proxy.nix b/nixos/modules/services/networking/nntp-proxy.nix index 06a8bb8b87d..b887c0e16ef 100644 --- a/nixos/modules/services/networking/nntp-proxy.nix +++ b/nixos/modules/services/networking/nntp-proxy.nix @@ -71,7 +71,7 @@ in }; upstreamPort = mkOption { - type = types.int; + type = types.port; default = 563; description = lib.mdDoc '' Upstream server port @@ -112,7 +112,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 5555; description = lib.mdDoc '' Proxy listen port diff --git a/nixos/modules/services/networking/onedrive.nix b/nixos/modules/services/networking/onedrive.nix index 5a531d7a47f..d782ec05352 100644 --- a/nixos/modules/services/networking/onedrive.nix +++ b/nixos/modules/services/networking/onedrive.nix @@ -26,11 +26,7 @@ in { ### Interface options.services.onedrive = { - enable = lib.mkOption { - type = lib.types.bool; - default = false; - description = lib.mdDoc "Enable OneDrive service"; - }; + enable = lib.mkEnableOption (lib.mdDoc "OneDrive service"); package = lib.mkOption { type = lib.types.package; diff --git a/nixos/modules/services/networking/ostinato.nix b/nixos/modules/services/networking/ostinato.nix index 1e4dcf37f64..40c227ea0c6 100644 --- a/nixos/modules/services/networking/ostinato.nix +++ b/nixos/modules/services/networking/ostinato.nix @@ -29,7 +29,7 @@ in enable = mkEnableOption (lib.mdDoc "Ostinato agent-controller (Drone)"); port = mkOption { - type = types.int; + type = types.port; default = 7878; description = lib.mdDoc '' Port to listen on. diff --git a/nixos/modules/services/networking/owamp.nix b/nixos/modules/services/networking/owamp.nix index e7a5bfea525..32b2dab9e3c 100644 --- a/nixos/modules/services/networking/owamp.nix +++ b/nixos/modules/services/networking/owamp.nix @@ -10,7 +10,7 @@ in ###### interface options = { - services.owamp.enable = mkEnableOption (lib.mdDoc "Enable OWAMP server"); + services.owamp.enable = mkEnableOption (lib.mdDoc "OWAMP server"); }; diff --git a/nixos/modules/services/networking/polipo.nix b/nixos/modules/services/networking/polipo.nix index d820e1b397b..8581553829b 100644 --- a/nixos/modules/services/networking/polipo.nix +++ b/nixos/modules/services/networking/polipo.nix @@ -23,11 +23,7 @@ in services.polipo = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc "Whether to run the polipo caching web proxy."; - }; + enable = mkEnableOption (lib.mdDoc "polipo caching web proxy"); proxyAddress = mkOption { type = types.str; @@ -36,7 +32,7 @@ in }; proxyPort = mkOption { - type = types.int; + type = types.port; default = 8123; description = lib.mdDoc "TCP port on which Polipo will listen."; }; diff --git a/nixos/modules/services/networking/shadowsocks.nix b/nixos/modules/services/networking/shadowsocks.nix index 8eee40711a6..2034dca6f26 100644 --- a/nixos/modules/services/networking/shadowsocks.nix +++ b/nixos/modules/services/networking/shadowsocks.nix @@ -48,7 +48,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 8388; description = lib.mdDoc '' Port which the server uses. diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix index 3a5fb7dfb9e..2e67f8b77c0 100644 --- a/nixos/modules/services/networking/smokeping.nix +++ b/nixos/modules/services/networking/smokeping.nix @@ -49,11 +49,8 @@ in { options = { services.smokeping = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc "Enable the smokeping service"; - }; + enable = mkEnableOption (lib.mdDoc "smokeping service"); + alertConfig = mkOption { type = types.lines; default = '' @@ -186,7 +183,7 @@ in ''; }; port = mkOption { - type = types.int; + type = types.port; default = 8081; description = lib.mdDoc "TCP port to use for the web server."; }; diff --git a/nixos/modules/services/networking/sslh.nix b/nixos/modules/services/networking/sslh.nix index 9d76d69152f..daf2f2f3668 100644 --- a/nixos/modules/services/networking/sslh.nix +++ b/nixos/modules/services/networking/sslh.nix @@ -70,7 +70,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 443; description = lib.mdDoc "Listening port."; }; diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix index ea87e5695f8..adbb25ccb9b 100644 --- a/nixos/modules/services/networking/syncthing.nix +++ b/nixos/modules/services/networking/syncthing.nix @@ -212,10 +212,18 @@ in { }; path = mkOption { - type = types.str; + # TODO for release 23.05: allow relative paths again and set + # working directory to cfg.dataDir + type = types.str // { + check = x: types.str.check x && (substring 0 1 x == "/" || substring 0 2 x == "~/"); + description = types.str.description + " starting with / or ~/"; + }; default = name; description = lib.mdDoc '' The path to the folder which should be shared. + Only absolute paths (starting with `/`) and paths relative to + the [user](#opt-services.syncthing.user)'s home directory + (starting with `~/`) are allowed. ''; }; @@ -405,7 +413,8 @@ in { example = "yourUser"; description = mdDoc '' The user to run Syncthing as. - By default, a user named `${defaultUser}` will be created. + By default, a user named `${defaultUser}` will be created whose home + directory is [dataDir](#opt-services.syncthing.dataDir). ''; }; diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix index eb3afe118c6..26997dd9601 100644 --- a/nixos/modules/services/networking/tailscale.nix +++ b/nixos/modules/services/networking/tailscale.nix @@ -41,7 +41,11 @@ in { }; config = mkIf cfg.enable { - warnings = optional (firewallOn && rpfIsStrict) "Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting `networking.firewall.checkReversePath` = 'loose'"; + warnings = optional (firewallOn && rpfIsStrict) '' + Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting: + + networking.firewall.checkReversePath = "loose"; + ''; environment.systemPackages = [ cfg.package ]; # for the CLI systemd.packages = [ cfg.package ]; systemd.services.tailscaled = { diff --git a/nixos/modules/services/networking/teleport.nix b/nixos/modules/services/networking/teleport.nix index 802907a00dc..6433554f87d 100644 --- a/nixos/modules/services/networking/teleport.nix +++ b/nixos/modules/services/networking/teleport.nix @@ -65,7 +65,7 @@ in }; port = mkOption { - type = int; + type = port; default = 3000; description = lib.mdDoc "Metrics and diagnostics port."; }; diff --git a/nixos/modules/services/networking/tox-bootstrapd.nix b/nixos/modules/services/networking/tox-bootstrapd.nix index e6dc36bf9ec..5c7e7a4c220 100644 --- a/nixos/modules/services/networking/tox-bootstrapd.nix +++ b/nixos/modules/services/networking/tox-bootstrapd.nix @@ -29,7 +29,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 33445; description = lib.mdDoc "Listening port (UDP)."; }; diff --git a/nixos/modules/services/networking/toxvpn.nix b/nixos/modules/services/networking/toxvpn.nix index d0ff5bc4e81..3a14b5f7309 100644 --- a/nixos/modules/services/networking/toxvpn.nix +++ b/nixos/modules/services/networking/toxvpn.nix @@ -14,7 +14,7 @@ with lib; }; port = mkOption { - type = types.int; + type = types.port; default = 33445; description = lib.mdDoc "udp port for toxcore, port-forward to help with connectivity if you run many nodes behind one NAT"; }; diff --git a/nixos/modules/services/networking/xrdp.nix b/nixos/modules/services/networking/xrdp.nix index 554fb66f36e..ed7f1dadd37 100644 --- a/nixos/modules/services/networking/xrdp.nix +++ b/nixos/modules/services/networking/xrdp.nix @@ -54,7 +54,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 3389; description = lib.mdDoc '' Specifies on which port the xrdp daemon listens. diff --git a/nixos/modules/services/networking/zerotierone.nix b/nixos/modules/services/networking/zerotierone.nix index 30f75cd85d4..0d9e25cfc52 100644 --- a/nixos/modules/services/networking/zerotierone.nix +++ b/nixos/modules/services/networking/zerotierone.nix @@ -19,7 +19,7 @@ in options.services.zerotierone.port = mkOption { default = 9993; - type = types.int; + type = types.port; description = lib.mdDoc '' Network port used by ZeroTier. ''; diff --git a/nixos/modules/services/search/solr.nix b/nixos/modules/services/search/solr.nix index 48570412b0c..05592e9fa24 100644 --- a/nixos/modules/services/search/solr.nix +++ b/nixos/modules/services/search/solr.nix @@ -21,7 +21,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 8983; description = lib.mdDoc "Port on which Solr is ran."; }; diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix index 788e06ffecf..55120799c99 100644 --- a/nixos/modules/services/security/kanidm.nix +++ b/nixos/modules/services/security/kanidm.nix @@ -100,6 +100,14 @@ in readOnly = true; type = lib.types.path; }; + tls_chain = lib.mkOption { + description = lib.mdDoc "TLS chain in pem format."; + type = lib.types.path; + }; + tls_key = lib.mkOption { + description = lib.mdDoc "TLS key in pem format."; + type = lib.types.path; + }; log_level = lib.mkOption { description = lib.mdDoc "Log level of the server."; default = "default"; diff --git a/nixos/modules/services/security/opensnitch.nix b/nixos/modules/services/security/opensnitch.nix index 1612b0edf01..8f1407b555f 100644 --- a/nixos/modules/services/security/opensnitch.nix +++ b/nixos/modules/services/security/opensnitch.nix @@ -5,10 +5,47 @@ with lib; let cfg = config.services.opensnitch; format = pkgs.formats.json {}; + + predefinedRules = flip mapAttrs cfg.rules (name: cfg: { + file = pkgs.writeText "rule" (builtins.toJSON cfg); + }); + in { options = { services.opensnitch = { - enable = mkEnableOption (lib.mdDoc "Opensnitch application firewall"); + enable = mkEnableOption (mdDoc "Opensnitch application firewall"); + + rules = mkOption { + default = {}; + example = literalExpression '' + { + "tor" = { + "name" = "tor"; + "enabled" = true; + "action" = "allow"; + "duration" = "always"; + "operator" = { + "type" ="simple"; + "sensitive" = false; + "operand" = "process.path"; + "data" = "''${lib.getBin pkgs.tor}/bin/tor"; + }; + }; + }; + ''; + + description = mdDoc '' + Declarative configuration of firewall rules. + All rules will be stored in `/var/lib/opensnitch/rules`. + See [upstream documentation](https://github.com/evilsocket/opensnitch/wiki/Rules) + for available options. + ''; + + type = types.submodule { + freeformType = format.type; + }; + }; + settings = mkOption { type = types.submodule { freeformType = format.type; @@ -18,7 +55,7 @@ in { Address = mkOption { type = types.str; - description = lib.mdDoc '' + description = mdDoc '' Unix socket path (unix:///tmp/osui.sock, the "unix:///" part is mandatory) or TCP socket (192.168.1.100:50051). ''; @@ -26,7 +63,7 @@ in { LogFile = mkOption { type = types.path; - description = lib.mdDoc '' + description = mdDoc '' File to write logs to (use /dev/stdout to write logs to standard output). ''; @@ -36,7 +73,7 @@ in { DefaultAction = mkOption { type = types.enum [ "allow" "deny" ]; - description = lib.mdDoc '' + description = mdDoc '' Default action whether to block or allow application internet access. ''; @@ -46,28 +83,28 @@ in { type = types.enum [ "once" "always" "until restart" "30s" "5m" "15m" "30m" "1h" ]; - description = lib.mdDoc '' + description = mdDoc '' Default duration of firewall rule. ''; }; InterceptUnknown = mkOption { type = types.bool; - description = lib.mdDoc '' + description = mdDoc '' Wheter to intercept spare connections. ''; }; ProcMonitorMethod = mkOption { type = types.enum [ "ebpf" "proc" "ftrace" "audit" ]; - description = lib.mdDoc '' + description = mdDoc '' Which process monitoring method to use. ''; }; LogLevel = mkOption { type = types.enum [ 0 1 2 3 4 ]; - description = lib.mdDoc '' + description = mdDoc '' Default log level from 0 to 4 (debug, info, important, warning, error). ''; @@ -75,7 +112,7 @@ in { Firewall = mkOption { type = types.enum [ "iptables" "nftables" ]; - description = lib.mdDoc '' + description = mdDoc '' Which firewall backend to use. ''; }; @@ -84,14 +121,14 @@ in { MaxEvents = mkOption { type = types.int; - description = lib.mdDoc '' + description = mdDoc '' Max events to send to the GUI. ''; }; MaxStats = mkOption { type = types.int; - description = lib.mdDoc '' + description = mdDoc '' Max stats per item to keep in backlog. ''; }; @@ -99,9 +136,8 @@ in { }; }; }; - description = lib.mdDoc '' - opensnitchd configuration. Refer to - <https://github.com/evilsocket/opensnitch/wiki/Configurations> + description = mdDoc '' + opensnitchd configuration. Refer to [upstream documentation](https://github.com/evilsocket/opensnitch/wiki/Configurations) for details on supported values. ''; }; @@ -118,6 +154,25 @@ in { services.opensnitchd.wantedBy = [ "multi-user.target" ]; }; + systemd.services.opensnitchd.preStart = mkIf (cfg.rules != {}) (let + rules = flip mapAttrsToList predefinedRules (file: content: { + inherit (content) file; + local = "/var/lib/opensnitch/rules/${file}.json"; + }); + in '' + # Remove all firewall rules from `/var/lib/opensnitch/rules` that are symlinks to a store-path, + # but aren't declared in `cfg.rules` (i.e. all networks that were "removed" from + # `cfg.rules`). + find /var/lib/opensnitch/rules -type l -lname '${builtins.storeDir}/*' ${optionalString (rules != {}) '' + -not \( ${concatMapStringsSep " -o " ({ local, ... }: + "-name '${baseNameOf local}*'") + rules} \) \ + ''} -delete + ${concatMapStrings ({ file, local }: '' + ln -sf '${file}' "${local}" + '') rules} + ''); + environment.etc."opensnitchd/default-config.json".source = format.generate "default-config.json" cfg.settings; }; diff --git a/nixos/modules/services/security/vaultwarden/default.nix b/nixos/modules/services/security/vaultwarden/default.nix index 81423e57fd2..3ef0bfb090a 100644 --- a/nixos/modules/services/security/vaultwarden/default.nix +++ b/nixos/modules/services/security/vaultwarden/default.nix @@ -22,9 +22,9 @@ let # we can only check for values consistently after converting them to their corresponding environment variable name. configEnv = let - configEnv = listToAttrs (concatLists (mapAttrsToList (name: value: - if value != null then [ (nameValuePair (nameToEnvVar name) (if isBool value then boolToString value else toString value)) ] else [] - ) cfg.config)); + configEnv = concatMapAttrs (name: value: optionalAttrs (value != null) { + ${nameToEnvVar name} = if isBool value then boolToString value else toString value; + }) cfg.config; in { DATA_FOLDER = "/var/lib/bitwarden_rs"; } // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") { WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault"; } // configEnv; diff --git a/nixos/modules/services/system/automatic-timezoned.nix b/nixos/modules/services/system/automatic-timezoned.nix new file mode 100644 index 00000000000..9bdd64dd33a --- /dev/null +++ b/nixos/modules/services/system/automatic-timezoned.nix @@ -0,0 +1,92 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.automatic-timezoned; +in +{ + options = { + services.automatic-timezoned = { + enable = mkOption { + type = types.bool; + default = false; + description = mdDoc '' + Enable `automatic-timezoned`, simple daemon for keeping the system + timezone up-to-date based on the current location. It uses geoclue2 to + determine the current location and systemd-timedated to actually set + the timezone. + ''; + }; + package = mkOption { + type = types.package; + default = pkgs.automatic-timezoned; + defaultText = literalExpression "pkgs.automatic-timezoned"; + description = mdDoc '' + Which `automatic-timezoned` package to use. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + security.polkit.extraConfig = '' + polkit.addRule(function(action, subject) { + if (action.id == "org.freedesktop.timedate1.set-timezone" + && subject.user == "automatic-timezoned") { + return polkit.Result.YES; + } + }); + ''; + + services.geoclue2 = { + enable = true; + appConfig.automatic-timezoned = { + isAllowed = true; + isSystem = true; + users = [ (toString config.ids.uids.automatic-timezoned) ]; + }; + }; + + systemd.services = { + + automatic-timezoned = { + description = "Automatically update system timezone based on location"; + requires = [ "automatic-timezoned-geoclue-agent.service" ]; + after = [ "automatic-timezoned-geoclue-agent.service" ]; + serviceConfig = { + Type = "exec"; + User = "automatic-timezoned"; + ExecStart = "${cfg.package}/bin/automatic-timezoned --zoneinfo-path=${pkgs.tzdata}/share/zoneinfo/zone1970.tab"; + }; + wantedBy = [ "default.target" ]; + }; + + automatic-timezoned-geoclue-agent = { + description = "Geoclue agent for automatic-timezoned"; + requires = [ "geoclue.service" ]; + after = [ "geoclue.service" ]; + serviceConfig = { + Type = "exec"; + User = "automatic-timezoned"; + ExecStart = "${pkgs.geoclue2-with-demo-agent}/libexec/geoclue-2.0/demos/agent"; + Restart = "on-failure"; + PrivateTmp = true; + }; + wantedBy = [ "default.target" ]; + }; + + }; + + users = { + users.automatic-timezoned = { + description = "automatic-timezoned"; + uid = config.ids.uids.automatic-timezoned; + group = "automatic-timezoned"; + }; + groups.automatic-timezoned = { + gid = config.ids.gids.automatic-timezoned; + }; + }; + }; +} diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix index c0de00bb914..c677088101f 100644 --- a/nixos/modules/services/system/dbus.nix +++ b/nixos/modules/services/system/dbus.nix @@ -1,8 +1,6 @@ # D-Bus configuration and system bus daemon. -{ config, lib, options, pkgs, ... }: - -with lib; +{ config, lib, pkgs, ... }: let @@ -16,11 +14,11 @@ let serviceDirectories = cfg.packages; }; + inherit (lib) mkOption mkIf mkMerge types; + in { - ###### interface - options = { services.dbus = { @@ -35,6 +33,18 @@ in ''; }; + implementation = mkOption { + type = types.enum [ "dbus" "broker" ]; + default = "dbus"; + description = lib.mdDoc '' + The implementation to use for the message bus defined by the D-Bus specification. + Can be either the classic dbus daemon or dbus-broker, which aims to provide high + performance and reliability, while keeping compatibility to the D-Bus + reference implementation. + ''; + + }; + packages = mkOption { type = types.listOf types.path; default = [ ]; @@ -65,75 +75,117 @@ in ''; default = "disabled"; }; - - socketActivated = mkOption { - type = types.nullOr types.bool; - default = null; - visible = false; - description = lib.mdDoc '' - Removed option, do not use. - ''; - }; }; }; - ###### implementation + config = mkIf cfg.enable (mkMerge [ + { + environment.etc."dbus-1".source = configDir; - config = mkIf cfg.enable { - warnings = optional (cfg.socketActivated != null) ( - let - files = showFiles options.services.dbus.socketActivated.files; - in - "The option 'services.dbus.socketActivated' in ${files} no longer has" - + " any effect and can be safely removed: the user D-Bus session is" - + " now always socket activated." - ); + environment.pathsToLink = [ + "/etc/dbus-1" + "/share/dbus-1" + ]; - environment.systemPackages = [ pkgs.dbus.daemon pkgs.dbus ]; + users.users.messagebus = { + uid = config.ids.uids.messagebus; + description = "D-Bus system message bus daemon user"; + home = homeDir; + group = "messagebus"; + }; - environment.etc."dbus-1".source = configDir; + users.groups.messagebus.gid = config.ids.gids.messagebus; + + # You still need the dbus reference implementation installed to use dbus-broker + systemd.packages = [ + pkgs.dbus + ]; + + services.dbus.packages = [ + pkgs.dbus + config.system.path + ]; + + systemd.user.sockets.dbus.wantedBy = [ + "sockets.target" + ]; + } + + (mkIf (cfg.implementation == "dbus") { + environment.systemPackages = [ + pkgs.dbus + ]; + + security.wrappers.dbus-daemon-launch-helper = { + source = "${pkgs.dbus}/libexec/dbus-daemon-launch-helper"; + owner = "root"; + group = "messagebus"; + setuid = true; + setgid = false; + permissions = "u+rx,g+rx,o-rx"; + }; - users.users.messagebus = { - uid = config.ids.uids.messagebus; - description = "D-Bus system message bus daemon user"; - home = homeDir; - group = "messagebus"; - }; + systemd.services.dbus = { + # Don't restart dbus-daemon. Bad things tend to happen if we do. + reloadIfChanged = true; + restartTriggers = [ + configDir + ]; + environment = { + LD_LIBRARY_PATH = config.system.nssModules.path; + }; + }; - users.groups.messagebus.gid = config.ids.gids.messagebus; + systemd.user.services.dbus = { + # Don't restart dbus-daemon. Bad things tend to happen if we do. + reloadIfChanged = true; + restartTriggers = [ + configDir + ]; + }; - systemd.packages = [ pkgs.dbus.daemon ]; + }) - security.wrappers.dbus-daemon-launch-helper = { - source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper"; - owner = "root"; - group = "messagebus"; - setuid = true; - setgid = false; - permissions = "u+rx,g+rx,o-rx"; - }; + (mkIf (cfg.implementation == "broker") { + environment.systemPackages = [ + pkgs.dbus-broker + ]; - services.dbus.packages = [ - pkgs.dbus.out - config.system.path - ]; + systemd.packages = [ + pkgs.dbus-broker + ]; - systemd.services.dbus = { - # Don't restart dbus-daemon. Bad things tend to happen if we do. - reloadIfChanged = true; - restartTriggers = [ configDir ]; - environment = { LD_LIBRARY_PATH = config.system.nssModules.path; }; - }; + # Just to be sure we don't restart through the unit alias + systemd.services.dbus.reloadIfChanged = true; + systemd.user.services.dbus.reloadIfChanged = true; - systemd.user = { - services.dbus = { - # Don't restart dbus-daemon. Bad things tend to happen if we do. + # NixOS Systemd Module doesn't respect 'Install' + # https://github.com/NixOS/nixpkgs/issues/108643 + systemd.services.dbus-broker = { + aliases = [ + "dbus.service" + ]; + # Don't restart dbus. Bad things tend to happen if we do. reloadIfChanged = true; - restartTriggers = [ configDir ]; + restartTriggers = [ + configDir + ]; + environment = { + LD_LIBRARY_PATH = config.system.nssModules.path; + }; }; - sockets.dbus.wantedBy = [ "sockets.target" ]; - }; - environment.pathsToLink = [ "/etc/dbus-1" "/share/dbus-1" ]; - }; + systemd.user.services.dbus-broker = { + aliases = [ + "dbus.service" + ]; + # Don't restart dbus. Bad things tend to happen if we do. + reloadIfChanged = true; + restartTriggers = [ + configDir + ]; + }; + }) + + ]); } diff --git a/nixos/modules/services/web-apps/alps.nix b/nixos/modules/services/web-apps/alps.nix index b73cb82925d..1a58df2da1d 100644 --- a/nixos/modules/services/web-apps/alps.nix +++ b/nixos/modules/services/web-apps/alps.nix @@ -70,6 +70,23 @@ in { ''; }; }; + + package = mkOption { + internal = true; + type = types.package; + default = pkgs.alps; + }; + + args = mkOption { + internal = true; + type = types.listOf types.str; + default = [ + "-addr" "${cfg.bindIP}:${toString cfg.port}" + "-theme" "${cfg.theme}" + "imaps://${cfg.imaps.host}:${toString cfg.imaps.port}" + "smpts://${cfg.smtps.host}:${toString cfg.smtps.port}" + ]; + }; }; config = mkIf cfg.enable { @@ -80,16 +97,35 @@ in { after = [ "network.target" "network-online.target" ]; serviceConfig = { - ExecStart = '' - ${pkgs.alps}/bin/alps \ - -addr ${cfg.bindIP}:${toString cfg.port} \ - -theme ${cfg.theme} \ - imaps://${cfg.imaps.host}:${toString cfg.imaps.port} \ - smpts://${cfg.smtps.host}:${toString cfg.smtps.port} - ''; - StateDirectory = "alps"; - WorkingDirectory = "/var/lib/alps"; + ExecStart = "${cfg.package}/bin/alps ${escapeShellArgs cfg.args}"; + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; DynamicUser = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateIPC = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SocketBindAllow = cfg.port; + SocketBindDeny = "any"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged @obsolete" ]; }; }; }; diff --git a/nixos/modules/services/web-apps/atlassian/crowd.nix b/nixos/modules/services/web-apps/atlassian/crowd.nix index ac571e18880..c8d1eaef31d 100644 --- a/nixos/modules/services/web-apps/atlassian/crowd.nix +++ b/nixos/modules/services/web-apps/atlassian/crowd.nix @@ -61,7 +61,7 @@ in }; listenPort = mkOption { - type = types.int; + type = types.port; default = 8092; description = lib.mdDoc "Port to listen on."; }; @@ -95,7 +95,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 443; example = 80; description = lib.mdDoc "Port used at the proxy"; diff --git a/nixos/modules/services/web-apps/changedetection-io.nix b/nixos/modules/services/web-apps/changedetection-io.nix index ace4cf1eabc..fc00aee4351 100644 --- a/nixos/modules/services/web-apps/changedetection-io.nix +++ b/nixos/modules/services/web-apps/changedetection-io.nix @@ -138,7 +138,8 @@ in StateDirectory = mkIf defaultStateDir "changedetection-io"; StateDirectoryMode = mkIf defaultStateDir "0750"; WorkingDirectory = cfg.datastorePath; - Environment = lib.optional (cfg.baseURL != null) "BASE_URL=${cfg.baseURL}" + Environment = [ "HIDE_REFERER=true" ] + ++ lib.optional (cfg.baseURL != null) "BASE_URL=${cfg.baseURL}" ++ lib.optional cfg.behindProxy "USE_X_SETTINGS=1" ++ lib.optional cfg.webDriverSupport "WEBDRIVER_URL=http://127.0.0.1:${toString cfg.chromePort}/wd/hub" ++ lib.optional cfg.playwrightSupport "PLAYWRIGHT_DRIVER_URL=ws://127.0.0.1:${toString cfg.chromePort}/?stealth=1&--disable-web-security=true"; diff --git a/nixos/modules/services/web-apps/hedgedoc.nix b/nixos/modules/services/web-apps/hedgedoc.nix index e26dee68615..e51da7ee866 100644 --- a/nixos/modules/services/web-apps/hedgedoc.nix +++ b/nixos/modules/services/web-apps/hedgedoc.nix @@ -999,8 +999,8 @@ in ``` # snippet of HedgeDoc-related config - services.hedgedoc.configuration.dbURL = "postgres://hedgedoc:\''${DB_PASSWORD}@db-host:5432/hedgedocdb"; - services.hedgedoc.configuration.minio.secretKey = "$MINIO_SECRET_KEY"; + services.hedgedoc.settings.dbURL = "postgres://hedgedoc:\''${DB_PASSWORD}@db-host:5432/hedgedocdb"; + services.hedgedoc.settings.minio.secretKey = "$MINIO_SECRET_KEY"; ``` ``` diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix index 521cf778a36..d52190a2864 100644 --- a/nixos/modules/services/web-apps/keycloak.nix +++ b/nixos/modules/services/web-apps/keycloak.nix @@ -482,6 +482,10 @@ in assertion = (cfg.database.useSSL && cfg.database.type == "postgresql") -> (cfg.database.caCert != null); message = "A CA certificate must be specified (in 'services.keycloak.database.caCert') when PostgreSQL is used with SSL"; } + { + assertion = createLocalPostgreSQL -> config.services.postgresql.settings.standard_conforming_strings or true; + message = "Setting up a local PostgreSQL db for Keycloak requires `standard_conforming_strings` turned on to work reliably"; + } ]; environment.systemPackages = [ keycloakBuild ]; @@ -544,7 +548,13 @@ in create_role="$(mktemp)" trap 'rm -f "$create_role"' EXIT + # Read the password from the credentials directory and + # escape any single quotes by adding additional single + # quotes after them, following the rules laid out here: + # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-CONSTANTS db_password="$(<"$CREDENTIALS_DIRECTORY/db_password")" + db_password="''${db_password//\'/\'\'}" + echo "CREATE ROLE keycloak WITH LOGIN PASSWORD '$db_password' CREATEDB" > "$create_role" psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || psql -tA --file="$create_role" psql -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || psql -tAc 'CREATE DATABASE "keycloak" OWNER "keycloak"' @@ -566,8 +576,16 @@ in script = '' set -o errexit -o pipefail -o nounset -o errtrace shopt -s inherit_errexit + + # Read the password from the credentials directory and + # escape any single quotes by adding additional single + # quotes after them, following the rules laid out here: + # https://dev.mysql.com/doc/refman/8.0/en/string-literals.html db_password="$(<"$CREDENTIALS_DIRECTORY/db_password")" - ( echo "CREATE USER IF NOT EXISTS 'keycloak'@'localhost' IDENTIFIED BY '$db_password';" + db_password="''${db_password//\'/\'\'}" + + ( echo "SET sql_mode = 'NO_BACKSLASH_ESCAPES';" + echo "CREATE USER IF NOT EXISTS 'keycloak'@'localhost' IDENTIFIED BY '$db_password';" echo "CREATE DATABASE IF NOT EXISTS keycloak CHARACTER SET utf8 COLLATE utf8_unicode_ci;" echo "GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'localhost';" ) | mysql -N @@ -632,12 +650,17 @@ in ${secretReplacements} + # Escape any backslashes in the db parameters, since + # they're otherwise unexpectedly read as escape + # sequences. + sed -i '/db-/ s|\\|\\\\|g' /run/keycloak/conf/keycloak.conf + '' + optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) '' mkdir -p /run/keycloak/ssl cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/ '' + '' export KEYCLOAK_ADMIN=admin - export KEYCLOAK_ADMIN_PASSWORD=${cfg.initialAdminPassword} + export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword} kc.sh start --optimized ''; }; diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix index 83890e96990..c3220a03d33 100644 --- a/nixos/modules/services/web-apps/mastodon.nix +++ b/nixos/modules/services/web-apps/mastodon.nix @@ -372,17 +372,19 @@ in { }; user = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + example = "mastodon@example.com"; description = lib.mdDoc "SMTP login name."; - type = lib.types.str; }; passwordFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/var/lib/mastodon/secrets/smtp-password"; description = lib.mdDoc '' Path to file containing the SMTP password. ''; - default = "/var/lib/mastodon/secrets/smtp-password"; - example = "/run/keys/mastodon-smtp-password"; - type = lib.types.str; }; }; @@ -467,6 +469,20 @@ in { assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.database.user); message = ''For local automatic database provisioning (services.mastodon.database.createLocally == true) with peer authentication (services.mastodon.database.host == "/run/postgresql") to work services.mastodon.user and services.mastodon.database.user must be identical.''; } + { + assertion = cfg.smtp.authenticate -> (cfg.smtp.user != null); + message = '' + <option>services.mastodon.smtp.user</option> needs to be set if + <option>services.mastodon.smtp.authenticate</option> is enabled. + ''; + } + { + assertion = cfg.smtp.authenticate -> (cfg.smtp.passwordFile != null); + message = '' + <option>services.mastodon.smtp.passwordFile</option> needs to be set if + <option>services.mastodon.smtp.authenticate</option> is enabled. + ''; + } ]; systemd.services.mastodon-init-dirs = { @@ -623,15 +639,15 @@ in { environment = env; serviceConfig = { Type = "oneshot"; - script = let - olderThanDays = toString cfg.mediaAutoRemove.olderThanDays; - in '' - ${cfg.package}/bin/tootctl media remove --days=${olderThanDays} - ${cfg.package}/bin/tootctl preview_cards remove --days=${olderThanDays} - ''; EnvironmentFile = "/var/lib/mastodon/.secrets_env"; - startAt = cfg.mediaAutoRemove.startAt; } // cfgService; + script = let + olderThanDays = toString cfg.mediaAutoRemove.olderThanDays; + in '' + ${cfg.package}/bin/tootctl media remove --days=${olderThanDays} + ${cfg.package}/bin/tootctl preview_cards remove --days=${olderThanDays} + ''; + startAt = cfg.mediaAutoRemove.startAt; }; services.nginx = lib.mkIf cfg.configureNginx { @@ -688,7 +704,7 @@ in { inherit (cfg) group; }; }) - (lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package mastodonEnv ]) + (lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package mastodonEnv pkgs.imagemagick ]) ]; users.groups.${cfg.group}.members = lib.optional cfg.configureNginx config.services.nginx.user; diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 04599884f13..da621573f2a 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -13,7 +13,12 @@ let phpPackage = cfg.phpPackage.buildEnv { extensions = { enabled, all }: (with all; - enabled + # disable default openssl extension + (lib.filter (e: e.pname != "php-openssl") enabled) + # use OpenSSL 1.1 for RC4 Nextcloud encryption if user + # has acknowledged the brokeness of the ciphers (RC4). + # TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed. + ++ (if cfg.enableBrokenCiphersForSSE then [ cfg.phpPackage.extensions.openssl-legacy ] else [ cfg.phpPackage.extensions.openssl ]) ++ optional cfg.enableImagemagick imagick # Optionally enabled depending on caching settings ++ optional cfg.caching.apcu apcu @@ -80,6 +85,40 @@ in { options.services.nextcloud = { enable = mkEnableOption (lib.mdDoc "nextcloud"); + + enableBrokenCiphersForSSE = mkOption { + type = types.bool; + default = versionOlder stateVersion "22.11"; + defaultText = literalExpression "versionOlder system.stateVersion \"22.11\""; + description = lib.mdDoc '' + This option enables using the OpenSSL PHP extension linked against OpenSSL 1.1 + rather than latest OpenSSL (≥ 3), this is not recommended unless you need + it for server-side encryption (SSE). SSE uses the legacy RC4 cipher which is + considered broken for several years now. See also [RFC7465](https://datatracker.ietf.org/doc/html/rfc7465). + + This cipher has been disabled in OpenSSL ≥ 3 and requires + a specific legacy profile to re-enable it. + + If you deploy Nextcloud using OpenSSL ≥ 3 for PHP and have + server-side encryption configured, you will not be able to access + your files anymore. Enabling this option can restore access to your files. + Upon testing we didn't encounter any data corruption when turning + this on and off again, but this cannot be guaranteed for + each Nextcloud installation. + + It is `true` by default for systems with a [](#opt-system.stateVersion) below + `22.11` to make sure that existing installations won't break on update. On newer + NixOS systems you have to explicitly enable it on your own. + + Please note that this only provides additional value when using + external storage such as S3 since it's not an end-to-end encryption. + If this is not the case, + it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) and set this to `false`. + + In the future, Nextcloud may move to AES-256-GCM, by then, + this option will be removed. + ''; + }; hostName = mkOption { type = types.str; description = lib.mdDoc "FQDN for the nextcloud instance."; @@ -649,6 +688,23 @@ in { ++ (optional (versionOlder cfg.package.version "23") (upgradeWarning 22 "22.05")) ++ (optional (versionOlder cfg.package.version "24") (upgradeWarning 23 "22.05")) ++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11")) + ++ (optional cfg.enableBrokenCiphersForSSE '' + You're using PHP's openssl extension built against OpenSSL 1.1 for Nextcloud. + This is only necessary if you're using Nextcloud's server-side encryption. + Please keep in mind that it's using the broken RC4 cipher. + + If you don't use that feature, you can switch to OpenSSL 3 and get + rid of this warning by declaring + + services.nextcloud.enableBrokenCiphersForSSE = false; + + If you need to use server-side encryption you can ignore this waring. + Otherwise you'd have to disable server-side encryption first in order + to be able to safely disable this option and get rid of this warning. + See <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this. + + For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470 + '') ++ (optional isUnsupportedMariadb '' You seem to be using MariaDB at an unsupported version (i.e. at least 10.6)! Please note that this isn't supported officially by Nextcloud. You can either diff --git a/nixos/modules/services/web-apps/nextcloud.xml b/nixos/modules/services/web-apps/nextcloud.xml index a0b69dbd606..ca57692fc16 100644 --- a/nixos/modules/services/web-apps/nextcloud.xml +++ b/nixos/modules/services/web-apps/nextcloud.xml @@ -170,6 +170,20 @@ </listitem> </itemizedlist> </listitem> + <listitem> + <formalpara> + <title>Server-side encryption</title> + <para> + Nextcloud supports <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side encryption (SSE)</link>. + This is not an end-to-end encryption, but can be used to encrypt files that will be persisted + to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3 + for PHP's openssl extension because this is implemented using the legacy cipher RC4. + If <xref linkend="opt-system.stateVersion" /> is <emphasis>above</emphasis> <literal>22.05</literal>, + this is disabled by default. To turn it on again and for further information please refer to + <xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" />. + </para> + </formalpara> + </listitem> </itemizedlist> </section> diff --git a/nixos/modules/services/web-apps/outline.nix b/nixos/modules/services/web-apps/outline.nix index 8a312d79584..701930393f0 100644 --- a/nixos/modules/services/web-apps/outline.nix +++ b/nixos/modules/services/web-apps/outline.nix @@ -6,10 +6,10 @@ let in { # See here for a reference of all the options: - # https://github.com/outline/outline/blob/v0.65.2/.env.sample - # https://github.com/outline/outline/blob/v0.65.2/app.json - # https://github.com/outline/outline/blob/v0.65.2/server/env.ts - # https://github.com/outline/outline/blob/v0.65.2/shared/types.ts + # https://github.com/outline/outline/blob/v0.67.0/.env.sample + # https://github.com/outline/outline/blob/v0.67.0/app.json + # https://github.com/outline/outline/blob/v0.67.0/server/env.ts + # https://github.com/outline/outline/blob/v0.67.0/shared/types.ts # The order is kept the same here to make updating easier. options.services.outline = { enable = lib.mkEnableOption (lib.mdDoc "outline"); @@ -123,7 +123,7 @@ in description = lib.mdDoc '' To support uploading of images for avatars and document attachments an s3-compatible storage must be provided. AWS S3 is recommended for - redundency however if you want to keep all file storage local an + redundancy however if you want to keep all file storage local an alternative such as [minio](https://github.com/minio/minio) can be used. @@ -435,6 +435,16 @@ in ''; }; + sentryTunnel = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = lib.mdDoc '' + Optionally add a + [Sentry proxy tunnel](https://docs.sentry.io/platforms/javascript/troubleshooting/#using-the-tunnel-option) + for bypassing ad blockers in the UI. + ''; + }; + logo = lib.mkOption { type = lib.types.nullOr lib.types.str; default = null; @@ -621,6 +631,7 @@ in DEBUG = cfg.debugOutput; GOOGLE_ANALYTICS_ID = lib.optionalString (cfg.googleAnalyticsId != null) cfg.googleAnalyticsId; SENTRY_DSN = lib.optionalString (cfg.sentryDsn != null) cfg.sentryDsn; + SENTRY_TUNNEL = lib.optionalString (cfg.sentryTunnel != null) cfg.sentryTunnel; TEAM_LOGO = lib.optionalString (cfg.logo != null) cfg.logo; DEFAULT_LANGUAGE = cfg.defaultLanguage; diff --git a/nixos/modules/services/web-apps/peertube.nix b/nixos/modules/services/web-apps/peertube.nix index a42d1a1a932..4dbcb09d2ae 100644 --- a/nixos/modules/services/web-apps/peertube.nix +++ b/nixos/modules/services/web-apps/peertube.nix @@ -67,7 +67,11 @@ let node ~/dist/server/tools/peertube.js $@ ''; - nginxCommonHeaders = '' + nginxCommonHeaders = lib.optionalString cfg.enableWebHttps '' + add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains'; + '' + lib.optionalString config.services.nginx.virtualHosts.