authorWeijia Wang <9713184+wegank@users.noreply.github.com>2024-04-28 04:02:14 +0200
committerWeijia Wang <9713184+wegank@users.noreply.github.com>2024-04-28 04:02:14 +0200
commit7f45fee52a693123c5027e554fa38a8dc0debd40 (patch)
treed80d200737e36b48ec5b2d5b5e30a545700d88f9 /nixos
parent19c30e016f04874d60ed0922bf58be4aa9a15e53 (diff)
parent32a79f412e8665f3d0b17833f73914f9e9549a0d (diff)
Merge branch 'master' into staging-next
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/configuration/profiles/graphical.section.md2
-rw-r--r--nixos/doc/manual/configuration/x-windows.chapter.md4
-rw-r--r--nixos/doc/manual/release-notes/rl-2405.section.md2
-rw-r--r--nixos/modules/installer/tools/tools.nix2
-rw-r--r--nixos/modules/module-list.nix3
-rw-r--r--nixos/modules/profiles/graphical.nix6
-rw-r--r--nixos/modules/security/isolate.nix133
-rw-r--r--nixos/modules/services/desktop-managers/plasma6.nix2
-rw-r--r--nixos/modules/services/display-managers/sddm.nix4
-rw-r--r--nixos/modules/services/hardware/libinput.nix (renamed from nixos/modules/services/x11/hardware/libinput.nix)12
-rw-r--r--nixos/modules/services/matrix/appservice-irc.nix3
-rw-r--r--nixos/modules/services/security/oauth2_proxy_nginx.nix4
-rw-r--r--nixos/modules/services/web-apps/akkoma.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/budgie.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/cinnamon.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/deepin.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/enlightenment.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/gnome.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/lxqt.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/mate.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/pantheon.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/plasma5.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/xfce.nix2
-rw-r--r--nixos/modules/services/x11/hardware/cmt.nix4
-rw-r--r--nixos/modules/services/x11/hardware/synaptics.nix6
-rw-r--r--nixos/tests/all-tests.nix2
-rw-r--r--nixos/tests/gvisor.nix2
-rw-r--r--nixos/tests/isolate.nix38
-rw-r--r--nixos/tests/libinput.nix2
-rw-r--r--nixos/tests/nginx-sso.nix2
-rw-r--r--nixos/tests/qtile.nix34
-rw-r--r--nixos/tests/syncthing-relay.nix2
32 files changed, 254 insertions, 37 deletions
diff --git a/nixos/doc/manual/configuration/profiles/graphical.section.md b/nixos/doc/manual/configuration/profiles/graphical.section.md
index 3bd80b52e845a..84fad5c0a612a 100644
--- a/nixos/doc/manual/configuration/profiles/graphical.section.md
+++ b/nixos/doc/manual/configuration/profiles/graphical.section.md
@@ -6,5 +6,5 @@ graphical installation CD.
 It sets [](#opt-services.xserver.enable),
 [](#opt-services.displayManager.sddm.enable),
 [](#opt-services.xserver.desktopManager.plasma5.enable),
-and [](#opt-services.xserver.libinput.enable) to true. It also
+and [](#opt-services.libinput.enable) to true. It also
 includes glxinfo and firefox in the system packages list.
diff --git a/nixos/doc/manual/configuration/x-windows.chapter.md b/nixos/doc/manual/configuration/x-windows.chapter.md
index c09e0877e8663..31752330dd9a8 100644
--- a/nixos/doc/manual/configuration/x-windows.chapter.md
+++ b/nixos/doc/manual/configuration/x-windows.chapter.md
@@ -207,7 +207,7 @@ Latitude series) can be enabled as follows:
 
 ```nix
 {
-  services.xserver.libinput.enable = true;
+  services.libinput.enable = true;
 }
 ```
 
@@ -216,7 +216,7 @@ For instance, the following disables tap-to-click behavior:
 
 ```nix
 {
-  services.xserver.libinput.touchpad.tapping = false;
+  services.libinput.touchpad.tapping = false;
 }
 ```
 
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index 6bb55c03ab830..bf4da68007641 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -193,6 +193,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - [prometheus-nats-exporter](https://github.com/nats-io/prometheus-nats-exporter), a Prometheus exporter for NATS. Available as [services.prometheus.exporters.nats](#opt-services.prometheus.exporters.nats.enable).
 
+- [isolate](https://github.com/ioi/isolate), a sandbox for securely executing untrusted programs. Available as [security.isolate](#opt-security.isolate.enable).
+
 ## Backward Incompatibilities {#sec-release-24.05-incompatibilities}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix
index e7f9990e9632e..7f16b97440c1c 100644
--- a/nixos/modules/installer/tools/tools.nix
+++ b/nixos/modules/installer/tools/tools.nix
@@ -185,7 +185,7 @@ in
         # };
 
         # Enable touchpad support (enabled default in most desktopManager).
-        # services.xserver.libinput.enable = true;
+        # services.libinput.enable = true;
 
         # Define a user account. Don't forget to set a password with ‘passwd’.
         # users.users.alice = {
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 50157f62ed320..ef25a7f3e75a2 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -325,6 +325,7 @@
   ./security/duosec.nix
   ./security/google_oslogin.nix
   ./security/ipa.nix
+  ./security/isolate.nix
   ./security/krb5
   ./security/lock-kernel-modules.nix
   ./security/misc.nix
@@ -558,6 +559,7 @@
   ./services/hardware/joycond.nix
   ./services/hardware/kanata.nix
   ./services/hardware/lcd.nix
+  ./services/hardware/libinput.nix
   ./services/hardware/lirc.nix
   ./services/hardware/nvidia-container-toolkit
   ./services/hardware/monado.nix
@@ -1472,7 +1474,6 @@
   ./services/x11/gdk-pixbuf.nix
   ./services/x11/hardware/cmt.nix
   ./services/x11/hardware/digimend.nix
-  ./services/x11/hardware/libinput.nix
   ./services/x11/hardware/synaptics.nix
   ./services/x11/hardware/wacom.nix
   ./services/x11/imwheel.nix
diff --git a/nixos/modules/profiles/graphical.nix b/nixos/modules/profiles/graphical.nix
index 8cc31652f8075..72b865c584f07 100644
--- a/nixos/modules/profiles/graphical.nix
+++ b/nixos/modules/profiles/graphical.nix
@@ -7,10 +7,12 @@
   services.xserver = {
     enable = true;
     desktopManager.plasma5.enable = true;
-    libinput.enable = true; # for touchpad support on many laptops
   };
 
-  services.displayManager.sddm.enable = true;
+  services = {
+    displayManager.sddm.enable = true;
+    libinput.enable = true; # for touchpad support on many laptops
+  };
 
   # Enable sound in virtualbox appliances.
   hardware.pulseaudio.enable = true;
diff --git a/nixos/modules/security/isolate.nix b/nixos/modules/security/isolate.nix
new file mode 100644
index 0000000000000..3cc0176f3db30
--- /dev/null
+++ b/nixos/modules/security/isolate.nix
@@ -0,0 +1,133 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkEnableOption mkPackageOption mkOption types mkIf maintainers;
+
+  cfg = config.security.isolate;
+  configFile = pkgs.writeText "isolate-config.cf" ''
+    box_root=${cfg.boxRoot}
+    lock_root=${cfg.lockRoot}
+    cg_root=${cfg.cgRoot}
+    first_uid=${toString cfg.firstUid}
+    first_gid=${toString cfg.firstGid}
+    num_boxes=${toString cfg.numBoxes}
+    restricted_init=${if cfg.restrictedInit then "1" else "0"}
+    ${cfg.extraConfig}
+  '';
+  isolate = pkgs.symlinkJoin {
+    name = "isolate-wrapped-${pkgs.isolate.version}";
+
+    paths = [ pkgs.isolate ];
+
+    nativeBuildInputs = [ pkgs.makeWrapper ];
+
+    postBuild = ''
+      wrapProgram $out/bin/isolate \
+        --set ISOLATE_CONFIG_FILE ${configFile}
+
+      wrapProgram $out/bin/isolate-cg-keeper \
+        --set ISOLATE_CONFIG_FILE ${configFile}
+    '';
+  };
+in
+{
+  options.security.isolate = {
+    enable = mkEnableOption ''
+      Sandbox for securely executing untrusted programs
+    '';
+
+    package = mkPackageOption pkgs "isolate-unwrapped" { };
+
+    boxRoot = mkOption {
+      type = types.path;
+      default = "/var/lib/isolate/boxes";
+      description = ''
+        All sandboxes are created under this directory.
+        To avoid symlink attacks, this directory and all its ancestors
+        must be writeable only by root.
+      '';
+    };
+
+    lockRoot = mkOption {
+      type = types.path;
+      default = "/run/isolate/locks";
+      description = ''
+        Directory where lock files are created.
+      '';
+    };
+
+    cgRoot = mkOption {
+      type = types.str;
+      default = "auto:/run/isolate/cgroup";
+      description = ''
+        Control group which subgroups are placed under.
+        Either an explicit path to a subdirectory in cgroupfs, or "auto:file" to read
+        the path from "file", where it is put by `isolate-cg-helper`.
+      '';
+    };
+
+    firstUid = mkOption {
+      type = types.numbers.between 1000 65533;
+      default = 60000;
+      description = ''
+        Start of block of UIDs reserved for sandboxes.
+      '';
+    };
+
+    firstGid = mkOption {
+      type = types.numbers.between 1000 65533;
+      default = 60000;
+      description = ''
+        Start of block of GIDs reserved for sandboxes.
+      '';
+    };
+
+    numBoxes = mkOption {
+      type = types.numbers.between 1000 65533;
+      default = 1000;
+      description = ''
+        Number of UIDs and GIDs to reserve, starting from
+        {option}`firstUid` and {option}`firstGid`.
+      '';
+    };
+
+    restrictedInit = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        If true, only root can create sandboxes.
+      '';
+    };
+
+    extraConfig = mkOption {
+      type = types.str;
+      default = "";
+      description = ''
+        Extra configuration to append to the configuration file.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [
+      isolate
+    ];
+
+    systemd.services.isolate = {
+      description = "Isolate control group hierarchy daemon";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "notify";
+        ExecStart = "${isolate}/bin/isolate-cg-keeper";
+        Slice = "isolate.slice";
+        Delegate = true;
+      };
+    };
+
+    systemd.slices.isolate = {
+      description = "Isolate sandbox slice";
+    };
+
+    meta.maintainers = with maintainers; [ virchau13 ];
+  };
+}
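Review bot: The `security.isolate.package` option is declared but never read — the `isolate` wrapper derivation joins `pkgs.isolate` and takes `pkgs.isolate.version`, so setting the option has no effect. Change the wrapper to `paths = [ cfg.package ];` and `name = "isolate-wrapped-${cfg.package.version}";`, and note that the option defaults to `isolate-unwrapped` while the wrapper currently consumes `pkgs.isolate`, so whichever of the two the wrapper is meant to use should become the default. There is also no check that the reserved id block stays in range: `firstUid` and `numBoxes` are each capped at 65533 individually, but their sum is not, so an `assertions` entry such as `{ assertion = cfg.firstUid + cfg.numBoxes - 1 <= 65533; message = "security.isolate: firstUid + numBoxes exceeds the allowed UID range"; }` (and the same for `firstGid`) would reject an overlapping configuration at evaluation time. Finally, the `boxRoot` description requires the directory and all its ancestors to be writable only by root, but nothing in the module creates it; if isolate does not create it itself, a `systemd.tmpfiles.rules` entry like `"d ${cfg.boxRoot} 0755 root root -"` would make the documented invariant hold rather than leaving it to the administrator.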
diff --git a/nixos/modules/services/desktop-managers/plasma6.nix b/nixos/modules/services/desktop-managers/plasma6.nix
index 856d36b8a3030..08507b4d370a7 100644
--- a/nixos/modules/services/desktop-managers/plasma6.nix
+++ b/nixos/modules/services/desktop-managers/plasma6.nix
@@ -238,7 +238,7 @@ in {
     services.system-config-printer.enable = mkIf config.services.printing.enable (mkDefault true);
     services.udisks2.enable = true;
     services.upower.enable = config.powerManagement.enable;
-    services.xserver.libinput.enable = mkDefault true;
+    services.libinput.enable = mkDefault true;
 
     # Extra UDEV rules used by Solid
     services.udev.packages = [
diff --git a/nixos/modules/services/display-managers/sddm.nix b/nixos/modules/services/display-managers/sddm.nix
index aaf1f0dcfc65d..a6bfa213fe380 100644
--- a/nixos/modules/services/display-managers/sddm.nix
+++ b/nixos/modules/services/display-managers/sddm.nix
@@ -111,8 +111,8 @@ let
       let
         westonIni = (pkgs.formats.ini { }).generate "weston.ini" {
           libinput = {
-            enable-tap = xcfg.libinput.mouse.tapping;
-            left-handed = xcfg.libinput.mouse.leftHanded;
+            enable-tap = config.services.libinput.mouse.tapping;
+            left-handed = config.services.libinput.mouse.leftHanded;
           };
           keyboard = {
             keymap_model = xcfg.xkb.model;
diff --git a/nixos/modules/services/x11/hardware/libinput.nix b/nixos/modules/services/hardware/libinput.nix
index 54ff7d85a0331..b8aa59035d338 100644
--- a/nixos/modules/services/x11/hardware/libinput.nix
+++ b/nixos/modules/services/hardware/libinput.nix
@@ -2,7 +2,7 @@
 
 with lib;
 
-let cfg = config.services.xserver.libinput;
+let cfg = config.services.libinput;
 
     xorgBool = v: if v then "on" else "off";
 
@@ -223,7 +223,7 @@ let cfg = config.services.xserver.libinput;
 in {
 
   imports =
-    (map (option: mkRenamedOptionModule ([ "services" "xserver" "libinput" option ]) [ "services" "xserver" "libinput" "touchpad" option ]) [
+    (map (option: mkRenamedOptionModule ([ "services" "xserver" "libinput" option ]) [ "services" "libinput" "touchpad" option ]) [
       "accelProfile"
       "accelSpeed"
       "buttonMapping"
@@ -242,11 +242,15 @@ in {
       "transformationMatrix"
       "disableWhileTyping"
       "additionalOptions"
-    ]);
+    ]) ++ [
+      (mkRenamedOptionModule [ "services" "xserver" "libinput" "enable" ]   [ "services" "libinput" "enable" ])
+      (mkRenamedOptionModule [ "services" "xserver" "libinput" "mouse" ]    [ "services" "libinput" "mouse" ])
+      (mkRenamedOptionModule [ "services" "xserver" "libinput" "touchpad" ] [ "services" "libinput" "touchpad" ])
+    ];
 
   options = {
 
-    services.xserver.libinput = {
+    services.libinput = {
       enable = mkEnableOption "libinput" // {
         default = config.services.xserver.enable;
         defaultText = lib.literalExpression "config.services.xserver.enable";
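Review bot: The three `mkRenamedOptionModule` entries make the move to `services.libinput` warn-and-forward, but the rename does not appear in the Backward Incompatibilities section of rl-2405 within this diff (only the isolate entry is added there); unless it is recorded elsewhere, a release-note item naming the old `services.xserver.libinput` path and the new `services.libinput` path should accompany the move, since users who read the notes rather than build warnings will otherwise miss it. Also, `enable` still defaults to `config.services.xserver.enable` even though the module now lives under `services/hardware`, which is reasonable for compatibility but deserves a comment: `# Default stays tied to the X server: this was an X11 input-driver option before the move to services.libinput.` The `options` block and the rest of the module continue outside the hunk.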
diff --git a/nixos/modules/services/matrix/appservice-irc.nix b/nixos/modules/services/matrix/appservice-irc.nix
index 90790169142aa..f4539a90f2e60 100644
--- a/nixos/modules/services/matrix/appservice-irc.nix
+++ b/nixos/modules/services/matrix/appservice-irc.nix
@@ -214,8 +214,9 @@ in {
         RestrictRealtime = true;
         PrivateMounts = true;
         SystemCallFilter = [
-          "@system-service @pkey @chown"
+          "@system-service @pkey"
           "~@privileged @resources"
+          "@chown"
         ];
         SystemCallArchitectures = "native";
         # AF_UNIX is required to connect to a postgres socket.
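Review bot: The new separate `"@chown"` entry depends on systemd applying `SystemCallFilter` entries in order with later entries taking precedence, because `@chown` is a member of the `@privileged` group that the preceding `"~@privileged @resources"` entry removes; nothing in the hunk records this, so a later cleanup could merge the two allow entries back together and silently re-deny chown. A comment above the list would preserve the intent: `# Order matters: @chown is part of @privileged, so it must be re-allowed after the deny entry.` The enclosing serviceConfig block starts and ends outside the hunk.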
diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix
index 1b86656c7d4c5..91d846abb36e6 100644
--- a/nixos/modules/services/security/oauth2_proxy_nginx.nix
+++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix
@@ -87,9 +87,9 @@ in
         "/oauth2/auth" = let
           maybeQueryArg = name: value:
             if value == null then null
-            else "${name}=${lib.concatStringsSep "," value}";
+            else "${name}=${lib.concatStringsSep "," (builtins.map lib.escapeURL value)}";
           allArgs = lib.mapAttrsToList maybeQueryArg conf;
-          cleanArgs = builtins.map lib.escapeURL (builtins.filter (x: x != null) allArgs);
+          cleanArgs = builtins.filter (x: x != null) allArgs;
           cleanArgsStr = lib.concatStringsSep "&" cleanArgs;
         in {
           # nginx doesn't support passing query string arguments to auth_request,
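Review bot: Escaping now applies to each value rather than to the assembled `name=value,...` pair, so `name` reaches the query string unescaped; that is fine if the attribute names of `conf` are fixed option names chosen by the module, which the hunk does not show — if they can carry user-supplied text, keep `lib.escapeURL name` on the name as well. The reason for the move is worth recording, since the old form appears to have percent-encoded the `=` and `,` separators themselves and a reader may otherwise read the change as a regression: `# Escape each value separately so the "=" and "," separators stay literal and a "," inside a value cannot be confused with the list separator.` The enclosing `let` for `/oauth2/auth` continues outside the hunk.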
diff --git a/nixos/modules/services/web-apps/akkoma.nix b/nixos/modules/services/web-apps/akkoma.nix
index b180db2d4ca04..7c9bf6c465164 100644
--- a/nixos/modules/services/web-apps/akkoma.nix
+++ b/nixos/modules/services/web-apps/akkoma.nix
@@ -957,7 +957,7 @@ in {
     assertions = optionals (cfg.config.":pleroma".":media_proxy".enabled && cfg.config.":pleroma".":media_proxy".base_url == null) [''
       `services.akkoma.config.":pleroma".":media_proxy".base_url` must be set when the media proxy is enabled.
     ''];
-    warnings = optionals (with config.security; (!sudo.enable) && (!sudo-rs.enable)) [''
+    warnings = optionals (with config.security; cfg.installWrapper && (!sudo.enable) && (!sudo-rs.enable)) [''
       The pleroma_ctl wrapper enabled by the installWrapper option relies on
       sudo, which appears to have been disabled through security.sudo.enable.
     ''];
diff --git a/nixos/modules/services/x11/desktop-managers/budgie.nix b/nixos/modules/services/x11/desktop-managers/budgie.nix
index 75ee82f1f948a..b4e7390293351 100644
--- a/nixos/modules/services/x11/desktop-managers/budgie.nix
+++ b/nixos/modules/services/x11/desktop-managers/budgie.nix
@@ -214,7 +214,7 @@ in {
 
     services.geoclue2.enable = mkDefault true; # for BCC's Privacy > Location Services panel.
     services.upower.enable = config.powerManagement.enable; # for Budgie's Status Indicator and BCC's Power panel.
-    services.xserver.libinput.enable = mkDefault true; # for BCC's Mouse panel.
+    services.libinput.enable = mkDefault true; # for BCC's Mouse panel.
     services.colord.enable = mkDefault true; # for BCC's Color panel.
     services.gnome.at-spi2-core.enable = mkDefault true; # for BCC's A11y panel.
     services.accounts-daemon.enable = mkDefault true; # for BCC's Users panel.
diff --git a/nixos/modules/services/x11/desktop-managers/cinnamon.nix b/nixos/modules/services/x11/desktop-managers/cinnamon.nix
index 774fdd4636aac..2e0eef67c0b3e 100644
--- a/nixos/modules/services/x11/desktop-managers/cinnamon.nix
+++ b/nixos/modules/services/x11/desktop-managers/cinnamon.nix
@@ -116,7 +116,7 @@ in
       services.touchegg.enable = mkDefault true;
       services.udisks2.enable = true;
       services.upower.enable = mkDefault config.powerManagement.enable;
-      services.xserver.libinput.enable = mkDefault true;
+      services.libinput.enable = mkDefault true;
       services.xserver.updateDbusEnvironment = true;
       networking.networkmanager.enable = mkDefault true;
 
diff --git a/nixos/modules/services/x11/desktop-managers/deepin.nix b/nixos/modules/services/x11/desktop-managers/deepin.nix
index 680ce7b9a93e6..30bd14adb4192 100644
--- a/nixos/modules/services/x11/desktop-managers/deepin.nix
+++ b/nixos/modules/services/x11/desktop-managers/deepin.nix
@@ -61,7 +61,7 @@ in
       services.gnome.gnome-keyring.enable = mkDefault true;
       services.bamf.enable = mkDefault true;
 
-      services.xserver.libinput.enable = mkDefault true;
+      services.libinput.enable = mkDefault true;
       services.udisks2.enable = true;
       services.upower.enable = mkDefault config.powerManagement.enable;
       networking.networkmanager.enable = mkDefault true;
diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
index 09f90e1cd4df8..0a341ba133d39 100644
--- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix
+++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
@@ -96,7 +96,7 @@ in
 
     services.udisks2.enable = true;
     services.upower.enable = config.powerManagement.enable;
-    services.xserver.libinput.enable = mkDefault true;
+    services.libinput.enable = mkDefault true;
 
     services.dbus.packages = [ e.efl ];
 
diff --git a/nixos/modules/services/x11/desktop-managers/gnome.nix b/nixos/modules/services/x11/desktop-managers/gnome.nix
index 64d4ff983e983..42cb57ef5a415 100644
--- a/nixos/modules/services/x11/desktop-managers/gnome.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome.nix
@@ -339,7 +339,7 @@ in
       # services.packagekit.enable = mkDefault true;
       services.udisks2.enable = true;
       services.upower.enable = config.powerManagement.enable;
-      services.xserver.libinput.enable = mkDefault true; # for controlling touchpad settings via gnome control center
+      services.libinput.enable = mkDefault true; # for controlling touchpad settings via gnome control center
 
       # Explicitly enabled since GNOME will be severely broken without these.
       xdg.mime.enable = true;
diff --git a/nixos/modules/services/x11/desktop-managers/lxqt.nix b/nixos/modules/services/x11/desktop-managers/lxqt.nix
index 1937bdcbd3e73..ac86c385bcc8d 100644
--- a/nixos/modules/services/x11/desktop-managers/lxqt.nix
+++ b/nixos/modules/services/x11/desktop-managers/lxqt.nix
@@ -69,7 +69,7 @@ in
 
     services.upower.enable = config.powerManagement.enable;
 
-    services.xserver.libinput.enable = mkDefault true;
+    services.libinput.enable = mkDefault true;
 
     xdg.portal.lxqt.enable = mkDefault true;
 
diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix
index 520d40d67908c..beae07b70dbfe 100644
--- a/nixos/modules/services/x11/desktop-managers/mate.nix
+++ b/nixos/modules/services/x11/desktop-managers/mate.nix
@@ -88,7 +88,7 @@ in
       services.udev.packages = [ pkgs.mate.mate-settings-daemon ];
       services.gvfs.enable = true;
       services.upower.enable = config.powerManagement.enable;
-      services.xserver.libinput.enable = mkDefault true;
+      services.libinput.enable = mkDefault true;
 
       security.pam.services.mate-screensaver.unixAuth = true;
 
diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix
index 57ccbaccb0c68..008bc65eb6a4f 100644
--- a/nixos/modules/services/x11/desktop-managers/pantheon.nix
+++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix
@@ -159,7 +159,7 @@ in
       services.gsignond.plugins = with pkgs.gsignondPlugins; [ lastfm mail oauth ];
       services.udisks2.enable = true;
       services.upower.enable = config.powerManagement.enable;
-      services.xserver.libinput.enable = mkDefault true;
+      services.libinput.enable = mkDefault true;
       services.xserver.updateDbusEnvironment = true;
       services.zeitgeist.enable = mkDefault true;
       services.geoclue2.enable = mkDefault true;
diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix
index 56fcd70dc9516..7d80b9b2641c3 100644
--- a/nixos/modules/services/x11/desktop-managers/plasma5.nix
+++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix
@@ -348,7 +348,7 @@ in
       services.system-config-printer.enable = mkIf config.services.printing.enable (mkDefault true);
       services.udisks2.enable = true;
       services.upower.enable = config.powerManagement.enable;
-      services.xserver.libinput.enable = mkDefault true;
+      services.libinput.enable = mkDefault true;
 
       # Extra UDEV rules used by Solid
       services.udev.packages = [
diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix
index c55d0021b6a7c..85d0d199de3f2 100644
--- a/nixos/modules/services/x11/desktop-managers/xfce.nix
+++ b/nixos/modules/services/x11/desktop-managers/xfce.nix
@@ -164,7 +164,7 @@ in
     services.gvfs.enable = true;
     services.tumbler.enable = true;
     services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true));
-    services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager
+    services.libinput.enable = mkDefault true; # used in xfce4-settings-manager
 
     # Enable default programs
     programs.dconf.enable = true;
diff --git a/nixos/modules/services/x11/hardware/cmt.nix b/nixos/modules/services/x11/hardware/cmt.nix
index 55d3d840ee092..53906c5c716f4 100644
--- a/nixos/modules/services/x11/hardware/cmt.nix
+++ b/nixos/modules/services/x11/hardware/cmt.nix
@@ -46,10 +46,10 @@ in {
 
     assertions = [
       {
-        assertion = !config.services.xserver.libinput.enable;
+        assertion = !config.services.libinput.enable;
         message = ''
           cmt and libinput are incompatible, meaning you cannot enable them both.
-          To use cmt you need to disable libinput with `services.xserver.libinput.enable = false`
+          To use cmt you need to disable libinput with `services.libinput.enable = false`
           If you haven't enabled it in configuration.nix, it's enabled by default on a
           different xserver module.
         '';
diff --git a/nixos/modules/services/x11/hardware/synaptics.nix b/nixos/modules/services/x11/hardware/synaptics.nix
index 4dfa917d8fb4a..c43fdac6b1ec6 100644
--- a/nixos/modules/services/x11/hardware/synaptics.nix
+++ b/nixos/modules/services/x11/hardware/synaptics.nix
@@ -30,7 +30,7 @@ in {
       enable = mkOption {
         type = types.bool;
         default = false;
-        description = "Whether to enable touchpad support. Deprecated: Consider services.xserver.libinput.enable.";
+        description = "Whether to enable touchpad support. Deprecated: Consider services.libinput.enable.";
       };
 
       dev = mkOption {
@@ -207,8 +207,8 @@ in {
 
     assertions = [
       {
-        assertion = !config.services.xserver.libinput.enable;
-        message = "Synaptics and libinput are incompatible, you cannot enable both (in services.xserver).";
+        assertion = !config.services.libinput.enable;
+        message = "Synaptics and libinput are incompatible, you cannot enable both.";
       }
     ];
 
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index d27e6b8a2b137..2c9d1aa568bf2 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -399,6 +399,7 @@ in {
   honk = runTest ./honk.nix;
   installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {});
   invidious = handleTest ./invidious.nix {};
+  isolate = handleTest ./isolate.nix {};
   livebook-service = handleTest ./livebook-service.nix {};
   pyload = handleTest ./pyload.nix {};
   oci-containers = handleTestOn ["aarch64-linux" "x86_64-linux"] ./oci-containers.nix {};
@@ -772,6 +773,7 @@ in {
   qgis = handleTest ./qgis.nix { qgisPackage = pkgs.qgis; };
   qgis-ltr = handleTest ./qgis.nix { qgisPackage = pkgs.qgis-ltr; };
   qownnotes = handleTest ./qownnotes.nix {};
+  qtile = handleTest ./qtile.nix {};
   quake3 = handleTest ./quake3.nix {};
   quicktun = handleTest ./quicktun.nix {};
   quorum = handleTest ./quorum.nix {};
diff --git a/nixos/tests/gvisor.nix b/nixos/tests/gvisor.nix
index 7f130b709fc9d..5c9447b07118d 100644
--- a/nixos/tests/gvisor.nix
+++ b/nixos/tests/gvisor.nix
@@ -3,7 +3,7 @@
 import ./make-test-python.nix ({ pkgs, ... }: {
   name = "gvisor";
   meta = with pkgs.lib.maintainers; {
-    maintainers = [ andrew-d ];
+    maintainers = [ ];
   };
 
   nodes = {
diff --git a/nixos/tests/isolate.nix b/nixos/tests/isolate.nix
new file mode 100644
index 0000000000000..327231be1cd4a
--- /dev/null
+++ b/nixos/tests/isolate.nix
@@ -0,0 +1,38 @@
+import ./make-test-python.nix ({ lib, ... }:
+{
+  name = "isolate";
+  meta.maintainers = with lib.maintainers; [ virchau13 ];
+
+  nodes.machine =
+    { ... }:
+    {
+      security.isolate = {
+        enable = true;
+      };
+    };
+
+  testScript = ''
+    bash_path = machine.succeed('realpath $(which bash)').strip()
+    sleep_path = machine.succeed('realpath $(which sleep)').strip()
+    def sleep_test(walltime, sleeptime):
+        return f'isolate --no-default-dirs --wall-time {walltime} ' + \
+            f'--dir=/box={box_path} --dir=/nix=/nix --run -- ' + \
+            f"{bash_path} -c 'exec -a sleep {sleep_path} {sleeptime}'"
+
+    def sleep_test_cg(walltime, sleeptime):
+        return f'isolate --cg --no-default-dirs --wall-time {walltime} ' + \
+            f'--dir=/box={box_path} --dir=/nix=/nix --processes=2 --run -- ' + \
+            f"{bash_path} -c '( exec -a sleep {sleep_path} {sleeptime} )'"
+
+    with subtest("without cgroups"):
+        box_path = machine.succeed('isolate --init').strip()
+        machine.succeed(sleep_test(1, 0.5))
+        machine.fail(sleep_test(0.5, 1))
+        machine.succeed('isolate --cleanup')
+    with subtest("with cgroups"):
+        box_path = machine.succeed('isolate --cg --init').strip()
+        machine.succeed(sleep_test_cg(1, 0.5))
+        machine.fail(sleep_test_cg(0.5, 1))
+        machine.succeed('isolate --cg --cleanup')
+  '';
+})
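Review bot: `sleep_test` and `sleep_test_cg` read `box_path` as a script-level global that is only assigned later inside each subtest and reassigned between them; the calls work because they happen after the assignment, but the dependency is invisible at the definition site. Passing the path explicitly is clearer: `def sleep_test(box_path, walltime, sleeptime):` (and the same for `sleep_test_cg`), with the calls updated to `sleep_test(box_path, 1, 0.5)` and so on. The test also only checks wall-time enforcement; a subtest asserting that a path outside the two `--dir` mounts is not visible from inside the box would cover the isolation property the module exists to provide.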
diff --git a/nixos/tests/libinput.nix b/nixos/tests/libinput.nix
index 9b6fa159b999c..b002492b16657 100644
--- a/nixos/tests/libinput.nix
+++ b/nixos/tests/libinput.nix
@@ -12,7 +12,7 @@ import ./make-test-python.nix ({ ... }:
 
       test-support.displayManager.auto.user = "alice";
 
-      services.xserver.libinput = {
+      services.libinput = {
         enable = true;
         mouse = {
           naturalScrolling = true;
diff --git a/nixos/tests/nginx-sso.nix b/nixos/tests/nginx-sso.nix
index 221c5f4ed9058..2bb9c7a1c3bb7 100644
--- a/nixos/tests/nginx-sso.nix
+++ b/nixos/tests/nginx-sso.nix
@@ -1,7 +1,7 @@
 import ./make-test-python.nix ({ pkgs, ... }: {
   name = "nginx-sso";
   meta = {
-    maintainers = with pkgs.lib.maintainers; [ delroth ];
+    maintainers = with pkgs.lib.maintainers; [ ambroisie ];
   };
 
   nodes.machine = {
diff --git a/nixos/tests/qtile.nix b/nixos/tests/qtile.nix
new file mode 100644
index 0000000000000..b4d8f9d421144
--- /dev/null
+++ b/nixos/tests/qtile.nix
@@ -0,0 +1,34 @@
+import ./make-test-python.nix ({ lib, ...} : {
+  name = "qtile";
+
+  meta = {
+    maintainers = with lib.maintainers; [ sigmanificient ];
+  };
+
+  nodes.machine = { pkgs, lib, ... }: {
+    imports = [ ./common/x11.nix ./common/user-account.nix ];
+    test-support.displayManager.auto.user = "alice";
+
+    services.xserver.windowManager.qtile.enable = true;
+    services.displayManager.defaultSession = lib.mkForce "none+qtile";
+
+    environment.systemPackages = [ pkgs.kitty ];
+  };
+
+  testScript = ''
+    with subtest("ensure x starts"):
+        machine.wait_for_x()
+        machine.wait_for_file("/home/alice/.Xauthority")
+        machine.succeed("xauth merge ~alice/.Xauthority")
+
+    with subtest("ensure client is available"):
+        machine.succeed("qtile --version")
+
+    with subtest("ensure we can open a new terminal"):
+        machine.sleep(2)
+        machine.send_key("meta_l-ret")
+        machine.wait_for_window(r"alice.*?machine")
+        machine.sleep(2)
+        machine.screenshot("terminal")
+  '';
+})
diff --git a/nixos/tests/syncthing-relay.nix b/nixos/tests/syncthing-relay.nix
index 3d70b1eda7b2a..cab9bcafe9d5c 100644
--- a/nixos/tests/syncthing-relay.nix
+++ b/nixos/tests/syncthing-relay.nix
@@ -1,6 +1,6 @@
 import ./make-test-python.nix ({ lib, pkgs, ... }: {
   name = "syncthing-relay";
-  meta.maintainers = with pkgs.lib.maintainers; [ delroth ];
+  meta.maintainers = with pkgs.lib.maintainers; [ ];
 
   nodes.machine = {
     environment.systemPackages = [ pkgs.jq ];