diff options
author | Frederik Rietdijk <fridh@fridh.nl> | 2018-04-09 15:12:32 +0200 |
---|---|---|
committer | Frederik Rietdijk <fridh@fridh.nl> | 2018-04-09 15:12:32 +0200 |
commit | 0aa59a08d65461149552f68c638655ed2b474510 (patch) | |
tree | 95b176cf0459529707be2f16d6b87eb96fd4e01a /nixos | |
parent | 2cf343fc96b82772b9ab3700fe43eb142d100179 (diff) | |
parent | 2ab846211c52e3d7bb26b0888c9777598e921591 (diff) |
Merge master into staging
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1809.xml | 3 | ||||
-rw-r--r-- | nixos/modules/misc/ids.nix | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 2 | ||||
-rw-r--r-- | nixos/modules/programs/iftop.nix | 18 | ||||
-rw-r--r-- | nixos/modules/programs/less.nix | 17 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/backup/duplicati.nix | 40 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 9 | ||||
-rw-r--r-- | nixos/modules/tasks/network-interfaces-scripted.nix | 4 | ||||
-rw-r--r-- | nixos/release.nix | 1 | ||||
-rw-r--r-- | nixos/tests/chromium.nix | 24 | ||||
-rw-r--r-- | nixos/tests/iftop.nix | 30 |
12 files changed, 141 insertions, 11 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml index 959bd86759b1e..61f9ec8ba9950 100644 --- a/nixos/doc/manual/release-notes/rl-1809.xml +++ b/nixos/doc/manual/release-notes/rl-1809.xml @@ -58,6 +58,9 @@ following incompatible changes:</para> <itemizedlist> <listitem> <para> + The <literal>clementine</literal> package points now to the free derivation. + <literal>clementineFree</literal> is removed now and <literal>clementineUnfree</literal> + points to the package which is bundled with the unfree <literal>libspotify</literal> package. </para> </listitem> </itemizedlist> diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index c5dee2ca97aff..3594f57595c74 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -305,6 +305,7 @@ hass = 286; monero = 287; ceph = 288; + duplicati = 289; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -578,6 +579,7 @@ hass = 286; monero = 287; ceph = 288; + duplicati = 289; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 3a8b1014553c1..2f9b1083ef1dd 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -86,6 +86,7 @@ ./programs/freetds.nix ./programs/gnupg.nix ./programs/gphoto2.nix + ./programs/iftop.nix ./programs/java.nix ./programs/kbdlight.nix ./programs/less.nix @@ -159,6 +160,7 @@ ./services/audio/ympd.nix ./services/backup/bacula.nix ./services/backup/borgbackup.nix + ./services/backup/duplicati.nix ./services/backup/crashplan.nix ./services/backup/crashplan-small-business.nix ./services/backup/mysql-backup.nix diff --git a/nixos/modules/programs/iftop.nix b/nixos/modules/programs/iftop.nix new file mode 100644 index 0000000000000..a98a9a8187d4b --- /dev/null +++ b/nixos/modules/programs/iftop.nix @@ -0,0 +1,18 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.programs.iftop; +in { + options = { + programs.iftop.enable = mkEnableOption "iftop + setcap wrapper"; + }; + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.iftop ]; + security.wrappers.iftop = { + source = "${pkgs.iftop}/bin/iftop"; + capabilities = "cap_net_raw+p"; + }; + }; +} diff --git a/nixos/modules/programs/less.nix b/nixos/modules/programs/less.nix index c0283c9e68626..d39103a58057d 100644 --- a/nixos/modules/programs/less.nix +++ b/nixos/modules/programs/less.nix @@ -6,7 +6,7 @@ let cfg = config.programs.less; - configFile = '' + configText = if (cfg.configFile != null) then (builtins.readFile cfg.configFile) else '' #command ${concatStringsSep "\n" (mapAttrsToList (command: action: "${command} ${action}") cfg.commands) @@ -25,7 +25,7 @@ let ''; lessKey = pkgs.runCommand "lesskey" - { src = pkgs.writeText "lessconfig" configFile; } + { src = pkgs.writeText "lessconfig" configText; } "${pkgs.less}/bin/lesskey -o $out $src"; in @@ -37,6 +37,19 @@ in enable = mkEnableOption "less"; + configFile = mkOption { + type = types.nullOr types.path; + default = null; + example = literalExample "$${pkgs.my-configs}/lesskey"; + description = '' + Path to lesskey configuration file. + + <option>configFile</option> takes precedence over <option>commands</option>, + <option>clearDefaultCommands</option>, <option>lineEditingKeys</option>, and + <option>envVariables</option>. + ''; + }; + commands = mkOption { type = types.attrsOf types.str; default = {}; diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index e1cad03e66e22..f2bdfcf885eea 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -386,7 +386,7 @@ let ${optionalString (cfg.enableGnomeKeyring) "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"} ${optionalString (config.virtualisation.lxc.lxcfs.enable) - "session optional ${pkgs.lxcfs}/lib/security/pam_cgfs.so -c freezer,memory,name=systemd,unified,cpuset"} + "session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"} ''); }; diff --git a/nixos/modules/services/backup/duplicati.nix b/nixos/modules/services/backup/duplicati.nix new file mode 100644 index 0000000000000..9772ca4d20a79 --- /dev/null +++ b/nixos/modules/services/backup/duplicati.nix @@ -0,0 +1,40 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.duplicati; +in +{ + options = { + services.duplicati = { + enable = mkEnableOption "Duplicati"; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.duplicati ]; + + systemd.services.duplicati = { + description = "Duplicati backup"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = "duplicati"; + Group = "duplicati"; + ExecStart = "${pkgs.duplicati}/bin/duplicati-server --webservice-interface=any --webservice-port=8200 --server-datafolder=/var/lib/duplicati"; + Restart = "on-failure"; + }; + }; + + users.extraUsers.duplicati = { + uid = config.ids.uids.duplicati; + home = "/var/lib/duplicati"; + createHome = true; + group = "duplicati"; + }; + users.extraGroups.duplicati.gid = config.ids.gids.duplicati; + + }; +} + diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index dee877f1c1143..938a8a1fe334b 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -9,15 +9,16 @@ let serverName = if vhostConfig.serverName != null then vhostConfig.serverName else vhostName; + acmeDirectory = config.security.acme.directory; in vhostConfig // { inherit serverName; } // (optionalAttrs vhostConfig.enableACME { - sslCertificate = "/var/lib/acme/${serverName}/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/${serverName}/key.pem"; + sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem"; + sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem"; }) // (optionalAttrs (vhostConfig.useACMEHost != null) { - sslCertificate = "/var/lib/acme/${vhostConfig.useACMEHost}/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/${vhostConfig.useACMEHost}/key.pem"; + sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem"; + sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem"; }) ) cfg.virtualHosts; enableIPv6 = config.networking.enableIPv6; diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index c7d56790fa0c1..e754a1e8718d5 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -191,7 +191,7 @@ let if out=$(ip addr add "${cidr}" dev "${i.name}" 2>&1); then echo "done" elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then - echo "failed" + echo "'ip addr add "${cidr}" dev "${i.name}"' failed: $out" exit 1 fi '' @@ -212,7 +212,7 @@ let if out=$(ip route add "${cidr}" ${options} ${via} dev "${i.name}" 2>&1); then echo "done" elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then - echo "failed" + echo "'ip route add "${cidr}" ${options} ${via} dev "${i.name}"' failed: $out" exit 1 fi '' diff --git a/nixos/release.nix b/nixos/release.nix index c84853a142c17..4fd77e6471cff 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -295,6 +295,7 @@ in rec { tests.hound = callTest tests/hound.nix {}; tests.hocker-fetchdocker = callTest tests/hocker-fetchdocker {}; tests.i3wm = callTest tests/i3wm.nix {}; + tests.iftop = callTest tests/iftop.nix {}; tests.initrd-network-ssh = callTest tests/initrd-network-ssh {}; tests.installer = callSubTests tests/installer.nix {}; tests.influxdb = callTest tests/influxdb.nix {}; diff --git a/nixos/tests/chromium.nix b/nixos/tests/chromium.nix index 3a2c651647667..65c314e22e1d2 100644 --- a/nixos/tests/chromium.nix +++ b/nixos/tests/chromium.nix @@ -151,11 +151,11 @@ mapAttrs (channel: chromiumPkg: makeTest rec { $machine->screenshot("sandbox_info"); - $machine->succeed(ru "${xdo "submit-url" '' + $machine->succeed(ru "${xdo "find-window" '' search --sync --onlyvisible --name "sandbox status" windowfocus --sync ''}"); - $machine->succeed(ru "${xdo "submit-url" '' + $machine->succeed(ru "${xdo "copy-sandbox-info" '' key --delay 1000 Ctrl+a Ctrl+c ''}"); @@ -166,6 +166,26 @@ mapAttrs (channel: chromiumPkg: makeTest rec { && $clipboard =~ /network namespaces.*yes/mi && $clipboard =~ /seccomp.*sandbox.*yes/mi && $clipboard =~ /you are adequately sandboxed/mi; + + $machine->sleep(1); + $machine->succeed(ru "${xdo "find-window-after-copy" '' + search --onlyvisible --name "sandbox status" + ''}"); + + my $clipboard = $machine->succeed(ru "echo void | ${pkgs.xclip}/bin/xclip -i"); + $machine->succeed(ru "${xdo "copy-sandbox-info" '' + key --delay 1000 Ctrl+a Ctrl+c + ''}"); + + my $clipboard = $machine->succeed(ru "${pkgs.xclip}/bin/xclip -o"); + die "copying twice in a row does not work properly: $clipboard" + unless $clipboard =~ /namespace sandbox.*yes/mi + && $clipboard =~ /pid namespaces.*yes/mi + && $clipboard =~ /network namespaces.*yes/mi + && $clipboard =~ /seccomp.*sandbox.*yes/mi + && $clipboard =~ /you are adequately sandboxed/mi; + + $machine->screenshot("afer_copy_from_chromium"); }; $machine->shutdown; diff --git a/nixos/tests/iftop.nix b/nixos/tests/iftop.nix new file mode 100644 index 0000000000000..21ff3cafed7ce --- /dev/null +++ b/nixos/tests/iftop.nix @@ -0,0 +1,30 @@ +import ./make-test.nix ({ pkgs, lib, ... }: + +with lib; + +{ + name = "iftop"; + meta.maintainers = with pkgs.stdenv.lib.maintainers; [ ma27 ]; + + nodes = { + withIftop = { + imports = [ ./common/user-account.nix ]; + + programs.iftop.enable = true; + }; + withoutIftop = { + imports = [ ./common/user-account.nix ]; + }; + }; + + testScript = '' + subtest "machine with iftop enabled", sub { + $withIftop->start; + $withIftop->succeed("su -l alice -c 'iftop -t -s 1'"); + }; + subtest "machine without iftop", sub { + $withoutIftop->start; + $withoutIftop->mustFail("su -l alice -c 'iftop -t -s 1'"); + }; + ''; +}) |