author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2023-01-11 03:51:33 +0100 |
committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2023-01-11 03:51:33 +0100 |
commit | c1e6c6af692c2cf07b4982c0f573acc9f16b78fc (patch) | |
tree | c436a224f5f71c2a2d91926240b76ceab78d77b9 /nixos | |
parent | 33aa224777a5077ff1dfa4c8f4653d8aab268d76 (diff) | |
parent | b0644b461f97d4f7240b089074084c18f521f497 (diff) |
Merge remote-tracking branch 'origin/master' into staging-next
Diffstat (limited to 'nixos')
22 files changed, 659 insertions, 131 deletions
diff --git a/nixos/doc/manual/configuration/x-windows.chapter.md b/nixos/doc/manual/configuration/x-windows.chapter.md index f92403ed1c4c4..be185cf4c314d 100644 --- a/nixos/doc/manual/configuration/x-windows.chapter.md +++ b/nixos/doc/manual/configuration/x-windows.chapter.md @@ -199,9 +199,9 @@ GTK themes can be installed either to user profile or system-wide (via GTK ones, you can use the following configuration: ```nix -qt5.enable = true; -qt5.platformTheme = "gtk2"; -qt5.style = "gtk2"; +qt.enable = true; +qt.platformTheme = "gtk2"; +qt.style = "gtk2"; ``` ## Custom XKB layouts {#custom-xkb-layouts .unnumbered} diff --git a/nixos/doc/manual/from_md/configuration/x-windows.chapter.xml b/nixos/doc/manual/from_md/configuration/x-windows.chapter.xml index c5a8b9bae84d2..319d3e9801881 100644 --- a/nixos/doc/manual/from_md/configuration/x-windows.chapter.xml +++ b/nixos/doc/manual/from_md/configuration/x-windows.chapter.xml @@ -223,9 +223,9 @@ services.xserver.libinput.touchpad.tapping = false; configuration: </para> <programlisting language="nix"> -qt5.enable = true; -qt5.platformTheme = "gtk2"; -qt5.style = "gtk2"; +qt.enable = true; +qt.platformTheme = "gtk2"; +qt.style = "gtk2"; </programlisting> </section> <section xml:id="custom-xkb-layouts"> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml index 68132f5b1c3c9..dfba0d1c79786 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml 
@@ -62,6 +62,14 @@ </listitem> <listitem> <para> + <link xlink:href="https://github.com/StevenBlack/hosts">stevenblack-blocklist</link>, + A unified hosts file with base extensions for blocking + unwanted websites. Available as + <link xlink:href="options.html#opt-networking.stevenblack.enable">networking.stevenblack</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://github.com/ellie/atuin">atuin</link>, a sync server for shell history. Available as <link linkend="opt-services.atuin.enable">services.atuin</link>. diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index 1ca8e45918a60..d17268fd9e98d 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -24,6 +24,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [fzf](https://github.com/junegunn/fzf), a command line fuzzyfinder. Available as [programs.fzf](#opt-programs.fzf.fuzzyCompletion). +- [stevenblack-blocklist](https://github.com/StevenBlack/hosts), A unified hosts file with base extensions for blocking unwanted websites. Available as [networking.stevenblack](options.html#opt-networking.stevenblack.enable). + - [atuin](https://github.com/ellie/atuin), a sync server for shell history. Available as [services.atuin](#opt-services.atuin.enable). - [mmsd](https://gitlab.com/kop316/mmsd), a lower level daemon that transmits and recieves MMSes. Available as [services.mmsd](#opt-services.mmsd.enable). diff --git a/nixos/modules/config/qt5.nix b/nixos/modules/config/qt.nix index cb3180d7b96a5..35defb8fbd990 100644 --- a/nixos/modules/config/qt5.nix +++ b/nixos/modules/config/qt.nix 
@@ -4,7 +4,7 @@ with lib; let - cfg = config.qt5; + cfg = config.qt; isQGnome = cfg.platformTheme == "gnome" && builtins.elem cfg.style ["adwaita" "adwaita-dark"]; isQtStyle = cfg.platformTheme == "gtk2" && !(builtins.elem cfg.style ["adwaita" "adwaita-dark"]); @@ -12,22 +12,34 @@ let isLxqt = cfg.platformTheme == "lxqt"; isKde = cfg.platformTheme == "kde"; - packages = if isQGnome then [ pkgs.qgnomeplatform pkgs.adwaita-qt ] + packages = + if isQGnome then [ + pkgs.qgnomeplatform + pkgs.adwaita-qt + pkgs.qgnomeplatform-qt6 + pkgs.adwaita-qt6 + ] else if isQtStyle then [ pkgs.libsForQt5.qtstyleplugins ] else if isQt5ct then [ pkgs.libsForQt5.qt5ct ] else if isLxqt then [ pkgs.lxqt.lxqt-qtplugin pkgs.lxqt.lxqt-config ] else if isKde then [ pkgs.libsForQt5.plasma-integration pkgs.libsForQt5.systemsettings ] - else throw "`qt5.platformTheme` ${cfg.platformTheme} and `qt5.style` ${cfg.style} are not compatible."; + else throw "`qt.platformTheme` ${cfg.platformTheme} and `qt.style` ${cfg.style} are not compatible."; in { meta.maintainers = [ maintainers.romildo ]; + imports = [ + (mkRenamedOptionModule ["qt5" "enable" ] ["qt" "enable" ]) + (mkRenamedOptionModule ["qt5" "platformTheme" ] ["qt" "platformTheme" ]) + (mkRenamedOptionModule ["qt5" "style" ] ["qt" "style" ]) + ]; + options = { - qt5 = { + qt = { - enable = mkEnableOption (lib.mdDoc "Qt5 theming configuration"); + enable = mkEnableOption (lib.mdDoc "Qt theming configuration"); platformTheme = mkOption { type = types.enum [ @@ -40,13 +52,14 @@ in example = "gnome"; relatedPackages = [ "qgnomeplatform" + "qgnomeplatform-qt6" ["libsForQt5" "qtstyleplugins"] ["libsForQt5" "qt5ct"] ["lxqt" "lxqt-qtplugin"] ["libsForQt5" "plasma-integration"] ]; description = lib.mdDoc '' - Selects the platform theme to use for Qt5 applications. + Selects the platform theme to use for Qt applications. The options are - `gtk`: Use GTK theme with [qtstyleplugins](https://github.com/qt/qtstyleplugins) 
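Review bot: The option descriptions rewritten in the `@@ -12,22 +12,34 @@` and `@@ -40,13 +52,14 @@` hunks now say "Qt applications", but only the `isQGnome` branch of `packages` gained Qt6 plugins (`pkgs.qgnomeplatform-qt6`, `pkgs.adwaita-qt6`); the `gtk2`, `qt5ct`, `lxqt` and `kde` branches still install only `libsForQt5`/lxqt Qt5 plugins. A user selecting one of those platform themes will reasonably expect Qt6 applications to be themed as well. A caveat in the `platformTheme` description would prevent that, e.g. `Only the gnome platform theme currently ships Qt6 plugins; the other values apply to Qt5 applications only.` The `let` block and the `options.qt` attribute set both continue outside these hunks.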
@@ -71,10 +84,11 @@ in example = "adwaita"; relatedPackages = [ "adwaita-qt" + "adwaita-qt6" ["libsForQt5" "qtstyleplugins"] ]; description = lib.mdDoc '' - Selects the style to use for Qt5 applications. + Selects the style to use for Qt applications. The options are - `adwaita`, `adwaita-dark`: Use Adwaita Qt style with diff --git a/nixos/modules/config/stevenblack.nix b/nixos/modules/config/stevenblack.nix new file mode 100644 index 0000000000000..ec6868484942b --- /dev/null +++ b/nixos/modules/config/stevenblack.nix @@ -0,0 +1,34 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) optionals mkOption mkEnableOption types mkIf elem concatStringsSep maintainers mdDoc; + cfg = config.networking.stevenblack; + + # needs to be in a specific order + activatedHosts = with cfg; [ ] + ++ optionals (elem "fakenews" block) [ "fakenews" ] + ++ optionals (elem "gambling" block) [ "gambling" ] + ++ optionals (elem "porn" block) [ "porn" ] + ++ optionals (elem "social" block) [ "social" ]; + + hostsPath = "${pkgs.stevenblack-blocklist}/alternates/" + concatStringsSep "-" activatedHosts + "/hosts"; +in +{ + options.networking.stevenblack = { + enable = mkEnableOption (mdDoc "Enable the stevenblack hosts file blocklist."); + + block = mkOption { + type = types.listOf (types.enum [ "fakenews" "gambling" "porn" "social" ]); + default = [ ]; + description = mdDoc "Additional blocklist extensions."; + }; + }; + + config = mkIf cfg.enable { + networking.hostFiles = [ ] + ++ optionals (activatedHosts != [ ]) [ hostsPath ] + ++ optionals (activatedHosts == [ ]) [ "${pkgs.stevenblack-blocklist}/hosts" ]; + }; + + meta.maintainers = [ maintainers.fortuneteller2k maintainers.artturin ]; +} diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix index d015e10c11d81..12feb2d96eccb 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix 
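Review bot: `enable = mkEnableOption (mdDoc "Enable the stevenblack hosts file blocklist.")` in the new stevenblack.nix renders as "Whether to enable Enable the stevenblack hosts file blocklist.", because `mkEnableOption` already prefixes "Whether to enable"; pass only the noun phrase, `enable = mkEnableOption (mdDoc "the stevenblack hosts file blocklist");`. The `# needs to be in a specific order` comment above `activatedHosts` would help a maintainer more if it said why: the order is what `concatStringsSep "-"` turns into the directory name under `alternates/`, so it has to match the directory layout shipped by `pkgs.stevenblack-blocklist`. The `block` option description could also mention that the list comes from the pinned package in the Nix store, so blocklist updates arrive only through nixpkgs upgrades and never at runtime.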
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix @@ -31,7 +31,7 @@ }; # Theme calamares with GNOME theme - qt5 = { + qt = { enable = true; platformTheme = "gnome"; }; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index dbebca815bec2..f0ee3fc939721 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -20,9 +20,10 @@ ./config/nsswitch.nix ./config/power-management.nix ./config/pulseaudio.nix - ./config/qt5.nix + ./config/qt.nix ./config/resolvconf.nix ./config/shells-environment.nix + ./config/stevenblack.nix ./config/swap.nix ./config/sysctl.nix ./config/system-environment.nix @@ -1141,6 +1142,7 @@ ./services/web-apps/isso.nix ./services/web-apps/jirafeau.nix ./services/web-apps/jitsi-meet.nix + ./services/web-apps/kasmweb/default.nix ./services/web-apps/keycloak.nix ./services/web-apps/komga.nix ./services/web-apps/lemmy.nix diff --git a/nixos/modules/programs/steam.nix b/nixos/modules/programs/steam.nix index 1b69aac98863b..98269f6250dbf 100644 --- a/nixos/modules/programs/steam.nix +++ b/nixos/modules/programs/steam.nix @@ -12,14 +12,14 @@ in { type = types.package; default = pkgs.steam.override { extraLibraries = pkgs: with config.hardware.opengl; - if pkgs.hostPlatform.is64bit + if pkgs.stdenv.hostPlatform.is64bit then [ package ] ++ extraPackages else [ package32 ] ++ extraPackages32; }; defaultText = literalExpression '' pkgs.steam.override { extraLibraries = pkgs: with config.hardware.opengl; - if pkgs.hostPlatform.is64bit + if pkgs.stdenv.hostPlatform.is64bit then [ package ] ++ extraPackages else [ package32 ] ++ extraPackages32; } diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 1d115108c30fb..f37d197f1621d 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix 
@@ -819,10 +819,10 @@ in system-features = mkDefault ( [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ - optionals (pkgs.hostPlatform ? gcc.arch) ( + optionals (pkgs.stdenv.hostPlatform ? gcc.arch) ( # a builder can run code for `gcc.arch` and inferior architectures - [ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++ - map (x: "gccarch-${x}") (systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch} or []) + [ "gccarch-${pkgs.stdenv.hostPlatform.gcc.arch}" ] ++ + map (x: "gccarch-${x}") (systems.architectures.inferiors.${pkgs.stdenv.hostPlatform.gcc.arch} or []) ) ); } diff --git a/nixos/modules/services/web-apps/changedetection-io.nix b/nixos/modules/services/web-apps/changedetection-io.nix index fc00aee435163..bbf4c2aed1861 100644 --- a/nixos/modules/services/web-apps/changedetection-io.nix +++ b/nixos/modules/services/web-apps/changedetection-io.nix @@ -214,7 +214,7 @@ in }; }) ]; - podman.defaultNetwork.dnsname.enable = true; + podman.defaultNetwork.settings.dns_enabled = true; }; }; } diff --git a/nixos/modules/services/web-apps/kasmweb/default.nix b/nixos/modules/services/web-apps/kasmweb/default.nix new file mode 100644 index 0000000000000..0d78025ecf0f3 --- /dev/null +++ b/nixos/modules/services/web-apps/kasmweb/default.nix 
@@ -0,0 +1,275 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.kasmweb; +in +{ + options.services.kasmweb = { + enable = lib.mkEnableOption (lib.mdDoc "kasmweb"); + + networkSubnet = lib.mkOption { + default = "172.20.0.0/16"; + type = lib.types.str; + description = lib.mdDoc '' + The network subnet to use for the containers. + ''; + }; + + postgres = { + user = lib.mkOption { + default = "kasmweb"; + type = lib.types.str; + description = lib.mdDoc '' + Username to use for the postgres database. + ''; + }; + password = lib.mkOption { + default = "kasmweb"; + type = lib.types.str; + description = lib.mdDoc '' + password to use for the postgres database. + ''; + }; + }; + + redisPassword = lib.mkOption { + default = "kasmweb"; + type = lib.types.str; + description = lib.mdDoc '' + password to use for the redis cache. + ''; + }; + + defaultAdminPassword = lib.mkOption { + default = "kasmweb"; + type = lib.types.str; + description = lib.mdDoc '' + default admin password to use. + ''; + }; + + defaultUserPassword = lib.mkOption { + default = "kasmweb"; + type = lib.types.str; + description = lib.mdDoc '' + default user password to use. + ''; + }; + + defaultManagerToken = lib.mkOption { + default = "kasmweb"; + type = lib.types.str; + description = lib.mdDoc '' + default manager token to use. + ''; + }; + + defaultGuacToken = lib.mkOption { + default = "kasmweb"; + type = lib.types.str; + description = lib.mdDoc '' + default guac token to use. + ''; + }; + + defaultRegistrationToken = lib.mkOption { + default = "kasmweb"; + type = lib.types.str; + description = lib.mdDoc '' + default registration token to use. + ''; + }; + + datastorePath = lib.mkOption { + type = lib.types.str; + default = "/var/lib/kasmweb"; + description = lib.mdDoc '' + The directory used to store all data for kasmweb. + ''; + }; + + listenAddress = lib.mkOption { + type = lib.types.str; + default = "0.0.0.0"; + description = lib.mdDoc '' + The address on which kasmweb should listen. 
+ ''; + }; + + listenPort = lib.mkOption { + type = lib.types.int; + default = 443; + description = lib.mdDoc '' + The port on which kasmweb should listen. + ''; + }; + + sslCertificate = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = lib.mdDoc '' + The SSL certificate to be used for kasmweb. + ''; + }; + + sslCertificateKey = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = lib.mdDoc '' + The SSL certificate's key to be used for kasmweb. Make sure to specify + this as a string and not a literal path, so that it is not accidentally + included in your nixstore. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + + systemd.services = { + "init-kasmweb" = { + wantedBy = [ + "docker-kasm_db.service" + ]; + before = [ + "docker-kasm_db.service" + "docker-kasm_redis.service" + "docker-kasm_db_init.service" + "docker-kasm_api.service" + "docker-kasm_agent.service" + "docker-kasm_manager.service" + "docker-kasm_share.service" + "docker-kasm_guac.service" + "docker-kasm_proxy.service" + ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = pkgs.substituteAll { + src = ./initialize_kasmweb.sh; + isExecutable = true; + binPath = lib.makeBinPath [ pkgs.docker pkgs.openssl pkgs.gnused ]; + runtimeShell = pkgs.runtimeShell; + kasmweb = pkgs.kasmweb; + postgresUser = cfg.postgres.user; + postgresPassword = cfg.postgres.password; + inherit (cfg) + datastorePath + sslCertificate + sslCertificateKey + redisPassword + defaultUserPassword + defaultAdminPassword + defaultManagerToken + defaultRegistrationToken + defaultGuacToken; + }; + }; + }; + }; + + virtualisation = { + oci-containers.containers = { + kasm_db = { + image = "postgres:12-alpine"; + environment = { + POSTGRES_PASSWORD = cfg.postgres.password; + POSTGRES_USER = cfg.postgres.user; + POSTGRES_DB = "kasm"; + }; + volumes = [ + "${cfg.datastorePath}/conf/database/data.sql:/docker-entrypoint-initdb.d/data.sql" + 
"${cfg.datastorePath}/conf/database/:/tmp/" + "kasmweb_db:/var/lib/postgresql/data" + ]; + extraOptions = [ "--network=kasm_default_network" ]; + }; + kasm_db_init = { + image = "kasmweb/api:${pkgs.kasmweb.version}"; + user = "root:root"; + volumes = [ + "${cfg.datastorePath}/:/opt/kasm/current/" + "kasmweb_api_data:/tmp" + ]; + dependsOn = [ "kasm_db" ]; + entrypoint = "/bin/bash"; + cmd = [ "/opt/kasm/current/init_seeds.sh" ]; + extraOptions = [ "--network=kasm_default_network" "--userns=host" ]; + }; + kasm_redis = { + image = "redis:5-alpine"; + entrypoint = "/bin/sh"; + cmd = [ + "-c" + "redis-server --requirepass ${cfg.redisPassword}" + ]; + extraOptions = [ "--network=kasm_default_network" "--userns=host" ]; + }; + kasm_api = { + image = "kasmweb/api:${pkgs.kasmweb.version}"; + user = "root:root"; + volumes = [ + "${cfg.datastorePath}/:/opt/kasm/current/" + "kasmweb_api_data:/tmp" + ]; + dependsOn = [ "kasm_db_init" ]; + extraOptions = [ "--network=kasm_default_network" "--userns=host" ]; + }; + kasm_manager = { + image = "kasmweb/manager:${pkgs.kasmweb.version}"; + user = "root:root"; + volumes = [ + "${cfg.datastorePath}/:/opt/kasm/current/" + ]; + dependsOn = [ "kasm_db" "kasm_api" ]; + extraOptions = [ "--network=kasm_default_network" "--userns=host" "--read-only"]; + }; + kasm_agent = { + image = "kasmweb/agent:${pkgs.kasmweb.version}"; + user = "root:root"; + volumes = [ + "${cfg.datastorePath}/:/opt/kasm/current/" + "/var/run/docker.sock:/var/run/docker.sock" + "${pkgs.docker}/bin/docker:/usr/bin/docker" + "${cfg.datastorePath}/conf/nginx:/etc/nginx/conf.d" + ]; + dependsOn = [ "kasm_manager" ]; + extraOptions = [ "--network=kasm_default_network" "--userns=host" "--read-only" ]; + }; + kasm_share = { + image = "kasmweb/share:${pkgs.kasmweb.version}"; + user = "root:root"; + volumes = [ + "${cfg.datastorePath}/:/opt/kasm/current/" + ]; + dependsOn = [ "kasm_db" "kasm_redis" ]; + extraOptions = [ "--network=kasm_default_network" "--userns=host" 
"--read-only" ]; + }; + kasm_guac = { + image = "kasmweb/kasm-guac:${pkgs.kasmweb.version}"; + user = "root:root"; + volumes = [ + "${cfg.datastorePath}/:/opt/kasm/current/" + ]; + dependsOn = [ "kasm_db" "kasm_redis" ]; + extraOptions = [ "--network=kasm_default_network" "--userns=host" "--read-only" ]; + }; + kasm_proxy = { + image = "kasmweb/nginx:latest"; + ports = [ "${cfg.listenAddress}:${toString cfg.listenPort}:443" ]; + user = "root:root"; + volumes = [ + "${cfg.datastorePath}/conf/nginx:/etc/nginx/conf.d:ro" + "${cfg.datastorePath}/certs/kasm_nginx.key:/etc/ssl/private/kasm_nginx.key" + "${cfg.datastorePath}/certs/kasm_nginx.crt:/etc/ssl/certs/kasm_nginx.crt" + "${cfg.datastorePath}/www:/srv/www:ro" + "${cfg.datastorePath}/log/nginx:/var/log/external/nginx" + "${cfg.datastorePath}/log/logrotate:/var/log/external/logrotate" + ]; + dependsOn = [ "kasm_manager" "kasm_api" "kasm_agent" "kasm_share" + "kasm_guac" ]; + extraOptions = [ "--network=kasm_default_network" "--userns=host" + "--network-alias=proxy"]; + }; + }; + }; + }; +} diff --git a/nixos/modules/services/web-apps/kasmweb/initialize_kasmweb.sh b/nixos/modules/services/web-apps/kasmweb/initialize_kasmweb.sh new file mode 100644 index 0000000000000..dbf043b986931 --- /dev/null +++ b/nixos/modules/services/web-apps/kasmweb/initialize_kasmweb.sh 
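Review bot: Every secret in this module — `postgres.password`, `redisPassword`, `defaultAdminPassword`, `defaultUserPassword`, `defaultManagerToken`, `defaultGuacToken`, `defaultRegistrationToken` — is a `lib.types.str` defaulting to `"kasmweb"`, and `init-kasmweb` passes them all through `pkgs.substituteAll`, so whatever value is configured is written into the world-readable Nix store, and an unchanged default yields a publicly known admin password on a service that listens on `0.0.0.0:443` by default. `kasm_redis` additionally places `${cfg.redisPassword}` in the container `cmd`, where anyone who can inspect the container or its process list can read it. A safer shape is to drop the defaults so evaluation fails until the user sets them, and to offer `*File` variants read at service start instead of baked into the store — the `sslCertificateKey` description already warns about exactly this store-leak problem for the key. Separately, `kasm_proxy` uses `image = "kasmweb/nginx:latest";` while every other image is pinned to `${pkgs.kasmweb.version}`; an unpinned tag makes the deployment non-reproducible and should be pinned to a tag or digest. The `/var/run/docker.sock` bind mount in `kasm_agent` grants that container control over the host Docker daemon, which the option docs should state so operators can weigh it.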
@@ -0,0 +1,114 @@ +#! @runtimeShell@ +export PATH=@binPath@:$PATH + +mkdir -p @datastorePath@/log +chmod -R a+rw @datastorePath@ + +ln -sf @kasmweb@/bin @datastorePath@ +rm -r @datastorePath@/conf +cp -r @kasmweb@/conf @datastorePath@ +mkdir -p @datastorePath@/conf/nginx/containers.d +chmod -R a+rw @datastorePath@/conf +ln -sf @kasmweb@/www @datastorePath@ + + +docker network inspect kasm_default_network >/dev/null || docker network create kasm_default_network --subnet @networkSubnet@ +if docker volume inspect kasmweb_db >/dev/null; then + source @datastorePath@/ids.env + echo 'echo "skipping database init"' > @datastorePath@/init_seeds.sh + echo 'while true; do sleep 10 ; done' >> @datastorePath@/init_seeds.sh +else + API_SERVER_ID=$(cat /proc/sys/kernel/random/uuid) + MANAGER_ID=$(cat /proc/sys/kernel/random/uuid) + SHARE_ID=$(cat /proc/sys/kernel/random/uuid) + SERVER_ID=$(cat /proc/sys/kernel/random/uuid) + echo "export API_SERVER_ID=$API_SERVER_ID" > @datastorePath@/ids.env + echo "export MANAGER_ID=$MANAGER_ID" >> @datastorePath@/ids.env + echo "export SHARE_ID=$SHARE_ID" >> @datastorePath@/ids.env + echo "export SERVER_ID=$SERVER_ID" >> @datastorePath@/ids.env + + mkdir -p @datastorePath@/certs + openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout @datastorePath@/certs/kasm_nginx.key -out @datastorePath@/certs/kasm_nginx.crt -subj "/C=US/ST=VA/L=None/O=None/OU=DoFu/CN=$(hostname)/emailAddress=none@none.none" 2> /dev/null + + docker volume create kasmweb_db + rm @datastorePath@/.done_initing_data + cat >@datastorePath@/init_seeds.sh <<EOF +#!/bin/bash +if [ ! 
-e /opt/kasm/current/.done_initing_data ]; then + sleep 4 + /usr/bin/kasm_server.so --initialize-database --cfg \ + /opt/kasm/current/conf/app/api.app.config.yaml \ + --populate-production \ + --seed-file \ + /opt/kasm/current/conf/database/seed_data/default_properties.yaml \ + 2>&1 | grep -v UserWarning + /usr/bin/kasm_server.so --cfg \ + /opt/kasm/current/conf/app/api.app.config.yaml \ + --populate-production \ + --seed-file \ + /opt/kasm/current/conf/database/seed_data/default_agents.yaml \ + 2>&1 | grep -v UserWarning + /usr/bin/kasm_server.so --cfg \ + /opt/kasm/current/conf/app/api.app.config.yaml \ + --populate-production \ + --seed-file \ + /opt/kasm/current/conf/database/seed_data/default_connection_proxies.yaml \ + 2>&1 | grep -v UserWarning + /usr/bin/kasm_server.so --cfg \ + /opt/kasm/current/conf/app/api.app.config.yaml \ + --populate-production \ + --seed-file \ + /opt/kasm/current/conf/database/seed_data/default_images_amd64.yaml \ + 2>&1 | grep -v UserWarning + touch /opt/kasm/current/.done_initing_data + while true; do sleep 10 ; done +else + echo "skipping database init" + while true; do sleep 10 ; done +fi +EOF +fi + +chmod +x @datastorePath@/init_seeds.sh +chmod a+w @datastorePath@/init_seeds.sh + +if [ -e @sslCertificate@ ]; then + cp @sslCertificate@ @datastorePath@/certs/kasm_nginx.crt + cp @sslCertificateKey@ @datastorePath@/certs/kasm_nginx.key +fi + +sed -i -e "s/username.*/username: @postgresUser@/g" \ + -e "s/password.*/password: @postgresPassword@/g" \ + -e "s/host.*db/host: kasm_db/g" \ + -e "s/ssl: true/ssl: false/g" \ + -e "s/redisPassword.*/redisPassword: @redisPassword@/g" \ + -e "s/server_hostname.*/server_hostname: kasm_api/g" \ + -e "s/server_id.*/server_id: $API_SERVER_ID/g" \ + -e "s/manager_id.*/manager_id: $MANAGER_ID/g" \ + -e "s/share_id.*/share_id: $SHARE_ID/g" \ + @datastorePath@/conf/app/api.app.config.yaml + +sed -i -e "s/ token:.*/ token: \"@defaultManagerToken@\"/g" \ + -e "s/hostnames: \['proxy.*/hostnames: 
\['kasm_proxy'\]/g" \ + -e "s/server_id.*/server_id: $SERVER_ID/g" \ + @datastorePath@/conf/app/agent.app.config.yaml + + +sed -i -e "s/password: admin.*/password: \"@defaultAdminPassword@\"/g" \ + -e "s/password: user.*/password: \"@defaultUserPassword@\"/g" \ + -e "s/default-manager-token/@defaultManagerToken@/g" \ + -e "s/default-registration-token/@defaultRegistrationToken@/g" \ + -e "s/upstream_auth_address:.*/upstream_auth_address: 'proxy'/g" \ + @datastorePath@/conf/database/seed_data/default_properties.yaml + +sed -i -e "s/GUACTOKEN/@defaultGuacToken@/g" \ + -e "s/APIHOSTNAME/proxy/g" \ + @datastorePath@/conf/app/kasmguac.app.config.yaml + +sed -i -e "s/GUACTOKEN/@defaultGuacToken@/g" \ + -e "s/APIHOSTNAME/proxy/g" \ + @datastorePath@/conf/database/seed_data/default_connection_proxies.yaml + +sed -i "s/00000000-0000-0000-0000-000000000000/$SERVER_ID/g" \ + @datastorePath@/conf/database/seed_data/default_agents.yaml + diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix index b6e2309555f2f..cc30896c80bd0 100644 --- a/nixos/modules/services/web-apps/mastodon.nix +++ b/nixos/modules/services/web-apps/mastodon.nix @@ -95,7 +95,6 @@ let ) env)))); mastodonTootctl = pkgs.writeShellScriptBin "mastodon-tootctl" '' - #! ${pkgs.runtimeShell} set -a export RAILS_ROOT="${cfg.package}" source "${envFile}" diff --git a/nixos/modules/services/x11/desktop-managers/cinnamon.nix b/nixos/modules/services/x11/desktop-managers/cinnamon.nix index df1b6f731a4e4..a693f3e2379a1 100644 --- a/nixos/modules/services/x11/desktop-managers/cinnamon.nix +++ b/nixos/modules/services/x11/desktop-managers/cinnamon.nix 
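Review bot: `chmod -R a+rw @datastorePath@` near the top of the script runs on every start, so from the second run on it makes `certs/kasm_nginx.key` and the config files that the `sed` calls below fill with the postgres, redis and manager credentials readable and writable by every local user; `chmod a+w @datastorePath@/init_seeds.sh` further leaves world-writable a script that `kasm_db_init` runs as `root:root` with `--userns=host`, so an unprivileged local user could alter what that root container executes. Narrow both to the user/group the containers actually run as instead of `a+rw`/`a+w`. The `sed -e "s/password.*/password: @postgresPassword@/g"` family also breaks or silently mangles the YAML when a value contains `/` or `&`, since the secret is spliced into the regex unescaped. Finally, when `sslCertificate` is null it presumably substitutes to an empty string, making `if [ -e @sslCertificate@ ]` the one-argument test `[ -e ]`, which is true, so the `cp` lines run with a missing operand; `if [ -n "@sslCertificate@" ] && [ -e "@sslCertificate@" ]; then` guards against that, and a `set -euo pipefail` at the top would stop the script from carrying on past such failures.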
@@ -198,10 +198,10 @@ in programs.bash.vteIntegration = mkDefault true; programs.zsh.vteIntegration = mkDefault true; - # Harmonize Qt5 applications under Cinnamon - qt5.enable = true; - qt5.platformTheme = "gnome"; - qt5.style = "adwaita"; + # Harmonize Qt applications under Cinnamon + qt.enable = true; + qt.platformTheme = "gnome"; + qt.style = "adwaita"; # Default Fonts fonts.fonts = with pkgs; [ diff --git a/nixos/modules/services/x11/desktop-managers/gnome.nix b/nixos/modules/services/x11/desktop-managers/gnome.nix index 9c1978e362bc7..dadfb421d3a87 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome.nix @@ -352,8 +352,8 @@ in }) ]; - # Harmonize Qt5 application style and also make them use the portal for file chooser dialog. - qt5 = { + # Harmonize Qt application style and also make them use the portal for file chooser dialog. + qt = { enable = mkDefault true; platformTheme = mkDefault "gnome"; style = mkDefault "adwaita"; diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix index 5c0203224e139..f5cc2d8187da5 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -250,10 +250,10 @@ in programs.bash.vteIntegration = mkDefault true; programs.zsh.vteIntegration = mkDefault true; - # Harmonize Qt5 applications under Pantheon - qt5.enable = true; - qt5.platformTheme = "gnome"; - qt5.style = "adwaita"; + # Harmonize Qt applications under Pantheon + qt.enable = true; + qt.platformTheme = "gnome"; + qt.style = "adwaita"; # Default Fonts fonts.fonts = with pkgs; [ diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix index b13e50cb17d2d..272f1b95fe64a 100644 --- a/nixos/modules/system/boot/kernel.nix +++ b/nixos/modules/system/boot/kernel.nix 
@@ -73,8 +73,45 @@ in boot.kernelPatches = mkOption { type = types.listOf types.attrs; default = []; - example = literalExpression "[ pkgs.kernelPatches.ubuntu_fan_4_4 ]"; - description = lib.mdDoc "A list of additional patches to apply to the kernel."; + example = literalExpression '' + [ + { + name = "foo"; + patch = ./foo.patch; + structuredExtraConfig.FOO = lib.kernel.yes; + features.foo = true; + } + ] + ''; + description = lib.mdDoc '' + A list of additional patches to apply to the kernel. + + Every item should be an attribute set with the following attributes: + + ```nix + { + name = "foo"; # descriptive name, required + + patch = ./foo.patch; # path or derivation that contains the patch source + # (required, but can be null if only config changes + # are needed) + + structuredExtraConfig = { # attrset of extra configuration parameters + FOO = lib.kernel.yes; # (without the CONFIG_ prefix, optional) + }; # values should generally be lib.kernel.yes or lib.kernel.no + + features = { # attrset of extra "features" the kernel is considered to have + foo = true; # (may be checked by other NixOS modules, optional) + }; + + extraConfig = "CONFIG_FOO y"; # extra configuration options in string form + # (deprecated, use structuredExtraConfig instead, optional) + } + ``` + + There's a small set of existing kernel patches in Nixpkgs, available as `pkgs.kernelPatches`, + that follow this format and can be used directly. + ''; }; boot.kernel.randstructSeed = mkOption { diff --git a/nixos/modules/virtualisation/azure-agent-entropy.patch b/nixos/modules/virtualisation/azure-agent-entropy.patch deleted file mode 100644 index 2a7ad08a4afcd..0000000000000 --- a/nixos/modules/virtualisation/azure-agent-entropy.patch +++ /dev/null 
@@ -1,17 +0,0 @@ ---- a/waagent 2016-03-12 09:58:15.728088851 +0200 -+++ a/waagent 2016-03-12 09:58:43.572680025 +0200 -@@ -6173,10 +6173,10 @@ - Log("MAC address: " + ":".join(["%02X" % Ord(a) for a in mac])) - - # Consume Entropy in ACPI table provided by Hyper-V -- try: -- SetFileContents("/dev/random", GetFileContents("/sys/firmware/acpi/tables/OEM0")) -- except: -- pass -+ #try: -+ # SetFileContents("/dev/random", GetFileContents("/sys/firmware/acpi/tables/OEM0")) -+ #except: -+ # pass - - Log("Probing for Azure environment.") - self.Endpoint = self.DoDhcpWork() diff --git a/nixos/modules/virtualisation/azure-agent.nix b/nixos/modules/virtualisation/azure-agent.nix index abe6455a1a699..6e6021cf80fe3 100644 --- a/nixos/modules/virtualisation/azure-agent.nix +++ b/nixos/modules/virtualisation/azure-agent.nix 
@@ -1,51 +1,10 @@ { config, lib, pkgs, ... }: with lib; - let cfg = config.virtualisation.azure.agent; - waagent = with pkgs; stdenv.mkDerivation rec { - name = "waagent-2.0"; - src = pkgs.fetchFromGitHub { - owner = "Azure"; - repo = "WALinuxAgent"; - rev = "1b3a8407a95344d9d12a2a377f64140975f1e8e4"; - sha256 = "10byzvmpgrmr4d5mdn2kq04aapqb3sgr1admk13wjmy5cd6bwd2x"; - }; - - patches = [ ./azure-agent-entropy.patch ]; - - nativeBuildInputs = [ makeWrapper python pythonPackages.wrapPython ]; - runtimeDeps = [ findutils gnugrep gawk coreutils openssl openssh - nettools # for hostname - procps # for pidof - shadow # for useradd, usermod - util-linux # for (u)mount, fdisk, sfdisk, mkswap - parted - ]; - pythonPath = [ pythonPackages.pyasn1 ]; - - configurePhase = false; - buildPhase = false; - - installPhase = '' - substituteInPlace config/99-azure-product-uuid.rules \ - --replace /bin/chmod "${coreutils}/bin/chmod" - mkdir -p $out/lib/udev/rules.d - cp config/*.rules $out/lib/udev/rules.d - - mkdir -p $out/bin - cp waagent $out/bin/ - chmod +x $out/bin/waagent - - wrapProgram "$out/bin/waagent" \ - --prefix PYTHONPATH : $PYTHONPATH \ - --prefix PATH : "${makeBinPath runtimeDeps}" - ''; - }; - provisionedHook = pkgs.writeScript "provisioned-hook" '' #!${pkgs.runtimeShell} /run/current-system/systemd/bin/systemctl start provisioned.target 
@@ -74,14 +33,15 @@ in ###### implementation - config = mkIf cfg.enable { - assertions = [ { + config = lib.mkIf cfg.enable { + assertions = [{ assertion = pkgs.stdenv.hostPlatform.isx86; message = "Azure not currently supported on ${pkgs.stdenv.hostPlatform.system}"; - } { - assertion = config.networking.networkmanager.enable == false; - message = "Windows Azure Linux Agent is not compatible with NetworkManager"; - } ]; + } + { + assertion = config.networking.networkmanager.enable == false; + message = "Windows Azure Linux Agent is not compatible with NetworkManager"; + }]; boot.initrd.kernelModules = [ "ata_piix" ]; networking.firewall.allowedUDPPorts = [ 68 ]; @@ -89,13 +49,19 @@ in environment.etc."waagent.conf".text = '' # - # Windows Azure Linux Agent Configuration + # Microsoft Azure Linux Agent Configuration # - Role.StateConsumer=${provisionedHook} + # Enable extension handling. Do not disable this unless you do not need password reset, + # backup, monitoring, or any extension handling whatsoever. + Extensions.Enabled=y - # Enable instance creation - Provisioning.Enabled=y + # How often (in seconds) to poll for new goal states + Extensions.GoalStatePeriod=6 + + # Which provisioning agent to use. Supported values are "auto" (default), "waagent", + # "cloud-init", or "disabled". + Provisioning.Agent=disabled # Password authentication for root account will be unavailable. Provisioning.DeleteRootPassword=n 
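Review bot: The `@@ -89,13 +49,19 @@` hunk removes `Role.StateConsumer=${provisionedHook}`, yet `provisionedHook` (which starts `provisioned.target`) is still defined in the `let` block shown in the first hunk; if nothing else in the file references it, the binding is now dead and should go together with whatever `provisioned.target` plumbing depended on it, or a comment should explain how provisioning completion is signalled now that `Provisioning.Agent=disabled`. In the `@@ -74` hunk the assertion still reads `Windows Azure Linux Agent` while the config header in the following hunk was updated to `Microsoft Azure Linux Agent`; `message = "Microsoft Azure Linux Agent is not compatible with NetworkManager";` would keep the two consistent. Both hunks end before the enclosing `config` attribute set closes.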
@@ -103,18 +69,31 @@ in # Generate fresh host key pair. Provisioning.RegenerateSshHostKeyPair=n - # Supported values are "rsa", "dsa" and "ecdsa". + # Supported values are "rsa", "dsa", "ecdsa", "ed25519", and "auto". + # The "auto" option is supported on OpenSSH 5.9 (2011) and later. Provisioning.SshHostKeyPairType=ed25519 # Monitor host name changes and publish changes via DHCP requests. Provisioning.MonitorHostName=y + # How often (in seconds) to monitor host name changes. + Provisioning.MonitorHostNamePeriod=30 + # Decode CustomData from Base64. Provisioning.DecodeCustomData=n # Execute CustomData after provisioning. Provisioning.ExecuteCustomData=n + # Algorithm used by crypt when generating password hash. + #Provisioning.PasswordCryptId=6 + + # Length of random salt used when generating password hash. + #Provisioning.PasswordCryptSaltLength=10 + + # Allow reset password of sys user + Provisioning.AllowResetSysUser=n + # Format if unformatted. If 'n', resource disk will not be mounted. ResourceDisk.Format=${if cfg.mountResourceDisk then "y" else "n"} 
@@ -125,22 +104,103 @@ in # Mount point for the resource disk ResourceDisk.MountPoint=/mnt/resource - # Respond to load balancer probes if requested by Windows Azure. - LBProbeResponder=y + # Create and use swapfile on resource disk. + ResourceDisk.EnableSwap=n + + # Size of the swapfile. + ResourceDisk.SwapSizeMB=0 - # Enable logging to serial console (y|n) - # When stdout is not enough... - # 'y' if not set - Logs.Console=y + # Comma-separated list of mount options. See mount(8) for valid options. + ResourceDisk.MountOptions=None # Enable verbose logging (y|n) Logs.Verbose=${if cfg.verboseLogging then "y" else "n"} + # Enable Console logging, default is y + # Logs.Console=y + + # Enable periodic log collection, default is n + Logs.Collect=n + + # How frequently to collect logs, default is each hour + Logs.CollectPeriod=3600 + + # Is FIPS enabled + OS.EnableFIPS=n + # Root device timeout in seconds. OS.RootDeviceScsiTimeout=300 + + # How often (in seconds) to set the root device timeout. + OS.RootDeviceScsiTimeoutPeriod=30 + + # If "None", the system default version is used. 
+ OS.OpensslPath=${pkgs.openssl_3.bin}/bin/openssl + + # Set the SSH ClientAliveInterval + # OS.SshClientAliveInterval=180 + + # Set the path to SSH keys and configuration files + OS.SshDir=/etc/ssh + + # If set, agent will use proxy server to access internet + #HttpProxy.Host=None + #HttpProxy.Port=None + + # Detect Scvmm environment, default is n + # DetectScvmmEnv=n + + # + # Lib.Dir=/var/lib/waagent + + # + # DVD.MountPoint=/mnt/cdrom/secure + + # + # Pid.File=/var/run/waagent.pid + + # + # Extension.LogDir=/var/log/azure + + # + # Home.Dir=/home + + # Enable RDMA management and set up, should only be used in HPC images + OS.EnableRDMA=n + + # Enable checking RDMA driver version and update + # OS.CheckRdmaDriver=y + + # Enable or disable goal state processing auto-update, default is enabled + AutoUpdate.Enabled=n + + # Determine the update family, this should not be changed + # AutoUpdate.GAFamily=Prod + + # Determine if the overprovisioning feature is enabled. If yes, hold extension + # handling until inVMArtifactsProfile.OnHold is false. + # Default is enabled + EnableOverProvisioning=n + + # Allow fallback to HTTP if HTTPS is unavailable + # Note: Allowing HTTP (vs. HTTPS) may cause security risks + # OS.AllowHTTP=n + + # Add firewall rules to protect access to Azure host node services + OS.EnableFirewall=n + + # How often (in seconds) to check the firewall rules + OS.EnableFirewallPeriod=30 + + # How often (in seconds) to remove the udev rules for persistent network interface + # names (75-persistent-net-generator.rules and /etc/udev/rules.d/70-persistent-net.rules) + OS.RemovePersistentNetRulesPeriod=30 + + # How often (in seconds) to monitor for DHCP client restarts + OS.MonitorDhcpClientRestartPeriod=30 ''; - services.udev.packages = [ waagent ]; + services.udev.packages = [ pkgs.waagent ]; networking.dhcpcd.persistent = true; 
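Review bot: `OS.EnableFirewall=n` switches off the rules that the agent's own inline comment describes as protecting access to Azure host node services; without them any local process, not only root, can reach the host endpoint that serves the VM's goal state and extension payloads (that consequence is inferred from the agent's behaviour, not visible here). The module already owns iptables through `networking.firewall` (UDP 68 is opened in an earlier hunk), so the intent is presumably to avoid two rule owners, but then either an equivalent `networking.firewall.extraCommands` restriction should be added or the accepted exposure documented, e.g. `# n: iptables is managed by NixOS; the Azure host endpoint stays reachable by unprivileged local users`. In the same block, `ResourceDisk.MountOptions=None` mounts the scratch disk at `/mnt/resource` with default options where `nodev,nosuid` should be harmless hardening, and `AutoUpdate.Enabled=n` is the right choice for an immutable /nix/store but means agent security fixes arrive only through `pkgs.waagent` bumps, which also deserves a one-line comment.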
@@ -157,23 +217,24 @@ in description = "Services Requiring Azure VM provisioning to have finished"; }; - systemd.services.consume-hypervisor-entropy = - { description = "Consume entropy in ACPI table provided by Hyper-V"; - - wantedBy = [ "sshd.service" "waagent.service" ]; - before = [ "sshd.service" "waagent.service" ]; - - path = [ pkgs.coreutils ]; - script = - '' - echo "Fetching entropy..." - cat /sys/firmware/acpi/tables/OEM0 > /dev/random - ''; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - serviceConfig.StandardError = "journal+console"; - serviceConfig.StandardOutput = "journal+console"; - }; + systemd.services.consume-hypervisor-entropy = + { + description = "Consume entropy in ACPI table provided by Hyper-V"; + + wantedBy = [ "sshd.service" "waagent.service" ]; + before = [ "sshd.service" "waagent.service" ]; + + path = [ pkgs.coreutils ]; + script = + '' + echo "Fetching entropy..." + cat /sys/firmware/acpi/tables/OEM0 > /dev/random + ''; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + serviceConfig.StandardError = "journal+console"; + serviceConfig.StandardOutput = "journal+console"; + }; systemd.services.waagent = { wantedBy = [ "multi-user.target" ]; @@ -184,11 +245,10 @@ in description = "Windows Azure Agent Service"; unitConfig.ConditionPathExists = "/etc/waagent.conf"; serviceConfig = { - ExecStart = "${waagent}/bin/waagent -daemon"; + ExecStart = "${pkgs.waagent}/bin/waagent -daemon"; Type = "simple"; }; }; }; - } diff --git a/nixos/tests/keepassxc.nix b/nixos/tests/keepassxc.nix index 303be13304057..debb469032a62 100644 --- a/nixos/tests/keepassxc.nix +++ b/nixos/tests/keepassxc.nix @@ -17,7 +17,7 @@ import ./make-test-python.nix ({ pkgs, ...} : services.xserver.enable = true; # Regression test for https://github.com/NixOS/nixpkgs/issues/163482 - qt5 = { + qt = { enable = true; platformTheme = "gnome"; style = "adwaita-dark"; 
diff --git a/nixos/tests/libvirtd.nix b/nixos/tests/libvirtd.nix index 49258fcb93eaf..b6e6040759976 100644 --- a/nixos/tests/libvirtd.nix +++ b/nixos/tests/libvirtd.nix @@ -21,7 +21,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { }; testScript = let - nixosInstallISO = (import ../release.nix {}).iso_minimal.${pkgs.hostPlatform.system}; + nixosInstallISO = (import ../release.nix {}).iso_minimal.${pkgs.stdenv.hostPlatform.system}; virshShutdownCmd = if pkgs.stdenv.isx86_64 then "shutdown" else "destroy"; in '' start_all() |