From c772c572cfabba6a1c6b0f5a9a71bb59cd9b9916 Mon Sep 17 00:00:00 2001 From: Winter Date: Tue, 11 Jan 2022 20:43:08 -0500 Subject: nixos/doc: fix mention of reading test logs --- nixos/doc/manual/development/running-nixos-tests.section.md | 4 ++-- nixos/doc/manual/from_md/development/running-nixos-tests.section.xml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/development/running-nixos-tests.section.md b/nixos/doc/manual/development/running-nixos-tests.section.md index d6a456f0188..1bec023b613 100644 --- a/nixos/doc/manual/development/running-nixos-tests.section.md +++ b/nixos/doc/manual/development/running-nixos-tests.section.md @@ -24,8 +24,8 @@ After building/downloading all required dependencies, this will perform a build that starts a QEMU/KVM virtual machine containing a NixOS system. The virtual machine mounts the Nix store of the host; this makes VM creation very fast, as no disk image needs to be created. Afterwards, -you can view a pretty-printed log of the test: +you can view a log of the test: ```ShellSession -$ firefox result/log.html +$ nix-store --read-log result ``` diff --git a/nixos/doc/manual/from_md/development/running-nixos-tests.section.xml b/nixos/doc/manual/from_md/development/running-nixos-tests.section.xml index 7159b95b22b..da2e5076c95 100644 --- a/nixos/doc/manual/from_md/development/running-nixos-tests.section.xml +++ b/nixos/doc/manual/from_md/development/running-nixos-tests.section.xml @@ -26,9 +26,9 @@ machine: QEMU running (pid 8841) perform a build that starts a QEMU/KVM virtual machine containing a NixOS system. The virtual machine mounts the Nix store of the host; this makes VM creation very fast, as no disk image needs to be - created. Afterwards, you can view a pretty-printed log of the test: + created. Afterwards, you can view a log of the test: -$ firefox result/log.html +$ nix-store --read-log result -- cgit 1.4.1 
From a813be071ceed15b9238373bd751ee99e2470357 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 26 Jan 2022 15:04:03 +0100 Subject: nixos/polkit: don't enable by default SUID wrappers really shouldn't be enabled by default, unless a consumer relies on them. So in my opinion this falls upon the desktop environments if needed or a user to explicltly enable this if wanted. Most desktop environments and services like CUPS already enable polkit by default, that should really be sufficient. --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 8 ++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 ++ nixos/modules/security/polkit.nix | 6 +----- 3 files changed, 11 insertions(+), 5 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 9f5279732fe..437c78119d6 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -721,6 +721,14 @@ tmux. + + + The polkit service, available at + security.polkit.enable, is now disabled by + default. It will automatically be enabled through services and + desktop environments as needed. + + diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 629672259b2..43b04be49ce 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -245,4 +245,6 @@ In addition to numerous new and upgraded packages, this release has the followin - `programs.tmux` has a new option `plugins` that accepts a list of packages from the `tmuxPlugins` group. The specified packages are added to the system and loaded by `tmux`. +- The polkit service, available at `security.polkit.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed. + 
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index d9c58152f1f..1ba149745c6 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix @@ -12,11 +12,7 @@ in options = { - security.polkit.enable = mkOption { - type = types.bool; - default = true; - description = "Whether to enable PolKit."; - }; + security.polkit.enable = mkEnableOption "polkit"; security.polkit.extraConfig = mkOption { type = types.lines; -- cgit 1.4.1 From 1df9e95ed751f9a37e7d5d9db1efc4eff242e043 Mon Sep 17 00:00:00 2001 From: Guillaume Girol Date: Sun, 2 Jan 2022 12:00:00 +0000 Subject: nixos/miniflux: no cleartext password in the store --- .../from_md/release-notes/rl-2205.section.xml | 7 ++++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 + nixos/modules/services/web-apps/miniflux.nix | 46 +++++++++------------- nixos/tests/miniflux.nix | 24 ++++++++--- 4 files changed, 46 insertions(+), 33 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 2d2eec1763c..33c3059fa1f 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -325,6 +325,13 @@ support due to python2 deprecation in nixpkgs + + + services.miniflux.adminCredentialFiles is + now required, instead of defaulting to + admin and password. + + The autorestic package has been upgraded diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 448f302afe6..a3438727d6f 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
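Review bot: Flipping the default to `false` via `mkEnableOption "polkit"` means an existing configuration that sets `security.polkit.extraConfig` (the option that follows in this hunk) without `security.polkit.enable = true` will now silently have no effect, which is the kind of regression a user only notices when a privilege grant or denial stops applying. Consider a warning in the module's `config` block, which lies outside this hunk, along the lines of `warnings = lib.optional (!cfg.enable && cfg.extraConfig != "") "security.polkit.extraConfig is set but security.polkit.enable is false; the rules will not be installed.";`. The release note's claim that services and desktop environments enable polkit as needed is not established by anything in this hunk, so it would also be worth stating in the option description that consumers must enable it explicitly.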
@@ -109,6 +109,8 @@ In addition to numerous new and upgraded packages, this release has the followin - opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs +- `services.miniflux.adminCredentialFiles` is now required, instead of defaulting to `admin` and `password`. + - The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details. - For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline` diff --git a/nixos/modules/services/web-apps/miniflux.nix b/nixos/modules/services/web-apps/miniflux.nix index 14cbfb39540..641c9be85d8 100644 --- a/nixos/modules/services/web-apps/miniflux.nix +++ b/nixos/modules/services/web-apps/miniflux.nix @@ -7,26 +7,12 @@ let defaultAddress = "localhost:8080"; dbUser = "miniflux"; - dbPassword = "miniflux"; - dbHost = "localhost"; dbName = "miniflux"; - defaultCredentials = pkgs.writeText "miniflux-admin-credentials" '' - ADMIN_USERNAME=admin - ADMIN_PASSWORD=password - ''; - pgbin = "${config.services.postgresql.package}/bin"; preStart = pkgs.writeScript "miniflux-pre-start" '' #!${pkgs.runtimeShell} - db_exists() { - [ "$(${pgbin}/psql -Atc "select 1 from pg_database where datname='$1'")" == "1" ] - } - if ! db_exists "${dbName}"; then - ${pgbin}/psql postgres -c "CREATE ROLE ${dbUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${dbPassword}'" - ${pgbin}/createdb --owner "${dbUser}" "${dbName}" - ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore" - fi + ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore" ''; in 
@@ -54,11 +40,10 @@ in }; adminCredentialsFile = mkOption { - type = types.nullOr types.path; - default = null; + type = types.path; description = '' - File containing the ADMIN_USERNAME, default is "admin", and - ADMIN_PASSWORD (length >= 6), default is "password"; in the format of + File containing the ADMIN_USERNAME and + ADMIN_PASSWORD (length >= 6) in the format of an EnvironmentFile=, as described by systemd.exec(5). ''; example = "/etc/nixos/miniflux-admin-credentials"; @@ -70,16 +55,24 @@ in services.miniflux.config = { LISTEN_ADDR = mkDefault defaultAddress; - DATABASE_URL = "postgresql://${dbUser}:${dbPassword}@${dbHost}/${dbName}?sslmode=disable"; + DATABASE_URL = "user=${dbUser} host=/run/postgresql dbname=${dbName}"; RUN_MIGRATIONS = "1"; CREATE_ADMIN = "1"; }; - services.postgresql.enable = true; + services.postgresql = { + enable = true; + ensureUsers = [ { + name = dbUser; + ensurePermissions = { + "DATABASE ${dbName}" = "ALL PRIVILEGES"; + }; + } ]; + ensureDatabases = [ dbName ]; + }; systemd.services.miniflux-dbsetup = { description = "Miniflux database setup"; - wantedBy = [ "multi-user.target" ]; requires = [ "postgresql.service" ]; after = [ "network.target" "postgresql.service" ]; serviceConfig = { @@ -92,17 +85,16 @@ in systemd.services.miniflux = { description = "Miniflux service"; wantedBy = [ "multi-user.target" ]; - requires = [ "postgresql.service" ]; + requires = [ "miniflux-dbsetup.service" ]; after = [ "network.target" "postgresql.service" "miniflux-dbsetup.service" ]; serviceConfig = { ExecStart = "${pkgs.miniflux}/bin/miniflux"; + User = dbUser; DynamicUser = true; RuntimeDirectory = "miniflux"; RuntimeDirectoryMode = "0700"; - EnvironmentFile = if cfg.adminCredentialsFile == null - then defaultCredentials - else cfg.adminCredentialsFile; + EnvironmentFile = cfg.adminCredentialsFile; # Hardening CapabilityBoundingSet = [ "" ]; DeviceAllow = [ "" ]; 
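Review bot: Making `adminCredentialsFile` a `types.path` can undo the purpose of this commit, because a user who writes `adminCredentialsFile = ./miniflux-admin-credentials;` (a Nix path literal) has that file copied into the world-readable Nix store, so the admin password ends up in the store after all. The `example` of `"/etc/nixos/miniflux-admin-credentials"` is a string, which is the safe form, but nothing prevents the path-literal form. The description should say so explicitly, e.g. `Pass this as a string (an absolute path outside the Nix store), not as a Nix path literal, otherwise the credentials are copied into the world-readable Nix store.`; switching the type to `types.str` would enforce it but is a wider change than this commit.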
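Review bot: The combination `User = dbUser; DynamicUser = true;` in the `miniflux` service deserves a comment, because the value of `User` is now load-bearing for authentication rather than cosmetic: the new `DATABASE_URL` uses `host=/run/postgresql` with no password, so (presumably) PostgreSQL peer authentication maps the OS user name of the connecting process to the `miniflux` role created via `ensureUsers`. If anyone later renames the Unix user or drops `User` while keeping `DynamicUser`, the transient user name stops matching the role and the service fails at connect time. Suggested comment above `User = dbUser;`: `# Must match the PostgreSQL role from ensureUsers: the service authenticates over the Unix socket with peer auth, keyed on the OS user name.`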
@@ -119,7 +111,7 @@ in ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; diff --git a/nixos/tests/miniflux.nix b/nixos/tests/miniflux.nix index 1015550fa8c..d905aea048a 100644 --- a/nixos/tests/miniflux.nix +++ b/nixos/tests/miniflux.nix @@ -7,6 +7,15 @@ let defaultPort = 8080; defaultUsername = "admin"; defaultPassword = "password"; + adminCredentialsFile = pkgs.writeText "admin-credentials" '' + ADMIN_USERNAME=${defaultUsername} + ADMIN_PASSWORD=${defaultPassword} + ''; + customAdminCredentialsFile = pkgs.writeText "admin-credentials" '' + ADMIN_USERNAME=${username} + ADMIN_PASSWORD=${password} + ''; + in with lib; { @@ -17,13 +26,19 @@ with lib; default = { ... }: { - services.miniflux.enable = true; + services.miniflux = { + enable = true; + inherit adminCredentialsFile; + }; }; withoutSudo = { ... }: { - services.miniflux.enable = true; + services.miniflux = { + enable = true; + inherit adminCredentialsFile; + }; security.sudo.enable = false; }; @@ -36,10 +51,7 @@ with lib; CLEANUP_FREQUENCY = "48"; LISTEN_ADDR = "localhost:${toString port}"; }; - adminCredentialsFile = pkgs.writeText "admin-credentials" '' - ADMIN_USERNAME=${username} - ADMIN_PASSWORD=${password} - ''; + adminCredentialsFile = customAdminCredentialsFile; }; }; }; -- cgit 1.4.1 From 0a6d22c6c3f51407317512cf4c44335f6db664ef Mon Sep 17 00:00:00 2001 From: 06kellyjac Date: Mon, 7 Feb 2022 16:03:44 +0000 Subject: nixos/agate: init --- .../from_md/release-notes/rl-2205.section.xml | 8 ++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 + nixos/modules/module-list.nix | 1 + nixos/modules/services/web-servers/agate.nix | 148 +++++++++++++++++++++ 4 files changed, 159 insertions(+) create mode 100644 nixos/modules/services/web-servers/agate.nix (limited to 'nixos/doc') 
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 29aa70fd616..806a03b51e1 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -144,6 +144,14 @@ services.tetrd. + + + agate, + a very simple server for the Gemini hypertext protocol. + Available as + services.agate. + + ArchiSteamFarm, diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index c4ace1366f2..f6d5a3cd4b0 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -45,6 +45,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [tetrd](https://tetrd.app), share your internet connection from your device to your PC and vice versa through a USB cable. Available at [services.tetrd](#opt-services.tetrd.enable). +- [agate](https://github.com/mbrubeck/agate), a very simple server for the Gemini hypertext protocol. Available as [services.agate](options.html#opt-services.agate.enable). + - [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](options.html#opt-services.archisteamfarm.enable). - [teleport](https://goteleport.com), allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at [services.teleport](#opt-services.teleport.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 28724d1e85d..08536de531a 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix 
@@ -1055,6 +1055,7 @@ ./services/web-apps/wordpress.nix ./services/web-apps/youtrack.nix ./services/web-apps/zabbix.nix + ./services/web-servers/agate.nix ./services/web-servers/apache-httpd/default.nix ./services/web-servers/caddy/default.nix ./services/web-servers/darkhttpd.nix diff --git a/nixos/modules/services/web-servers/agate.nix b/nixos/modules/services/web-servers/agate.nix new file mode 100644 index 00000000000..3afdb561c0b --- /dev/null +++ b/nixos/modules/services/web-servers/agate.nix 
@@ -0,0 +1,148 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.agate; +in +{ + options = { + services.agate = { + enable = mkEnableOption "Agate Server"; + + package = mkOption { + type = types.package; + default = pkgs.agate; + defaultText = literalExpression "pkgs.agate"; + description = "The package to use"; + }; + + addresses = mkOption { + type = types.listOf types.str; + default = [ "0.0.0.0:1965" ]; + description = '' + Addresses to listen on, IP:PORT, if you haven't disabled forwarding + only set IPv4. + ''; + }; + + contentDir = mkOption { + default = "/var/lib/agate/content"; + type = types.path; + description = "Root of the content directory."; + }; + + certificatesDir = mkOption { + default = "/var/lib/agate/certificates"; + type = types.path; + description = "Root of the certificate directory."; + }; + + hostnames = mkOption { + default = [ ]; + type = types.listOf types.str; + description = '' + Domain name of this Gemini server, enables checking hostname and port + in requests. 
(multiple occurences means basic vhosts) + ''; + }; + + language = mkOption { + default = null; + type = types.nullOr types.str; + description = "RFC 4646 Language code for text/gemini documents."; + }; + + onlyTls_1_3 = mkOption { + default = false; + type = types.bool; + description = "Only use TLSv1.3 (default also allows TLSv1.2)."; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = [ "" ]; + example = [ "--log-ip" ]; + description = "Extra arguments to use running agate."; + }; + }; + }; + + config = mkIf cfg.enable { + # available for generating certs by hand + # it can be a bit arduous with openssl + environment.systemPackages = [ cfg.package ]; + + systemd.services.agate = { + description = "Agate"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "network-online.target" ]; + + script = + let + prefixKeyList = key: list: concatMap (v: [ key v ]) list; + addresses = prefixKeyList "--addr" cfg.addresses; + hostnames = prefixKeyList "--hostname" cfg.hostnames; + in + '' + exec ${cfg.package}/bin/agate ${ + escapeShellArgs ( + [ + "--content" "${cfg.contentDir}" + "--certs" "${cfg.certificatesDir}" + ] ++ + addresses ++ + (optionals (cfg.hostnames != []) hostnames) ++ + (optionals (cfg.language != null) [ "--lang" cfg.language ]) ++ + (optionals cfg.onlyTls_1_3 [ "--only-tls13" ]) ++ + (optionals (cfg.extraArgs != []) cfg.extraArgs) + ) + } + ''; + + serviceConfig = { + Restart = "always"; + RestartSec = "5s"; + DynamicUser = true; + StateDirectory = "agate"; + + # Security options: + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + + LockPersonality = true; + + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + + ProtectClock = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + + RestrictNamespaces = true; + 
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictRealtime = true; + + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = [ + "@system-service" + "~@cpu-emulation" + "~@debug" + "~@keyring" + "~@memlock" + "~@obsolete" + "~@privileged" + "~@setuid" + ]; + }; + }; + }; +} -- cgit 1.4.1 From b5b3ee4f7884bf70c04f325e043fe76843b5eacd Mon Sep 17 00:00:00 2001 From: Janne Heß Date: Sat, 29 Jan 2022 23:01:24 +0100 Subject: nixos/systemd: Add reloadTriggers to services --- .../manual/from_md/release-notes/rl-2205.section.xml | 17 +++++++++++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 3 +++ nixos/lib/systemd-unit-options.nix | 16 ++++++++++++++++ nixos/modules/system/boot/systemd.nix | 5 +++++ 4 files changed, 41 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 04bb7ec12d3..811702f5e52 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -42,6 +42,14 @@ upgrade notes. + + + systemd services can now set + systemd.services.<name>.reloadTriggers + instead of reloadIfChanged for a more + granular distinction between reloads and restarts. + +
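Review bot: `extraArgs` defaults to `[ "" ]` rather than `[ ]`, so the guard `optionals (cfg.extraArgs != []) cfg.extraArgs` does not fire and `escapeShellArgs` appends an empty-string argument (`''`) to every default invocation of agate; whether agate rejects or silently accepts an empty positional argument is not visible here, but either way it is unintended. The fix is `default = [ ];` on the `extraArgs` option. Separately, the `addresses` description ("if you haven't disabled forwarding only set IPv4") is hard to parse; I would reword it to state what the default `0.0.0.0:1965` actually does, e.g. `Addresses to listen on, as IP:PORT. The default binds all IPv4 interfaces on the standard Gemini port; add an IPv6 address explicitly if needed.`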
@@ -550,6 +558,15 @@ honors restartIfChanged and reloadIfChanged of the units. + + + + Preferring to reload instead of restarting can still + be achieved using + /run/nixos/activation-reload-list. + + + diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index a2e8038ae1f..fca37420977 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -17,6 +17,8 @@ In addition to numerous new and upgraded packages, this release has the followin Migrations may take a while, see the [changelog](https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release) and [important upgrade notes](https://docs.mattermost.com/upgrade/important-upgrade-notes.html). +- systemd services can now set [systemd.services.\.reloadTriggers](#opt-systemd.services) instead of `reloadIfChanged` for a more granular distinction between reloads and restarts. + ## New Services {#sec-release-22.05-new-services} - [aesmd](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw), the Intel SGX Architectural Enclave Service Manager. Available as [services.aesmd](#opt-services.aesmd.enable). 
@@ -179,6 +181,7 @@ In addition to numerous new and upgraded packages, this release has the followin - `switch-to-configuration` (the script that is run when running `nixos-rebuild switch` for example) has been reworked * The interface that allows activation scripts to restart units has been streamlined. Restarting and reloading is now done by a single file `/run/nixos/activation-restart-list` that honors `restartIfChanged` and `reloadIfChanged` of the units. + * Preferring to reload instead of restarting can still be achieved using `/run/nixos/activation-reload-list`. * The script now uses a proper ini-file parser to parse systemd units. Some values are now only searched in one section instead of in the entire unit. This is only relevant for units that don't use the NixOS systemd moule. * `RefuseManualStop`, `X-OnlyManualStart`, `X-StopOnRemoval`, `X-StopOnReconfiguration` are only searched in the `[Unit]` section * `X-ReloadIfChanged`, `X-RestartIfChanged`, `X-StopIfChanged` are only searched in the `[Service]` section diff --git a/nixos/lib/systemd-unit-options.nix b/nixos/lib/systemd-unit-options.nix index 520f2e982a2..8029ba0e3f6 100644 --- a/nixos/lib/systemd-unit-options.nix +++ b/nixos/lib/systemd-unit-options.nix @@ -201,6 +201,17 @@ in rec { ''; }; + reloadTriggers = mkOption { + default = []; + type = types.listOf unitOption; + description = '' + An arbitrary list of items such as derivations. If any item + in the list changes between reconfigurations, the service will + be reloaded. If anything but a reload trigger changes in the + unit file, the unit will be restarted instead. + ''; + }; + onFailure = mkOption { default = []; type = types.listOf unitNameType; @@ -338,6 +349,11 @@ in rec { configuration switch if its definition has changed. If enabled, the value of is ignored. + + This option should not be used anymore in favor of + which allows more granular + control of when a service is reloaded and when a service + is restarted. ''; }; 
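Review bot: The `reloadTriggers` description does not mention its interaction with `reloadIfChanged`, even though the accompanying change to `systemd.nix` warns that setting both makes `reloadTriggers` behave like `restartTriggers`. A reader of the option alone would reasonably set both and then be surprised by the warning. I would append to the description: `This option only provides a distinct reload path when reloadIfChanged is false; when reloadIfChanged is set, any change to the unit already causes a reload and these triggers add nothing.`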
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 9dcf9eb769f..1f2dd618698 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -243,6 +243,8 @@ let { Requisite = toString config.requisite; } // optionalAttrs (config.restartTriggers != []) { X-Restart-Triggers = toString config.restartTriggers; } + // optionalAttrs (config.reloadTriggers != []) + { X-Reload-Triggers = toString config.reloadTriggers; } // optionalAttrs (config.description != "") { Description = config.description; } // optionalAttrs (config.documentation != []) { @@ -917,6 +919,9 @@ in (optional hasDeprecated "Service '${name}.service' uses the attribute 'StartLimitInterval' in the Service section, which is deprecated. See https://github.com/NixOS/nixpkgs/issues/45786." ) + (optional (service.reloadIfChanged && service.reloadTriggers != []) + "Service '${name}.service' has both 'reloadIfChanged' and 'reloadTriggers' set. This is probably not what you want, because 'reloadTriggers' behave the same whay as 'restartTriggers' if 'reloadIfChanged' is set." + ) ] ) cfg.services -- cgit 1.4.1 From 8d925cc8db5fcc0fe0e091d819d93f8580e62c53 Mon Sep 17 00:00:00 2001 
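Review bot: The new warning string contains a typo, "whay", and this text is emitted to users at evaluation time, so it is worth fixing before it ships: `"Service '${name}.service' has both 'reloadIfChanged' and 'reloadTriggers' set. This is probably not what you want, because 'reloadTriggers' behave the same way as 'restartTriggers' if 'reloadIfChanged' is set."`. The surrounding `warnings` list and the enclosing `mapAttrsToList`/`cfg.services` expression start outside this hunk.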
From: Janne Heß Date: Sun, 30 Jan 2022 00:37:55 +0100 Subject: nixos/doc: Document the activation script This may be helpful to new module developers, curious users, and people who just need a reference without having to look at the implementation --- .../development/activation-script.section.md | 72 ++++++++++ nixos/doc/manual/development/development.xml | 1 + .../manual/development/unit-handling.section.md | 57 ++++++++ .../what-happens-during-a-system-switch.chapter.md | 53 ++++++++ .../development/activation-script.section.xml | 150 +++++++++++++++++++++ .../from_md/development/unit-handling.section.xml | 119 ++++++++++++++++ ...what-happens-during-a-system-switch.chapter.xml | 122 +++++++++++++++++ 7 files changed, 574 insertions(+) create mode 100644 nixos/doc/manual/development/activation-script.section.md create mode 100644 nixos/doc/manual/development/unit-handling.section.md create mode 100644 nixos/doc/manual/development/what-happens-during-a-system-switch.chapter.md create mode 100644 nixos/doc/manual/from_md/development/activation-script.section.xml create mode 100644 nixos/doc/manual/from_md/development/unit-handling.section.xml create mode 100644 nixos/doc/manual/from_md/development/what-happens-during-a-system-switch.chapter.xml (limited to 'nixos/doc') diff --git a/nixos/doc/manual/development/activation-script.section.md b/nixos/doc/manual/development/activation-script.section.md new file mode 100644 index 00000000000..df683662404 --- /dev/null +++ b/nixos/doc/manual/development/activation-script.section.md 
@@ -0,0 +1,72 @@ +# Activation script {#sec-activation-script} + +The activation script is a bash script called to activate the new +configuration which resides in a NixOS system in `$out/activate`. Since its +contents depend on your system configuration, the contents may differ. +This chapter explains how the script works in general and some common NixOS +snippets. Please be aware that the script is executed on every boot and system +switch, so tasks that can be performed in other places should be performed +there (for example letting a directory of a service be created by systemd using +mechanisms like `StateDirectory`, `CacheDirectory`, ... or if that's not +possible using `preStart` of the service). + +Activation scripts are defined as snippets using +[](#opt-system.activationScripts). They can either be a simple multiline string +or an attribute set that can depend on other snippets. The builder for the +activation script will take these dependencies into account and order the +snippets accordingly. As a simple example: + +```nix +system.activationScripts.my-activation-script = { + deps = [ "etc" ]; + # supportsDryActivation = true; + text = '' + echo "Hallo i bims" + ''; +}; +``` + +This example creates an activation script snippet that is run after the `etc` +snippet. The special variable `supportsDryActivation` can be set so the snippet +is also run when `nixos-rebuild dry-activate` is run. To differentiate between +real and dry activation, the `$NIXOS_ACTION` environment variable can be +read which is set to `dry-activate` when a dry activation is done. + +An activation script can write to special files instructing +`switch-to-configuration` to restart/reload units. The script will take these +requests into account and will incorperate the unit configuration as described +above. This means that the activation script will "fake" a modified unit file +and `switch-to-configuration` will act accordingly. 
By doing so, configuration +like [systemd.services.\.restartIfChanged](#opt-systemd.services) is +respected. Since the activation script is run **after** services are already +stopped, [systemd.services.\.stopIfChanged](#opt-systemd.services) +cannot be taken into account anymore and the unit is always restarted instead +of being stopped and started afterwards. + +The files that can be written to are `/run/nixos/activation-restart-list` and +`/run/nixos/activation-reload-list` with their respective counterparts for +dry activation being `/run/nixos/dry-activation-restart-list` and +`/run/nixos/dry-activation-reload-list`. Those files can contain +newline-separated lists of unit names where duplicates are being ignored. These +files are not create automatically and activation scripts must take the +possiblility into account that they have to create them first. + +## NixOS snippets {#sec-activation-script-nixos-snippets} + +There are some snippets NixOS enables by default because disabling them would +most likely break you system. This section lists a few of them and what they +do: + +- `binsh` creates `/bin/sh` which points to the runtime shell +- `etc` sets up the contents of `/etc`, this includes systemd units and + excludes `/etc/passwd`, `/etc/group`, and `/etc/shadow` (which are managed by + the `users` snippet) +- `hostname` sets the system's hostname in the kernel (not in `/etc`) +- `modprobe` sets the path to the `modprobe` binary for module auto-loading +- `nix` prepares the nix store and adds a default initial channel +- `specialfs` is responsible for mounting filesystems like `/proc` and `sys` +- `users` creates and removes users and groups by managing `/etc/passwd`, + `/etc/group` and `/etc/shadow`. This also creates home directories +- `usrbinenv` creates `/usr/bin/env` +- `var` creates some directories in `/var` that are not service-specific +- `wrappers` creates setuid wrappers like `ping` and `sudo` 
diff --git a/nixos/doc/manual/development/development.xml b/nixos/doc/manual/development/development.xml index 0b2ad60a878..21286cdbd2b 100644 --- a/nixos/doc/manual/development/development.xml +++ b/nixos/doc/manual/development/development.xml @@ -12,6 +12,7 @@ + diff --git a/nixos/doc/manual/development/unit-handling.section.md b/nixos/doc/manual/development/unit-handling.section.md new file mode 100644 index 00000000000..d477f2c860f --- /dev/null +++ b/nixos/doc/manual/development/unit-handling.section.md 
@@ -0,0 +1,57 @@ +# Unit handling {#sec-unit-handling} + +To figure out what units need to be started/stopped/restarted/reloaded, the +script first checks the current state of the system, similar to what `systemctl +list-units` shows. For each of the units, the script goes through the following +checks: + +- Is the unit file still in the new system? If not, **stop** the service unless + it sets `X-StopOnRemoval` in the `[Unit]` section to `false`. + +- Is it a `.target` unit? If so, **start** it unless it sets + `RefuseManualStart` in the `[Unit]` section to `true` or `X-OnlyManualStart` + in the `[Unit]` section to `true`. Also **stop** the unit again unless it + sets `X-StopOnReconfiguration` to `false`. + +- Are the contents of the unit files different? They are compared by parsing + them and comparing their contents. If they are different but only + `X-Reload-Triggers` in the `[Unit]` section is changed, **reload** the unit. + The NixOS module system allows setting these triggers with the option + [systemd.services.\.reloadTriggers](#opt-systemd.services). If the + unit files differ in any way, the following actions are performed: + + - `.path` and `.slice` units are ignored. There is no need to restart them + since changes in their values are applied by systemd when systemd is + reloaded. + + - `.mount` units are **reload**ed. These mostly come from the `/etc/fstab` + parser. + + - `.socket` units are currently ignored. This is to be fixed at a later + point. + + - The rest of the units (mostly `.service` units) are then **reload**ed if + `X-ReloadIfChanged` in the `[Service]` section is set to `true` (exposed + via [systemd.services.\.reloadIfChanged](#opt-systemd.services)). + + - If the reload flag is not set, some more flags decide if the unit is + skipped. 
These flags are `X-RestartIfChanged` in the `[Service]` section + (exposed via + [systemd.services.\.restartIfChanged](#opt-systemd.services)), + `RefuseManualStop` in the `[Unit]` section, and `X-OnlyManualStart` in the + `[Unit]` section. + + - The rest of the behavior is decided whether the unit has `X-StopIfChanged` + in the `[Service]` section set (exposed via + [systemd.services.\.stopIfChanged](#opt-systemd.services)). This is + set to `true` by default and must be explicitly turned off if not wanted. + If the flag is enabled, the unit is **stop**ped and then **start**ed. If + not, the unit is **restart**ed. The goal of the flag is to make sure that + the new unit never runs in the old environment which is still in place + before the activation script is run. + + - The last thing that is taken into account is whether the unit is a service + and socket-activated. Due to a bug, this is currently only done when + `X-StopIfChanged` is set. If the unit is socket-activated, the socket is + stopped and started, and the service is stopped and to be started by socket + activation. diff --git a/nixos/doc/manual/development/what-happens-during-a-system-switch.chapter.md b/nixos/doc/manual/development/what-happens-during-a-system-switch.chapter.md new file mode 100644 index 00000000000..aad82831a3c --- /dev/null +++ b/nixos/doc/manual/development/what-happens-during-a-system-switch.chapter.md 
@@ -0,0 +1,53 @@ +# What happens during a system switch? {#sec-switching-systems} + +Running `nixos-rebuild switch` is one of the more common tasks under NixOS. +This chapter explains some of the internals of this command to make it simpler +for new module developers to configure their units correctly and to make it +easier to understand what is happening and why for curious administrators. + +`nixos-rebuild`, like many deployment solutions, calls `switch-to-configuration` +which resides in a NixOS system at `$out/bin/switch-to-configuration`. The +script is called with the action that is to be performed like `switch`, `test`, +`boot`. There is also the `dry-activate` action which does not really perform +the actions but rather prints what it would do if you called it with `test`. +This feature can be used to check what service states would be changed if the +configuration was switched to. + +If the action is `switch` or `boot`, the bootloader is updated first so the +configuration will be the next one to boot. Unless `NIXOS_NO_SYNC` is set to +`1`, `/nix/store` is synced to disk. + +If the action is `switch` or `test`, the currently running system is inspected +and the actions to switch to the new system are calculated. This process takes +two data sources into account: `/etc/fstab` and the current systemd status. +Mounts and swaps are read from `/etc/fstab` and the corresponding actions are +generated. If a new mount is added, for example, the proper `.mount` unit is +marked to be started. The current systemd state is inspected, the difference +between the current system and the desired configuration is calculated and +actions are generated to get to this state. There are a lot of nuances that can +be controlled by the units which are explained here. + +After calculating what should be done, the actions are carried out. 
The order +of actions is always the same: +- Stop units (`systemctl stop`) +- Run activation script (`$out/activate`) +- See if the activation script requested more units to restart +- Restart systemd if needed (`systemd daemon-reexec`) +- Forget about the failed state of units (`systemctl reset-failed`) +- Reload systemd (`systemctl daemon-reload`) +- Reload systemd user instances (`systemctl --user daemon-reload`) +- Set up tmpfiles (`systemd-tmpfiles --create`) +- Reload units (`systemctl reload`) +- Restart units (`systemctl restart`) +- Start units (`systemctl start`) +- Inspect what changed during these actions and print units that failed and + that were newly started + +Most of these actions are either self-explaining but some of them have to do +with our units or the activation script. For this reason, these topics are +explained in the next sections. + +```{=docbook} + + +``` diff --git a/nixos/doc/manual/from_md/development/activation-script.section.xml b/nixos/doc/manual/from_md/development/activation-script.section.xml new file mode 100644 index 00000000000..0d9e911216e --- /dev/null +++ b/nixos/doc/manual/from_md/development/activation-script.section.xml @@ -0,0 +1,150 @@ +
+ Activation script + + The activation script is a bash script called to activate the new + configuration which resides in a NixOS system in + $out/activate. Since its contents depend on your + system configuration, the contents may differ. This chapter explains + how the script works in general and some common NixOS snippets. + Please be aware that the script is executed on every boot and system + switch, so tasks that can be performed in other places should be + performed there (for example letting a directory of a service be + created by systemd using mechanisms like + StateDirectory, + CacheDirectory, … or if that’s not possible using + preStart of the service). + + + Activation scripts are defined as snippets using + . They can either be + a simple multiline string or an attribute set that can depend on + other snippets. The builder for the activation script will take + these dependencies into account and order the snippets accordingly. + As a simple example: + + +system.activationScripts.my-activation-script = { + deps = [ "etc" ]; + # supportsDryActivation = true; + text = '' + echo "Hallo i bims" + ''; +}; + + + This example creates an activation script snippet that is run after + the etc snippet. The special variable + supportsDryActivation can be set so the snippet + is also run when nixos-rebuild dry-activate is + run. To differentiate between real and dry activation, the + $NIXOS_ACTION environment variable can be read + which is set to dry-activate when a dry + activation is done. + + + An activation script can write to special files instructing + switch-to-configuration to restart/reload units. + The script will take these requests into account and will + incorperate the unit configuration as described above. This means + that the activation script will fake a modified unit + file and switch-to-configuration will act + accordingly. By doing so, configuration like + systemd.services.<name>.restartIfChanged + is respected. 
Since the activation script is run + after services are already + stopped, + systemd.services.<name>.stopIfChanged + cannot be taken into account anymore and the unit is always + restarted instead of being stopped and started afterwards. + + + The files that can be written to are + /run/nixos/activation-restart-list and + /run/nixos/activation-reload-list with their + respective counterparts for dry activation being + /run/nixos/dry-activation-restart-list and + /run/nixos/dry-activation-reload-list. Those + files can contain newline-separated lists of unit names where + duplicates are being ignored. These files are not create + automatically and activation scripts must take the possiblility into + account that they have to create them first. + +
+ NixOS snippets + + There are some snippets NixOS enables by default because disabling + them would most likely break you system. This section lists a few + of them and what they do: + + + + + binsh creates /bin/sh + which points to the runtime shell + + + + + etc sets up the contents of + /etc, this includes systemd units and + excludes /etc/passwd, + /etc/group, and + /etc/shadow (which are managed by the + users snippet) + + + + + hostname sets the system’s hostname in the + kernel (not in /etc) + + + + + modprobe sets the path to the + modprobe binary for module auto-loading + + + + + nix prepares the nix store and adds a + default initial channel + + + + + specialfs is responsible for mounting + filesystems like /proc and + sys + + + + + users creates and removes users and groups + by managing /etc/passwd, + /etc/group and + /etc/shadow. This also creates home + directories + + + + + usrbinenv creates + /usr/bin/env + + + + + var creates some directories in + /var that are not service-specific + + + + + wrappers creates setuid wrappers like + ping and sudo + + + +
+
diff --git a/nixos/doc/manual/from_md/development/unit-handling.section.xml b/nixos/doc/manual/from_md/development/unit-handling.section.xml new file mode 100644 index 00000000000..a6a654042f6 --- /dev/null +++ b/nixos/doc/manual/from_md/development/unit-handling.section.xml @@ -0,0 +1,119 @@ +
+ Unit handling + + To figure out what units need to be + started/stopped/restarted/reloaded, the script first checks the + current state of the system, similar to what + systemctl list-units shows. For each of the + units, the script goes through the following checks: + + + + + Is the unit file still in the new system? If not, + stop the service unless it + sets X-StopOnRemoval in the + [Unit] section to false. + + + + + Is it a .target unit? If so, + start it unless it sets + RefuseManualStart in the + [Unit] section to true or + X-OnlyManualStart in the + [Unit] section to true. + Also stop the unit again + unless it sets X-StopOnReconfiguration to + false. + + + + + Are the contents of the unit files different? They are compared + by parsing them and comparing their contents. If they are + different but only X-Reload-Triggers in the + [Unit] section is changed, + reload the unit. The NixOS + module system allows setting these triggers with the option + systemd.services.<name>.reloadTriggers. + If the unit files differ in any way, the following actions are + performed: + + + + + .path and .slice units + are ignored. There is no need to restart them since changes + in their values are applied by systemd when systemd is + reloaded. + + + + + .mount units are + reloaded. These mostly + come from the /etc/fstab parser. + + + + + .socket units are currently ignored. This + is to be fixed at a later point. + + + + + The rest of the units (mostly .service + units) are then reloaded + if X-ReloadIfChanged in the + [Service] section is set to + true (exposed via + systemd.services.<name>.reloadIfChanged). + + + + + If the reload flag is not set, some more flags decide if the + unit is skipped. These flags are + X-RestartIfChanged in the + [Service] section (exposed via + systemd.services.<name>.restartIfChanged), + RefuseManualStop in the + [Unit] section, and + X-OnlyManualStart in the + [Unit] section. 
+ + + + + The rest of the behavior is decided whether the unit has + X-StopIfChanged in the + [Service] section set (exposed via + systemd.services.<name>.stopIfChanged). + This is set to true by default and must + be explicitly turned off if not wanted. If the flag is + enabled, the unit is + stopped and then + started. If not, the unit + is restarted. The goal of + the flag is to make sure that the new unit never runs in the + old environment which is still in place before the + activation script is run. + + + + + The last thing that is taken into account is whether the + unit is a service and socket-activated. Due to a bug, this + is currently only done when + X-StopIfChanged is set. If the unit is + socket-activated, the socket is stopped and started, and the + service is stopped and to be started by socket activation. + + + + + +
diff --git a/nixos/doc/manual/from_md/development/what-happens-during-a-system-switch.chapter.xml b/nixos/doc/manual/from_md/development/what-happens-during-a-system-switch.chapter.xml new file mode 100644 index 00000000000..66ba792ddac --- /dev/null +++ b/nixos/doc/manual/from_md/development/what-happens-during-a-system-switch.chapter.xml 
@@ -0,0 +1,122 @@ + + What happens during a system switch? + + Running nixos-rebuild switch is one of the more + common tasks under NixOS. This chapter explains some of the + internals of this command to make it simpler for new module + developers to configure their units correctly and to make it easier + to understand what is happening and why for curious administrators. + + + nixos-rebuild, like many deployment solutions, + calls switch-to-configuration which resides in a + NixOS system at $out/bin/switch-to-configuration. + The script is called with the action that is to be performed like + switch, test, + boot. There is also the + dry-activate action which does not really perform + the actions but rather prints what it would do if you called it with + test. This feature can be used to check what + service states would be changed if the configuration was switched + to. + + + If the action is switch or + boot, the bootloader is updated first so the + configuration will be the next one to boot. Unless + NIXOS_NO_SYNC is set to 1, + /nix/store is synced to disk. + + + If the action is switch or + test, the currently running system is inspected + and the actions to switch to the new system are calculated. This + process takes two data sources into account: + /etc/fstab and the current systemd status. Mounts + and swaps are read from /etc/fstab and the + corresponding actions are generated. If a new mount is added, for + example, the proper .mount unit is marked to be + started. The current systemd state is inspected, the difference + between the current system and the desired configuration is + calculated and actions are generated to get to this state. There are + a lot of nuances that can be controlled by the units which are + explained here. + + + After calculating what should be done, the actions are carried out. 
+ The order of actions is always the same: + + + + + Stop units (systemctl stop) + + + + + Run activation script ($out/activate) + + + + + See if the activation script requested more units to restart + + + + + Restart systemd if needed + (systemd daemon-reexec) + + + + + Forget about the failed state of units + (systemctl reset-failed) + + + + + Reload systemd (systemctl daemon-reload) + + + + + Reload systemd user instances + (systemctl --user daemon-reload) + + + + + Set up tmpfiles (systemd-tmpfiles --create) + + + + + Reload units (systemctl reload) + + + + + Restart units (systemctl restart) + + + + + Start units (systemctl start) + + + + + Inspect what changed during these actions and print units that + failed and that were newly started + + + + + Most of these actions are either self-explaining but some of them + have to do with our units or the activation script. For this reason, + these topics are explained in the next sections. + + + + -- cgit 1.4.1 From 787219edafa4c79418e3ecc1be06fb8e787d0307 Mon Sep 17 00:00:00 2001 
From: Michael Reilly Date: Thu, 3 Feb 2022 14:48:10 -0500 Subject: nixos/modules/misc/wordlist: init Addresses #16545. Allows for user defined environment variables that hold paths to wordlists. This is to allow for easy access to wordlists for users and scripts, (in other distributions a convenient wordlist is typically found in /usr/share/dict/words or similar). The default wordlist is the one found in scowl, for no other reason than that's the one that was mentioned in the linked issue. It is possible to specify multiple environment variables as well. This is for users who need multiple wordlists (such as multilingual users). --- .../from_md/release-notes/rl-2205.section.xml | 8 +++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 + nixos/modules/misc/wordlist.nix | 59 ++++++++++++++++++++++ nixos/modules/module-list.nix | 1 + 4 files changed, 70 insertions(+) create mode 100644 nixos/modules/misc/wordlist.nix (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 42db2d060be..a86df76a9d6 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -790,6 +790,14 @@ renamed to linux-firmware.
+ + + It is now possible to specify wordlists to include as handy to + access environment variables using the + config.environment.wordlist configuration + options. + + The services.mbpfan module was converted to diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 7bb7b1c33b1..b8a91195f74 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -269,6 +269,8 @@ In addition to numerous new and upgraded packages, this release has the followin - The `firmwareLinuxNonfree` package has been renamed to `linux-firmware`. +- It is now possible to specify wordlists to include as handy to access environment variables using the `config.environment.wordlist` configuration options. + - The `services.mbpfan` module was converted to a [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration. - The default value for `programs.spacefm.settings.graphical_su` got unset. It previously pointed to `gksu` which has been removed. diff --git a/nixos/modules/misc/wordlist.nix b/nixos/modules/misc/wordlist.nix new file mode 100644 index 00000000000..988b522d743 --- /dev/null +++ b/nixos/modules/misc/wordlist.nix 
@@ -0,0 +1,59 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+ concatAndSort = name: files: pkgs.runCommand name {} ''
+ awk 1 ${lib.escapeShellArgs files} | sed '{ /^\s*$/d; s/^\s\+//; s/\s\+$// }' | sort | uniq > $out
+ '';
+in
+{
+ options = {
+ environment.wordlist = {
+ enable = mkEnableOption "environment variables for lists of words";
+
+ lists = mkOption {
+ type = types.attrsOf (types.nonEmptyListOf types.path);
+
+ default = {
+ WORDLIST = [ "${pkgs.scowl}/share/dict/words.txt" ];
+ };
+
+ defaultText = literalExpression ''
+ {
+ WORDLIST = [ "''${pkgs.scowl}/share/dict/words.txt" ];
+ }
+ '';
+
+ description = ''
+ A set with the key names being the environment variable you'd like to
+ set and the values being a list of paths to text documents containing
+ lists of words. The various files will be merged, sorted, duplicates
+ removed, and extraneous spacing removed.
+
+ If you have a handful of words that you want to add to an already
+ existing wordlist, you may find `builtins.toFile` useful for this
+ task.
+ '';
+
+ example = literalExpression ''
+ {
+ WORDLIST = [ "''${pkgs.scowl}/share/dict/words.txt" ];
+ AUGMENTED_WORDLIST = [
+ "''${pkgs.scowl}/share/dict/words.txt"
+ "''${pkgs.scowl}/share/dict/words.variants.txt"
+ (builtins.toFile "extra-words" '''
+ desynchonization
+ oobleck''')
+ ];
+ }
+ '';
+ };
+ };
+ };
+
+ config = mkIf config.environment.wordlist.enable {
+ environment.variables =
+ lib.mapAttrs
+ (name: value: "${concatAndSort "wordlist-${name}" value}")
+ config.environment.wordlist.lists;
+ };
+}
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index c8b45724b3c..b2e8661ac50 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -115,6 +115,7 @@
 ./misc/nixpkgs.nix
 ./misc/passthru.nix
 ./misc/version.nix
+ ./misc/wordlist.nix
 ./misc/nixops-autoluks.nix
 ./programs/adb.nix
 ./programs/appgate-sdp.nix
-- cgit 1.4.1
From 91c7b7370748b45f883ad1d80ee5b16df4588d4e Mon Sep 17 00:00:00 2001
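Review bot: The attribute key of `environment.wordlist.lists` is used unchecked both as the environment variable name and inside the derivation name `wordlist-${name}` in the `config` block, so a key that is not a valid shell identifier (one containing a space or `=`, say) is presumably only caught late, as an evaluation error on the derivation name or as a malformed entry in the generated environment file, rather than at option-definition time. A guard next to `environment.variables` such as `assertions = [ { assertion = all (n: builtins.match "[A-Za-z_][A-Za-z0-9_]*" n != null) (attrNames config.environment.wordlist.lists); message = "environment.wordlist.lists: keys must be valid environment variable names"; } ];` turns that into a clear message. The use of `lib.escapeShellArgs files` in `concatAndSort` is the right way to pass store paths into the shell pipeline and should stay. As style points, `sort | uniq` can be `sort -u`, and with `with lib;` at the top the `lib.mapAttrs` and `lib.escapeShellArgs` prefixes are inconsistent with the bare `mkIf`, `mkOption` and `types` used elsewhere in the same file.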
From: Luna Nova Date: Thu, 10 Feb 2022 08:55:23 -0800 Subject: nixos/input-remapper: add release note --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 8 ++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 ++ 2 files changed, 10 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 04bb7ec12d3..e1ec0fb48f0 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -114,6 +114,14 @@ services.powerdns-admin. + + + input-remapper, + an easy to use tool to change the mapping of your input device + buttons. Available at + services.input-remapper. + + InvoicePlane, diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index a2e8038ae1f..9b44ee063ba 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -37,6 +37,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin), a web interface for the PowerDNS server. Available at [services.powerdns-admin](options.html#opt-services.powerdns-admin.enable). +- [input-remapper](https://github.com/sezanzeb/input-remapper), an easy to use tool to change the mapping of your input device buttons. Available at [services.input-remapper](options.html#opt-services.input-remapper.enable). + - [InvoicePlane](https://invoiceplane.com), web application for managing and creating invoices. Available at [services.invoiceplane](options.html#opt-services.invoiceplane.enable). - [maddy](https://maddy.email), a composable all-in-one mail server. Available as [services.maddy](options.html#opt-services.maddy.enable). -- cgit 1.4.1 From 61c70dbc97b57188aa4c482cbb79171902e53c6e Mon Sep 17 00:00:00 2001 
From: Dominique Martinet Date: Fri, 11 Feb 2022 17:13:38 +0900 Subject: logrotate: default to enable if any rule is active --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 7 +++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 3 +++ nixos/modules/services/logging/logrotate.nix | 5 ++++- 3 files changed, 14 insertions(+), 1 deletion(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 544b1e13898..a96808014d5 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -865,6 +865,13 @@ Plugins are automatically repackaged using autoPatchelf. + + + services.logrotate.enable now defaults to + true if any rotate path has been defined, and some paths have + been added by default. + + The zrepl package has been updated from diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index c748d2dae9e..1b627703989 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -294,6 +294,9 @@ In addition to numerous new and upgraded packages, this release has the followin - `services.mattermost.plugins` has been added to allow the declarative installation of Mattermost plugins. Plugins are automatically repackaged using autoPatchelf. +- `services.logrotate.enable` now defaults to true if any rotate path has + been defined, and some paths have been added by default. + - The `zrepl` package has been updated from 0.4.0 to 0.5: - The RPC protocol version was bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume. diff --git a/nixos/modules/services/logging/logrotate.nix b/nixos/modules/services/logging/logrotate.nix index 26d22d90175..1467e27deba 100644 --- a/nixos/modules/services/logging/logrotate.nix 
+++ b/nixos/modules/services/logging/logrotate.nix
@@ -111,7 +111,10 @@ in
 options = {
 services.logrotate = {
- enable = mkEnableOption "the logrotate systemd service";
+ enable = mkEnableOption "the logrotate systemd service" // {
+ default = foldr (n: a: a || n.enable) false (attrValues cfg.paths);
+ defaultText = literalExpression "cfg.paths != {}";
+ };
 paths = mkOption {
 type = with types; attrsOf (submodule pathOpts);
-- cgit 1.4.1
From 6532d3417ea247f5088649027a9719a34ad64406 Mon Sep 17 00:00:00 2001
From: Victor Freire
Date: Thu, 10 Feb 2022 19:44:18 -0300
Subject: nixos/blocky: init
---
 .../from_md/release-notes/rl-2205.section.xml | 7 ++++
 nixos/doc/manual/release-notes/rl-2205.section.md | 2 ++
 nixos/modules/module-list.nix | 1 +
 nixos/modules/services/networking/blocky.nix | 40 ++++++++++++++++++++++
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/blocky.nix | 34 ++++++++++++++++++
 pkgs/applications/networking/blocky/default.nix | 3 ++
 7 files changed, 88 insertions(+)
 create mode 100644 nixos/modules/services/networking/blocky.nix
 create mode 100644 nixos/tests/blocky.nix
(limited to 'nixos/doc')
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 544b1e13898..ff36fdb328a 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -214,6 +214,13 @@ services.headscale + + + blocky, + fast and lightweight DNS proxy as ad-blocker for local network + with many features. + +
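Review bot: `defaultText = literalExpression "cfg.paths != {}"` does not describe the default the line above actually computes: `foldr (n: a: a || n.enable) false (attrValues cfg.paths)` is `true` only when at least one path entry has `enable = true`, so a `paths` set containing only disabled entries leaves logrotate off while the rendered manual says it is on. Either make the text match, `defaultText = literalExpression "lib.any (p: p.enable) (lib.attrValues cfg.paths)";`, or simplify both sides to the same expression, `default = any (p: p.enable) (attrValues cfg.paths);`. Whether `pathOpts` declares an `enable` option is not visible here (the submodule is only referenced on the context line `type = with types; attrsOf (submodule pathOpts);`), so that is worth confirming. The enclosing `options` block begins before the hunk.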
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index c748d2dae9e..32b222559c2 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -65,6 +65,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [headscale](https://github.com/juanfont/headscale), an Open Source implementation of the [Tailscale](https://tailscale.io) Control Server. Available as [services.headscale](options.html#opt-services.headscale.enable) +- [blocky](https://0xerr0r.github.io/blocky/), fast and lightweight DNS proxy as ad-blocker for local network with many features. + ## Backward Incompatibilities {#sec-release-22.05-incompatibilities} diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 70964ad80f7..f640095308f 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -716,6 +716,7 @@ ./services/networking/bird.nix ./services/networking/bitlbee.nix ./services/networking/blockbook-frontend.nix + ./services/networking/blocky.nix ./services/networking/charybdis.nix ./services/networking/cjdns.nix ./services/networking/cntlm.nix diff --git a/nixos/modules/services/networking/blocky.nix b/nixos/modules/services/networking/blocky.nix new file mode 100644 index 00000000000..7488e05fc03 --- /dev/null +++ b/nixos/modules/services/networking/blocky.nix 
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.blocky;
+
+ format = pkgs.formats.yaml { };
+ configFile = format.generate "config.yaml" cfg.settings;
+in
+{
+ options.services.blocky = {
+ enable = mkEnableOption "Fast and lightweight DNS proxy as ad-blocker for local network with many features";
+
+ settings = mkOption {
+ type = format.type;
+ default = { };
+ description = ''
+ Blocky configuration. Refer to
+
+ for details on supported values.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.blocky = {
+ description = "A DNS proxy and ad-blocker for the local network";
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ DynamicUser = true;
+ ExecStart = "${pkgs.blocky}/bin/blocky --config ${configFile}";
+
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+ };
+ };
+ };
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 3fd4945ed35..10a6de93be2 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -51,6 +51,7 @@ in
 bitcoind = handleTest ./bitcoind.nix {};
 bittorrent = handleTest ./bittorrent.nix {};
 blockbook-frontend = handleTest ./blockbook-frontend.nix {};
+ blocky = handleTest ./blocky.nix {};
 boot = handleTestOn ["x86_64-linux" "aarch64-linux"] ./boot.nix {};
 boot-stage1 = handleTest ./boot-stage1.nix {};
 borgbackup = handleTest ./borgbackup.nix {};
diff --git a/nixos/tests/blocky.nix b/nixos/tests/blocky.nix
new file mode 100644
index 00000000000..18e7f45e1c7
--- /dev/null
+++ b/nixos/tests/blocky.nix
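Review bot: `configFile = format.generate "config.yaml" cfg.settings` writes the entire `settings` set into the world-readable Nix store, and a resolver configuration can carry material that should not be world-readable (upstream endpoints with embedded credentials, for instance), yet the `settings` description says nothing about it. A sentence in the description such as `Note: the generated config.yaml is stored in the world-readable Nix store, so do not place secrets in these settings.` would make the trade-off explicit to users. `ExecStart` hardcodes `pkgs.blocky`; the usual module shape is a `package = mkOption { type = types.package; default = pkgs.blocky; defaultText = literalExpression "pkgs.blocky"; }` option so that a patched or pinned build can be substituted without overriding the unit. The unit is only `wantedBy = [ "multi-user.target" ]` with no `after`/`wants` on `network.target`; if blocky contacts its upstreams at start-up, which is not visible here, it could race the network coming up. `DynamicUser = true` plus the restricted capability set is a sound baseline; `ProtectSystem = "strict"`, `ProtectHome = true` and `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]` would be natural additions for a network-facing daemon.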
@@ -0,0 +1,34 @@
+import ./make-test-python.nix {
+ name = "blocky";
+
+ nodes = {
+ server = { pkgs, ... }: {
+ environment.systemPackages = [ pkgs.dnsutils ];
+ services.blocky = {
+ enable = true;
+
+ settings = {
+ customDNS = {
+ mapping = {
+ "printer.lan" = "192.168.178.3,2001:0db8:85a3:08d3:1319:8a2e:0370:7344";
+ };
+ };
+ upstream = {
+ default = [ "8.8.8.8" "1.1.1.1" ];
+ };
+ port = 53;
+ httpPort = 5000;
+ logLevel = "info";
+ };
+ };
+ };
+ };
+
+ testScript = ''
+ with subtest("Service test"):
+ server.wait_for_unit("blocky.service")
+ server.wait_for_open_port(53)
+ server.wait_for_open_port(5000)
+ server.succeed("dig @127.0.0.1 +short -x 192.168.178.3 | grep -qF printer.lan")
+ '';
+}
diff --git a/pkgs/applications/networking/blocky/default.nix b/pkgs/applications/networking/blocky/default.nix
index 8bc0963338f..842cbe30309 100644
--- a/pkgs/applications/networking/blocky/default.nix
+++ b/pkgs/applications/networking/blocky/default.nix
@@ -1,6 +1,7 @@
 { buildGoModule
 , fetchFromGitHub
 , lib
+, nixosTests
 }:
 buildGoModule rec {
@@ -27,4 +28,6 @@ buildGoModule rec {
 license = licenses.asl20;
 maintainers = with maintainers; [ ratsclub ];
 };
+
+ passthru.tests = { inherit (nixosTests) blocky; };
 }
-- cgit 1.4.1
From 152dd4c81daa1c24d6ff65c3771070e8f4f7f098 Mon Sep 17 00:00:00 2001
From: Sarah Brofeldt
Date: Tue, 15 Feb 2022 08:21:09 +0100
Subject: nixos/kubernetes: Update deprecated scheduler opts
--port and --address have both been deprecated and are nonfunctional starting with kubernetes 1.23. Use --secure-port and --bind-address instead. This means that users can no longer rely on the insecure port for anything, so update the release notes accordingly.
---
 nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 11 +++++++++++
 nixos/doc/manual/release-notes/rl-2205.section.md | 2 ++
 nixos/modules/services/cluster/kubernetes/scheduler.nix | 4 ++--
 3 files changed, 15 insertions(+), 2 deletions(-)
(limited to 'nixos/doc')
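Review bot: The only behavioural assertion in `testScript` is a reverse lookup of the `customDNS` mapping; a forward query for the same name, `server.succeed("dig @127.0.0.1 +short printer.lan | grep -qF 192.168.178.3")`, would pin the mapping in both directions at no extra cost. As far as I can tell `wait_for_open_port` in the test driver probes TCP only, while the `dig` query goes over UDP, so the UDP listener on 53 is covered only indirectly by the final `succeed`; a second `dig ... +tcp` variant would make the TCP path explicit as well. The `upstream.default = [ "8.8.8.8" "1.1.1.1" ]` entries are unreachable from a NixOS test VM, which is fine because no query here leaves `customDNS`, but a comment such as `# test VMs have no external network; these upstreams are placeholders and are never reached` would prevent a future reader from adding an upstream-dependent assertion that cannot pass.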
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 50cf06c94ee..7ac06869055 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -278,6 +278,17 @@ removed due to it being an outdated version. + + + services.kubernetes.scheduler.{port,address} + now set --secure-port and + --bind-address instead of + --port and --address, + since the former have been deprecated and are no longer + functional in kubernetes>=1.23. Ensure that you are not + relying on the insecure behaviour before upgrading. + + The DHCP server (services.dhcpd4, diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 4f8b098958c..7d6410ca16c 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -96,6 +96,8 @@ In addition to numerous new and upgraded packages, this release has the followin - `services.kubernetes.addons.dashboard` was removed due to it being an outdated version. +- `services.kubernetes.scheduler.{port,address}` now set `--secure-port` and `--bind-address` instead of `--port` and `--address`, since the former have been deprecated and are no longer functional in kubernetes>=1.23. Ensure that you are not relying on the insecure behaviour before upgrading. + - The DHCP server (`services.dhcpd4`, `services.dhcpd6`) has been hardened. The service is now using the systemd's `DynamicUser` mechanism to run as an unprivileged dynamically-allocated user with limited capabilities. The dhcpd state files are now always stored in `/var/lib/dhcpd{4,6}` and the `services.dhcpd4.stateDir` and `service.dhcpd6.stateDir` options have been removed. 
diff --git a/nixos/modules/services/cluster/kubernetes/scheduler.nix b/nixos/modules/services/cluster/kubernetes/scheduler.nix
index 2a522f1db89..2d95528a6ea 100644
--- a/nixos/modules/services/cluster/kubernetes/scheduler.nix
+++ b/nixos/modules/services/cluster/kubernetes/scheduler.nix
@@ -66,12 +66,12 @@ in
 serviceConfig = {
 Slice = "kubernetes.slice";
 ExecStart = ''${top.package}/bin/kube-scheduler \
- --address=${cfg.address} \
+ --bind-address=${cfg.address} \
 ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
 --kubeconfig=${top.lib.mkKubeConfig "kube-scheduler" cfg.kubeconfig} \
 --leader-elect=${boolToString cfg.leaderElect} \
- --port=${toString cfg.port} \
+ --secure-port=${toString cfg.port} \
 ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
 ${cfg.extraOpts}
 '';
-- cgit 1.4.1
From 59a367bcabae16ec0c18df29fda4b09dfa36ba53 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sun, 30 Jan 2022 02:41:15 +0100
Subject: nixos/home-assistant: convert to rfc42 style settings
After this change users with non-declarative configs need to set `services.home-assistant.config` to an `null`, or their `configuration.yaml` will be overwritten. The reason for this is that with rfc42 style defaults the config attribute set will never be empty by default.
---
 .../from_md/release-notes/rl-2205.section.xml | 17 ++
 nixos/doc/manual/release-notes/rl-2205.section.md | 9 +
 .../services/home-automation/home-assistant.nix | 261 +++++++++++++--------
 3 files changed, 191 insertions(+), 96 deletions(-)
(limited to 'nixos/doc')
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 4e64a02de81..4a6b539bcd0 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
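Review bot: `cfg.port` and `cfg.address` now feed `--secure-port` and `--bind-address`, which changes what those options mean (the TLS serving port and its bind address instead of the plain-HTTP ones), but the option declarations with their defaults and descriptions lie outside this hunk and are not touched by the commit. If `port` keeps the default it had for `--port`, the TLS endpoint now appears on a port that existing health checks and scrapers may not expect, and the descriptions will still describe the insecure listener. The declarations should state the new role, for example `description = "Kubernetes scheduler secure (TLS) listening port, passed as --secure-port.";` and likewise for `address` with `--bind-address`, so the release note and the option text agree. The enclosing `serviceConfig` / `ExecStart` attribute set extends beyond the hunk.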
@@ -269,6 +269,23 @@ (ghc.withPackages.override { useLLVM = true; }) (p: []). + + + The home-assistant module now requires + users that don’t want their configuration to be managed + declaratively to set + services.home-assistant.config = null;. + This is required due to the way default settings are handled + with the new settings style. + + + Additionally the default list of + extraComponents now includes the minimal + dependencies to successfully complete the + onboarding + procedure. + + pkgs.emacsPackages.orgPackages is removed diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 10349f96d4a..e06e7e385d1 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -91,6 +91,15 @@ In addition to numerous new and upgraded packages, this release has the followin `useLLVM`. So instead of `(ghc.withPackages (p: [])).override { withLLVM = true; }`, one needs to use `(ghc.withPackages.override { useLLVM = true; }) (p: [])`. +- The `home-assistant` module now requires users that don't want their + configuration to be managed declaratively to set + `services.home-assistant.config = null;`. This is required + due to the way default settings are handled with the new settings style. + + Additionally the default list of `extraComponents` now includes the minimal + dependencies to successfully complete the [onboarding](https://www.home-assistant.io/getting-started/onboarding/) + procedure. + - `pkgs.emacsPackages.orgPackages` is removed because org elpa is deprecated. The packages in the top level of `pkgs.emacsPackages`, such as org and org-contrib, refer to the ones in `pkgs.emacsPackages.elpaPackages` and diff --git a/nixos/modules/services/home-automation/home-assistant.nix b/nixos/modules/services/home-automation/home-assistant.nix index db6fc39c306..3c1b5b199d4 100644 --- a/nixos/modules/services/home-automation/home-assistant.nix 
+++ b/nixos/modules/services/home-automation/home-assistant.nix 
@@ -4,35 +4,27 @@ with lib; let cfg = config.services.home-assistant; + format = pkgs.formats.yaml {}; - # cfg.config != null can be assumed here - configJSON = pkgs.writeText "configuration.json" - (builtins.toJSON (if cfg.applyDefaultConfig then - (recursiveUpdate defaultConfig cfg.config) else cfg.config)); + # Render config attribute sets to YAML + # Values that are null will be filtered from the output, so this is one way to have optional + # options shown in settings. + # We post-process the result to add support for YAML functions, like secrets or includes, see e.g. + # https://www.home-assistant.io/docs/configuration/secrets/ + filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ null ])) cfg.config or {}; configFile = pkgs.runCommand "configuration.yaml" { preferLocalBuild = true; } '' - ${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out - # Hack to support custom yaml objects, - # i.e. secrets: https://www.home-assistant.io/docs/configuration/secrets/ + cp ${format.generate "configuration.yaml" filteredConfig} $out sed -i -e "s/'\!\([a-z_]\+\) \(.*\)'/\!\1 \2/;s/^\!\!/\!/;" $out ''; + lovelaceConfig = cfg.lovelaceConfig or {}; + lovelaceConfigFile = format.generate "ui-lovelace.yaml" lovelaceConfig; - lovelaceConfigJSON = pkgs.writeText "ui-lovelace.json" - (builtins.toJSON cfg.lovelaceConfig); - lovelaceConfigFile = pkgs.runCommand "ui-lovelace.yaml" { preferLocalBuild = true; } '' - ${pkgs.remarshal}/bin/json2yaml -i ${lovelaceConfigJSON} -o $out - ''; - + # Components advertised by the home-assistant package availableComponents = cfg.package.availableComponents; + # Components that were added by overriding the package explicitComponents = cfg.package.extraComponents; - - usedPlatforms = config: - if isAttrs config then - optional (config ? 
platform) config.platform - ++ concatMap usedPlatforms (attrValues config) - else if isList config then - concatMap usedPlatforms config - else [ ]; + useExplicitComponent = component: elem component explicitComponents; # Given a component "platform", looks up whether it is used in the config # as `platform = "platform";`. 
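Review bot: `cfg.config or {}` on the new `filteredConfig` line only substitutes `{}` when the attribute is absent, which never happens for a declared option; a `null` value, the opt-out this commit documents in its release note, still reaches `filterAttrsRecursive`, so `configFile` must only be forced behind a `cfg.config != null` guard that presumably lives outside this hunk. A form that says what is meant is `filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ null ])) (if cfg.config == null then {} else cfg.config);`. The comment above it should also state that `filterAttrsRecursive` does not descend into lists, so `null` inside list elements is kept and rendered.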
@@ -42,33 +34,42 @@ let # platform = "mqtt"; # ... # } ]; - useComponentPlatform = component: elem component (usedPlatforms cfg.config); + usedPlatforms = config: + if isAttrs config then + optional (config ? platform) config.platform + ++ concatMap usedPlatforms (attrValues config) + else if isList config then + concatMap usedPlatforms config + else [ ]; - useExplicitComponent = component: elem component explicitComponents; + useComponentPlatform = component: elem component (usedPlatforms cfg.config); - # Returns whether component is used in config or explicitly passed into package + # Returns whether component is used in config, explicitly passed into package or + # configured in the module. useComponent = component: hasAttrByPath (splitString "." component) cfg.config || useComponentPlatform component || useExplicitComponent component; - # List of components used in config + # Final list of components passed into the package to include required dependencies extraComponents = filter useComponent availableComponents; - package = if (cfg.autoExtraComponents && cfg.config != null) - then (cfg.package.override { inherit extraComponents; }) - else cfg.package; - - # If you are changing this, please update the description in applyDefaultConfig - defaultConfig = { - homeassistant.time_zone = config.time.timeZone; - http.server_port = cfg.port; - } // optionalAttrs (cfg.lovelaceConfig != null) { - lovelace.mode = "yaml"; - }; + package = (cfg.package.override { + inherit extraComponents; + }); in { - meta.maintainers = teams.home-assistant.members; + imports = [ + # Migrations in NixOS 22.05 + (mkRemovedOptionModule [ "services" "home-assistant" "applyDefaultConfig" ] "The default config was migrated into services.home-assistant.config") + (mkRemovedOptionModule [ "services" "home-assistant" "autoExtraComponents" ] "Components are now parsed from services.home-assistant.config unconditionally") + (mkRenamedOptionModule [ "services" "home-assistant" "port" ] [ "services" 
"home-assistant" "config" "http" "server_port" ]) + ]; + + meta = { + buildDocsInSandbox = false; + maintainers = teams.home-assistant.members; + }; options.services.home-assistant = { # Running home-assistant on NixOS is considered an installation method that is unsupported by the upstream project. 
@@ -81,42 +82,117 @@ in { description = "The config directory, where your configuration.yaml is located."; }; - port = mkOption { - default = 8123; - type = types.port; - description = "The port on which to listen."; - }; + config = mkOption { + type = types.submodule { + freeformType = format.type; + options = { + # This is a partial selection of the most common options, so new users can quickly + # pick up how to match home-assistants config structure to ours. It also lets us preset + # config values intelligently. - applyDefaultConfig = mkOption { - default = true; - type = types.bool; - description = '' - Setting this option enables a few configuration options for HA based on NixOS configuration (such as time zone) to avoid having to manually specify configuration we already have. - - - Currently one side effect of enabling this is that the http component will be enabled. - - - This only takes effect if config != null in order to ensure that a manually managed configuration.yaml is not overwritten. - ''; - }; + homeassistant = { + # https://www.home-assistant.io/docs/configuration/basic/ + name = mkOption { + type = types.nullOr types.str; + default = null; + example = "Home"; + description = '' + Name of the location where Home Assistant is running. + ''; + }; - config = mkOption { - default = null; - # Migrate to new option types later: https://github.com/NixOS/nixpkgs/pull/75584 - type = with lib.types; let - valueType = nullOr (oneOf [ - bool - int - float - str - (lazyAttrsOf valueType) - (listOf valueType) - ]) // { - description = "Yaml value"; - emptyValue.value = {}; + latitude = mkOption { + type = types.nullOr (types.either types.float types.str); + default = null; + example = 52.3; + description = '' + Latitude of your location required to calculate the time the sun rises and sets. 
+ ''; + }; + + longitude = mkOption { + type = types.nullOr (types.either types.float types.str); + default = null; + example = 4.9; + description = '' + Longitude of your location required to calculate the time the sun rises and sets. + ''; + }; + + unit_system = mkOption { + type = types.nullOr (types.enum [ "metric" "imperial" ]); + default = null; + example = "metric"; + description = '' + The unit system to use. This also sets temperature_unit, Celsius for Metric and Fahrenheit for Imperial. + ''; + }; + + temperature_unit = mkOption { + type = types.nullOr (types.enum [ "C" "F" ]); + default = null; + example = "C"; + description = '' + Override temperature unit set by unit_system. C for Celsius, F for Fahrenheit. + ''; + }; + + time_zone = mkOption { + type = types.nullOr types.str; + default = config.time.timeZone or null; + defaultText = literalExpression '' + config.time.timeZone or null + ''; + example = "Europe/Amsterdam"; + description = '' + Pick your time zone from the column TZ of Wikipedia’s list of tz database time zones. + ''; + }; }; - in valueType; + + http = { + # https://www.home-assistant.io/integrations/http/ + server_host = mkOption { + type = types.either types.str (types.listOf types.str); + default = [ + "0.0.0.0" + "::" + ]; + example = "::1"; + description = '' + Only listen to incoming requests on specific IP/host. The default listed assumes support for IPv4 and IPv6. + ''; + }; + + server_port = mkOption { + default = 8123; + type = types.port; + description = '' + The port on which to listen. 
+ ''; + }; + }; + + lovelace = { + # https://www.home-assistant.io/lovelace/dashboards/ + mode = mkOption { + type = types.enum [ "yaml" "storage" ]; + default = if cfg.lovelaceConfig != null + then "yaml" + else "storage"; + defaultText = literalExpression '' + if cfg.lovelaceConfig != null + then "yaml" + else "storage"; + ''; + example = "yaml"; + description = '' + In what mode should the main Lovelace panel be, yaml or storage (UI managed). + ''; + }; + }; + }; + }; example = literalExpression '' { homeassistant = { @@ -130,15 +206,19 @@ in { frontend = { themes = "!include_dir_merge_named themes"; }; - http = { }; + http = {}; feedreader.urls = [ "https://nixos.org/blogs.xml" ]; } ''; description = '' Your configuration.yaml as a Nix attribute set. - Beware that setting this option will delete your previous configuration.yaml. - Secrets - are encoded as strings as shown in the example. + + YAML functions like secrets + can be passed as a string and will be unquoted automatically. + + Unless this option is explicitly set to null + we assume your configuration.yaml is + managed through this module and thereby overwritten on startup. ''; }; @@ -147,16 +227,18 @@ in { type = types.bool; description = '' Whether to make configuration.yaml writable. - This only has an effect if is set. + This will allow you to edit it from Home Assistant's web interface. + + This only has an effect if is set. However, bear in mind that it will be overwritten at every start of the service. ''; }; lovelaceConfig = mkOption { default = null; - type = with types; nullOr attrs; - # from https://www.home-assistant.io/lovelace/yaml-mode/ + type = types.nullOr format.type; + # from https://www.home-assistant.io/lovelace/dashboards/ example = literalExpression '' { title = "My Awesome Home"; 
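Review bot: `http.server_host` defaults to `[ "0.0.0.0" "::" ]`, so Home Assistant listens on every interface of the host, yet the description only says the default "assumes support for IPv4 and IPv6". The description should state the exposure and the loopback alternative, e.g. `Only listen to incoming requests on specific IP/host. The default binds all IPv4 and IPv6 addresses; use "127.0.0.1" or "::1" when Home Assistant is only reached through a local reverse proxy.` Remote reachability is still gated separately by the firewall (`openFirewall`, declared further down in this file, keeps its `false` default).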
@@ -172,8 +254,8 @@ in { ''; description = '' Your ui-lovelace.yaml as a Nix attribute set. - Setting this option will automatically add - lovelace.mode = "yaml"; to your . + Setting this option will automatically set lovelace.mode to yaml. + Beware that setting this option will delete your previous ui-lovelace.yaml ''; }; @@ -183,8 +265,10 @@ in { type = types.bool; description = '' Whether to make ui-lovelace.yaml writable. - This only has an effect if is set. + This will allow you to edit it from Home Assistant's web interface. + + This only has an effect if is set. However, bear in mind that it will be overwritten at every start of the service. ''; }; @@ -212,7 +296,7 @@ in { } ''; description = '' - Home Assistant package to use. By default the tests are disabled, as they take a considerable amout of time to complete. + The Home Assistant package to use. Override extraPackages or extraComponents in order to add additional dependencies. If you specify and do not set to false, overriding extraComponents will have no effect. @@ -220,21 +304,6 @@ in { ''; }; - autoExtraComponents = mkOption { - default = true; - type = types.bool; - description = '' - If set to true, the components used in config - are set as the specified package's extraComponents. - This in turn adds all packaged dependencies to the derivation. - You might still see import errors in your log. - In this case, you will need to package the necessary dependencies yourself - or ask for someone else to package them. - If a dependency is packaged but not automatically added to this list, - you might need to specify it in extraPackages. - ''; - }; - openFirewall = mkOption { default = false; type = types.bool; -- cgit 1.4.1 From 29fd78747ae72b28d06bf19df2b8faf2a1d9a7eb Mon Sep 17 00:00:00 2001 
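Review bot: In the `@@ -212,7 +296,7 @@` hunk the context line `If you specify and do not set to false, overriding extraComponents will have no effect.` still conditions on an option that the following `@@ -220,21 +304,6 @@` hunk removes (the stripped option reference appears to be `autoExtraComponents`, whose declaration is what the removed lines delete). Since components are now detected from `config` unconditionally and the package override keeps `cfg.package.extraComponents`, that sentence is no longer true for any setting and should be dropped or rewritten as `Overriding extraComponents on the package is only needed for components this module does not detect from config.`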
From: Nikolay Amiantov Date: Mon, 14 Feb 2022 19:36:49 +0300 Subject: nixos/manual: use system nixpkgs to build pxe image The command in example is expected to be run from nixpkgs checkout, but there's no explanation of this. Let's just use system nixpkgs: most users will have it just working and those who use git checkouts will figure it out. --- nixos/doc/manual/from_md/installation/installing-pxe.section.xml | 4 ++-- nixos/doc/manual/installation/installing-pxe.section.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/installation/installing-pxe.section.xml b/nixos/doc/manual/from_md/installation/installing-pxe.section.xml index 1dd15ddacba..94172de65ea 100644 --- a/nixos/doc/manual/from_md/installation/installing-pxe.section.xml +++ b/nixos/doc/manual/from_md/installation/installing-pxe.section.xml @@ -7,11 +7,11 @@ These instructions assume that you have an existing PXE or iPXE infrastructure and simply want to add the NixOS installer as another - option. To build the necessary files from a recent version of + option. To build the necessary files from your current version of nixpkgs, you can run: -nix-build -A netboot.x86_64-linux nixos/release.nix +nix-build -A netboot.x86_64-linux '<nixpkgs/nixos/release.nix>' This will create a result directory containing: * diff --git a/nixos/doc/manual/installation/installing-pxe.section.md b/nixos/doc/manual/installation/installing-pxe.section.md index 2016a258251..4fbd6525f8c 100644 --- a/nixos/doc/manual/installation/installing-pxe.section.md +++ b/nixos/doc/manual/installation/installing-pxe.section.md 
@@ -5,11 +5,11 @@ setup. These instructions assume that you have an existing PXE or iPXE infrastructure and simply want to add the NixOS installer as another -option. To build the necessary files from a recent version of nixpkgs, +option. To build the necessary files from your current version of nixpkgs, you can run: ```ShellSession -nix-build -A netboot.x86_64-linux nixos/release.nix +nix-build -A netboot.x86_64-linux '' ``` This will create a `result` directory containing: \* `bzImage` -- the -- cgit 1.4.1 From 312f5ca1cebc7c510f58760afc3201104c56a93a Mon Sep 17 00:00:00 2001 From: deltadelta Date: Thu, 17 Feb 2022 18:14:52 +0100 Subject: dino: mention update in release notes --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 6 ++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 ++ 2 files changed, 8 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 50cf06c94ee..9de918e2349 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -875,6 +875,12 @@ programs.starship.settings. + + + The Dino XMPP client + was updated to 0.3, adding support for audio and video calls. + + services.mattermost.plugins has been added diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 4f8b098958c..92968ef86fb 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -294,6 +294,8 @@ In addition to numerous new and upgraded packages, this release has the followin - A new module was added for the [Starship](https://starship.rs/) shell prompt, providing the options `programs.starship.enable` and `programs.starship.settings`. +- The [Dino](https://dino.im) XMPP client was updated to 0.3, adding support for audio and video calls. + - `services.mattermost.plugins` has been added to allow the declarative installation of Mattermost plugins. Plugins are automatically repackaged using autoPatchelf. -- cgit 1.4.1 From 57fc08cfdbd1a3a59f26416814dc10f8379d6e67 Mon Sep 17 00:00:00 2001 From: Christian Kögler Date: Thu, 17 Feb 2022 22:07:05 +0100 Subject: nixos: Switch to default systemd-nspawn behaviour --- .../from_md/release-notes/rl-2205.section.xml | 9 +++ nixos/doc/manual/release-notes/rl-2205.section.md | 1 + nixos/modules/system/boot/systemd-nspawn.nix | 8 -- nixos/tests/all-tests.nix | 1 + nixos/tests/systemd-machinectl.nix | 85 ++++++++++++++++++++++ 5 files changed, 96 insertions(+), 8 deletions(-) create mode 100644 nixos/tests/systemd-machinectl.nix (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index c234cda499f..ab37b9f7961 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -542,6 +542,15 @@ ~/.local/share/polymc/polymc.cfg. + + + systemd-nspawn@.service settings have been + reverted to the default systemd behaviour. User namespaces are + now activated by default. If you want to keep running nspawn + containers without user namespaces you need to set + systemd.nspawn.<name>.execConfig.PrivateUsers = false + + The terraform 0.12 compatibility has been removed and the diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 567a6d6780a..61b924f9967 100644 
--- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -174,6 +174,7 @@ In addition to numerous new and upgraded packages, this release has the followin - MultiMC has been replaced with the fork PolyMC due to upstream developers being hostile to 3rd party package maintainers. PolyMC removes all MultiMC branding and is aimed at providing proper 3rd party packages like the one contained in Nixpkgs. This change affects the data folder where game instances and other save and configuration files are stored. Users with existing installations should rename `~/.local/share/multimc` to `~/.local/share/polymc`. The main config file's path has also moved from `~/.local/share/multimc/multimc.cfg` to `~/.local/share/polymc/polymc.cfg`. +- `systemd-nspawn@.service` settings have been reverted to the default systemd behaviour. User namespaces are now activated by default. If you want to keep running nspawn containers without user namespaces you need to set `systemd.nspawn..execConfig.PrivateUsers = false` - The terraform 0.12 compatibility has been removed and the `terraform.withPlugins` and `terraform-providers.mkProvider` implementations simplified. Providers now need to be stored under `$out/libexec/terraform-providers/////_/terraform-provider-_v` (which mkProvider does). diff --git a/nixos/modules/system/boot/systemd-nspawn.nix b/nixos/modules/system/boot/systemd-nspawn.nix index 02d2660add8..0c6822319a5 100644 --- a/nixos/modules/system/boot/systemd-nspawn.nix +++ b/nixos/modules/system/boot/systemd-nspawn.nix 
@@ -120,14 +120,6 @@ in { }) { systemd.targets.multi-user.wants = [ "machines.target" ]; - - # Workaround for https://github.com/NixOS/nixpkgs/pull/67232#issuecomment-531315437 and https://github.com/systemd/systemd/issues/13622 - # Once systemd fixes this upstream, we can re-enable -U - systemd.services."systemd-nspawn@".serviceConfig.ExecStart = [ - "" # deliberately empty. signals systemd to override the ExecStart - # Only difference between upstream is that we do not pass the -U flag - "${config.systemd.package}/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --settings=override --machine=%i" - ]; } ]; } diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 520c48bc45b..27d6d5fff3a 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -498,6 +498,7 @@ in systemd-confinement = handleTest ./systemd-confinement.nix {}; systemd-cryptenroll = handleTest ./systemd-cryptenroll.nix {}; systemd-journal = handleTest ./systemd-journal.nix {}; + systemd-machinectl = handleTest ./systemd-machinectl.nix {}; systemd-networkd = handleTest ./systemd-networkd.nix {}; systemd-networkd-dhcpserver = handleTest ./systemd-networkd-dhcpserver.nix {}; systemd-networkd-dhcpserver-static-leases = handleTest ./systemd-networkd-dhcpserver-static-leases.nix {}; diff --git a/nixos/tests/systemd-machinectl.nix b/nixos/tests/systemd-machinectl.nix new file mode 100644 index 00000000000..4fc5864357c --- /dev/null +++ b/nixos/tests/systemd-machinectl.nix 
@@ -0,0 +1,85 @@ +import ./make-test-python.nix ( + let + + container = { + # We re-use the NixOS container option ... + boot.isContainer = true; + # ... and revert unwanted defaults + networking.useHostResolvConf = false; + + # use networkd to obtain systemd network setup + networking.useNetworkd = true; + networking.useDHCP = false; + + # systemd-nspawn expects /sbin/init + boot.loader.initScript.enable = true; + + imports = [ ../modules/profiles/minimal.nix ]; + }; + + containerSystem = (import ../lib/eval-config.nix { + modules = [ container ]; + }).config.system.build.toplevel; + + containerName = "container"; + containerRoot = "/var/lib/machines/${containerName}"; + + in + { + name = "systemd-machinectl"; + + machine = { lib, ... }: { + # use networkd to obtain systemd network setup + networking.useNetworkd = true; + networking.useDHCP = false; + services.resolved.enable = false; + + # open DHCP server on interface to container + networking.firewall.trustedInterfaces = [ "ve-+" ]; + + # do not try to access cache.nixos.org + nix.settings.substituters = lib.mkForce [ ]; + + virtualisation.additionalPaths = [ containerSystem ]; + }; + + testScript = '' + start_all() + machine.wait_for_unit("default.target"); + + # Install container + machine.succeed("mkdir -p ${containerRoot}"); + # Workaround for nixos-install + machine.succeed("chmod o+rx /var/lib/machines"); + machine.succeed("nixos-install --root ${containerRoot} --system ${containerSystem} --no-channel-copy --no-root-passwd"); + + # Allow systemd-nspawn to apply user namespace on immutable files + machine.succeed("chattr -i ${containerRoot}/var/empty"); + + # Test machinectl start + machine.succeed("machinectl start ${containerName}"); + machine.wait_until_succeeds("systemctl -M ${containerName} is-active default.target"); + + # Test systemd-nspawn network configuration + machine.succeed("ping -n -c 1 ${containerName}"); + + # Test systemd-nspawn uses a user namespace + machine.succeed("test `stat 
${containerRoot}/var/empty -c %u%g` != 00"); + + # Test systemd-nspawn reboot + machine.succeed("machinectl shell ${containerName} /run/current-system/sw/bin/reboot"); + machine.wait_until_succeeds("systemctl -M ${containerName} is-active default.target"); + + # Test machinectl reboot + machine.succeed("machinectl reboot ${containerName}"); + machine.wait_until_succeeds("systemctl -M ${containerName} is-active default.target"); + + # Test machinectl stop + machine.succeed("machinectl stop ${containerName}"); + + # Show to to delete the container + machine.succeed("chattr -i ${containerRoot}/var/empty"); + machine.succeed("rm -rf ${containerRoot}"); + ''; + } +) -- cgit 1.4.1 From 41f4d999ad6ea5233e0852daea33d3c375b5a5ee Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Sat, 12 Feb 2022 15:45:57 +0300 Subject: nixos/ntopng: update user and redis configuration New ntopng version supports running as specified user. Create a separate user for ntopng with a separate Redis instance. Separate instance is only used for new `system.stateVersion`s to avoid breaking existing setups. To configure that we add two new options, `redis.address` and `redis.createInstance`. They can also be used to specify your own Redis address. --- .../from_md/release-notes/rl-2205.section.xml | 9 ++++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 + nixos/modules/services/networking/ntopng.nix | 55 ++++++++++++++++++---- 3 files changed, 58 insertions(+), 8 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 42db2d060be..5d0a9dc76ea 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
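Review bot: The user-namespace check compares `stat ${containerRoot}/var/empty -c %u%g` against `00`, which concatenates uid and gid without a separator and only proves the owner is not exactly root/root; `stat -c %u:%g` compared with `0:0` reads unambiguously, and reading `/proc/1/uid_map` inside the container (via `machinectl shell ${containerName} /run/current-system/sw/bin/cat /proc/1/uid_map`, mirroring the reboot call above) would test the namespace directly instead of a side effect on the host filesystem. The `chmod o+rx /var/lib/machines` line loosens permissions on the machines directory and its comment should say what nixos-install needs that for. The final comment `Show to to delete the container` should read `Show how to delete the container`.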
@@ -318,6 +318,15 @@ virtualisation.docker.daemon.settings. + + + Ntopng (services.ntopng) is updated to + 5.2.1 and uses a separate Redis instance if + system.stateVersion is at least + 22.05. Existing setups shouldn’t be + affected. + + The backward compatibility in diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 7bb7b1c33b1..7846513c607 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -104,6 +104,8 @@ In addition to numerous new and upgraded packages, this release has the followin - If you previously used `/etc/docker/daemon.json`, you need to incorporate the changes into the new option `virtualisation.docker.daemon.settings`. +- Ntopng (`services.ntopng`) is updated to 5.2.1 and uses a separate Redis instance if `system.stateVersion` is at least `22.05`. Existing setups shouldn't be affected. + - The backward compatibility in `services.wordpress` to configure sites with the old interface has been removed. Please use `services.wordpress.sites` instead. diff --git a/nixos/modules/services/networking/ntopng.nix b/nixos/modules/services/networking/ntopng.nix index 77a004e8ab3..2c45d418a0d 100644 --- a/nixos/modules/services/networking/ntopng.nix +++ b/nixos/modules/services/networking/ntopng.nix @@ -6,7 +6,13 @@ let cfg = config.services.ntopng; opt = options.services.ntopng; - redisCfg = config.services.redis; + + createRedis = cfg.redis.createInstance != null; + redisService = + if cfg.redis.createInstance == "" then + "redis.service" + else + "redis-${cfg.redis.createInstance}.service"; configFile = if cfg.configText != "" then pkgs.writeText "ntopng.conf" '' 
@@ -16,7 +22,9 @@ let pkgs.writeText "ntopng.conf" '' ${concatStringsSep " " (map (e: "--interface=" + e) cfg.interfaces)} --http-port=${toString cfg.http-port} - --redis=localhost:${toString redisCfg.port} + --redis=${cfg.redis.address} + --data-dir=/var/lib/ntopng + --user=ntopng ${cfg.extraConfig} ''; @@ -64,6 +72,24 @@ in ''; }; + redis.address = mkOption { + type = types.str; + example = literalExpression "config.services.redis.ntopng.unixSocket"; + description = '' + Redis address - may be a Unix socket or a network host and port. + ''; + }; + + redis.createInstance = mkOption { + type = types.nullOr types.str; + default = if versionAtLeast config.system.stateVersion "22.05" then "ntopng" else ""; + description = '' + Local Redis instance name. Set to null to disable + local Redis instance. Defaults to "" for + system.stateVersion older than 22.05. + ''; + }; + configText = mkOption { default = ""; example = '' 
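Review bot: The `redis.address` example `config.services.redis.ntopng.unixSocket` does not match the path the config section of this commit actually reads, `config.services.redis.servers.${cfg.redis.createInstance}.unixSocket`; it should be `example = literalExpression "config.services.redis.servers.ntopng.unixSocket";`, and the description should add that the option is required when `redis.createInstance` is `null`, since it has no default. `redis.createInstance` derives its default from `config.system.stateVersion` but carries no `defaultText`, so the rendered manual shows one evaluated value rather than the rule; add `defaultText = literalExpression ''if versionAtLeast config.system.stateVersion "22.05" then "ntopng" else ""'';`.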
@@ -95,23 +121,36 @@ in config = mkIf cfg.enable { # ntopng uses redis for data storage - services.redis.enable = true; + services.ntopng.redis.address = + mkIf createRedis config.services.redis.servers.${cfg.redis.createInstance}.unixSocket; + + services.redis.servers = mkIf createRedis { + ${cfg.redis.createInstance} = { + enable = true; + user = mkIf (cfg.redis.createInstance == "ntopng") "ntopng"; + }; + }; # nice to have manual page and ntopng command in PATH environment.systemPackages = [ pkgs.ntopng ]; + systemd.tmpfiles.rules = [ "d /var/lib/ntopng 0700 ntopng ntopng -" ]; + systemd.services.ntopng = { description = "Ntopng Network Monitor"; - requires = [ "redis.service" ]; - after = [ "network.target" "redis.service" ]; + requires = optional createRedis redisService; + after = [ "network.target" ] ++ optional createRedis redisService; wantedBy = [ "multi-user.target" ]; - preStart = "mkdir -p /var/lib/ntopng/"; serviceConfig.ExecStart = "${pkgs.ntopng}/bin/ntopng ${configFile}"; unitConfig.Documentation = "man:ntopng(8)"; }; - # ntopng drops priveleges to user "nobody" and that user is already defined - # in users-groups.nix. + users.extraUsers.ntopng = { + group = "ntopng"; + isSystemUser = true; + }; + + users.extraGroups.ntopng = { }; }; } -- cgit 1.4.1 From e67dd381d33681ce876030db03bc1e58b6ad075d Mon Sep 17 00:00:00 2001 From: K900 Date: Sat, 12 Feb 2022 16:09:44 +0300 Subject: nixos/pipewire: default to wireplumber --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 13 +++++++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 4 ++++ .../services/desktops/pipewire/pipewire-media-session.nix | 5 ++--- nixos/modules/services/desktops/pipewire/wireplumber.nix | 11 +++++++---- 4 files changed, 26 insertions(+), 7 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 7502214c86b..77cbc796931 100644 
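Review bot: The `users.extraUsers.ntopng` entry and the `d /var/lib/ntopng 0700 ntopng ntopng -` tmpfiles rule change who owns the state directory, but the comment removed in this hunk shows the previous module ran ntopng as `nobody` after a root `mkdir -p`, so an upgraded host keeps data files under `/var/lib/ntopng` owned by that user; a `d` rule adjusts the directory itself, not its contents, so the service may be unable to write its existing data despite the release note's "existing setups shouldn't be affected". A `Z /var/lib/ntopng 0700 ntopng ntopng -` rule (or a one-time fix-up keyed on `system.stateVersion`) would cover the migration. Separately, for the legacy `""` instance the Redis server keeps its own user while ntopng now connects as `ntopng` over that server's `unixSocket`; whether the socket's permissions admit a different user should be verified, since only the `ntopng` instance sets `user`.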
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -694,6 +694,19 @@ olimorris/onedarkpro.nvim). + + + services.pipewire.enable will default to + enabling the WirePlumber session manager instead of + pipewire-media-session. pipewire-media-session is deprecated + by upstream and not recommended, but can still be manually + enabled by setting + services.pipewire.media-session.enable to + true and + services.pipewire.wireplumber.enable to + false. + +
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index c96f898505a..6e51810a7e0 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -218,6 +218,10 @@ In addition to numerous new and upgraded packages, this release has the followin - `pkgs.vimPlugins.onedark-nvim` now refers to [navarasu/onedark.nvim](https://github.com/navarasu/onedark.nvim) (formerly refers to [olimorris/onedarkpro.nvim](https://github.com/olimorris/onedarkpro.nvim)). +- `services.pipewire.enable` will default to enabling the WirePlumber session manager instead of pipewire-media-session. + pipewire-media-session is deprecated by upstream and not recommended, but can still be manually enabled by setting + `services.pipewire.media-session.enable` to `true` and `services.pipewire.wireplumber.enable` to `false`. + ## Other Notable Changes {#sec-release-22.05-notable-changes} diff --git a/nixos/modules/services/desktops/pipewire/pipewire-media-session.nix b/nixos/modules/services/desktops/pipewire/pipewire-media-session.nix index f7a03a4a3ea..109c91134b9 100644 --- a/nixos/modules/services/desktops/pipewire/pipewire-media-session.nix +++ b/nixos/modules/services/desktops/pipewire/pipewire-media-session.nix @@ -38,9 +38,8 @@ in { services.pipewire.media-session = { enable = mkOption { type = types.bool; - default = config.services.pipewire.enable; - defaultText = literalExpression "config.services.pipewire.enable"; - description = "Example pipewire session manager"; + default = false; + description = "Whether to enable the deprecated example Pipewire session manager"; }; package = mkOption { diff --git a/nixos/modules/services/desktops/pipewire/wireplumber.nix b/nixos/modules/services/desktops/pipewire/wireplumber.nix index ad96dc1f974..52ec17b95db 100644 --- a/nixos/modules/services/desktops/pipewire/wireplumber.nix 
+++ b/nixos/modules/services/desktops/pipewire/wireplumber.nix @@ -8,15 +8,18 @@ in options = { services.pipewire.wireplumber = { - enable = lib.mkEnableOption "A modular session / policy manager for PipeWire"; + enable = lib.mkOption { + type = lib.types.bool; + default = config.services.pipewire.enable; + defaultText = lib.literalExpression "config.services.pipewire.enable"; + description = "Whether to enable Wireplumber, a modular session / policy manager for PipeWire"; + }; package = lib.mkOption { type = lib.types.package; default = pkgs.wireplumber; defaultText = lib.literalExpression "pkgs.wireplumber"; - description = '' - The wireplumber derivation to use. - ''; + description = "The wireplumber derivation to use."; }; }; }; -- cgit 1.4.1 From 8388c525c3c09715e09357b5547c128f931a7cf3 Mon Sep 17 00:00:00 2001 From: Alyssa Ross Date: Wed, 3 Nov 2021 20:56:15 +0000 Subject: vpnc: don't produce non-free binaries by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As explained in vpnc's Makefile, a vpnc with OpenSSL support is non-redistributable. The option to enable OpenSSL support, which is disabled by default, is even called OPENSSL_GPL_VIOLATION — something that was conveniently hidden by the strange way the option was set in the previous version of this package. --- .../from_md/release-notes/rl-2205.section.xml | 6 ++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 ++ pkgs/tools/networking/vpnc/default.nix | 23 ++++++++++++---------- 3 files changed, 21 insertions(+), 10 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 7502214c86b..993267159e7 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
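Review bot: With `services.pipewire.wireplumber.enable` now defaulting to `config.services.pipewire.enable` and `media-session.enable` defaulting to `false` in the preceding `@@ -38,9 +38,8 @@` hunk, nothing in either hunk stops a user from enabling both session managers at once, which the release note presents as an either/or choice. Unless an assertion already exists elsewhere in these modules, add one in the wireplumber module's config block (which starts outside this hunk): `assertions = [ { assertion = !(config.services.pipewire.wireplumber.enable && config.services.pipewire.media-session.enable); message = "services.pipewire.wireplumber and services.pipewire.media-session cannot both be enabled"; } ];`.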
@@ -686,6 +686,12 @@ wrapper for assert conditions. + + + The vpnc package has been changed to use + GnuTLS instead of OpenSSL by default for licensing reasons. + + pkgs.vimPlugins.onedark-nvim now refers to diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index c96f898505a..1e9b0230233 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -215,6 +215,8 @@ In addition to numerous new and upgraded packages, this release has the followin - `lib.assertMsg` and `lib.assertOneOf` no longer return `false` if the passed condition is `false`, `throw`ing the given error message instead (which makes the resulting error message less cluttered). This will not impact the behaviour of code using these functions as intended, namely as top-level wrapper for `assert` conditions. +- The `vpnc` package has been changed to use GnuTLS instead of OpenSSL by default for licensing reasons. + - `pkgs.vimPlugins.onedark-nvim` now refers to [navarasu/onedark.nvim](https://github.com/navarasu/onedark.nvim) (formerly refers to [olimorris/onedarkpro.nvim](https://github.com/olimorris/onedarkpro.nvim)). diff --git a/pkgs/tools/networking/vpnc/default.nix b/pkgs/tools/networking/vpnc/default.nix index f67d29f09d4..31a4262d8a6 100644 --- a/pkgs/tools/networking/vpnc/default.nix +++ b/pkgs/tools/networking/vpnc/default.nix @@ -1,4 +1,8 @@ -{ lib, stdenv, fetchsvn, nettools, libgcrypt, openssl, openresolv, perl, gawk, makeWrapper }: +{ lib, stdenv, fetchsvn +, makeWrapper, pkg-config +, gawk, gnutls, libgcrypt, nettools, openresolv, perl +, opensslSupport ? false, openssl # Distributing this is a GPL violation. +}: stdenv.mkDerivation { pname = "vpnc"; 
@@ -20,22 +24,22 @@ stdenv.mkDerivation { # `ifconfig' as found in net-tools (not GNU Inetutils). propagatedBuildInputs = [ nettools ]; - nativeBuildInputs = [ makeWrapper ]; - buildInputs = [libgcrypt perl openssl ]; + nativeBuildInputs = [ makeWrapper ] + ++ lib.optional (!opensslSupport) pkg-config; + buildInputs = [ libgcrypt perl ] + ++ (if opensslSupport then [ openssl ] else [ gnutls ]); makeFlags = [ "PREFIX=$(out)" "ETCDIR=$(out)/etc/vpnc" "SCRIPT_PATH=$(out)/etc/vpnc/vpnc-script" - ]; + ] ++ lib.optional opensslSupport "OPENSSL_GPL_VIOLATION=yes"; postPatch = '' patchShebangs makeman.pl ''; preConfigure = '' - sed -i 's|^#OPENSSL|OPENSSL|g' Makefile - substituteInPlace "vpnc-script" \ --replace "which" "type -P" \ --replace "awk" "${gawk}/bin/awk" \ @@ -56,11 +60,10 @@ stdenv.mkDerivation { cp README nortel.txt ChangeLog $out/share/doc/vpnc/ ''; - meta = { + meta = with lib; { homepage = "https://www.unix-ag.uni-kl.de/~massar/vpnc/"; description = "Virtual private network (VPN) client for Cisco's VPN concentrators"; - license = lib.licenses.gpl2Plus; - - platforms = lib.platforms.linux; + license = if opensslSupport then licenses.unfree else licenses.gpl2Plus; + platforms = platforms.linux; }; } -- cgit 1.4.1 From 665344f14839ea286a7aeb329fbf4f44da268ce4 Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Mon, 2 Aug 2021 21:42:45 +0200 Subject: lib/types: Introduce types.raw for unprocessed values --- lib/tests/modules.sh | 6 +++++ lib/tests/modules/raw.nix | 30 ++++++++++++++++++++++ lib/types.nix | 7 +++++ .../doc/manual/development/option-types.section.md | 11 ++++++++ .../from_md/development/option-types.section.xml | 19 ++++++++++++++ 5 files changed, 73 insertions(+) create mode 100644 lib/tests/modules/raw.nix (limited to 'nixos/doc') diff --git a/lib/tests/modules.sh b/lib/tests/modules.sh index 88d152d3935..a1c592cf4ef 100755 --- a/lib/tests/modules.sh +++ b/lib/tests/modules.sh 
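Review bot: Nothing in the new build asserts that the GnuTLS path was actually taken — `buildInputs` swaps in `gnutls` and `pkg-config` is added, but if vpnc's Makefile does not detect GnuTLS it may build a vpnc without the TLS-backed (presumably hybrid/certificate) authentication rather than fail, which would only surface when a user's certificate-based connection breaks; whether upstream hard-fails in that case is worth confirming. A cheap guard in an `installCheckPhase`, e.g. grepping `$out/bin/vpnc --version` for the supported auth methods if it prints them, or checking that `libgnutls` is linked, would pin it. The `++ lib.optional (!opensslSupport) pkg-config` line would also read better with a short why-comment, `# pkg-config is how vpnc's Makefile locates GnuTLS`, since it otherwise looks like an unrelated tool being toggled.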
@@ -293,6 +293,12 @@ checkConfigOutput "{ }" config.submodule.a ./emptyValues.nix checkConfigError 'The option .int.a. is used but not defined' config.int.a ./emptyValues.nix checkConfigError 'The option .nonEmptyList.a. is used but not defined' config.nonEmptyList.a ./emptyValues.nix +## types.raw +checkConfigOutput "{ foo = ; }" config.unprocessedNesting ./raw.nix +checkConfigOutput "10" config.processedToplevel ./raw.nix +checkConfigError "The option .multiple. is defined multiple times" config.multiple ./raw.nix +checkConfigOutput "bar" config.priorities ./raw.nix + cat < + + + types.raw + + + + A type which doesn’t do any checking, merging or nested + evaluation. It accepts a single arbitrary value that is not + recursed into, making it useful for values coming from + outside the module system, such as package sets or arbitrary + data. Options of this type are still evaluated according to + priorities and conditionals, so mkForce, + mkIf and co. still work on the option + value itself, but not for any value nested within it. This + type should only be used when checking, merging and nested + evaluation are not desirable. + + + types.attrs -- cgit 1.4.1 From 2c9c903192e382adbccb6401ffd48c69ac546bc1 Mon Sep 17 00:00:00 2001 From: Eric Bailey Date: Tue, 22 Feb 2022 11:31:35 -0600 Subject: kops: 1.22.2 -> 1.22.4 --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 12 ++++++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 ++ pkgs/applications/networking/cluster/kops/default.nix | 4 ++-- 3 files changed, 16 insertions(+), 2 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 4acdcd7d60f..0c7539e71e2 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
@@ -50,6 +50,18 @@ granular distinction between reloads and restarts. + + + kops + defaults to 1.22.4, which will enable + Instance + Metadata Service Version 2 and require tokens on new + clusters with Kubernetes 1.22. This will increase security by + default, but may break some types of workloads. See the + release + notes for details. + +
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index e81bdd884d0..fd54af7fb4b 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -19,6 +19,8 @@ In addition to numerous new and upgraded packages, this release has the followin - systemd services can now set [systemd.services.\.reloadTriggers](#opt-systemd.services) instead of `reloadIfChanged` for a more granular distinction between reloads and restarts. +- [`kops`](https://kops.sigs.k8s.io) defaults to 1.22.4, which will enable [Instance Metadata Service Version 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) and require tokens on new clusters with Kubernetes 1.22. This will increase security by default, but may break some types of workloads. See the [release notes](https://kops.sigs.k8s.io/releases/1.22-notes/) for details. + ## New Services {#sec-release-22.05-new-services} - [aesmd](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw), the Intel SGX Architectural Enclave Service Manager. Available as [services.aesmd](#opt-services.aesmd.enable). diff --git a/pkgs/applications/networking/cluster/kops/default.nix b/pkgs/applications/networking/cluster/kops/default.nix index b7a7ab3c5d9..d4a02b6ab9e 100644 --- a/pkgs/applications/networking/cluster/kops/default.nix +++ b/pkgs/applications/networking/cluster/kops/default.nix @@ -65,8 +65,8 @@ rec { }; kops_1_22 = mkKops rec { - version = "1.22.2"; - sha256 = "sha256-9LT4/iwlPFiz+hUHE0y8DK8T9xwL9HkrrFUXrEqKbM8="; + version = "1.22.4"; + sha256 = "sha256-osU7yI77ZALGrAGuP8qAgv+ogDRn+BSVmcjPbi/WEKE="; rev = "v${version}"; }; } -- cgit 1.4.1 From 753a43caf07790a923d8f6394744f1c5b0eb8ee4 Mon Sep 17 00:00:00 2001 
From: Florian Klink Date: Tue, 22 Feb 2022 23:14:17 +0100 Subject: nixos/doc: improve release notes for iptables-nft and systemd with nftables backend This change probably wasn't documented sufficiently in the release notes, neither the fact systemd stopped using iptables on its own in case of nf_tables support. Fixes #156041. --- .../from_md/release-notes/rl-2111.section.xml | 22 ++++++++++++++++++++-- nixos/doc/manual/release-notes/rl-2111.section.md | 10 +++++++++- 2 files changed, 29 insertions(+), 3 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index 59da373f38e..fc253a7a8b0 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -26,8 +26,26 @@ - iptables now uses - nf_tables backend. + iptables is now using + nf_tables under the hood, by using + iptables-nft, similar to + Debian + and + Fedora. + This means, ip[6]tables, + arptables and ebtables + commands will actually show rules from some specific tables in + the nf_tables kernel subsystem. + + + + + systemd got an nftables backend, and + configures (networkd) rules in their own + io.systemd.* tables. Check + nft list ruleset to see these rules, not + iptables-save (which only shows + iptables-created rules. diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index 1b59842e020..2f667a7eb56 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md 
@@ -8,7 +8,15 @@ In addition to numerous new and upgraded packages, this release has the followin - Nix has been updated to version 2.4, reference its [release notes](https://discourse.nixos.org/t/nix-2-4-released/15822) for more information on what has changed. The previous version of Nix, 2.3.16, remains available for the time being in the `nix_2_3` package. -- `iptables` now uses `nf_tables` backend. +- `iptables` is now using `nf_tables` under the hood, by using `iptables-nft`, + similar to [Debian](https://wiki.debian.org/nftables#Current_status) and + [Fedora](https://fedoraproject.org/wiki/Changes/iptables-nft-default). + This means, `ip[6]tables`, `arptables` and `ebtables` commands will actually + show rules from some specific tables in the `nf_tables` kernel subsystem. + +- systemd got an `nftables` backend, and configures (networkd) rules in their + own `io.systemd.*` tables. Check `nft list ruleset` to see these rules, not + `iptables-save` (which only shows `iptables`-created rules. - PHP now defaults to PHP 8.0, updated from 7.4. -- cgit 1.4.1 From f48ff2a079b10a25c063a9002b079dfe1987538b Mon Sep 17 00:00:00 2001 From: Shahar Dawn Or Date: Mon, 29 Nov 2021 15:37:44 +0700 Subject: add `/usr` neededForBoot entry to 21.11 release notes --- nixos/doc/manual/from_md/release-notes/rl-2111.section.xml | 11 +++++++++++ nixos/doc/manual/release-notes/rl-2111.section.md | 3 +++ 2 files changed, 14 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index 59da373f38e..58b7c1e802d 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml 
@@ -1429,6 +1429,17 @@ Superuser created successfully. knob. + + + /usr will always be included in the initial + ramdisk. See the + fileSystems.<name>.neededForBoot + option. If any files exist under /usr + (which is not typical for NixOS), they will be included in the + initial ramdisk, increasing its size to a possibly problematic + extent. + +
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index 1b59842e020..6fe838d1e7a 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md @@ -419,6 +419,9 @@ In addition to numerous new and upgraded packages, this release has the followin - The Linux kernel for security reasons now restricts access to BPF syscalls via `BPF_UNPRIV_DEFAULT_OFF=y`. Unprivileged access can be reenabled via the `kernel.unprivileged_bpf_disabled` sysctl knob. +- `/usr` will always be included in the initial ramdisk. See the `fileSystems..neededForBoot` option. + If any files exist under `/usr` (which is not typical for NixOS), they will be included in the initial ramdisk, increasing its size to a possibly problematic extent. + ## Other Notable Changes {#sec-release-21.11-notable-changes} -- cgit 1.4.1 From 72957a2dc0c0307c3dc0e9c13457d9fa15c60bcc Mon Sep 17 00:00:00 2001 From: zseri Date: Fri, 11 Feb 2022 14:26:07 +0100 Subject: element-desktop: make keytar optional --- .../from_md/release-notes/rl-2205.section.xml | 10 ++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 4 ++++ .../instant-messengers/element/element-desktop.nix | 27 ++++++++++++++++++---- .../instant-messengers/element/keytar/default.nix | 4 ++++ .../instant-messengers/element/seshat/default.nix | 7 ++++-- 5 files changed, 46 insertions(+), 6 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 612846122a7..a2a38da2b73 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
@@ -917,6 +917,16 @@ true. + + + The element-desktop package now has an + useKeytar option (defaults to + true), which allows disabling + keytar and in turn + libsecret usage (which binds to native + credential managers / keychain libraries). + + The option services.thelounge.plugins has diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index a8017f26708..aed8f1b1dd5 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -307,6 +307,10 @@ In addition to numerous new and upgraded packages, this release has the followin using `fetchgit` or `fetchhg` if the argument `fetchSubmodules` is set to `true`. +- The `element-desktop` package now has an `useKeytar` option (defaults to `true`), + which allows disabling `keytar` and in turn `libsecret` usage + (which binds to native credential managers / keychain libraries). + - The option `services.thelounge.plugins` has been added to allow installing plugins for The Lounge. Plugins can be found in `pkgs.theLoungePlugins.plugins` and `pkgs.theLoungePlugins.themes`. - The `firmwareLinuxNonfree` package has been renamed to `linux-firmware`. diff --git a/pkgs/applications/networking/instant-messengers/element/element-desktop.nix b/pkgs/applications/networking/instant-messengers/element/element-desktop.nix index d9683740667..c9b45b2f8b6 100644 --- a/pkgs/applications/networking/instant-messengers/element/element-desktop.nix +++ b/pkgs/applications/networking/instant-messengers/element/element-desktop.nix 
@@ -13,12 +13,15 @@ , AppKit , CoreServices , desktopToDarwinBundle +, useKeytar ? true }: let pinData = lib.importJSON ./pin.json; executableName = "element-desktop"; electron_exec = if stdenv.isDarwin then "${electron}/Applications/Electron.app/Contents/MacOS/Electron" else "${electron}/bin/electron"; + keytar = callPackage ./keytar { inherit Security AppKit; }; + seshat = callPackage ./seshat { inherit CoreServices; }; in mkYarnPackage rec { pname = "element-desktop"; @@ -39,8 +42,7 @@ mkYarnPackage rec { nativeBuildInputs = [ makeWrapper ] ++ lib.optionals stdenv.isDarwin [ desktopToDarwinBundle ]; - seshat = callPackage ./seshat { inherit CoreServices; }; - keytar = callPackage ./keytar { inherit Security AppKit; }; + inherit seshat; buildPhase = '' runHook preBuild @@ -51,12 +53,14 @@ mkYarnPackage rec { node ./scripts/copy-res.js popd rm -rf node_modules/matrix-seshat node_modules/keytar - ln -s $keytar node_modules/keytar + ${lib.optionalString useKeytar "ln -s ${keytar} node_modules/keytar"} ln -s $seshat node_modules/matrix-seshat runHook postBuild ''; installPhase = '' + runHook preInstall + # resources mkdir -p "$out/share/element" ln -s '${element-web}' "$out/share/element/webapp" @@ -83,6 +87,8 @@ mkYarnPackage rec { --set LD_PRELOAD ${sqlcipher}/lib/libsqlcipher.so \ --add-flags "$out/share/element/electron" \ --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform --ozone-platform=wayland}}" + + runHook postInstall ''; # Do not attempt generating a tarball for element-web again. 
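Review bot: Disabling keytar silently removes the OS-keychain backing for Element's local storage-encryption key, and neither the `useKeytar ? true` parameter nor the release note says what Element does without it: after `rm -rf node_modules/matrix-seshat node_modules/keytar` the conditional `ln -s` now leaves no keytar module behind when `useKeytar = false`, so the at-rest protection of the E2EE session then depends on whatever fallback upstream has for a failed `require('keytar')` — something this hunk does not show and that should be confirmed. A comment next to the parameter would make the trade-off explicit, e.g. `# keytar stores Element's local-store encryption key in the system keychain via libsecret; without it Element falls back to its built-in, less protected key handling — confirm current upstream behaviour before turning this off.` The same caveat belongs in the release-note entry, which currently presents the switch purely as a dependency-trimming option.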
@@ -107,7 +113,20 @@ mkYarnPackage rec { ''; }; - passthru.updateScript = ./update.sh; + passthru = { + updateScript = ./update.sh; + + # TL;DR: keytar is optional while seshat isn't. + # + # This prevents building keytar when `useKeytar` is set to `false`, because + # if libsecret is unavailable (e.g. set to `null` or fails to build), then + # this package wouldn't even considered for building because + # "one of the dependencies failed to build", + # although the dependency wouldn't even be used. + # + # It needs to be `passthru` anyways because other packages do depend on it. + inherit keytar; + }; meta = with lib; { description = "A feature-rich client for Matrix.org"; diff --git a/pkgs/applications/networking/instant-messengers/element/keytar/default.nix b/pkgs/applications/networking/instant-messengers/element/keytar/default.nix index ae9627afe30..292b0dfa075 100644 --- a/pkgs/applications/networking/instant-messengers/element/keytar/default.nix +++ b/pkgs/applications/networking/instant-messengers/element/keytar/default.nix @@ -28,6 +28,7 @@ in stdenv.mkDerivation rec { }; buildPhase = '' + runHook preBuild cp ${./yarn.lock} ./yarn.lock chmod u+w . ./yarn.lock export HOME=$PWD/tmp @@ -37,16 +38,19 @@ in stdenv.mkDerivation rec { yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive patchShebangs node_modules/ node_modules/.bin/node-gyp rebuild + runHook postBuild ''; doCheck = false; installPhase = '' + runHook preInstall shopt -s extglob rm -rf node_modules rm -rf $HOME mkdir -p $out cp -r ./!(build) $out install -D -t $out/build/Release build/Release/keytar.node + runHook postInstall ''; } diff --git a/pkgs/applications/networking/instant-messengers/element/seshat/default.nix b/pkgs/applications/networking/instant-messengers/element/seshat/default.nix index de38c7a90ba..5017f853117 100644 --- a/pkgs/applications/networking/instant-messengers/element/seshat/default.nix 
+++ b/pkgs/applications/networking/instant-messengers/element/seshat/default.nix @@ -27,6 +27,7 @@ in rustPlatform.buildRustPackage rec { }; buildPhase = '' + runHook preBuild cd .. chmod u+w . ./yarn.lock export HOME=$PWD/tmp @@ -36,16 +37,18 @@ in rustPlatform.buildRustPackage rec { yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive patchShebangs node_modules/ node_modules/.bin/neon build --release + runHook postBuild ''; doCheck = false; installPhase = '' + runHook preInstall shopt -s extglob rm -rf native/!(index.node) - rm -rf node_modules - rm -rf $HOME + rm -rf node_modules $HOME cp -r . $out + runHook postInstall ''; cargoSha256 = pinData.cargoHash; -- cgit 1.4.1 From 5f9b2148b775d50027882d82e2a337864aa8882c Mon Sep 17 00:00:00 2001 From: Dustin Frisch Date: Thu, 24 Feb 2022 15:15:36 +0100 Subject: nixos/k40-whisperer: module init --- .../from_md/release-notes/rl-2205.section.xml | 9 +++++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 ++ nixos/modules/module-list.nix | 1 + nixos/modules/programs/k40-whisperer.nix | 40 ++++++++++++++++++++++ 4 files changed, 52 insertions(+) create mode 100644 nixos/modules/programs/k40-whisperer.nix (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index a6c3fdd1ed2..645b4ac5574 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -145,6 +145,15 @@ services.maddy. + + + K40-Whisperer, + a program to control cheap Chinese laser cutters. Available as + programs.k40-whisperer.enable. + Users must add themselves to the k40 group + to be able to access the device. + + mtr-exporter, diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index d55a45f8b2b..542fb24abbd 100644 
--- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -45,6 +45,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [maddy](https://maddy.email), a composable all-in-one mail server. Available as [services.maddy](options.html#opt-services.maddy.enable). +- [K40-Whisperer](https://www.scorchworks.com/K40whisperer/k40whisperer.html), a program to control cheap Chinese laser cutters. Available as [programs.k40-whisperer.enable](options.html#opt-programs.k4-whisperer.enable). Users must add themselves to the `k40` group to be able to access the device. + - [mtr-exporter](https://github.com/mgumz/mtr-exporter), a Prometheus exporter for mtr metrics. Available as [services.mtr-exporter](options.html#opt-services.mtr-exporter.enable). - [tetrd](https://tetrd.app), share your internet connection from your device to your PC and vice versa through a USB cable. Available at [services.tetrd](#opt-services.tetrd.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 351fcf7cdbb..28974c17ec7 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -167,6 +167,7 @@ ./programs/iftop.nix ./programs/iotop.nix ./programs/java.nix + ./programs/k40-whisperer.nix ./programs/kdeconnect.nix ./programs/kbdlight.nix ./programs/less.nix diff --git a/nixos/modules/programs/k40-whisperer.nix b/nixos/modules/programs/k40-whisperer.nix new file mode 100644 index 00000000000..3163e45f57e --- /dev/null +++ b/nixos/modules/programs/k40-whisperer.nix 
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.programs.k40-whisperer;
+ pkg = cfg.package.override {
+ udevGroup = cfg.group;
+ };
+in
+{
+ options.programs.k40-whisperer = {
+ enable = mkEnableOption "K40-Whisperer";
+
+ group = mkOption {
+ type = types.str;
+ description = ''
+ Group assigned to the device when connected.
+ '';
+ default = "k40";
+ };
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.k40-whisperer;
+ defaultText = literalExpression "pkgs.k40-whisperer";
+ example = literalExpression "pkgs.k40-whisperer";
+ description = ''
+ K40 Whisperer package to use.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.groups.${cfg.group} = {};
+
+ environment.systemPackages = [ pkg ];
+ services.udev.packages = [ pkg ];
+ };
+}
-- cgit 1.4.1
From bf021cf990178161f1fe7440250904c80a6f5865 Mon Sep 17 00:00:00 2001 From: Markus Kowalewski Date: Thu, 24 Feb 2022 17:10:58 +0100 Subject: nixos/release-notes: fix typos in 22.05 section. --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 6 +++--- nixos/doc/manual/release-notes/rl-2205.section.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'nixos/doc')
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 645b4ac5574..27fbd68a6f3 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -98,7 +98,7 @@ FRRouting, a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VVRP and others). Available as
- services.frr
+ services.frr
@@ -205,7 +205,7 @@ moosefs, fault tolerant petabyte distributed file system. Available as
- moosefs.
+ moosefs.
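Review bot: The `group` option's description does not say what membership of that group actually grants: the module itself only creates the group and installs the package's udev rules (`services.udev.packages = [ pkg ]`, with `udevGroup = cfg.group` passed through the override), so presumably a rule inside the package hands the cutter's USB device node to this group — confirm against the package. I would expand it to `Group that is granted access to the laser cutter's USB device through the package's udev rules. The group is created by this module; users must be added to it manually.` and, since the name is free-form (`types.str`), add a sentence warning that pointing it at a broad group such as `users` or `wheel` gives every member raw device access. Separately, the release-note link in this commit's `rl-2205.section.md` hunk targets `opt-programs.k4-whisperer.enable` (the `0` is missing) and will not resolve.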
@@ -1046,7 +1046,7 @@ The option - services.networking.networkmanager.enableFccUnlock + services.networking.networkmanager.enableFccUnlock was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager daemon no longer automatically performs the FCC unlock procedure by default. See diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 542fb24abbd..388ddc67fb2 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -31,7 +31,7 @@ In addition to numerous new and upgraded packages, this release has the followin - [apfs](https://github.com/linux-apfs/linux-apfs-rw), a kernel module for mounting the Apple File System (APFS). -- [FRRouting](https://frrouting.org/), a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VVRP and others). Available as [services.frr](#opt-services.ffr.babel.enable) +- [FRRouting](https://frrouting.org/), a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VVRP and others). Available as [services.frr](#opt-services.frr.babel.enable) - [heisenbridge](https://github.com/hifi/heisenbridge), a bouncer-style Matrix IRC bridge. Available as [services.heisenbridge](options.html#opt-services.heisenbridge.enable). @@ -60,7 +60,7 @@ In addition to numerous new and upgraded packages, this release has the followin - [BaGet](https://loic-sharma.github.io/BaGet/), a lightweight NuGet and symbol server. Available at [services.baget](#opt-services.baget.enable). - [moosefs](https://moosefs.com), fault tolerant petabyte distributed file system. - Available as [moosefs](#opt-services.moosefs). + Available as [moosefs](#opt-services.moosefs.client.enable). - [prosody-filer](https://github.com/ThomasLeister/prosody-filer), a server for handling XMPP HTTP Upload requests. Available at [services.prosody-filer](#opt-services.prosody-filer.enable). 
@@ -344,7 +344,7 @@ In addition to numerous new and upgraded packages, this release has the followin Using the old option name will still work, but produce a warning. - The option - [services.networking.networkmanager.enableFccUnlock](#opt-services.networking.networkmanager.enableFccUnlock) + [services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock) was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager daemon no longer automatically performs the FCC unlock procedure by default. See [the docs](https://modemmanager.org/docs/modemmanager/fcc-unlock/) for more details. -- cgit 1.4.1 From 5aebf5097b34f8ff2c3de64a7a3d85a9c2d1e6a1 Mon Sep 17 00:00:00 2001 From: Markus Kowalewski Date: Thu, 24 Feb 2022 17:11:30 +0100 Subject: nixos/manual: add 22.05 section to list --- nixos/doc/manual/release-notes/release-notes.xml | 1 + 1 file changed, 1 insertion(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/release-notes/release-notes.xml b/nixos/doc/manual/release-notes/release-notes.xml index 74ca57850ea..216fea67775 100644 --- a/nixos/doc/manual/release-notes/release-notes.xml +++ b/nixos/doc/manual/release-notes/release-notes.xml @@ -8,6 +8,7 @@ This section lists the release notes for each stable version of NixOS and current unstable revision. + -- cgit 1.4.1 From 9abf72f229f355c14dc4e332fa16ca8f1d36c1d5 Mon Sep 17 00:00:00 2001 From: Jörg Thalheim Date: Mon, 21 Feb 2022 09:21:12 +0100 Subject: bird1: drop package + modules reason: no longer maintained upstream. --- .../from_md/release-notes/rl-2205.section.xml | 8 + nixos/doc/manual/release-notes/rl-2205.section.md | 2 + nixos/modules/services/networking/bird.nix | 184 ++++++++++----------- nixos/tests/bird.nix | 131 +++------------ pkgs/servers/bird/default.nix | 78 +++------ pkgs/top-level/aliases.nix | 3 + pkgs/top-level/all-packages.nix | 3 +- 7 files changed, 156 insertions(+), 253 deletions(-) (limited to 'nixos/doc') 
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 27fbd68a6f3..34912773161 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -546,6 +546,14 @@ tilp2 was removed together with its module + + + bird1 and its modules + services.bird as well as + services.bird6 have been removed. Upgrade + to services.bird2. + + The options diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 388ddc67fb2..fb5e1975912 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -178,6 +178,8 @@ In addition to numerous new and upgraded packages, this release has the followin - `tilp2` was removed together with its module +- `bird1` and its modules `services.bird` as well as `services.bird6` have been removed. Upgrade to `services.bird2`. + - The options `networking.interfaces..ipv4.routes` and `networking.interfaces..ipv6.routes` are no longer ignored when using networkd instead of the default scripted network backend by setting `networking.useNetworkd` to `true`. - MultiMC has been replaced with the fork PolyMC due to upstream developers being hostile to 3rd party package maintainers. PolyMC removes all MultiMC branding and is aimed at providing proper 3rd party packages like the one contained in Nixpkgs. This change affects the data folder where game instances and other save and configuration files are stored. Users with existing installations should rename `~/.local/share/multimc` to `~/.local/share/polymc`. The main config file's path has also moved from `~/.local/share/multimc/multimc.cfg` to `~/.local/share/polymc/polymc.cfg`. diff --git a/nixos/modules/services/networking/bird.nix b/nixos/modules/services/networking/bird.nix index fc06cdaa6e5..54c75906742 100644 
--- a/nixos/modules/services/networking/bird.nix +++ b/nixos/modules/services/networking/bird.nix 
@@ -3,103 +3,103 @@ let inherit (lib) mkEnableOption mkIf mkOption optionalString types; - generic = variant: - let - cfg = config.services.${variant}; - pkg = pkgs.${variant}; - birdBin = if variant == "bird6" then "bird6" else "bird"; - birdc = if variant == "bird6" then "birdc6" else "birdc"; - descr = - { bird = "1.6.x with IPv4 support"; - bird6 = "1.6.x with IPv6 support"; - bird2 = "2.x"; - }.${variant}; - in { - ###### interface - options = { - services.${variant} = { - enable = mkEnableOption "BIRD Internet Routing Daemon (${descr})"; - config = mkOption { - type = types.lines; - description = '' - BIRD Internet Routing Daemon configuration file. - - ''; - }; - checkConfig = mkOption { - type = types.bool; - default = true; - description = '' - Whether the config should be checked at build time. - When the config can't be checked during build time, for example when it includes - other files, either disable this option or use preCheckConfig to create - the included files before checking. - ''; - }; - preCheckConfig = mkOption { - type = types.lines; - default = ""; - example = '' - echo "cost 100;" > include.conf - ''; - description = '' - Commands to execute before the config file check. The file to be checked will be - available as ${variant}.conf in the current directory. + cfg = config.services.bird2; +in +{ + ###### interface + options = { + services.bird2 = { + enable = mkEnableOption "BIRD Internet Routing Daemon"; + config = mkOption { + type = types.lines; + description = '' + BIRD Internet Routing Daemon configuration file. + + ''; + }; + checkConfig = mkOption { + type = types.bool; + default = true; + description = '' + Whether the config should be checked at build time. + When the config can't be checked during build time, for example when it includes + other files, either disable this option or use preCheckConfig to create + the included files before checking. 
+ ''; + }; + preCheckConfig = mkOption { + type = types.lines; + default = ""; + example = '' + echo "cost 100;" > include.conf + ''; + description = '' + Commands to execute before the config file check. The file to be checked will be + available as bird2.conf in the current directory. - Files created with this option will not be available at service runtime, only during - build time checking. - ''; - }; - }; + Files created with this option will not be available at service runtime, only during + build time checking. + ''; }; + }; + }; - ###### implementation - config = mkIf cfg.enable { - environment.systemPackages = [ pkg ]; - environment.etc."bird/${variant}.conf".source = pkgs.writeTextFile { - name = "${variant}.conf"; - text = cfg.config; - checkPhase = optionalString cfg.checkConfig '' - ln -s $out ${variant}.conf - ${cfg.preCheckConfig} - ${pkg}/bin/${birdBin} -d -p -c ${variant}.conf - ''; - }; + imports = [ + (lib.mkRemovedOptionModule [ "services" "bird" ] "Use services.bird2 instead") + (lib.mkRemovedOptionModule [ "services" "bird6" ] "Use services.bird2 instead") + ]; - systemd.services.${variant} = { - description = "BIRD Internet Routing Daemon (${descr})"; - wantedBy = [ "multi-user.target" ]; - reloadIfChanged = true; - restartTriggers = [ config.environment.etc."bird/${variant}.conf".source ]; - serviceConfig = { - Type = "forking"; - Restart = "on-failure"; - ExecStart = "${pkg}/bin/${birdBin} -c /etc/bird/${variant}.conf -u ${variant} -g ${variant}"; - ExecReload = "/bin/sh -c '${pkg}/bin/${birdBin} -c /etc/bird/${variant}.conf -p && ${pkg}/bin/${birdc} configure'"; - ExecStop = "${pkg}/bin/${birdc} down"; - CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_FOWNER" "CAP_DAC_OVERRIDE" "CAP_SETUID" "CAP_SETGID" - # see bird/sysdep/linux/syspriv.h - "CAP_NET_BIND_SERVICE" "CAP_NET_BROADCAST" "CAP_NET_ADMIN" "CAP_NET_RAW" ]; - ProtectSystem = "full"; - ProtectHome = "yes"; - SystemCallFilter="~@cpu-emulation @debug @keyring @module @mount @obsolete 
@raw-io"; - MemoryDenyWriteExecute = "yes"; - }; - }; - users = { - users.${variant} = { - description = "BIRD Internet Routing Daemon user"; - group = variant; - isSystemUser = true; - }; - groups.${variant} = {}; - }; - }; - }; + ###### implementation + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.bird ]; -in + environment.etc."bird/bird2.conf".source = pkgs.writeTextFile { + name = "bird2"; + text = cfg.config; + checkPhase = optionalString cfg.checkConfig '' + ln -s $out bird2.conf + ${cfg.preCheckConfig} + ${pkgs.bird}/bin/bird -d -p -c bird2.conf + ''; + }; -{ - imports = map generic [ "bird" "bird6" "bird2" ]; + systemd.services.bird2 = { + description = "BIRD Internet Routing Daemon"; + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + restartTriggers = [ config.environment.etc."bird/bird2.conf".source ]; + serviceConfig = { + Type = "forking"; + Restart = "on-failure"; + ExecStart = "${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -u bird2 -g bird2"; + ExecReload = "/bin/sh -c '${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -p && ${pkgs.bird}/bin/birdc configure'"; + ExecStop = "${pkgs.bird}/bin/birdc down"; + CapabilityBoundingSet = [ + "CAP_CHOWN" + "CAP_FOWNER" + "CAP_DAC_OVERRIDE" + "CAP_SETUID" + "CAP_SETGID" + # see bird/sysdep/linux/syspriv.h + "CAP_NET_BIND_SERVICE" + "CAP_NET_BROADCAST" + "CAP_NET_ADMIN" + "CAP_NET_RAW" + ]; + ProtectSystem = "full"; + ProtectHome = "yes"; + SystemCallFilter = "~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io"; + MemoryDenyWriteExecute = "yes"; + }; + }; + users = { + users.bird2 = { + description = "BIRD Internet Routing Daemon user"; + group = "bird2"; + isSystemUser = true; + }; + groups.bird2 = { }; + }; + }; } diff --git a/nixos/tests/bird.nix b/nixos/tests/bird.nix index 50d397be14e..befcf4fb8ac 100644 --- a/nixos/tests/bird.nix +++ b/nixos/tests/bird.nix 
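Review bot: The description of `services.bird2.config` at the top of the hunk does not say that the value is rendered with `pkgs.writeTextFile` and therefore lands in the world-readable Nix store (and under `/etc/bird/bird2.conf`), so operators have no warning against putting protocol session passwords into it; append to the description something like `Note that this file is placed in the world-readable Nix store, so do not put secrets in it.`. The implementation repeats `pkgs.bird` five times (systemPackages, checkPhase, ExecStart, ExecReload, ExecStop); a single `let pkg = pkgs.bird;` binding, or a `package` option as other modules provide, would keep the reference in one place and let users swap the package. The module's argument header on lines 1-2 is outside the hunk.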
@@ -9,7 +9,7 @@ let
   inherit (import ../lib/testing-python.nix { inherit system pkgs; }) makeTest;
   inherit (pkgs.lib) optionalString;
 
-  hostShared = hostId: { pkgs, ... }: {
+  makeBird2Host = hostId: { pkgs, ... }: {
     virtualisation.vlans = [ 1 ];
     environment.systemPackages = with pkgs; [ jq ];
 
@@ -24,105 +24,6 @@ let name = "eth1"; networkConfig.Address = "10.0.0.${hostId}/24"; }; - }; - - birdTest = v4: - let variant = "bird${optionalString (!v4) "6"}"; in - makeTest { - name = variant; - - nodes.host1 = makeBirdHost variant "1"; - nodes.host2 = makeBirdHost variant "2"; - - testScript = makeTestScript variant v4 (!v4); - }; - - bird2Test = makeTest { - name = "bird2"; - - nodes.host1 = makeBird2Host "1"; - nodes.host2 = makeBird2Host "2"; - - testScript = makeTestScript "bird2" true true; - }; - - makeTestScript = variant: v4: v6: '' - start_all() - - host1.wait_for_unit("${variant}.service") - host2.wait_for_unit("${variant}.service") - - ${optionalString v4 '' - with subtest("Waiting for advertised IPv4 routes"): - host1.wait_until_succeeds("ip --json r | jq -e 'map(select(.dst == \"10.10.0.2\")) | any'") - host2.wait_until_succeeds("ip --json r | jq -e 'map(select(.dst == \"10.10.0.1\")) | any'") - ''} - ${optionalString v6 '' - with subtest("Waiting for advertised IPv6 routes"): - host1.wait_until_succeeds("ip --json -6 r | jq -e 'map(select(.dst == \"fdff::2\")) | any'") - host2.wait_until_succeeds("ip --json -6 r | jq -e 'map(select(.dst == \"fdff::1\")) | any'") - ''} - - with subtest("Check fake routes in preCheckConfig do not exists"): - ${optionalString v4 ''host1.fail("ip --json r | jq -e 'map(select(.dst == \"1.2.3.4\")) | any'")''} - ${optionalString v4 ''host2.fail("ip --json r | jq -e 'map(select(.dst == \"1.2.3.4\")) | any'")''} - - ${optionalString v6 ''host1.fail("ip --json -6 r | jq -e 'map(select(.dst == \"fd00::\")) | any'")''} - ${optionalString v6 ''host2.fail("ip --json -6 r | jq -e 'map(select(.dst == \"fd00::\")) | any'")''} - ''; - - makeBirdHost = variant: hostId: { pkgs, ... 
}: { - imports = [ (hostShared hostId) ]; - - services.${variant} = { - enable = true; - - config = '' - log syslog all; - - debug protocols all; - - router id 10.0.0.${hostId}; - - protocol device { - } - - protocol kernel { - import none; - export all; - } - - protocol static { - include "static.conf"; - } - - protocol ospf { - export all; - area 0 { - interface "eth1" { - hello 5; - wait 5; - }; - }; - } - ''; - - preCheckConfig = - let - route = { bird = "1.2.3.4/32"; bird6 = "fd00::/128"; }.${variant}; - in - ''echo "route ${route} blackhole;" > static.conf''; - }; - - systemd.tmpfiles.rules = - let - route = { bird = "10.10.0.${hostId}/32"; bird6 = "fdff::${hostId}/128"; }.${variant}; - in - [ "f /etc/bird/static.conf - - - - route ${route} blackhole;" ]; - }; - - makeBird2Host = hostId: { pkgs, ... }: { - imports = [ (hostShared hostId) ]; services.bird2 = { enable = true; 
@@ -198,8 +99,30 @@ let ]; }; in -{ - bird = birdTest true; - bird6 = birdTest false; - bird2 = bird2Test; +makeTest { + name = "bird2"; + + nodes.host1 = makeBird2Host "1"; + nodes.host2 = makeBird2Host "2"; + + testScript = '' + start_all() + + host1.wait_for_unit("bird2.service") + host2.wait_for_unit("bird2.service") + + with subtest("Waiting for advertised IPv4 routes"): + host1.wait_until_succeeds("ip --json r | jq -e 'map(select(.dst == \"10.10.0.2\")) | any'") + host2.wait_until_succeeds("ip --json r | jq -e 'map(select(.dst == \"10.10.0.1\")) | any'") + with subtest("Waiting for advertised IPv6 routes"): + host1.wait_until_succeeds("ip --json -6 r | jq -e 'map(select(.dst == \"fdff::2\")) | any'") + host2.wait_until_succeeds("ip --json -6 r | jq -e 'map(select(.dst == \"fdff::1\")) | any'") + + with subtest("Check fake routes in preCheckConfig do not exists"): + host1.fail("ip --json r | jq -e 'map(select(.dst == \"1.2.3.4\")) | any'") + host2.fail("ip --json r | jq -e 'map(select(.dst == \"1.2.3.4\")) | any'") + + host1.fail("ip --json -6 r | jq -e 'map(select(.dst == \"fd00::\")) | any'") + host2.fail("ip --json -6 r | jq -e 'map(select(.dst == \"fd00::\")) | any'") + ''; } diff --git a/pkgs/servers/bird/default.nix b/pkgs/servers/bird/default.nix index f87ff8c664d..25936771211 100644 --- a/pkgs/servers/bird/default.nix +++ b/pkgs/servers/bird/default.nix 
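Review bot: `inherit (pkgs.lib) optionalString;` (context in this file's first hunk, `@@ -9,7 +9,7 @@`) is now dead, since every `optionalString` call was inside the removed `makeTestScript` and `makeBirdHost` definitions; drop that line so the test file does not carry an unused binding. The subtest title `"Check fake routes in preCheckConfig do not exists"` is copied over verbatim and only appears in test output, so it can be corrected to `do not exist` here without affecting anything else. The `let` block that this hunk closes starts outside the hunk.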
@@ -1,66 +1,34 @@ { lib, stdenv, fetchurl, fetchpatch, flex, bison, readline, libssh, nixosTests }: -with lib; +stdenv.mkDerivation rec { + pname = "bird"; + version = "2.0.9"; -let - - generic = { version, sha256, enableIPv6 ? false }: - stdenv.mkDerivation rec { - pname = "bird"; - inherit version; - - src = fetchurl { - inherit sha256; - url = "ftp://bird.network.cz/pub/bird/${pname}-${version}.tar.gz"; - }; - - nativeBuildInputs = [ flex bison ]; - buildInputs = [ readline libssh ]; - - patches = [ - (./. + "/dont-create-sysconfdir-${builtins.substring 0 1 version}.patch") - ] - ++ optional (lib.versionOlder version "2") - # https://github.com/BIRD/bird/pull/4 - (fetchpatch { - url = "https://github.com/BIRD/bird/commit/fca9ab48e3823c734886f47156a92f6b804c16e9.patch"; - sha256 = "1pnndc3n56lqqcy74ln0w5kn3i9rbzsm2dqiyp1qw7j33dpkln1b"; - }) - ; - - CPP="${stdenv.cc.targetPrefix}cpp -E"; - - configureFlags = [ - "--localstatedir=/var" - ] ++ optional enableIPv6 "--enable-ipv6"; + src = fetchurl { + sha256 = "sha256-dnhrvN7TBh4bsiGwEfLMACIewGPenNoASn2bBhoJbV4="; + url = "ftp://bird.network.cz/pub/bird/${pname}-${version}.tar.gz"; + }; - passthru.tests = nixosTests.bird; + nativeBuildInputs = [ flex bison ]; + buildInputs = [ readline libssh ]; - meta = { - description = "BIRD Internet Routing Daemon"; - homepage = "http://bird.network.cz"; - license = licenses.gpl2Plus; - maintainers = with maintainers; [ fpletz globin ]; - platforms = platforms.linux; - }; - }; + patches = [ + (./. 
+ "/dont-create-sysconfdir-${builtins.substring 0 1 version}.patch") + ]; -in + CPP="${stdenv.cc.targetPrefix}cpp -E"; -{ - bird = generic { - version = "1.6.8"; - sha256 = "1ch0pkkhd7axdjlvhprynh9q08x0nm984nvkm1cjb7gm5rfsnqbc"; - }; + configureFlags = [ + "--localstatedir=/var" + ]; - bird6 = generic { - version = "1.6.8"; - sha256 = "1ch0pkkhd7axdjlvhprynh9q08x0nm984nvkm1cjb7gm5rfsnqbc"; - enableIPv6 = true; - }; + passthru.tests = nixosTests.bird; - bird2 = generic { - version = "2.0.9"; - sha256 = "sha256-dnhrvN7TBh4bsiGwEfLMACIewGPenNoASn2bBhoJbV4="; + meta = with lib; { + description = "BIRD Internet Routing Daemon"; + homepage = "http://bird.network.cz"; + license = licenses.gpl2Plus; + maintainers = with maintainers; [ fpletz globin ]; + platforms = platforms.linux; }; } diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index 954eee637b5..4604edf10b2 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -110,6 +110,8 @@ mapAliases ({ bridge_utils = bridge-utils; # Added 2015-02-20 bro = zeek; # Added 2019-09-29 btrfsProgs = btrfs-progs; # Added 2016-01-03 + bird2 = bird; + bird6 = throw "bird6 was dropped. Use bird instead, which has support for both ipv4/ipv6"; # bitwarden_rs renamed to vaultwarden with release 1.21.0 (2021-04-30) bitwarden_rs = vaultwarden; @@ -118,6 +120,7 @@ mapAliases ({ bitwarden_rs-sqlite = vaultwarden-sqlite; bitwarden_rs-vault = vaultwarden-vault; + blink = throw "blink has been removed from nixpkgs, it was unmaintained and required python2 at the time of removal."; # Added 2022-01-12 bs1770gain = throw "bs1770gain has been removed from nixpkgs, as it had no maintainer or reverse dependencies."; # Added 2021-01-02 bsod = throw "bsod has been removed: deleted by upstream"; # Added 2022-01-07 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 6c49c8cbc5f..7de4393416e 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
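Review bot: `passthru.tests = nixosTests.bird;` now resolves to a single test derivation rather than an attribute set, because nixos/tests/bird.nix in this commit returns the result of one `makeTest` call instead of `{ bird; bird6; bird2; }`; `passthru.tests` is conventionally an attribute set of tests, so `passthru.tests = { inherit (nixosTests) bird; };` keeps tooling that iterates over it working. `fetchpatch` stays in the argument set on the first context line although its only use disappeared with the 1.x branch; remove it from the arguments. `CPP="${stdenv.cc.targetPrefix}cpp -E";` keeps the old spacing while the rest of the derivation was reformatted, so `CPP = "${stdenv.cc.targetPrefix}cpp -E";` would match.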
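Review bot: `bird2 = bird;` and the `bird6 = throw ...` line in the first aliases.nix hunk lack the `# Added YYYY-MM-DD` marker that every neighbouring alias in this file carries (e.g. `btrfsProgs = btrfs-progs; # Added 2016-01-03`); the date is what lets the alias be retired on schedule, so append it, e.g. `bird2 = bird; # Added <date of this commit>`. The `blink` line in the second hunk already follows the convention.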
@@ -21018,8 +21018,7 @@ with pkgs; dnsutils = bind.dnsutils; dig = bind.dnsutils; - inherit (callPackages ../servers/bird { }) - bird bird6 bird2; + bird = callPackage ../servers/bird { }; bosun = callPackage ../servers/monitoring/bosun { }; -- cgit 1.4.1 From 066a581a80c0939423ff8b2d4b451a07ea8e5865 Mon Sep 17 00:00:00 2001 From: K900 Date: Wed, 23 Feb 2022 10:26:30 +0300 Subject: nixos/doc: add release note for makeDesktopItem changes --- .../from_md/release-notes/rl-2205.section.xml | 64 ++++++++++++++++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 12 ++++ 2 files changed, 76 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 56f9f60f3eb..0760a781ea3 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -746,6 +746,70 @@ false. + + + pkgs.makeDesktopItem has been refactored to + provide a more idiomatic API. Specifically: + + + + + All valid options as of FDO Desktop Entry specification + version 1.4 can now be passed in as explicit arguments + + + + + exec can now be null, for entries that + are not of type Application + + + + + mimeType argument is renamed to + mimeTypes for consistency + + + + + mimeTypes, + categories, + implements, + keywords, onlyShowIn + and notShowIn take lists of strings + instead of one string with semicolon separators + + + + + extraDesktopEntries renamed to + extraConfig for consistency + + + + + Actions should now be provided as an attrset + actions, the Actions + line will be autogenerated. + + + + + extraEntries is removed. + + + + + Additional validation is added both at eval time and at + build time. + + + + + See the vscode package for a more detailed + example. + +
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 2994facffc9..2a931cd7fd6 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -231,6 +231,18 @@ In addition to numerous new and upgraded packages, this release has the followin pipewire-media-session is deprecated by upstream and not recommended, but can still be manually enabled by setting `services.pipewire.media-session.enable` to `true` and `services.pipewire.wireplumber.enable` to `false`. +- `pkgs.makeDesktopItem` has been refactored to provide a more idiomatic API. Specifically: + - All valid options as of FDO Desktop Entry specification version 1.4 can now be passed in as explicit arguments + - `exec` can now be null, for entries that are not of type Application + - `mimeType` argument is renamed to `mimeTypes` for consistency + - `mimeTypes`, `categories`, `implements`, `keywords`, `onlyShowIn` and `notShowIn` take lists of strings instead of one string with semicolon separators + - `extraDesktopEntries` renamed to `extraConfig` for consistency + - Actions should now be provided as an attrset `actions`, the `Actions` line will be autogenerated. + - `extraEntries` is removed. + - Additional validation is added both at eval time and at build time. + + See the `vscode` package for a more detailed example. + ## Other Notable Changes {#sec-release-22.05-notable-changes} -- cgit 1.4.1 From 03fbc3ea99fa1b5379a68019cf81267bcd403db2 Mon Sep 17 00:00:00 2001 From: Maciej Krüger Date: Sat, 26 Feb 2022 14:18:25 +0100 Subject: release-notes: mention pgadmin --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 14 ++++++++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 4 ++++ 2 files changed, 18 insertions(+) (limited to 'nixos/doc') 
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 0760a781ea3..a6bd453b35d 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -122,6 +122,13 @@ services.powerdns-admin. + + + pgadmin4, + an admin interface for the PostgreSQL database. Available at + services.pgadmin. + + input-remapper, @@ -623,6 +630,13 @@ otelcorecol and enjoy a 7x smaller binary. + + + pkgs.pgadmin now refers to + pkgs.pgadmin4. If you still need pgadmin3, + use pkgs.pgadmin3. + + pkgs.noto-fonts-cjk is now deprecated in diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 2a931cd7fd6..8f5b4789a42 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -39,6 +39,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin), a web interface for the PowerDNS server. Available at [services.powerdns-admin](options.html#opt-services.powerdns-admin.enable). +- [pgadmin4](https://github.com/postgres/pgadmin4), an admin interface for the PostgreSQL database. Available at [services.pgadmin](options.html#opt-services.pgadmin.enable). + - [input-remapper](https://github.com/sezanzeb/input-remapper), an easy to use tool to change the mapping of your input device buttons. Available at [services.input-remapper](options.html#opt-services.input-remapper.enable). - [InvoicePlane](https://invoiceplane.com), web application for managing and creating invoices. Available at [services.invoiceplane](options.html#opt-services.invoiceplane.enable). 
@@ -198,6 +200,8 @@ In addition to numerous new and upgraded packages, this release has the followin you should change the package you refer to. If you don't need them update your commands from `otelcontribcol` to `otelcorecol` and enjoy a 7x smaller binary. +- `pkgs.pgadmin` now refers to `pkgs.pgadmin4`. + If you still need pgadmin3, use `pkgs.pgadmin3`. - `pkgs.noto-fonts-cjk` is now deprecated in favor of `pkgs.noto-fonts-cjk-sans` and `pkgs.noto-fonts-cjk-serif` because they each have different release -- cgit 1.4.1 From 6a96ddb67509064c2d445b3fae73d4c4c38c539d Mon Sep 17 00:00:00 2001 From: Minijackson Date: Sat, 10 Apr 2021 16:04:35 +0200 Subject: pkgs-lib: Implement settings format for Elixir --- .../manual/development/settings-options.section.md | 45 +++++ .../development/settings-options.section.xml | 104 +++++++++++ pkgs/pkgs-lib/formats.nix | 207 +++++++++++++++++++++ 3 files changed, 356 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/development/settings-options.section.md b/nixos/doc/manual/development/settings-options.section.md index 58a3d8448af..f9bb6ff9cc4 100644 --- a/nixos/doc/manual/development/settings-options.section.md +++ b/nixos/doc/manual/development/settings-options.section.md 
@@ -66,6 +66,45 @@ have a predefined type and string generator already declared under and returning a set with TOML-specific attributes `type` and `generate` as specified [below](#pkgs-formats-result). +`pkgs.formats.elixirConf { elixir ? pkgs.elixir }` + +: A function taking an attribute set with values + + `elixir` + + : The Elixir package which will be used to format the generated output + + It returns a set with Elixir-Config-specific attributes `type`, `lib`, and + `generate` as specified [below](#pkgs-formats-result). + + The `lib` attribute contains functions to be used in settings, for + generating special Elixir values: + + `mkRaw elixirCode` + + : Outputs the given string as raw Elixir code + + `mkGetEnv { envVariable, fallback ? null }` + + : Makes the configuration fetch an environment variable at runtime + + `mkAtom atom` + + : Outputs the given string as an Elixir atom, instead of the default + Elixir binary string. Note: lowercase atoms still needs to be prefixed + with `:` + + `mkTuple array` + + : Outputs the given array as an Elixir tuple, instead of the default + Elixir list + + `mkMap attrset` + + : Outputs the given attribute set as an Elixir map, instead of the + default Elixir keyword list + + ::: {#pkgs-formats-result} These functions all return an attribute set with these values: ::: @@ -74,6 +113,12 @@ These functions all return an attribute set with these values: : A module system type representing a value of the format +`lib` + +: Utility functions for convenience, or special interactions with the format. + This attribute is optional. It may contain inside a `types` attribute + containing types specific to this format. + `generate` *`filename jsonValue`* : A function that can render a value of the format to a file. Returns diff --git a/nixos/doc/manual/from_md/development/settings-options.section.xml b/nixos/doc/manual/from_md/development/settings-options.section.xml index c9430b77579..746011a2d07 100644 
--- a/nixos/doc/manual/from_md/development/settings-options.section.xml +++ b/nixos/doc/manual/from_md/development/settings-options.section.xml @@ -137,6 +137,97 @@ + + + pkgs.formats.elixirConf { elixir ? pkgs.elixir } + + + + A function taking an attribute set with values + + + + + elixir + + + + The Elixir package which will be used to format the + generated output + + + + + + It returns a set with Elixir-Config-specific attributes + type, lib, and + generate as specified + below. + + + The lib attribute contains functions to + be used in settings, for generating special Elixir values: + + + + + mkRaw elixirCode + + + + Outputs the given string as raw Elixir code + + + + + + mkGetEnv { envVariable, fallback ? null } + + + + Makes the configuration fetch an environment variable + at runtime + + + + + + mkAtom atom + + + + Outputs the given string as an Elixir atom, instead of + the default Elixir binary string. Note: lowercase + atoms still needs to be prefixed with + : + + + + + + mkTuple array + + + + Outputs the given array as an Elixir tuple, instead of + the default Elixir list + + + + + + mkMap attrset + + + + Outputs the given attribute set as an Elixir map, + instead of the default Elixir keyword list + + + + + + These functions all return an attribute set with these values: @@ -152,6 +243,19 @@ + + + lib + + + + Utility functions for convenience, or special interactions + with the format. This attribute is optional. It may contain + inside a types attribute containing types + specific to this format. + + + generate diff --git a/pkgs/pkgs-lib/formats.nix b/pkgs/pkgs-lib/formats.nix index 5e17519d4ce..495a7094f9b 100644 --- a/pkgs/pkgs-lib/formats.nix +++ b/pkgs/pkgs-lib/formats.nix 
@@ -14,6 +14,15 @@ rec { # The description needs to be overwritten for recursive types type = ...; + # Utility functions for convenience, or special interactions with the + # format (optional) + lib = { + exampleFunction = ... + # Types specific to the format (optional) + types = { ... }; + ... + }; + # generate :: Name -> Value -> Path # A function for generating a file with a value of such a type generate = ...; 
@@ -147,4 +156,202 @@ rec { ''; }; + + /* For configurations of Elixir project, like config.exs or runtime.exs + + Most Elixir project are configured using the [Config] Elixir DSL + + Since Elixir has more types than Nix, we need a way to map Nix types to + more than 1 Elixir type. To that end, this format provides its own library, + and its own set of types. + + To be more detailed, a Nix attribute set could correspond in Elixir to a + [Keyword list] (the more common type), or it could correspond to a [Map]. + + A Nix string could correspond in Elixir to a [String] (also called + "binary"), an [Atom], or a list of chars (usually discouraged). + + A Nix array could correspond in Elixir to a [List] or a [Tuple]. + + Some more types exists, like records, regexes, but since they are less used, + we can leave the `mkRaw` function as an escape hatch. + + For more information on how to use this format in modules, please refer to + the Elixir section of the Nixos documentation. + + TODO: special Elixir values doesn't show up nicely in the documentation + + [Config]: + [Keyword list]: + [Map]: + [String]: + [Atom]: + [List]: + [Tuple]: + */ + elixirConf = { elixir ? pkgs.elixir }: + with lib; let + toElixir = value: with builtins; + if value == null then "nil" else + if value == true then "true" else + if value == false then "false" else + if isInt value || isFloat value then toString value else + if isString value then string value else + if isAttrs value then attrs value else + if isList value then list value else + abort "formats.elixirConf: should never happen (value = ${value})"; + + escapeElixir = escape [ "\\" "#" "\"" ]; + string = value: "\"${escapeElixir value}\""; + + attrs = set: + if set ? 
_elixirType then specialType set + else + let + toKeyword = name: value: "${name}: ${toElixir value}"; + keywordList = concatStringsSep ", " (mapAttrsToList toKeyword set); + in + "[" + keywordList + "]"; + + listContent = values: concatStringsSep ", " (map toElixir values); + + list = values: "[" + (listContent values) + "]"; + + specialType = { value, _elixirType }: + if _elixirType == "raw" then value else + if _elixirType == "atom" then value else + if _elixirType == "map" then elixirMap value else + if _elixirType == "tuple" then tuple value else + abort "formats.elixirConf: should never happen (_elixirType = ${_elixirType})"; + + elixirMap = set: + let + toEntry = name: value: "${toElixir name} => ${toElixir value}"; + entries = concatStringsSep ", " (mapAttrsToList toEntry set); + in + "%{${entries}}"; + + tuple = values: "{${listContent values}}"; + + toConf = values: + let + keyConfig = rootKey: key: value: + "config ${rootKey}, ${key}, ${toElixir value}"; + keyConfigs = rootKey: values: mapAttrsToList (keyConfig rootKey) values; + rootConfigs = flatten (mapAttrsToList keyConfigs values); + in + '' + import Config + + ${concatStringsSep "\n" rootConfigs} + ''; + in + { + type = with lib.types; let + valueType = nullOr + (oneOf [ + bool + int + float + str + (attrsOf valueType) + (listOf valueType) + ]) // { + description = "Elixir value"; + }; + in + attrsOf (attrsOf (valueType)); + + lib = + let + mkRaw = value: { + inherit value; + _elixirType = "raw"; + }; + + in + { + inherit mkRaw; + + /* Fetch an environment variable at runtime, with optional fallback + */ + mkGetEnv = { envVariable, fallback ? null }: + mkRaw "System.get_env(${toElixir envVariable}, ${toElixir fallback})"; + + /* Make an Elixir atom. + + Note: lowercase atoms still need to be prefixed by ':' + */ + mkAtom = value: { + inherit value; + _elixirType = "atom"; + }; + + /* Make an Elixir tuple out of a list. 
+ */ + mkTuple = value: { + inherit value; + _elixirType = "tuple"; + }; + + /* Make an Elixir map out of an attribute set. + */ + mkMap = value: { + inherit value; + _elixirType = "map"; + }; + + /* Contains Elixir types. Every type it exports can also be replaced + by raw Elixir code (i.e. every type is `either type rawElixir`). + + It also reexports standard types, wrapping them so that they can + also be raw Elixir. + */ + types = with lib.types; let + isElixirType = type: x: (x._elixirType or "") == type; + + rawElixir = mkOptionType { + name = "rawElixir"; + description = "raw elixir"; + check = isElixirType "raw"; + }; + + elixirOr = other: either other rawElixir; + in + { + inherit rawElixir elixirOr; + + atom = elixirOr (mkOptionType { + name = "elixirAtom"; + description = "elixir atom"; + check = isElixirType "atom"; + }); + + tuple = elixirOr (mkOptionType { + name = "elixirTuple"; + description = "elixir tuple"; + check = isElixirType "tuple"; + }); + + map = elixirOr (mkOptionType { + name = "elixirMap"; + description = "elixir map"; + check = isElixirType "map"; + }); + # Wrap standard types, since anything in the Elixir configuration + # can be raw Elixir + } // lib.mapAttrs (_name: type: elixirOr type) lib.types; + }; + + generate = name: value: pkgs.runCommandNoCC name + { + value = toConf value; + passAsFile = [ "value" ]; + nativeBuildInputs = [ elixir ]; + } '' + cp "$valuePath" "$out" + mix format "$out" + ''; + }; + } -- cgit 1.4.1 From 0c766a100e416611807a184ee35a0edbd11b15a4 Mon Sep 17 00:00:00 2001 
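Review bot: The fallback `abort "formats.elixirConf: should never happen (value = ${value})"` in `toElixir` interpolates the offending value, which itself fails for the values that can reach this branch (a function cannot be coerced to a string), so the intended message is never shown; use `${builtins.typeOf value}` there instead. The trailing `// lib.mapAttrs (_name: type: elixirOr type) lib.types` wraps every attribute of `lib.types`, including constructors such as `listOf`/`attrsOf` and helpers like `mkOptionType` that are functions rather than types; unless I am misreading `either`, those entries become unusable as soon as their `check` or `description` is touched, so restrict the wrapping to real option types (e.g. filter with `isOptionType`). The header comment should also state that `generate` writes the rendered configuration into a store path, so secrets belong in `mkGetEnv` lookups rather than in the settings, and that attribute names at both levels and keyword-list keys are spliced in verbatim as Elixir code (`config ${rootKey}, ${key}, ...`), so a root key has to be written already in atom form such as `":my_app"`.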
From: Janne Heß Date: Wed, 16 Jun 2021 12:27:47 +0200 Subject: lib/options: Throw error for options without a type Makes all options rendered in the manual throw an error if they don't have a type specified. This is a follow-up to #76184 Co-Authored-By: Silvan Mosberger --- lib/options.nix | 2 +- nixos/doc/manual/development/option-declarations.section.md | 7 ++++--- .../manual/from_md/development/option-declarations.section.xml | 8 +++++--- nixos/lib/make-options-doc/mergeJSON.py | 9 ++++++++- 4 files changed, 18 insertions(+), 8 deletions(-) (limited to 'nixos/doc') diff --git a/lib/options.nix b/lib/options.nix index 627aac24d2f..9efc1249e58 100644 --- a/lib/options.nix +++ b/lib/options.nix @@ -231,7 +231,7 @@ rec { then true else opt.visible or true; readOnly = opt.readOnly or false; - type = opt.type.description or null; + type = opt.type.description or "unspecified"; } // optionalAttrs (opt ? example) { example = scrubOptionValue opt.example; } // optionalAttrs (opt ? default) { default = scrubOptionValue opt.default; } diff --git a/nixos/doc/manual/development/option-declarations.section.md b/nixos/doc/manual/development/option-declarations.section.md index fff06e1ea5b..cb5043b528f 100644 --- a/nixos/doc/manual/development/option-declarations.section.md +++ b/nixos/doc/manual/development/option-declarations.section.md @@ -27,9 +27,10 @@ The function `mkOption` accepts the following arguments. `type` -: The type of the option (see [](#sec-option-types)). It may be - omitted, but that's not advisable since it may lead to errors that - are hard to diagnose. +: The type of the option (see [](#sec-option-types)). This + argument is mandatory for nixpkgs modules. Setting this is highly + recommended for the sake of documentation and type checking. In case it is + not set, a fallback type with unspecified behavior is used. `default` 
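Review bot: `type = opt.type.description or "unspecified";` introduces a sentinel string that `nixos/lib/make-options-doc/mergeJSON.py` in the next hunk of this commit compares against with `v.value.get('type', "unspecified") == "unspecified"`, so the two files must agree on the literal; a comment on this line keeps the coupling visible, e.g. `# "unspecified" is matched by nixos/lib/make-options-doc/mergeJSON.py`. A type whose own description happened to be the word `unspecified` would be reported as missing, which is unlikely but worth noting in that comment. The attribute set this line belongs to starts outside the hunk.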
diff --git a/nixos/doc/manual/from_md/development/option-declarations.section.xml b/nixos/doc/manual/from_md/development/option-declarations.section.xml index 0eeffae628e..c7b62192158 100644 --- a/nixos/doc/manual/from_md/development/option-declarations.section.xml +++ b/nixos/doc/manual/from_md/development/option-declarations.section.xml @@ -38,9 +38,11 @@ options = { The type of the option (see - ). It may be omitted, but - that’s not advisable since it may lead to errors that are hard - to diagnose. + ). This argument is + mandatory for nixpkgs modules. Setting this is highly + recommended for the sake of documentation and type checking. + In case it is not set, a fallback type with unspecified + behavior is used. diff --git a/nixos/lib/make-options-doc/mergeJSON.py b/nixos/lib/make-options-doc/mergeJSON.py index 029787a3158..8e2ea322dc8 100644 --- a/nixos/lib/make-options-doc/mergeJSON.py +++ b/nixos/lib/make-options-doc/mergeJSON.py @@ -66,14 +66,21 @@ for (k, v) in overrides.items(): elif ov is not None or cur.get(ok, None) is None: cur[ok] = ov +severity = "error" if warningsAreErrors else "warning" + # check that every option has a description hasWarnings = False for (k, v) in options.items(): if v.value.get('description', None) is None: - severity = "error" if warningsAreErrors else "warning" hasWarnings = True print(f"\x1b[1;31m{severity}: option {v.name} has no description\x1b[0m", file=sys.stderr) v.value['description'] = "This option has no description." + if v.value.get('type', "unspecified") == "unspecified": + hasWarnings = True + print( + f"\x1b[1;31m{severity}: option {v.name} has no type. Please specify a valid type, see " + + "https://nixos.org/manual/nixos/stable/index.html#sec-option-types\x1b[0m", file=sys.stderr) + if hasWarnings and warningsAreErrors: print( "\x1b[1;31m" + -- cgit 1.4.1 From 5cbeddfde486ca5524baeaf3da6e8944075cf463 Mon Sep 17 00:00:00 2001 
From: Silvan Mosberger Date: Wed, 8 Dec 2021 19:02:29 +0100 Subject: lib.types: Introduce `types.optionType` This type correctly merges multiple option types together while also annotating them with file information. In a future commit this will be used for `_module.freeformType` --- lib/tests/modules.sh | 7 +++++ lib/tests/modules/optionTypeFile.nix | 28 +++++++++++++++++++ lib/tests/modules/optionTypeMerging.nix | 27 +++++++++++++++++++ lib/types.nix | 31 +++++++++++++++++++++- .../doc/manual/development/option-types.section.md | 7 +++++ .../from_md/development/option-types.section.xml | 14 ++++++++++ 6 files changed, 113 insertions(+), 1 deletion(-) create mode 100644 lib/tests/modules/optionTypeFile.nix create mode 100644 lib/tests/modules/optionTypeMerging.nix (limited to 'nixos/doc') diff --git a/lib/tests/modules.sh b/lib/tests/modules.sh index a1c592cf4ef..d11f32e5996 100755 --- a/lib/tests/modules.sh +++ b/lib/tests/modules.sh @@ -299,6 +299,13 @@ checkConfigOutput "10" config.processedToplevel ./raw.nix checkConfigError "The option .multiple. is defined multiple times" config.multiple ./raw.nix checkConfigOutput "bar" config.priorities ./raw.nix +# Test that types.optionType merges types correctly +checkConfigOutput '^10$' config.theOption.int ./optionTypeMerging.nix +checkConfigOutput '^"hello"$' config.theOption.str ./optionTypeMerging.nix + +# Test that types.optionType correctly annotates option locations +checkConfigError 'The option .theOption.nested. in .other.nix. is already declared in .optionTypeFile.nix.' config.theOption.nested ./optionTypeFile.nix + cat < + + + types.optionType + + + + The type of an option’s type. Its merging operation ensures + that nested options have the correct file location + annotated, and that if possible, multiple option definitions + are correctly merged together. The main use case is as the + type of the _module.freeformType option. + + + types.attrs -- cgit 1.4.1 
From 6a0b420d9445ccc5a7171a8f777449b144008711 Mon Sep 17 00:00:00 2001 From: Kartik Gokte Date: Wed, 2 Mar 2022 23:59:33 +0530 Subject: nixos/prometheus-pve-exporter: init at 2.2.2 --- .../from_md/release-notes/rl-2205.section.xml | 8 ++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 + .../services/monitoring/prometheus/exporters.nix | 1 + .../monitoring/prometheus/exporters/pve.nix | 118 +++++++++++++++++++++ nixos/tests/prometheus-exporters.nix | 21 ++++ 5 files changed, 150 insertions(+) create mode 100644 nixos/modules/services/monitoring/prometheus/exporters/pve.nix (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 04bb7ec12d3..95d8904666c 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -136,6 +136,14 @@ services.mtr-exporter. + + + prometheus-pve-exporter, + a tool that exposes information from the Proxmox VE API for + use by Prometheus. Available as + services.prometheus.exporters.pve. + + tetrd, share your diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index a2e8038ae1f..f97919417df 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -43,6 +43,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [mtr-exporter](https://github.com/mgumz/mtr-exporter), a Prometheus exporter for mtr metrics. Available as [services.mtr-exporter](options.html#opt-services.mtr-exporter.enable). +- [prometheus-pve-exporter](https://github.com/prometheus-pve/prometheus-pve-exporter), a tool that exposes information from the Proxmox VE API for use by Prometheus. Available as [services.prometheus.exporters.pve](options.html#opt-services.prometheus.exporters.pve). + - [tetrd](https://tetrd.app), share your internet connection from your device to your PC and vice versa through a USB cable. Available at [services.tetrd](#opt-services.tetrd.enable). - [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](options.html#opt-services.archisteamfarm.enable). diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index d29d50706ef..46e410f11d4 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -55,6 +55,7 @@ let "postfix" "postgres" "process" + "pve" "py-air-control" "redis" "rspamd" diff --git a/nixos/modules/services/monitoring/prometheus/exporters/pve.nix b/nixos/modules/services/monitoring/prometheus/exporters/pve.nix new file mode 100644 index 00000000000..ef708414c95 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/pve.nix 
@@ -0,0 +1,118 @@ +{ config, lib, pkgs, options }: + +with lib; +let + cfg = config.services.prometheus.exporters.pve; + + # pve exporter requires a config file so create an empty one if configFile is not provided + emptyConfigFile = pkgs.writeTextFile { + name = "pve.yml"; + text = "default:"; + }; + + computedConfigFile = "${if cfg.configFile == null then emptyConfigFile else cfg.configFile}"; +in +{ + port = 9221; + extraOpts = { + package = mkOption { + type = types.package; + default = pkgs.prometheus-pve-exporter; + defaultText = literalExpression "pkgs.prometheus-pve-exporter"; + example = literalExpression "pkgs.prometheus-pve-exporter"; + description = '' + The package to use for prometheus-pve-exporter + ''; + }; + + environmentFile = mkOption { + type = with types; nullOr path; + default = null; + example = "/etc/prometheus-pve-exporter/pve.env"; + description = '' + Path to the service's environment file. This path can either be a computed path in /nix/store or a path in the local filesystem. + + The environment file should NOT be stored in /nix/store as it contains passwords and/or keys in plain text. + + Environment reference: https://github.com/prometheus-pve/prometheus-pve-exporter#authentication + ''; + }; + + configFile = mkOption { + type = with types; nullOr path; + default = null; + example = "/etc/prometheus-pve-exporter/pve.yml"; + description = '' + Path to the service's config file. This path can either be a computed path in /nix/store or a path in the local filesystem. + + The config file should NOT be stored in /nix/store as it will contain passwords and/or keys in plain text. + + If both configFile and environmentFile are provided, the configFile option will be ignored. 
+ + Configuration reference: https://github.com/prometheus-pve/prometheus-pve-exporter/#authentication + ''; + }; + + collectors = { + status = mkOption { + type = types.bool; + default = true; + description = '' + Collect Node/VM/CT status + ''; + }; + version = mkOption { + type = types.bool; + default = true; + description = '' + Collect PVE version info + ''; + }; + node = mkOption { + type = types.bool; + default = true; + description = '' + Collect PVE node info + ''; + }; + cluster = mkOption { + type = types.bool; + default = true; + description = '' + Collect PVE cluster info + ''; + }; + resources = mkOption { + type = types.bool; + default = true; + description = '' + Collect PVE resources info + ''; + }; + config = mkOption { + type = types.bool; + default = true; + description = '' + Collect PVE onboot status + ''; + }; + }; + }; + serviceOpts = { + serviceConfig = { + ExecStart = '' + ${cfg.package}/bin/pve_exporter \ + --${if cfg.collectors.status == true then "" else "no-"}collector.status \ + --${if cfg.collectors.version == true then "" else "no-"}collector.version \ + --${if cfg.collectors.node == true then "" else "no-"}collector.node \ + --${if cfg.collectors.cluster == true then "" else "no-"}collector.cluster \ + --${if cfg.collectors.resources == true then "" else "no-"}collector.resources \ + --${if cfg.collectors.config == true then "" else "no-"}collector.config \ + ${computedConfigFile} \ + ${toString cfg.port} ${cfg.listenAddress} + ''; + } // optionalAttrs (cfg.environmentFile != null) { + EnvironmentFile = cfg.environmentFile; + }; + }; +} diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index 036c037e426..537809600bf 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix 
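Review bot: Both `environmentFile` and `configFile` are typed `nullOr path`, so a Nix path literal such as `./pve.env` given as the value is copied into the world-readable Nix store when it is interpolated into `EnvironmentFile` and `ExecStart`, which is exactly what the two descriptions warn against; only a string value keeps the file out of the store. Consider `type = with types; nullOr str;` for both options, or at least state in the descriptions that the value must be a string path rather than a path literal. The claim that `configFile` is ignored when `environmentFile` is set is not enforced by the module, since `${computedConfigFile}` is always passed on the command line, so it presumably describes the exporter's own precedence and should say so. Lastly, `if cfg.collectors.status == true then "" else "no-"` compares a bool with `true`; `if cfg.collectors.status then "" else "no-"` reads cleaner across the six collector flags.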
@@ -933,6 +933,27 @@ let ''; }; + pve = let + pveExporterEnvFile = pkgs.writeTextFile { + name = "pve.env"; + text = '' + PVE_USER="test_user@pam" + PVE_PASSWORD="hunter3" + PVE_VERIFY_SSL="false" + ''; + }; + in { + exporterConfig = { + enable = true; + environmentFile = pveExporterEnvFile; + }; + exporterTest = '' + wait_for_unit("prometheus-pve-exporter.service") + wait_for_open_port(9221) + wait_until_succeeds("curl localhost:9221") + ''; + }; + py-air-control = { nodeName = "py_air_control"; exporterConfig = { -- cgit 1.4.1 From 671a068a0166a5474e51b4d151b64250f8feaec8 Mon Sep 17 00:00:00 2001 From: Renaud Date: Wed, 2 Mar 2022 20:51:47 +0100 Subject: Remove F-PROT package and service module (EoL) (#160372) --- .../from_md/release-notes/rl-2205.section.xml | 7 ++ nixos/doc/manual/release-notes/rl-2205.section.md | 3 + nixos/modules/misc/ids.nix | 4 +- nixos/modules/module-list.nix | 1 - nixos/modules/rename.nix | 1 + nixos/modules/services/security/fprot.nix | 82 ---------------------- pkgs/tools/security/fprot/default.nix | 42 ----------- pkgs/top-level/all-packages.nix | 2 - 8 files changed, 13 insertions(+), 129 deletions(-) delete mode 100644 nixos/modules/services/security/fprot.nix delete mode 100644 pkgs/tools/security/fprot/default.nix (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index a6bd453b35d..4acf8195a8d 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -553,6 +553,13 @@ tilp2 was removed together with its module + + + The F-PROT antivirus (fprot package) and + its service module were removed because it reached + end-of-life. + + bird1 and its modules diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 8f5b4789a42..366f0552589 100644 
--- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -180,6 +180,9 @@ In addition to numerous new and upgraded packages, this release has the followin - `tilp2` was removed together with its module +- The F-PROT antivirus (`fprot` package) and its service module were removed because it + reached [end-of-life](https://kb.cyren.com/av-support/index.php?/Knowledgebase/Article/View/434/0/end-of-sale--end-of-life-for-f-prot-and-csam). + - `bird1` and its modules `services.bird` as well as `services.bird6` have been removed. Upgrade to `services.bird2`. - The options `networking.interfaces..ipv4.routes` and `networking.interfaces..ipv6.routes` are no longer ignored when using networkd instead of the default scripted network backend by setting `networking.useNetworkd` to `true`. diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 1b4105c676d..7d1faa50f4b 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -89,7 +89,7 @@ in prayer = 49; mpd = 50; clamav = 51; - fprot = 52; + #fprot = 52; # unused # bind = 53; #dynamically allocated as of 2021-09-03 wwwrun = 54; #adm = 55; # unused @@ -412,7 +412,7 @@ in prayer = 49; mpd = 50; clamav = 51; - fprot = 52; + #fprot = 52; # unused #bind = 53; # unused wwwrun = 54; adm = 55; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index fd6bd087fb7..c102f4c97ee 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -951,7 +951,6 @@ ./services/security/clamav.nix ./services/security/fail2ban.nix ./services/security/fprintd.nix - ./services/security/fprot.nix ./services/security/haka.nix ./services/security/haveged.nix ./services/security/hockeypuck.nix diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index d72ff1c6f17..195cf87e6a8 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix 
@@ -50,6 +50,7 @@ with lib; (mkRemovedOptionModule [ "services" "flashpolicyd" ] "The flashpolicyd module has been removed. Adobe Flash Player is deprecated.") (mkRemovedOptionModule [ "services" "fourStore" ] "The fourStore module has been removed") (mkRemovedOptionModule [ "services" "fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed") + (mkRemovedOptionModule [ "services" "fprot" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "frab" ] "The frab module has been removed") (mkRemovedOptionModule [ "services" "kippo" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "mailpile" ] "The corresponding package was removed from nixpkgs.") diff --git a/nixos/modules/services/security/fprot.nix b/nixos/modules/services/security/fprot.nix deleted file mode 100644 index df60d553e85..00000000000 --- a/nixos/modules/services/security/fprot.nix +++ /dev/null 
@@ -1,82 +0,0 @@ -{ config, lib, pkgs, ... }: -with lib; -let - fprotUser = "fprot"; - stateDir = "/var/lib/fprot"; - fprotGroup = fprotUser; - cfg = config.services.fprot; -in { - options = { - - services.fprot = { - updater = { - enable = mkEnableOption "automatic F-Prot virus definitions database updates"; - - productData = mkOption { - description = '' - product.data file. Defaults to the one supplied with installation package. - ''; - type = types.path; - }; - - frequency = mkOption { - default = 30; - type = types.int; - description = '' - Update virus definitions every X minutes. - ''; - }; - - licenseKeyfile = mkOption { - type = types.path; - description = '' - License keyfile. Defaults to the one supplied with installation package. - ''; - }; - - }; - }; - }; - - ###### implementation - - config = mkIf cfg.updater.enable { - - services.fprot.updater.productData = mkDefault "${pkgs.fprot}/opt/f-prot/product.data"; - services.fprot.updater.licenseKeyfile = mkDefault "${pkgs.fprot}/opt/f-prot/license.key"; - - environment.systemPackages = [ pkgs.fprot ]; - environment.etc."f-prot.conf" = { - source = "${pkgs.fprot}/opt/f-prot/f-prot.conf"; - }; - - users.users.${fprotUser} = - { uid = config.ids.uids.fprot; - description = "F-Prot daemon user"; - home = stateDir; - }; - - users.groups.${fprotGroup} = - { gid = config.ids.gids.fprot; }; - - services.cron.systemCronJobs = [ "*/${toString cfg.updater.frequency} * * * * root start fprot-updater" ]; - - systemd.services.fprot-updater = { - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = false; - }; - wantedBy = [ "multi-user.target" ]; - - # have to copy fpupdate executable because it insists on storing the virus database in the same dir - preStart = '' - mkdir -m 0755 -p ${stateDir} - chown ${fprotUser}:${fprotGroup} ${stateDir} - cp ${pkgs.fprot}/opt/f-prot/fpupdate ${stateDir} - ln -sf ${cfg.updater.productData} ${stateDir}/product.data - ''; - - script = "/var/lib/fprot/fpupdate --keyfile 
${cfg.updater.licenseKeyfile}"; - }; - }; -} diff --git a/pkgs/tools/security/fprot/default.nix b/pkgs/tools/security/fprot/default.nix deleted file mode 100644 index 6b930adcc26..00000000000 --- a/pkgs/tools/security/fprot/default.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ lib, stdenv, fetchurl }: - -stdenv.mkDerivation { - - pname = "f-prot"; - version = "6.2.1"; - - src = fetchurl { - url = "http://files.f-prot.com/files/unix-trial/fp-Linux.x86.32-ws.tar.gz"; - sha256 = "0qlsrkanf0inplwv1i6hqbimdg91syf5ggd1vahsm9lhivmnr0v5"; - }; - - installPhase = '' - mkdir -p $out/bin - cp fpscan $out/bin - - mkdir -p $out/opt/f-prot - cp fpupdate $out/opt/f-prot - cp product.data.default $out/opt/f-prot/product.data - cp license.key $out/opt/f-prot/ - cp f-prot.conf.default $out/opt/f-prot/f-prot.conf - ln -s $out/opt/f-prot/fpupdate $out/bin/fpupdate - - patchelf --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" $out/opt/f-prot/fpupdate - - mkdir -p $out/share/man/ - mkdir -p $out/share/man/man1 - cp doc/man/fpscan.1 $out/share/man/man1 - mkdir -p $out/share/man/man5 - cp doc/man/f-prot.conf.5 $out/share/man/man5 - mkdir -p $out/share/man/man8 - cp doc/man/fpupdate.8 $out/share/man/man8 - ''; - - meta = with lib; { - homepage = "http://www.f-prot.com"; - description = "A popular proprietary antivirus program"; - license = licenses.unfree; - maintainers = [ ]; - platforms = platforms.linux; - }; -} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 1de42284b3e..5359a2ef981 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5555,8 +5555,6 @@ with pkgs; fpm = callPackage ../tools/package-management/fpm { }; - fprot = callPackage ../tools/security/fprot { }; - fprintd = callPackage ../tools/security/fprintd { }; fprintd-tod = callPackage ../tools/security/fprintd/tod.nix { }; -- cgit 1.4.1 From 1def557525157481da42fbd153a00729cce32d87 Mon Sep 17 00:00:00 2001 
From: Janne Heß Date: Fri, 25 Feb 2022 14:32:44 +0100 Subject: nixos/switch-to-configuration: Document and test socket-activated services --- .../manual/development/unit-handling.section.md | 15 ++- .../from_md/development/unit-handling.section.xml | 22 ++-- .../system/activation/switch-to-configuration.pl | 9 +- nixos/tests/switch-test.nix | 143 ++++++++++++++++++++- 4 files changed, 169 insertions(+), 20 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/development/unit-handling.section.md b/nixos/doc/manual/development/unit-handling.section.md index d477f2c860f..bd4fe9e670f 100644 --- a/nixos/doc/manual/development/unit-handling.section.md +++ b/nixos/doc/manual/development/unit-handling.section.md 
@@ -41,17 +41,18 @@ checks: `RefuseManualStop` in the `[Unit]` section, and `X-OnlyManualStart` in the `[Unit]` section. - - The rest of the behavior is decided whether the unit has `X-StopIfChanged` - in the `[Service]` section set (exposed via + - Further behavior depends on the unit having `X-StopIfChanged` in the + `[Service]` section set to `true` (exposed via [systemd.services.\.stopIfChanged](#opt-systemd.services)). This is set to `true` by default and must be explicitly turned off if not wanted. If the flag is enabled, the unit is **stop**ped and then **start**ed. If not, the unit is **restart**ed. The goal of the flag is to make sure that the new unit never runs in the old environment which is still in place - before the activation script is run. + before the activation script is run. This behavior is different when the + service is socket-activated, as outlined in the following steps. - The last thing that is taken into account is whether the unit is a service - and socket-activated. Due to a bug, this is currently only done when - `X-StopIfChanged` is set. If the unit is socket-activated, the socket is - stopped and started, and the service is stopped and to be started by socket - activation. + and socket-activated. If `X-StopIfChanged` is **not** set, the service + is **restart**ed with the others. If it is set, both the service and the + socket are **stop**ped and the socket is **start**ed, leaving socket + activation to start the service when it's needed. diff --git a/nixos/doc/manual/from_md/development/unit-handling.section.xml b/nixos/doc/manual/from_md/development/unit-handling.section.xml index a6a654042f6..57c4754c001 100644 --- a/nixos/doc/manual/from_md/development/unit-handling.section.xml +++ b/nixos/doc/manual/from_md/development/unit-handling.section.xml 
@@ -88,9 +88,10 @@ - The rest of the behavior is decided whether the unit has + Further behavior depends on the unit having X-StopIfChanged in the - [Service] section set (exposed via + [Service] section set to + true (exposed via systemd.services.<name>.stopIfChanged). This is set to true by default and must be explicitly turned off if not wanted. If the flag is @@ -100,17 +101,22 @@ is restarted. The goal of the flag is to make sure that the new unit never runs in the old environment which is still in place before the - activation script is run. + activation script is run. This behavior is different when + the service is socket-activated, as outlined in the + following steps. The last thing that is taken into account is whether the - unit is a service and socket-activated. Due to a bug, this - is currently only done when - X-StopIfChanged is set. If the unit is - socket-activated, the socket is stopped and started, and the - service is stopped and to be started by socket activation. + unit is a service and socket-activated. If + X-StopIfChanged is + not set, the service is + restarted with the + others. If it is set, both the service and the socket are + stopped and the socket is + started, leaving socket + activation to start the service when it’s needed. diff --git a/nixos/modules/system/activation/switch-to-configuration.pl b/nixos/modules/system/activation/switch-to-configuration.pl index a8fe14c58f0..3a5ffe822ed 100644 --- a/nixos/modules/system/activation/switch-to-configuration.pl +++ b/nixos/modules/system/activation/switch-to-configuration.pl @@ -307,6 +307,7 @@ sub handleModifiedUnit { # seem to get applied on daemon-reload. } elsif ($unit =~ /\.mount$/) { # Reload the changed mount unit to force a remount. + # FIXME: only reload when Options= changed, restart otherwise $unitsToReload->{$unit} = 1; recordUnit($reloadListFile, $unit); } elsif ($unit =~ /\.socket$/) { 
@@ -339,7 +340,7 @@ sub handleModifiedUnit { # If this unit is socket-activated, then stop the # socket unit(s) as well, and restart the # socket(s) instead of the service. - my $socketActivated = 0; + my $socket_activated = 0; if ($unit =~ /\.service$/) { my @sockets = split(/ /, join(" ", @{$unitInfo{Service}{Sockets} // []})); if (scalar @sockets == 0) { @@ -347,13 +348,15 @@ sub handleModifiedUnit { } foreach my $socket (@sockets) { if (defined $activePrev->{$socket}) { + # We can now be sure this is a socket-activate unit + $unitsToStop->{$socket} = 1; # Only restart sockets that actually # exist in new configuration: if (-e "$out/etc/systemd/system/$socket") { $unitsToStart->{$socket} = 1; recordUnit($startListFile, $socket); - $socketActivated = 1; + $socket_activated = 1; } # Remove from units to reload so we don't restart and reload if ($unitsToReload->{$unit}) { @@ -368,7 +371,7 @@ sub handleModifiedUnit { # that this unit needs to be started below. # We write this to a file to ensure that the # service gets restarted if we're interrupted. - if (!$socketActivated) { + if (!$socket_activated) { $unitsToStart->{$unit} = 1; recordUnit($startListFile, $unit); } diff --git a/nixos/tests/switch-test.nix b/nixos/tests/switch-test.nix index b429babce83..090bbe298a4 100644 --- a/nixos/tests/switch-test.nix +++ b/nixos/tests/switch-test.nix 
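Review bot: The new `$unitsToStop->{$socket} = 1;` in the @@ -347 hunk sits before the `-e "$out/etc/systemd/system/$socket"` check, so a socket that is gone from the new configuration is stopped but never started, while the start and its `recordUnit` stay conditional; if that asymmetry is intended, the comment should say so instead of only `# We can now be sure this is a socket-activate unit` (also "socket-activated"). The rename to `$socket_activated` introduces snake_case next to `$unitsToStop`, `$activePrev` and `$startListFile`, which are camelCase; keeping `$socketActivated` would avoid a purely cosmetic diff in the @@ -339 and @@ -368 hunks. The enclosing `handleModifiedUnit` begins and ends outside these hunks.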
@@ -1,6 +1,46 @@ # Test configuration switching. -import ./make-test-python.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : let + + # Simple service that can either be socket-activated or that will + # listen on port 1234 if not socket-activated. + # A connection to the socket causes 'hello' to be written to the client. + socketTest = pkgs.writeScript "socket-test.py" /* python */ '' + #!${pkgs.python3}/bin/python3 + + from socketserver import TCPServer, StreamRequestHandler + import socket + import os + + + class Handler(StreamRequestHandler): + def handle(self): + self.wfile.write("hello".encode("utf-8")) + + + class Server(TCPServer): + def __init__(self, server_address, handler_cls): + listenFds = os.getenv('LISTEN_FDS') + if listenFds is None or int(listenFds) < 1: + print(f'Binding to {server_address}') + TCPServer.__init__( + self, server_address, handler_cls, bind_and_activate=True) + else: + TCPServer.__init__( + self, server_address, handler_cls, bind_and_activate=False) + # Override socket + print(f'Got activated by {os.getenv("LISTEN_FDNAMES")} ' + f'with {listenFds} FDs') + self.socket = socket.fromfd(3, self.address_family, + self.socket_type) + + + if __name__ == "__main__": + server = Server(("localhost", 1234), Handler) + server.serve_forever() + ''; + +in { name = "switch-test"; meta = with pkgs.lib.maintainers; { maintainers = [ gleber das_j ]; @@ -8,6 +48,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { nodes = { machine = { pkgs, lib, ... }: { + environment.systemPackages = [ pkgs.socat ]; # for the socket activation stuff users.mutableUsers = false; specialisation = rec { 
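Review bot: In the embedded `socket-test.py`, the activated branch calls `TCPServer.__init__(..., bind_and_activate=False)`, which still creates a socket object in `self.socket`, and then overwrites it with `socket.fromfd(3, ...)`, leaking the first one; closing it first with `self.socket.close()` or constructing the replacement with `socket.socket(fileno=3)` avoids that. The fixture also assumes the passed descriptor is always fd 3 and ignores `LISTEN_FDS` values above 1; a comment such as `# only the first passed fd is used` would make that a documented limitation rather than an accident. Both points concern the test fixture only, not the switch logic under test.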
@@ -231,6 +272,40 @@ import ./make-test-python.nix ({ pkgs, ...} : { systemd.services.reload-triggers-and-restart.serviceConfig.X-Modified = "test"; }; + simple-socket.configuration = { + systemd.services.socket-activated = { + description = "A socket-activated service"; + stopIfChanged = lib.mkDefault false; + serviceConfig = { + ExecStart = socketTest; + ExecReload = "${pkgs.coreutils}/bin/true"; + }; + }; + systemd.sockets.socket-activated = { + wantedBy = [ "sockets.target" ]; + listenStreams = [ "/run/test.sock" ]; + socketConfig.SocketMode = lib.mkDefault "0777"; + }; + }; + + simple-socket-service-modified.configuration = { + imports = [ simple-socket.configuration ]; + systemd.services.socket-activated.serviceConfig.X-Test = "test"; + }; + + simple-socket-stop-if-changed.configuration = { + imports = [ simple-socket.configuration ]; + systemd.services.socket-activated.stopIfChanged = true; + }; + + simple-socket-stop-if-changed-and-reloadtrigger.configuration = { + imports = [ simple-socket.configuration ]; + systemd.services.socket-activated = { + stopIfChanged = true; + reloadTriggers = [ "test" ]; + }; + }; + mount.configuration = { systemd.mounts = [ { 
@@ -676,7 +751,71 @@ import ./make-test-python.nix ({ pkgs, ...} : { assert_contains(out, "would reload the following units: reload-triggers.service, simple-reload-service.service\n") assert_contains(out, "would restart the following units: reload-triggers-and-restart-by-as.service, reload-triggers-and-restart.service, simple-restart-service.service, simple-service.service\n") assert_lacks(out, "\nwould start the following units:") - assert_lacks(out, "as well:") + + with subtest("socket-activated services"): + # Socket-activated services don't get started, just the socket + machine.fail("[ -S /run/test.sock ]") + out = switch_to_specialisation("${machine}", "simple-socket") + # assert_lacks(out, "stopping the following units:") nobody cares + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_lacks(out, "\nrestarting the following units:") + assert_lacks(out, "\nstarting the following units:") + assert_contains(out, "the following new units were started: socket-activated.socket\n") + machine.succeed("[ -S /run/test.sock ]") + + # Changing a non-activated service does nothing + out = switch_to_specialisation("${machine}", "simple-socket-service-modified") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_lacks(out, "\nrestarting the following units:") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + machine.succeed("[ -S /run/test.sock ]") + # The unit is properly activated when the socket is accessed + if machine.succeed("socat - UNIX-CONNECT:/run/test.sock") != "hello": + raise Exception("Socket was not properly activated") # idk how that would happen tbh + + # Changing an activated service with stopIfChanged=false restarts the service + out = switch_to_specialisation("${machine}", 
"simple-socket") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_contains(out, "\nrestarting the following units: socket-activated.service\n") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + machine.succeed("[ -S /run/test.sock ]") + # Socket-activation of the unit still works + if machine.succeed("socat - UNIX-CONNECT:/run/test.sock") != "hello": + raise Exception("Socket was not properly activated after the service was restarted") + + # Changing an activated service with stopIfChanged=true stops the service and + # socket and starts the socket + out = switch_to_specialisation("${machine}", "simple-socket-stop-if-changed") + assert_contains(out, "stopping the following units: socket-activated.service, socket-activated.socket\n") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_lacks(out, "\nrestarting the following units:") + assert_contains(out, "\nstarting the following units: socket-activated.socket\n") + assert_lacks(out, "the following new units were started:") + machine.succeed("[ -S /run/test.sock ]") + # Socket-activation of the unit still works + if machine.succeed("socat - UNIX-CONNECT:/run/test.sock") != "hello": + raise Exception("Socket was not properly activated after the service was restarted") + + # Changing a reload trigger of a socket-activated unit only reloads it + out = switch_to_specialisation("${machine}", "simple-socket-stop-if-changed-and-reloadtrigger") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_contains(out, "reloading the following units: socket-activated.service\n") + assert_lacks(out, "\nrestarting the following units:") + assert_lacks(out, "\nstarting the following 
units: socket-activated.socket") + assert_lacks(out, "the following new units were started:") + machine.succeed("[ -S /run/test.sock ]") + # Socket-activation of the unit still works + if machine.succeed("socat - UNIX-CONNECT:/run/test.sock") != "hello": + raise Exception("Socket was not properly activated after the service was restarted") with subtest("mounts"): switch_to_specialisation("${machine}", "mount") -- cgit 1.4.1 From 38246ed1942a9f6f55e28c8c452cec9f3c3ad772 Mon Sep 17 00:00:00 2001 From: Yaya Date: Thu, 3 Mar 2022 18:02:27 +0000 Subject: nixos/snowflake-proxy: init This commit introduces snowflake-proxy [1], a system to circumvent internet censorship. [1] https://snowflake.torproject.org/ --- .../from_md/release-notes/rl-2205.section.xml | 7 ++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 + nixos/modules/module-list.nix | 1 + .../services/networking/snowflake-proxy.nix | 81 ++++++++++++++++++++++ 4 files changed, 91 insertions(+) create mode 100644 nixos/modules/services/networking/snowflake-proxy.nix (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 4f9cd121799..2bcfc86b432 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -120,6 +120,13 @@ services.heisenbridge. + + + snowflake-proxy, + a system to defeat internet censorship. Available as + services.snowflake-proxy. + + ergochat, a modern diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index de384c102dc..650ace8d9d2 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
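Review bot: The `raise Exception("Socket was not properly activated after the service was restarted")` lines in the stop-if-changed and reload-trigger subtests copy the message from the restart subtest, but in those cases the service was stopped (with the socket restarted) or only reloaded, so a failure would print a misleading cause; e.g. `raise Exception("Socket was not properly activated after the service was stopped")`. The reload-trigger subtest also narrows its check to `assert_lacks(out, "\nstarting the following units: socket-activated.socket")`, whereas every other subtest uses the generic `"\nstarting the following units:"`; unless a different unit is expected to start there, the generic form catches more. The test script this hunk belongs to starts outside the hunk.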
@@ -37,6 +37,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [heisenbridge](https://github.com/hifi/heisenbridge), a bouncer-style Matrix IRC bridge. Available as [services.heisenbridge](options.html#opt-services.heisenbridge.enable). +- [snowflake-proxy](https://snowflake.torproject.org/), a system to defeat internet censorship. Available as [services.snowflake-proxy](options.html#opt-services.snowflake-proxy.enable). + - [ergochat](https://ergo.chat), a modern IRC with IRCv3 features. Available as [services.ergochat](options.html#opt-services.ergochat.enable). - [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin), a web interface for the PowerDNS server. Available at [services.powerdns-admin](options.html#opt-services.powerdns-admin.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index c102f4c97ee..7bce1119d73 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -877,6 +877,7 @@ ./services/networking/shorewall6.nix ./services/networking/shout.nix ./services/networking/sniproxy.nix + ./services/networking/snowflake-proxy.nix ./services/networking/smartdns.nix ./services/networking/smokeping.nix ./services/networking/softether.nix diff --git a/nixos/modules/services/networking/snowflake-proxy.nix b/nixos/modules/services/networking/snowflake-proxy.nix new file mode 100644 index 00000000000..2124644ed9b --- /dev/null +++ b/nixos/modules/services/networking/snowflake-proxy.nix 
@@ -0,0 +1,81 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.snowflake-proxy; +in +{ + options = { + services.snowflake-proxy = { + enable = mkEnableOption "System to defeat internet censorship"; + + broker = mkOption { + description = "Broker URL (default \"https://snowflake-broker.torproject.net/\")"; + type = with types; nullOr str; + default = null; + }; + + capacity = mkOption { + description = "Limits the amount of maximum concurrent clients allowed."; + type = with types; nullOr int; + default = null; + }; + + relay = mkOption { + description = "websocket relay URL (default \"wss://snowflake.bamsoftware.com/\")"; + type = with types; nullOr str; + default = null; + }; + + stun = mkOption { + description = "STUN broker URL (default \"stun:stun.stunprotocol.org:3478\")"; + type = with types; nullOr str; + default = null; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.snowflake-proxy = { + wantedBy = [ "network-online.target" ]; + serviceConfig = { + ExecStart = + "${pkgs.snowflake}/bin/proxy " + concatStringsSep " " ( + optional (cfg.broker != null) "-broker ${cfg.broker}" + ++ optional (cfg.capacity != null) "-capacity ${builtins.toString cfg.capacity}" + ++ optional (cfg.relay != null) "-relay ${cfg.relay}" + ++ optional (cfg.stun != null) "-stun ${cfg.stun}" + ); + + # Security Hardening + # Refer to systemd.exec(5) for option descriptions. 
+ CapabilityBoundingSet = ""; + + # implies RemoveIPC=, PrivateTmp=, NoNewPrivileges=, RestrictSUIDSGID=, + # ProtectSystem=strict, ProtectHome=read-only + DynamicUser = true; + LockPersonality = true; + PrivateDevices = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectProc = "invisible"; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "~@clock @cpu-emulation @debug @mount @obsolete @reboot @swap @privileged @resources"; + UMask = "0077"; + }; + }; + }; + + meta.maintainers = with maintainers; [ yayayayaka ]; +} -- cgit 1.4.1 From 625ba6b0faad37d321eee6c3f11fd89298553deb Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 8 Feb 2022 16:11:53 +0100 Subject: nixos/doc/2205: explain matrix-synapse rfc42 migration --- .../from_md/release-notes/rl-2205.section.xml | 110 +++++++++++++++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 89 +++++++++++++++++ 2 files changed, 199 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 2bcfc86b432..69981e94a81 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
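Review bot: `wantedBy = [ "network-online.target" ];` makes network-online.target pull in the proxy rather than ordering the proxy after the network, so the service only starts when something else activates that target and, if anything, is ordered before it; the usual form is `wantedBy = [ "multi-user.target" ]; wants = [ "network-online.target" ]; after = [ "network-online.target" ];`. The broker, relay and stun values are concatenated unquoted into `ExecStart`, so a value containing whitespace would be split into several arguments by systemd; wrapping the generated argument list in `lib.escapeShellArgs` keeps each option a single argument. A `Restart = "on-failure";` would also suit a long-running, unattended proxy. The hardening block itself is consistent with `DynamicUser = true` and needs no change.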
@@ -388,6 +388,116 @@ its reliance on python2. + + + The matrix-synapse service + (services.matrix-synapse) has been + converted to use the settings option + defined in RFC42. This means that options that are part of + your homeserver.yaml configuration, and + that were specified at the top-level of the module + (services.matrix-synapse) now need to be + moved into + services.matrix-synapse.settings. And while + not all options you may use are defined in there, they are + still supported, because you can set arbitrary values in this + freeform type. + + + An example to make the required migration clearer: + + + Before: + + +{ + services.matrix-synapse = { + enable = true; + + server_name = "example.com"; + public_baseurl = "https://example.com:8448"; + + enable_registration = false; + registration_shared_secret = "xohshaeyui8jic7uutuDogahkee3aehuaf6ei3Xouz4iicie5thie6nohNahceut"; + macaroon_secret_key = "xoo8eder9seivukaiPh1cheikohquuw8Yooreid0The4aifahth3Ou0aiShaiz4l"; + + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + + listeners = [ { + port = 8448; + bind_address = ""; + type = "http"; + tls = true; + resources = [ { + names = [ "client" ]; + compress = true; + } { + names = [ "federation" ]; + compress = false; + } ]; + } ]; + + }; +} + + + After: + + +{ + services.matrix-synapse = { + enable = true; + + # this attribute set holds all values that go into your homeserver.yaml configuration + # See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for + # possible values. 
+ settings = { + server_name = "example.com"; + public_baseurl = "https://example.com:8448"; + + enable_registration = false; + # pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead + + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + + listeners = [ { + port = 8448; + bind_address = [ + "::" + "0.0.0.0" + ]; + type = "http"; + tls = true; + resources = [ { + names = [ "client" ]; + compress = true; + } { + names = [ "federation" ]; + compress = false; + } ]; + } ]; + }; + + extraConfigFiles = [ + /run/keys/matrix-synapse/secrets.yaml + ]; + }; +} + + + The secrets in your original config should be migrated into a + YAML file that is included via + extraConfigFiles. + + + Additionally a few option defaults have been synced up with + upstream default values, for example the + max_upload_size grew from + 10M to 50M. + + The MoinMoin wiki engine diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 650ace8d9d2..e35c9c8c6ad 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -128,6 +128,95 @@ In addition to numerous new and upgraded packages, this release has the followin - The `mailpile` email webclient (`services.mailpile`) has been removed due to its reliance on python2. +- The `matrix-synapse` service (`services.matrix-synapse`) has been converted to use the `settings` option defined in RFC42. + This means that options that are part of your `homeserver.yaml` configuration, and that were specified at the top-level of the + module (`services.matrix-synapse`) now need to be moved into `services.matrix-synapse.settings`. And while not all options you + may use are defined in there, they are still supported, because you can set arbitrary values in this freeform type. + + An example to make the required migration clearer: + + Before: + ```nix + { + services.matrix-synapse = { + enable = true; + + server_name = "example.com"; + public_baseurl = "https://example.com:8448"; + + enable_registration = false; + registration_shared_secret = "xohshaeyui8jic7uutuDogahkee3aehuaf6ei3Xouz4iicie5thie6nohNahceut"; + macaroon_secret_key = "xoo8eder9seivukaiPh1cheikohquuw8Yooreid0The4aifahth3Ou0aiShaiz4l"; + + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + + listeners = [ { + port = 8448; + bind_address = ""; + type = "http"; + tls = true; + resources = [ { + names = [ "client" ]; + compress = true; + } { + names = [ "federation" ]; + compress = false; + } ]; + } ]; + + }; + } + ``` + + After: + ```nix + { + services.matrix-synapse = { + enable = true; + + # this attribute set holds all values that go into your homeserver.yaml configuration + # See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for + # possible values. 
+ settings = { + server_name = "example.com"; + public_baseurl = "https://example.com:8448"; + + enable_registration = false; + # pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead + + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + + listeners = [ { + port = 8448; + bind_address = [ + "::" + "0.0.0.0" + ]; + type = "http"; + tls = true; + resources = [ { + names = [ "client" ]; + compress = true; + } { + names = [ "federation" ]; + compress = false; + } ]; + } ]; + }; + + extraConfigFiles = [ + /run/keys/matrix-synapse/secrets.yaml + ]; + }; + } + ``` + + The secrets in your original config should be migrated into a YAML file that is included via `extraConfigFiles`. + + Additionally a few option defaults have been synced up with upstream default values, for example the `max_upload_size` grew from `10M` to `50M`. + - The MoinMoin wiki engine (`services.moinmoin`) has been removed, because Python 2 is being retired from nixpkgs. - The `wafHook` hook now honors `NIX_BUILD_CORES` when `enableParallelBuilding` is not set explicitly. Packages can restore the old behaviour by setting `enableParallelBuilding=false`. -- cgit 1.4.1 From f386c42a48397d232869e03f123e2bb5f8bfd3d8 Mon Sep 17 00:00:00 2001 From: Alexandru Scvortov Date: Fri, 4 Mar 2022 20:08:09 +0000 Subject: nixos/doc: improve wording in "Options Types" and "Option Declarations" --- .../development/option-declarations.section.md | 26 +++++++++---------- .../doc/manual/development/option-types.section.md | 6 ++--- .../development/option-declarations.section.xml | 29 +++++++++++----------- .../from_md/development/option-types.section.xml | 8 +++--- 4 files changed, 35 insertions(+), 34 deletions(-) (limited to 'nixos/doc') 
diff --git a/nixos/doc/manual/development/option-declarations.section.md b/nixos/doc/manual/development/option-declarations.section.md index fff06e1ea5b..819fc6d891f 100644 --- a/nixos/doc/manual/development/option-declarations.section.md +++ b/nixos/doc/manual/development/option-declarations.section.md 
@@ -145,26 +145,26 @@ As an example, we will take the case of display managers. There is a central display manager module for generic display manager options and a module file per display manager backend (sddm, gdm \...). -There are two approach to this module structure: +There are two approaches we could take with this module structure: -- Managing the display managers independently by adding an enable +- Configuring the display managers independently by adding an enable option to every display manager module backend. (NixOS) -- Managing the display managers in the central module by adding an - option to select which display manager backend to use. +- Configuring the display managers in the central module by adding + an option to select which display manager backend to use. Both approaches have problems. Making backends independent can quickly become hard to manage. For -display managers, there can be only one enabled at a time, but the type -system can not enforce this restriction as there is no relation between -each backend `enable` option. As a result, this restriction has to be -done explicitely by adding assertions in each display manager backend -module. +display managers, there can only be one enabled at a time, but the +type system cannot enforce this restriction as there is no relation +between each backend's `enable` option. As a result, this restriction +has to be done explicitly by adding assertions in each display manager +backend module. -On the other hand, managing the display managers backends in the central -module will require to change the central module option every time a new -backend is added or removed. +On the other hand, managing the display manager backends in the +central module will require changing the central module option every +time a new backend is added or removed. By using extensible option types, it is possible to create a placeholder option in the central module 
@@ -175,7 +175,7 @@ and to extend it in each backend module As a result, `displayManager.enable` option values can be added without changing the main service module file and the type system automatically -enforce that there can only be a single display manager enabled. +enforces that there can only be a single display manager enabled. ::: {#ex-option-declaration-eot-service .example} ::: {.title} diff --git a/nixos/doc/manual/development/option-types.section.md b/nixos/doc/manual/development/option-types.section.md index 071e7751eb6..c34ac0367c4 100644 --- a/nixos/doc/manual/development/option-types.section.md +++ b/nixos/doc/manual/development/option-types.section.md @@ -16,9 +16,9 @@ merging is handled. `types.path` -: A filesystem path, defined as anything that when coerced to a string - starts with a slash. Even if derivations can be considered as path, - the more specific `types.package` should be preferred. +: A filesystem path is anything that starts with a slash when + coerced to a string. Even if derivations can be considered as + paths, the more specific `types.package` should be preferred. `types.package` diff --git a/nixos/doc/manual/from_md/development/option-declarations.section.xml b/nixos/doc/manual/from_md/development/option-declarations.section.xml index 0eeffae628e..554705e2e42 100644 --- a/nixos/doc/manual/from_md/development/option-declarations.section.xml +++ b/nixos/doc/manual/from_md/development/option-declarations.section.xml 
@@ -215,21 +215,22 @@ lib.mkOption { manager backend (sddm, gdm ...). - There are two approach to this module structure: + There are two approaches we could take with this module + structure: - Managing the display managers independently by adding an - enable option to every display manager module backend. - (NixOS) + Configuring the display managers independently by adding + an enable option to every display manager module + backend. (NixOS) - Managing the display managers in the central module by - adding an option to select which display manager backend - to use. + Configuring the display managers in the central module + by adding an option to select which display manager + backend to use. @@ -238,16 +239,16 @@ lib.mkOption { Making backends independent can quickly become hard to - manage. For display managers, there can be only one enabled - at a time, but the type system can not enforce this - restriction as there is no relation between each backend + manage. For display managers, there can only be one enabled + at a time, but the type system cannot enforce this + restriction as there is no relation between each backend’s enable option. As a result, this - restriction has to be done explicitely by adding assertions + restriction has to be done explicitly by adding assertions in each display manager backend module. - On the other hand, managing the display managers backends in - the central module will require to change the central module + On the other hand, managing the display manager backends in + the central module will require changing the central module option every time a new backend is added or removed. @@ -268,7 +269,7 @@ lib.mkOption { As a result, displayManager.enable option values can be added without changing the main service module - file and the type system automatically enforce that there + file and the type system automatically enforces that there can only be a single display manager enabled. 
diff --git a/nixos/doc/manual/from_md/development/option-types.section.xml b/nixos/doc/manual/from_md/development/option-types.section.xml index 50a3da0ef5b..e16453df51e 100644 --- a/nixos/doc/manual/from_md/development/option-types.section.xml +++ b/nixos/doc/manual/from_md/development/option-types.section.xml @@ -30,10 +30,10 @@ - A filesystem path, defined as anything that when coerced to - a string starts with a slash. Even if derivations can be - considered as path, the more specific - types.package should be preferred. + A filesystem path is anything that starts with a slash when + coerced to a string. Even if derivations can be considered + as paths, the more specific types.package + should be preferred. -- cgit 1.4.1 From 5a6b36e498bbc5de5be9a5b85f66f31b6beaaf82 Mon Sep 17 00:00:00 2001 From: tim-tx Date: Sat, 5 Mar 2022 11:41:31 -0500 Subject: dendrite: 0.5.1 -> 0.6.5 --- .../from_md/release-notes/rl-2205.section.xml | 12 +++ nixos/doc/manual/release-notes/rl-2205.section.md | 8 ++ nixos/modules/services/misc/dendrite.nix | 94 ++++++++++++++++++++++ pkgs/servers/dendrite/default.nix | 6 +- 4 files changed, 117 insertions(+), 3 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 4f4a5a3394e..f6b42c38655 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -752,6 +752,18 @@ directly. + + + The dendrite package has been upgraded from + 0.5.1 to + 0.6.5. + Instances configured with split sqlite databases, which has + been the default in NixOS, require merging of the federation + sender and signing key databases. See upstream + release + notes on version 0.6.0 for details on database changes. + + The existing pkgs.opentelemetry-collector 
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index c4281561f16..9dc751c5839 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -289,6 +289,14 @@ In addition to numerous new and upgraded packages, this release has the followin This breaks back-compat so it's not possible to mix-and-match with previous versions of nixpkgs. In exchange, it now becomes possible to use the providers from [nixpkgs-terraform-providers-bin](https://github.com/numtide/nixpkgs-terraform-providers-bin) directly. +- The `dendrite` package has been upgraded from 0.5.1 to + [0.6.5](https://github.com/matrix-org/dendrite/releases/tag/v0.6.5). Instances + configured with split sqlite databases, which has been the default + in NixOS, require merging of the federation sender and signing key + databases. See upstream [release + notes](https://github.com/matrix-org/dendrite/releases/tag/v0.6.0) + on version 0.6.0 for details on database changes. + - The existing `pkgs.opentelemetry-collector` has been moved to `pkgs.opentelemetry-collector-contrib` to match the actual source being the "contrib" edition. `pkgs.opentelemetry-collector` is now the actual core
diff --git a/nixos/modules/services/misc/dendrite.nix b/nixos/modules/services/misc/dendrite.nix
index c967fc3a362..b2885b09415 100644
--- a/nixos/modules/services/misc/dendrite.nix
+++ b/nixos/modules/services/misc/dendrite.nix
@@ -110,6 +110,15 @@ in
 '';
 };
 };
+ options.app_service_api.database = {
+ connection_string = lib.mkOption {
+ type = lib.types.str;
+ default = "file:federationapi.db";
+ description = ''
+ Database for the Appservice API.
+ '';
+ };
+ };
 options.client_api = {
 registration_disabled = lib.mkOption {
 type = lib.types.bool;
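Review bot: The new `app_service_api.database.connection_string` defaults to `"file:federationapi.db"`, the same file that the `federation_api.database` option added in the next hunk defaults to, so two components would open one sqlite database while every other component gets its own file; this reads like a copy-paste of the federation default. A dedicated file, e.g. `default = "file:appservice.db";` (the name upstream's sample configuration uses, to be confirmed against the 0.6.5 sample), keeps the split-database layout that the release-note entry in this commit describes. The `options.client_api` block continues past the end of the hunk.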
@@ -120,6 +129,91 @@ in ''; }; }; + options.federation_api.database = { + connection_string = lib.mkOption { + type = lib.types.str; + default = "file:federationapi.db"; + description = '' + Database for the Federation API. + ''; + }; + }; + options.key_server.database = { + connection_string = lib.mkOption { + type = lib.types.str; + default = "file:keyserver.db"; + description = '' + Database for the Key Server (for end-to-end encryption). + ''; + }; + }; + options.media_api = { + database = { + connection_string = lib.mkOption { + type = lib.types.str; + default = "file:mediaapi.db"; + description = '' + Database for the Media API. + ''; + }; + }; + base_path = lib.mkOption { + type = lib.types.str; + default = "${workingDir}/media_store"; + description = '' + Storage path for uploaded media. + ''; + }; + }; + options.room_server.database = { + connection_string = lib.mkOption { + type = lib.types.str; + default = "file:roomserver.db"; + description = '' + Database for the Room Server. + ''; + }; + }; + options.sync_api.database = { + connection_string = lib.mkOption { + type = lib.types.str; + default = "file:syncserver.db"; + description = '' + Database for the Sync API. + ''; + }; + }; + options.user_api = { + account_database = { + connection_string = lib.mkOption { + type = lib.types.str; + default = "file:userapi_accounts.db"; + description = '' + Database for the User API, accounts. + ''; + }; + }; + device_database = { + connection_string = lib.mkOption { + type = lib.types.str; + default = "file:userapi_devices.db"; + description = '' + Database for the User API, devices. + ''; + }; + }; + }; + options.mscs = { + database = { + connection_string = lib.mkOption { + type = lib.types.str; + default = "file:mscs.db"; + description = '' + Database for exerimental MSC's. + ''; + }; + }; + }; }; default = { }; description = '' diff --git a/pkgs/servers/dendrite/default.nix b/pkgs/servers/dendrite/default.nix index 3d92b2cd4ba..b1c0f1424d9 100644 
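Review bot: The `mscs` option description reads `Database for exerimental MSC's.`; it should be `Database for experimental MSCs.` since this text is rendered verbatim in the options manual. Only the `key_server` description says what its component is for; a short parenthetical on the others (which API the `room_server`, `sync_api` and `user_api` databases back) would help readers who have not seen upstream's configuration reference. The enclosing `options` attribute set continues beyond this hunk.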
--- a/pkgs/servers/dendrite/default.nix +++ b/pkgs/servers/dendrite/default.nix @@ -2,16 +2,16 @@ buildGoModule rec { pname = "matrix-dendrite"; - version = "0.5.1"; + version = "0.6.5"; src = fetchFromGitHub { owner = "matrix-org"; repo = "dendrite"; rev = "v${version}"; - sha256 = "1HCVWSxXOR2syN+dLDSvrNzYHTj/vXZRHkXhU0f3m1k="; + sha256 = "jSn2awZsfsniSOTNkaEdQw/sZm7nUfiMntsxigy/51Y="; }; - vendorSha256 = "sha256-RqEt0RAsKWKy6NvMzulqY56nZ7fIxgJkgN/WpEZ3F2I="; + vendorSha256 = "sha256-B4d3FGXy8TrED3oikTjETQso/AtEfIWWcdY6FykD/8A="; passthru.tests = { inherit (nixosTests) dendrite; -- cgit 1.4.1 From e6d1c597f137ee8a4439d7d9c3d24e22b86eb03c Mon Sep 17 00:00:00 2001 From: Euan Kemp Date: Sat, 5 Mar 2022 00:43:47 -0800 Subject: nixos/k3s: use the systemd driver for docker + unified cgroups This is necessary for it to work at all. The single-node-docker test will fail without this change. Also add a release note for it. --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 14 ++++++++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 4 ++++ nixos/modules/services/cluster/k3s/default.nix | 1 + 3 files changed, 19 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 2bcfc86b432..33cc929b466 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
@@ -364,6 +364,20 @@ relying on the insecure behaviour before upgrading. + + + services.k3s.enable no longer implies + systemd.enableUnifiedCgroupHierarchy = false, + and will default to the systemd cgroup driver + when using services.k3s.docker = true. This + change may require a reboot to take effect, and k3s may not be + able to run if the boot cgroup hierarchy does not match its + configuration. The previous behavior may be retained by + explicitly setting + systemd.enableUnifiedCgroupHierarchy = false + in your configuration. + + The DHCP server (services.dhcpd4, diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 650ace8d9d2..b5d5574a988 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -121,6 +121,10 @@ In addition to numerous new and upgraded packages, this release has the followin - `services.kubernetes.scheduler.{port,address}` now set `--secure-port` and `--bind-address` instead of `--port` and `--address`, since the former have been deprecated and are no longer functional in kubernetes>=1.23. Ensure that you are not relying on the insecure behaviour before upgrading. +- `services.k3s.enable` no longer implies `systemd.enableUnifiedCgroupHierarchy = false`, and will default to the 'systemd' cgroup driver when using `services.k3s.docker = true`. + This change may require a reboot to take effect, and k3s may not be able to run if the boot cgroup hierarchy does not match its configuration. + The previous behavior may be retained by explicitly setting `systemd.enableUnifiedCgroupHierarchy = false` in your configuration. + - The DHCP server (`services.dhcpd4`, `services.dhcpd6`) has been hardened. The service is now using the systemd's `DynamicUser` mechanism to run as an unprivileged dynamically-allocated user with limited capabilities. The dhcpd state files are now always stored in `/var/lib/dhcpd{4,6}` and the `services.dhcpd4.stateDir` and `service.dhcpd6.stateDir` options have been removed.
diff --git a/nixos/modules/services/cluster/k3s/default.nix b/nixos/modules/services/cluster/k3s/default.nix
index 7bda11afedf..3a36cfa3f37 100644
--- a/nixos/modules/services/cluster/k3s/default.nix
+++ b/nixos/modules/services/cluster/k3s/default.nix
@@ -114,6 +114,7 @@ in
 [ "${cfg.package}/bin/k3s ${cfg.role}" ]
 ++ (optional cfg.docker "--docker")
+ ++ (optional (cfg.docker && config.systemd.enableUnifiedCgroupHierarchy) "--kubelet-arg=cgroup-driver=systemd")
 ++ (optional cfg.disableAgent "--disable-agent")
 ++ (optional (cfg.serverAddr != "") "--server ${cfg.serverAddr}")
 ++ (optional (cfg.token != "") "--token ${cfg.token}")
-- cgit 1.4.1
From 34b5dd453b13c2c09334e3def42416b5b2442a0a Mon Sep 17 00:00:00 2001 
From: Ryan Gibb Date: Mon, 7 Mar 2022 16:29:00 +0000 Subject: nixos/zsh-autosuggestions: ZSH_AUTOSUGGEST_STRATEGY array zsh-autosuggestions supports having fallback strategies expressed through the ZSH_AUTOSUGGEST_STRATEGY array. For example, `ZSH_AUTOSUGGEST_STRATEGY=(history completion)`. We should also support this. --- .../from_md/release-notes/rl-2205.section.xml | 6 ++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 ++ nixos/modules/programs/zsh/zsh-autosuggestions.nix | 21 +++++++++++---------- 3 files changed, 19 insertions(+), 10 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 27fbd68a6f3..1ad1a8e3a36 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -846,6 +846,12 @@ compatibilty, but will be removed at a later date. + + + programs.zsh.autosuggestions.strategy now + takes a list of strings instead of a string. + + The services.unifi.openPorts option default diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 388ddc67fb2..bf66e66da62 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -278,6 +278,8 @@ In addition to numerous new and upgraded packages, this release has the followin combined `influxdb2` package is still provided in this release for backwards compatibilty, but will be removed at a later date. +- `programs.zsh.autosuggestions.strategy` now takes a list of strings instead of a string. + - The `services.unifi.openPorts` option default value of `true` is now deprecated and will be changed to `false` in 22.11. Configurations using this default will print a warning when rebuilt. 
diff --git a/nixos/modules/programs/zsh/zsh-autosuggestions.nix b/nixos/modules/programs/zsh/zsh-autosuggestions.nix index fee324cc732..2e53e907d54 100644 --- a/nixos/modules/programs/zsh/zsh-autosuggestions.nix +++ b/nixos/modules/programs/zsh/zsh-autosuggestions.nix @@ -22,17 +22,18 @@ in }; strategy = mkOption { - type = types.enum [ "history" "match_prev_cmd" ]; - default = "history"; + type = types.listOf (types.enum [ "history" "completion" "match_prev_cmd" ]); + default = [ "history" ]; description = '' - Set ZSH_AUTOSUGGEST_STRATEGY to choose the strategy for generating suggestions. - There are currently two to choose from: + `ZSH_AUTOSUGGEST_STRATEGY` is an array that specifies how suggestions should be generated. + The strategies in the array are tried successively until a suggestion is found. + There are currently three built-in strategies to choose from: - * history: Chooses the most recent match. - * match_prev_cmd: Chooses the most recent match whose preceding history item matches - the most recently executed command (more info). Note that this strategy won't work as - expected with ZSH options that don't preserve the history order such as - HIST_IGNORE_ALL_DUPS or HIST_EXPIRE_DUPS_FIRST. + - `history`: Chooses the most recent match from history. + - `completion`: Chooses a suggestion based on what tab-completion would suggest. (requires `zpty` module) + - `match_prev_cmd`: Like `history`, but chooses the most recent match whose preceding history item matches + the most recently executed command. Note that this strategy won't work as expected with ZSH options that + don't preserve the history order such as `HIST_IGNORE_ALL_DUPS` or `HIST_EXPIRE_DUPS_FIRST`. ''; }; 
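Review bot: Changing `type` from `types.enum` to `types.listOf` turns every existing `strategy = "history";` into an evaluation error on upgrade, even though the old default is still the first element of the new one; `type = types.coercedTo types.str lib.singleton (types.listOf (types.enum [ "history" "completion" "match_prev_cmd" ]));` would accept both the old string and the new list, making the release-note entry informational rather than a hard break. Also, the rewritten description uses Markdown backticks and dashes, whereas option descriptions in this module appear to be rendered as DocBook at this point (the removed text carried no such markup), so the literals are likely to show up verbatim in the manual — worth checking the rendered output or using `<literal>` as the rest of the file does.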
@@ -62,7 +63,7 @@ in source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh export ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE="${cfg.highlightStyle}" - export ZSH_AUTOSUGGEST_STRATEGY=("${cfg.strategy}") + export ZSH_AUTOSUGGEST_STRATEGY=(${concatStringsSep " " cfg.strategy}) ${optionalString (!cfg.async) "unset ZSH_AUTOSUGGEST_USE_ASYNC"} ${concatStringsSep "\n" (mapAttrsToList (key: value: ''export ${key}="${value}"'') cfg.extraConfig)} -- cgit 1.4.1 From 70c1e849c0b5741e07e7d8d0d418764e2fdb4e24 Mon Sep 17 00:00:00 2001 From: Astro Date: Tue, 8 Mar 2022 02:46:26 +0100 Subject: nixos/tests/pacemaker: init --- .../from_md/release-notes/rl-2205.section.xml | 6 ++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 + nixos/tests/all-tests.nix | 1 + nixos/tests/pacemaker.nix | 110 +++++++++++++++++++++ pkgs/misc/logging/pacemaker/default.nix | 7 +- pkgs/servers/corosync/default.nix | 4 + 6 files changed, 129 insertions(+), 1 deletion(-) create mode 100644 nixos/tests/pacemaker.nix (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 4f4a5a3394e..2f89e7144da 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -280,6 +280,12 @@ with many features. + + + pacemaker + cluster resource manager + +
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index c4281561f16..68bccce6738 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -81,6 +81,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [blocky](https://0xerr0r.github.io/blocky/), fast and lightweight DNS proxy as ad-blocker for local network with many features. +- [pacemaker](https://clusterlabs.org/pacemaker/) cluster resource manager + ## Backward Incompatibilities {#sec-release-22.05-incompatibilities} diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 15b54cd9fe1..4f077a540dd 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -383,6 +383,7 @@ in os-prober = handleTestOn ["x86_64-linux"] ./os-prober.nix {}; osrm-backend = handleTest ./osrm-backend.nix {}; overlayfs = handleTest ./overlayfs.nix {}; + pacemaker = handleTest ./pacemaker.nix {}; packagekit = handleTest ./packagekit.nix {}; pam-file-contents = handleTest ./pam/pam-file-contents.nix {}; pam-oath-login = handleTest ./pam/pam-oath-login.nix {}; diff --git a/nixos/tests/pacemaker.nix b/nixos/tests/pacemaker.nix new file mode 100644 index 00000000000..68455761495 --- /dev/null +++ b/nixos/tests/pacemaker.nix 
@@ -0,0 +1,110 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: rec { + name = "pacemaker"; + meta = with pkgs.lib.maintainers; { + maintainers = [ astro ]; + }; + + nodes = + let + node = i: { + networking.interfaces.eth1.ipv4.addresses = [ { + address = "192.168.0.${toString i}"; + prefixLength = 24; + } ]; + + services.corosync = { + enable = true; + clusterName = "zentralwerk-network"; + nodelist = lib.imap (i: name: { + nodeid = i; + inherit name; + ring_addrs = [ + (builtins.head nodes.${name}.networking.interfaces.eth1.ipv4.addresses).address + ]; + }) (builtins.attrNames nodes); + }; + environment.etc."corosync/authkey" = { + source = builtins.toFile "authkey" + # minimum length: 128 bytes + "testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest"; + mode = "0400"; + }; + + services.pacemaker.enable = true; + + # used for pacemaker resource + systemd.services.ha-cat = { + description = "Highly available netcat"; + serviceConfig.ExecStart = "${pkgs.netcat}/bin/nc -l discard"; + }; + }; + in { + node1 = node 1; + node2 = node 2; + node3 = node 3; + }; + + # sets up pacemaker with resources configuration, then crashes a + # node and waits for service restart on another node + testScript = + let + resources = builtins.toFile "cib-resources.xml" '' + + + + + + + + + + ''; + in '' + import re + import time + + start_all() + + ${lib.concatMapStrings (node: '' + ${node}.wait_until_succeeds("corosync-quorumtool") + ${node}.wait_for_unit("pacemaker.service") + '') (builtins.attrNames nodes)} + + # No STONITH device + node1.succeed("crm_attribute -t crm_config -n stonith-enabled -v false") + # Configure the cat resource + node1.succeed("cibadmin --replace --scope resources --xml-file ${resources}") + + # wait until the service is started + while True: + output = node1.succeed("crm_resource -r cat --locate") + match = re.search("is running on: (.+)", output) + if match: + for machine in 
machines: + if machine.name == match.group(1): + current_node = machine + break + time.sleep(1) + + current_node.log("Service running here!") + current_node.crash() + + # pick another node that's still up + for machine in machines: + if machine.booted: + check_node = machine + # find where the service has been started next + while True: + output = check_node.succeed("crm_resource -r cat --locate") + match = re.search("is running on: (.+)", output) + # output will remain the old current_node until the crash is detected by pacemaker + if match and match.group(1) != current_node.name: + for machine in machines: + if machine.name == match.group(1): + next_node = machine + break + time.sleep(1) + + next_node.log("Service migrated here!") + ''; +}) diff --git a/pkgs/misc/logging/pacemaker/default.nix b/pkgs/misc/logging/pacemaker/default.nix index 7277ae091e7..07194380d4a 100644 --- a/pkgs/misc/logging/pacemaker/default.nix +++ b/pkgs/misc/logging/pacemaker/default.nix @@ -17,6 +17,7 @@ , pam , pkg-config , python3 +, nixosTests # Pacemaker is compiled twice, once with forOCF = true to extract its # OCF definitions for use in the ocf-resource-agents derivation, then @@ -87,11 +88,15 @@ stdenv.mkDerivation rec { rm -r $out/nix ''; + passthru.tests = { + inherit (nixosTests) pacemaker; + }; + meta = with lib; { homepage = "https://clusterlabs.org/pacemaker/"; description = "Pacemaker is an open source, high availability resource manager suitable for both small and large clusters."; license = licenses.gpl2Plus; platforms = platforms.linux; - maintainers = with maintainers; [ ryantm ]; + maintainers = with maintainers; [ ryantm astro ]; }; } diff --git a/pkgs/servers/corosync/default.nix b/pkgs/servers/corosync/default.nix index 257837f1414..4df8a547dff 100644 --- a/pkgs/servers/corosync/default.nix +++ b/pkgs/servers/corosync/default.nix 
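Review bot: Both `while True:` polling loops in `testScript` have no upper bound, so if the resource never starts or never migrates the test hangs until the global timeout instead of failing with a message that says which step stalled; bounding them with the driver's `retry` helper or a counted loop such as `for _ in range(120):` followed by a `raise Exception("cat resource did not start")` would give a clear failure. The `for machine in machines: if machine.booted: check_node = machine` pass also leaves `check_node` undefined (a NameError rather than an assertion) if no node reports booted. Finally, `environment.etc."corosync/authkey".source` is a `builtins.toFile` path, so the key sits world-readable in the Nix store regardless of `mode = "0400"`; a comment such as `# test-only key: store paths are world-readable, a real cluster must provision authkey out of band` would stop this block from being copied into production configs.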
@@ -65,6 +65,10 @@ stdenv.mkDerivation rec { --prefix PATH ":" "$out/sbin:${libqb}/sbin" ''; + passthru.tests = { + inherit (nixosTests) pacemaker; + }; + meta = { homepage = "http://corosync.org/"; description = "A Group Communication System with features for implementing high availability within applications"; -- cgit 1.4.1 From 252f20aaa2744d9fe6e3b4ade2d2f44c0448ca06 Mon Sep 17 00:00:00 2001 From: Alexandru Scvortov Date: Sun, 6 Mar 2022 13:49:57 +0000 Subject: nbd: add programs.nbd, services.nbd, and test Changes: nbd: Update nixos/modules/services/networking/nbd.nix Co-authored-by: pennae <82953136+pennae@users.noreply.github.com> nbd: Update nixos/modules/services/networking/nbd.nix Co-authored-by: pennae <82953136+pennae@users.noreply.github.com> nbd: Update nixos/tests/nbd.nix Co-authored-by: pennae <82953136+pennae@users.noreply.github.com> nbd: generalize options in nbd service nbd: harden service nbd: Update nixos/modules/services/networking/nbd.nix Co-authored-by: pennae <82953136+pennae@users.noreply.github.com> nbd: Update nixos/modules/services/networking/nbd.nix Co-authored-by: pennae <82953136+pennae@users.noreply.github.com> nbd: refactor code a bit and BindPaths automatically --- .../from_md/release-notes/rl-2205.section.xml | 7 + nixos/doc/manual/release-notes/rl-2205.section.md | 2 + nixos/modules/module-list.nix | 2 + nixos/modules/programs/nbd.nix | 19 +++ nixos/modules/services/networking/nbd.nix | 146 +++++++++++++++++++++ nixos/tests/all-tests.nix | 1 + nixos/tests/nbd.nix | 87 ++++++++++++ pkgs/tools/networking/nbd/default.nix | 6 +- 8 files changed, 269 insertions(+), 1 deletion(-) create mode 100644 nixos/modules/programs/nbd.nix create mode 100644 nixos/modules/services/networking/nbd.nix create mode 100644 nixos/tests/nbd.nix (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 4f4a5a3394e..749a50c8f5a 100644 
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -248,6 +248,13 @@ services.ethercalc. + + + nbd, a + Network Block Device server. Available as + services.nbd. + + timetagger, diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index c4281561f16..0b78c189917 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -73,6 +73,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [ethercalc](https://github.com/audreyt/ethercalc), an online collaborative spreadsheet. Available as [services.ethercalc](options.html#opt-services.ethercalc.enable). +- [nbd](https://nbd.sourceforge.io/), a Network Block Device server. Available as [services.nbd](options.html#opt-services.nbd.server.enable). + - [timetagger](https://timetagger.app), an open source time-tracker with an intuitive user experience and powerful reporting. [services.timetagger](options.html#opt-services.timetagger.enable). - [rstudio-server](https://www.rstudio.com/products/rstudio/#rstudio-server), a browser-based version of the RStudio IDE for the R programming language. Available as [services.rstudio-server](options.html#opt-services.rstudio-server.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index f3570c3f123..442bcc39d59 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -179,6 +179,7 @@ ./programs/msmtp.nix ./programs/mtr.nix ./programs/nano.nix + ./programs/nbd.nix ./programs/neovim.nix ./programs/nm-applet.nix ./programs/npm.nix @@ -818,6 +819,7 @@ ./services/networking/nar-serve.nix ./services/networking/nat.nix ./services/networking/nats.nix + ./services/networking/nbd.nix ./services/networking/ndppd.nix ./services/networking/nebula.nix ./services/networking/networkmanager.nix 
diff --git a/nixos/modules/programs/nbd.nix b/nixos/modules/programs/nbd.nix
new file mode 100644
index 00000000000..fea9bc1ff71
--- /dev/null
+++ b/nixos/modules/programs/nbd.nix
@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.programs.nbd;
+in
+{
+ options = {
+ programs.nbd = {
+ enable = mkEnableOption "Network Block Device (nbd) support";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [ nbd ];
+ boot.kernelModules = [ "nbd" ];
+ };
+}
diff --git a/nixos/modules/services/networking/nbd.nix b/nixos/modules/services/networking/nbd.nix
new file mode 100644
index 00000000000..87f8c41a8e5
--- /dev/null
+++ b/nixos/modules/services/networking/nbd.nix
@@ -0,0 +1,146 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.nbd; + configFormat = pkgs.formats.ini { }; + iniFields = with types; attrsOf (oneOf [ bool int float str ]); + serverConfig = configFormat.generate "nbd-server-config" + ({ + generic = + (cfg.server.extraOptions // { + user = "root"; + group = "root"; + port = cfg.server.listenPort; + } // (optionalAttrs (cfg.server.listenAddress != null) { + listenaddr = cfg.server.listenAddress; + })); + } + // (mapAttrs + (_: { path, allowAddresses, extraOptions }: + extraOptions // { + exportname = path; + } // (optionalAttrs (allowAddresses != null) { + authfile = pkgs.writeText "authfile" (concatStringsSep "\n" allowAddresses); + })) + cfg.server.exports) + ); + splitLists = + partition + (path: hasPrefix "/dev/" path) + (mapAttrsToList (_: { path, ... }: path) cfg.server.exports); + allowedDevices = splitLists.right; + boundPaths = splitLists.wrong; +in +{ + options = { + services.nbd = { + server = { + enable = mkEnableOption "the Network Block Device (nbd) server"; + + listenPort = mkOption { + type = types.port; + default = 10809; + description = "Port to listen on. The port is NOT automatically opened in the firewall."; + }; + + extraOptions = mkOption { + type = iniFields; + default = { + allowlist = false; + }; + description = '' + Extra options for the server. See + nbd-server + 5. + ''; + }; + + exports = mkOption { + description = "Files or block devices to make available over the network."; + default = { }; + type = with types; attrsOf + (submodule { + options = { + path = mkOption { + type = str; + description = "File or block device to export."; + example = "/dev/sdb1"; + }; + + allowAddresses = mkOption { + type = nullOr (listOf str); + default = null; + example = [ "10.10.0.0/24" "127.0.0.1" ]; + description = "IPs and subnets that are authorized to connect for this device. 
If not specified, the server will allow all connections."; + }; + + extraOptions = mkOption { + type = iniFields; + default = { + flush = true; + fua = true; + }; + description = '' + Extra options for this export. See + nbd-server + 5. + ''; + }; + }; + }); + }; + + listenAddress = mkOption { + type = with types; nullOr str; + description = "Address to listen on. If not specified, the server will listen on all interfaces."; + default = null; + example = "10.10.0.1"; + }; + }; + }; + }; + + config = mkIf cfg.server.enable { + boot.kernelModules = [ "nbd" ]; + + systemd.services.nbd-server = { + after = [ "network-online.target" ]; + before = [ "multi-user.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.nbd}/bin/nbd-server -C ${serverConfig}"; + Type = "forking"; + + DeviceAllow = map (path: "${path} rw") allowedDevices; + BindPaths = boundPaths; + + CapabilityBoundingSet = ""; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = false; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "noaccess"; + ProtectSystem = "strict"; + RestrictAddressFamilies = "AF_INET AF_INET6"; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + UMask = "0077"; + }; + }; + }; +} diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 342e8f461b5..3548d50009a 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix 
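Review bot: Every export is reachable without authentication — nbd-server has no client auth, and with the defaults `allowAddresses = null` and `allowlist = false` any host that can reach `listenPort` gets read/write access to the exported file or block device, while the option text only says the firewall is not opened. The `exports` description should state this so operators treat `allowAddresses` and firewall rules as the only access control, e.g. `description = "Files or block devices to make available over the network. NBD has no authentication: any host that can reach the port and is not filtered by allowAddresses can read and write the export.";`. The `hasPrefix "/dev/"` partition also assumes each `path` is the device node itself; an export given as a `/dev/disk/by-*` symlink lands in `DeviceAllow` rather than `BindPaths`, and whether `DevicePolicy = "closed"` then admits the underlying node should be confirmed and noted in the `path` description.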
@@ -328,6 +328,7 @@ in nat.standalone = handleTest ./nat.nix { withFirewall = false; }; nats = handleTest ./nats.nix {}; navidrome = handleTest ./navidrome.nix {}; + nbd = handleTest ./nbd.nix {}; ncdns = handleTest ./ncdns.nix {}; ndppd = handleTest ./ndppd.nix {}; nebula = handleTest ./nebula.nix {}; diff --git a/nixos/tests/nbd.nix b/nixos/tests/nbd.nix new file mode 100644 index 00000000000..16255e68e8a --- /dev/null +++ b/nixos/tests/nbd.nix 
@@ -0,0 +1,87 @@ +import ./make-test-python.nix ({ pkgs, ... }: + let + listenPort = 30123; + testString = "It works!"; + mkCreateSmallFileService = { path, loop ? false }: { + script = '' + ${pkgs.coreutils}/bin/dd if=/dev/zero of=${path} bs=1K count=100 + ${pkgs.lib.optionalString loop + "${pkgs.util-linux}/bin/losetup --find ${path}"} + ''; + serviceConfig = { + Type = "oneshot"; + }; + wantedBy = [ "multi-user.target" ]; + before = [ "nbd-server.service" ]; + }; + in + { + name = "nbd"; + + nodes = { + server = { config, pkgs, ... }: { + # Create some small files of zeros to use as the ndb disks + ## `vault-pub.disk` is accessible from any IP + systemd.services.create-pub-file = + mkCreateSmallFileService { path = "/vault-pub.disk"; }; + ## `vault-priv.disk` is accessible only from localhost. + ## It's also a loopback device to test exporting /dev/... + systemd.services.create-priv-file = + mkCreateSmallFileService { path = "/vault-priv.disk"; loop = true; }; + + # Needed only for nbd-client used in the tests. + environment.systemPackages = [ pkgs.nbd ]; + + # Open the nbd port in the firewall + networking.firewall.allowedTCPPorts = [ listenPort ]; + + # Run the nbd server and expose the small file created above + services.nbd.server = { + enable = true; + exports = { + vault-pub = { + path = "/vault-pub.disk"; + }; + vault-priv = { + path = "/dev/loop0"; + allowAddresses = [ "127.0.0.1" "::1" ]; + }; + }; + listenAddress = "0.0.0.0"; + listenPort = listenPort; + }; + }; + + client = { config, pkgs, ... 
}: { + programs.nbd.enable = true; + }; + }; + + testScript = '' + testString = "${testString}" + + start_all() + server.wait_for_open_port(${toString listenPort}) + + # Client: Connect to the server, write a small string to the nbd disk, and cleanly disconnect + client.succeed("nbd-client server ${toString listenPort} /dev/nbd0 -name vault-pub -persist") + client.succeed(f"echo '{testString}' | dd of=/dev/nbd0 conv=notrunc") + client.succeed("nbd-client -d /dev/nbd0") + + # Server: Check that the string written by the client is indeed in the file + foundString = server.succeed(f"dd status=none if=/vault-pub.disk count={len(testString)}")[:len(testString)] + if foundString != testString: + raise Exception(f"Read the wrong string from nbd disk. Expected: '{testString}'. Found: '{foundString}'") + + # Client: Fail to connect to the private disk + client.fail("nbd-client server ${toString listenPort} /dev/nbd0 -name vault-priv -persist") + + # Server: Successfully connect to the private disk + server.succeed("nbd-client localhost ${toString listenPort} /dev/nbd0 -name vault-priv -persist") + server.succeed(f"echo '{testString}' | dd of=/dev/nbd0 conv=notrunc") + foundString = server.succeed(f"dd status=none if=/dev/loop0 count={len(testString)}")[:len(testString)] + if foundString != testString: + raise Exception(f"Read the wrong string from nbd disk. Expected: '{testString}'. Found: '{foundString}'") + server.succeed("nbd-client -d /dev/nbd0") + ''; + }) diff --git a/pkgs/tools/networking/nbd/default.nix b/pkgs/tools/networking/nbd/default.nix index 95c2f970999..13179389484 100644 --- a/pkgs/tools/networking/nbd/default.nix +++ b/pkgs/tools/networking/nbd/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl, pkg-config, glib, which }: +{ lib, stdenv, fetchurl, pkg-config, glib, which, nixosTests }: stdenv.mkDerivation rec { pname = "nbd"; 
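Review bot: `dd ... count={len(testString)}` counts 512-byte blocks, not bytes, so each check reads `len(testString) * 512` bytes and depends on the `[:len(testString)]` slice to trim the result; it passes only because the backing file is larger than that, and reads as a byte count to anyone skimming it. Reading exactly the string with `dd status=none if=/vault-pub.disk bs=1 count={len(testString)}` (and the same for `/dev/loop0`) makes the assertion self-explanatory and lets the slice go. The `client.fail(...)` for `vault-priv` only proves the connection was refused, not why; a comment naming the `allowAddresses` authfile as the intended cause would keep a later export-name typo from being mistaken for the access check working.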
@@ -21,6 +21,10 @@ stdenv.mkDerivation rec { doCheck = true; + passthru.tests = { + test = nixosTests.nbd; + }; + # Glib calls `clock_gettime', which is in librt. Linking that library # here ensures that a proper rpath is added to the executable so that # it can be loaded at run-time. -- cgit 1.4.1 From 788abdba4b1d0444be0c7131004d74edcaff8d71 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Wed, 9 Mar 2022 15:29:35 +0100 Subject: nixos/doc: update rl-2111 w.r.t. iptables-nft migration Follow-up on https://github.com/NixOS/nixpkgs/pull/161426. Explain why having legacy iptables rules installed can lead to confusing firewall behaviour, and provide some guidance on how to fix this. --- nixos/doc/manual/from_md/release-notes/rl-2111.section.xml | 12 +++++++++++- nixos/doc/manual/release-notes/rl-2111.section.md | 7 +++++++ 2 files changed, 18 insertions(+), 1 deletion(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index a11baa91dea..b61a0268dee 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -35,7 +35,17 @@ This means, ip[6]tables, arptables and ebtables commands will actually show rules from some specific tables in - the nf_tables kernel subsystem. + the nf_tables kernel subsystem. In case + you’re migrating from an older release without rebooting, + there might be cases where you end up with iptable rules + configured both in the legacy iptables + kernel backend, as well as in the nf_tables + backend. This can lead to confusing firewall behaviour. An + iptables-save after switching will complain + about iptables-legacy tables present. It’s + probably best to reboot after the upgrade, or manually + removing all legacy iptables rules (via the + iptables-legacy package). 
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index f3644c32832..310d32cfdd7 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md @@ -13,6 +13,13 @@ In addition to numerous new and upgraded packages, this release has the followin [Fedora](https://fedoraproject.org/wiki/Changes/iptables-nft-default). This means, `ip[6]tables`, `arptables` and `ebtables` commands will actually show rules from some specific tables in the `nf_tables` kernel subsystem. + In case you're migrating from an older release without rebooting, there might + be cases where you end up with iptable rules configured both in the legacy + `iptables` kernel backend, as well as in the `nf_tables` backend. + This can lead to confusing firewall behaviour. An `iptables-save` after + switching will complain about "iptables-legacy tables present". + It's probably best to reboot after the upgrade, or manually removing all + legacy iptables rules (via the `iptables-legacy` package). - systemd got an `nftables` backend, and configures (networkd) rules in their own `io.systemd.*` tables. Check `nft list ruleset` to see these rules, not -- cgit 1.4.1 From ee1ff0797b6f16e5a6fe7caf2ec50907c6de99d2 Mon Sep 17 00:00:00 2001 From: Connor Baker Date: Wed, 9 Mar 2022 23:48:06 -0500 Subject: spark: update release notes for 22.05 --- .../from_md/release-notes/rl-2205.section.xml | 40 ++++++++++++++++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 9 +++++ 2 files changed, 49 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 4f4a5a3394e..223f16e2ca7 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
@@ -1303,6 +1303,46 @@ desktop environments as needed. + + + The hadoop package has added support for + aarch64-linux and + aarch64-darwin as of 3.3.1 + (#158613). + + + + + The R package now builds again on + aarch64-darwin + (#158992). + + + + + The spark3 package has been updated from + 3.1.2 to 3.2.1 + (#160075): + + + + + Testing has been enabled for + aarch64-linux in addition to + x86_64-linux. + + + + + The spark3 package is now usable on + aarch64-darwin as a result of + #158613 + and + #158992. + + + +
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index c4281561f16..37432e7abd0 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -471,4 +471,13 @@ In addition to numerous new and upgraded packages, this release has the followin - The polkit service, available at `security.polkit.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed. +- The `hadoop` package has added support for `aarch64-linux` and `aarch64-darwin` as of 3.3.1 ([#158613](https://github.com/NixOS/nixpkgs/pull/158613)). + +- The `R` package now builds again on `aarch64-darwin` ([#158992](https://github.com/NixOS/nixpkgs/pull/158992)). + +- The `spark3` package has been updated from 3.1.2 to 3.2.1 ([#160075](https://github.com/NixOS/nixpkgs/pull/160075)): + + - Testing has been enabled for `aarch64-linux` in addition to `x86_64-linux`. + - The `spark3` package is now usable on `aarch64-darwin` as a result of [#158613](https://github.com/NixOS/nixpkgs/pull/158613) and [#158992](https://github.com/NixOS/nixpkgs/pull/158992). + -- cgit 1.4.1 From a7827ecfae20a31d47aad8d1798460886936b002 Mon Sep 17 00:00:00 2001 From: illustris Date: Wed, 9 Mar 2022 00:34:07 +0530 Subject: nixos/hadoop: add release notes --- .../from_md/release-notes/rl-2205.section.xml | 46 ++++++++++++++++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 13 ++++++ 2 files changed, 59 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 0c10451add4..ccbcb0a9a2a 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
@@ -519,6 +519,25 @@ because Python 2 is being retired from nixpkgs. + + + Services in the hadoop module previously + set openFirewall to true by default. This + has now been changed to false. Node definitions for multi-node + clusters would need openFirewall = true; to + be added to to hadoop services when upgrading from NixOS + 21.11. + + + + + services.hadoop.yarn.nodemanager now uses + cgroup-based CPU limit enforcement by default. Additionally, + the option useCGroups was added to + nodemanagers as an easy way to switch back to the old + behavior. + + The wafHook hook now honors @@ -1071,6 +1090,33 @@ using the PyPy interpreter were added. + + + Some improvements have been made to the + hadoop module: + + + + + A gatewayRole option has been added, + for deploying hadoop cluster configuration files to a node + that does not have any active services + + + + + Support for older versions of hadoop have been added to + the module + + + + + Overriding and extending site XML files has been made + easier + + + + If you are using Wayland you can choose to use the Ozone diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index b9402ba5f9d..6d91ee1dffc 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -223,6 +223,14 @@ In addition to numerous new and upgraded packages, this release has the followin - The MoinMoin wiki engine (`services.moinmoin`) has been removed, because Python 2 is being retired from nixpkgs. +- Services in the `hadoop` module previously set `openFirewall` to true by default. + This has now been changed to false. Node definitions for multi-node clusters would need + `openFirewall = true;` to be added to to hadoop services when upgrading from NixOS 21.11. + +- `services.hadoop.yarn.nodemanager` now uses cgroup-based CPU limit enforcement by default. + Additionally, the option `useCGroups` was added to nodemanagers as an easy way to switch + back to the old behavior. + - The `wafHook` hook now honors `NIX_BUILD_CORES` when `enableParallelBuilding` is not set explicitly. Packages can restore the old behaviour by setting `enableParallelBuilding=false`. - `pkgs.claws-mail-gtk2`, representing Claws Mail's older release version three, was removed in order to get rid of Python 2. @@ -391,6 +399,11 @@ In addition to numerous new and upgraded packages, this release has the followin - The `writers.writePyPy2`/`writers.writePyPy3` and corresponding `writers.writePyPy2Bin`/`writers.writePyPy3Bin` convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added. +- Some improvements have been made to the `hadoop` module: + - A `gatewayRole` option has been added, for deploying hadoop cluster configuration files to a node that does not have any active services + - Support for older versions of hadoop have been added to the module + - Overriding and extending site XML files has been made easier + - If you are using Wayland you can choose to use the Ozone Wayland support in Chrome and several Electron apps by setting the environment variable `NIXOS_OZONE_WL=1` (for example via -- cgit 1.4.1 From 9c2266c03171dcf492b6accdb0cde0cb28e156b5 Mon Sep 17 00:00:00 2001 
From: Naïm Favier Date: Wed, 9 Mar 2022 13:14:22 +0100 Subject: lib.types.package: only call toDerivation when necessary The current logic assumes that everything that isn't a derivation is a store path, but it can also be something that's *coercible* to a store path, like a flake input. Unnecessary uses of `lib.toDerivation` result in errors in pure evaluation mode when `builtins.storePath` is disabled. Also document what a `package` is. --- lib/types.nix | 12 ++++++++++-- nixos/doc/manual/development/option-types.section.md | 3 ++- .../doc/manual/from_md/development/option-types.section.xml | 4 +++- 3 files changed, 15 insertions(+), 4 deletions(-) (limited to 'nixos/doc') diff --git a/lib/types.nix b/lib/types.nix index 3fcac9c31b3..bf18866e55e 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -368,13 +368,21 @@ rec { emptyValue = { value = {}; }; }; - # derivation is a reserved keyword. + # A package is a top-level store path (/nix/store/hash-name). This includes: + # - derivations + # - more generally, attribute sets with an `outPath` or `__toString` attribute + # pointing to a store path, e.g. flake inputs + # - strings with context, e.g. "${pkgs.foo}" or (toString pkgs.foo) + # - hardcoded store path literals (/nix/store/hash-foo) or strings without context + # ("/nix/store/hash-foo"). These get a context added to them using builtins.storePath. package = mkOptionType { name = "package"; check = x: isDerivation x || isStorePath x; merge = loc: defs: let res = mergeOneOption loc defs; - in if isDerivation res then res else toDerivation res; + in if builtins.isPath res || (builtins.isString res && ! builtins.hasContext res) + then toDerivation res + else res; }; shellPackage = package // { diff --git a/nixos/doc/manual/development/option-types.section.md b/nixos/doc/manual/development/option-types.section.md index c34ac0367c4..00f1d85bdb6 100644 --- a/nixos/doc/manual/development/option-types.section.md +++ b/nixos/doc/manual/development/option-types.section.md 
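Review bot: The merged value of `types.package` is no longer always an attribute set: a string with context such as `"${pkgs.foo}"` used to go through `toDerivation` and come back with `name`/`outPath`, but under the new condition it is returned as a plain string, so module code that does `cfg.package.outPath` or `cfg.package.pname` on such a value changes from working to an error. The new header comment should spell this out, e.g. `# The merged value is either a derivation-like attribute set or a string with context; do not assume it has attributes.` It would also help to note on the last bullet that `builtins.storePath` is rejected in pure evaluation mode, since that is the only branch still calling `toDerivation` and the reason the other cases now bypass it. The `check` line is unchanged and still admits anything `isStorePath` accepts.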
@@ -22,7 +22,8 @@ merging is handled. `types.package` -: A derivation or a store path. +: A top-level store path. This can be an attribute set pointing + to a store path, like a derivation or a flake input. `types.anything` diff --git a/nixos/doc/manual/from_md/development/option-types.section.xml b/nixos/doc/manual/from_md/development/option-types.section.xml index e16453df51e..44472929270 100644 --- a/nixos/doc/manual/from_md/development/option-types.section.xml +++ b/nixos/doc/manual/from_md/development/option-types.section.xml @@ -43,7 +43,9 @@ - A derivation or a store path. + A top-level store path. This can be an attribute set + pointing to a store path, like a derivation or a flake + input. -- cgit 1.4.1 From c96180c53fcd4f36a7163c3e59a2e6bcd9233f06 Mon Sep 17 00:00:00 2001 From: Janne Heß Date: Sun, 6 Mar 2022 19:22:04 +0100 Subject: nixos/switch-to-configuration: Ignore some unit keys Some unit keys don't need to restart the service to make them effective. Reduce the amount of service restarts by ignoring these keys --- .../manual/development/unit-handling.section.md | 3 +- .../from_md/development/unit-handling.section.xml | 5 +- .../system/activation/switch-to-configuration.pl | 67 +++++++++++++++++----- nixos/tests/switch-test.nix | 14 +++++ 4 files changed, 71 insertions(+), 18 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/development/unit-handling.section.md b/nixos/doc/manual/development/unit-handling.section.md index bd4fe9e670f..c51704ad0da 100644 --- a/nixos/doc/manual/development/unit-handling.section.md +++ b/nixos/doc/manual/development/unit-handling.section.md 
@@ -17,7 +17,8 @@ checks: them and comparing their contents. If they are different but only `X-Reload-Triggers` in the `[Unit]` section is changed, **reload** the unit. The NixOS module system allows setting these triggers with the option - [systemd.services.\.reloadTriggers](#opt-systemd.services). If the + [systemd.services.\.reloadTriggers](#opt-systemd.services). There are + some additional keys in the `[Unit]` section that are ignored as well. If the unit files differ in any way, the following actions are performed: - `.path` and `.slice` units are ignored. There is no need to restart them diff --git a/nixos/doc/manual/from_md/development/unit-handling.section.xml b/nixos/doc/manual/from_md/development/unit-handling.section.xml index 57c4754c001..642cc5cccc7 100644 --- a/nixos/doc/manual/from_md/development/unit-handling.section.xml +++ b/nixos/doc/manual/from_md/development/unit-handling.section.xml @@ -38,8 +38,9 @@ reload the unit. The NixOS module system allows setting these triggers with the option systemd.services.<name>.reloadTriggers. - If the unit files differ in any way, the following actions are - performed: + There are some additional keys in the [Unit] + section that are ignored as well. If the unit files differ in + any way, the following actions are performed: diff --git a/nixos/modules/system/activation/switch-to-configuration.pl b/nixos/modules/system/activation/switch-to-configuration.pl index a1653d451fe..ca45fc9c286 100644 --- a/nixos/modules/system/activation/switch-to-configuration.pl +++ b/nixos/modules/system/activation/switch-to-configuration.pl 
@@ -226,10 +226,20 @@ sub unrecord_unit { sub compare_units { my ($old_unit, $new_unit) = @_; my $ret = 0; + # Keys to ignore in the [Unit] section + my %unit_section_ignores = map { $_ => 1 } qw( + X-Reload-Triggers + Description Documentation + OnFailure OnSuccess OnFailureJobMode + IgnoreOnIsolate StopWhenUnneeded + RefuseManualStart RefuseManualStop + AllowIsolate CollectMode + SourcePath + ); my $comp_array = sub { my ($a, $b) = @_; - return join("\0", @{$a}) eq join("\0", @{$b}); + return join("\0", @{$a}) eq join "\0", @{$b}; }; # Comparison hash for the sections @@ -238,6 +248,18 @@ sub compare_units { foreach my $section_name (keys %{$old_unit}) { # Missing section in the new unit? if (not exists $section_cmp{$section_name}) { + # If the [Unit] section was removed, make sure that only keys + # were in it that are ignored + if ($section_name eq 'Unit') { + foreach my $ini_key (keys %{$old_unit->{'Unit'}}) { + if (not defined $unit_section_ignores{$ini_key}) { + return 1; + } + } + next; # check the next section + } else { + return 1; + } if ($section_name eq 'Unit' and %{$old_unit->{'Unit'}} == 1 and defined(%{$old_unit->{'Unit'}}{'X-Reload-Triggers'})) { # If a new [Unit] section was removed that only contained X-Reload-Triggers, # do nothing. @@ -255,8 +277,8 @@ sub compare_units { my @old_value = @{$old_unit->{$section_name}{$ini_key}}; # If the key is missing in the new unit, they are different... if (not $new_unit->{$section_name}{$ini_key}) { - # ... unless the key that is now missing was the reload trigger - if ($section_name eq 'Unit' and $ini_key eq 'X-Reload-Triggers') { + # ... unless the key that is now missing is one of the ignored keys + if ($section_name eq 'Unit' and defined $unit_section_ignores{$ini_key}) { next; } return 1; 
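Review bot: `%unit_section_ignores` carries no explanation of why these keys may be skipped, yet the ignore turns a changed `OnFailure`, `OnSuccess` or `RefuseManualStop` into "unit unchanged", so a reader needs to know these are job-scheduling [Unit] properties that systemd picks up on daemon-reload without the unit being restarted. Suggest `# Keys to ignore in the [Unit] section: they only affect how systemd schedules jobs for the unit and take effect on daemon-reload, so a change does not require a restart`. The `$comp_array` rewrite that drops the parentheses around the second `join` parses identically but reads as a precedence puzzle; `return join("\0", @{$a}) eq join("\0", @{$b});` is clearer. `compare_units` continues past this hunk.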
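Review bot: The context line `if ($section_name eq 'Unit' and %{$old_unit->{'Unit'}} == 1 and defined(%{$old_unit->{'Unit'}}{'X-Reload-Triggers'}))` that follows the new `if/else` is now unreachable, because the new code either `next`s or `return 1`s on every path of the missing-section case; its case is already covered by `X-Reload-Triggers` being in `%unit_section_ignores`, so the old special case should be deleted rather than left as dead code. Leaving it invites a later edit that revives a second, divergent rule for the same situation. `compare_units` starts before this hunk and continues after it.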
@@ -264,19 +286,30 @@ sub compare_units { my @new_value = @{$new_unit->{$section_name}{$ini_key}}; # If the contents are different, the units are different if (not $comp_array->(\@old_value, \@new_value)) { - # Check if only the reload triggers changed - if ($section_name eq 'Unit' and $ini_key eq 'X-Reload-Triggers') { - $ret = 2; - } else { - return 1; + # Check if only the reload triggers changed or one of the ignored keys + if ($section_name eq 'Unit') { + if ($ini_key eq 'X-Reload-Triggers') { + $ret = 2; + next; + } elsif (defined $unit_section_ignores{$ini_key}) { + next; + } } + return 1; } } # A key was introduced that was missing in the old unit if (%ini_cmp) { - if ($section_name eq 'Unit' and %ini_cmp == 1 and defined($ini_cmp{'X-Reload-Triggers'})) { - # If the newly introduced key was the reload triggers, reload the unit - $ret = 2; + if ($section_name eq 'Unit') { + foreach my $ini_key (keys %ini_cmp) { + if ($ini_key eq 'X-Reload-Triggers') { + $ret = 2; + } elsif (defined $unit_section_ignores{$ini_key}) { + next; + } else { + return 1; + } + } } else { return 1; } @@ -284,10 +317,14 @@ sub compare_units { } # A section was introduced that was missing in the old unit if (%section_cmp) { - if (%section_cmp == 1 and defined($section_cmp{'Unit'}) and %{$new_unit->{'Unit'}} == 1 and defined(%{$new_unit->{'Unit'}}{'X-Reload-Triggers'})) { - # If a new [Unit] section was introduced that only contains X-Reload-Triggers, - # reload instead of restarting - $ret = 2; + if (%section_cmp == 1 and defined $section_cmp{'Unit'}) { + foreach my $ini_key (keys %{$new_unit->{'Unit'}}) { + if (not defined $unit_section_ignores{$ini_key}) { + return 1; + } elsif ($ini_key eq 'X-Reload-Triggers') { + $ret = 2; + } + } } else { return 1; } diff --git a/nixos/tests/switch-test.nix b/nixos/tests/switch-test.nix index 4160e481853..a994fb78160 100644 --- a/nixos/tests/switch-test.nix +++ b/nixos/tests/switch-test.nix 
@@ -64,6 +64,11 @@ in { }; }; + simpleServiceDifferentDescription.configuration = { + imports = [ simpleService.configuration ]; + systemd.services.test.description = "Test unit"; + }; + simpleServiceModified.configuration = { imports = [ simpleService.configuration ]; systemd.services.test.serviceConfig.X-Test = true; @@ -497,6 +502,15 @@ in { assert_lacks(out, "\nstarting the following units:") assert_lacks(out, "the following new units were started:") + # Only changing the description does nothing + out = switch_to_specialisation("${machine}", "simpleServiceDifferentDescription") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_lacks(out, "\nrestarting the following units:") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + # Restart the simple service out = switch_to_specialisation("${machine}", "simpleServiceModified") assert_contains(out, "stopping the following units: test.service\n") -- cgit 1.4.1 From bc58430068d0bd0ffd3ef561a92a05f5970d149c Mon Sep 17 00:00:00 2001 From: Janne Heß Date: Sun, 6 Mar 2022 22:43:47 +0100 Subject: nixos/switch-to-configuration: Fix reloading of stopped services --- .../manual/development/unit-handling.section.md | 3 ++ .../from_md/development/unit-handling.section.xml | 5 ++ .../system/activation/switch-to-configuration.pl | 31 ++++++++++++ nixos/tests/switch-test.nix | 59 ++++++++++++++++++++++ 4 files changed, 98 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/development/unit-handling.section.md b/nixos/doc/manual/development/unit-handling.section.md index c51704ad0da..a7ccb3dbd04 100644 --- a/nixos/doc/manual/development/unit-handling.section.md +++ b/nixos/doc/manual/development/unit-handling.section.md 
@@ -34,6 +34,9 @@ checks: - The rest of the units (mostly `.service` units) are then **reload**ed if `X-ReloadIfChanged` in the `[Service]` section is set to `true` (exposed via [systemd.services.\.reloadIfChanged](#opt-systemd.services)). + A little exception is done for units that were deactivated in the meantime, + for example because they require a unit that got stopped before. These + are **start**ed instead of reloaded. - If the reload flag is not set, some more flags decide if the unit is skipped. These flags are `X-RestartIfChanged` in the `[Service]` section diff --git a/nixos/doc/manual/from_md/development/unit-handling.section.xml b/nixos/doc/manual/from_md/development/unit-handling.section.xml index 642cc5cccc7..4c980e1213a 100644 --- a/nixos/doc/manual/from_md/development/unit-handling.section.xml +++ b/nixos/doc/manual/from_md/development/unit-handling.section.xml @@ -72,6 +72,11 @@ [Service] section is set to true (exposed via systemd.services.<name>.reloadIfChanged). + A little exception is done for units that were deactivated + in the meantime, for example because they require a unit + that got stopped before. These are + started instead of + reloaded. diff --git a/nixos/modules/system/activation/switch-to-configuration.pl b/nixos/modules/system/activation/switch-to-configuration.pl index a67a9b05778..d83198bc346 100644 --- a/nixos/modules/system/activation/switch-to-configuration.pl +++ b/nixos/modules/system/activation/switch-to-configuration.pl 
@@ -104,6 +104,19 @@ sub getActiveUnits { return $res; } +# Returns whether a systemd unit is active +sub unit_is_active { + my ($unit_name) = @_; + + my $mgr = Net::DBus->system->get_service('org.freedesktop.systemd1')->get_object('/org/freedesktop/systemd1'); + my $units = $mgr->ListUnitsByNames([$unit_name]); + if (@{$units} == 0) { + return 0; + } + my $active_state = $units->[0]->[3]; ## no critic (ValuesAndExpressions::ProhibitMagicNumbers) + return $active_state eq 'active' || $active_state eq 'activating'; +} + sub parseFstab { my ($filename) = @_; my ($fss, $swaps); @@ -744,6 +757,24 @@ close $listActiveUsers; print STDERR "setting up tmpfiles\n"; system("@systemd@/bin/systemd-tmpfiles", "--create", "--remove", "--exclude-prefix=/dev") == 0 or $res = 3; +# Before reloading we need to ensure that the units are still active. They may have been +# deactivated because one of their requirements got stopped. If they are inactive +# but should have been reloaded, the user probably expects them to be started. +if (scalar(keys %unitsToReload) > 0) { + for my $unit (keys %unitsToReload) { + if (!unit_is_active($unit)) { + # Figure out if we need to start the unit + my %unit_info = parse_unit("$out/etc/systemd/system/$unit"); + if (!(parseSystemdBool(\%unit_info, 'Unit', 'RefuseManualStart', 0) || parseSystemdBool(\%unit_info, 'Unit', 'X-OnlyManualStart', 0))) { + $unitsToStart{$unit} = 1; + recordUnit($startListFile, $unit); + } + # Don't reload the unit, reloading would fail + delete %unitsToReload{$unit}; + unrecord_unit($reloadListFile, $unit); + } + } +} # Reload units that need it. This includes remounting changed mount # units. if (scalar(keys %unitsToReload) > 0) { diff --git a/nixos/tests/switch-test.nix b/nixos/tests/switch-test.nix index a994fb78160..93eee4babc2 100644 --- a/nixos/tests/switch-test.nix +++ b/nixos/tests/switch-test.nix 
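Review bot: `unit_is_active` treats a unit whose ActiveState is `reloading` as inactive, because the last line accepts only `active` and `activating`; a unit that is mid-reload when the script runs would then be taken off the reload list and put on the start list by the later hunk in this file. Since `reloading` is a running state, `return $active_state eq 'active' || $active_state eq 'activating' || $active_state eq 'reloading';` looks more accurate. The `## no critic` index would also read better with a note on what is being indexed, e.g. `# ListUnitsByNames returns (name, description, load_state, active_state, ...)` — confirm against the D-Bus API the script targets.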
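Review bot: In the second hunk (`@@ -744,6 +757,24 @@`), an inactive unit that sets `RefuseManualStart` or `X-OnlyManualStart` is removed from the reload list without any message, so the user sees the unit neither reloaded nor started and nothing explains why; a line such as `print STDERR "not starting inactive unit $unit, it refuses manual start\n";` in the negative branch would make this visible. Two smaller points: the outer `if (scalar(keys %unitsToReload) > 0)` guard is redundant around a `for` over the same keys, and `delete %unitsToReload{$unit}` is a key/value-slice delete where the conventional single-key form is `delete $unitsToReload{$unit};`. This is top-level script code, so the surrounding activation sequence is outside the hunk.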
@@ -208,6 +208,39 @@ in { systemd.services."escaped\\x2ddash".serviceConfig.X-Test = "test"; }; + unitWithRequirement.configuration = { + systemd.services.required-service = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "${pkgs.coreutils}/bin/true"; + ExecReload = "${pkgs.coreutils}/bin/true"; + }; + }; + systemd.services.test-service = { + wantedBy = [ "multi-user.target" ]; + requires = [ "required-service.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "${pkgs.coreutils}/bin/true"; + ExecReload = "${pkgs.coreutils}/bin/true"; + }; + }; + }; + + unitWithRequirementModified.configuration = { + imports = [ unitWithRequirement.configuration ]; + systemd.services.required-service.serviceConfig.X-Test = "test"; + systemd.services.test-service.reloadTriggers = [ "test" ]; + }; + + unitWithRequirementModifiedNostart.configuration = { + imports = [ unitWithRequirement.configuration ]; + systemd.services.test-service.unitConfig.RefuseManualStart = true; + }; + restart-and-reload-by-activation-script.configuration = { systemd.services = rec { simple-service = { 
@@ -574,6 +607,32 @@ in { assert_contains(out, "\nstarting the following units: escaped\\x2ddash.service\n") assert_lacks(out, "the following new units were started:") + # Ensure units that require changed units are properly reloaded + out = switch_to_specialisation("${machine}", "unitWithRequirement") + assert_contains(out, "stopping the following units: escaped\\x2ddash.service\n") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_lacks(out, "\nrestarting the following units:") + assert_lacks(out, "\nstarting the following units:") + assert_contains(out, "the following new units were started: required-service.service, test-service.service\n") + + out = switch_to_specialisation("${machine}", "unitWithRequirementModified") + assert_contains(out, "stopping the following units: required-service.service\n") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_lacks(out, "\nrestarting the following units:") + assert_contains(out, "\nstarting the following units: required-service.service, test-service.service\n") + assert_lacks(out, "the following new units were started:") + + # Unless the unit asks to be not restarted + out = switch_to_specialisation("${machine}", "unitWithRequirementModifiedNostart") + assert_contains(out, "stopping the following units: required-service.service\n") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_lacks(out, "\nrestarting the following units:") + assert_contains(out, "\nstarting the following units: required-service.service\n") + assert_lacks(out, "the following new units were started:") + with subtest("failing units"): # Let the simple service fail switch_to_specialisation("${machine}", "simpleServiceModified") -- cgit 1.4.1 From c19e76b29f7bd0d225ab89feb0a3726676f915c8 Mon Sep 17 00:00:00 2001 
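Review bot: The `unitWithRequirementModifiedNostart` block asserts `stopping the following units: required-service.service`, but nothing in the test says why `required-service` changes there, since that specialisation only sets `RefuseManualStart` on `test-service`; the reason is that it imports the base `unitWithRequirement` configuration, so the `X-Test` value added by the previous specialisation is dropped again. A comment before that `switch_to_specialisation` call, e.g. `# required-service changes here because X-Test from the previous specialisation is dropped`, would keep the assertions understandable if the cases are ever reordered. The same ordering dependency applies to the first switch, whose expected `escaped\x2ddash.service` stop comes from the preceding test case.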
From: Luke Granger-Brown Date: Fri, 11 Mar 2022 14:07:12 +0000 Subject: pomerium: note changes in packaging in 22.05 release notes --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 10 ++++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 5 +++++ 2 files changed, 15 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 9cf27e56827..333994c0957 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -1322,6 +1322,16 @@ warning. + + + The pomerium-cli command has been moved out + of the pomerium package into the + pomerium-cli package, following upstream’s + repository split. If you are using the + pomerium-cli command, you should now + install the pomerium-cli package. + + The option diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 58a1b23d17b..222c101a284 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -479,6 +479,11 @@ In addition to numerous new and upgraded packages, this release has the followin Reason is that the old name has been deprecated upstream. Using the old option name will still work, but produce a warning. +- The `pomerium-cli` command has been moved out of the `pomerium` package into + the `pomerium-cli` package, following upstream's repository split. If you are + using the `pomerium-cli` command, you should now install the `pomerium-cli` + package. + - The option [services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock) was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager -- cgit 1.4.1 From 40a35299fa30421de85a56f084f6c59d05ea883e Mon Sep 17 00:00:00 2001 
From: pennae Date: Sun, 9 Jan 2022 08:46:55 +0100 Subject: nixos: add functions and documentation for escaping systemd Exec* directives it's really easy to accidentally write the wrong systemd Exec* directive, ones that works most of the time but fails when users include systemd metacharacters in arguments that are interpolated into an Exec* directive. add a few functions analogous to escapeShellArg{,s} and some documentation on how and when to use them. --- .../manual/development/writing-modules.chapter.md | 42 +++++++++++++++++++ .../development/writing-modules.chapter.xml | 49 ++++++++++++++++++++++ nixos/lib/utils.nix | 20 +++++++++ nixos/tests/all-tests.nix | 1 + nixos/tests/empty-file | 0 nixos/tests/systemd-escaping.nix | 45 ++++++++++++++++++++ 6 files changed, 157 insertions(+) create mode 100644 nixos/tests/empty-file create mode 100644 nixos/tests/systemd-escaping.nix (limited to 'nixos/doc') diff --git a/nixos/doc/manual/development/writing-modules.chapter.md b/nixos/doc/manual/development/writing-modules.chapter.md index 2e3c6b34f1f..0c41cbd3cb7 100644 --- a/nixos/doc/manual/development/writing-modules.chapter.md +++ b/nixos/doc/manual/development/writing-modules.chapter.md 
@@ -90,6 +90,17 @@ modules: `systemd.services` (the set of all systemd services) and `systemd.timers` (the list of commands to be executed periodically by `systemd`). +Care must be taken when writing systemd services using `Exec*` directives. By +default systemd performs substitution on `%` specifiers in these +directives, expands environment variables from `$FOO` and `${FOO}`, splits +arguments on whitespace, and splits commands on `;`. All of these must be escaped +to avoid unexpected substitution or splitting when interpolating into an `Exec*` +directive, e.g. when using an `extraArgs` option to pass additional arguments to +the service. The functions `utils.escapeSystemdExecArg` and +`utils.escapeSystemdExecArgs` are provided for this, see [Example: Escaping in +Exec directives](#exec-escaping-example) for an example. When using these +functions system environment substitution should *not* be disabled explicitly. + ::: {#locate-example .example} ::: {.title} **Example: NixOS Module for the "locate" Service** @@ -153,6 +164,37 @@ in { ``` ::: +::: {#exec-escaping-example .example} +::: {.title} +**Example: Escaping in Exec directives** +::: +```nix +{ config, lib, pkgs, utils, ... }: + +with lib; + +let + cfg = config.services.echo; + echoAll = pkgs.writeScript "echo-all" '' + #! ${pkgs.runtimeShell} + for s in "$@"; do + printf '%s\n' "$s" + done + ''; + args = [ "a%Nything" "lang=\${LANG}" ";" "/bin/sh -c date" ]; +in { + systemd.services.echo = + { description = "Echo to the journal"; + wantedBy = [ "multi-user.target" ]; + serviceConfig.Type = "oneshot"; + serviceConfig.ExecStart = '' + ${echoAll} ${utils.escapeSystemdExecArgs args} + ''; + }; +} +``` +::: + ```{=docbook} diff --git a/nixos/doc/manual/from_md/development/writing-modules.chapter.xml b/nixos/doc/manual/from_md/development/writing-modules.chapter.xml index e33c24f4f12..367731eda09 100644 --- a/nixos/doc/manual/from_md/development/writing-modules.chapter.xml 
+++ b/nixos/doc/manual/from_md/development/writing-modules.chapter.xml @@ -122,6 +122,25 @@ services) and systemd.timers (the list of commands to be executed periodically by systemd). + + Care must be taken when writing systemd services using + Exec* directives. By default systemd performs + substitution on %<char> specifiers in these + directives, expands environment variables from + $FOO and ${FOO}, splits + arguments on whitespace, and splits commands on + ;. All of these must be escaped to avoid + unexpected substitution or splitting when interpolating into an + Exec* directive, e.g. when using an + extraArgs option to pass additional arguments to + the service. The functions + utils.escapeSystemdExecArg and + utils.escapeSystemdExecArgs are provided for + this, see Example: Escaping in + Exec directives for an example. When using these functions + system environment substitution should not be + disabled explicitly. + Example: NixOS Module for the @@ -183,6 +202,36 @@ in { }; }; } + + + + Example: Escaping in Exec + directives + + +{ config, lib, pkgs, utils, ... }: + +with lib; + +let + cfg = config.services.echo; + echoAll = pkgs.writeScript "echo-all" '' + #! ${pkgs.runtimeShell} + for s in "$@"; do + printf '%s\n' "$s" + done + ''; + args = [ "a%Nything" "lang=\${LANG}" ";" "/bin/sh -c date" ]; +in { + systemd.services.echo = + { description = "Echo to the journal"; + wantedBy = [ "multi-user.target" ]; + serviceConfig.Type = "oneshot"; + serviceConfig.ExecStart = '' + ${echoAll} ${utils.escapeSystemdExecArgs args} + ''; + }; +} diff --git a/nixos/lib/utils.nix b/nixos/lib/utils.nix index bbebf8ba35a..29135024195 100644 --- a/nixos/lib/utils.nix +++ b/nixos/lib/utils.nix 
@@ -45,6 +45,26 @@ rec { replaceChars ["/" "-" " "] ["-" "\\x2d" "\\x20"] (removePrefix "/" s); + # Quotes an argument for use in Exec* service lines. + # systemd accepts "-quoted strings with escape sequences, toJSON produces + # a subset of these. + # Additionally we escape % to disallow expansion of % specifiers. Any lone ; + # in the input will be turned it ";" and thus lose its special meaning. + # Every $ is escaped to $$, this makes it unnecessary to disable environment + # substitution for the directive. + escapeSystemdExecArg = arg: + let + s = if builtins.isPath arg then "${arg}" + else if builtins.isString arg then arg + else if builtins.isInt arg || builtins.isFloat arg then toString arg + else throw "escapeSystemdExecArg only allows strings, paths and numbers"; + in + replaceChars [ "%" "$" ] [ "%%" "$$" ] (builtins.toJSON s); + + # Quotes a list of arguments into a single string for use in a Exec* + # line. + escapeSystemdExecArgs = concatMapStringsSep " " escapeSystemdExecArg; + # Returns a system path for a given shell package toShellPath = shell: if types.shellPackage.check shell then diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 9f3e97ceb13..01708fe0679 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -459,6 +459,7 @@ in systemd-boot = handleTest ./systemd-boot.nix {}; systemd-confinement = handleTest ./systemd-confinement.nix {}; systemd-cryptenroll = handleTest ./systemd-cryptenroll.nix {}; + systemd-escaping = handleTest ./systemd-escaping.nix {}; systemd-journal = handleTest ./systemd-journal.nix {}; systemd-networkd = handleTest ./systemd-networkd.nix {}; systemd-networkd-dhcpserver = handleTest ./systemd-networkd-dhcpserver.nix {}; diff --git a/nixos/tests/empty-file b/nixos/tests/empty-file new file mode 100644 index 00000000000..e69de29bb2d diff --git a/nixos/tests/systemd-escaping.nix b/nixos/tests/systemd-escaping.nix new file mode 100644 index 00000000000..7f93eb5e4f7 --- /dev/null 
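Review bot: The comment above `escapeSystemdExecArg` has a typo that obscures its meaning: `in the input will be turned it ";"` should read `will be turned into ";"`. The comment also leaves out two behaviours a caller would want stated: a path argument is interpolated with `"${arg}"`, which copies it to the Nix store and substitutes the store path, and a float goes through `toString`, which can render extra fractional digits (the new test in systemd-escaping.nix works around this with an `in` check rather than equality). Suggest adding `# Paths are copied to the store and replaced by their store path; floats are rendered by toString and may carry extra fractional digits.` to the header comment.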
+++ b/nixos/tests/systemd-escaping.nix @@ -0,0 +1,45 @@ +import ./make-test-python.nix ({ pkgs, ... }: + +let + echoAll = pkgs.writeScript "echo-all" '' + #! ${pkgs.runtimeShell} + for s in "$@"; do + printf '%s\n' "$s" + done + ''; + # deliberately using a local empty file instead of pkgs.emptyFile to have + # a non-store path in the test + args = [ "a%Nything" "lang=\${LANG}" ";" "/bin/sh -c date" ./empty-file 4.2 23 ]; +in +{ + name = "systemd-escaping"; + + machine = { pkgs, lib, utils, ... }: { + systemd.services.echo = + assert !(builtins.tryEval (utils.escapeSystemdExecArgs [ [] ])).success; + assert !(builtins.tryEval (utils.escapeSystemdExecArgs [ {} ])).success; + assert !(builtins.tryEval (utils.escapeSystemdExecArgs [ null ])).success; + assert !(builtins.tryEval (utils.escapeSystemdExecArgs [ false ])).success; + assert !(builtins.tryEval (utils.escapeSystemdExecArgs [ (_:_) ])).success; + { description = "Echo to the journal"; + serviceConfig.Type = "oneshot"; + serviceConfig.ExecStart = '' + ${echoAll} ${utils.escapeSystemdExecArgs args} + ''; + }; + }; + + testScript = '' + machine.wait_for_unit("multi-user.target") + machine.succeed("systemctl start echo.service") + # skip the first 'Starting ...' line + logs = machine.succeed("journalctl -u echo.service -o cat").splitlines()[1:] + assert "a%Nything" == logs[0] + assert "lang=''${LANG}" == logs[1] + assert ";" == logs[2] + assert "/bin/sh -c date" == logs[3] + assert "/nix/store/ij3gw72f4n5z4dz6nnzl1731p9kmjbwr-empty-file" == logs[4] + assert "4.2" in logs[5] # toString produces extra fractional digits! + assert "23" == logs[6] + ''; +}) -- cgit 1.4.1 From 561c0c28519c7b378078d5ee510c6727fb310d28 Mon Sep 17 00:00:00 2001 
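Review bot: The assertion for the path argument hard-codes the store path `/nix/store/ij3gw72f4n5z4dz6nnzl1731p9kmjbwr-empty-file`; that value is derived from the file's name and (empty) content, so it is stable today, but it gives a reader no way to see where it comes from and will silently need updating if the file is renamed or gains content. Since `testScript` is a Nix string, the test can let Nix compute it: `assert "${./empty-file}" == logs[4]`. Separately, `lib` is taken from the module arguments in `machine = { pkgs, lib, utils, ... }` but never used.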
From: midchildan Date: Mon, 14 Feb 2022 00:49:15 +0900 Subject: nixos/rl-2205: add entries for EPGStation v2 --- .../from_md/release-notes/rl-2205.section.xml | 53 ++++++++++++++++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 24 ++++++++++ .../modules/services/video/epgstation/default.nix | 8 ++-- 3 files changed, 81 insertions(+), 4 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 9cf27e56827..b4b31ad4b66 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -826,6 +826,59 @@ include serif fonts. + + + pkgs.epgstation has been upgraded from v1 + to v2, resulting in incompatible changes in the database + scheme and configuration format. + + + + + Some top-level settings under + services.epgstation + is now deprecated because it was redudant due to the same + options being present in + services.epgstation.settings. + + + + + The option + services.epgstation.basicAuth + was removed because basic authentication support was dropped + by upstream. + + + + + The option + services.epgstation.database.passwordFile + no longer has a default value. Make sure to set this option + explicitly before upgrading. Change the database password if + necessary. + + + + + The + services.epgstation.settings + option now expects options for config.yml + in EPGStation v2. + + + + + Existing data for the + services.epgstation + module would have to be backed up prior to the upgrade. To + back up exising data to + /tmp/epgstation.bak, run + sudo -u epgstation epgstation run backup /tmp/epgstation.bak. + To import that data after to the upgrade, run + sudo -u epgstation epgstation run v1migrate /tmp/epgstation.bak + + switch-to-configuration (the script that is 
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 58a1b23d17b..1c4a8735277 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -321,6 +321,30 @@ In addition to numerous new and upgraded packages, this release has the followin `pkgs.noto-fonts-cjk` is currently an alias of `pkgs.noto-fonts-cjk-sans` and doesn't include serif fonts. +- `pkgs.epgstation` has been upgraded from v1 to v2, resulting in incompatible + changes in the database scheme and configuration format. + +- Some top-level settings under [services.epgstation](#opt-services.epgstation) + is now deprecated because it was redudant due to the same options being + present in [services.epgstation.settings](#opt-services.epgstation.settings). + +- The option [services.epgstation.basicAuth](#opt-services.epgstation.basicAuth) + was removed because basic authentication support was dropped by upstream. + +- The option [services.epgstation.database.passwordFile](#opt-services.epgstation.database.passwordFile) + no longer has a default value. Make sure to set this option explicitly before + upgrading. Change the database password if necessary. + +- The [services.epgstation.settings](#opt-services.epgstation.settings) + option now expects options for `config.yml` in EPGStation v2. + +- Existing data for the [services.epgstation](#opt-services.epgstation.enable) + module would have to be backed up prior to the upgrade. To back up exising + data to `/tmp/epgstation.bak`, run + `sudo -u epgstation epgstation run backup /tmp/epgstation.bak`. + To import that data after to the upgrade, run + `sudo -u epgstation epgstation run v1migrate /tmp/epgstation.bak` + - `switch-to-configuration` (the script that is run when running `nixos-rebuild switch` for example) has been reworked * The interface that allows activation scripts to restart units has been streamlined. Restarting and reloading is now done by a single file `/run/nixos/activation-restart-list` that honors `restartIfChanged` and `reloadIfChanged` of the units. * Preferring to reload instead of restarting can still be achieved using `/run/nixos/activation-reload-list`. 
diff --git a/nixos/modules/services/video/epgstation/default.nix b/nixos/modules/services/video/epgstation/default.nix index 71428a00e4d..191f6eb52e5 100644 --- a/nixos/modules/services/video/epgstation/default.nix +++ b/nixos/modules/services/video/epgstation/default.nix @@ -171,20 +171,20 @@ in options.socketioPort = lib.mkOption { type = lib.types.port; default = cfg.settings.port + 1; - defaultText = lib.literalExpression "config.${opt.settings.port} + 1"; + defaultText = lib.literalExpression "config.${opt.settings}.port + 1"; description = '' Socket.io port for EPGStation to listen on. It is valid to share - ports with . + ports with . ''; }; options.clientSocketioPort = lib.mkOption { type = lib.types.port; default = cfg.settings.socketioPort; - defaultText = lib.literalExpression "config.${opt.settings.socketioPort}"; + defaultText = lib.literalExpression "config.${opt.settings}.socketioPort"; description = '' Socket.io port that the web client is going to connect to. This may - be different from if + be different from if EPGStation is hidden behind a reverse proxy. ''; }; -- cgit 1.4.1 From 552c9930626feca85abf7075f4b925fa6c50238c Mon Sep 17 00:00:00 2001 From: midchildan Date: Sun, 27 Feb 2022 15:31:43 +0900 Subject: nixos/rl-2205: fix invalid link --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 5 ++--- nixos/doc/manual/release-notes/rl-2205.section.md | 6 +++--- 2 files changed, 5 insertions(+), 6 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index b4b31ad4b66..4a2177ca9e2 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -836,7 +836,7 @@ Some top-level settings under - services.epgstation + services.epgstation is now deprecated because it was redudant due to the same options being present in services.epgstation.settings. 
@@ -844,8 +844,7 @@ - The option - services.epgstation.basicAuth + The option services.epgstation.basicAuth was removed because basic authentication support was dropped by upstream. diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 1c4a8735277..b8fa641a565 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -324,12 +324,12 @@ In addition to numerous new and upgraded packages, this release has the followin - `pkgs.epgstation` has been upgraded from v1 to v2, resulting in incompatible changes in the database scheme and configuration format. -- Some top-level settings under [services.epgstation](#opt-services.epgstation) +- Some top-level settings under [services.epgstation](#opt-services.epgstation.enable) is now deprecated because it was redudant due to the same options being present in [services.epgstation.settings](#opt-services.epgstation.settings). -- The option [services.epgstation.basicAuth](#opt-services.epgstation.basicAuth) - was removed because basic authentication support was dropped by upstream. +- The option `services.epgstation.basicAuth` was removed because basic + authentication support was dropped by upstream. - The option [services.epgstation.database.passwordFile](#opt-services.epgstation.database.passwordFile) no longer has a default value. Make sure to set this option explicitly before -- cgit 1.4.1 From 9fad223ad1d5ab3810e17cdb9323fe49f478f51c Mon Sep 17 00:00:00 2001 From: Pierre Bourdon Date: Sat, 12 Mar 2022 16:33:46 +0100 Subject: matrix-synapse: fix release notes and doc for #158605 changes --- .../manual/from_md/release-notes/rl-2205.section.xml | 17 +++++++++++++++-- nixos/doc/manual/release-notes/rl-2205.section.md | 9 +++++++-- nixos/modules/services/matrix/matrix-synapse.xml | 6 +++--- 3 files changed, 25 insertions(+), 7 deletions(-) (limited to 'nixos/doc') 
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 9cf27e56827..3c7c420ed89 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -432,6 +432,12 @@ still supported, because you can set arbitrary values in this freeform type. + + The listeners.*.bind_address option was + renamed to bind_addresses in order to match + the upstream homeserver.yaml option name. + It is now also a list of strings instead of a string. + An example to make the required migration clearer: @@ -493,7 +499,7 @@ listeners = [ { port = 8448; - bind_address = [ + bind_addresses = [ "::" "0.0.0.0" ]; @@ -524,7 +530,14 @@ Additionally a few option defaults have been synced up with upstream default values, for example the max_upload_size grew from - 10M to 50M. + 10M to 50M. For the same + reason, the default media_store_path was + changed from ${dataDir}/media to + ${dataDir}/media_store if + system.stateVersion is at least + 22.05. Files will need to be manually moved + to the new location if the stateVersion is + updated. diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 58a1b23d17b..3f366598f11 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -141,6 +141,9 @@ In addition to numerous new and upgraded packages, this release has the followin module (`services.matrix-synapse`) now need to be moved into `services.matrix-synapse.settings`. And while not all options you may use are defined in there, they are still supported, because you can set arbitrary values in this freeform type. + The `listeners.*.bind_address` option was renamed to `bind_addresses` in order to match the upstream `homeserver.yaml` option + name. It is now also a list of strings instead of a string. + An example to make the required migration clearer: Before: @@ -198,7 +201,7 @@ In addition to numerous new and upgraded packages, this release has the followin listeners = [ { port = 8448; - bind_address = [ + bind_addresses = [ "::" "0.0.0.0" ]; @@ -223,7 +226,9 @@ In addition to numerous new and upgraded packages, this release has the followin The secrets in your original config should be migrated into a YAML file that is included via `extraConfigFiles`. - Additionally a few option defaults have been synced up with upstream default values, for example the `max_upload_size` grew from `10M` to `50M`. + Additionally a few option defaults have been synced up with upstream default values, for example the `max_upload_size` grew from `10M` to `50M`. For the same reason, the default + `media_store_path` was changed from `${dataDir}/media` to `${dataDir}/media_store` if `system.stateVersion` is at least `22.05`. Files will need to be manually moved to the new + location if the `stateVersion` is updated. - The MoinMoin wiki engine (`services.moinmoin`) has been removed, because Python 2 is being retired from nixpkgs. diff --git a/nixos/modules/services/matrix/matrix-synapse.xml b/nixos/modules/services/matrix/matrix-synapse.xml index cdc4b4de1a7..cf33957d58e 100644 --- a/nixos/modules/services/matrix/matrix-synapse.xml +++ b/nixos/modules/services/matrix/matrix-synapse.xml 
@@ -119,7 +119,7 @@ in { listeners = [ { port = 8008; - bind_address = [ "::1" ]; + bind_addresses = [ "::1" ]; type = "http"; tls = false; x_forwarded = true; @@ -152,10 +152,10 @@ in { If you want to run a server with public registration by anybody, you can - then enable services.matrix-synapse.enable_registration = + then enable services.matrix-synapse.settings.enable_registration = true;. Otherwise, or you can generate a registration secret with pwgen -s 64 1 and set it with - . + . To create a new user or admin, run the following after you have set the secret and have rebuilt NixOS: -- cgit 1.4.1 From 27e32bbfde6c0c27c78859b23943e79b84e3c860 Mon Sep 17 00:00:00 2001 From: Peter Hoeg Date: Mon, 12 Jul 2021 15:34:26 +0800 Subject: nixos/systembus-notify: add support for system services notifying users --- .../from_md/release-notes/rl-2205.section.xml | 11 ++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 + nixos/modules/module-list.nix | 1 + nixos/modules/services/system/systembus-notify.nix | 27 +++++++++++++ .../applications/misc/systembus-notify/default.nix | 44 +++++++++++++++++++--- 5 files changed, 80 insertions(+), 5 deletions(-) create mode 100644 nixos/modules/services/system/systembus-notify.nix (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index bdf51211378..d3a944533ab 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -249,6 +249,17 @@ services.prosody-filer. + + + systembus-notify, + allow system level notifications to reach the users. Available + as + services.systembus-notify. + Please keep in mind that this service should only be enabled + on machines with fully trusted users, as any local user is + able to DoS user sessions by spamming notifications. + + ethercalc, 
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index b8d6078a21d..fe30cbc3cf5 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -72,6 +72,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [prosody-filer](https://github.com/ThomasLeister/prosody-filer), a server for handling XMPP HTTP Upload requests. Available at [services.prosody-filer](#opt-services.prosody-filer.enable). +- [systembus-notify](https://github.com/rfjakob/systembus-notify), allow system level notifications to reach the users. Available as [services.systembus-notify](opt-services.systembus-notify.enable). Please keep in mind that this service should only be enabled on machines with fully trusted users, as any local user is able to DoS user sessions by spamming notifications. + - [ethercalc](https://github.com/audreyt/ethercalc), an online collaborative spreadsheet. Available as [services.ethercalc](options.html#opt-services.ethercalc.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index ff95d6500b9..13703968167 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -987,6 +987,7 @@ ./services/system/nscd.nix ./services/system/saslauthd.nix ./services/system/self-deploy.nix + ./services/system/systembus-notify.nix ./services/system/uptimed.nix ./services/torrent/deluge.nix ./services/torrent/flexget.nix diff --git a/nixos/modules/services/system/systembus-notify.nix b/nixos/modules/services/system/systembus-notify.nix new file mode 100644 index 00000000000..e918bc552ec --- /dev/null +++ b/nixos/modules/services/system/systembus-notify.nix 
@@ -0,0 +1,27 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.systembus-notify; + + inherit (lib) mkEnableOption mkIf; + +in +{ + options.services.systembus-notify = { + enable = mkEnableOption '' + System bus notification support + + WARNING: enabling this option (while convenient) should *not* be done on a + machine where you do not trust the other users as it allows any other + local user to DoS your session by spamming notifications. + ''; + }; + + config = mkIf cfg.enable { + systemd = { + packages = with pkgs; [ systembus-notify ]; + + user.services.systembus-notify.wantedBy = [ "graphical-session.target" ]; + }; + }; +} diff --git a/pkgs/applications/misc/systembus-notify/default.nix b/pkgs/applications/misc/systembus-notify/default.nix index 6e5405ce988..770cd858401 100644 --- a/pkgs/applications/misc/systembus-notify/default.nix +++ b/pkgs/applications/misc/systembus-notify/default.nix @@ -1,5 +1,30 @@ -{ lib, stdenv, fetchFromGitHub, systemd }: +{ lib +, stdenv +, fetchFromGitHub +, formats +, systemd +}: +let + ini = formats.ini { }; + + unit = ini.generate "systembus-notify.service" { + Unit = { + Description = "system bus notification daemon"; + }; + + Service = { + Type = "exec"; + ExecStart = "@out@/bin/systembus-notify"; + PrivateTmp = true; + ProtectHome = true; + ProtectSystem = "strict"; + Restart = "on-failure"; + Slice = "background.slice"; + }; + }; + +in stdenv.mkDerivation rec { pname = "systembus-notify"; version = "1.1"; 
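Review bot: `mkEnableOption` renders its argument as "Whether to enable <text>.", so the multi-paragraph string passed to it in the new module (the "System bus notification support" label plus the WARNING paragraph) becomes one run-on option description with a stray trailing period, and the warning is easy to miss in the generated manual. Keep the label short, `enable = mkEnableOption "system bus notification support";`, and put the WARNING paragraph into an explicit `description` override on that option (the `mkEnableOption … // { description = …; }` pattern) so it is rendered as its own paragraph; the wording of the warning itself is fine and matches the release note.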
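Review bot: The generated unit is installed as a per-user service (`$out/lib/systemd/user` in the install hunk), yet its `Service` block sets `ProtectSystem = "strict"` and `ProtectHome = true`; as far as I read systemd.exec(5), in the per-user service manager these directives are implemented through unprivileged user namespaces, so on a kernel where those are disabled the unit fails to start instead of merely running unsandboxed. That is acceptable for an opt-in helper but deserves a comment next to the block, e.g. `# sandboxing in a user unit relies on unprivileged user namespaces; the unit will not start where they are disabled`. Given the other hardening already present, adding `NoNewPrivileges = true;` for a daemon that only relays notifications would round the set out at no cost.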
@@ -8,23 +33,32 @@ stdenv.mkDerivation rec { owner = "rfjakob"; repo = "systembus-notify"; rev = "v${version}"; - sha256 = "1pdn45rfpwhrf20hs87qmk2j8sr7ab8161f81019wnypnb1q2fsv"; + sha256 = "sha256-WzuBw7LXW54CCMgFE9BSJ2skxaz4IA2BcBny63Ihtt0="; }; buildInputs = [ systemd ]; installPhase = '' runHook preInstall - install -Dm755 systembus-notify -t $out/bin - install -Dm644 systembus-notify.desktop -t $out/etc/xdg/autostart + + install -Dm555 -t $out/bin systembus-notify + install -Dm444 -t $out/share/systembus-notify systembus-notify.desktop + + install -d $out/lib/systemd/user + substitute ${unit} $out/lib/systemd/user/${unit.name} \ + --subst-var out + runHook postInstall ''; + # requires a running dbus instance + doCheck = false; + meta = with lib; { description = "System bus notification daemon"; homepage = "https://github.com/rfjakob/systembus-notify"; license = licenses.mit; + maintainers = with maintainers; [ peterhoeg ]; platforms = platforms.linux; - maintainers = with maintainers; []; }; } -- cgit 1.4.1 From 5ac5bed4b4b029324ffbe6228be5f6db96005779 Mon Sep 17 00:00:00 2001 From: Luna Nova Date: Sun, 13 Mar 2022 15:43:32 -0700 Subject: nixos/fonts: Document removal of ancient bitmap fonts from default config --- .../manual/from_md/release-notes/rl-2205.section.xml | 18 ++++++++++++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 13 +++++++++++++ 2 files changed, 31 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index d3a944533ab..3d965fb54cd 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
@@ -404,6 +404,24 @@ in your configuration. + + + fonts.fonts no longer includes ancient + bitmap fonts when both + config.services.xserver.enable and + config.nixpkgs.config.allowUnfree are + enabled. If you still want these fonts, use: + + +{ + fonts.fonts = [ + pkgs.xorg.fontbhlucidatypewriter100dpi + pkgs.xorg.fontbhlucidatypewriter75dpi + pkgs.xorg.fontbh100dpi + ]; +} + + The DHCP server (services.dhcpd4, diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index fe30cbc3cf5..26dfc388902 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -131,6 +131,19 @@ In addition to numerous new and upgraded packages, this release has the followin This change may require a reboot to take effect, and k3s may not be able to run if the boot cgroup hierarchy does not match its configuration. The previous behavior may be retained by explicitly setting `systemd.enableUnifiedCgroupHierarchy = false` in your configuration. +- `fonts.fonts` no longer includes ancient bitmap fonts when both `config.services.xserver.enable` and `config.nixpkgs.config.allowUnfree` are enabled. + If you still want these fonts, use: + + ```nix + { + fonts.fonts = [ + pkgs.xorg.fontbhlucidatypewriter100dpi + pkgs.xorg.fontbhlucidatypewriter75dpi + pkgs.xorg.fontbh100dpi + ]; + } + ``` + - The DHCP server (`services.dhcpd4`, `services.dhcpd6`) has been hardened. The service is now using the systemd's `DynamicUser` mechanism to run as an unprivileged dynamically-allocated user with limited capabilities. The dhcpd state files are now always stored in `/var/lib/dhcpd{4,6}` and the `services.dhcpd4.stateDir` and `service.dhcpd6.stateDir` options have been removed. -- cgit 1.4.1 From 54d6aee8f3754266a4ff6723268c068269ff7965 Mon Sep 17 00:00:00 2001 
From: Jonathan Ringer Date: Thu, 3 Mar 2022 10:22:08 -0800 Subject: nixos/doc/rl-22.05: mention nvidia va-api additions --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 9 +++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 ++ 2 files changed, 11 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index d3a944533ab..6a122544a7c 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -1290,6 +1290,15 @@ pkgs.theLoungePlugins.themes. + + + The option + services.xserver.videoDriver = [ "nvidia" ]; + will now also install + nvidia + VA-API drivers by default. + + The firmwareLinuxNonfree package has been diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index fe30cbc3cf5..ddfc9702c97 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -477,6 +477,8 @@ In addition to numerous new and upgraded packages, this release has the followin - The option `services.thelounge.plugins` has been added to allow installing plugins for The Lounge. Plugins can be found in `pkgs.theLoungePlugins.plugins` and `pkgs.theLoungePlugins.themes`. +- The option `services.xserver.videoDriver = [ "nvidia" ];` will now also install [nvidia VA-API drivers](https://github.com/elFarto/nvidia-vaapi-driver) by default. + - The `firmwareLinuxNonfree` package has been renamed to `linux-firmware`. - It is now possible to specify wordlists to include as handy to access environment variables using the `config.environment.wordlist` configuration options. -- cgit 1.4.1 From df2327ee2471582ef0f56e72eb221519d6dbcd24 Mon Sep 17 00:00:00 2001 
From: Vladyslav Burzakovskyy Date: Tue, 15 Mar 2022 14:17:44 +0100 Subject: kratos: 0.8.0-alpha.3 -> 0.8.3-alpha.1.pre.0 --- .../from_md/release-notes/rl-2205.section.xml | 46 ++++++++++++++++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 8 ++++ pkgs/applications/misc/kratos/default.nix | 8 ++-- 3 files changed, 58 insertions(+), 4 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 396de8cd77c..841fbff7a64 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -1280,6 +1280,52 @@ instead of configuration.nix. + + + ORY Kratos was updated to version 0.8.3-alpha.1.pre.0, which + introduces some breaking changes: + + + + + If you are relying on the SQLite images, update your + Docker Pull commands as follows: + + + + + docker pull oryd/kratos:{version} + + + + + + + Additionally, all passwords now have to be at least 8 + characters long. + + + + + For more details, see: + + + + + Release + Notes for v0.8.1-alpha-1 + + + + + Release + Notes for v0.8.2-alpha-1 + + + + + + fetchFromSourcehut now allows fetching diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 2f730de737c..694b95c6cb2 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -480,6 +480,14 @@ In addition to numerous new and upgraded packages, this release has the followin - `nixos-generate-config` now puts the dhcp configuration in `hardware-configuration.nix` instead of `configuration.nix`. +- ORY Kratos was updated to version 0.8.3-alpha.1.pre.0, which introduces some breaking changes: + - If you are relying on the SQLite images, update your Docker Pull commands as follows: + - `docker pull oryd/kratos:{version}` + - Additionally, all passwords now have to be at least 8 characters long. + - For more details, see: + - [Release Notes for v0.8.1-alpha-1](https://github.com/ory/kratos/releases/tag/v0.8.1-alpha.1) + - [Release Notes for v0.8.2-alpha-1](https://github.com/ory/kratos/releases/tag/v0.8.2-alpha.1) + - `fetchFromSourcehut` now allows fetching repositories recursively using `fetchgit` or `fetchhg` if the argument `fetchSubmodules` is set to `true`. diff --git a/pkgs/applications/misc/kratos/default.nix b/pkgs/applications/misc/kratos/default.nix index a0b67042eca..043f607c010 100644 --- a/pkgs/applications/misc/kratos/default.nix +++ b/pkgs/applications/misc/kratos/default.nix @@ -2,16 +2,16 @@ buildGoModule rec { pname = "kratos"; - version = "0.8.0-alpha.3"; + version = "0.8.3-alpha.1.pre.0"; src = fetchFromGitHub { owner = "ory"; repo = "kratos"; rev = "v${version}"; - sha256 = "0ihq2kxjackicxg0hrpmx6bsgz056xbaq3j8py37z2w6mwszarcg"; + sha256 = "1225paf0x6lb6cb3q5f4lyz0r426ifx4x8145q7nsc6v64srck2y"; }; - vendorSha256 = "175pckj30cm5xkbvsdvwzarvwapsylyjgj4ss8v5r1sa0fjpj008"; + vendorSha256 = "10zhxbccjsp6hbmk2lnvbag6c92hz703mcaigaj4wvlf7glpldm6"; subPackages = [ "." ]; @@ -25,7 +25,7 @@ buildGoModule rec { test/e2e/run.sh script/testenv.sh script/test-envs.sh - persistence/sql/migratest/update_fixtures.sh + script/debug-entrypoint.sh ) patchShebangs "''${files[@]}" -- cgit 1.4.1 From 1b34039b5f1c3bfa6a9b1f7bd78ab3adecbe2a75 Mon Sep 17 00:00:00 2001 
From: Luflosi Date: Sat, 5 Mar 2022 13:25:02 +0100 Subject: nixos/tor: fix services.tor.client.enable = false not working If `services.tor.client.enable` is set to false (the default), the `SOCKSPort` option is not added to the torrc file but since Tor defaults to listening on port 9050 when the option is not specified, the tor client is not actually disabled. To fix this, simply set `SOCKSPort` to 0, which disables the client. Use `mkForce` to prevent potentially two different `SOCKSPort` options in the torrc file, with one of them being 0 as this would cause Tor to fail to start. When `services.tor.client.enable` is set to false, this should always be disabled. --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 10 ++++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 ++ nixos/modules/services/security/tor.nix | 5 +++++ 3 files changed, 17 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 396de8cd77c..ae9067c923e 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -792,6 +792,16 @@ systemd.nspawn.<name>.execConfig.PrivateUsers = false + + + The Tor SOCKS proxy is now actually disabled if + services.tor.client.enable is set to + false (the default). If you are using this + functionality but didn’t change the setting or set it to + false, you now need to set it to + true. + + The terraform 0.12 compatibility has been removed and the diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 2f730de737c..ad9020f1544 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -307,6 +307,8 @@ In addition to numerous new and upgraded packages, this release has the followin - `systemd-nspawn@.service` settings have been reverted to the default systemd behaviour. User namespaces are now activated by default. If you want to keep running nspawn containers without user namespaces you need to set `systemd.nspawn..execConfig.PrivateUsers = false` +- The Tor SOCKS proxy is now actually disabled if `services.tor.client.enable` is set to `false` (the default). If you are using this functionality but didn't change the setting or set it to `false`, you now need to set it to `true`. + - The terraform 0.12 compatibility has been removed and the `terraform.withPlugins` and `terraform-providers.mkProvider` implementations simplified. Providers now need to be stored under `$out/libexec/terraform-providers/////_/terraform-provider-_v` (which mkProvider does). diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index ddd216ca7fd..a5822c02794 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -910,6 +910,11 @@ in ORPort = mkForce []; PublishServerDescriptor = mkForce false; }) + (mkIf (!cfg.client.enable) { + # Make sure application connections via SOCKS are disabled + # when services.tor.client.enable is false + SOCKSPort = mkForce [ 0 ]; + }) (mkIf cfg.client.enable ( { SOCKSPort = [ cfg.client.socksListenAddress ]; } // optionalAttrs cfg.client.transparentProxy.enable { -- cgit 1.4.1 From 47b699fe6c417b77575eff93be4b21a8530cf9be Mon Sep 17 00:00:00 2001 
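Review bot: The comment added above `SOCKSPort = mkForce [ 0 ];` explains what the line does but not why `mkForce` is needed, which the commit message covers: a user-supplied `settings.SOCKSPort` merged next to the `0` entry would make Tor refuse to start, so the user's value is deliberately discarded whenever `services.tor.client.enable` is false. That silent override is the surprising part and should be recorded in place, e.g. `# mkForce: an additional user-set SOCKSPort next to 0 makes Tor fail to start, so the setting is overridden outright while client.enable is false`. The surrounding attribute list that this `mkIf` is appended to starts and ends outside the hunk, so I cannot tell from here whether any other module still sets SOCKSPort and would now be overridden too; a `warnings` entry when `config.services.tor.settings.SOCKSPort` is set explicitly alongside `client.enable = false` would make the behaviour visible to users.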
From: Luflosi Date: Wed, 16 Mar 2022 14:47:45 +0100 Subject: Revert "nixos/modprobe: add boot.initrd.extraModprobeConfig option" This reverts commit 1c58cdbeed880e99d816c234a954d4cdfc073b6c, since this change was made redundant by 3dc6fab5c9362db2cf079ffa15f2b62b05001747 and in https://github.com/NixOS/nixpkgs/pull/145013 we decided to revert this commit. --- .../manual/from_md/release-notes/rl-2205.section.xml | 8 -------- nixos/doc/manual/release-notes/rl-2205.section.md | 2 -- nixos/modules/system/boot/modprobe.nix | 20 -------------------- nixos/modules/system/boot/stage-1.nix | 3 --- 4 files changed, 33 deletions(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index d91bad8042d..cb88db67235 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -1317,14 +1317,6 @@ files. - - - A new option - boot.initrd.extraModprobeConfig has been - added which can be used to configure kernel modules that are - loaded in the initrd. - - nixos-generate-config now puts the dhcp diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 2e01297f15f..27cca7158e0 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -491,8 +491,6 @@ In addition to numerous new and upgraded packages, this release has the followin - The option `services.duplicati.dataDir` has been added to allow changing the location of duplicati's files. -- A new option `boot.initrd.extraModprobeConfig` has been added which can be used to configure kernel modules that are loaded in the initrd. - - `nixos-generate-config` now puts the dhcp configuration in `hardware-configuration.nix` instead of `configuration.nix`. - ORY Kratos was updated to version 0.8.3-alpha.1.pre.0, which introduces some breaking changes: diff --git a/nixos/modules/system/boot/modprobe.nix b/nixos/modules/system/boot/modprobe.nix index 27f78835adb..e683d181729 100644 --- a/nixos/modules/system/boot/modprobe.nix +++ b/nixos/modules/system/boot/modprobe.nix @@ -34,23 +34,6 @@ with lib; type = types.lines; }; - boot.initrd.extraModprobeConfig = mkOption { - default = ""; - example = - '' - options zfs zfs_arc_max=1073741824 - ''; - description = '' - Does exactly the same thing as - , except - that the generated modprobe.conf - file is also included in the initrd. - This is useful for setting module options for kernel - modules that are loaded during early boot in the initrd. - ''; - type = types.lines; - }; - }; @@ -67,9 +50,6 @@ with lib; '')} ${config.boot.extraModprobeConfig} ''; - environment.etc."modprobe.d/nixos-initrd.conf".text = '' - ${config.boot.initrd.extraModprobeConfig} - ''; environment.etc."modprobe.d/debian.conf".source = pkgs.kmod-debian-aliases; environment.etc."modprobe.d/systemd.conf".source = "${pkgs.systemd}/lib/modprobe.d/systemd.conf"; diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index a85a3675e03..8b011d91563 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix 
@@ -338,9 +338,6 @@ let { object = pkgs.writeText "mdadm.conf" config.boot.initrd.mdadmConf; symlink = "/etc/mdadm.conf"; } - { object = config.environment.etc."modprobe.d/nixos-initrd.conf".source; - symlink = "/etc/modprobe.d/nixos-initrd.conf"; - } { object = pkgs.runCommand "initrd-kmod-blacklist-ubuntu" { src = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf"; preferLocalBuild = true; -- cgit 1.4.1 From 7867b9506b76d5d1e71419c1b259c0990afff081 Mon Sep 17 00:00:00 2001 From: Luflosi Date: Thu, 17 Mar 2022 10:17:51 +0100 Subject: nixos/doc/rl-22.05: add changelog entry for modprobe changes Add a changelog entry for the changes in 3dc6fab5c9362db2cf079ffa15f2b62b05001747. --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 8 ++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 ++ 2 files changed, 10 insertions(+) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index cb88db67235..7ef03b1f5e1 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -1317,6 +1317,14 @@ files. + + + The options boot.extraModprobeConfig and + boot.blacklistedKernelModules now also take + effect in the initrd by copying the file + /etc/modprobe.d/nixos.conf into the initrd. + + nixos-generate-config now puts the dhcp diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 27cca7158e0..d592d689611 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -491,6 +491,8 @@ In addition to numerous new and upgraded packages, this release has the followin - The option `services.duplicati.dataDir` has been added to allow changing the location of duplicati's files. +- The options `boot.extraModprobeConfig` and `boot.blacklistedKernelModules` now also take effect in the initrd by copying the file `/etc/modprobe.d/nixos.conf` into the initrd. + - `nixos-generate-config` now puts the dhcp configuration in `hardware-configuration.nix` instead of `configuration.nix`. - ORY Kratos was updated to version 0.8.3-alpha.1.pre.0, which introduces some breaking changes: -- cgit 1.4.1 From c12cec8bc39c3c1153a42032a03a83d149d1e2ac Mon Sep 17 00:00:00 2001 From: j-k Date: Fri, 18 Mar 2022 04:47:19 +0000 Subject: _7zz: correct license (#163999) * _7zz: correct license and remove p7zip dependency The code under Compress/Rar* is licensed under a specific unRAR license Also Compress/LzfseDecoder.cpp is covered by BSD3 The unRAR code is removed from the `.tar.xz` since the license posits you agree or remove the code from your hard drive This adds some complexity to updating 7zz so there is also an update script Meta has been updated and tweaked Source is now downloaded from sourceforge in the `.tar.xz` version to avoid depending on p7zip * _7zz: add notice of the license updates and optional unRAR licenced code --- .../from_md/release-notes/rl-2205.section.xml | 6 +++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 + pkgs/tools/archivers/7zz/default.nix | 58 +++++++++++++++++++--- pkgs/tools/archivers/7zz/update.sh | 50 +++++++++++++++++++ 4 files changed, 109 insertions(+), 7 deletions(-) create mode 100755 pkgs/tools/archivers/7zz/update.sh (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 7ef03b1f5e1..ee0f94bfce3 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -760,6 +760,12 @@ unmaintained + + + pkgs._7zz is now correctly licensed as + LGPL3+ and BSD3 with optional unfree unRAR licensed code + + tilp2 was removed together with its module diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index d592d689611..148543802d0 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -304,6 +304,8 @@ In addition to numerous new and upgraded packages, this release has the followin - `pkgs.docbookrx` was removed since it's unmaintained +- `pkgs._7zz` is now correctly licensed as LGPL3+ and BSD3 with optional unfree unRAR licensed code + - `tilp2` was removed together with its module - The F-PROT antivirus (`fprot` package) and its service module were removed because it diff --git a/pkgs/tools/archivers/7zz/default.nix b/pkgs/tools/archivers/7zz/default.nix index c93a750e48f..c4ccae0272e 100644 --- a/pkgs/tools/archivers/7zz/default.nix +++ b/pkgs/tools/archivers/7zz/default.nix @@ -1,4 +1,14 @@ -{ stdenv, lib, fetchurl, p7zip, uasm, useUasm ? stdenv.isx86_64 }: +{ stdenv +, lib +, fetchurl + +, uasm +, useUasm ? stdenv.isx86_64 + + # RAR code is under non-free unRAR license + # see the meta.license section below for more details +, enableUnfree ? false +}: let inherit (stdenv.hostPlatform) system; 
@@ -14,17 +24,38 @@ stdenv.mkDerivation rec { version = "21.07"; src = fetchurl { - url = "https://7-zip.org/a/7z${lib.replaceStrings [ "." ] [ "" ] version}-src.7z"; - sha256 = "sha256-0QdNVvQVqrmdmeWXp7ZtxFXbpjSa6KTInfdkdbahKEw="; + url = "https://7-zip.org/a/7z${lib.replaceStrings [ "." ] [ "" ] version}-src.tar.xz"; + sha256 = { + free = "sha256-SMM6kQ6AZ05s4miJjMoE4NnsXQ0tlkdWx0q2HKjhaM8="; + unfree = "sha256-IT1ZRAfLjvy6NmELFSykkh7aFBYzELQ5A9E+aDE+Hjk="; + }.${if enableUnfree then "unfree" else "free"}; + downloadToTemp = (!enableUnfree); + # remove the unRAR related code from the src drv + # > the license requires that you agree to these use restrictions, + # > or you must remove the software (source and binary) from your hard disks + # https://fedoraproject.org/wiki/Licensing:Unrar + postFetch = lib.optionalString (!enableUnfree) '' + mkdir tmp + tar xf $downloadedFile -C ./tmp + rm -r ./tmp/CPP/7zip/Compress/Rar* + tar cfJ $out -C ./tmp . \ + --sort=name \ + --mtime="@$SOURCE_DATE_EPOCH" \ + --owner=0 --group=0 --numeric-owner \ + --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime + ''; }; sourceRoot = "CPP/7zip/Bundles/Alone2"; - makeFlags = lib.optionals useUasm [ "MY_ASM=uasm" ]; + makeFlags = + lib.optionals useUasm [ "MY_ASM=uasm" ] ++ + # it's the compression code with the restriction, see DOC/License.txt + lib.optionals (!enableUnfree) [ "DISABLE_RAR_COMPRESS=true" ]; makefile = "../../cmpl_gcc${platformSuffix}.mak"; - nativeBuildInputs = [ p7zip ] ++ lib.optionals useUasm [ uasm ]; + nativeBuildInputs = lib.optionals useUasm [ uasm ]; enableParallelBuilding = true; 
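Review bot: With `enableUnfree = false` the fixed-output `src` is no longer the upstream tarball but a re-compressed one produced in `postFetch`, so the `free` hash now depends on the builder's `tar` and `xz` producing byte-identical output across nixpkgs updates; the `--sort`, `--mtime`, owner and pax options cover the usual tar sources of nondeterminism, but a change in the xz default preset or in tar's archive format would invalidate the hash even though upstream did not change. That is presumably acceptable, but it should be stated next to the `sha256` attribute, e.g. `# the "free" hash covers the re-packed tarball from postFetch, not upstream's file; it changes if tar/xz output changes`, so the next person seeing a hash mismatch does not assume an upstream tampering. Note also that `downloadToTemp` plus the unquoted `Rar*` glob is fail-closed: if upstream ever renames the RAR sources, `rm -r` errors out and the fetch fails rather than shipping the unfree code silently, which is the right default and worth a one-line comment too.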
@@ -40,14 +71,27 @@ stdenv.mkDerivation rec { doInstallCheck = true; installCheckPhase = '' + runHook preInstallCheck + $out/bin/7zz --help | grep ${version} + + runHook postInstallCheck ''; + passthru.updateScript = ./update.sh; + meta = with lib; { description = "Command line archiver utility"; homepage = "https://7-zip.org"; - license = licenses.lgpl21Plus; - maintainers = with maintainers; [ anna328p peterhoeg ]; + license = with licenses; + # 7zip code is largely lgpl2Plus + # CPP/7zip/Compress/LzfseDecoder.cpp is bsd3 + [ lgpl2Plus /* and */ bsd3 ] ++ + # and CPP/7zip/Compress/Rar* are unfree with the unRAR license restriction + # the unRAR compression code is disabled by default + lib.optionals enableUnfree [ unfree ]; + maintainers = with maintainers; [ anna328p peterhoeg jk ]; platforms = platforms.linux; + mainProgram = "7zz"; }; } diff --git a/pkgs/tools/archivers/7zz/update.sh b/pkgs/tools/archivers/7zz/update.sh new file mode 100755 index 00000000000..bbc9804799a --- /dev/null +++ b/pkgs/tools/archivers/7zz/update.sh 
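Review bot: The `meta.license` list in this hunk says `lgpl2Plus`, while the release-note entries added by the same commit (the `rl-2205.section.md` and `.xml` hunks above) announce the package as "now correctly licensed as LGPL3+ and BSD3"; one of the two is wrong and since the point of the commit is license correctness the mismatch should be resolved before merge. The in-code comment `# 7zip code is largely lgpl2Plus` suggests the note is the one to fix, but please confirm against `DOC/License.txt` in the source tree referenced by the `makeFlags` comment. Minor: `$out/bin/7zz --help | grep ${version}` in `installCheckPhase` treats the version as a regex and matches any output containing it; `grep -F -- "${version}"` is the stricter form.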
@@ -0,0 +1,50 @@ +#! /usr/bin/env nix-shell +#! nix-shell -i bash -p coreutils gnused curl jq +set -euo pipefail +cd "$(dirname "${BASH_SOURCE[0]}")" + +DRV_DIR="$PWD" + +OLD_VERSION="$(sed -nE 's/\s*version = "(.*)".*/\1/p' ./default.nix)" + +NEW_VERSION="$(curl "https://sourceforge.net/projects/sevenzip/best_release.json" | jq '.platform_releases.linux.filename' -r | cut -d/ -f3)" + +echo "comparing versions $OLD_VERSION => $NEW_VERSION" +if [[ "$OLD_VERSION" == "$NEW_VERSION" ]]; then + echo "Already up to date! Doing nothing" + exit 0 +fi + +NIXPKGS_ROOT="$(realpath "$DRV_DIR/../../../..")" + +echo "getting free source hash" +OLD_FREE_HASH="$(nix-instantiate --eval --strict -E "with import $NIXPKGS_ROOT {}; _7zz.src.drvAttrs.outputHash" | tr -d '"')" +echo "getting unfree source hash" +OLD_UNFREE_HASH="$(nix-instantiate --eval --strict -E "with import $NIXPKGS_ROOT {}; (_7zz.override { enableUnfree = true; }).src.drvAttrs.outputHash" | tr -d '"')" + +NEW_VERSION_FORMATTED="$(echo "$NEW_VERSION" | tr -d '.')" +URL="https://7-zip.org/a/7z${NEW_VERSION_FORMATTED}-src.tar.xz" + + +NEW_FREE_HASH=$(nix-prefetch -f "$NIXPKGS_ROOT" -E "_7zz.src" --url "$URL") + +NEW_UNFREE_OUT=$(nix-prefetch -f "$NIXPKGS_ROOT" -E "(_7zz.override { enableUnfree = true; }).src" --url "$URL" --output raw --print-path) +# first line of raw output is the hash +NEW_UNFREE_HASH="$(echo "$NEW_UNFREE_OUT" | sed -n 1p)" +# second line of raw output is the src path +NEW_UNFREE_SRC="$(echo "$NEW_UNFREE_OUT" | sed -n 2p)" +# make sure to nuke the unfree src from the updater's machine +# > the license requires that you agree to these use restrictions, or you must remove the software (source and binary) from your hard disks +# https://fedoraproject.org/wiki/Licensing:Unrar +nix-store --delete "$NEW_UNFREE_SRC" + + +echo "updating version" +sed -i "s/version = \"$OLD_VERSION\";/version = \"$NEW_VERSION\";/" "$DRV_DIR/default.nix" + +echo "updating free hash" +sed -i "s@free = \"$OLD_FREE_HASH\";@free 
= \"$NEW_FREE_HASH\";@" "$DRV_DIR/default.nix" +echo "updating unfree hash" +sed -i "s@unfree = \"$OLD_UNFREE_HASH\";@unfree = \"$NEW_UNFREE_HASH\";@" "$DRV_DIR/default.nix" + +echo "done" -- cgit 1.4.1 From 201a32a1a70720a28036c1e83c421a185f2f13a5 Mon Sep 17 00:00:00 2001 From: pennae Date: Fri, 18 Mar 2022 08:35:25 +0100 Subject: unifi: unifi6 -> unifi7 --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 8 ++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 3 +++ pkgs/top-level/all-packages.nix | 2 +- 3 files changed, 12 insertions(+), 1 deletion(-) (limited to 'nixos/doc') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index ee0f94bfce3..48e85b1a5e7 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -1248,6 +1248,14 @@ compatibilty, but will be removed at a later date. + + + The unifi package was switched from + unifi6 to unifi7. Direct + downgrades from Unifi 7 to Unifi 6 are not possible and + require restoring from a backup made by Unifi 6. + + programs.zsh.autosuggestions.strategy now diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 148543802d0..2c2008ba123 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -464,6 +464,9 @@ In addition to numerous new and upgraded packages, this release has the followin combined `influxdb2` package is still provided in this release for backwards compatibilty, but will be removed at a later date. +- The `unifi` package was switched from `unifi6` to `unifi7`. + Direct downgrades from Unifi 7 to Unifi 6 are not possible and require restoring from a backup made by Unifi 6. + - `programs.zsh.autosuggestions.strategy` now takes a list of strings instead of a string. - The `services.unifi.openPorts` option default value of `true` is now deprecated and will be changed to `false` in 22.11. diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 0a6a4013d35..701d82b961f 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -22194,7 +22194,7 @@ with pkgs; unifi6 unifi7; - unifi = unifi6; + unifi = unifi7; unifi-video = callPackage ../servers/unifi-video { }; -- cgit 1.4.1