${cfg.localDomain}.http3 '' + add_header Alt-Svc 'h3=":443"; ma=86400'; + '' + '' add_header Access-Control-Allow-Origin '*'; add_header Access-Control-Allow-Methods 'GET, OPTIONS'; add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; @@ -75,7 +79,7 @@ let in { options.services.peertube = { - enable = lib.mkEnableOption (lib.mdDoc "Enable Peertube’s service"); + enable = lib.mkEnableOption (lib.mdDoc "Peertube"); user = lib.mkOption { type = lib.types.str; @@ -96,13 +100,13 @@ in { }; listenHttp = lib.mkOption { - type = lib.types.int; + type = lib.types.port; default = 9000; description = lib.mdDoc "listen port for HTTP server."; }; listenWeb = lib.mkOption { - type = lib.types.int; + type = lib.types.port; default = 9000; description = lib.mdDoc "listen port for WEB server."; }; @@ -177,7 +181,7 @@ in { }; port = lib.mkOption { - type = lib.types.int; + type = lib.types.port; default = 5432; description = lib.mdDoc "Database host port."; }; @@ -370,7 +374,7 @@ in { systemd.services.peertube-init-db = lib.mkIf cfg.database.createLocally { description = "Initialization database for PeerTube daemon"; after = [ "network.target" "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; + requires = [ "postgresql.service" ]; script = let psqlSetupCommands = pkgs.writeText "peertube-init.sql" '' @@ -399,7 +403,9 @@ in { systemd.services.peertube = { description = "PeerTube daemon"; after = [ "network.target" ] - ++ lib.optionals cfg.redis.createLocally [ "redis.service" ] + ++ lib.optional cfg.redis.createLocally "redis-peertube.service" + ++ lib.optionals cfg.database.createLocally [ "postgresql.service" "peertube-init-db.service" ]; + requires = lib.optional cfg.redis.createLocally "redis-peertube.service" ++ lib.optionals cfg.database.createLocally [ "postgresql.service" "peertube-init-db.service" ]; wantedBy = [ "multi-user.target" ]; @@ -487,6 +493,10 @@ in { extraConfig = '' client_max_body_size 12G; add_header X-File-Maximum-Size 8G always; + '' + lib.optionalString cfg.enableWebHttps '' + add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains'; + '' + lib.optionalString config.services.nginx.virtualHosts.${cfg.localDomain}.http3 '' + add_header Alt-Svc 'h3=":443"; ma=86400'; ''; }; @@ -497,6 +507,10 @@ in { extraConfig = '' client_max_body_size 6M; add_header X-File-Maximum-Size 4M always; + '' + lib.optionalString cfg.enableWebHttps '' + add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains'; + '' + lib.optionalString config.services.nginx.virtualHosts.${cfg.localDomain}.http3 '' + add_header Alt-Svc 'h3=":443"; ma=86400'; ''; }; @@ -560,6 +574,10 @@ in { priority = 1320; extraConfig = '' add_header Cache-Control 'public, max-age=604800, immutable'; + '' + lib.optionalString cfg.enableWebHttps '' + add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains'; + '' + lib.optionalString config.services.nginx.virtualHosts.${cfg.localDomain}.http3 '' + add_header Alt-Svc 'h3=":443"; ma=86400'; ''; }; @@ -718,6 +736,10 @@ in { rewrite ^/static/webseed/(.*)$ /$1 break; ''; }; + + extraConfig = lib.optionalString cfg.enableWebHttps '' + add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains'; + ''; }; }; diff --git a/nixos/modules/services/web-apps/restya-board.nix b/nixos/modules/services/web-apps/restya-board.nix index 69f9b3ebe5b..4b32f06826e 100644 --- a/nixos/modules/services/web-apps/restya-board.nix +++ b/nixos/modules/services/web-apps/restya-board.nix @@ -69,7 +69,7 @@ in }; listenPort = mkOption { - type = types.int; + type = types.port; default = 3000; description = lib.mdDoc '' Listen port for the virtualhost to use. @@ -132,7 +132,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 25; description = lib.mdDoc '' Port used to connect to SMTP server. diff --git a/nixos/modules/services/web-apps/trilium.nix b/nixos/modules/services/web-apps/trilium.nix index 81ed7ca83bc..a91d64f620b 100644 --- a/nixos/modules/services/web-apps/trilium.nix +++ b/nixos/modules/services/web-apps/trilium.nix @@ -67,7 +67,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 8080; description = lib.mdDoc '' The port number to bind to. diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix index 870e8f4795b..6f494fae4cc 100644 --- a/nixos/modules/services/web-apps/tt-rss.nix +++ b/nixos/modules/services/web-apps/tt-rss.nix @@ -208,7 +208,7 @@ let }; port = mkOption { - type = types.nullOr types.int; + type = types.nullOr types.port; default = null; description = lib.mdDoc '' The database's port. If not set, the default ports will be provided (5432 diff --git a/nixos/modules/services/web-apps/youtrack.nix b/nixos/modules/services/web-apps/youtrack.nix index 0db8a98d1eb..09a2b9e965c 100644 --- a/nixos/modules/services/web-apps/youtrack.nix +++ b/nixos/modules/services/web-apps/youtrack.nix @@ -68,7 +68,7 @@ in The port youtrack will listen on. ''; default = 8080; - type = types.int; + type = types.port; }; statePath = mkOption { diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index 3ccff8aa500..588f5ee4d00 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -18,7 +18,7 @@ let sed -i $out/bin/apachectl -e 's|$HTTPD -t|$HTTPD -t -f /etc/httpd/httpd.conf|' ''; - php = cfg.phpPackage.override { apacheHttpd = pkg; }; + php = cfg.phpPackage.override { apxs2Support = true; apacheHttpd = pkg; }; phpModuleName = let majorVersion = lib.versions.major (lib.getVersion php); @@ -660,6 +660,13 @@ in `services.httpd.virtualHosts.<name>.useACMEHost` are mutually exclusive. ''; } + { + assertion = cfg.enablePHP -> php.ztsSupport; + message = '' + The php package provided by `services.httpd.phpPackage` is not built with zts support. Please + ensure the php has zts support by settings `services.httpd.phpPackage = php.override { ztsSupport = true; }` + ''; + } ] ++ map (name: mkCertOwnershipAssertion { inherit (cfg) group user; cert = config.security.acme.certs.${name}; diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 9cbac370612..85c76ed59d6 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -192,14 +192,22 @@ let server_tokens ${if cfg.serverTokens then "on" else "off"}; + ${optionalString (cfg.proxyCache.enable) '' + proxy_cache_path /var/cache/nginx keys_zone=${cfg.proxyCache.keysZoneName}:${cfg.proxyCache.keysZoneSize} + levels=${cfg.proxyCache.levels} + use_temp_path=${if cfg.proxyCache.useTempPath then "on" else "off"} + inactive=${cfg.proxyCache.inactive} + max_size=${cfg.proxyCache.maxSize}; + ''} + ${cfg.commonHttpConfig} ${vhosts} ${optionalString cfg.statusPage '' server { - listen 80; - ${optionalString enableIPv6 "listen [::]:80;" } + listen ${toString cfg.defaultHTTPListenPort}; + ${optionalString enableIPv6 "listen [::]:${toString cfg.defaultHTTPListenPort};" } server_name localhost; @@ -246,8 +254,8 @@ let if vhost.listen != [] then vhost.listen else let addrs = if vhost.listenAddresses != [] then vhost.listenAddresses else cfg.defaultListenAddresses; - in optionals (hasSSL || vhost.rejectSSL) (map (addr: { inherit addr; port = 443; ssl = true; }) addrs) - ++ optionals (!onlySSL) (map (addr: { inherit addr; port = 80; ssl = false; }) addrs); + in optionals (hasSSL || vhost.rejectSSL) (map (addr: { inherit addr; port = cfg.defaultSSLListenPort; ssl = true; }) addrs) + ++ optionals (!onlySSL) (map (addr: { inherit addr; port = cfg.defaultHTTPListenPort; ssl = false; }) addrs); hostListen = if vhost.forceSSL @@ -449,6 +457,24 @@ in ''; }; + defaultHTTPListenPort = mkOption { + type = types.port; + default = 80; + example = 8080; + description = lib.mdDoc '' + If vhosts do not specify listen.port, use these ports for HTTP by default. + ''; + }; + + defaultSSLListenPort = mkOption { + type = types.port; + default = 443; + example = 8443; + description = lib.mdDoc '' + If vhosts do not specify listen.port, use these ports for SSL by default. + ''; + }; + package = mkOption { default = pkgs.nginxStable; defaultText = literalExpression "pkgs.nginxStable"; @@ -689,6 +715,72 @@ in ''; }; + proxyCache = mkOption { + type = types.submodule { + options = { + enable = mkEnableOption (lib.mdDoc "Enable proxy cache"); + + keysZoneName = mkOption { + type = types.str; + default = "cache"; + example = "my_cache"; + description = lib.mdDoc "Set name to shared memory zone."; + }; + + keysZoneSize = mkOption { + type = types.str; + default = "10m"; + example = "32m"; + description = lib.mdDoc "Set size to shared memory zone."; + }; + + levels = mkOption { + type = types.str; + default = "1:2"; + example = "1:2:2"; + description = lib.mdDoc '' + The levels parameter defines structure of subdirectories in cache: from + 1 to 3, each level accepts values 1 or 2. Сan be used any combination of + 1 and 2 in these formats: x, x:x and x:x:x. + ''; + }; + + useTempPath = mkOption { + type = types.bool; + default = false; + example = true; + description = lib.mdDoc '' + Nginx first writes files that are destined for the cache to a temporary + storage area, and the use_temp_path=off directive instructs Nginx to + write them to the same directories where they will be cached. Recommended + that you set this parameter to off to avoid unnecessary copying of data + between file systems. + ''; + }; + + inactive = mkOption { + type = types.str; + default = "10m"; + example = "1d"; + description = lib.mdDoc '' + Cached data that has not been accessed for the time specified by + the inactive parameter is removed from the cache, regardless of + its freshness. + ''; + }; + + maxSize = mkOption { + type = types.str; + default = "1g"; + example = "2048m"; + description = lib.mdDoc "Set maximum cache size"; + }; + }; + }; + default = {}; + description = lib.mdDoc "Configure proxy cache"; + }; + resolver = mkOption { type = types.submodule { options = { diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index ccf8804943a..e3d4afc074c 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -88,7 +88,7 @@ with lib; type = types.nullOr types.str; default = "/var/lib/acme/acme-challenge"; description = lib.mdDoc '' - Directory for the acme challenge which is PUBLIC, don't put certs or keys in here. + Directory for the ACME challenge, which is **public**. Don't put certs or keys in here. Set to null to inherit from config.security.acme. ''; }; @@ -97,8 +97,12 @@ with lib; type = types.nullOr types.str; default = null; description = lib.mdDoc '' - Host which to proxy requests to if acme challenge is not found. Useful + Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name. + + With this option, you could request certificates for the present domain + with an ACME client that is running on another host, which you would + specify here. ''; }; diff --git a/nixos/modules/services/x11/clight.nix b/nixos/modules/services/x11/clight.nix index 8a17b7e801e..0f66e191fe2 100644 --- a/nixos/modules/services/x11/clight.nix +++ b/nixos/modules/services/x11/clight.nix @@ -28,13 +28,7 @@ let cfg.settings)); in { options.services.clight = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to enable clight or not. - ''; - }; + enable = mkEnableOption (lib.mdDoc "clight"); temperature = { day = mkOption { diff --git a/nixos/modules/services/x11/desktop-managers/cinnamon.nix b/nixos/modules/services/x11/desktop-managers/cinnamon.nix index 3d79a3b8513..2c59ee410d5 100644 --- a/nixos/modules/services/x11/desktop-managers/cinnamon.nix +++ b/nixos/modules/services/x11/desktop-managers/cinnamon.nix @@ -12,6 +12,7 @@ let extraGSettingsOverrides = cfg.extraGSettingsOverrides; }; + notExcluded = pkg: (!(lib.elem pkg config.environment.cinnamon.excludePackages)); in { @@ -65,10 +66,14 @@ in enable = mkDefault true; # Taken from mint-artwork.gschema.override - theme.name = mkDefault "Mint-X"; - theme.package = mkDefault pkgs.cinnamon.mint-themes; - iconTheme.name = mkDefault "Mint-X-Dark"; - iconTheme.package = mkDefault pkgs.cinnamon.mint-x-icons; + theme = mkIf (notExcluded pkgs.cinnamon.mint-themes) { + name = mkDefault "Mint-X"; + package = mkDefault pkgs.cinnamon.mint-themes; + }; + iconTheme = mkIf (notExcluded pkgs.cinnamon.mint-x-icons) { + name = mkDefault "Mint-X-Dark"; + package = mkDefault pkgs.cinnamon.mint-x-icons; + }; }; services.xserver.displayManager.sessionCommands = '' if test "$XDG_CURRENT_DESKTOP" = "Cinnamon"; then @@ -123,11 +128,8 @@ in cinnamon-screensaver = {}; }; - environment.systemPackages = with pkgs.cinnamon // pkgs; [ + environment.systemPackages = with pkgs.cinnamon // pkgs; ([ desktop-file-utils - nixos-artwork.wallpapers.simple-dark-gray - onboard - sound-theme-freedesktop # common-files cinnamon-common @@ -152,24 +154,32 @@ in cinnamon-control-center cinnamon-settings-daemon libgnomekbd - orca # theme gnome.adwaita-icon-theme - hicolor-icon-theme gnome.gnome-themes-extra gtk3.out + + # other + glib # for gsettings + xdg-user-dirs + ] ++ utils.removePackagesByName [ + # accessibility + onboard + orca + + # theme + sound-theme-freedesktop + nixos-artwork.wallpapers.simple-dark-gray mint-artwork mint-themes mint-x-icons mint-y-icons vanilla-dmz + ] config.environment.cinnamon.excludePackages); - # other - glib # for gsettings - shared-mime-info # for update-mime-database - xdg-user-dirs - ]; + xdg.mime.enable = true; + xdg.icons.enable = true; # Override GSettings schemas environment.sessionVariables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-overrides}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas"; @@ -183,7 +193,7 @@ in programs.bash.vteIntegration = mkDefault true; programs.zsh.vteIntegration = mkDefault true; - # Harmonize Qt5 applications under Pantheon + # Harmonize Qt5 applications under Cinnamon qt5.enable = true; qt5.platformTheme = "gnome"; qt5.style = "adwaita"; diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index 44faa19bc22..a6ab3053087 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -590,9 +590,9 @@ in }; }; kwinrc = { - Windows = { - # Forces windows to be maximized - Placement = lib.mkDefault "Maximizing"; + "Wayland" = { + "InputMethod[$e]" = "/run/current-system/sw/share/applications/com.github.maliit.keyboard.desktop"; + "VirtualKeyboardEnabled" = "true"; }; "org.kde.kdecoration2" = { # No decorations (title bar) diff --git a/nixos/modules/services/x11/picom.nix b/nixos/modules/services/x11/picom.nix index d42cf1d7412..4a0578de09c 100644 --- a/nixos/modules/services/x11/picom.nix +++ b/nixos/modules/services/x11/picom.nix @@ -47,6 +47,9 @@ in { since picom v6 and was subsequently removed by upstream. See https://github.com/yshui/picom/commit/bcbc410 '') + (mkRemovedOptionModule [ "services" "picom" "experimentalBackends" ] '' + This option was removed by upstream since picom v10. + '') ]; options.services.picom = { @@ -58,14 +61,6 @@ in { ''; }; - experimentalBackends = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to use the unstable new reimplementation of the backends. - ''; - }; - fade = mkOption { type = types.bool; default = false; @@ -204,10 +199,10 @@ in { }; backend = mkOption { - type = types.enum [ "glx" "xrender" "xr_glx_hybrid" ]; + type = types.enum [ "egl" "glx" "xrender" "xr_glx_hybrid" ]; default = "xrender"; description = lib.mdDoc '' - Backend to use: `glx`, `xrender` or `xr_glx_hybrid`. + Backend to use: `egl`, `glx`, `xrender` or `xr_glx_hybrid`. ''; }; @@ -306,8 +301,7 @@ in { }; serviceConfig = { - ExecStart = "${pkgs.picom}/bin/picom --config ${configFile}" - + (optionalString cfg.experimentalBackends " --experimental-backends"); + ExecStart = "${pkgs.picom}/bin/picom --config ${configFile}"; RestartSec = 3; Restart = "always"; }; diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix index 2ff9acd3e2d..55ff98db538 100644 --- a/nixos/modules/system/activation/top-level.nix +++ b/nixos/modules/system/activation/top-level.nix @@ -14,7 +14,7 @@ let # Containers don't have their own kernel or initrd. They boot # directly into stage 2. - ${optionalString (!config.boot.isContainer) '' + ${optionalString config.boot.kernel.enable '' if [ ! -f ${kernelPath} ]; then echo "The bootloader cannot find the proper kernel image." echo "(Expecting ${kernelPath})" diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix index 256aa608ac4..673655f20ee 100644 --- a/nixos/modules/system/boot/initrd-ssh.nix +++ b/nixos/modules/system/boot/initrd-ssh.nix @@ -25,7 +25,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 22; description = lib.mdDoc '' Port on which SSH initrd service should listen. diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix index 8a1630f7e3e..6783f8ec62f 100644 --- a/nixos/modules/system/boot/kernel.nix +++ b/nixos/modules/system/boot/kernel.nix @@ -20,6 +20,9 @@ in ###### interface options = { + boot.kernel.enable = mkEnableOption (lib.mdDoc "the Linux kernel. This is useful for systemd-like containers which do not require a kernel.") // { + default = true; + }; boot.kernel.features = mkOption { default = {}; @@ -258,7 +261,7 @@ in ]; }) - (mkIf (!config.boot.isContainer) { + (mkIf config.boot.kernel.enable { system.build = { inherit kernel; }; system.modulesTree = [ kernel ] ++ config.boot.extraModulePackages; diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix index a9d43d027e0..8cb7c7b8e47 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix @@ -57,6 +57,12 @@ let --disallow-untyped-defs \ $out ''; + + finalSystemdBootBuilder = pkgs.writeScript "install-systemd-boot.sh" '' + #!