author | Weijia Wang <9713184+wegank@users.noreply.github.com> | 2024-04-28 04:02:14 +0200 |
committer | Weijia Wang <9713184+wegank@users.noreply.github.com> | 2024-04-28 04:02:14 +0200 |
commit | 7f45fee52a693123c5027e554fa38a8dc0debd40 (patch) | |
tree | d80d200737e36b48ec5b2d5b5e30a545700d88f9 /nixos | |
parent | 19c30e016f04874d60ed0922bf58be4aa9a15e53 (diff) | |
parent | 32a79f412e8665f3d0b17833f73914f9e9549a0d (diff) |
Merge branch 'master' into staging-next
Diffstat (limited to 'nixos')
32 files changed, 254 insertions, 37 deletions
diff --git a/nixos/doc/manual/configuration/profiles/graphical.section.md b/nixos/doc/manual/configuration/profiles/graphical.section.md index 3bd80b52e845a..84fad5c0a612a 100644 --- a/nixos/doc/manual/configuration/profiles/graphical.section.md +++ b/nixos/doc/manual/configuration/profiles/graphical.section.md @@ -6,5 +6,5 @@ graphical installation CD. It sets [](#opt-services.xserver.enable), [](#opt-services.displayManager.sddm.enable), [](#opt-services.xserver.desktopManager.plasma5.enable), -and [](#opt-services.xserver.libinput.enable) to true. It also +and [](#opt-services.libinput.enable) to true. It also includes glxinfo and firefox in the system packages list. diff --git a/nixos/doc/manual/configuration/x-windows.chapter.md b/nixos/doc/manual/configuration/x-windows.chapter.md index c09e0877e8663..31752330dd9a8 100644 --- a/nixos/doc/manual/configuration/x-windows.chapter.md +++ b/nixos/doc/manual/configuration/x-windows.chapter.md @@ -207,7 +207,7 @@ Latitude series) can be enabled as follows: ```nix { - services.xserver.libinput.enable = true; + services.libinput.enable = true; } ``` @@ -216,7 +216,7 @@ For instance, the following disables tap-to-click behavior: ```nix { - services.xserver.libinput.touchpad.tapping = false; + services.libinput.touchpad.tapping = false; } ``` diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index 6bb55c03ab830..bf4da68007641 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md 
@@ -193,6 +193,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - [prometheus-nats-exporter](https://github.com/nats-io/prometheus-nats-exporter), a Prometheus exporter for NATS. Available as [services.prometheus.exporters.nats](#opt-services.prometheus.exporters.nats.enable). +- [isolate](https://github.com/ioi/isolate), a sandbox for securely executing untrusted programs. Available as [security.isolate](#opt-security.isolate.enable). + ## Backward Incompatibilities {#sec-release-24.05-incompatibilities} <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index e7f9990e9632e..7f16b97440c1c 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -185,7 +185,7 @@ in # }; # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; + # services.libinput.enable = true; # Define a user account. Don't forget to set a password with ‘passwd’. # users.users.alice = { diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 50157f62ed320..ef25a7f3e75a2 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -325,6 +325,7 @@ ./security/duosec.nix ./security/google_oslogin.nix ./security/ipa.nix + ./security/isolate.nix ./security/krb5 ./security/lock-kernel-modules.nix ./security/misc.nix @@ -558,6 +559,7 @@ ./services/hardware/joycond.nix ./services/hardware/kanata.nix ./services/hardware/lcd.nix + ./services/hardware/libinput.nix ./services/hardware/lirc.nix ./services/hardware/nvidia-container-toolkit ./services/hardware/monado.nix 
@@ -1472,7 +1474,6 @@ ./services/x11/gdk-pixbuf.nix ./services/x11/hardware/cmt.nix ./services/x11/hardware/digimend.nix - ./services/x11/hardware/libinput.nix ./services/x11/hardware/synaptics.nix ./services/x11/hardware/wacom.nix ./services/x11/imwheel.nix diff --git a/nixos/modules/profiles/graphical.nix b/nixos/modules/profiles/graphical.nix index 8cc31652f8075..72b865c584f07 100644 --- a/nixos/modules/profiles/graphical.nix +++ b/nixos/modules/profiles/graphical.nix @@ -7,10 +7,12 @@ services.xserver = { enable = true; desktopManager.plasma5.enable = true; - libinput.enable = true; # for touchpad support on many laptops }; - services.displayManager.sddm.enable = true; + services = { + displayManager.sddm.enable = true; + libinput.enable = true; # for touchpad support on many laptops + }; # Enable sound in virtualbox appliances. hardware.pulseaudio.enable = true; diff --git a/nixos/modules/security/isolate.nix b/nixos/modules/security/isolate.nix new file mode 100644 index 0000000000000..3cc0176f3db30 --- /dev/null +++ b/nixos/modules/security/isolate.nix 
@@ -0,0 +1,133 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkEnableOption mkPackageOption mkOption types mkIf maintainers; + + cfg = config.security.isolate; + configFile = pkgs.writeText "isolate-config.cf" '' + box_root=${cfg.boxRoot} + lock_root=${cfg.lockRoot} + cg_root=${cfg.cgRoot} + first_uid=${toString cfg.firstUid} + first_gid=${toString cfg.firstGid} + num_boxes=${toString cfg.numBoxes} + restricted_init=${if cfg.restrictedInit then "1" else "0"} + ${cfg.extraConfig} + ''; + isolate = pkgs.symlinkJoin { + name = "isolate-wrapped-${pkgs.isolate.version}"; + + paths = [ pkgs.isolate ]; + + nativeBuildInputs = [ pkgs.makeWrapper ]; + + postBuild = '' + wrapProgram $out/bin/isolate \ + --set ISOLATE_CONFIG_FILE ${configFile} + + wrapProgram $out/bin/isolate-cg-keeper \ + --set ISOLATE_CONFIG_FILE ${configFile} + ''; + }; +in +{ + options.security.isolate = { + enable = mkEnableOption '' + Sandbox for securely executing untrusted programs + ''; + + package = mkPackageOption pkgs "isolate-unwrapped" { }; + + boxRoot = mkOption { + type = types.path; + default = "/var/lib/isolate/boxes"; + description = '' + All sandboxes are created under this directory. + To avoid symlink attacks, this directory and all its ancestors + must be writeable only by root. + ''; + }; + + lockRoot = mkOption { + type = types.path; + default = "/run/isolate/locks"; + description = '' + Directory where lock files are created. + ''; + }; + + cgRoot = mkOption { + type = types.str; + default = "auto:/run/isolate/cgroup"; + description = '' + Control group which subgroups are placed under. + Either an explicit path to a subdirectory in cgroupfs, or "auto:file" to read + the path from "file", where it is put by `isolate-cg-helper`. + ''; + }; + + firstUid = mkOption { + type = types.numbers.between 1000 65533; + default = 60000; + description = '' + Start of block of UIDs reserved for sandboxes. 
+ ''; + }; + + firstGid = mkOption { + type = types.numbers.between 1000 65533; + default = 60000; + description = '' + Start of block of GIDs reserved for sandboxes. + ''; + }; + + numBoxes = mkOption { + type = types.numbers.between 1000 65533; + default = 1000; + description = '' + Number of UIDs and GIDs to reserve, starting from + {option}`firstUid` and {option}`firstGid`. + ''; + }; + + restrictedInit = mkOption { + type = types.bool; + default = false; + description = '' + If true, only root can create sandboxes. + ''; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + description = '' + Extra configuration to append to the configuration file. + ''; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ + isolate + ]; + + systemd.services.isolate = { + description = "Isolate control group hierarchy daemon"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "notify"; + ExecStart = "${isolate}/bin/isolate-cg-keeper"; + Slice = "isolate.slice"; + Delegate = true; + }; + }; + + systemd.slices.isolate = { + description = "Isolate sandbox slice"; + }; + + meta.maintainers = with maintainers; [ virchau13 ]; + }; +} diff --git a/nixos/modules/services/desktop-managers/plasma6.nix b/nixos/modules/services/desktop-managers/plasma6.nix index 856d36b8a3030..08507b4d370a7 100644 --- a/nixos/modules/services/desktop-managers/plasma6.nix +++ b/nixos/modules/services/desktop-managers/plasma6.nix @@ -238,7 +238,7 @@ in { services.system-config-printer.enable = mkIf config.services.printing.enable (mkDefault true); services.udisks2.enable = true; services.upower.enable = config.powerManagement.enable; - services.xserver.libinput.enable = mkDefault true; + services.libinput.enable = mkDefault true; # Extra UDEV rules used by Solid services.udev.packages = [ diff --git a/nixos/modules/services/display-managers/sddm.nix b/nixos/modules/services/display-managers/sddm.nix index aaf1f0dcfc65d..a6bfa213fe380 100644 
--- a/nixos/modules/services/display-managers/sddm.nix +++ b/nixos/modules/services/display-managers/sddm.nix @@ -111,8 +111,8 @@ let let westonIni = (pkgs.formats.ini { }).generate "weston.ini" { libinput = { - enable-tap = xcfg.libinput.mouse.tapping; - left-handed = xcfg.libinput.mouse.leftHanded; + enable-tap = config.services.libinput.mouse.tapping; + left-handed = config.services.libinput.mouse.leftHanded; }; keyboard = { keymap_model = xcfg.xkb.model; diff --git a/nixos/modules/services/x11/hardware/libinput.nix b/nixos/modules/services/hardware/libinput.nix index 54ff7d85a0331..b8aa59035d338 100644 --- a/nixos/modules/services/x11/hardware/libinput.nix +++ b/nixos/modules/services/hardware/libinput.nix @@ -2,7 +2,7 @@ with lib; -let cfg = config.services.xserver.libinput; +let cfg = config.services.libinput; xorgBool = v: if v then "on" else "off"; @@ -223,7 +223,7 @@ let cfg = config.services.xserver.libinput; in { imports = - (map (option: mkRenamedOptionModule ([ "services" "xserver" "libinput" option ]) [ "services" "xserver" "libinput" "touchpad" option ]) [ + (map (option: mkRenamedOptionModule ([ "services" "xserver" "libinput" option ]) [ "services" "libinput" "touchpad" option ]) [ "accelProfile" "accelSpeed" "buttonMapping" @@ -242,11 +242,15 @@ in { "transformationMatrix" "disableWhileTyping" "additionalOptions" - ]); + ]) ++ [ + (mkRenamedOptionModule [ "services" "xserver" "libinput" "enable" ] [ "services" "libinput" "enable" ]) + (mkRenamedOptionModule [ "services" "xserver" "libinput" "mouse" ] [ "services" "libinput" "mouse" ]) + (mkRenamedOptionModule [ "services" "xserver" "libinput" "touchpad" ] [ "services" "libinput" "touchpad" ]) + ]; options = { - services.xserver.libinput = { + services.libinput = { enable = mkEnableOption "libinput" // { default = config.services.xserver.enable; defaultText = lib.literalExpression "config.services.xserver.enable"; 
diff --git a/nixos/modules/services/matrix/appservice-irc.nix b/nixos/modules/services/matrix/appservice-irc.nix index 90790169142aa..f4539a90f2e60 100644 --- a/nixos/modules/services/matrix/appservice-irc.nix +++ b/nixos/modules/services/matrix/appservice-irc.nix @@ -214,8 +214,9 @@ in { RestrictRealtime = true; PrivateMounts = true; SystemCallFilter = [ - "@system-service @pkey @chown" + "@system-service @pkey" "~@privileged @resources" + "@chown" ]; SystemCallArchitectures = "native"; # AF_UNIX is required to connect to a postgres socket. diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix index 1b86656c7d4c5..91d846abb36e6 100644 --- a/nixos/modules/services/security/oauth2_proxy_nginx.nix +++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix @@ -87,9 +87,9 @@ in "/oauth2/auth" = let maybeQueryArg = name: value: if value == null then null - else "${name}=${lib.concatStringsSep "," value}"; + else "${name}=${lib.concatStringsSep "," (builtins.map lib.escapeURL value)}"; allArgs = lib.mapAttrsToList maybeQueryArg conf; - cleanArgs = builtins.map lib.escapeURL (builtins.filter (x: x != null) allArgs); + cleanArgs = builtins.filter (x: x != null) allArgs; cleanArgsStr = lib.concatStringsSep "&" cleanArgs; in { # nginx doesn't support passing query string arguments to auth_request, diff --git a/nixos/modules/services/web-apps/akkoma.nix b/nixos/modules/services/web-apps/akkoma.nix index b180db2d4ca04..7c9bf6c465164 100644 --- a/nixos/modules/services/web-apps/akkoma.nix +++ b/nixos/modules/services/web-apps/akkoma.nix 
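Review bot: The move of `"@chown"` to its own entry after `"~@privileged @resources"` in `SystemCallFilter` deserves a comment, because to a reader the three entries look equivalent to the old two and the next tidy-up will fold them back. systemd applies filter entries in order and `@chown` is a member of `@privileged`, so listing it before the deny let the deny strip it again. A line such as `# @chown must come after "~@privileged": entries apply in order and @privileged contains @chown` above the list would pin the intent. The enclosing `serviceConfig` block starts and ends outside the hunk.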
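Review bot: `maybeQueryArg` now escapes each element of `value` but not `name` or the `,` separator, which is the right shape if the upstream endpoint expects a comma-separated list, but the old line escaped the whole `name=value` pair (including the `=`) and the new one is easy to misread as a regression; a comment such as `# escape each list element so a literal comma in a value survives; the name and the ',' separator are ours` would make the change self-explaining. `builtins.map lib.escapeURL value` also assumes every non-null value in `conf` is a list of strings — a plain string would make `map` throw — so the option type, which is outside the hunk, is worth confirming.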
@@ -957,7 +957,7 @@ in { assertions = optionals (cfg.config.":pleroma".":media_proxy".enabled && cfg.config.":pleroma".":media_proxy".base_url == null) ['' `services.akkoma.config.":pleroma".":media_proxy".base_url` must be set when the media proxy is enabled. '']; - warnings = optionals (with config.security; (!sudo.enable) && (!sudo-rs.enable)) ['' + warnings = optionals (with config.security; cfg.installWrapper && (!sudo.enable) && (!sudo-rs.enable)) ['' The pleroma_ctl wrapper enabled by the installWrapper option relies on sudo, which appears to have been disabled through security.sudo.enable. '']; diff --git a/nixos/modules/services/x11/desktop-managers/budgie.nix b/nixos/modules/services/x11/desktop-managers/budgie.nix index 75ee82f1f948a..b4e7390293351 100644 --- a/nixos/modules/services/x11/desktop-managers/budgie.nix +++ b/nixos/modules/services/x11/desktop-managers/budgie.nix @@ -214,7 +214,7 @@ in { services.geoclue2.enable = mkDefault true; # for BCC's Privacy > Location Services panel. services.upower.enable = config.powerManagement.enable; # for Budgie's Status Indicator and BCC's Power panel. - services.xserver.libinput.enable = mkDefault true; # for BCC's Mouse panel. + services.libinput.enable = mkDefault true; # for BCC's Mouse panel. services.colord.enable = mkDefault true; # for BCC's Color panel. services.gnome.at-spi2-core.enable = mkDefault true; # for BCC's A11y panel. services.accounts-daemon.enable = mkDefault true; # for BCC's Users panel. diff --git a/nixos/modules/services/x11/desktop-managers/cinnamon.nix b/nixos/modules/services/x11/desktop-managers/cinnamon.nix index 774fdd4636aac..2e0eef67c0b3e 100644 --- a/nixos/modules/services/x11/desktop-managers/cinnamon.nix +++ b/nixos/modules/services/x11/desktop-managers/cinnamon.nix 
@@ -116,7 +116,7 @@ in services.touchegg.enable = mkDefault true; services.udisks2.enable = true; services.upower.enable = mkDefault config.powerManagement.enable; - services.xserver.libinput.enable = mkDefault true; + services.libinput.enable = mkDefault true; services.xserver.updateDbusEnvironment = true; networking.networkmanager.enable = mkDefault true; diff --git a/nixos/modules/services/x11/desktop-managers/deepin.nix b/nixos/modules/services/x11/desktop-managers/deepin.nix index 680ce7b9a93e6..30bd14adb4192 100644 --- a/nixos/modules/services/x11/desktop-managers/deepin.nix +++ b/nixos/modules/services/x11/desktop-managers/deepin.nix @@ -61,7 +61,7 @@ in services.gnome.gnome-keyring.enable = mkDefault true; services.bamf.enable = mkDefault true; - services.xserver.libinput.enable = mkDefault true; + services.libinput.enable = mkDefault true; services.udisks2.enable = true; services.upower.enable = mkDefault config.powerManagement.enable; networking.networkmanager.enable = mkDefault true; diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 09f90e1cd4df8..0a341ba133d39 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -96,7 +96,7 @@ in services.udisks2.enable = true; services.upower.enable = config.powerManagement.enable; - services.xserver.libinput.enable = mkDefault true; + services.libinput.enable = mkDefault true; services.dbus.packages = [ e.efl ]; diff --git a/nixos/modules/services/x11/desktop-managers/gnome.nix b/nixos/modules/services/x11/desktop-managers/gnome.nix index 64d4ff983e983..42cb57ef5a415 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome.nix 
@@ -339,7 +339,7 @@ in # services.packagekit.enable = mkDefault true; services.udisks2.enable = true; services.upower.enable = config.powerManagement.enable; - services.xserver.libinput.enable = mkDefault true; # for controlling touchpad settings via gnome control center + services.libinput.enable = mkDefault true; # for controlling touchpad settings via gnome control center # Explicitly enabled since GNOME will be severely broken without these. xdg.mime.enable = true; diff --git a/nixos/modules/services/x11/desktop-managers/lxqt.nix b/nixos/modules/services/x11/desktop-managers/lxqt.nix index 1937bdcbd3e73..ac86c385bcc8d 100644 --- a/nixos/modules/services/x11/desktop-managers/lxqt.nix +++ b/nixos/modules/services/x11/desktop-managers/lxqt.nix @@ -69,7 +69,7 @@ in services.upower.enable = config.powerManagement.enable; - services.xserver.libinput.enable = mkDefault true; + services.libinput.enable = mkDefault true; xdg.portal.lxqt.enable = mkDefault true; diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix index 520d40d67908c..beae07b70dbfe 100644 --- a/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixos/modules/services/x11/desktop-managers/mate.nix @@ -88,7 +88,7 @@ in services.udev.packages = [ pkgs.mate.mate-settings-daemon ]; services.gvfs.enable = true; services.upower.enable = config.powerManagement.enable; - services.xserver.libinput.enable = mkDefault true; + services.libinput.enable = mkDefault true; security.pam.services.mate-screensaver.unixAuth = true; diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix index 57ccbaccb0c68..008bc65eb6a4f 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix 
@@ -159,7 +159,7 @@ in services.gsignond.plugins = with pkgs.gsignondPlugins; [ lastfm mail oauth ]; services.udisks2.enable = true; services.upower.enable = config.powerManagement.enable; - services.xserver.libinput.enable = mkDefault true; + services.libinput.enable = mkDefault true; services.xserver.updateDbusEnvironment = true; services.zeitgeist.enable = mkDefault true; services.geoclue2.enable = mkDefault true; diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index 56fcd70dc9516..7d80b9b2641c3 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -348,7 +348,7 @@ in services.system-config-printer.enable = mkIf config.services.printing.enable (mkDefault true); services.udisks2.enable = true; services.upower.enable = config.powerManagement.enable; - services.xserver.libinput.enable = mkDefault true; + services.libinput.enable = mkDefault true; # Extra UDEV rules used by Solid services.udev.packages = [ diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index c55d0021b6a7c..85d0d199de3f2 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -164,7 +164,7 @@ in services.gvfs.enable = true; services.tumbler.enable = true; services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); - services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager + services.libinput.enable = mkDefault true; # used in xfce4-settings-manager # Enable default programs programs.dconf.enable = true; diff --git a/nixos/modules/services/x11/hardware/cmt.nix b/nixos/modules/services/x11/hardware/cmt.nix index 55d3d840ee092..53906c5c716f4 100644 --- a/nixos/modules/services/x11/hardware/cmt.nix 
+++ b/nixos/modules/services/x11/hardware/cmt.nix @@ -46,10 +46,10 @@ in { assertions = [ { - assertion = !config.services.xserver.libinput.enable; + assertion = !config.services.libinput.enable; message = '' cmt and libinput are incompatible, meaning you cannot enable them both. - To use cmt you need to disable libinput with `services.xserver.libinput.enable = false` + To use cmt you need to disable libinput with `services.libinput.enable = false` If you haven't enabled it in configuration.nix, it's enabled by default on a different xserver module. ''; diff --git a/nixos/modules/services/x11/hardware/synaptics.nix b/nixos/modules/services/x11/hardware/synaptics.nix index 4dfa917d8fb4a..c43fdac6b1ec6 100644 --- a/nixos/modules/services/x11/hardware/synaptics.nix +++ b/nixos/modules/services/x11/hardware/synaptics.nix @@ -30,7 +30,7 @@ in { enable = mkOption { type = types.bool; default = false; - description = "Whether to enable touchpad support. Deprecated: Consider services.xserver.libinput.enable."; + description = "Whether to enable touchpad support. Deprecated: Consider services.libinput.enable."; }; dev = mkOption { @@ -207,8 +207,8 @@ in { assertions = [ { - assertion = !config.services.xserver.libinput.enable; - message = "Synaptics and libinput are incompatible, you cannot enable both (in services.xserver)."; + assertion = !config.services.libinput.enable; + message = "Synaptics and libinput are incompatible, you cannot enable both."; } ]; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index d27e6b8a2b137..2c9d1aa568bf2 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix 
@@ -399,6 +399,7 @@ in { honk = runTest ./honk.nix; installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {}); invidious = handleTest ./invidious.nix {}; + isolate = handleTest ./isolate.nix {}; livebook-service = handleTest ./livebook-service.nix {}; pyload = handleTest ./pyload.nix {}; oci-containers = handleTestOn ["aarch64-linux" "x86_64-linux"] ./oci-containers.nix {}; @@ -772,6 +773,7 @@ in { qgis = handleTest ./qgis.nix { qgisPackage = pkgs.qgis; }; qgis-ltr = handleTest ./qgis.nix { qgisPackage = pkgs.qgis-ltr; }; qownnotes = handleTest ./qownnotes.nix {}; + qtile = handleTest ./qtile.nix {}; quake3 = handleTest ./quake3.nix {}; quicktun = handleTest ./quicktun.nix {}; quorum = handleTest ./quorum.nix {}; diff --git a/nixos/tests/gvisor.nix b/nixos/tests/gvisor.nix index 7f130b709fc9d..5c9447b07118d 100644 --- a/nixos/tests/gvisor.nix +++ b/nixos/tests/gvisor.nix @@ -3,7 +3,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { name = "gvisor"; meta = with pkgs.lib.maintainers; { - maintainers = [ andrew-d ]; + maintainers = [ ]; }; nodes = { diff --git a/nixos/tests/isolate.nix b/nixos/tests/isolate.nix new file mode 100644 index 0000000000000..327231be1cd4a --- /dev/null +++ b/nixos/tests/isolate.nix 
@@ -0,0 +1,38 @@ +import ./make-test-python.nix ({ lib, ... }: +{ + name = "isolate"; + meta.maintainers = with lib.maintainers; [ virchau13 ]; + + nodes.machine = + { ... }: + { + security.isolate = { + enable = true; + }; + }; + + testScript = '' + bash_path = machine.succeed('realpath $(which bash)').strip() + sleep_path = machine.succeed('realpath $(which sleep)').strip() + def sleep_test(walltime, sleeptime): + return f'isolate --no-default-dirs --wall-time {walltime} ' + \ + f'--dir=/box={box_path} --dir=/nix=/nix --run -- ' + \ + f"{bash_path} -c 'exec -a sleep {sleep_path} {sleeptime}'" + + def sleep_test_cg(walltime, sleeptime): + return f'isolate --cg --no-default-dirs --wall-time {walltime} ' + \ + f'--dir=/box={box_path} --dir=/nix=/nix --processes=2 --run -- ' + \ + f"{bash_path} -c '( exec -a sleep {sleep_path} {sleeptime} )'" + + with subtest("without cgroups"): + box_path = machine.succeed('isolate --init').strip() + machine.succeed(sleep_test(1, 0.5)) + machine.fail(sleep_test(0.5, 1)) + machine.succeed('isolate --cleanup') + with subtest("with cgroups"): + box_path = machine.succeed('isolate --cg --init').strip() + machine.succeed(sleep_test_cg(1, 0.5)) + machine.fail(sleep_test_cg(0.5, 1)) + machine.succeed('isolate --cg --cleanup') + ''; +}) diff --git a/nixos/tests/libinput.nix b/nixos/tests/libinput.nix index 9b6fa159b999c..b002492b16657 100644 --- a/nixos/tests/libinput.nix +++ b/nixos/tests/libinput.nix @@ -12,7 +12,7 @@ import ./make-test-python.nix ({ ... }: test-support.displayManager.auto.user = "alice"; - services.xserver.libinput = { + services.libinput = { enable = true; mouse = { naturalScrolling = true; diff --git a/nixos/tests/nginx-sso.nix b/nixos/tests/nginx-sso.nix index 221c5f4ed9058..2bb9c7a1c3bb7 100644 --- a/nixos/tests/nginx-sso.nix +++ b/nixos/tests/nginx-sso.nix 
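Review bot: The timing margins in `testScript` are tight: `sleep_test(1, 0.5)` must spawn bash and the sleep within 0.5 s of slack, and `sleep_test(0.5, 1)` must be killed before a 1 s sleep completes, so a slow CI runner can flip either outcome and make the test flaky. Widening the gap — a wall time of 5 against a 1 s sleep for the success case and 1 against 5 for the failure case — keeps the same coverage with far less sensitivity. The test also only exercises wall-time limits; a check that a path outside the `--dir` mounts is not visible from inside the box would cover the isolation property the module advertises. `box_path` is read by the helpers as a module-level global that is only assigned later inside the `subtest` blocks, which works here but merits a comment.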
@@ -1,7 +1,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { name = "nginx-sso"; meta = { - maintainers = with pkgs.lib.maintainers; [ delroth ]; + maintainers = with pkgs.lib.maintainers; [ ambroisie ]; }; nodes.machine = { diff --git a/nixos/tests/qtile.nix b/nixos/tests/qtile.nix new file mode 100644 index 0000000000000..b4d8f9d421144 --- /dev/null +++ b/nixos/tests/qtile.nix @@ -0,0 +1,34 @@ +import ./make-test-python.nix ({ lib, ...} : { + name = "qtile"; + + meta = { + maintainers = with lib.maintainers; [ sigmanificient ]; + }; + + nodes.machine = { pkgs, lib, ... }: { + imports = [ ./common/x11.nix ./common/user-account.nix ]; + test-support.displayManager.auto.user = "alice"; + + services.xserver.windowManager.qtile.enable = true; + services.displayManager.defaultSession = lib.mkForce "none+qtile"; + + environment.systemPackages = [ pkgs.kitty ]; + }; + + testScript = '' + with subtest("ensure x starts"): + machine.wait_for_x() + machine.wait_for_file("/home/alice/.Xauthority") + machine.succeed("xauth merge ~alice/.Xauthority") + + with subtest("ensure client is available"): + machine.succeed("qtile --version") + + with subtest("ensure we can open a new terminal"): + machine.sleep(2) + machine.send_key("meta_l-ret") + machine.wait_for_window(r"alice.*?machine") + machine.sleep(2) + machine.screenshot("terminal") + ''; +}) diff --git a/nixos/tests/syncthing-relay.nix b/nixos/tests/syncthing-relay.nix index 3d70b1eda7b2a..cab9bcafe9d5c 100644 --- a/nixos/tests/syncthing-relay.nix +++ b/nixos/tests/syncthing-relay.nix @@ -1,6 +1,6 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { name = "syncthing-relay"; - meta.maintainers = with pkgs.lib.maintainers; [ delroth ]; + meta.maintainers = with pkgs.lib.maintainers; [ ]; nodes.machine = { environment.systemPackages = [ pkgs.jq ]; |