author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2024-03-27 00:12:11 +0000 |
committer | GitHub <noreply@github.com> | 2024-03-27 00:12:11 +0000 |
commit | 7f599f65111b55636eb6b8f1e50242f109edaeb1 (patch) | |
tree | 0b382c5d52c767e9021b2e37f6e3b1abddbe4b6f /nixos | |
parent | 13461228bb38440740786c47140460517f9f327c (diff) | |
parent | e80d1b630036fe33badbc168dfcd071d463b92cf (diff) |
Merge master into haskell-updates
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/configuration/x-windows.chapter.md | 10 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2405.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/config/users-groups.nix | 36 | ||||
-rw-r--r-- | nixos/modules/hardware/video/nvidia.nix | 13 | ||||
-rw-r--r-- | nixos/modules/installer/tools/nixos-generate-config.pl | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/programs/steam.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/misc/paperless.nix | 16 | ||||
-rw-r--r-- | nixos/modules/services/networking/microsocks.nix | 146 | ||||
-rw-r--r-- | nixos/modules/services/x11/xserver.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd/initrd.nix | 5 | ||||
-rw-r--r-- | nixos/release-combined.nix | 5 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/goss.nix | 8 | ||||
-rw-r--r-- | nixos/tests/systemd-user-linger.nix | 39 |
15 files changed, 252 insertions, 38 deletions
diff --git a/nixos/doc/manual/configuration/x-windows.chapter.md b/nixos/doc/manual/configuration/x-windows.chapter.md index bf1872ae01ace..0e8e38b83dcdc 100644 --- a/nixos/doc/manual/configuration/x-windows.chapter.md +++ b/nixos/doc/manual/configuration/x-windows.chapter.md @@ -146,14 +146,12 @@ default because it's not free software. You can enable it as follows: services.xserver.videoDrivers = [ "nvidia" ]; ``` -Or if you have an older card, you may have to use one of the legacy -drivers: +If you have an older card, you may have to use one of the legacy drivers: ```nix -services.xserver.videoDrivers = [ "nvidiaLegacy470" ]; -services.xserver.videoDrivers = [ "nvidiaLegacy390" ]; -services.xserver.videoDrivers = [ "nvidiaLegacy340" ]; -services.xserver.videoDrivers = [ "nvidiaLegacy304" ]; +hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470; +hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_390; +hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_340; ``` You may need to reboot after enabling this driver to prevent a clash diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index f4b1cc0609ad1..92018e384847e 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md 
@@ -111,6 +111,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - [Pretix](https://pretix.eu/about/en/), an open source ticketing software for events. Available as [services.pretix]($opt-services-pretix.enable). +- [microsocks](https://github.com/rofl0r/microsocks), a tiny, portable SOCKS5 server with very moderate resource usage. Available as [services.microsocks]($opt-services-microsocks.enable). + - [Clevis](https://github.com/latchset/clevis), a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as [boot.initrd.clevis.enable](#opt-boot.initrd.clevis.enable). - [fritz-exporter](https://github.com/pdreker/fritz_exporter), a Prometheus exporter for extracting metrics from [FRITZ!](https://avm.de/produkte/) devices. Available as [services.prometheus.exporters.fritz](#opt-services.prometheus.exporters.fritz.enable). diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 02cd1a17f538a..f9750b7263cac 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -496,6 +496,7 @@ let in filter types.shellPackage.check shells; + lingeringUsers = map (u: u.name) (attrValues (flip filterAttrs cfg.users (n: u: u.linger))); in { imports = [ (mkAliasOptionModuleMD [ "users" "extraUsers" ] [ "users" "users" ]) 
@@ -695,24 +696,31 @@ in { ''; } else ""; # keep around for backwards compatibility - system.activationScripts.update-lingering = let - lingerDir = "/var/lib/systemd/linger"; - lingeringUsers = map (u: u.name) (attrValues (flip filterAttrs cfg.users (n: u: u.linger))); - lingeringUsersFile = builtins.toFile "lingering-users" - (concatStrings (map (s: "${s}\n") - (sort (a: b: a < b) lingeringUsers))); # this sorting is important for `comm` to work correctly - in stringAfter [ "users" ] '' - if [ -e ${lingerDir} ] ; then + systemd.services.linger-users = lib.mkIf ((builtins.length lingeringUsers) > 0) { + wantedBy = ["multi-user.target"]; + after = ["systemd-logind.service"]; + requires = ["systemd-logind.service"]; + + script = let + lingerDir = "/var/lib/systemd/linger"; + lingeringUsersFile = builtins.toFile "lingering-users" + (concatStrings (map (s: "${s}\n") + (sort (a: b: a < b) lingeringUsers))); # this sorting is important for `comm` to work correctly + in '' + mkdir -vp ${lingerDir} cd ${lingerDir} - for user in ${lingerDir}/*; do - if ! id "$user" >/dev/null 2>&1; then + for user in $(ls); do + if ! id "$user" >/dev/null; then + echo "Removing linger for missing user $user" rm --force -- "$user" fi done - ls ${lingerDir} | sort | comm -3 -1 ${lingeringUsersFile} - | xargs -r ${pkgs.systemd}/bin/loginctl disable-linger - ls ${lingerDir} | sort | comm -3 -2 ${lingeringUsersFile} - | xargs -r ${pkgs.systemd}/bin/loginctl enable-linger - fi - ''; + ls | sort | comm -3 -1 ${lingeringUsersFile} - | xargs -r ${pkgs.systemd}/bin/loginctl disable-linger + ls | sort | comm -3 -2 ${lingeringUsersFile} - | xargs -r ${pkgs.systemd}/bin/loginctl enable-linger + ''; + + serviceConfig.Type = "oneshot"; + }; # Warn about user accounts with deprecated password hashing schemes # This does not work when the users and groups are created by diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 3b983f768f91a..352c8d8ead54d 100644 
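Review bot: Gating the unit on `lib.mkIf ((builtins.length lingeringUsers) > 0)` means that once the last `linger = true` is removed from the configuration no `linger-users` unit exists to run the `comm -3 -1 … disable-linger` pass, so entries already present in `/var/lib/systemd/linger` appear to stay enabled; the replaced activation script ran whenever the directory existed (`if [ -e ${lingerDir} ]`) and did not have this gap. Consider generating the unit unconditionally (the script already copes with an empty list) or at least recording the trade-off in a comment next to the `mkIf`. The loop `for user in $(ls); do` also word-splits `ls` output where the old code globbed `${lingerDir}/*`; `for user in *; do [ -e "$user" ] || continue` keeps the earlier semantics without parsing `ls`. Dropping the `2>&1` on `id "$user" >/dev/null` only changes what lands in the journal, but it is worth confirming that is intentional.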
--- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -396,6 +396,9 @@ in { modules = [nvidia_x11.bin]; display = !offloadCfg.enable; deviceSection = + '' + Option "SidebandSocketPath" "/run/nvidia-xdriver/" + '' + lib.optionalString primeEnabled '' BusID "${pCfg.nvidiaBusId}" @@ -533,8 +536,14 @@ in { hardware.firmware = lib.optional cfg.open nvidia_x11.firmware; - systemd.tmpfiles.rules = - lib.optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia) + systemd.tmpfiles.rules = [ + # Remove the following log message: + # (WW) NVIDIA: Failed to bind sideband socket to + # (WW) NVIDIA: '/var/run/nvidia-xdriver-b4f69129' Permission denied + # + # https://bbs.archlinux.org/viewtopic.php?pid=1909115#p1909115 + "d /run/nvidia-xdriver 0770 root users" + ] ++ lib.optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia) "L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced"; boot = { diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index 2f9edba4f0c9c..ef25b8b296e6e 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -257,7 +257,7 @@ foreach my $path (glob "/sys/class/{block,mmc_host}/*") { # Add bcache module, if needed. my @bcacheDevices = glob("/dev/bcache*"); -@bcacheDevices = grep(!qr#dev/bcachefs.*#, @bcacheDevices); +@bcacheDevices = grep(!m#dev/bcachefs.*#, @bcacheDevices); if (scalar @bcacheDevices > 0) { push @initrdAvailableKernelModules, "bcache"; } diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 299b163844f82..439341f443574 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix 
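Review bot: The tmpfiles rule `d /run/nvidia-xdriver 0770 root users` makes the sideband-socket directory writable by every member of `users`, so any such user can create, rename or unlink entries there, including a socket created for another session; since the `SidebandSocketPath` option in the first hunk points the driver at this directory, a sticky bit would at least stop users from removing each other's entries, e.g. `"d /run/nvidia-xdriver 1770 root users"`. Whether the driver tolerates a pre-existing entry at its socket path is not visible here and is worth checking against the driver documentation before relying on the directory mode alone. The comment block explains which log message is being silenced but not why `users` was chosen as the group; a line such as `# group-writable so that unprivileged X clients can reach the driver's sideband socket` would record the intent.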
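Review bot: The corrected `grep(!m#dev/bcachefs.*#, @bcacheDevices)` now tests each element, but the trailing `.*` is redundant for an unanchored match and the intent — keeping `/dev/bcachefs*` entries from pulling the `bcache` module into the initrd — is only recoverable from the `push` a few lines below; a comment such as `# /dev/bcachefs* belongs to bcachefs, not bcache; exclude it from the module check` above the line would make that explicit. `m#…#` matches against `$_`, which `grep` sets per element, so the implicit binding is correct.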
@@ -1020,6 +1020,7 @@ ./services/networking/lxd-image-server.nix ./services/networking/magic-wormhole-mailbox-server.nix ./services/networking/matterbridge.nix + ./services/networking/microsocks.nix ./services/networking/mihomo.nix ./services/networking/minidlna.nix ./services/networking/miniupnpd.nix diff --git a/nixos/modules/programs/steam.nix b/nixos/modules/programs/steam.nix index c93a34f618494..bab9bf8107b6e 100644 --- a/nixos/modules/programs/steam.nix +++ b/nixos/modules/programs/steam.nix @@ -45,6 +45,8 @@ in { apply = steam: steam.override (prev: { extraEnv = (lib.optionalAttrs (cfg.extraCompatPackages != [ ]) { STEAM_EXTRA_COMPAT_TOOLS_PATHS = makeSearchPathOutput "steamcompattool" "" cfg.extraCompatPackages; + }) // (optionalAttrs cfg.extest.enable { + LD_PRELOAD = "${pkgs.pkgsi686Linux.extest}/lib/libextest.so"; }) // (prev.extraEnv or {}); extraLibraries = pkgs: let prevLibs = if prev ? extraLibraries then prev.extraLibraries pkgs else [ ]; @@ -59,8 +61,6 @@ in { # use the setuid wrapped bubblewrap bubblewrap = "${config.security.wrapperDir}/.."; }; - } // optionalAttrs cfg.extest.enable { - extraEnv.LD_PRELOAD = "${pkgs.pkgsi686Linux.extest}/lib/libextest.so"; }); description = lib.mdDoc '' The Steam package to use. Additional libraries are added from the system diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix index 9314c4f3848d8..9301d1f687254 100644 --- a/nixos/modules/services/misc/paperless.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -27,6 +27,8 @@ let name = "paperless_ngx_nltk_data"; paths = pkg.nltkData; }; + } // optionalAttrs (cfg.openMPThreadingWorkaround) { + OMP_NUM_THREADS = "1"; } // (lib.mapAttrs (_: s: if (lib.isAttrs s || lib.isList s) then builtins.toJSON s else if lib.isBool s then lib.boolToString s 
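Review bot: The added `optionalAttrs cfg.extest.enable` is unqualified while the line directly above uses `lib.optionalAttrs`; pick one form, e.g. `}) // (lib.optionalAttrs cfg.extest.enable {`. Because `(prev.extraEnv or {})` is merged last, an `LD_PRELOAD` already present in `prev.extraEnv` silently replaces the extest library rather than being combined with it; if that is acceptable a comment saying so would help, otherwise the two values should be joined with `:`. The enclosing `apply` function continues outside the hunk.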
@@ -199,6 +201,20 @@ in }; package = mkPackageOption pkgs "paperless-ngx" { }; + + openMPThreadingWorkaround = mkEnableOption '' + a workaround for document classifier timeouts. + + Paperless uses OpenBLAS via scikit-learn for document classification. + + The default is to use threading for OpenMP but this would cause the + document classifier to spin on one core seemingly indefinitely if there + are large amounts of classes per classification; causing it to + effectively never complete due to running into timeouts. + + This sets `OMP_NUM_THREADS` to `1` in order to mitigate the issue. See + https://github.com/NixOS/nixpkgs/issues/240591 for more information. + '' // mkOption { default = true; }; }; config = mkIf cfg.enable { diff --git a/nixos/modules/services/networking/microsocks.nix b/nixos/modules/services/networking/microsocks.nix new file mode 100644 index 0000000000000..be79a8495636f --- /dev/null +++ b/nixos/modules/services/networking/microsocks.nix 
@@ -0,0 +1,146 @@ +{ config, + lib, + pkgs, + ... +}: + +let + cfg = config.services.microsocks; + + cmd = + if cfg.execWrapper != null + then "${cfg.execWrapper} ${cfg.package}/bin/microsocks" + else "${cfg.package}/bin/microsocks"; + args = + [ "-i" cfg.ip "-p" (toString cfg.port) ] + ++ lib.optionals (cfg.authOnce) [ "-1" ] + ++ lib.optionals (cfg.disableLogging) [ "-q" ] + ++ lib.optionals (cfg.outgoingBindIp != null) [ "-b" cfg.outgoingBindIp ] + ++ lib.optionals (cfg.authUsername != null) [ "-u" cfg.authUsername ]; +in { + options.services.microsocks = { + enable = lib.mkEnableOption (lib.mdDoc "Tiny, portable SOCKS5 server with very moderate resource usage"); + user = lib.mkOption { + default = "microsocks"; + description = lib.mdDoc "User microsocks runs as."; + type = lib.types.str; + }; + group = lib.mkOption { + default = "microsocks"; + description = lib.mdDoc "Group microsocks runs as."; + type = lib.types.str; + }; + package = lib.mkPackageOption pkgs "microsocks" {}; + ip = lib.mkOption { + type = lib.types.str; + default = "127.0.0.1"; + description = lib.mdDoc '' + IP on which microsocks should listen. Defaults to 127.0.0.1 for + security reasons. + ''; + }; + port = lib.mkOption { + type = lib.types.port; + default = 1080; + description = lib.mdDoc "Port on which microsocks should listen."; + }; + disableLogging = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc "If true, microsocks will not log any messages to stdout/stderr."; + }; + authOnce = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc '' + If true, once a specific ip address authed successfully with user/pass, + it is added to a whitelist and may use the proxy without auth. 
+ ''; + }; + outgoingBindIp = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = lib.mdDoc "Specifies which ip outgoing connections are bound to"; + }; + authUsername = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + example = "alice"; + description = lib.mdDoc "Optional username to use for authentication."; + }; + authPasswordFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/run/secrets/microsocks-password"; + description = lib.mdDoc "Path to a file containing the password for authentication."; + }; + execWrapper = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + example = '' + ''${pkgs.mullvad-vpn}/bin/mullvad-exclude + ''; + description = lib.mdDoc '' + An optional command to prepend to the microsocks command (such as proxychains, or a VPN exclude command). + ''; + }; + }; + config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = (cfg.authUsername != null) == (cfg.authPasswordFile != null); + message = "Need to set both authUsername and authPasswordFile for microsocks"; + } + ]; + users = { + users = lib.mkIf (cfg.user == "microsocks") { + microsocks = { + group = cfg.group; + isSystemUser = true; + }; + }; + groups = lib.mkIf (cfg.group == "microsocks") { + microsocks = {}; + }; + }; + systemd.services.microsocks = { + enable = true; + description = "a tiny socks server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Restart = "on-failure"; + RestartSec = 10; + LoadCredential = lib.optionalString (cfg.authPasswordFile != null) "MICROSOCKS_PASSWORD_FILE:${cfg.authPasswordFile}"; + MemoryDenyWriteExecute = true; + SystemCallArchitectures = "native"; + PrivateTmp = true; + NoNewPrivileges = true; + ProtectSystem = "strict"; + ProtectHome = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + PrivateDevices = true; 
+ RestrictSUIDSGID = true; + RestrictNamespaces = [ + "cgroup" + "ipc" + "pid" + "user" + "uts" + ]; + }; + script = + if cfg.authPasswordFile != null + then '' + PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/MICROSOCKS_PASSWORD_FILE") + ${cmd} ${lib.escapeShellArgs args} -P "$PASSWORD" + '' + else '' + ${cmd} ${lib.escapeShellArgs args} + ''; + }; + }; +} diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 4e0235f9ad1dd..453f414e2a862 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -303,7 +303,7 @@ in type = types.listOf types.str; default = [ "modesetting" "fbdev" ]; example = [ - "nvidia" "nvidiaLegacy390" "nvidiaLegacy340" "nvidiaLegacy304" + "nvidia" "amdgpu-pro" ]; # TODO(@oxij): think how to easily add the rest, like those nvidia things diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index e4f61db0cd02a..06359f273846a 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix @@ -392,7 +392,10 @@ in { boot.kernelParams = [ "root=${config.boot.initrd.systemd.root}" - ] ++ lib.optional (config.boot.resumeDevice != "") "resume=${config.boot.resumeDevice}"; + ] ++ lib.optional (config.boot.resumeDevice != "") "resume=${config.boot.resumeDevice}" + # `systemd` mounts root in initrd as read-only unless "rw" is on the kernel command line. + # For NixOS activation to succeed, we need to have root writable in initrd. + ++ lib.optional (config.boot.initrd.systemd.root == "gpt-auto") "rw"; boot.initrd.systemd = { initrdBin = [pkgs.bash pkgs.coreutils cfg.package.kmod cfg.package]; diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index 459700514ffc5..96b24feeb0631 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix 
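Review bot: `RestrictNamespaces = [ "cgroup" "ipc" "pid" "user" "uts" ]` in the `serviceConfig` does the opposite of what a hardening block suggests: in systemd, listing namespace types permits those types and only prohibits the unlisted ones (here `net` and `mnt`), so `RestrictNamespaces = true;` is the restrictive setting a SOCKS daemon needs. The password is read from the credential directory but then handed over as `-P "$PASSWORD"`, which places it in the process argument list where other local users can read it unless `/proc` is mounted with `hidepid`; if the upstream binary offers no other way to pass it, the `authPasswordFile` description should say so, e.g. `''Path to a file containing the password for authentication. microsocks only accepts the password on its command line, so it is visible to other local users in the process list.''`. The unit also lacks the usual companions of the directives it already sets — no `CapabilityBoundingSet`, `RestrictAddressFamilies`, `SystemCallFilter`, `LockPersonality` or `RestrictRealtime`; the block below adds them and assumes only unprivileged ports are bound (the service runs as `cfg.user` with no ambient capabilities, so ports below 1024 are not reachable in this configuration anyway) and that name resolution goes through nscd over a Unix socket, which is why `AF_UNIX` stays allowed — confirm both against the deployment. `enable = true;` on the unit is the default and can be dropped.
```nix
      serviceConfig = {
        # … unchanged: User, Group, Restart, RestartSec, LoadCredential, MemoryDenyWriteExecute … PrivateDevices …
        RestrictSUIDSGID = true;
        RestrictNamespaces = true;
        CapabilityBoundingSet = "";
        # AF_UNIX: glibc name resolution via nscd; drop it if resolution is done another way
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
        SystemCallFilter = [ "@system-service" ];
        LockPersonality = true;
        RestrictRealtime = true;
        ProtectControlGroups = true;
        ProtectClock = true;
        ProtectHostname = true;
      };
```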
@@ -169,11 +169,6 @@ in rec { (onFullSupported "nixpkgs.jdk") (onSystems ["x86_64-linux"] "nixpkgs.mesa_i686") # i686 sanity check + useful ["nixpkgs.tarball"] - - # Ensure that nixpkgs-check-by-name is available in nixos-unstable, - # so that a pre-built version can be used in CI for PR's - # See ../pkgs/test/nixpkgs-check-by-name/README.md - (onSystems ["x86_64-linux"] "nixpkgs.tests.nixpkgs-check-by-name") ]; }; } diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 69d340bae2774..fd1f884c8c28e 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -902,6 +902,7 @@ in { systemd-sysusers-immutable = runTest ./systemd-sysusers-immutable.nix; systemd-timesyncd = handleTest ./systemd-timesyncd.nix {}; systemd-timesyncd-nscd-dnssec = handleTest ./systemd-timesyncd-nscd-dnssec.nix {}; + systemd-user-linger = handleTest ./systemd-user-linger.nix {}; systemd-user-tmpfiles-rules = handleTest ./systemd-user-tmpfiles-rules.nix {}; systemd-misc = handleTest ./systemd-misc.nix {}; systemd-userdbd = handleTest ./systemd-userdbd.nix {}; diff --git a/nixos/tests/goss.nix b/nixos/tests/goss.nix index 6b772d19215e3..2e77b2734464f 100644 --- a/nixos/tests/goss.nix +++ b/nixos/tests/goss.nix @@ -28,10 +28,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { }; group.root.exists = true; kernel-param."kernel.ostype".value = "Linux"; - service.goss = { - enabled = true; - running = true; - }; user.root.exists = true; }; }; 
@@ -46,8 +42,8 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { with subtest("returns health status"): result = json.loads(machine.succeed("curl -sS http://localhost:8080/healthz")) - assert len(result["results"]) == 10, f".results should be an array of 10 items, was {result['results']!r}" + assert len(result["results"]) == 8, f".results should be an array of 10 items, was {result['results']!r}" assert result["summary"]["failed-count"] == 0, f".summary.failed-count should be zero, was {result['summary']['failed-count']}" - assert result["summary"]["test-count"] == 10, f".summary.test-count should be 10, was {result['summary']['test-count']}" + assert result["summary"]["test-count"] == 8, f".summary.test-count should be 10, was {result['summary']['test-count']}" ''; }) diff --git a/nixos/tests/systemd-user-linger.nix b/nixos/tests/systemd-user-linger.nix new file mode 100644 index 0000000000000..2c3d71668979f --- /dev/null +++ b/nixos/tests/systemd-user-linger.nix @@ -0,0 +1,39 @@ +import ./make-test-python.nix ( + { lib, ... }: + { + name = "systemd-user-linger"; + + nodes.machine = + { ... }: + { + users.users = { + alice = { + isNormalUser = true; + linger = true; + uid = 1000; + }; + + bob = { + isNormalUser = true; + linger = false; + uid = 10001; + }; + }; + }; + + testScript = + { ... }: + '' + machine.wait_for_file("/var/lib/systemd/linger/alice") + machine.succeed("systemctl status user-1000.slice") + + machine.fail("test -e /var/lib/systemd/linger/bob") + machine.fail("systemctl status user-1001.slice") + + with subtest("missing users have linger purged"): + machine.succeed("touch /var/lib/systemd/linger/missing") + machine.systemctl("restart linger-users") + machine.succeed("test ! -e /var/lib/systemd/linger/missing") + ''; + } +) |
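Review bot: The assertion messages on the two changed lines still say `should be an array of 10 items` and `should be 10` while the expected values were lowered to 8, so a failure would report the wrong expectation; change them alongside the counts, e.g. `f".results should be an array of 8 items, was {result['results']!r}"` and `f".summary.test-count should be 8, was {result['summary']['test-count']}"`. Deriving both numbers from one constant would keep them from drifting apart again. The enclosing `testScript` starts outside the hunk.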
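Review bot: `bob` is declared with `uid = 10001;`, but the negative check is `machine.fail("systemctl status user-1001.slice")`, so it tests a uid no user has and passes regardless of whether bob lingers; either the declaration should read `uid = 1001;` or the check `user-10001.slice`. `machine.fail("test -e /var/lib/systemd/linger/bob")` still covers the file side, but the slice check is the part that shows logind did not start a user session, so it is worth fixing. The purge subtest restarts `linger-users` and checks the stray entry is removed, which matches the new unit's handling of unknown users.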