${pkgs.runtimeShell} + ${checkedSystemdBootBuilder} "$@" + ${cfg.extraInstallCommands} + ''; in { imports = @@ -99,6 +105,22 @@ in { ''; }; + extraInstallCommands = mkOption { + default = ""; + example = '' + default_cfg=$(cat /boot/loader/loader.conf | grep default | awk '{print $2}') + init_value=$(cat /boot/loader/entries/$default_cfg | grep init= | awk '{print $2}') + sed -i "s|@INIT@|$init_value|g" /boot/custom/config_with_placeholder.conf + ''; + type = types.lines; + description = lib.mdDoc '' + Additional shell commands inserted in the bootloader installer + script after generating menu entries. It can be used to expand + on extra boot entries that cannot incorporate certain pieces of + information (such as the resulting `init=` kernel parameter). + ''; + }; + consoleMode = mkOption { default = "keep"; @@ -277,7 +299,7 @@ in { ]; system = { - build.installBootLoader = checkedSystemdBootBuilder; + build.installBootLoader = finalSystemdBootBuilder; boot.loader.id = "systemd-boot"; diff --git a/nixos/modules/system/boot/modprobe.nix b/nixos/modules/system/boot/modprobe.nix index c8ab3b0d8e4..54bb7ea9ddd 100644 --- a/nixos/modules/system/boot/modprobe.nix +++ b/nixos/modules/system/boot/modprobe.nix @@ -7,6 +7,9 @@ with lib; ###### interface options = { + boot.modprobeConfig.enable = mkEnableOption (lib.mdDoc "modprobe config. This is useful for systemds like containers which do not require a kernel.") // { + default = true; + }; boot.blacklistedKernelModules = mkOption { type = types.listOf types.str; @@ -38,7 +41,7 @@ with lib; ###### implementation - config = mkIf (!config.boot.isContainer) { + config = mkIf config.boot.modprobeConfig.enable { environment.etc."modprobe.d/ubuntu.conf".source = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf"; diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh index 994aa0e33cb..4596c160a95 100644 --- a/nixos/modules/system/boot/stage-1-init.sh +++ b/nixos/modules/system/boot/stage-1-init.sh @@ -342,6 +342,14 @@ checkFS() { return 0 } +escapeFstab() { + local original="$1" + + # Replace space + local escaped="${original// /\\040}" + # Replace tab + echo "${escaped//$'\t'/\\011}" +} # Function for mounting a file system. mountFS() { @@ -569,7 +577,7 @@ while read -u 3 mountPoint; do continue fi - mountFS "$device" "$mountPoint" "$options" "$fsType" + mountFS "$device" "$(escapeFstab "$mountPoint")" "$(escapeFstab "$options")" "$fsType" done exec 3>&- diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index d28e6ed0e27..8f1086c9c53 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -558,7 +558,8 @@ in # Environment of PID 1 systemd.managerEnvironment = { # Doesn't contain systemd itself - everything works so it seems to use the compiled-in value for its tools - PATH = lib.makeBinPath config.system.fsPackages; + # util-linux is needed for the main fsck utility wrapping the fs-specific ones + PATH = lib.makeBinPath (config.system.fsPackages ++ [cfg.package.util-linux]); LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive"; TZDIR = "/etc/zoneinfo"; # If SYSTEMD_UNIT_PATH ends with an empty component (":"), the usual unit load path will be appended to the contents of the variable diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index 399ea9eabe0..a093baea6a6 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -33,7 +33,7 @@ let mountPoint = mkOption { example = "/mnt/usb"; type = nonEmptyWithoutTrailingSlash; - description = lib.mdDoc "Location of the mounted the file system."; + description = lib.mdDoc "Location of the mounted file system."; }; device = mkOption { @@ -167,7 +167,7 @@ let else throw "No device specified for mount point ‘${fs.mountPoint}’.") + " " + escape (rootPrefix + fs.mountPoint) + " " + fs.fsType - + " " + builtins.concatStringsSep "," (fs.options ++ (extraOpts fs)) + + " " + escape (builtins.concatStringsSep "," (fs.options ++ (extraOpts fs))) + " " + (optionalString (!excludeChecks) ("0 " + (if skipCheck fs then "0" else if fs.mountPoint == "/" then "1" else "2"))) + "\n" diff --git a/nixos/modules/tasks/filesystems/ext.nix b/nixos/modules/tasks/filesystems/ext.nix index 9b61f21643a..edc0efc5521 100644 --- a/nixos/modules/tasks/filesystems/ext.nix +++ b/nixos/modules/tasks/filesystems/ext.nix @@ -3,13 +3,14 @@ let inInitrd = lib.any (fs: fs == "ext2" || fs == "ext3" || fs == "ext4") config.boot.initrd.supportedFilesystems; + inSystem = lib.any (fs: fs == "ext2" || fs == "ext3" || fs == "ext4") config.boot.supportedFilesystems; in { config = { - system.fsPackages = lib.mkIf (config.boot.initrd.systemd.enable -> inInitrd) [ pkgs.e2fsprogs ]; + system.fsPackages = lib.mkIf (config.boot.initrd.systemd.enable -> (inInitrd || inSystem)) [ pkgs.e2fsprogs ]; # As of kernel 4.3, there is no separate ext3 driver (they're also handled by ext4.ko) boot.initrd.availableKernelModules = lib.mkIf (config.boot.initrd.systemd.enable -> inInitrd) [ "ext2" "ext4" ]; diff --git a/nixos/modules/tasks/lvm.nix b/nixos/modules/tasks/lvm.nix index 760133fafa2..a14f26c02e4 100644 --- a/nixos/modules/tasks/lvm.nix +++ b/nixos/modules/tasks/lvm.nix @@ -5,6 +5,10 @@ let cfg = config.services.lvm; in { options.services.lvm = { + enable = mkEnableOption (lib.mdDoc "lvm2") // { + default = true; + }; + package = mkOption { type = types.package; default = pkgs.lvm2; @@ -30,7 +34,7 @@ in { # minimal configuration file to make lvmconfig/lvm2-activation-generator happy environment.etc."lvm/lvm.conf".text = "config {}"; }) - (mkIf (!config.boot.isContainer) { + (mkIf cfg.enable { systemd.tmpfiles.packages = [ cfg.package.out ]; environment.systemPackages = [ cfg.package ]; systemd.packages = [ cfg.package ]; diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix index 12fe6fa4447..9751f5755f9 100644 --- a/nixos/modules/virtualisation/amazon-image.nix +++ b/nixos/modules/virtualisation/amazon-image.nix @@ -10,11 +10,6 @@ with lib; let cfg = config.ec2; - metadataFetcher = import ./ec2-metadata-fetcher.nix { - inherit (pkgs) curl; - targetRoot = "$targetRoot/"; - wgetExtraOptions = "-q"; - }; in { @@ -31,18 +26,12 @@ in config = { assertions = [ - { assertion = cfg.hvm; - message = "Paravirtualized EC2 instances are no longer supported."; - } - { assertion = cfg.efi -> cfg.hvm; - message = "EC2 instances using EFI must be HVM instances."; - } { assertion = versionOlder config.boot.kernelPackages.kernel.version "5.17"; message = "ENA driver fails to build with kernel >= 5.17"; } ]; - boot.growPartition = cfg.hvm; + boot.growPartition = true; fileSystems."/" = mkIf (!cfg.zfs.enable) { device = "/dev/disk/by-label/nixos"; @@ -64,9 +53,9 @@ in boot.extraModulePackages = [ config.boot.kernelPackages.ena ]; - boot.initrd.kernelModules = [ "xen-blkfront" "xen-netfront" ]; - boot.initrd.availableKernelModules = [ "ixgbevf" "ena" "nvme" ]; - boot.kernelParams = mkIf cfg.hvm [ "console=ttyS0,115200n8" "random.trust_cpu=on" ]; + boot.initrd.kernelModules = [ "xen-blkfront" ]; + boot.initrd.availableKernelModules = [ "nvme" ]; + boot.kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ]; # Prevent the nouveau kernel module from being loaded, as it # interferes with the nvidia/nvidia-uvm modules needed for CUDA. @@ -74,10 +63,7 @@ in # boot. boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ]; - # Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd. - boot.loader.grub.version = if cfg.hvm then 2 else 1; - boot.loader.grub.device = if (cfg.hvm && !cfg.efi) then "/dev/xvda" else "nodev"; - boot.loader.grub.extraPerEntryConfig = mkIf (!cfg.hvm) "root (hd0)"; + boot.loader.grub.device = if cfg.efi then "nodev" else "/dev/xvda"; boot.loader.grub.efiSupport = cfg.efi; boot.loader.grub.efiInstallAsRemovable = cfg.efi; boot.loader.timeout = 1; @@ -87,67 +73,14 @@ in terminal_input console serial ''; - boot.initrd.network.enable = true; - - # Mount all formatted ephemeral disks and activate all swap devices. - # We cannot do this with the ‘fileSystems’ and ‘swapDevices’ options - # because the set of devices is dependent on the instance type - # (e.g. "m1.small" has one ephemeral filesystem and one swap device, - # while "m1.large" has two ephemeral filesystems and no swap - # devices). Also, put /tmp and /var on /disk0, since it has a lot - # more space than the root device. Similarly, "move" /nix to /disk0 - # by layering a unionfs-fuse mount on top of it so we have a lot more space for - # Nix operations. - boot.initrd.postMountCommands = - '' - ${metadataFetcher} - - diskNr=0 - diskForUnionfs= - for device in /dev/xvd[abcde]*; do - if [ "$device" = /dev/xvda -o "$device" = /dev/xvda1 ]; then continue; fi - fsType=$(blkid -o value -s TYPE "$device" || true) - if [ "$fsType" = swap ]; then - echo "activating swap device $device..." - swapon "$device" || true - elif [ "$fsType" = ext3 ]; then - mp="/disk$diskNr" - diskNr=$((diskNr + 1)) - if mountFS "$device" "$mp" "" ext3; then - if [ -z "$diskForUnionfs" ]; then diskForUnionfs="$mp"; fi - fi - else - echo "skipping unknown device type $device" - fi - done - - if [ -n "$diskForUnionfs" ]; then - mkdir -m 755 -p $targetRoot/$diskForUnionfs/root - - mkdir -m 1777 -p $targetRoot/$diskForUnionfs/root/tmp $targetRoot/tmp - mount --bind $targetRoot/$diskForUnionfs/root/tmp $targetRoot/tmp - - if [ "$(cat "$metaDir/ami-manifest-path")" != "(unknown)" ]; then - mkdir -m 755 -p $targetRoot/$diskForUnionfs/root/var $targetRoot/var - mount --bind $targetRoot/$diskForUnionfs/root/var $targetRoot/var - - mkdir -p /unionfs-chroot/ro-nix - mount --rbind $targetRoot/nix /unionfs-chroot/ro-nix - - mkdir -m 755 -p $targetRoot/$diskForUnionfs/root/nix - mkdir -p /unionfs-chroot/rw-nix - mount --rbind $targetRoot/$diskForUnionfs/root/nix /unionfs-chroot/rw-nix - - unionfs -o allow_other,cow,nonempty,chroot=/unionfs-chroot,max_files=32768 /rw-nix=RW:/ro-nix=RO $targetRoot/nix - fi - fi - ''; - - boot.initrd.extraUtilsCommands = - '' - # We need swapon in the initrd. - copy_bin_and_libs ${pkgs.util-linux}/sbin/swapon - ''; + systemd.services.fetch-ec2-metadata = { + wantedBy = [ "multi-user.target" ]; + after = ["network-online.target"]; + path = [ pkgs.curl ]; + script = builtins.readFile ./ec2-metadata-fetcher.sh; + serviceConfig.Type = "oneshot"; + serviceConfig.StandardOutput = "journal+console"; + }; # Allow root logins only using the SSH key that the user specified # at instance creation time. @@ -166,8 +99,6 @@ in # Always include cryptsetup so that Charon can use it. environment.systemPackages = [ pkgs.cryptsetup ]; - boot.initrd.supportedFilesystems = [ "unionfs-fuse" ]; - # EC2 has its own NTP server provided by the hypervisor networking.timeServers = [ "169.254.169.123" ]; diff --git a/nixos/modules/virtualisation/amazon-options.nix b/nixos/modules/virtualisation/amazon-options.nix index 227f3e433c1..915bbf9763d 100644 --- a/nixos/modules/virtualisation/amazon-options.nix +++ b/nixos/modules/virtualisation/amazon-options.nix @@ -2,6 +2,9 @@ let inherit (lib) literalExpression types; in { + imports = [ + (lib.mkRemovedOptionModule [ "ec2" "hvm" ] "Only HVM instances are supported, so specifying it is no longer necessary.") + ]; options = { ec2 = { zfs = { @@ -41,13 +44,6 @@ in { }); }; }; - hvm = lib.mkOption { - default = lib.versionAtLeast config.system.stateVersion "17.03"; - internal = true; - description = lib.mdDoc '' - Whether the EC2 instance is a HVM instance. - ''; - }; efi = lib.mkOption { default = pkgs.stdenv.hostPlatform.isAarch64; defaultText = literalExpression "pkgs.stdenv.hostPlatform.isAarch64"; diff --git a/nixos/modules/virtualisation/container-config.nix b/nixos/modules/virtualisation/container-config.nix index a7f5044fb9c..2460ec45e3f 100644 --- a/nixos/modules/virtualisation/container-config.nix +++ b/nixos/modules/virtualisation/container-config.nix @@ -7,6 +7,13 @@ with lib; config = mkIf config.boot.isContainer { # Disable some features that are not useful in a container. + + # containers don't have a kernel + boot.kernel.enable = false; + boot.modprobeConfig.enable = false; + + console.enable = mkDefault false; + nix.optimise.automatic = mkDefault false; # the store is host managed powerManagement.enable = mkDefault false; documentation.nixos.enable = mkDefault false; @@ -19,6 +26,9 @@ with lib; # containers do not need to setup devices services.udev.enable = false; + # containers normally do not need to manage logical volumes + services.lvm.enable = lib.mkDefault false; + # Shut up warnings about not having a boot loader. system.build.installBootLoader = lib.mkDefault "${pkgs.coreutils}/bin/true"; diff --git a/nixos/modules/virtualisation/ec2-data.nix b/nixos/modules/virtualisation/ec2-data.nix index 1b764e7e4d8..0cc6d9938e2 100644 --- a/nixos/modules/virtualisation/ec2-data.nix +++ b/nixos/modules/virtualisation/ec2-data.nix @@ -18,6 +18,7 @@ with lib; wantedBy = [ "multi-user.target" "sshd.service" ]; before = [ "sshd.service" ]; + after = ["fetch-ec2-metadata.service"]; path = [ pkgs.iproute2 ]; diff --git a/nixos/modules/virtualisation/ec2-metadata-fetcher.nix b/nixos/modules/virtualisation/ec2-metadata-fetcher.nix deleted file mode 100644 index 760f024f33f..00000000000 --- a/nixos/modules/virtualisation/ec2-metadata-fetcher.nix +++ /dev/null @@ -1,77 +0,0 @@ -{ curl, targetRoot, wgetExtraOptions }: -# Note: be very cautious about dependencies, each dependency grows -# the closure of the initrd. Ideally we would not even require curl, -# but there is no reasonable way to send an HTTP PUT request without -# it. Note: do not be fooled: the wget referenced in this script -# is busybox's wget, not the fully featured one with --method support. -# -# Make sure that every package you depend on here is already listed as -# a channel blocker for both the full-sized and small channels. -# Otherwise, we risk breaking user deploys in released channels. -# -# Also note: OpenStack's metadata service for its instances aims to be -# compatible with the EC2 IMDS. Where possible, try to keep the set of -# fetched metadata in sync with ./openstack-metadata-fetcher.nix . -'' - metaDir=${targetRoot}etc/ec2-metadata - mkdir -m 0755 -p "$metaDir" - rm -f "$metaDir/*" - - get_imds_token() { - # retry-delay of 1 selected to give the system a second to get going, - # but not add a lot to the bootup time - ${curl}/bin/curl \ - -v \ - --retry 3 \ - --retry-delay 1 \ - --fail \ - -X PUT \ - --connect-timeout 1 \ - -H "X-aws-ec2-metadata-token-ttl-seconds: 600" \ - http://169.254.169.254/latest/api/token - } - - preflight_imds_token() { - # retry-delay of 1 selected to give the system a second to get going, - # but not add a lot to the bootup time - ${curl}/bin/curl \ - -v \ - --retry 3 \ - --retry-delay 1 \ - --fail \ - --connect-timeout 1 \ - -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \ - http://169.254.169.254/1.0/meta-data/instance-id - } - - try=1 - while [ $try -le 3 ]; do - echo "(attempt $try/3) getting an EC2 instance metadata service v2 token..." - IMDS_TOKEN=$(get_imds_token) && break - try=$((try + 1)) - sleep 1 - done - - if [ "x$IMDS_TOKEN" == "x" ]; then - echo "failed to fetch an IMDS2v token." - fi - - try=1 - while [ $try -le 10 ]; do - echo "(attempt $try/10) validating the EC2 instance metadata service v2 token..." - preflight_imds_token && break - try=$((try + 1)) - sleep 1 - done - - echo "getting EC2 instance metadata..." - - wget_imds() { - wget ${wgetExtraOptions} --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" "$@"; - } - - wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path - (umask 077 && wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data) - wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname - wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key -'' diff --git a/nixos/modules/virtualisation/ec2-metadata-fetcher.sh b/nixos/modules/virtualisation/ec2-metadata-fetcher.sh new file mode 100644 index 00000000000..9e204d45dbd --- /dev/null +++ b/nixos/modules/virtualisation/ec2-metadata-fetcher.sh @@ -0,0 +1,67 @@ +metaDir=/etc/ec2-metadata +mkdir -m 0755 -p "$metaDir" +rm -f "$metaDir/*" + +get_imds_token() { + # retry-delay of 1 selected to give the system a second to get going, + # but not add a lot to the bootup time + curl \ + --silent \ + --show-error \ + --retry 3 \ + --retry-delay 1 \ + --fail \ + -X PUT \ + --connect-timeout 1 \ + -H "X-aws-ec2-metadata-token-ttl-seconds: 600" \ + http://169.254.169.254/latest/api/token +} + +preflight_imds_token() { + # retry-delay of 1 selected to give the system a second to get going, + # but not add a lot to the bootup time + curl \ + --silent \ + --show-error \ + --retry 3 \ + --retry-delay 1 \ + --fail \ + --connect-timeout 1 \ + -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \ + -o /dev/null \ + http://169.254.169.254/1.0/meta-data/instance-id +} + +try=1 +while [ $try -le 3 ]; do + echo "(attempt $try/3) getting an EC2 instance metadata service v2 token..." + IMDS_TOKEN=$(get_imds_token) && break + try=$((try + 1)) + sleep 1 +done + +if [ "x$IMDS_TOKEN" == "x" ]; then + echo "failed to fetch an IMDS2v token." +fi + +try=1 +while [ $try -le 10 ]; do + echo "(attempt $try/10) validating the EC2 instance metadata service v2 token..." + preflight_imds_token && break + try=$((try + 1)) + sleep 1 +done + +echo "getting EC2 instance metadata..." + +get_imds() { + # Intentionally no --fail here, so that we proceed even if e.g. a + # 404 was returned (but we still fail if we can't reach the IMDS + # server). + curl --silent --show-error --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" "$@" +} + +get_imds -o "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path +(umask 077 && get_imds -o "$metaDir/user-data" http://169.254.169.254/1.0/user-data) +get_imds -o "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname +get_imds -o "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index be6ebb3eacc..3b30bc8c416 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -336,6 +336,7 @@ in }; systemd.services.libvirtd = { + wantedBy = [ "multi-user.target" ]; requires = [ "libvirtd-config.service" ]; after = [ "libvirtd-config.service" ] ++ optional vswitch.enable "ovs-vswitchd.service"; diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix index 02414b7d60e..e1e640c4474 100644 --- a/nixos/modules/virtualisation/nixos-containers.nix +++ b/nixos/modules/virtualisation/nixos-containers.nix @@ -9,6 +9,10 @@ let configurationDirectory = "/etc/${configurationDirectoryName}"; stateDirectory = "/var/lib/${configurationPrefix}containers"; + nixos-container = pkgs.nixos-container.override { + inherit stateDirectory configurationDirectory; + }; + # The container's init script, a small wrapper around the regular # NixOS stage-2 init script. containerInit = (cfg: @@ -250,7 +254,7 @@ let ExecReload = pkgs.writeScript "reload-container" '' #! ${pkgs.runtimeShell} -e - ${pkgs.nixos-container}/bin/nixos-container run "$INSTANCE" -- \ + ${nixos-container}/bin/nixos-container run "$INSTANCE" -- \ bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test" ''; @@ -868,9 +872,7 @@ in ''; environment.systemPackages = [ - (pkgs.nixos-container.override { - inherit stateDirectory configurationDirectory; - }) + nixos-container ]; boot.kernelModules = [ diff --git a/nixos/modules/virtualisation/proxmox-image.nix b/nixos/modules/virtualisation/proxmox-image.nix index 4fca8ce9e7e..42c52c12edf 100644 --- a/nixos/modules/virtualisation/proxmox-image.nix +++ b/nixos/modules/virtualisation/proxmox-image.nix @@ -53,6 +53,13 @@ with lib; Guest memory in MB ''; }; + bios = mkOption { + type = types.enum [ "seabios" "ovmf" ]; + default = "seabios"; + description = '' + Select BIOS implementation (seabios = Legacy BIOS, ovmf = UEFI). + ''; + }; # optional configs name = mkOption { @@ -99,6 +106,17 @@ with lib; Additional options appended to qemu-server.conf ''; }; + partitionTableType = mkOption { + type = types.enum [ "efi" "hybrid" "legacy" "legacy+gpt" ]; + description = '' + Partition table type to use. See make-disk-image.nix partitionTableType for details. + Defaults to 'legacy' for 'proxmox.qemuConf.bios="seabios"' (default), other bios values defaults to 'efi'. + Use 'hybrid' to build grub-based hybrid bios+efi images. + ''; + default = if config.proxmox.qemuConf.bios == "seabios" then "legacy" else "efi"; + defaultText = lib.literalExpression ''if config.proxmox.qemuConf.bios == "seabios" then "legacy" else "efi"''; + example = "hybrid"; + }; filenameSuffix = mkOption { type = types.str; default = config.proxmox.qemuConf.name; @@ -122,9 +140,33 @@ with lib; ${lib.concatStrings (lib.mapAttrsToList cfgLine properties)} #qmdump#map:virtio0:drive-virtio0:local-lvm:raw: ''; + inherit (cfg) partitionTableType; + supportEfi = partitionTableType == "efi" || partitionTableType == "hybrid"; + supportBios = partitionTableType == "legacy" || partitionTableType == "hybrid" || partitionTableType == "legacy+gpt"; + hasBootPartition = partitionTableType == "efi" || partitionTableType == "hybrid"; + hasNoFsPartition = partitionTableType == "hybrid" || partitionTableType == "legacy+gpt"; in { + assertions = [ + { + assertion = config.boot.loader.systemd-boot.enable -> config.proxmox.qemuConf.bios == "ovmf"; + message = "systemd-boot requires 'ovmf' bios"; + } + { + assertion = partitionTableType == "efi" -> config.proxmox.qemuConf.bios == "ovmf"; + message = "'efi' disk partitioning requires 'ovmf' bios"; + } + { + assertion = partitionTableType == "legacy" -> config.proxmox.qemuConf.bios == "seabios"; + message = "'legacy' disk partitioning requires 'seabios' bios"; + } + { + assertion = partitionTableType == "legacy+gpt" -> config.proxmox.qemuConf.bios == "seabios"; + message = "'legacy+gpt' disk partitioning requires 'seabios' bios"; + } + ]; system.build.VMA = import ../../lib/make-disk-image.nix { name = "proxmox-${cfg.filenameSuffix}"; + inherit partitionTableType; postVM = let # Build qemu with PVE's patch that adds support for the VMA format vma = (pkgs.qemu_kvm.override { @@ -181,7 +223,18 @@ with lib; boot = { growPartition = true; kernelParams = [ "console=ttyS0" ]; - loader.grub.device = lib.mkDefault "/dev/vda"; + loader.grub = { + device = lib.mkDefault (if (hasNoFsPartition || supportBios) then + # Even if there is a separate no-fs partition ("/dev/disk/by-partlabel/no-fs" i.e. "/dev/vda2"), + # which will be used the bootloader, do not set it as loader.grub.device. + # GRUB installation fails, unless the whole disk is selected. + "/dev/vda" + else + "nodev"); + efiSupport = lib.mkDefault supportEfi; + efiInstallAsRemovable = lib.mkDefault supportEfi; + }; + loader.timeout = 0; initrd.availableKernelModules = [ "uas" "virtio_blk" "virtio_pci" ]; }; @@ -191,6 +244,10 @@ with lib; autoResize = true; fsType = "ext4"; }; + fileSystems."/boot" = lib.mkIf hasBootPartition { + device = "/dev/disk/by-label/ESP"; + fsType = "vfat"; + }; services.qemuGuest.enable = lib.mkDefault true; }; diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index bd7b452735f..337b5192776 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -77,6 +77,7 @@ in rec { (onFullSupported "nixos.tests.i3wm") (onSystems ["x86_64-linux"] "nixos.tests.installer.btrfsSimple") (onSystems ["x86_64-linux"] "nixos.tests.installer.btrfsSubvolDefault") + (onSystems ["x86_64-linux"] "nixos.tests.installer.btrfsSubvolEscape") (onSystems ["x86_64-linux"] "nixos.tests.installer.btrfsSubvols") (onSystems ["x86_64-linux"] "nixos.tests.installer.luksroot") (onSystems ["x86_64-linux"] "nixos.tests.installer.lvm") diff --git a/nixos/tests/adguardhome.nix b/nixos/tests/adguardhome.nix index 5be69e22e53..ec1cc1e497b 100644 --- a/nixos/tests/adguardhome.nix +++ b/nixos/tests/adguardhome.nix @@ -2,6 +2,15 @@ name = "adguardhome"; nodes = { + nullConf = { ... }: { services.adguardhome = { enable = true; }; }; + + emptyConf = { lib, ... }: { + services.adguardhome = { + enable = true; + settings = {}; + }; + }; + declarativeConf = { ... }: { services.adguardhome = { enable = true; @@ -34,6 +43,13 @@ }; testScript = '' + with subtest("Minimal (settings = null) config test"): + nullConf.wait_for_unit("adguardhome.service") + + with subtest("Default config test"): + emptyConf.wait_for_unit("adguardhome.service") + emptyConf.wait_for_open_port(3000) + with subtest("Declarative config test, DNS will be reachable"): declarativeConf.wait_for_unit("adguardhome.service") declarativeConf.wait_for_open_port(53) diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index c7aa9ed78ba..726884d7cd9 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -74,6 +74,7 @@ in { agda = handleTest ./agda.nix {}; airsonic = handleTest ./airsonic.nix {}; allTerminfo = handleTest ./all-terminfo.nix {}; + alps = handleTest ./alps.nix {}; amazon-init-shell = handleTest ./amazon-init-shell.nix {}; apfs = handleTest ./apfs.nix {}; apparmor = handleTest ./apparmor.nix {}; @@ -179,6 +180,7 @@ in { ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {}; ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {}; ecryptfs = handleTest ./ecryptfs.nix {}; + fscrypt = handleTest ./fscrypt.nix {}; ejabberd = handleTest ./xmpp/ejabberd.nix {}; elk = handleTestOn ["x86_64-linux"] ./elk.nix {}; emacs-daemon = handleTest ./emacs-daemon.nix {}; @@ -196,6 +198,7 @@ in { etebase-server = handleTest ./etebase-server.nix {}; etesync-dav = handleTest ./etesync-dav.nix {}; extra-python-packages = handleTest ./extra-python-packages.nix {}; + evcc = handleTest ./evcc.nix {}; fancontrol = handleTest ./fancontrol.nix {}; fcitx = handleTest ./fcitx {}; fenics = handleTest ./fenics.nix {}; @@ -250,8 +253,8 @@ in { haproxy = handleTest ./haproxy.nix {}; hardened = handleTest ./hardened.nix {}; healthchecks = handleTest ./web-apps/healthchecks.nix {}; - hbase1 = handleTest ./hbase.nix { package=pkgs.hbase1; }; hbase2 = handleTest ./hbase.nix { package=pkgs.hbase2; }; + hbase_2_4 = handleTest ./hbase.nix { package=pkgs.hbase_2_4; }; hbase3 = handleTest ./hbase.nix { package=pkgs.hbase3; }; hedgedoc = handleTest ./hedgedoc.nix {}; herbstluftwm = handleTest ./herbstluftwm.nix {}; @@ -477,7 +480,7 @@ in { pam-u2f = handleTest ./pam/pam-u2f.nix {}; pam-ussh = handleTest ./pam/pam-ussh.nix {}; pass-secret-service = handleTest ./pass-secret-service.nix {}; - patroni = handleTest ./patroni.nix {}; + patroni = handleTestOn ["x86_64-linux"] ./patroni.nix {}; pantalaimon = handleTest ./matrix/pantalaimon.nix {}; pantheon = handleTest ./pantheon.nix {}; paperless = handleTest ./paperless.nix {}; @@ -489,9 +492,11 @@ in { pgadmin4-standalone = handleTest ./pgadmin4-standalone.nix {}; pgjwt = handleTest ./pgjwt.nix {}; pgmanage = handleTest ./pgmanage.nix {}; + phosh = handleTest ./phosh.nix {}; php = handleTest ./php {}; php80 = handleTest ./php { php = pkgs.php80; }; php81 = handleTest ./php { php = pkgs.php81; }; + php82 = handleTest ./php { php = pkgs.php82; }; phylactery = handleTest ./web-apps/phylactery.nix {}; pict-rs = handleTest ./pict-rs.nix {}; pinnwand = handleTest ./pinnwand.nix {}; @@ -581,6 +586,7 @@ in { sourcehut = handleTest ./sourcehut.nix {}; spacecookie = handleTest ./spacecookie.nix {}; spark = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./spark {}; + sqlite3-to-mysql = handleTest ./sqlite3-to-mysql.nix {}; sslh = handleTest ./sslh.nix {}; sssd = handleTestOn ["x86_64-linux"] ./sssd.nix {}; sssd-ldap = handleTestOn ["x86_64-linux"] ./sssd-ldap.nix {}; @@ -684,6 +690,7 @@ in { virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {}; vscodium = discoverTests (import ./vscodium.nix); vsftpd = handleTest ./vsftpd.nix {}; + warzone2100 = handleTest ./warzone2100.nix {}; wasabibackend = handleTest ./wasabibackend.nix {}; wiki-js = handleTest ./wiki-js.nix {}; wine = handleTest ./wine.nix {}; diff --git a/nixos/tests/alps.nix b/nixos/tests/alps.nix new file mode 100644 index 00000000000..3c30be1c188 --- /dev/null +++ b/nixos/tests/alps.nix @@ -0,0 +1,105 @@ +let + certs = import ./common/acme/server/snakeoil-certs.nix; + domain = certs.domain; +in +import ./make-test-python.nix ({ pkgs, ... }: { + name = "alps"; + + nodes = { + server = { + imports = [ ./common/user-account.nix ]; + security.pki.certificateFiles = [ + certs.ca.cert + ]; + networking.extraHosts = '' + 127.0.0.1 ${domain} + ''; + networking.firewall.allowedTCPPorts = [ 25 465 993 ]; + services.postfix = { + enable = true; + enableSubmission = true; + enableSubmissions = true; + tlsTrustedAuthorities = "${certs.ca.cert}"; + sslCert = "${certs.${domain}.cert}"; + sslKey = "${certs.${domain}.key}"; + }; + services.dovecot2 = { + enable = true; + enableImap = true; + sslCACert = "${certs.ca.cert}"; + sslServerCert = "${certs.${domain}.cert}"; + sslServerKey = "${certs.${domain}.key}"; + }; + }; + + client = { nodes, config, ... }: { + security.pki.certificateFiles = [ + certs.ca.cert + ]; + networking.extraHosts = '' + ${nodes.server.config.networking.primaryIPAddress} ${domain} + ''; + services.alps = { + enable = true; + theme = "alps"; + imaps = { + host = domain; + port = 993; + }; + smtps = { + host = domain; + port = 465; + }; + }; + environment.systemPackages = [ + (pkgs.writers.writePython3Bin "test-alps-login" { } '' + from urllib.request import build_opener, HTTPCookieProcessor, Request + from urllib.parse import urlencode, urljoin + from http.cookiejar import CookieJar + + baseurl = "http://localhost:${toString config.services.alps.port}" + username = "alice" + password = "${nodes.server.config.users.users.alice.password}" + cookiejar = CookieJar() + cookieprocessor = HTTPCookieProcessor(cookiejar) + opener = build_opener(cookieprocessor) + + data = urlencode({"username": username, "password": password}).encode() + req = Request(urljoin(baseurl, "login"), data=data, method="POST") + with opener.open(req) as ret: + # Check that the alps_session cookie is set + print(cookiejar) + assert any(cookie.name == "alps_session" for cookie in cookiejar) + + req = Request(baseurl) + with opener.open(req) as ret: + # Check that the alps_session cookie is still there... + print(cookiejar) + assert any(cookie.name == "alps_session" for cookie in cookiejar) + # ...and that we have not been redirected back to the login page + print(ret.url) + assert ret.url == urljoin(baseurl, "mailbox/INBOX") + + req = Request(urljoin(baseurl, "logout")) + with opener.open(req) as ret: + # Check that the alps_session cookie is now gone + print(cookiejar) + assert all(cookie.name != "alps_session" for cookie in cookiejar) + '') + ]; + }; + }; + + testScript = { nodes, ... }: '' + server.start() + server.wait_for_unit("postfix.service") + server.wait_for_unit("dovecot2.service") + server.wait_for_open_port(465) + server.wait_for_open_port(993) + + client.start() + client.wait_for_unit("alps.service") + client.wait_for_open_port(${toString nodes.client.config.services.alps.port}) + client.succeed("test-alps-login") + ''; +}) diff --git a/nixos/tests/common/acme/server/acme.test.cert.pem b/nixos/tests/common/acme/server/acme.test.cert.pem index 76b0d916a81..48f488ab8f9 100644 --- a/nixos/tests/common/acme/server/acme.test.cert.pem +++ b/nixos/tests/common/acme/server/acme.test.cert.pem @@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDLDCCAhSgAwIBAgIIRDAN3FHH//IwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE -AxMVbWluaWNhIHJvb3QgY2EgNzg3NDZmMB4XDTIwMTAyMTEzMjgzNloXDTIyMTEy -MDEzMjgzNlowFDESMBAGA1UEAxMJYWNtZS50ZXN0MIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEAo8XjMVUaljcaqQ5MFhfPuQgSwdyXEUbpSHz+5yPkE0h9 -Z4Xu5BJF1Oq7h5ggCtadVsIspiY6Jm6aWDOjlh4myzW5UNBNUG3OPEk50vmmHFeH -pImHO/d8yb33QoF9VRcTZs4tuJYg7l9bSs4jNG72vYvv2YiGAcmjJcsmAZIfniCN -Xf/LjIm+Cxykn+Vo3UuzO1w5/iuofdgWO/aZxMezmXUivlL3ih4cNzCJei8WlB/l -EnHrkcy3ogRmmynP5zcz7vmGIJX2ji6dhCa4Got5B7eZK76o2QglhQXqPatG0AOY -H+RfQfzKemqPG5om9MgJtwFtTOU1LoaiBw//jXKESQIDAQABo3YwdDAOBgNVHQ8B +MIIDLDCCAhSgAwIBAgIIajCXIUnozqQwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE +AxMVbWluaWNhIHJvb3QgY2EgMjMwYjU4MB4XDTIyMTEyMTE3MTcxMFoXDTQyMTEy +MTE3MTcxMFowFDESMBAGA1UEAxMJYWNtZS50ZXN0MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEA5INxJwKDVYNfTnkXwvKM/SufBNjvxWZxlkaMFbkAN5wJ +6HwuesRZE9IgfRO9N+rSq1U2lDBm9gFPERqsQJVZHHJ5kkaNUr89h25+wgX5emGy +UV2KEpCFssDD4aSBF+b0sryguCa1ZRj9b+pdfRxiYaORjSh5UzlXZoRm9iwHdzHT +oKLlmqozqzEt0o9qpZL8gv+rv8C5BGOY6hfXAHYmkWRt87FN5BkSjgEWiY++DOAU +X0TdobdSTrs/xJP+IbadRchqTH2kiG0g2BoCSXUsl7Mdh4IOUeQGDz/F5tH8PAtz +p3dyjdQEFex2J5tlScLfVHoCBKV3gpCg+Keuum2j8QIDAQABo3YwdDAOBgNVHQ8B Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB -/wQCMAAwHwYDVR0jBBgwFoAU+8IZlLV/Qp5CXqpXMLvtxWlxcJwwFAYDVR0RBA0w -C4IJYWNtZS50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQB0pe8I5/VDkB5VMgQB2GJV -GKzyigfWbVez9uLmqMj9PPP/zzYKSYeq+91aMuOZrnH7NqBxSTwanULkmqAmhbJJ -YkXw+FlFekf9FyxcuArzwzzNZDSGcjcdXpN8S2K1qkBd00iSJF9kU7pdZYCIKR20 -QirdBrELEfsJ3GU62a6N3a2YsrisZUvq5TbjGJDcytAtt+WG3gmV7RInLdFfPwbw -bEHPCnx0uiV0nxLjd/aVT+RceVrFQVt4hR99jLoMlBitSKluZ1ljsrpIyroBhQT0 -pp/pVi6HJdijG0fsPrC325NEGAwcpotLUhczoeM/rffKJd54wLhDkfYxOyRZXivs +/wQCMAAwHwYDVR0jBBgwFoAUvTCE3Lj/P6OWkmOGtsjcTcIDzkAwFAYDVR0RBA0w +C4IJYWNtZS50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQAvZM4Ik1NOXQfbPRgbolyL +b3afsSHbhHl9B2f0HGi5EAPdwyeWZsK3BF+SKFGAW5BlXr2SSlW/MQOMiUKTadnS +8xTOFc1Ws8JWWc82zQqWcOWEXhU+AI8p70sTVFeXPWwLFy3nBRwDH4ZPU8UFHeje +YXqbfxrsdEFXrbCfWSzPQP24xqVt7n9Am/5XFGtDkRsYlVgLwq/F6lN9hO0/gYIx +8NsZ8Xy+QvBlGL+z9Zo7EylB8bP9OBtOtEv9fZcnxgughieiTDs36GwdQRE2aI+d +cG3lQX8NGxgcpDoH8+rNx7Uw7odg0gVbI3agyyvax6DPht+/bzXmHm8ogklGTOoG -----END CERTIFICATE----- diff --git a/nixos/tests/common/acme/server/acme.test.key.pem b/nixos/tests/common/acme/server/acme.test.key.pem index 741df99a372..4837f19b302 100644 --- a/nixos/tests/common/acme/server/acme.test.key.pem +++ b/nixos/tests/common/acme/server/acme.test.key.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAo8XjMVUaljcaqQ5MFhfPuQgSwdyXEUbpSHz+5yPkE0h9Z4Xu -5BJF1Oq7h5ggCtadVsIspiY6Jm6aWDOjlh4myzW5UNBNUG3OPEk50vmmHFeHpImH -O/d8yb33QoF9VRcTZs4tuJYg7l9bSs4jNG72vYvv2YiGAcmjJcsmAZIfniCNXf/L -jIm+Cxykn+Vo3UuzO1w5/iuofdgWO/aZxMezmXUivlL3ih4cNzCJei8WlB/lEnHr -kcy3ogRmmynP5zcz7vmGIJX2ji6dhCa4Got5B7eZK76o2QglhQXqPatG0AOYH+Rf -QfzKemqPG5om9MgJtwFtTOU1LoaiBw//jXKESQIDAQABAoIBADox/2FwVFo8ioS4 -R+Ex5OZjMAcjU6sX/516jTmlT05q2+UFerYgqB/YqXqtW/V9/brulN8VhmRRuRbO -grq9TBu5o3hMDK0f18EkZB/MBnLbx594H033y6gEkPBZAyhRYtuNOEH3VwxdZhtW -1Lu1EoiYSUqLcNMBy6+KWJ8GRaXyacMYBlj2lMHmyzkA/t1+2mwTGC3lT6zN0F5Y -E5umXOxsn6Tb6q3KM9O5IvtmMMKpgj4HIHZLZ6j40nNgHwGRaAv4Sha/vx0DeBw3 -6VlNiTTPdShEkhESlM5/ocqTfI92VHJpM5gkqTYOWBi2aKIPfAopXoqoJdWl4pQ/ -NCFIu2ECgYEAzntNKIcQtf0ewe0/POo07SIFirvz6jVtYNMTzeQfL6CoEjYArJeu -Vzc4wEQfA4ZFVerBb1/O6M449gI3zex1PH4AX0h8q8DSjrppK1Jt2TnpVh97k7Gg -Tnat/M/yW3lWYkcMVJJ3AYurXLFTT1dYP0HvBwZN04yInrEcPNXKfmcCgYEAywyJ -51d4AE94PrANathKqSI/gk8sP+L1gzylZCcUEAiGk/1r45iYB4HN2gvWbS+CvSdp -F7ShlDWrTaNh2Bm1dgTjc4pWb4J+CPy/KN2sgLwIuM4+ZWIZmEDcio6khrM/gNqK -aR7xUsvWsqU26O84woY/xR8IHjSNF7cFWE1H2c8CgYEAt6SSi2kVQ8dMg84uYE8t -o3qO00U3OycpkOQqyQQLeKC62veMwfRl6swCfX4Y11mkcTXJtPTRYd2Ia8StPUkB -PDwUuKoPt/JXUvoYb59wc7M+BIsbrdBdc2u6cw+/zfutCNuH6/AYSBeg4WAVaIuW -wSwzG1xP+8cR+5IqOzEqWCECgYATweeVTCyQEyuHJghYMi2poXx+iIesu7/aAkex -pB/Oo5W8xrb90XZRnK7UHbzCqRHWqAQQ23Gxgztk9ZXqui2vCzC6qGZauV7cLwPG -zTMg36sVmHP314DYEM+k59ZYiQ6P0jQPoIQo407D2VGrfsOOIhQIcUmP7tsfyJ5L -hlGMfwKBgGq4VNnnuX8I5kl03NpaKfG+M8jEHmVwtI9RkPTCCX9bMjeG0cDxqPTF -TRkf3r8UWQTZ5QfAfAXYAOlZvmGhHjSembRbXMrMdi3rGsYRSrQL6n5NHnORUaMy -FCWo4gyAnniry7tx9dVNgmHmbjEHuQnf8AC1r3dibRCjvJWUiQ8H +MIIEpQIBAAKCAQEA5INxJwKDVYNfTnkXwvKM/SufBNjvxWZxlkaMFbkAN5wJ6Hwu +esRZE9IgfRO9N+rSq1U2lDBm9gFPERqsQJVZHHJ5kkaNUr89h25+wgX5emGyUV2K +EpCFssDD4aSBF+b0sryguCa1ZRj9b+pdfRxiYaORjSh5UzlXZoRm9iwHdzHToKLl +mqozqzEt0o9qpZL8gv+rv8C5BGOY6hfXAHYmkWRt87FN5BkSjgEWiY++DOAUX0Td +obdSTrs/xJP+IbadRchqTH2kiG0g2BoCSXUsl7Mdh4IOUeQGDz/F5tH8PAtzp3dy +jdQEFex2J5tlScLfVHoCBKV3gpCg+Keuum2j8QIDAQABAoIBAHfnUHQ7qVYxfMzc +VU+BneEqBmKwwf8+ZdOIaPDtBeQoCDrpDip05Ji15T48IUk5+hjUubLAQwZKYYaE +DGZG918p4giS5IzKtCpgHDsKj4FbyglPn6dmFgFZjG7VtrcoBLXUrDB0fzHxDuqu +eyeuwSCihzkeR6sXp3iveKcrKy+rA31aqWvJZb24qyAu1y8KIcf2ZMUiYcJF2kpL +XZz4uyx4x/B9NE+PmLqo7x/9iS+p5aT2kWVCVUGmhII0ChFnWSnjxqecBMhWFY1O +3U0lKhloj6UKBya91hGospEJdaLHpHCWUgYPvA5mG+48kqYkPkecmTf8Xha3TxPf +g1qv3sECgYEA+hMO1qTlnqhBajCMcAGIlpRHwr97hQMdSylHBXob1xCnuTEJKHOo +7UmQw9hJgD4JgYxcivg/OFErXdefbSae9NqSNdOshxmrxz6DFTN3Ms3WR1I1be3c +B2mpGllMPbxJ3CKFet2CQSvOM9jfbK68R7Jlhiap0bESvWrT9ztUCWUCgYEA6e2Y +iMNNo1dWushSMVvCkWR9CLAsnWnjFG4FYIPz/iuxJjRXDiWyR6x4WYjUx3ZBhpf5 +wVFUK7VaPJBfOn7KCan59dqOvL3LSB/5SupwRMecCEhYPQvSaxn4MNrx0Vi83O4C +togyD9/UJ4ji+TXwMj2eMzwRspmO/26hXkQGzZ0CgYEA0qlLTrYKWOUUdgf/xjsE +fRTcfsofm6VMAAz9rzd2TG3TXMZaGKGWJI5cTR7ejBG2oFNFgiwt1ZtLFPqXarOm +JE4b7QwrwoN1mZqngiygtUOAxwQRzlEZkYUI1xFykG8VKURLfX0sRQpJ4pNHY56v +LRazP5dCZ0rrpnVfql1oJaECgYEAxtvT728XcOOuNtpUBOGcZTynjds2EhsRjyx4 +JbQGlutNjMyxtLUW+RcEuBg5ydYdne1Tw6L/iqiALTwNuAxQdCaq9vT0oj41sPp9 +UdI53j5Rxji5yitilOlesylsqCpnYuhyJflhlV0RXQpg6LmRlyQKeEN4R/uCNGI3 +i4sIvYECgYEA4DC2qObfB0UkN81uGluwwM5rR04qvIc5xX3QIvHuIJOs/uP54daD +OiEDTxTpiqDNsFL0Pyl07aL7jubHNqU/eQpQIEZRlDy4Mr31QSbQ9R2/NNBwHu22 +BnnNKzZ97T0NVgxJXOqcOlRGjwb/5OUDpaIClJY+GqilEdOeu7Pl3aA= -----END RSA PRIVATE KEY----- diff --git a/nixos/tests/common/acme/server/ca.cert.pem b/nixos/tests/common/acme/server/ca.cert.pem index 5c33e879b67..b6f2b9e3a91 100644 --- a/nixos/tests/common/acme/server/ca.cert.pem +++ b/nixos/tests/common/acme/server/ca.cert.pem @@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDSzCCAjOgAwIBAgIIeHRvRrNvbGQwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE -AxMVbWluaWNhIHJvb3QgY2EgNzg3NDZmMCAXDTIwMTAyMTEzMjgzNloYDzIxMjAx -MDIxMTMyODM2WjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSA3ODc0NmYwggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrNTzVLDJOKtGYGLU98EEcLKps -tXHCLC6G54LKbEcU80fn+ArX8qsPSHyhdXQkcYjq6Vh/EDJ1TctyRSnvAjwyG4Aa -1Zy1QFc/JnjMjvzimCkUc9lQ+wkLwHSM/KGwR1cGjmtQ/EMClZTA0NwulJsXMKVz -bd5asXbq/yJTQ5Ww25HtdNjwRQXTvB7r3IKcY+DsED9CvFvC9oG/ZhtZqZuyyRdC -kFUrrv8WNUDkWSN+lMR6xMx8v0583IN6f11IhX0b+svK98G81B2eswBdkzvVyv9M -unZBO0JuJG8sdM502KhWLmzBC1ZbvgUBF9BumDRpMFH4DCj7+qQ2taWeGyc7AgMB +MIIDSzCCAjOgAwIBAgIIIwtYp+WlBbswDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE +AxMVbWluaWNhIHJvb3QgY2EgMjMwYjU4MCAXDTIyMTEyMTE3MTcxMFoYDzIxMjIx +MTIxMTcxNzEwWjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSAyMzBiNTgwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvqAoAyV8igrmBnU6T1nQDfkkQ +HjQp+ANCthNCi4kGPOoTxrYrUMWa6d/aSIv5hKO2A+r2GdTeM1RvSo6GUr3GmsJc +WUMbIsJ0SJSLQEyvmFPpzfV3NdfIt6vZRiqJbLt7yuDiZil33GdQEKYywJxIsCb2 +CSd55V1cZSiLItWEIURAhHhSxHabMRmIF/xZWxKFEDeagzXOxUBPAvIwzzqQroBv +3vZhfgcAjCyS0crJ/E2Wa6GLKfFvaXGEj/KlXftwpbvFtnNBtmtJcNy9a8LJoOcA +E+ZjD21hidnCc+Yag7LaR3ZtAVkpeRJ9rRNBkVP4rv2mq2skIkgDfY/F8smPAgMB AAGjgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr -BgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBT7whmUtX9CnkJe -qlcwu+3FaXFwnDAfBgNVHSMEGDAWgBT7whmUtX9CnkJeqlcwu+3FaXFwnDANBgkq -hkiG9w0BAQsFAAOCAQEARMe1wKmF33GjEoLLw0oDDS4EdAv26BzCwtrlljsEtwQN -95oSzUNd6o4Js7WCG2o543OX6cxzM+yju8TES3+vJKDgsbNMU0bWCv//tdrb0/G8 -OkU3Kfi5q4fOauZ1pqGv/pXdfYhZ5ieB/zwis3ykANe5JfB0XqwCb1Vd0C3UCIS2 -NPKngRwNSzphIsbzfvxGDkdM1enuGl5CVyDhrwTMqGaJGDSOv6U5jKFxKRvigqTN -Ls9lPmT5NXYETduWLBR3yUIdH6kZXrcozZ02B9vjOB2Cv4RMDc+9eM30CLIWpf1I -097e7JkhzxFhfC/bMMt3P1FeQc+fwH91wdBmNi7tQw== +BgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBS9MITcuP8/o5aS +Y4a2yNxNwgPOQDAfBgNVHSMEGDAWgBS9MITcuP8/o5aSY4a2yNxNwgPOQDANBgkq +hkiG9w0BAQsFAAOCAQEADCcgaxrI/pqjkYb0c3QHwfKCNz4khSWs/9tBpBfdxdUX +uvG7rZzVW7pkzML+m4tSo2wm9sHRAgG+dIpzbSoRTouMntWlvYEnrr1SCw4NyBo1 +cwmNUz4JL+E3dnpI4FSOpyFyO87qL9ep0dxQEADWSppyCA762wfFpY+FvT6b/he8 +eDEc/Umjfm+X0tqNWx3aVoeyIJT46AeElry2IRLAk7z/vEPGFFzgd2Jh6Qsdeagk +YkU0tFl9q9BotPYGlCMtVjmzbJtxh4uM9YCgiz1THzFjrUvfaTM8VjuBxbpoCZkS +85mNhFZvNq8/cgYc0kYZOg8+jRdy87xmTRp64LBd6w== -----END CERTIFICATE----- diff --git a/nixos/tests/common/acme/server/ca.key.pem b/nixos/tests/common/acme/server/ca.key.pem index ed46f5dccf4..5d46c025788 100644 --- a/nixos/tests/common/acme/server/ca.key.pem +++ b/nixos/tests/common/acme/server/ca.key.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAqzU81SwyTirRmBi1PfBBHCyqbLVxwiwuhueCymxHFPNH5/gK -1/KrD0h8oXV0JHGI6ulYfxAydU3LckUp7wI8MhuAGtWctUBXPyZ4zI784pgpFHPZ -UPsJC8B0jPyhsEdXBo5rUPxDApWUwNDcLpSbFzClc23eWrF26v8iU0OVsNuR7XTY -8EUF07we69yCnGPg7BA/QrxbwvaBv2YbWambsskXQpBVK67/FjVA5FkjfpTEesTM -fL9OfNyDen9dSIV9G/rLyvfBvNQdnrMAXZM71cr/TLp2QTtCbiRvLHTOdNioVi5s -wQtWW74FARfQbpg0aTBR+Awo+/qkNrWlnhsnOwIDAQABAoIBAA3ykVkgd5ysmlSU -trcsCnHcJaojgff6l3PACoSpG4VWaGY6a8+54julgRm6MtMBONFCX0ZCsImj484U -Wl0xRmwil2YYPuL5MeJgJPktMObY1IfpBCw3tz3w2M3fiuCMf0d2dMGtO1xLiUnH -+hgFXTkfamsj6ThkOrbcQBSebeRxbKM5hqyCaQoieV+0IJnyxUVq/apib8N50VsH -SHd4oqLUuEZgg6N70+l5DpzedJUb4nrwS/KhUHUBgnoPItYBCiGPmrwLk7fUhPs6 -kTDqJDtc/xW/JbjmzhWEpVvtumcC/OEKULss7HLdeQqwVBrRQkznb0M9AnSra3d0 -X11/Y4ECgYEA3FC8SquLPFb2lHK4+YbJ4Ac6QVWeYFEHiZ0Rj+CmONmjcAvOGLPE -SblRLm3Nbrkxbm8FF6/AfXa/rviAKEVPs5xqGfSDw/3n1uInPcmShiBCLwM/jHH5 -NeVG+R5mTg5zyQ/pQMLWRcs+Ail+ZAnZuoGpW3Cdc8OtCUYFQ7XB6nsCgYEAxvBJ -zFxcTtsDzWbMWXejugQiUqJcEbKWwEfkRbf3J2rAVO2+EFr7LxdRfN2VwPiTQcWc -LnN2QN+ouOjqBMTh3qm5oQY+TLLHy86k9g1k0gXWkMRQgP2ZdfWH1HyrwjLUgLe1 -VezFN7N1azgy6xFkInAAvuA4loxElZNvkGBgekECgYA/Xw26ILvNIGqO6qzgQXAh -+5I7JsiGheg4IjDiBMlrQtbrLMoceuD0H9UFGNplhel9DXwWgxxIOncKejpK2x0A -2fX+/0FDh+4+9hA5ipiV8gN3iGSoHkSDxy5yC9d7jlapt+TtFt4Rd1OfxZWwatDw -/8jaH3t6yAcmyrhK8KYVrwKBgAE5KwsBqmOlvyE9N5Z5QN189wUREIXfVkP6bTHs -jq2EX4hmKdwJ4y+H8i1VY31bSfSGlY5HkXuWpH/2lrHO0CDBZG3UDwADvWzIaYVF -0c/kz0v2mRQh+xaZmus4lQnNrDbaalgL666LAPbW0qFVaws3KxoBYPe0BxvwWyhF -H3LBAoGBAKRRNsq2pWQ8Gqxc0rVoH0FlexU9U2ci3lsLmgEB0A/o/kQkSyAxaRM+ -VdKp3sWfO8o8lX5CVQslCNBSjDTNcat3Co4NEBLg6Xv1yKN/WN1GhusnchP9szsP -oU47gC89QhUyWSd6vvr2z2NG9C3cACxe4dhDSHQcE4nHSldzCKv2 +MIIEowIBAAKCAQEAr6gKAMlfIoK5gZ1Ok9Z0A35JEB40KfgDQrYTQouJBjzqE8a2 +K1DFmunf2kiL+YSjtgPq9hnU3jNUb0qOhlK9xprCXFlDGyLCdEiUi0BMr5hT6c31 +dzXXyLer2UYqiWy7e8rg4mYpd9xnUBCmMsCcSLAm9gkneeVdXGUoiyLVhCFEQIR4 +UsR2mzEZiBf8WVsShRA3moM1zsVATwLyMM86kK6Ab972YX4HAIwsktHKyfxNlmuh +iynxb2lxhI/ypV37cKW7xbZzQbZrSXDcvWvCyaDnABPmYw9tYYnZwnPmGoOy2kd2 +bQFZKXkSfa0TQZFT+K79pqtrJCJIA32PxfLJjwIDAQABAoIBAErEFJXnIIY47Cq+ +QS7t7e16uDCTGpLujLy9cQ83AzjTfrKyNuHS/HkGqRBpJqMrEN+tZTohHpkBciP4 +sRd9amd5gdb663RGZExIhGmNEdb/2F/BGYUHNvSpMQ1HL13VGSwE25mh8G6jMppC +q+sYTq0lxT+d/96DgSyNpicqyYT2S2CTCRkWGAsc6KQwRpBYqoEqUeakyGfe2k85 +pj32H53Si/49fkWkQ9RciPdg7qcu7u/iegwAkkjKoATeEjNf0NqBlkWag1qU0UHR +r2xDin+3ffEU2GQEwSvnGwlo7uyAN0UsryEWa9suuhX5T4eSWAMgTL4iVkh8Aa24 ++YEFOGkCgYEA0DUb++31+nuxU8N+GPaPQXiob8C0RmSzSzSHJ3daJpzq8k576jqs +3TgkhLDzQepcTYVU2ucn6+9ziXEsz4H06W3FNGktnyK4BRqYitt5TjZvPc+WTPhR +0U+iUqBZilCAhUkIsNUiGvnMhz9VfcS/gn+NqhL7kvYi11/jAc4bbB0CgYEA1/oh ++t1ZKVLkbANrma/M8AX27Vl3k4jgOWGzFwAVD10zN31gGyVjv1knmG22pmL2+N+Z +8CnVmdHQQQIWV1pYbgwRkvpnZWyH7AvHd9l1XLYyOU3VEpz+e2bpMtzesaza3UWW +k8NELNE5sBopY939XkQ9G3aMXtbkx01zX+0BZJsCgYB+MdJ2TfKrEVGXfYPuSXLm +seUVZu1dRSfOy1WnvBVuFenpV1yPyWSA6MhpjH7EUvIDIm8eBsERpZ6XjXslgpUY +7ql6bM10CK0UmtwePYw2tZOTGUD2AgRFI0k1X28mAEkFgBC+bVAwnXsz9lUw15Fj +3T/V9493savIcpu6uluwmQKBgQCE/I4jzFv0aAgiwlBlB6znNqT/LRHGFIgMjS4b +QX+2QCsjRd4BmRo8XodVAmlvNozgXb6J9RiDaIAVJ1XeX9EHogLIP8ue1h8zp2Uh +VRNBDScLxfMnTOgd0BZTrVCqkscJbKn1Pk0iU4pz9wf5aF10yAvgdzSjySqB1hzu +uh8bdQKBgEpFIyhqfXf/NzchI5y23Cok14LFIPJ1yERD/B8taS7muVQwpgffy+Ld +BH7dhafWSDVqIk1e6yl+82b4amleTEmDfopgc6FR7uPid1JoFxrwhnEfC3FjZamp +1OzXAOE/mX3jHf1spqpB2J/rDVPKi934ocQVoWnBeRopGTXxzbed -----END RSA PRIVATE KEY----- diff --git a/nixos/tests/common/acme/server/generate-certs.nix b/nixos/tests/common/acme/server/generate-certs.nix index cd8fe0dffca..85c751c56ad 100644 --- a/nixos/tests/common/acme/server/generate-certs.nix +++ b/nixos/tests/common/acme/server/generate-certs.nix @@ -10,7 +10,11 @@ let domain = conf.domain; in mkDerivation { name = "test-certs"; - buildInputs = [ minica ]; + buildInputs = [ (minica.overrideAttrs (old: { + prePatch = '' + sed -i 's_NotAfter: time.Now().AddDate(2, 0, 30),_NotAfter: time.Now().AddDate(20, 0, 0),_' main.go + ''; + })) ]; phases = [ "buildPhase" "installPhase" ]; buildPhase = '' diff --git a/nixos/tests/deluge.nix b/nixos/tests/deluge.nix index 0cd1d21870a..e8945fdea00 100644 --- a/nixos/tests/deluge.nix +++ b/nixos/tests/deluge.nix @@ -54,8 +54,10 @@ import ./make-test-python.nix ({ pkgs, ...} : { declarative.wait_for_unit("deluged") declarative.wait_for_unit("delugeweb") declarative.wait_until_succeeds("curl --fail http://declarative:3142") + + # deluge-console always exits with 1. https://dev.deluge-torrent.org/ticket/3291 declarative.succeed( - "deluge-console 'connect 127.0.0.1:58846 andrew password; help' | grep -q 'rm.*Remove a torrent'" + "(deluge-console 'connect 127.0.0.1:58846 andrew password; help' || true) | grep -q 'rm.*Remove a torrent'" ) ''; }) diff --git a/nixos/tests/dhparams.nix b/nixos/tests/dhparams.nix index a0de2911777..021042fafdb 100644 --- a/nixos/tests/dhparams.nix +++ b/nixos/tests/dhparams.nix @@ -1,81 +1,69 @@ -let - common = { pkgs, ... }: { - security.dhparams.enable = true; - environment.systemPackages = [ pkgs.openssl ]; - }; - -in import ./make-test-python.nix { +import ./make-test-python.nix { name = "dhparams"; - nodes.generation1 = { pkgs, config, ... }: { - imports = [ common ]; - security.dhparams.params = { - # Use low values here because we don't want the test to run for ages. - foo.bits = 16; - # Also use the old format to make sure the type is coerced in the right - # way. - bar = 17; - }; + nodes.machine = { pkgs, ... }: { + security.dhparams.enable = true; + environment.systemPackages = [ pkgs.openssl ]; - systemd.services.foo = { - description = "Check systemd Ordering"; - wantedBy = [ "multi-user.target" ]; - unitConfig = { - # This is to make sure that the dhparams generation of foo occurs - # before this service so we need this service to start as early as - # possible to provoke a race condition. - DefaultDependencies = false; - - # We check later whether the service has been started or not. - ConditionPathExists = config.security.dhparams.params.foo.path; + specialisation = { + gen1.configuration = { config, ... }: { + security.dhparams.params = { + # Use low values here because we don't want the test to run for ages. + foo.bits = 1024; + # Also use the old format to make sure the type is coerced in the right + # way. + bar = 1025; + }; + + systemd.services.foo = { + description = "Check systemd Ordering"; + wantedBy = [ "multi-user.target" ]; + unitConfig = { + # This is to make sure that the dhparams generation of foo occurs + # before this service so we need this service to start as early as + # possible to provoke a race condition. + DefaultDependencies = false; + + # We check later whether the service has been started or not. + ConditionPathExists = config.security.dhparams.params.foo.path; + }; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + # The reason we only provide an ExecStop here is to ensure that we don't + # accidentally trigger an error because a file system is not yet ready + # during very early startup (we might not even have the Nix store + # available, for example if future changes in NixOS use systemd mount + # units to do early file system initialisation). + serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true"; + }; + }; + gen2.configuration = { + security.dhparams.params.foo.bits = 1026; + }; + gen3.configuration = {}; + gen4.configuration = { + security.dhparams.stateful = false; + security.dhparams.params.foo2.bits = 1027; + security.dhparams.params.bar2.bits = 1028; + }; + gen5.configuration = { + security.dhparams.defaultBitSize = 1029; + security.dhparams.params.foo3 = {}; + security.dhparams.params.bar3 = {}; }; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - # The reason we only provide an ExecStop here is to ensure that we don't - # accidentally trigger an error because a file system is not yet ready - # during very early startup (we might not even have the Nix store - # available, for example if future changes in NixOS use systemd mount - # units to do early file system initialisation). - serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true"; }; }; - nodes.generation2 = { - imports = [ common ]; - security.dhparams.params.foo.bits = 18; - }; - - nodes.generation3 = common; - - nodes.generation4 = { - imports = [ common ]; - security.dhparams.stateful = false; - security.dhparams.params.foo2.bits = 18; - security.dhparams.params.bar2.bits = 19; - }; - - nodes.generation5 = { - imports = [ common ]; - security.dhparams.defaultBitSize = 30; - security.dhparams.params.foo3 = {}; - security.dhparams.params.bar3 = {}; - }; - testScript = { nodes, ... }: let getParamPath = gen: name: let - node = "generation${toString gen}"; - in nodes.${node}.config.security.dhparams.params.${name}.path; + node = "gen${toString gen}"; + in nodes.machine.config.specialisation.${node}.configuration.security.dhparams.params.${name}.path; switchToGeneration = gen: let - node = "generation${toString gen}"; - inherit (nodes.${node}.config.system.build) toplevel; - switchCmd = "${toplevel}/bin/switch-to-configuration test"; + switchCmd = "${nodes.machine.config.system.build.toplevel}/specialisation/gen${toString gen}/bin/switch-to-configuration test"; in '' with machine.nested("switch to generation ${toString gen}"): - machine.succeed( - "${switchCmd}" - ) - machine = ${node} + machine.succeed("${switchCmd}") ''; in '' @@ -92,22 +80,20 @@ in import ./make-test-python.nix { if match[1] != str(bits): raise Exception(f"bit size should be {bits} but it is {match[1]} instead.") - - machine = generation1 - machine.wait_for_unit("multi-user.target") + ${switchToGeneration 1} with subtest("verify startup order"): machine.succeed("systemctl is-active foo.service") with subtest("check bit sizes of dhparam files"): - assert_param_bits("${getParamPath 1 "foo"}", 16) - assert_param_bits("${getParamPath 1 "bar"}", 17) + assert_param_bits("${getParamPath 1 "foo"}", 1024) + assert_param_bits("${getParamPath 1 "bar"}", 1025) ${switchToGeneration 2} with subtest("check whether bit size has changed"): - assert_param_bits("${getParamPath 2 "foo"}", 18) + assert_param_bits("${getParamPath 2 "foo"}", 1026) with subtest("ensure that dhparams file for 'bar' was deleted"): machine.fail("test -e ${getParamPath 1 "bar"}") @@ -115,16 +101,16 @@ in import ./make-test-python.nix { ${switchToGeneration 3} with subtest("ensure that 'security.dhparams.path' has been deleted"): - machine.fail("test -e ${nodes.generation3.config.security.dhparams.path}") + machine.fail("test -e ${nodes.machine.config.specialisation.gen3.configuration.security.dhparams.path}") ${switchToGeneration 4} with subtest("check bit sizes dhparam files"): assert_param_bits( - "${getParamPath 4 "foo2"}", 18 + "${getParamPath 4 "foo2"}", 1027 ) assert_param_bits( - "${getParamPath 4 "bar2"}", 19 + "${getParamPath 4 "bar2"}", 1028 ) with subtest("check whether dhparam files are in the Nix store"): @@ -136,7 +122,7 @@ in import ./make-test-python.nix { ${switchToGeneration 5} with subtest("check whether defaultBitSize works as intended"): - assert_param_bits("${getParamPath 5 "foo3"}", 30) - assert_param_bits("${getParamPath 5 "bar3"}", 30) + assert_param_bits("${getParamPath 5 "foo3"}", 1029) + assert_param_bits("${getParamPath 5 "bar3"}", 1029) ''; } diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index 21a727dbd97..e76a4613192 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix @@ -431,5 +431,58 @@ import ./make-test-python.nix ({ pkgs, ... }: { docker.succeed("docker run --rm image-with-certs:latest test -r /etc/pki/tls/certs/ca-bundle.crt") docker.succeed("docker image rm image-with-certs:latest") + with subtest("buildNixShellImage: Can build a basic derivation"): + docker.succeed( + "${examples.nix-shell-basic} | docker load", + "docker run --rm nix-shell-basic bash -c 'buildDerivation && $out/bin/hello' | grep '^Hello, world!$'" + ) + + with subtest("buildNixShellImage: Runs the shell hook"): + docker.succeed( + "${examples.nix-shell-hook} | docker load", + "docker run --rm -it nix-shell-hook | grep 'This is the shell hook!'" + ) + + with subtest("buildNixShellImage: Sources stdenv, making build inputs available"): + docker.succeed( + "${examples.nix-shell-inputs} | docker load", + "docker run --rm -it nix-shell-inputs | grep 'Hello, world!'" + ) + + with subtest("buildNixShellImage: passAsFile works"): + docker.succeed( + "${examples.nix-shell-pass-as-file} | docker load", + "docker run --rm -it nix-shell-pass-as-file | grep 'this is a string'" + ) + + with subtest("buildNixShellImage: run argument works"): + docker.succeed( + "${examples.nix-shell-run} | docker load", + "docker run --rm -it nix-shell-run | grep 'This shell is not interactive'" + ) + + with subtest("buildNixShellImage: command argument works"): + docker.succeed( + "${examples.nix-shell-command} | docker load", + "docker run --rm -it nix-shell-command | grep 'This shell is interactive'" + ) + + with subtest("buildNixShellImage: home directory is writable by default"): + docker.succeed( + "${examples.nix-shell-writable-home} | docker load", + "docker run --rm -it nix-shell-writable-home" + ) + + with subtest("buildNixShellImage: home directory can be made non-existent"): + docker.succeed( + "${examples.nix-shell-nonexistent-home} | docker load", + "docker run --rm -it nix-shell-nonexistent-home" + ) + + with subtest("buildNixShellImage: can build derivations"): + docker.succeed( + "${examples.nix-shell-build-derivation} | docker load", + "docker run --rm -it nix-shell-build-derivation" + ) ''; }) diff --git a/nixos/tests/ec2.nix b/nixos/tests/ec2.nix index aa3c2b7051f..e649761d029 100644 --- a/nixos/tests/ec2.nix +++ b/nixos/tests/ec2.nix @@ -16,8 +16,6 @@ let ../modules/testing/test-instrumentation.nix ../modules/profiles/qemu-guest.nix { - ec2.hvm = true; - # Hack to make the partition resizing work in QEMU. boot.initrd.postDeviceCommands = mkBefore '' ln -s vda /dev/xvda diff --git a/nixos/tests/evcc.nix b/nixos/tests/evcc.nix new file mode 100644 index 00000000000..0fc261142f7 --- /dev/null +++ b/nixos/tests/evcc.nix @@ -0,0 +1,96 @@ +import ./make-test-python.nix ({ pkgs, lib, ...} : + +{ + name = "evcc"; + meta.maintainers = with lib.maintainers; [ hexa ]; + + nodes = { + machine = { config, ... }: { + services.evcc = { + enable = true; + settings = { + network = { + schema = "http"; + host = "localhost"; + port = 7070; + }; + + log = "info"; + + site = { + title = "NixOS Test"; + meters = { + grid = "grid"; + pv = "pv"; + }; + }; + + meters = [ { + type = "custom"; + name = "grid"; + power = { + source = "script"; + cmd = "/bin/sh -c 'echo -4500'"; + }; + } { + type = "custom"; + name = "pv"; + power = { + source = "script"; + cmd = "/bin/sh -c 'echo 7500'"; + }; + } ]; + + chargers = [ { + name = "dummy-charger"; + type = "custom"; + status = { + source = "script"; + cmd = "/bin/sh -c 'echo charger status F'"; + }; + enabled = { + source = "script"; + cmd = "/bin/sh -c 'echo charger enabled state false'"; + }; + enable = { + source = "script"; + cmd = "/bin/sh -c 'echo set charger enabled state true'"; + }; + maxcurrent = { + source = "script"; + cmd = "/bin/sh -c 'echo set charger max current 7200'"; + }; + } ]; + + loadpoints = [ { + title = "Dummy"; + charger = "dummy-charger"; + } ]; + }; + }; + }; + }; + + testScript = '' + start_all() + + machine.wait_for_unit("evcc.service") + machine.wait_for_open_port(7070) + + with subtest("Check package version propagates into frontend"): + machine.fail( + "curl --fail http://localhost:7070 | grep '0.0.1-alpha'" + ) + machine.succeed( + "curl --fail http://localhost:7070 | grep '${pkgs.evcc.version}'" + ) + + with subtest("Check journal for errors"): + _, output = machine.execute("journalctl -o cat -u evcc.service") + assert "ERROR" not in output + + with subtest("Check systemd hardening"): + _, output = machine.execute("systemd-analyze security evcc.service | grep -v '✓'") + machine.log(output) + ''; +}) diff --git a/nixos/tests/fscrypt.nix b/nixos/tests/fscrypt.nix new file mode 100644 index 00000000000..03367979359 --- /dev/null +++ b/nixos/tests/fscrypt.nix @@ -0,0 +1,50 @@ +import ./make-test-python.nix ({ ... }: +{ + name = "fscrypt"; + + nodes.machine = { pkgs, ... }: { + imports = [ ./common/user-account.nix ]; + security.pam.enableFscrypt = true; + }; + + testScript = '' + def login_as_alice(): + machine.wait_until_tty_matches("1", "login: ") + machine.send_chars("alice\n") + machine.wait_until_tty_matches("1", "Password: ") + machine.send_chars("foobar\n") + machine.wait_until_tty_matches("1", "alice\@machine") + + + def logout(): + machine.send_chars("logout\n") + machine.wait_until_tty_matches("1", "login: ") + + + machine.wait_for_unit("default.target") + + with subtest("Enable fscrypt on filesystem"): + machine.succeed("tune2fs -O encrypt /dev/vda") + machine.succeed("fscrypt setup --quiet --force --time=1ms") + + with subtest("Set up alice with an fscrypt-enabled home directory"): + machine.succeed("(echo foobar; echo foobar) | passwd alice") + machine.succeed("chown -R alice.users ~alice") + machine.succeed("echo foobar | fscrypt encrypt --skip-unlock --source=pam_passphrase --user=alice /home/alice") + + with subtest("Create file as alice"): + login_as_alice() + machine.succeed("echo hello > /home/alice/world") + logout() + # Wait for logout to be processed + machine.sleep(1) + + with subtest("File should not be readable without being logged in as alice"): + machine.fail("cat /home/alice/world") + + with subtest("File should be readable again as alice"): + login_as_alice() + machine.succeed("cat /home/alice/world") + logout() + ''; +}) diff --git a/nixos/tests/grafana/provision/default.nix b/nixos/tests/grafana/provision/default.nix index 7a707ab9fed..1eb927632eb 100644 --- a/nixos/tests/grafana/provision/default.nix +++ b/nixos/tests/grafana/provision/default.nix @@ -17,7 +17,7 @@ let security = { admin_user = "testadmin"; - admin_password = "snakeoilpwd"; + admin_password = "$__file{${pkgs.writeText "pwd" "snakeoilpwd"}}"; }; }; }; @@ -28,17 +28,24 @@ let }; extraNodeConfs = { - provisionOld = { + provisionLegacyNotifiers = { services.grafana.provision = { - datasources = [{ - name = "Test Datasource"; - type = "testdata"; - access = "proxy"; - uid = "test_datasource"; - }]; - - dashboards = [{ options.path = "/var/lib/grafana/dashboards"; }]; - + datasources.settings = { + apiVersion = 1; + datasources = [{ + name = "Test Datasource"; + type = "testdata"; + access = "proxy"; + uid = "test_datasource"; + }]; + }; + dashboards.settings = { + apiVersion = 1; + providers = [{ + name = "default"; + options.path = "/var/lib/grafana/dashboards"; + }]; + }; notifiers = [{ uid = "test_notifiers"; name = "Test Notifiers"; @@ -50,7 +57,6 @@ let }]; }; }; - provisionNix = { services.grafana.provision = { datasources.settings = { @@ -157,6 +163,22 @@ let }; }; }; + + provisionYamlDirs = let + mkdir = p: pkgs.writeTextDir (baseNameOf p) (builtins.readFile p); + in { + services.grafana.provision = { + datasources.path = mkdir ./datasources.yaml; + dashboards.path = mkdir ./dashboards.yaml; + alerting = { + rules.path = mkdir ./rules.yaml; + contactPoints.path = mkdir ./contact-points.yaml; + policies.path = mkdir ./policies.yaml; + templates.path = mkdir ./templates.yaml; + muteTimings.path = mkdir ./mute-timings.yaml; + }; + }; + }; }; nodes = builtins.mapAttrs (_: val: mkMerge [ val baseGrafanaConf ]) extraNodeConfs; @@ -172,58 +194,58 @@ in { testScript = '' start_all() - nodeOld = ("Nix (old format)", provisionOld) nodeNix = ("Nix (new format)", provisionNix) nodeYaml = ("Nix (YAML)", provisionYaml) + nodeYamlDir = ("Nix (YAML in dirs)", provisionYamlDirs) - for nodeInfo in [nodeOld, nodeNix, nodeYaml]: - with subtest(f"Should start provision node: {nodeInfo[0]}"): - nodeInfo[1].wait_for_unit("grafana.service") - nodeInfo[1].wait_for_open_port(3000) + for description, machine in [nodeNix, nodeYaml, nodeYamlDir]: + with subtest(f"Should start provision node: {description}"): + machine.wait_for_unit("grafana.service") + machine.wait_for_open_port(3000) - with subtest(f"Successful datasource provision with {nodeInfo[0]}"): - nodeInfo[1].succeed( + with subtest(f"Successful datasource provision with {description}"): + machine.succeed( "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/datasources/uid/test_datasource | grep Test\ Datasource" ) - with subtest(f"Successful dashboard provision with {nodeInfo[0]}"): - nodeInfo[1].succeed( + with subtest(f"Successful dashboard provision with {description}"): + machine.succeed( "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/dashboards/uid/test_dashboard | grep Test\ Dashboard" ) - - - with subtest(f"Successful notifiers provision with {nodeOld[0]}"): - nodeOld[1].succeed( - "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/alert-notifications/uid/test_notifiers | grep Test\ Notifiers" - ) - - - - for nodeInfo in [nodeNix, nodeYaml]: - with subtest(f"Successful rule provision with {nodeInfo[0]}"): - nodeInfo[1].succeed( + with subtest(f"Successful rule provision with {description}"): + machine.succeed( "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/alert-rules/test_rule | grep Test\ Rule" ) - with subtest(f"Successful contact point provision with {nodeInfo[0]}"): - nodeInfo[1].succeed( + with subtest(f"Successful contact point provision with {description}"): + machine.succeed( "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/contact-points | grep Test\ Contact\ Point" ) - with subtest(f"Successful policy provision with {nodeInfo[0]}"): - nodeInfo[1].succeed( + with subtest(f"Successful policy provision with {description}"): + machine.succeed( "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/policies | grep Test\ Contact\ Point" ) - with subtest(f"Successful template provision with {nodeInfo[0]}"): - nodeInfo[1].succeed( + with subtest(f"Successful template provision with {description}"): + machine.succeed( "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/templates | grep Test\ Template" ) - with subtest("Successful mute timings provision with {nodeInfo[0]}"): - nodeInfo[1].succeed( + with subtest("Successful mute timings provision with {description}"): + machine.succeed( "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/mute-timings | grep Test\ Mute\ Timing" ) + + with subtest("Successful notifiers provision"): + provisionLegacyNotifiers.wait_for_unit("grafana.service") + provisionLegacyNotifiers.wait_for_open_port(3000) + print(provisionLegacyNotifiers.succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/alert-notifications/uid/test_notifiers" + )) + provisionLegacyNotifiers.succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/alert-notifications/uid/test_notifiers | grep Test\ Notifiers" + ) ''; }) diff --git a/nixos/tests/hibernate.nix b/nixos/tests/hibernate.nix index 7a4b331169a..cb75322ca5f 100644 --- a/nixos/tests/hibernate.nix +++ b/nixos/tests/hibernate.nix @@ -26,8 +26,9 @@ let powerManagement.resumeCommands = "systemctl --no-block restart backdoor.service"; - fileSystems = { - "/".device = "/dev/vda2"; + fileSystems."/" = { + device = "/dev/vda2"; + fsType = "ext3"; }; swapDevices = mkOverride 0 [ { device = "/dev/vda1"; } ]; boot.resumeDevice = mkIf systemdStage1 "/dev/vda1"; diff --git a/nixos/tests/installer-systemd-stage-1.nix b/nixos/tests/installer-systemd-stage-1.nix index d02387ee80e..03f0ec8d746 100644 --- a/nixos/tests/installer-systemd-stage-1.nix +++ b/nixos/tests/installer-systemd-stage-1.nix @@ -8,9 +8,10 @@ # them when fixed. inherit (import ./installer.nix { inherit system config pkgs; systemdStage1 = true; }) # bcache - # btrfsSimple - # btrfsSubvolDefault - # btrfsSubvols + btrfsSimple + btrfsSubvolDefault + btrfsSubvolEscape + btrfsSubvols # encryptedFSWithKeyfile # grub1 # luksroot diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index d9f64a781c5..9b3c8a76299 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -911,4 +911,25 @@ in { ) ''; }; + + # Test to see if we can deal with subvols that need to be escaped in fstab + btrfsSubvolEscape = makeInstallerTest "btrfsSubvolEscape" { + createPartitions = '' + machine.succeed( + "sgdisk -Z /dev/vda", + "sgdisk -n 1:0:+1M -n 2:0:+1G -N 3 -t 1:ef02 -t 2:8200 -t 3:8300 -c 3:root /dev/vda", + "mkswap /dev/vda2 -L swap", + "swapon -L swap", + "mkfs.btrfs -L root /dev/vda3", + "btrfs device scan", + "mount LABEL=root /mnt", + "btrfs subvol create '/mnt/nixos in space'", + "btrfs subvol create /mnt/boot", + "umount /mnt", + "mount -o 'defaults,subvol=nixos in space' LABEL=root /mnt", + "mkdir /mnt/boot", + "mount -o defaults,subvol=boot LABEL=root /mnt/boot", + ) + ''; + }; } diff --git a/nixos/tests/kanidm.nix b/nixos/tests/kanidm.nix index 7f8a4e50177..33c65026b9b 100644 --- a/nixos/tests/kanidm.nix +++ b/nixos/tests/kanidm.nix @@ -13,26 +13,17 @@ import ./make-test-python.nix ({ pkgs, ... }: serverSettings = { origin = "https://${serverDomain}"; domain = serverDomain; - bindaddress = "[::1]:8443"; + bindaddress = "[::]:443"; ldapbindaddress = "[::1]:636"; - }; - }; - - services.nginx = { - enable = true; - recommendedProxySettings = true; - virtualHosts."${serverDomain}" = { - forceSSL = true; - sslCertificate = certs."${serverDomain}".cert; - sslCertificateKey = certs."${serverDomain}".key; - locations."/".proxyPass = "http://[::1]:8443"; + tls_chain = certs."${serverDomain}".cert; + tls_key = certs."${serverDomain}".key; }; }; security.pki.certificateFiles = [ certs.ca.cert ]; networking.hosts."::1" = [ serverDomain ]; - networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedTCPPorts = [ 443 ]; users.users.kanidm.shell = pkgs.bashInteractive; @@ -73,7 +64,7 @@ import ./make-test-python.nix ({ pkgs, ... }: start_all() server.wait_for_unit("kanidm.service") server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm") - server.succeed("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'") + server.succeed("ldapsearch -H ldaps://${serverDomain}:636 -b '${ldapBaseDN}' -x '(name=test)'") client.succeed("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}") rv, result = server.execute("kanidmd recover_account -c ${serverConfigFile} idm_admin 2>&1 | rg -o '[A-Za-z0-9]{48}'") assert rv == 0 diff --git a/nixos/tests/keycloak.nix b/nixos/tests/keycloak.nix index 6ce136330d4..228e57d1cdd 100644 --- a/nixos/tests/keycloak.nix +++ b/nixos/tests/keycloak.nix @@ -5,10 +5,13 @@ let certs = import ./common/acme/server/snakeoil-certs.nix; frontendUrl = "https://${certs.domain}"; - initialAdminPassword = "h4IhoJFnt2iQIR9"; keycloakTest = import ./make-test-python.nix ( { pkgs, databaseType, ... }: + let + initialAdminPassword = "h4Iho\"JFn't2>iQIR9"; + adminPasswordFile = pkgs.writeText "admin-password" "${initialAdminPassword}"; + in { name = "keycloak"; meta = with pkgs.lib.maintainers; { @@ -37,7 +40,7 @@ let type = databaseType; username = "bogus"; name = "also bogus"; - passwordFile = "${pkgs.writeText "dbPassword" "wzf6vOCbPp6cqTH"}"; + passwordFile = "${pkgs.writeText "dbPassword" ''wzf6\"vO"Cb\nP>p#6;c&o?eu=q'THE'''H''''E''}"; }; plugins = with config.services.keycloak.package.plugins; [ keycloak-discord @@ -111,7 +114,7 @@ let keycloak.succeed(""" curl -sSf -d 'client_id=admin-cli' \ -d 'username=admin' \ - -d 'password=${initialAdminPassword}' \ + -d "password=$(<${adminPasswordFile})" \ -d 'grant_type=password' \ '${frontendUrl}/realms/master/protocol/openid-connect/token' \ | jq -r '"Authorization: bearer " + .access_token' >admin_auth_header @@ -119,10 +122,10 @@ let # Register the metrics SPI keycloak.succeed( - "${pkgs.jre}/bin/keytool -import -alias snakeoil -file ${certs.ca.cert} -storepass aaaaaa -keystore cacert.jks -noprompt", - "KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh config credentials --server '${frontendUrl}' --realm master --user admin --password '${initialAdminPassword}'", - "KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh update events/config -s 'eventsEnabled=true' -s 'adminEventsEnabled=true' -s 'eventsListeners+=metrics-listener'", - "curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'" + """${pkgs.jre}/bin/keytool -import -alias snakeoil -file ${certs.ca.cert} -storepass aaaaaa -keystore cacert.jks -noprompt""", + """KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh config credentials --server '${frontendUrl}' --realm master --user admin --password "$(<${adminPasswordFile})" """, + """KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh update events/config -s 'eventsEnabled=true' -s 'adminEventsEnabled=true' -s 'eventsListeners+=metrics-listener'""", + """curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'""" ) # Publish the realm, including a test OIDC client and user diff --git a/nixos/tests/libvirtd.nix b/nixos/tests/libvirtd.nix index ce122682da7..49258fcb93e 100644 --- a/nixos/tests/libvirtd.nix +++ b/nixos/tests/libvirtd.nix @@ -26,7 +26,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { in '' start_all() - virthost.wait_for_unit("sockets.target") + virthost.wait_for_unit("multi-user.target") with subtest("enable default network"): virthost.succeed("virsh net-start default") @@ -46,13 +46,16 @@ import ./make-test-python.nix ({ pkgs, ... }: { virthost.succeed("virsh pool-start zfs_storagepool") virthost.succeed("virsh vol-create-as zfs_storagepool disk1 25MB") - with subtest("check if nixos install iso boots and network works"): + with subtest("check if nixos install iso boots, network and autostart works"): virthost.succeed( - "virt-install -n nixos --osinfo=nixos-unstable --ram=1024 --graphics=none --disk=`find ${nixosInstallISO}/iso -type f | head -n1`,readonly=on --import --noautoconsole" + "virt-install -n nixos --osinfo nixos-unstable --memory 1024 --graphics none --disk `find ${nixosInstallISO}/iso -type f | head -n1`,readonly=on --import --noautoconsole --autostart" ) virthost.succeed("virsh domstate nixos | grep running") virthost.wait_until_succeeds("ping -c 1 nixos") virthost.succeed("virsh ${virshShutdownCmd} nixos") virthost.wait_until_succeeds("virsh domstate nixos | grep 'shut off'") + virthost.shutdown() + virthost.wait_for_unit("multi-user.target") + virthost.wait_until_succeeds("ping -c 1 nixos") ''; }) diff --git a/nixos/tests/make-test-python.nix b/nixos/tests/make-test-python.nix index 7a96f538d8d..28569f1d295 100644 --- a/nixos/tests/make-test-python.nix +++ b/nixos/tests/make-test-python.nix @@ -1,6 +1,6 @@ f: { system ? builtins.currentSystem, - pkgs ? import ../.. { inherit system; }, + pkgs ? import ../.. { inherit system; config = {}; overlays = []; }, ... } @ args: diff --git a/nixos/tests/nextcloud/basic.nix b/nixos/tests/nextcloud/basic.nix index eb37470a4c7..a475049e7b2 100644 --- a/nixos/tests/nextcloud/basic.nix +++ b/nixos/tests/nextcloud/basic.nix @@ -37,6 +37,8 @@ in { "d /var/lib/nextcloud-data 0750 nextcloud nginx - -" ]; + system.stateVersion = "22.11"; # stateVersion >=21.11 to make sure that we use OpenSSL3 + services.nextcloud = { enable = true; datadir = "/var/lib/nextcloud-data"; @@ -99,6 +101,10 @@ in { # This is just to ensure the nextcloud-occ program is working nextcloud.succeed("nextcloud-occ status") nextcloud.succeed("curl -sSf http://nextcloud/login") + # Ensure that no OpenSSL 1.1 is used. + nextcloud.succeed( + "${nodes.nextcloud.services.phpfpm.pools.nextcloud.phpPackage}/bin/php -i | grep 'OpenSSL Library Version' | awk -F'=>' '{ print $2 }' | awk '{ print $2 }' | grep -v 1.1" + ) nextcloud.succeed( "${withRcloneEnv} ${copySharedFile}" ) @@ -108,5 +114,6 @@ in { "${withRcloneEnv} ${diffSharedFile}" ) assert "hi" in client.succeed("cat /mnt/dav/test-shared-file") + nextcloud.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud-data/data/root/files/test-shared-file") ''; })) args diff --git a/nixos/tests/nextcloud/default.nix b/nixos/tests/nextcloud/default.nix index 7dbdff98823..b8d3ba75b51 100644 --- a/nixos/tests/nextcloud/default.nix +++ b/nixos/tests/nextcloud/default.nix @@ -8,6 +8,10 @@ with pkgs.lib; foldl (matrix: ver: matrix // { "basic${toString ver}" = import ./basic.nix { inherit system pkgs; nextcloudVersion = ver; }; + "openssl-sse${toString ver}" = import ./openssl-sse.nix { + inherit system pkgs; + nextcloudVersion = ver; + }; "with-postgresql-and-redis${toString ver}" = import ./with-postgresql-and-redis.nix { inherit system pkgs; nextcloudVersion = ver; diff --git a/nixos/tests/nextcloud/openssl-sse.nix b/nixos/tests/nextcloud/openssl-sse.nix new file mode 100644 index 00000000000..7595ee2c67e --- /dev/null +++ b/nixos/tests/nextcloud/openssl-sse.nix @@ -0,0 +1,105 @@ +args@{ pkgs, nextcloudVersion ? 25, ... }: + +(import ../make-test-python.nix ({ pkgs, ...}: let + adminuser = "root"; + adminpass = "notproduction"; + nextcloudBase = { + networking.firewall.allowedTCPPorts = [ 80 ]; + system.stateVersion = "22.05"; # stateVersions <22.11 use openssl 1.1 by default + services.nextcloud = { + enable = true; + config.adminpassFile = "${pkgs.writeText "adminpass" adminpass}"; + package = pkgs.${"nextcloud" + (toString nextcloudVersion)}; + }; + }; +in { + name = "nextcloud-openssl"; + meta = with pkgs.lib.maintainers; { + maintainers = [ ma27 ]; + }; + nodes.nextcloudwithopenssl1 = { + imports = [ nextcloudBase ]; + services.nextcloud.hostName = "nextcloudwithopenssl1"; + }; + nodes.nextcloudwithopenssl3 = { + imports = [ nextcloudBase ]; + services.nextcloud = { + hostName = "nextcloudwithopenssl3"; + enableBrokenCiphersForSSE = false; + }; + }; + testScript = { nodes, ... }: let + withRcloneEnv = host: pkgs.writeScript "with-rclone-env" '' + #!${pkgs.runtimeShell} + export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav + export RCLONE_CONFIG_NEXTCLOUD_URL="http://${host}/remote.php/webdav/" + export RCLONE_CONFIG_NEXTCLOUD_VENDOR="nextcloud" + export RCLONE_CONFIG_NEXTCLOUD_USER="${adminuser}" + export RCLONE_CONFIG_NEXTCLOUD_PASS="$(${pkgs.rclone}/bin/rclone obscure ${adminpass})" + "''${@}" + ''; + withRcloneEnv1 = withRcloneEnv "nextcloudwithopenssl1"; + withRcloneEnv3 = withRcloneEnv "nextcloudwithopenssl3"; + copySharedFile1 = pkgs.writeScript "copy-shared-file" '' + #!${pkgs.runtimeShell} + echo 'hi' | ${withRcloneEnv1} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file + ''; + copySharedFile3 = pkgs.writeScript "copy-shared-file" '' + #!${pkgs.runtimeShell} + echo 'bye' | ${withRcloneEnv3} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file2 + ''; + openssl1-node = nodes.nextcloudwithopenssl1.config.system.build.toplevel; + openssl3-node = nodes.nextcloudwithopenssl3.config.system.build.toplevel; + in '' + nextcloudwithopenssl1.start() + nextcloudwithopenssl1.wait_for_unit("multi-user.target") + nextcloudwithopenssl1.succeed("nextcloud-occ status") + nextcloudwithopenssl1.succeed("curl -sSf http://nextcloudwithopenssl1/login") + + with subtest("With OpenSSL 1 SSE can be enabled and used"): + nextcloudwithopenssl1.succeed("nextcloud-occ app:enable encryption") + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable") + + with subtest("Upload file and ensure it's encrypted"): + nextcloudwithopenssl1.succeed("${copySharedFile1}") + nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") + + with subtest("Switch to OpenSSL 3"): + nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test") + nextcloudwithopenssl1.wait_for_open_port(80) + nextcloudwithopenssl1.succeed("nextcloud-occ status") + + with subtest("Existing encrypted files cannot be read, but new files can be added"): + nextcloudwithopenssl1.fail("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file >&2") + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:disable") + nextcloudwithopenssl1.succeed("${copySharedFile3}") + nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2") + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") + + with subtest("Switch back to OpenSSL 1.1 and ensure that encrypted files are readable again"): + nextcloudwithopenssl1.succeed("${openssl1-node}/bin/switch-to-configuration test") + nextcloudwithopenssl1.wait_for_open_port(80) + nextcloudwithopenssl1.succeed("nextcloud-occ status") + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable") + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") + nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") + nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2") + + with subtest("Ensure that everything can be decrypted"): + nextcloudwithopenssl1.succeed("echo y | nextcloud-occ encryption:decrypt-all >&2") + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") + nextcloudwithopenssl1.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") + + with subtest("Switch to OpenSSL 3 ensure that all files are usable now"): + nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test") + nextcloudwithopenssl1.wait_for_open_port(80) + nextcloudwithopenssl1.succeed("nextcloud-occ status") + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") + + nextcloudwithopenssl1.shutdown() + ''; +})) args diff --git a/nixos/tests/patroni.nix b/nixos/tests/patroni.nix index f512fddcdbd..1f15cd59677 100644 --- a/nixos/tests/patroni.nix +++ b/nixos/tests/patroni.nix @@ -166,6 +166,8 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: start_all() + etcd.wait_for_unit("etcd.service") + with subtest("should bootstrap a new patroni cluster"): wait_for_all_nodes_ready() diff --git a/nixos/tests/phosh.nix b/nixos/tests/phosh.nix new file mode 100644 index 00000000000..25bf4848542 --- /dev/null +++ b/nixos/tests/phosh.nix @@ -0,0 +1,70 @@ +import ./make-test-python.nix ({ pkgs, ...}: let + pin = "1234"; +in { + name = "phosh"; + meta = with pkgs.lib.maintainers; { + maintainers = [ zhaofengli ]; + }; + + nodes = { + phone = { config, pkgs, ... }: { + users.users.nixos = { + isNormalUser = true; + password = pin; + }; + + services.xserver.desktopManager.phosh = { + enable = true; + user = "nixos"; + group = "users"; + + phocConfig = { + outputs.Virtual-1 = { + scale = 2; + }; + }; + }; + + systemd.services.phosh = { + environment = { + # Accelerated graphics fail on phoc 0.20 (wlroots 0.15) + "WLR_RENDERER" = "pixman"; + }; + }; + + virtualisation.resolution = { x = 720; y = 1440; }; + virtualisation.qemu.options = [ "-vga none -device virtio-gpu-pci,xres=720,yres=1440" ]; + }; + }; + + enableOCR = true; + + testScript = '' + import time + + start_all() + phone.wait_for_unit("phosh.service") + + with subtest("Check that we can see the lock screen info page"): + # Saturday, January 1 + phone.succeed("timedatectl set-time '2022-01-01 07:00'") + + phone.wait_for_text("Saturday") + phone.screenshot("01lockinfo") + + with subtest("Check that we can unlock the screen"): + phone.send_chars("${pin}", delay=0.2) + time.sleep(1) + phone.screenshot("02unlock") + + phone.send_chars("\n") + + phone.wait_for_text("All Apps") + phone.screenshot("03launcher") + + with subtest("Check the on-screen keyboard shows"): + phone.send_chars("setting", delay=0.2) + phone.wait_for_text("123") # A button on the OSK + phone.screenshot("04osk") + ''; +}) diff --git a/nixos/tests/pinnwand.nix b/nixos/tests/pinnwand.nix index 0391c413311..42b26e08c18 100644 --- a/nixos/tests/pinnwand.nix +++ b/nixos/tests/pinnwand.nix @@ -1,27 +1,7 @@ import ./make-test-python.nix ({ pkgs, ...}: let - pythonEnv = pkgs.python3.withPackages (py: with py; [ appdirs toml ]); - port = 8000; baseUrl = "http://server:${toString port}"; - - configureSteck = pkgs.writeScript "configure.py" '' - #!${pythonEnv.interpreter} - import appdirs - import toml - import os - - CONFIG = { - "base": "${baseUrl}/", - "confirm": False, - "magic": True, - "ignore": True - } - - os.makedirs(appdirs.user_config_dir('steck')) - with open(os.path.join(appdirs.user_config_dir('steck'), 'steck.toml'), "w") as fd: - toml.dump(CONFIG, fd) - ''; in { name = "pinnwand"; @@ -44,7 +24,32 @@ in client = { pkgs, ... }: { - environment.systemPackages = [ pkgs.steck ]; + environment.systemPackages = [ + pkgs.steck + + (pkgs.writers.writePython3Bin "setup-steck.py" { + libraries = with pkgs.python3.pkgs; [ appdirs toml ]; + flakeIgnore = [ + "E501" + ]; + } + '' + import appdirs + import toml + import os + + CONFIG = { + "base": "${baseUrl}/", + "confirm": False, + "magic": True, + "ignore": True + } + + os.makedirs(appdirs.user_config_dir('steck')) + with open(os.path.join(appdirs.user_config_dir('steck'), 'steck.toml'), "w") as fd: + toml.dump(CONFIG, fd) + '') + ]; }; }; @@ -55,7 +60,7 @@ in client.wait_for_unit("network.target") # create steck.toml config file - client.succeed("${configureSteck}") + client.succeed("setup-steck.py") # wait until the server running pinnwand is reachable client.wait_until_succeeds("ping -c1 server") @@ -75,12 +80,6 @@ in if line.startswith("Removal link:"): removal_link = line.split(":", 1)[1] - - # start the reaper, it shouldn't do anything meaningful here - server.systemctl("start pinnwand-reaper.service") - server.wait_until_fails("systemctl is-active -q pinnwand-reaper.service") - server.log(server.execute("journalctl -u pinnwand-reaper -e --no-pager")[1]) - # check whether paste matches what we sent client.succeed(f"curl {raw_url} > /tmp/machine-id") client.succeed("diff /tmp/machine-id /etc/machine-id") @@ -89,6 +88,6 @@ in client.succeed(f"curl {removal_link}") client.fail(f"curl --fail {raw_url}") - server.log(server.succeed("systemd-analyze security pinnwand")) + server.log(server.execute("systemd-analyze security pinnwand | grep '✗'")[1]) ''; }) diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index a8737eb504d..d91fc52f1cb 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -1396,6 +1396,22 @@ let ) ''; }; + + zfs = { + exporterConfig = { + enable = true; + }; + metricProvider = { + boot.supportedFilesystems = [ "zfs" ]; + networking.hostId = "7327ded7"; + }; + exporterTest = '' + wait_for_unit("prometheus-zfs-exporter.service") + wait_for_unit("zfs.target") + wait_for_open_port(9134) + wait_until_succeeds("curl -f localhost:9134/metrics | grep 'zfs_scrape_collector_success{.*} 1'") + ''; + }; }; in mapAttrs diff --git a/nixos/tests/sqlite3-to-mysql.nix b/nixos/tests/sqlite3-to-mysql.nix new file mode 100644 index 00000000000..029058187df --- /dev/null +++ b/nixos/tests/sqlite3-to-mysql.nix @@ -0,0 +1,65 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: + +/* + This test suite replaces the typical pytestCheckHook function in + sqlite3-to-mysql due to the need of a running mysql instance. +*/ + +{ + name = "sqlite3-to-mysql"; + meta.maintainers = with lib.maintainers; [ gador ]; + + nodes.machine = { pkgs, ... }: { + environment.systemPackages = with pkgs; [ + sqlite3-to-mysql + # create one coherent python environment + (python3.withPackages + (ps: sqlite3-to-mysql.propagatedBuildInputs ++ + [ + python3Packages.pytest + python3Packages.pytest-mock + python3Packages.pytest-timeout + python3Packages.factory_boy + python3Packages.docker # only needed so import does not fail + sqlite3-to-mysql + ]) + ) + ]; + services.mysql = { + package = pkgs.mariadb; + enable = true; + # from https://github.com/techouse/sqlite3-to-mysql/blob/master/tests/conftest.py + # and https://github.com/techouse/sqlite3-to-mysql/blob/master/.github/workflows/test.yml + initialScript = pkgs.writeText "mysql-init.sql" '' + create database test_db DEFAULT CHARACTER SET utf8mb4; + create user tester identified by 'testpass'; + grant all on test_db.* to tester; + create user tester@localhost identified by 'testpass'; + grant all on test_db.* to tester@localhost; + ''; + settings = { + mysqld = { + character-set-server = "utf8mb4"; + collation-server = "utf8mb4_unicode_ci"; + log_warnings = 1; + }; + }; + }; + }; + + testScript = '' + machine.wait_for_unit("mysql") + + machine.succeed( + "sqlite3mysql --version | grep ${pkgs.sqlite3-to-mysql.version}" + ) + + # invalid_database_name: assert '1045 (28000): Access denied' in "1044 (42000): Access denied [...] + # invalid_database_user: does not return non-zero exit for some reason + # test_version: has problems importing sqlite3_to_mysql and determining the version + machine.succeed( + "cd ${pkgs.sqlite3-to-mysql.src} \ + && pytest -v --no-docker -k \"not test_invalid_database_name and not test_invalid_database_user and not test_version\"" + ) + ''; +}) diff --git a/nixos/tests/stratis/encryption.nix b/nixos/tests/stratis/encryption.nix index 3faa3171843..a555ff8a8e8 100644 --- a/nixos/tests/stratis/encryption.nix +++ b/nixos/tests/stratis/encryption.nix @@ -26,8 +26,7 @@ import ../make-test-python.nix ({ pkgs, ... }: # test rebinding encrypted pool machine.succeed("stratis pool rebind keyring testpool testkey2") # test restarting encrypted pool - uuid = machine.succeed("stratis pool list | grep -oE '[0-9a-fA-F-]{36}'").rstrip('\n') - machine.succeed(" stratis pool stop testpool") - machine.succeed(f"stratis pool start {uuid} --unlock-method keyring") + machine.succeed("stratis pool stop testpool") + machine.succeed("stratis pool start --name testpool --unlock-method keyring") ''; }) diff --git a/nixos/tests/systemd-initrd-luks-password.nix b/nixos/tests/systemd-initrd-luks-password.nix index e8e651f7b35..55d0b4324b4 100644 --- a/nixos/tests/systemd-initrd-luks-password.nix +++ b/nixos/tests/systemd-initrd-luks-password.nix @@ -23,6 +23,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { cryptroot2.device = "/dev/vdd"; }; virtualisation.bootDevice = "/dev/mapper/cryptroot"; + # test mounting device unlocked in initrd after switching root + virtualisation.fileSystems."/cryptroot2".device = "/dev/mapper/cryptroot2"; }; }; @@ -31,6 +33,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { machine.wait_for_unit("multi-user.target") machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -") machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdd -") + machine.succeed("echo -n supersecret | cryptsetup luksOpen -q /dev/vdd cryptroot2") + machine.succeed("mkfs.ext4 /dev/mapper/cryptroot2") # Boot from the encrypted disk machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf") @@ -44,5 +48,6 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { machine.wait_for_unit("multi-user.target") assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount") + assert "/dev/mapper/cryptroot2 on /cryptroot2 type ext4" in machine.succeed("mount") ''; }) diff --git a/nixos/tests/vector.nix b/nixos/tests/vector.nix index ecf94e33ff1..9309f6a14dd 100644 --- a/nixos/tests/vector.nix +++ b/nixos/tests/vector.nix @@ -21,7 +21,7 @@ with pkgs.lib; type = "file"; inputs = [ "journald" ]; path = "/var/lib/vector/logs.log"; - encoding = { codec = "ndjson"; }; + encoding = { codec = "json"; }; }; }; }; diff --git a/nixos/tests/virtualbox.nix b/nixos/tests/virtualbox.nix index 1c1b0dac7f3..0be22bdcaea 100644 --- a/nixos/tests/virtualbox.nix +++ b/nixos/tests/virtualbox.nix @@ -28,8 +28,8 @@ let messagebus:x:1: EOF - "${pkgs.dbus.daemon}/bin/dbus-daemon" --fork \ - --config-file="${pkgs.dbus.daemon}/share/dbus-1/system.conf" + "${pkgs.dbus}/bin/dbus-daemon" --fork \ + --config-file="${pkgs.dbus}/share/dbus-1/system.conf" ${guestAdditions}/bin/VBoxService ${(attrs.vmScript or (const "")) pkgs} diff --git a/nixos/tests/warzone2100.nix b/nixos/tests/warzone2100.nix new file mode 100644 index 00000000000..568e04a4699 --- /dev/null +++ b/nixos/tests/warzone2100.nix @@ -0,0 +1,26 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "warzone2100"; + meta = with pkgs.lib.maintainers; { + maintainers = [ fgaz ]; + }; + + nodes.machine = { config, pkgs, ... }: { + imports = [ + ./common/x11.nix + ]; + + services.xserver.enable = true; + environment.systemPackages = [ pkgs.warzone2100 ]; + }; + + enableOCR = true; + + testScript = + '' + machine.wait_for_x() + machine.execute("warzone2100 >&2 &") + machine.wait_for_window("Warzone 2100") + machine.wait_for_text(r"(Single Player|Multi Player|Tutorial|Options|Quit Game)") + machine.screenshot("screen") + ''; +}) diff --git a/nixos/tests/web-apps/mastodon.nix b/nixos/tests/web-apps/mastodon.nix index 279a1c59169..d3d53dc3194 100644 --- a/nixos/tests/web-apps/mastodon.nix +++ b/nixos/tests/web-apps/mastodon.nix @@ -1,65 +1,29 @@ import ../make-test-python.nix ({pkgs, ...}: let - test-certificates = pkgs.runCommandLocal "test-certificates" { } '' + cert = pkgs: pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } '' + openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -subj '/CN=mastodon.local' -days 36500 mkdir -p $out - echo insecure-root-password > $out/root-password-file - echo insecure-intermediate-password > $out/intermediate-password-file - ${pkgs.step-cli}/bin/step certificate create "Example Root CA" $out/root_ca.crt $out/root_ca.key --password-file=$out/root-password-file --profile root-ca - ${pkgs.step-cli}/bin/step certificate create "Example Intermediate CA 1" $out/intermediate_ca.crt $out/intermediate_ca.key --password-file=$out/intermediate-password-file --ca-password-file=$out/root-password-file --profile intermediate-ca --ca $out/root_ca.crt --ca-key $out/root_ca.key + cp key.pem cert.pem $out ''; hosts = '' - 192.168.2.10 ca.local - 192.168.2.11 mastodon.local + 192.168.2.101 mastodon.local ''; in { name = "mastodon"; - meta.maintainers = with pkgs.lib.maintainers; [ erictapen izorkin ]; + meta.maintainers = with pkgs.lib.maintainers; [ erictapen izorkin turion ]; nodes = { - ca = { pkgs, ... }: { - networking = { - interfaces.eth1 = { - ipv4.addresses = [ - { address = "192.168.2.10"; prefixLength = 24; } - ]; - }; - extraHosts = hosts; - }; - services.step-ca = { - enable = true; - address = "0.0.0.0"; - port = 8443; - openFirewall = true; - intermediatePasswordFile = "${test-certificates}/intermediate-password-file"; - settings = { - dnsNames = [ "ca.local" ]; - root = "${test-certificates}/root_ca.crt"; - crt = "${test-certificates}/intermediate_ca.crt"; - key = "${test-certificates}/intermediate_ca.key"; - db = { - type = "badger"; - dataSource = "/var/lib/step-ca/db"; - }; - authority = { - provisioners = [ - { - type = "ACME"; - name = "acme"; - } - ]; - }; - }; - }; - }; - server = { pkgs, ... }: { + + virtualisation.memorySize = 2048; + networking = { interfaces.eth1 = { ipv4.addresses = [ - { address = "192.168.2.11"; prefixLength = 24; } + { address = "192.168.2.101"; prefixLength = 24; } ]; }; extraHosts = hosts; @@ -67,12 +31,7 @@ in }; security = { - acme = { - acceptTerms = true; - defaults.server = "https://ca.local:8443/acme/acme/directory"; - defaults.email = "mastodon@mastodon.local"; - }; - pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ]; + pki.certificateFiles = [ "${cert pkgs}/cert.pem" ]; }; services.redis.servers.mastodon = { @@ -86,16 +45,6 @@ in configureNginx = true; localDomain = "mastodon.local"; enableUnixSocket = false; - redis = { - createLocally = true; - host = "127.0.0.1"; - port = 31637; - }; - database = { - createLocally = true; - host = "/run/postgresql"; - port = 5432; - }; smtp = { createLocally = false; fromAddress = "mastodon@mastodon.local"; @@ -104,6 +53,14 @@ in EMAIL_DOMAIN_ALLOWLIST = "example.com"; }; }; + + services.nginx = { + virtualHosts."mastodon.local" = { + enableACME = pkgs.lib.mkForce false; + sslCertificate = "${cert pkgs}/cert.pem"; + sslCertificateKey = "${cert pkgs}/key.pem"; + }; + }; }; client = { pkgs, ... }: { @@ -111,14 +68,14 @@ in networking = { interfaces.eth1 = { ipv4.addresses = [ - { address = "192.168.2.12"; prefixLength = 24; } + { address = "192.168.2.102"; prefixLength = 24; } ]; }; extraHosts = hosts; }; security = { - pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ]; + pki.certificateFiles = [ "${cert pkgs}/cert.pem" ]; }; }; }; @@ -126,9 +83,6 @@ in testScript = '' start_all() - ca.wait_for_unit("step-ca.service") - ca.wait_for_open_port(8443) - server.wait_for_unit("nginx.service") server.wait_for_unit("redis-mastodon.service") server.wait_for_unit("postgresql.service") @@ -138,10 +92,17 @@ in server.wait_for_open_port(55000) server.wait_for_open_port(55001) + # Check that mastodon-media-auto-remove is scheduled + server.succeed("systemctl status mastodon-media-auto-remove.timer") + # Check Mastodon version from remote client client.succeed("curl --fail https://mastodon.local/api/v1/instance | jq -r '.version' | grep '${pkgs.mastodon.version}'") - # Check using admin CLI + # Check access from remote client + client.succeed("curl --fail https://mastodon.local/about | grep 'Mastodon hosted on mastodon.local'") + client.succeed("curl --fail $(curl https://mastodon.local/api/v1/instance 2> /dev/null | jq -r .thumbnail) --output /dev/null") + + # Simple check tootctl commands # Check Mastodon version server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl version' | grep '${pkgs.mastodon.version}'") @@ -158,12 +119,11 @@ in # Manage IP access server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks add 192.168.0.0/16 --severity=no_access'") server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks export' | grep '192.168.0.0/16'") - server.fail("su - mastodon -s /bin/sh -c 'mastodon-env tootctl p_blocks export' | grep '172.16.0.0/16'") + server.fail("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks export' | grep '172.16.0.0/16'") client.fail("curl --fail https://mastodon.local/about") server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks remove 192.168.0.0/16'") client.succeed("curl --fail https://mastodon.local/about") - ca.shutdown() server.shutdown() client.shutdown() ''; diff --git a/nixos/tests/xmpp/prosody.nix b/nixos/tests/xmpp/prosody.nix index 14eab56fb82..045ae6430fd 100644 --- a/nixos/tests/xmpp/prosody.nix +++ b/nixos/tests/xmpp/prosody.nix @@ -42,7 +42,7 @@ in import ../make-test-python.nix { ${nodes.server.config.networking.primaryIPAddress} uploads.example.com ''; environment.systemPackages = [ - (pkgs.callPackage ./xmpp-sendmessage.nix { connectTo = nodes.server.config.networking.primaryIPAddress; }) + (pkgs.callPackage ./xmpp-sendmessage.nix { connectTo = "example.com"; }) ]; }; server = { config, pkgs, ... }: { @@ -82,6 +82,7 @@ in import ../make-test-python.nix { testScript = { nodes, ... }: '' # Check with sqlite storage + start_all() server.wait_for_unit("prosody.service") server.succeed('prosodyctl status | grep "Prosody is running"') diff --git a/nixos/tests/xmpp/xmpp-sendmessage.nix b/nixos/tests/xmpp/xmpp-sendmessage.nix index 4c009464b70..8ccac061249 100644 --- a/nixos/tests/xmpp/xmpp-sendmessage.nix +++ b/nixos/tests/xmpp/xmpp-sendmessage.nix @@ -12,6 +12,7 @@ in writeScriptBin "send-message" '' #!${(python3.withPackages (ps: [ ps.slixmpp ])).interpreter} import logging import sys +import signal from types import MethodType from slixmpp import ClientXMPP @@ -64,8 +65,13 @@ class CthonTest(ClientXMPP): log.info('MUC join success!') log.info('XMPP SCRIPT TEST SUCCESS') +def timeout_handler(signalnum, stackframe): + print('ERROR: xmpp-sendmessage timed out') + sys.exit(1) if __name__ == '__main__': + signal.signal(signal.SIGALRM, timeout_handler) + signal.alarm(120) logging.basicConfig(level=logging.DEBUG, format='%(levelname)-8s %(message)s') @@ -76,7 +82,7 @@ if __name__ == '__main__': ct.register_plugin('xep_0363') # MUC ct.register_plugin('xep_0045') - ct.connect(("server", 5222)) + ct.connect(("${connectTo}", 5222)) ct.process(forever=False) if not ct.test_succeeded: |