authorVladimír Čunát <v@cunat.cz>2019-08-24 08:19:05 +0200
committerVladimír Čunát <v@cunat.cz>2019-08-24 08:55:37 +0200
commit2e6bf42a2207d5ecfe6e67de2def6e004a0eb1f1 (patch)
tree36de0660dc2c9f3731bd8b60ec852ca0c452efce /nixos
parent84a91208a948be5eca97ea182c4256d9d6ecf171 (diff)
parent8943fb5f24b9e1aa1d577be4e214d166643269fd (diff)
Merge branch 'master' into staging-next
There were very many conflicts, basically all due to
name -> pname+version.  Fortunately, almost everything was auto-resolved
by kdiff3, and for now I just fixed up a couple evaluation problems,
as verified by the tarball job.  There might be some fallback to these
conflicts, but I believe it should be minimal.

Hydra nixpkgs: ?compare=1538299
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-1909.xml82
-rw-r--r--nixos/lib/build-vms.nix6
-rw-r--r--nixos/maintainers/option-usages.nix2
-rw-r--r--nixos/modules/config/fonts/fontconfig-penultimate.nix168
-rw-r--r--nixos/modules/config/fonts/fontconfig.nix460
-rw-r--r--nixos/modules/config/qt5.nix102
-rw-r--r--nixos/modules/config/sysctl.nix10
-rw-r--r--nixos/modules/config/vte.nix52
-rw-r--r--nixos/modules/installer/cd-dvd/sd-image.nix4
-rw-r--r--nixos/modules/module-list.nix11
-rw-r--r--nixos/modules/profiles/hardened.nix18
-rw-r--r--nixos/modules/programs/dconf.nix10
-rw-r--r--nixos/modules/programs/gnome-terminal.nix36
-rw-r--r--nixos/modules/programs/zsh/zsh.nix13
-rw-r--r--nixos/modules/rename.nix3
-rw-r--r--nixos/modules/services/audio/roon-server.nix28
-rw-r--r--nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/gnome-terminal-server.nix41
-rw-r--r--nixos/modules/services/desktops/gnome3/gvfs.nix43
-rw-r--r--nixos/modules/services/desktops/gnome3/tracker-miners.nix6
-rw-r--r--nixos/modules/services/desktops/gnome3/tracker.nix6
-rw-r--r--nixos/modules/services/desktops/gvfs.nix59
-rw-r--r--nixos/modules/services/hardware/trezord.nix24
-rw-r--r--nixos/modules/services/hardware/trezord.xml26
-rw-r--r--nixos/modules/services/logging/awstats.nix54
-rw-r--r--nixos/modules/services/misc/gitlab.nix2
-rw-r--r--nixos/modules/services/misc/mantisbt.nix68
-rw-r--r--nixos/modules/services/misc/matrix-synapse.nix2
-rw-r--r--nixos/modules/services/misc/metabase.nix103
-rw-r--r--nixos/modules/services/monitoring/cadvisor.nix11
-rw-r--r--nixos/modules/services/monitoring/riemann-tools.nix12
-rw-r--r--nixos/modules/services/monitoring/systemhealth.nix133
-rw-r--r--nixos/modules/services/monitoring/ups.nix2
-rw-r--r--nixos/modules/services/network-filesystems/u9fs.nix1
-rw-r--r--nixos/modules/services/networking/cjdns.nix21
-rw-r--r--nixos/modules/services/networking/consul.nix2
-rw-r--r--nixos/modules/services/networking/hylafax/systemd.nix2
-rw-r--r--nixos/modules/services/networking/jormungandr.nix97
-rw-r--r--nixos/modules/services/networking/shadowsocks.nix6
-rw-r--r--nixos/modules/services/networking/ssh/sshd.nix2
-rw-r--r--nixos/modules/services/networking/stubby.nix2
-rw-r--r--nixos/modules/services/search/elasticsearch.nix1
-rw-r--r--nixos/modules/services/security/sshguard.nix14
-rw-r--r--nixos/modules/services/security/usbguard.nix14
-rw-r--r--nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix4
-rw-r--r--nixos/modules/services/web-servers/caddy.nix2
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix33
-rw-r--r--nixos/modules/services/x11/desktop-managers/gnome3.nix7
-rw-r--r--nixos/modules/services/x11/desktop-managers/lxqt.nix3
-rw-r--r--nixos/modules/services/x11/desktop-managers/mate.nix8
-rw-r--r--nixos/modules/services/x11/desktop-managers/pantheon.nix22
-rw-r--r--nixos/modules/services/x11/desktop-managers/xfce.nix7
-rw-r--r--nixos/modules/services/x11/xautolock.nix2
-rw-r--r--nixos/modules/services/x11/xserver.nix2
-rw-r--r--nixos/modules/system/boot/coredump.nix66
-rw-r--r--nixos/modules/system/boot/kernel.nix1
-rw-r--r--nixos/modules/system/boot/loader/grub/grub.nix2
-rw-r--r--nixos/modules/system/boot/networkd.nix88
-rw-r--r--nixos/modules/system/boot/stage-1-init.sh4
-rw-r--r--nixos/modules/system/boot/systemd.nix25
-rw-r--r--nixos/modules/tasks/network-interfaces-systemd.nix8
-rw-r--r--nixos/modules/tasks/network-interfaces.nix12
-rw-r--r--nixos/modules/virtualisation/containers.nix38
-rw-r--r--nixos/modules/virtualisation/google-compute-config.nix10
-rw-r--r--nixos/tests/all-tests.nix14
-rw-r--r--nixos/tests/containers-ephemeral.nix56
-rw-r--r--nixos/tests/glusterfs.nix65
-rw-r--r--nixos/tests/gnome-photos.nix42
-rw-r--r--nixos/tests/icingaweb2.nix71
-rw-r--r--nixos/tests/jormungandr.nix49
-rw-r--r--nixos/tests/libxmlb.nix17
-rw-r--r--nixos/tests/metabase.nix20
-rw-r--r--nixos/tests/networking.nix2
-rw-r--r--nixos/tests/nginx.nix60
-rw-r--r--nixos/tests/php-pcre.nix41
-rw-r--r--nixos/tests/prosody.nix38
-rw-r--r--nixos/tests/subversion.nix121
-rw-r--r--nixos/tests/systemd-networkd-wireguard.nix80
-rw-r--r--nixos/tests/systemd.nix15
-rw-r--r--nixos/tests/trezord.nix20
-rw-r--r--nixos/tests/xmpp/ejabberd.nix (renamed from nixos/tests/ejabberd.nix)6
-rw-r--r--nixos/tests/xmpp/prosody-mysql.nix77
-rw-r--r--nixos/tests/xmpp/prosody.nix46
-rw-r--r--nixos/tests/xmpp/xmpp-sendmessage.nix (renamed from nixos/tests/xmpp-sendmessage.nix)0
84 files changed, 1915 insertions, 1032 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml
index e0f71aadaba5f..37346948b289a 100644
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@@ -237,6 +237,12 @@
     </para>
    </listitem>
    <listitem>
+    <para>
+     The <literal>shibboleth-sp</literal> package has been updated to version 3.
+     It is largely backward compatible, for further information refer to the
+     <link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes">release notes</link>
+     and <link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2">upgrade guide</link>.
+    </para>
      <para>
        Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped.
      </para>
@@ -263,6 +269,21 @@
        <literal>false</literal>.
      </para>
    </listitem>
+   <listitem>
+     <para>
+       The <option>services.systemhealth</option> module has been removed from nixpkgs due to lack of maintainer.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       The <option>services.mantisbt</option> module has been removed from nixpkgs due to lack of maintainer.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       Squid 3 has been removed and the <option>squid</option> derivation now refers to Squid 4.
+     </para>
+   </listitem>
   </itemizedlist>
  </section>
 
@@ -424,6 +445,67 @@
      installer after creating <literal>/var/lib/nextcloud</literal>.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     There exists now <literal>lib.forEach</literal>, which is like <literal>map</literal>, but with
+     arguments flipped. When mapping function body spans many lines (or has nested
+     <literal>map</literal>s), it is often hard to follow which list is modified.
+    </para>
+    <para>
+     Previous solution to this problem was either to use <literal>lib.flip map</literal>
+     idiom or extract that anonymous mapping function to a named one. Both can still be used
+     but <literal>lib.forEach</literal> is preferred over <literal>lib.flip map</literal>.
+    </para>
+    <para>
+      The <literal>/etc/sysctl.d/nixos.conf</literal> file containing all the options set via
+      <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link> was moved to
+      <literal>/etc/sysctl.d/60-nixos.conf</literal>, as
+      <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+      recommends prefixing all filenames in <literal>/etc/sysctl.d</literal> with a
+      two-digit number and a dash to simplify the ordering of the files.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      We now install the sysctl snippets shipped with systemd.
+    <itemizedlist>
+     <para>This enables:</para>
+     <listitem>
+      <para>Loose reverse path filtering</para>
+     </listitem>
+     <listitem>
+      <para>Source route filtering</para>
+     </listitem>
+     <listitem>
+      <para>
+       <literal>fq_codel</literal> as a packet scheduler (this helps to fight bufferbloat)
+      </para>
+     </listitem>
+    </itemizedlist>
+
+     This also configures the kernel to pass coredumps to <literal>systemd-coredump</literal>.
+     These sysctl snippets can be found in <literal>/etc/sysctl.d/50-*.conf</literal>,
+     and overridden via <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
+     (which will place the parameters in <literal>/etc/sysctl.d/60-nixos.conf</literal>).
+     </para>
+   </listitem>
+   <listitem>
+    <para>
+      Coredumps are now acquired by <literal>systemd-coredump</literal> by default.
+      <literal>systemd-coredump</literal> behaviour can still be modified via
+      <option>systemd.coredump.extraConfig</option>.
+      To stick to the old behaviour (having the kernel dump to a file called <literal>core</literal>
+      in the working directory), without piping it through <literal>systemd-coredump</literal>, set
+      <option>boot.kernel.sysctl."kernel.core_pattern"</option> to <literal>"core"</literal>.
+    </para>
+   </listitem>
+  <listitem>
+   <para>
+    <literal>systemd.packages</literal> option now also supports generators and
+    shutdown scripts. Old <literal>systemd.generator-packages</literal> option has
+    been removed.
+   </para>
+  </listitem>
   </itemizedlist>
  </section>
 </section>
diff --git a/nixos/lib/build-vms.nix b/nixos/lib/build-vms.nix
index b622a4d59e89c..1bad63b9194ce 100644
--- a/nixos/lib/build-vms.nix
+++ b/nixos/lib/build-vms.nix
@@ -54,11 +54,11 @@ rec {
 
       machinesNumbered = zipLists machines (range 1 254);
 
-      nodes_ = flip map machinesNumbered (m: nameValuePair m.fst
+      nodes_ = forEach machinesNumbered (m: nameValuePair m.fst
         [ ( { config, nodes, ... }:
             let
               interfacesNumbered = zipLists config.virtualisation.vlans (range 1 255);
-              interfaces = flip map interfacesNumbered ({ fst, snd }:
+              interfaces = forEach interfacesNumbered ({ fst, snd }:
                 nameValuePair "eth${toString snd}" { ipv4.addresses =
                   [ { address = "192.168.${toString fst}.${toString m.snd}";
                       prefixLength = 24;
@@ -88,7 +88,7 @@ rec {
                          "${config.networking.hostName}\n"));
 
                   virtualisation.qemu.options =
-                    flip map interfacesNumbered
+                    forEach interfacesNumbered
                       ({ fst, snd }: qemuNICFlags snd fst m.snd);
                 };
             }
diff --git a/nixos/maintainers/option-usages.nix b/nixos/maintainers/option-usages.nix
index a67a0ab960e59..11247666ecda9 100644
--- a/nixos/maintainers/option-usages.nix
+++ b/nixos/maintainers/option-usages.nix
@@ -102,7 +102,7 @@ let
       # builtins multiply by 4 the memory usage and the time used to compute
       # each options.
       tryCollectOptions = moduleResult:
-        flip map (excludeOptions (collect isOption moduleResult)) (opt:
+        forEach (excludeOptions (collect isOption moduleResult)) (opt:
           { name = showOption opt.loc; } // builtins.tryEval (strict opt.value));
      in
        keepNames (
diff --git a/nixos/modules/config/fonts/fontconfig-penultimate.nix b/nixos/modules/config/fonts/fontconfig-penultimate.nix
index 04fa8b9559a9a..24ed9c97668b1 100644
--- a/nixos/modules/config/fonts/fontconfig-penultimate.nix
+++ b/nixos/modules/config/fonts/fontconfig-penultimate.nix
@@ -52,85 +52,11 @@ let
       </fontconfig>
     '';
 
+  # local configuration file
   localConf = pkgs.writeText "fc-local.conf" cfg.localConf;
 
-  # The configuration to be included in /etc/font/
-  penultimateConf = pkgs.runCommand "font-penultimate-conf" {
-    preferLocalBuild = true;
-    } ''
-    support_folder=$out/etc/fonts/conf.d
-    latest_folder=$out/etc/fonts/${latestVersion}/conf.d
-
-    mkdir -p $support_folder
-    mkdir -p $latest_folder
-
-    ln -s ${supportFontsConf} $support_folder/../fonts.conf
-    ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
-          $latest_folder/../fonts.conf
-
-    # fontconfig-penultimate various configuration files
-    ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
-          $support_folder
-    ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
-          $latest_folder
-
-    ln -s ${cacheConfSupport} $support_folder/00-nixos-cache.conf
-    ln -s ${cacheConfLatest}  $latest_folder/00-nixos-cache.conf
-
-    rm $support_folder/10-antialias.conf $latest_folder/10-antialias.conf
-    ln -s ${antialiasConf} $support_folder/10-antialias.conf
-    ln -s ${antialiasConf} $latest_folder/10-antialias.conf
-
-    rm $support_folder/10-hinting.conf $latest_folder/10-hinting.conf
-    ln -s ${hintingConf} $support_folder/10-hinting.conf
-    ln -s ${hintingConf} $latest_folder/10-hinting.conf
-
-    ${optionalString cfg.useEmbeddedBitmaps ''
-    rm $support_folder/10-no-embedded-bitmaps.conf
-    rm $latest_folder/10-no-embedded-bitmaps.conf
-    ''}
-
-    rm $support_folder/10-subpixel.conf $latest_folder/10-subpixel.conf
-    ln -s ${subpixelConf} $support_folder/10-subpixel.conf
-    ln -s ${subpixelConf} $latest_folder/10-subpixel.conf
-
-    ${optionalString (cfg.dpi != 0) ''
-    ln -s ${dpiConf} $support_folder/11-dpi.conf
-    ln -s ${dpiConf} $latest_folder/11-dpi.conf
-    ''}
-
-    ${optionalString (!cfg.includeUserConf) ''
-    rm $support_folder/50-user.conf
-    rm $latest_folder/50-user.conf
-    ''}
-
-    # 51-local.conf
-    rm $latest_folder/51-local.conf
-    substitute \
-      ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/51-local.conf \
-      $latest_folder/51-local.conf \
-      --replace local.conf /etc/fonts/${latestVersion}/local.conf
-
-    # local.conf (indirect priority 51)
-    ${optionalString (cfg.localConf != "") ''
-    ln -s ${localConf}        $out/etc/fonts/local.conf
-    ln -s ${localConf}        $out/etc/fonts/${latestVersion}/local.conf
-    ''}
-
-    ln -s ${defaultFontsConf} $support_folder/52-default-fonts.conf
-    ln -s ${defaultFontsConf} $latest_folder/52-default-fonts.conf
-
-    ${optionalString cfg.allowBitmaps ''
-    rm $support_folder/53-no-bitmaps.conf
-    rm $latest_folder/53-no-bitmaps.conf
-    ''}
-
-    ${optionalString (!cfg.allowType1) ''
-    ln -s ${rejectType1} $support_folder/53-no-type1.conf
-    ln -s ${rejectType1} $latest_folder/53-no-type1.conf
-    ''}
-  '';
-
+  # rendering settings configuration files
+  # priority 10
   hintingConf = pkgs.writeText "fc-10-hinting.conf" ''
     <?xml version='1.0'?>
     <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
@@ -199,6 +125,8 @@ let
     </fontconfig>
   '';
 
+  # default fonts configuration file
+  # priority 52
   defaultFontsConf =
     let genDefault = fonts: name:
       optionalString (fonts != []) ''
@@ -228,7 +156,9 @@ let
     </fontconfig>
   '';
 
-  rejectType1 = pkgs.writeText "fc-53-no-type1.conf" ''
+  # reject Type 1 fonts
+  # priority 53
+  rejectType1 = pkgs.writeText "fc-53-nixos-reject-type1.conf" ''
     <?xml version="1.0"?>
     <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
     <fontconfig>
@@ -245,6 +175,88 @@ let
     </fontconfig>
   '';
 
+  # The configuration to be included in /etc/font/
+  penultimateConf = pkgs.runCommand "fontconfig-penultimate-conf" {
+    preferLocalBuild = true;
+  } ''
+    support_folder=$out/etc/fonts/conf.d
+    latest_folder=$out/etc/fonts/${latestVersion}/conf.d
+
+    mkdir -p $support_folder
+    mkdir -p $latest_folder
+
+    # fonts.conf
+    ln -s ${supportFontsConf} $support_folder/../fonts.conf
+    ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
+          $latest_folder/../fonts.conf
+
+    # fontconfig-penultimate various configuration files
+    ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
+          $support_folder
+    ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
+          $latest_folder
+
+    ln -s ${cacheConfSupport} $support_folder/00-nixos-cache.conf
+    ln -s ${cacheConfLatest}  $latest_folder/00-nixos-cache.conf
+
+    rm $support_folder/10-antialias.conf $latest_folder/10-antialias.conf
+    ln -s ${antialiasConf} $support_folder/10-antialias.conf
+    ln -s ${antialiasConf} $latest_folder/10-antialias.conf
+
+    rm $support_folder/10-hinting.conf $latest_folder/10-hinting.conf
+    ln -s ${hintingConf} $support_folder/10-hinting.conf
+    ln -s ${hintingConf} $latest_folder/10-hinting.conf
+
+    ${optionalString cfg.useEmbeddedBitmaps ''
+    rm $support_folder/10-no-embedded-bitmaps.conf
+    rm $latest_folder/10-no-embedded-bitmaps.conf
+    ''}
+
+    rm $support_folder/10-subpixel.conf $latest_folder/10-subpixel.conf
+    ln -s ${subpixelConf} $support_folder/10-subpixel.conf
+    ln -s ${subpixelConf} $latest_folder/10-subpixel.conf
+
+    ${optionalString (cfg.dpi != 0) ''
+    ln -s ${dpiConf} $support_folder/11-dpi.conf
+    ln -s ${dpiConf} $latest_folder/11-dpi.conf
+    ''}
+
+    # 50-user.conf
+    ${optionalString (!cfg.includeUserConf) ''
+    rm $support_folder/50-user.conf
+    rm $latest_folder/50-user.conf
+    ''}
+
+    # 51-local.conf
+    rm $latest_folder/51-local.conf
+    substitute \
+      ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/51-local.conf \
+      $latest_folder/51-local.conf \
+      --replace local.conf /etc/fonts/${latestVersion}/local.conf
+
+    # local.conf (indirect priority 51)
+    ${optionalString (cfg.localConf != "") ''
+    ln -s ${localConf}        $support_folder/../local.conf
+    ln -s ${localConf}        $latest_folder/../local.conf
+    ''}
+
+    # 52-nixos-default-fonts.conf
+    ln -s ${defaultFontsConf} $support_folder/52-nixos-default-fonts.conf
+    ln -s ${defaultFontsConf} $latest_folder/52-nixos-default-fonts.conf
+
+    # 53-no-bitmaps.conf
+    ${optionalString cfg.allowBitmaps ''
+    rm $support_folder/53-no-bitmaps.conf
+    rm $latest_folder/53-no-bitmaps.conf
+    ''}
+
+    ${optionalString (!cfg.allowType1) ''
+    # 53-nixos-reject-type1.conf
+    ln -s ${rejectType1} $support_folder/53-nixos-reject-type1.conf
+    ln -s ${rejectType1} $latest_folder/53-nixos-reject-type1.conf
+    ''}
+  '';
+
 in
 {
 
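Review bot: The `rm` lines in the rebuilt `penultimateConf` script (`10-antialias.conf`, `10-hinting.conf`, `10-subpixel.conf`, `50-user.conf`, `51-local.conf`, `53-no-bitmaps.conf`) hard-code snippet names expected from `pkgs.fontconfig-penultimate`, and nothing records why plain `rm` rather than `rm -f` is used. As written, an upstream rename of any of these snippets fails the build, which is the safer failure mode: with `-f` the upstream default would silently stay active next to the NixOS replacement linked on the following lines, and the rendering or bitmap policy a user set via `fonts.fontconfig.*` would not be the one in effect. I would make that intent explicit with a comment after `mkdir -p $latest_folder`, e.g. `# plain rm on purpose: fail the build if fontconfig-penultimate renames a snippet, rather than silently keep its default`. The same applies to the `confPkg` script in `fontconfig.nix` in this commit.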
diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix
index 724158f738219..fe0b88cf4c266 100644
--- a/nixos/modules/config/fonts/fontconfig.nix
+++ b/nixos/modules/config/fonts/fontconfig.nix
@@ -14,250 +14,252 @@ Low number means high priority.
 
 */
 
-{ config, lib, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
 with lib;
 
-let cfg = config.fonts.fontconfig;
-
-    fcBool = x: "<bool>" + (boolToString x) + "</bool>";
-
-    # back-supported fontconfig version and package
-    # version is used for font cache generation
-    supportVersion = "210";
-    supportPkg     = pkgs."fontconfig_${supportVersion}";
-
-    # latest fontconfig version and package
-    # version is used for configuration folder name, /etc/fonts/VERSION/
-    # note: format differs from supportVersion and can not be used with makeCacheConf
-    latestVersion  = pkgs.fontconfig.configVersion;
-    latestPkg      = pkgs.fontconfig;
-
-    # supported version fonts.conf
-    supportFontsConf = pkgs.makeFontsConf { fontconfig = supportPkg; fontDirectories = config.fonts.fonts; };
-
-    # configuration file to read fontconfig cache
-    # version dependent
-    # priority 0
-    cacheConfSupport = makeCacheConf { version = supportVersion; };
-    cacheConfLatest  = makeCacheConf {};
-
-    # generate the font cache setting file for a fontconfig version
-    # use latest when no version is passed
-    makeCacheConf = { version ? null }:
-      let
-        fcPackage = if version == null
-                    then "fontconfig"
-                    else "fontconfig_${version}";
-        makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
-        cache     = makeCache pkgs."${fcPackage}";
-        cache32   = makeCache pkgs.pkgsi686Linux."${fcPackage}";
-      in
-      pkgs.writeText "fc-00-nixos-cache.conf" ''
-        <?xml version='1.0'?>
-        <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
-        <fontconfig>
-          <!-- Font directories -->
-          ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
-          <!-- Pre-generated font caches -->
-          <cachedir>${cache}</cachedir>
-          ${optionalString (pkgs.stdenv.isx86_64 && cfg.cache32Bit) ''
-            <cachedir>${cache32}</cachedir>
-          ''}
-        </fontconfig>
-      '';
-
-    # rendering settings configuration file
-    # priority 10
-    renderConf = pkgs.writeText "fc-10-nixos-rendering.conf" ''
+let
+  cfg = config.fonts.fontconfig;
+
+  fcBool = x: "<bool>" + (boolToString x) + "</bool>";
+
+  # back-supported fontconfig version and package
+  # version is used for font cache generation
+  supportVersion = "210";
+  supportPkg     = pkgs."fontconfig_${supportVersion}";
+
+  # latest fontconfig version and package
+  # version is used for configuration folder name, /etc/fonts/VERSION/
+  # note: format differs from supportVersion and can not be used with makeCacheConf
+  latestVersion  = pkgs.fontconfig.configVersion;
+  latestPkg      = pkgs.fontconfig;
+
+  # supported version fonts.conf
+  supportFontsConf = pkgs.makeFontsConf { fontconfig = supportPkg; fontDirectories = config.fonts.fonts; };
+
+  # configuration file to read fontconfig cache
+  # version dependent
+  # priority 0
+  cacheConfSupport = makeCacheConf { version = supportVersion; };
+  cacheConfLatest  = makeCacheConf {};
+
+  # generate the font cache setting file for a fontconfig version
+  # use latest when no version is passed
+  makeCacheConf = { version ? null }:
+    let
+      fcPackage = if version == null
+                  then "fontconfig"
+                  else "fontconfig_${version}";
+      makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
+      cache     = makeCache pkgs."${fcPackage}";
+      cache32   = makeCache pkgs.pkgsi686Linux."${fcPackage}";
+    in
+    pkgs.writeText "fc-00-nixos-cache.conf" ''
       <?xml version='1.0'?>
       <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
       <fontconfig>
-
-        <!-- Default rendering settings -->
-        <match target="pattern">
-          <edit mode="append" name="hinting">
-            ${fcBool cfg.hinting.enable}
-          </edit>
-          <edit mode="append" name="autohint">
-            ${fcBool cfg.hinting.autohint}
-          </edit>
-          <edit mode="append" name="hintstyle">
-            <const>hintslight</const>
-          </edit>
-          <edit mode="append" name="antialias">
-            ${fcBool cfg.antialias}
-          </edit>
-          <edit mode="append" name="rgba">
-            <const>${cfg.subpixel.rgba}</const>
-          </edit>
-          <edit mode="append" name="lcdfilter">
-            <const>lcd${cfg.subpixel.lcdfilter}</const>
-          </edit>
-        </match>
-
-        ${optionalString (cfg.dpi != 0) ''
-        <match target="pattern">
-          <edit name="dpi" mode="assign">
-            <double>${toString cfg.dpi}</double>
-          </edit>
-        </match>
+        <!-- Font directories -->
+        ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
+        <!-- Pre-generated font caches -->
+        <cachedir>${cache}</cachedir>
+        ${optionalString (pkgs.stdenv.isx86_64 && cfg.cache32Bit) ''
+          <cachedir>${cache32}</cachedir>
         ''}
-
-      </fontconfig>
-    '';
-
-    # local configuration file
-    # priority 51
-    localConf = pkgs.writeText "fc-local.conf" cfg.localConf;
-
-    # default fonts configuration file
-    # priority 52
-    defaultFontsConf =
-      let genDefault = fonts: name:
-        optionalString (fonts != []) ''
-          <alias>
-            <family>${name}</family>
-            <prefer>
-            ${concatStringsSep ""
-            (map (font: ''
-              <family>${font}</family>
-            '') fonts)}
-            </prefer>
-          </alias>
-        '';
-      in
-      pkgs.writeText "fc-52-nixos-default-fonts.conf" ''
-      <?xml version='1.0'?>
-      <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
-      <fontconfig>
-
-        <!-- Default fonts -->
-        ${genDefault cfg.defaultFonts.sansSerif "sans-serif"}
-
-        ${genDefault cfg.defaultFonts.serif     "serif"}
-
-        ${genDefault cfg.defaultFonts.monospace "monospace"}
-
       </fontconfig>
     '';
 
-    # bitmap font options
-    # priority 53
-    rejectBitmaps = pkgs.writeText "fc-53-nixos-bitmaps.conf" ''
-      <?xml version="1.0"?>
-      <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
-      <fontconfig>
-
-      ${optionalString (!cfg.allowBitmaps) ''
-      <!-- Reject bitmap fonts -->
-      <selectfont>
-        <rejectfont>
-          <pattern>
-            <patelt name="scalable"><bool>false</bool></patelt>
-          </pattern>
-        </rejectfont>
-      </selectfont>
-      ''}
-
-      <!-- Use embedded bitmaps in fonts like Calibri? -->
-      <match target="font">
-        <edit name="embeddedbitmap" mode="assign">
-          ${fcBool cfg.useEmbeddedBitmaps}
+  # rendering settings configuration file
+  # priority 10
+  renderConf = pkgs.writeText "fc-10-nixos-rendering.conf" ''
+    <?xml version='1.0'?>
+    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
+    <fontconfig>
+
+      <!-- Default rendering settings -->
+      <match target="pattern">
+        <edit mode="append" name="hinting">
+          ${fcBool cfg.hinting.enable}
+        </edit>
+        <edit mode="append" name="autohint">
+          ${fcBool cfg.hinting.autohint}
+        </edit>
+        <edit mode="append" name="hintstyle">
+          <const>hintslight</const>
+        </edit>
+        <edit mode="append" name="antialias">
+          ${fcBool cfg.antialias}
+        </edit>
+        <edit mode="append" name="rgba">
+          <const>${cfg.subpixel.rgba}</const>
+        </edit>
+        <edit mode="append" name="lcdfilter">
+          <const>lcd${cfg.subpixel.lcdfilter}</const>
         </edit>
       </match>
 
-      </fontconfig>
-    '';
-
-    # reject Type 1 fonts
-    # priority 53
-    rejectType1 = pkgs.writeText "fc-53-nixos-reject-type1.conf" ''
-      <?xml version="1.0"?>
-      <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
-      <fontconfig>
-
-      <!-- Reject Type 1 fonts -->
-      <selectfont>
-        <rejectfont>
-          <pattern>
-            <patelt name="fontformat"><string>Type 1</string></patelt>
-          </pattern>
-        </rejectfont>
-      </selectfont>
-
-      </fontconfig>
-    '';
-
-    # fontconfig configuration package
-    confPkg = pkgs.runCommand "fontconfig-conf" { preferLocalBuild = true; } ''
-      support_folder=$out/etc/fonts
-      latest_folder=$out/etc/fonts/${latestVersion}
-
-      mkdir -p $support_folder/conf.d
-      mkdir -p $latest_folder/conf.d
-
-      # fonts.conf
-      ln -s ${supportFontsConf} $support_folder/fonts.conf
-      ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
-            $latest_folder/fonts.conf
-
-      # fontconfig default config files
-      ln -s ${supportPkg.out}/etc/fonts/conf.d/*.conf \
-            $support_folder/conf.d/
-      ln -s ${latestPkg.out}/etc/fonts/conf.d/*.conf \
-            $latest_folder/conf.d/
-
-      # update latest 51-local.conf path to look at the latest local.conf
-      rm    $latest_folder/conf.d/51-local.conf
-
-      substitute ${latestPkg.out}/etc/fonts/conf.d/51-local.conf \
-                 $latest_folder/conf.d/51-local.conf \
-                 --replace local.conf /etc/fonts/${latestVersion}/local.conf
-
-      # 00-nixos-cache.conf
-      ln -s ${cacheConfSupport} \
-            $support_folder/conf.d/00-nixos-cache.conf
-      ln -s ${cacheConfLatest}  $latest_folder/conf.d/00-nixos-cache.conf
-
-      # 10-nixos-rendering.conf
-      ln -s ${renderConf}       $support_folder/conf.d/10-nixos-rendering.conf
-      ln -s ${renderConf}       $latest_folder/conf.d/10-nixos-rendering.conf
-
-      # 50-user.conf
-      ${optionalString (! cfg.includeUserConf) ''
-      rm    $support_folder/conf.d/50-user.conf
-      rm    $latest_folder/conf.d/50-user.conf
-      ''}
-
-      # local.conf (indirect priority 51)
-      ${optionalString (cfg.localConf != "") ''
-      ln -s ${localConf}        $support_folder/local.conf
-      ln -s ${localConf}        $latest_folder/local.conf
-      ''}
-
-      # 52-nixos-default-fonts.conf
-      ln -s ${defaultFontsConf} $support_folder/conf.d/52-nixos-default-fonts.conf
-      ln -s ${defaultFontsConf} $latest_folder/conf.d/52-nixos-default-fonts.conf
-
-      # 53-nixos-bitmaps.conf
-      ln -s ${rejectBitmaps} $support_folder/conf.d/53-nixos-bitmaps.conf
-      ln -s ${rejectBitmaps} $latest_folder/conf.d/53-nixos-bitmaps.conf
-
-      ${optionalString (! cfg.allowType1) ''
-      # 53-nixos-reject-type1.conf
-      ln -s ${rejectType1} $support_folder/conf.d/53-nixos-reject-type1.conf
-      ln -s ${rejectType1} $latest_folder/conf.d/53-nixos-reject-type1.conf
+      ${optionalString (cfg.dpi != 0) ''
+      <match target="pattern">
+        <edit name="dpi" mode="assign">
+          <double>${toString cfg.dpi}</double>
+        </edit>
+      </match>
       ''}
-    '';
 
-    # Package with configuration files
-    # this merge all the packages in the fonts.fontconfig.confPackages list
-    fontconfigEtc = pkgs.buildEnv {
-      name  = "fontconfig-etc";
-      paths = cfg.confPackages;
-      ignoreCollisions = true;
-    };
+    </fontconfig>
+  '';
+
+  # local configuration file
+  localConf = pkgs.writeText "fc-local.conf" cfg.localConf;
+
+  # default fonts configuration file
+  # priority 52
+  defaultFontsConf =
+    let genDefault = fonts: name:
+      optionalString (fonts != []) ''
+        <alias>
+          <family>${name}</family>
+          <prefer>
+          ${concatStringsSep ""
+          (map (font: ''
+            <family>${font}</family>
+          '') fonts)}
+          </prefer>
+        </alias>
+      '';
+    in
+    pkgs.writeText "fc-52-nixos-default-fonts.conf" ''
+    <?xml version='1.0'?>
+    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
+    <fontconfig>
+
+      <!-- Default fonts -->
+      ${genDefault cfg.defaultFonts.sansSerif "sans-serif"}
+
+      ${genDefault cfg.defaultFonts.serif     "serif"}
+
+      ${genDefault cfg.defaultFonts.monospace "monospace"}
+
+    </fontconfig>
+  '';
+
+  # bitmap font options
+  # priority 53
+  rejectBitmaps = pkgs.writeText "fc-53-no-bitmaps.conf" ''
+    <?xml version="1.0"?>
+    <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
+    <fontconfig>
+
+    ${optionalString (!cfg.allowBitmaps) ''
+    <!-- Reject bitmap fonts -->
+    <selectfont>
+      <rejectfont>
+        <pattern>
+          <patelt name="scalable"><bool>false</bool></patelt>
+        </pattern>
+      </rejectfont>
+    </selectfont>
+    ''}
+
+    <!-- Use embedded bitmaps in fonts like Calibri? -->
+    <match target="font">
+      <edit name="embeddedbitmap" mode="assign">
+        ${fcBool cfg.useEmbeddedBitmaps}
+      </edit>
+    </match>
+
+    </fontconfig>
+  '';
+
+  # reject Type 1 fonts
+  # priority 53
+  rejectType1 = pkgs.writeText "fc-53-nixos-reject-type1.conf" ''
+    <?xml version="1.0"?>
+    <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
+    <fontconfig>
+
+    <!-- Reject Type 1 fonts -->
+    <selectfont>
+      <rejectfont>
+        <pattern>
+          <patelt name="fontformat"><string>Type 1</string></patelt>
+        </pattern>
+      </rejectfont>
+    </selectfont>
+
+    </fontconfig>
+  '';
+
+  # fontconfig configuration package
+  confPkg = pkgs.runCommand "fontconfig-conf" {
+    preferLocalBuild = true;
+  } ''
+    support_folder=$out/etc/fonts/conf.d
+    latest_folder=$out/etc/fonts/${latestVersion}/conf.d
+
+    mkdir -p $support_folder
+    mkdir -p $latest_folder
+
+    # fonts.conf
+    ln -s ${supportFontsConf} $support_folder/../fonts.conf
+    ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
+          $latest_folder/../fonts.conf
+
+    # fontconfig default config files
+    ln -s ${supportPkg.out}/etc/fonts/conf.d/*.conf \
+          $support_folder/
+    ln -s ${latestPkg.out}/etc/fonts/conf.d/*.conf \
+          $latest_folder/
+
+    # update latest 51-local.conf path to look at the latest local.conf
+    rm    $latest_folder/51-local.conf
+
+    substitute ${latestPkg.out}/etc/fonts/conf.d/51-local.conf \
+               $latest_folder/51-local.conf \
+               --replace local.conf /etc/fonts/${latestVersion}/local.conf
+
+    # 00-nixos-cache.conf
+    ln -s ${cacheConfSupport} \
+          $support_folder/00-nixos-cache.conf
+    ln -s ${cacheConfLatest}  $latest_folder/00-nixos-cache.conf
+
+    # 10-nixos-rendering.conf
+    ln -s ${renderConf}       $support_folder/10-nixos-rendering.conf
+    ln -s ${renderConf}       $latest_folder/10-nixos-rendering.conf
+
+    # 50-user.conf
+    ${optionalString (!cfg.includeUserConf) ''
+    rm $support_folder/50-user.conf
+    rm $latest_folder/50-user.conf
+    ''}
+
+    # local.conf (indirect priority 51)
+    ${optionalString (cfg.localConf != "") ''
+    ln -s ${localConf}        $support_folder/../local.conf
+    ln -s ${localConf}        $latest_folder/../local.conf
+    ''}
+
+    # 52-nixos-default-fonts.conf
+    ln -s ${defaultFontsConf} $support_folder/52-nixos-default-fonts.conf
+    ln -s ${defaultFontsConf} $latest_folder/52-nixos-default-fonts.conf
+
+    # 53-no-bitmaps.conf
+    ln -s ${rejectBitmaps} $support_folder/53-no-bitmaps.conf
+    ln -s ${rejectBitmaps} $latest_folder/53-no-bitmaps.conf
+
+    ${optionalString (!cfg.allowType1) ''
+    # 53-nixos-reject-type1.conf
+    ln -s ${rejectType1} $support_folder/53-nixos-reject-type1.conf
+    ln -s ${rejectType1} $latest_folder/53-nixos-reject-type1.conf
+    ''}
+  '';
+
+  # Package with configuration files
+  # this merge all the packages in the fonts.fontconfig.confPackages list
+  fontconfigEtc = pkgs.buildEnv {
+    name  = "fontconfig-etc";
+    paths = cfg.confPackages;
+    ignoreCollisions = true;
+  };
 in
 {
 
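Review bot: `fontconfigEtc` keeps merging `cfg.confPackages` with `ignoreCollisions = true` while this hunk renames the generated bitmap policy file from `53-nixos-bitmaps.conf` to `53-no-bitmaps.conf` (the `rejectBitmaps` writeText name and the two `ln -s` lines under `# 53-no-bitmaps.conf`). That is the same basename the `fontconfig-penultimate.nix` hunk in this commit removes from its own package, so if both configuration packages ever end up in `confPackages` the collision is resolved silently by `buildEnv` and the effective bitmap policy is whichever copy happens to win, with no evaluation-time signal. I would add a comment above `ignoreCollisions = true;` stating which entry of `cfg.confPackages` is meant to take precedence and why a silent override is acceptable here, e.g. `# confPackages may ship same-named snippets (e.g. 53-no-bitmaps.conf); collisions are resolved by buildEnv, not reported — keep the intended package first`.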
diff --git a/nixos/modules/config/qt5.nix b/nixos/modules/config/qt5.nix
new file mode 100644
index 0000000000000..7de1c0f5d5574
--- /dev/null
+++ b/nixos/modules/config/qt5.nix
@@ -0,0 +1,102 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.qt5;
+
+  isQGnome = cfg.platformTheme == "gnome" && cfg.style == "adwaita";
+  isQtStyle = cfg.platformTheme == "gtk2" && cfg.style != "adwaita";
+
+  packages = if isQGnome then [ pkgs.qgnomeplatform pkgs.adwaita-qt ]
+    else if isQtStyle then [ pkgs.qtstyleplugins ]
+    else throw "`qt5.platformTheme` ${cfg.platformTheme} and `qt5.style` ${cfg.style} are not compatible.";
+
+in
+
+{
+
+  options = {
+    qt5 = {
+
+      enable = mkEnableOption "Qt5 theming configuration";
+
+      platformTheme = mkOption {
+        type = types.enum [
+          "gtk2"
+          "gnome"
+        ];
+        example = "gnome";
+        relatedPackages = [
+          "qgnomeplatform"
+          ["libsForQt5" "qtstyleplugins"]
+        ];
+        description = ''
+          Selects the platform theme to use for Qt5 applications.</para>
+          <para>The options are
+          <variablelist>
+            <varlistentry>
+              <term><literal>gtk</literal></term>
+              <listitem><para>Use GTK theme with
+                <link xlink:href="https://github.com/qt/qtstyleplugins">qtstyleplugins</link>
+              </para></listitem>
+            </varlistentry>
+            <varlistentry>
+              <term><literal>gnome</literal></term>
+              <listitem><para>Use GNOME theme with
+                <link xlink:href="https://github.com/FedoraQt/QGnomePlatform">qgnomeplatform</link>
+              </para></listitem>
+            </varlistentry>
+          </variablelist>
+        '';
+      };
+
+      style = mkOption {
+        type = types.enum [
+          "adwaita"
+          "cleanlooks"
+          "gtk2"
+          "motif"
+          "plastique"
+        ];
+        example = "adwaita";
+        relatedPackages = [
+          "adwaita-qt"
+          ["libsForQt5" "qtstyleplugins"]
+        ];
+        description = ''
+          Selects the style to use for Qt5 applications.</para>
+          <para>The options are
+          <variablelist>
+            <varlistentry>
+              <term><literal>adwaita</literal></term>
+              <listitem><para>Use Adwaita Qt style with
+                <link xlink:href="https://github.com/FedoraQt/adwaita-qt">adwaita</link>
+              </para></listitem>
+            </varlistentry>
+            <varlistentry>
+              <term><literal>cleanlooks</literal></term>
+              <term><literal>gtk2</literal></term>
+              <term><literal>motif</literal></term>
+              <term><literal>plastique</literal></term>
+              <listitem><para>Use styles from
+                <link xlink:href="https://github.com/qt/qtstyleplugins">qtstyleplugins</link>
+              </para></listitem>
+            </varlistentry>
+          </variablelist>
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    environment.variables.QT_QPA_PLATFORMTHEME = cfg.platformTheme;
+
+    environment.variables.QT_STYLE_OVERRIDE = cfg.style;
+
+    environment.systemPackages = packages;
+
+  };
+}
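Review bot: The `platformTheme` description documents a value the option refuses: the `<term>` says `gtk`, but the enum only accepts `gtk2`, so a user copying `qt5.platformTheme = "gtk"` from the generated manual gets an evaluation error; since `QT_QPA_PLATFORMTHEME` is set verbatim from the option and Qt's qtstyleplugins theme is named `gtk2`, the fix is the doc side, `<term><literal>gtk2</literal></term>`. Neither `platformTheme` nor `style` has a default, so `qt5.enable = true` on its own appears to fail with a missing-value error rather than pick something sensible; if that is intended, the `enable` description should say both must be set. The `throw` for incompatible combinations is only forced inside the `mkIf cfg.enable` body, so it is correctly silent while the module is disabled.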
diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix
index 0c6a7e2431aa6..fb2b58eed7203 100644
--- a/nixos/modules/config/sysctl.nix
+++ b/nixos/modules/config/sysctl.nix
@@ -42,22 +42,16 @@ in
 
   config = {
 
-    environment.etc."sysctl.d/nixos.conf".text =
+    environment.etc."sysctl.d/60-nixos.conf".text =
       concatStrings (mapAttrsToList (n: v:
         optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
       ) config.boot.kernel.sysctl);
 
     systemd.services.systemd-sysctl =
       { wantedBy = [ "multi-user.target" ];
-        restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
+        restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
       };
 
-    # Enable hardlink and symlink restrictions.  See
-    # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
-    # for details.
-    boot.kernel.sysctl."fs.protected_hardlinks" = true;
-    boot.kernel.sysctl."fs.protected_symlinks" = true;
-
     # Hide kernel pointers (e.g. in /proc/modules) for unprivileged
     # users as these make it easier to exploit kernel vulnerabilities.
     boot.kernel.sysctl."kernel.kptr_restrict" = 1;
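Review bot: The `fs.protected_hardlinks` / `fs.protected_symlinks` defaults are removed here with no replacement visible in this diff, so on the new side this module no longer guarantees those two protections. If the intent is to inherit them from the `sysctl.d/50-default.conf` that systemd ships (the rename to `60-nixos.conf` suggests exactly that, since `60-` now sorts after and overrides `50-`), record the dependency where the lines were, e.g. `# fs.protected_{hard,sym}links now come from systemd's 50-default.conf; 60-nixos.conf sorts after it so boot.kernel.sysctl still wins.` Without such a note, a systemd package change or a user shadowing its sysctl.d file would silently drop the hardlink/symlink hardening. The precedence change itself (NixOS values now override any `5x-*.conf` an admin placed in `/etc/sysctl.d`) is worth a release-note line.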
diff --git a/nixos/modules/config/vte.nix b/nixos/modules/config/vte.nix
new file mode 100644
index 0000000000000..9024ceddaee86
--- /dev/null
+++ b/nixos/modules/config/vte.nix
@@ -0,0 +1,52 @@
+# VTE
+
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+
+  vteInitSnippet = ''
+    # Show current working directory in VTE terminals window title.
+    # Supports both bash and zsh, requires interactive shell.
+    . ${pkgs.vte}/etc/profile.d/vte.sh
+  '';
+
+in
+
+{
+
+  options = {
+
+    programs.bash.vteIntegration = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Whether to enable Bash integration for VTE terminals.
+        This allows it to preserve the current directory of the shell
+        across terminals.
+      '';
+    };
+
+    programs.zsh.vteIntegration = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Whether to enable Zsh integration for VTE terminals.
+        This allows it to preserve the current directory of the shell
+        across terminals.
+      '';
+    };
+
+  };
+
+  config = mkMerge [
+    (mkIf config.programs.bash.vteIntegration {
+      programs.bash.interactiveShellInit = vteInitSnippet;
+    })
+
+    (mkIf config.programs.zsh.vteIntegration {
+      programs.zsh.interactiveShellInit = vteInitSnippet;
+    })
+  ];
+}
diff --git a/nixos/modules/installer/cd-dvd/sd-image.nix b/nixos/modules/installer/cd-dvd/sd-image.nix
index 0c407b199367d..7f355a132496c 100644
--- a/nixos/modules/installer/cd-dvd/sd-image.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image.nix
@@ -73,8 +73,8 @@ in
 
     firmwareSize = mkOption {
       type = types.int;
-      # As of 2019-05-31 the Raspberry pi firmware + u-bot takes ~13MiB
-      default = 20;
+      # As of 2019-08-18 the Raspberry pi firmware + u-boot takes ~18MiB
+      default = 30;
       description = ''
         Size of the /boot/firmware partition, in megabytes.
       '';
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index a167336c156bb..79c72fc14224b 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -27,6 +27,7 @@
   ./config/nsswitch.nix
   ./config/power-management.nix
   ./config/pulseaudio.nix
+  ./config/qt5.nix
   ./config/resolvconf.nix
   ./config/shells-environment.nix
   ./config/swap.nix
@@ -37,6 +38,7 @@
   ./config/unix-odbc-drivers.nix
   ./config/users-groups.nix
   ./config/vpnc.nix
+  ./config/vte.nix
   ./config/zram.nix
   ./hardware/acpilight.nix
   ./hardware/all-firmware.nix
@@ -115,6 +117,7 @@
   ./programs/fuse.nix
   ./programs/gnome-disks.nix
   ./programs/gnome-documents.nix
+  ./programs/gnome-terminal.nix
   ./programs/gpaste.nix
   ./programs/gnupg.nix
   ./programs/gphoto2.nix
@@ -285,6 +288,7 @@
   ./services/desktops/flatpak.nix
   ./services/desktops/geoclue2.nix
   ./services/desktops/gsignond.nix
+  ./services/desktops/gvfs.nix
   ./services/desktops/pipewire.nix
   ./services/desktops/gnome3/at-spi2-core.nix
   ./services/desktops/gnome3/chrome-gnome-shell.nix
@@ -295,9 +299,7 @@
   ./services/desktops/gnome3/gnome-remote-desktop.nix
   ./services/desktops/gnome3/gnome-online-miners.nix
   ./services/desktops/gnome3/gnome-settings-daemon.nix
-  ./services/desktops/gnome3/gnome-terminal-server.nix
   ./services/desktops/gnome3/gnome-user-share.nix
-  ./services/desktops/gnome3/gvfs.nix
   ./services/desktops/gnome3/rygel.nix
   ./services/desktops/gnome3/seahorse.nix
   ./services/desktops/gnome3/sushi.nix
@@ -436,13 +438,13 @@
   ./services/misc/logkeys.nix
   ./services/misc/leaps.nix
   ./services/misc/lidarr.nix
-  ./services/misc/mantisbt.nix
   ./services/misc/mathics.nix
   ./services/misc/matrix-synapse.nix
   ./services/misc/mbpfan.nix
   ./services/misc/mediatomb.nix
   ./services/misc/mesos-master.nix
   ./services/misc/mesos-slave.nix
+  ./services/misc/metabase.nix
   ./services/misc/mwlib.nix
   ./services/misc/nix-daemon.nix
   ./services/misc/nix-gc.nix
@@ -520,7 +522,6 @@
   ./services/monitoring/scollector.nix
   ./services/monitoring/smartd.nix
   ./services/monitoring/sysstat.nix
-  ./services/monitoring/systemhealth.nix
   ./services/monitoring/teamviewer.nix
   ./services/monitoring/telegraf.nix
   ./services/monitoring/thanos.nix
@@ -608,6 +609,7 @@
   ./services/networking/iodine.nix
   ./services/networking/iperf3.nix
   ./services/networking/ircd-hybrid/default.nix
+  ./services/networking/jormungandr.nix
   ./services/networking/iwd.nix
   ./services/networking/keepalived/default.nix
   ./services/networking/keybase.nix
@@ -862,7 +864,6 @@
   ./system/activation/activation-script.nix
   ./system/activation/top-level.nix
   ./system/boot/binfmt.nix
-  ./system/boot/coredump.nix
   ./system/boot/emergency-mode.nix
   ./system/boot/grow-partition.nix
   ./system/boot/initrd-network.nix
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 3ff9a2b4fde04..626d8b1d2bde5 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -14,8 +14,6 @@ with lib;
 
   nix.allowedUsers = mkDefault [ "@users" ];
 
-  environment.memoryAllocator.provider = mkDefault "graphene-hardened";
-
   security.hideProcessInformation = mkDefault true;
 
   security.lockKernelModules = mkDefault true;
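Review bot: Removing `environment.memoryAllocator.provider = mkDefault "graphene-hardened"` silently drops a memory-safety mitigation from the one profile whose purpose is to collect such mitigations, and the hunk leaves no comment saying why. If it was withdrawn for compatibility (presumably some programs misbehave under the hardened allocator), keep a pointer in its place so users know it is now opt-in, e.g. `# graphene-hardened is no longer set here; enable environment.memoryAllocator.provider per host after checking application compatibility.` Existing hardened-profile users lose the allocator on upgrade, so the 19.09 release notes should mention it too.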
@@ -95,23 +93,17 @@ with lib;
   # Disable ftrace debugging
   boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
 
-  # Enable reverse path filtering (that is, do not attempt to route packets
-  # that "obviously" do not belong to the iface's network; dropped packets are
-  # logged as martians).
+  # Enable strict reverse path filtering (that is, do not attempt to route
+  # packets that "obviously" do not belong to the iface's network; dropped
+  # packets are logged as martians).
   boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
-  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true;
+  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
   boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
-  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true;
+  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
 
   # Ignore broadcast ICMP (mitigate SMURF)
   boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
 
-  # Ignore route information from sender
-  boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false;
-  boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false;
-  boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false;
-  boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false;
-
   # Ignore incoming ICMP redirects (note: default is needed to ensure that the
   # setting is applied to interfaces added after the sysctls are set)
   boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
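Review bot: The four `accept_source_route` settings are deleted from the hardened profile with no replacement visible in this diff, and the two IPv6 ones in particular are not, as far as I can tell, among the sysctl defaults systemd ships. If the IPv4 values are now expected from systemd's `50-default.conf`, say so in a comment where the block was; for IPv6, if the reliance is on the kernel default (0, which per the kernel docs accepts only routing header type 2), a one-line comment such as `# net.ipv6.conf.*.accept_source_route: kernel default 0 already refuses RH0` keeps the profile self-explanatory. Quoting `rp_filter` as `"1"` is equivalent to the old `true` given how sysctl.nix stringifies booleans, and it usefully pins strict mode; the comment could add that loose mode (`2`) is rejected on purpose.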
diff --git a/nixos/modules/programs/dconf.nix b/nixos/modules/programs/dconf.nix
index b7bfb8504b6f1..eeebc3558bdf9 100644
--- a/nixos/modules/programs/dconf.nix
+++ b/nixos/modules/programs/dconf.nix
@@ -34,11 +34,11 @@ in
 
     services.dbus.packages = [ pkgs.gnome3.dconf ];
 
-    environment.variables.GIO_EXTRA_MODULES = optional cfg.enable
-      "${pkgs.gnome3.dconf.lib}/lib/gio/modules";
-    # https://github.com/NixOS/nixpkgs/pull/31891
-    #environment.variables.XDG_DATA_DIRS = optional cfg.enable
-    #  "$(echo ${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/gsettings-desktop-schemas-*)";
+    # For dconf executable
+    environment.systemPackages = [ pkgs.gnome3.dconf ];
+
+    # Needed for unwrapped applications
+    environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.gnome3.dconf.lib}/lib/gio/modules" ];
   };
 
 }
diff --git a/nixos/modules/programs/gnome-terminal.nix b/nixos/modules/programs/gnome-terminal.nix
new file mode 100644
index 0000000000000..0036677a15765
--- /dev/null
+++ b/nixos/modules/programs/gnome-terminal.nix
@@ -0,0 +1,36 @@
+# GNOME Terminal.
+
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+
+  cfg = config.programs.gnome-terminal;
+
+in
+
+{
+
+  # Added 2019-08-19
+  imports = [
+    (mkRenamedOptionModule
+      [ "services" "gnome3" "gnome-terminal-server" "enable" ]
+      [ "programs" "gnome-terminal" "enable" ])
+  ];
+
+  options = {
+
+    programs.gnome-terminal.enable = mkEnableOption "GNOME Terminal";
+
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.gnome3.gnome-terminal ];
+    services.dbus.packages = [ pkgs.gnome3.gnome-terminal ];
+    systemd.packages = [ pkgs.gnome3.gnome-terminal ];
+
+    programs.bash.vteIntegration = true;
+    programs.zsh.vteIntegration = true;
+  };
+}
diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix
index bd1a77680663d..27f4166e10050 100644
--- a/nixos/modules/programs/zsh/zsh.nix
+++ b/nixos/modules/programs/zsh/zsh.nix
@@ -69,9 +69,7 @@ in
 
       promptInit = mkOption {
         default = ''
-          if [ "$TERM" != dumb ]; then
-              autoload -U promptinit && promptinit && prompt walters
-          fi
+          autoload -U promptinit && promptinit && prompt walters && setopt prompt_sp
         '';
         description = ''
           Shell script code used to initialise the zsh prompt.
@@ -213,6 +211,15 @@ in
 
         ${cfg.promptInit}
 
+        # Need to disable features to support TRAMP
+        if [ "$TERM" = dumb ]; then
+            unsetopt zle prompt_cr prompt_subst
+            unfunction precmd preexec
+            unset RPS1 RPROMPT
+            PS1='$ '
+            PROMPT='$ '
+        fi
+
         # Read system-wide modifications.
         if test -f /etc/zshrc.local; then
             . /etc/zshrc.local
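Review bot: `unfunction precmd preexec` errors when either function is undefined (zsh prints `unfunction: no such hash table element: precmd`), and nothing in the visible init guarantees `prompt walters` defines them rather than registering hooks through `precmd_functions`; since the block exists to give TRAMP a quiet shell, that stray message would itself break prompt matching. Silence it with `unfunction precmd preexec 2>/dev/null` or guard each call with `(( $+functions[precmd] )) && unfunction precmd`. The hook arrays are also left intact, so hooks added via add-zsh-hook still run; `precmd_functions=() preexec_functions=()` next to the `unsetopt` would cover that. The interactiveShellInit string this sits in begins before the hunk.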
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 5c08a25c128ab..e32fa6fded4a0 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -226,6 +226,7 @@ with lib;
     (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.")
     (mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.")
     (mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.")
+    (mkRemovedOptionModule [ "systemd" "coredump" "enable" ] "Enabled by default. Set boot.kernel.sysctl.\"kernel.core_pattern\" = \"core\"; to disable.")
 
     # ZSH
     (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])
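Review bot: The removal message for `systemd.coredump.enable` gives advice that does not do what it claims: setting `kernel.core_pattern` to `core` does not disable core dumps, it stops piping them to systemd-coredump and makes the kernel write a file literally named `core` into the crashing process's working directory, which for systemd services (whose core rlimit is typically unlimited) can scatter dumps of process memory across the filesystem. The message should name a real off switch; which one survives the coredump.nix removal elsewhere in this diff I cannot tell from here, but `Storage=none` in coredump.conf or a zero core limit (`DefaultLimitCORE=0`) are the usual ones. Suggested text: `"Enabled by default. To stop storing dumps set Storage=none in coredump.conf or a zero core limit; kernel.core_pattern only changes where dumps go."`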
@@ -276,7 +277,7 @@ with lib;
           throw "services.redshift.longitude is set to null, you can remove this"
           else builtins.fromJSON value))
 
-  ] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
+  ] ++ (forEach [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
                    "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter"
                    "snmpExporter" "unifiExporter" "varnishExporter" ]
        (opt: mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] ''
diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix
index 9562ad1b164e4..d4b0b098b78e9 100644
--- a/nixos/modules/services/audio/roon-server.nix
+++ b/nixos/modules/services/audio/roon-server.nix
@@ -19,6 +19,20 @@ in {
           TCP: 9100 - 9200
         '';
       };
+      user = mkOption {
+        type = types.str;
+        default = "roon-server";
+        description = ''
+          User to run the Roon Server as.
+        '';
+      };
+      group = mkOption {
+        type = types.str;
+        default = "roon-server";
+        description = ''
+          Group to run the Roon Server as.
+        '';
+      };
     };
   };
 
@@ -33,8 +47,8 @@ in {
       serviceConfig = {
         ExecStart = "${pkgs.roon-server}/opt/start.sh";
         LimitNOFILE = 8192;
-        DynamicUser = true;
-        SupplementaryGroups = "audio";
+        User = cfg.user;
+        Group = cfg.group;
         StateDirectory = name;
       };
     };
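Review bot: Replacing `DynamicUser = true` with a static `User`/`Group` also silently drops the confinement that `DynamicUser=` implies (systemd enables `ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp=`, `RemoveIPC=` and `NoNewPrivileges=` with it), so Roon Server now runs with a writable view of the whole filesystem and can gain privileges through setuid binaries. If a fixed account is needed for persistent device ownership, re-add those directives explicitly next to `StateDirectory` so the change is about identity only, not about sandboxing. A comment on why DynamicUser was unsuitable would help the next reader.
```nix
      serviceConfig = {
        # … unchanged: ExecStart, LimitNOFILE, User, Group, StateDirectory …
        # Re-create what DynamicUser=true implied before the switch to a static user.
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = "read-only";
        RemoveIPC = true;
      };
```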
@@ -45,5 +59,15 @@ in {
       ];
       allowedUDPPorts = [ 9003 ];
     };
+
+    
+    users.groups."${cfg.group}" = {};
+    users.users."${cfg.user}" =
+      if cfg.user == "roon-server" then {
+        isSystemUser = true;
+        description = "Roon Server user";
+        groups = [ cfg.group "audio" ];
+      }
+      else {};
   };
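Review bot: `groups = [ cfg.group "audio" ]` does not look like a `users.users.<name>` attribute — the NixOS users module exposes `group` (primary) and `extraGroups` as far as I can tell — so this branch should fail evaluation with an unknown-option error as soon as the service is enabled with the default user; use `group = cfg.group; extraGroups = [ "audio" ];` instead. The `else {}` branch declares a custom user with neither `isSystemUser` nor `isNormalUser`, which allocates it like a regular account; either drop that branch and require the admin to declare the user, or state that expectation in the `user` option's description. The unconditional `users.groups."${cfg.group}" = {}` is harmless for an existing group but also deserves a word in the `group` description.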
 }
diff --git a/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix b/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
index 4286251357f7e..748a025414a78 100644
--- a/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
@@ -30,9 +30,9 @@ with lib;
 
   config = mkIf config.services.gnome3.gnome-online-accounts.enable {
 
-    environment.systemPackages = [ pkgs.gnome3.gnome-online-accounts ];
+    environment.systemPackages = [ pkgs.gnome-online-accounts ];
 
-    services.dbus.packages = [ pkgs.gnome3.gnome-online-accounts ];
+    services.dbus.packages = [ pkgs.gnome-online-accounts ];
 
   };
 
diff --git a/nixos/modules/services/desktops/gnome3/gnome-terminal-server.nix b/nixos/modules/services/desktops/gnome3/gnome-terminal-server.nix
deleted file mode 100644
index fd14efee5f2ea..0000000000000
--- a/nixos/modules/services/desktops/gnome3/gnome-terminal-server.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-# GNOME Documents daemon.
-
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-{
-
-  ###### interface
-
-  options = {
-
-    services.gnome3.gnome-terminal-server = {
-
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to enable GNOME Terminal server service,
-          needed for gnome-terminal.
-        '';
-      };
-
-    };
-
-  };
-
-
-  ###### implementation
-
-  config = mkIf config.services.gnome3.gnome-terminal-server.enable {
-
-    environment.systemPackages = [ pkgs.gnome3.gnome-terminal ];
-
-    services.dbus.packages = [ pkgs.gnome3.gnome-terminal ];
-
-    systemd.packages = [ pkgs.gnome3.gnome-terminal ];
-
-  };
-
-}
diff --git a/nixos/modules/services/desktops/gnome3/gvfs.nix b/nixos/modules/services/desktops/gnome3/gvfs.nix
deleted file mode 100644
index 4e99d191f18c7..0000000000000
--- a/nixos/modules/services/desktops/gnome3/gvfs.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-# gvfs backends
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
-  ###### interface
-
-  options = {
-
-    services.gnome3.gvfs = {
-
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to enable gvfs backends, userspace virtual filesystem used
-          by GNOME components via D-Bus.
-        '';
-      };
-
-    };
-
-  };
-
-
-  ###### implementation
-
-  config = mkIf config.services.gnome3.gvfs.enable {
-
-    environment.systemPackages = [ pkgs.gnome3.gvfs ];
-
-    services.dbus.packages = [ pkgs.gnome3.gvfs ];
-
-    systemd.packages = [ pkgs.gnome3.gvfs ];
-
-    services.udev.packages = [ pkgs.libmtp.bin ];
-
-  };
-
-}
diff --git a/nixos/modules/services/desktops/gnome3/tracker-miners.nix b/nixos/modules/services/desktops/gnome3/tracker-miners.nix
index 20154fc2fed35..b390d8368c652 100644
--- a/nixos/modules/services/desktops/gnome3/tracker-miners.nix
+++ b/nixos/modules/services/desktops/gnome3/tracker-miners.nix
@@ -30,11 +30,11 @@ with lib;
 
   config = mkIf config.services.gnome3.tracker-miners.enable {
 
-    environment.systemPackages = [ pkgs.gnome3.tracker-miners ];
+    environment.systemPackages = [ pkgs.tracker-miners ];
 
-    services.dbus.packages = [ pkgs.gnome3.tracker-miners ];
+    services.dbus.packages = [ pkgs.tracker-miners ];
 
-    systemd.packages = [ pkgs.gnome3.tracker-miners ];
+    systemd.packages = [ pkgs.tracker-miners ];
 
   };
 
diff --git a/nixos/modules/services/desktops/gnome3/tracker.nix b/nixos/modules/services/desktops/gnome3/tracker.nix
index c061f78904994..2e82927422644 100644
--- a/nixos/modules/services/desktops/gnome3/tracker.nix
+++ b/nixos/modules/services/desktops/gnome3/tracker.nix
@@ -30,11 +30,11 @@ with lib;
 
   config = mkIf config.services.gnome3.tracker.enable {
 
-    environment.systemPackages = [ pkgs.gnome3.tracker ];
+    environment.systemPackages = [ pkgs.tracker ];
 
-    services.dbus.packages = [ pkgs.gnome3.tracker ];
+    services.dbus.packages = [ pkgs.tracker ];
 
-    systemd.packages = [ pkgs.gnome3.tracker ];
+    systemd.packages = [ pkgs.tracker ];
 
   };
 
diff --git a/nixos/modules/services/desktops/gvfs.nix b/nixos/modules/services/desktops/gvfs.nix
new file mode 100644
index 0000000000000..1d002eac41def
--- /dev/null
+++ b/nixos/modules/services/desktops/gvfs.nix
@@ -0,0 +1,59 @@
+# GVfs
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.gvfs;
+
+in
+
+{
+
+  # Added 2019-08-19
+  imports = [
+    (mkRenamedOptionModule
+      [ "services" "gnome3" "gvfs" "enable" ]
+      [ "services" "gvfs" "enable" ])
+  ];
+
+  ###### interface
+
+  options = {
+
+    services.gvfs = {
+
+      enable = mkEnableOption "GVfs, a userspace virtual filesystem";
+
+      # gvfs can be built with multiple configurations
+      package = mkOption {
+        type = types.package;
+        default = pkgs.gnome3.gvfs;
+        description = "Which GVfs package to use.";
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    environment.systemPackages = [ cfg.package ];
+
+    services.dbus.packages = [ cfg.package ];
+
+    systemd.packages = [ cfg.package ];
+
+    services.udev.packages = [ pkgs.libmtp.bin ];
+
+    # Needed for unwrapped applications
+    environment.variables.GIO_EXTRA_MODULES = [ "${cfg.package}/lib/gio/modules" ];
+
+  };
+
+}
diff --git a/nixos/modules/services/hardware/trezord.nix b/nixos/modules/services/hardware/trezord.nix
index c06a0665d02ff..62824ed7350a7 100644
--- a/nixos/modules/services/hardware/trezord.nix
+++ b/nixos/modules/services/hardware/trezord.nix
@@ -4,6 +4,12 @@ with lib;
 let
   cfg = config.services.trezord;
 in {
+
+  ### docs
+
+  meta = {
+    doc = ./trezord.xml;
+  };
   
   ### interface
 
@@ -16,6 +22,22 @@ in {
           Enable Trezor bridge daemon, for use with Trezor hardware bitcoin wallets.
         '';
       };
+
+      emulator.enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable Trezor emulator support.
+          '';
+       };
+
+      emulator.port = mkOption {
+        type = types.port;
+        default = 21324;
+        description = ''
+          Listening port for the Trezor emulator.
+          '';
+      };
     };
   };
   
@@ -44,7 +66,7 @@ in {
       path = [];
       serviceConfig = {
         Type = "simple";
-        ExecStart = "${pkgs.trezord}/bin/trezord-go";
+        ExecStart = "${pkgs.trezord}/bin/trezord-go ${optionalString cfg.emulator.enable "-e ${builtins.toString cfg.emulator.port}"}";
         User = "trezord";
       };
     };
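Review bot: `-e <port>` presumably makes trezord-go treat a local UDP socket as a connected Trezor (that is what an emulator bridge is for), so with `emulator.enable = true` any local process able to bind port 21324 can present itself to wallet software as a hardware wallet. That should be stated in the `emulator.enable` description, which sits in the previous hunk, e.g. `Enable Trezor emulator support. The bridge will accept a software emulator on the local UDP port as if it were a device; intended for development only.` The flag itself is safe to interpolate here because `types.port` guarantees an integer.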
diff --git a/nixos/modules/services/hardware/trezord.xml b/nixos/modules/services/hardware/trezord.xml
new file mode 100644
index 0000000000000..972d409d9d0e0
--- /dev/null
+++ b/nixos/modules/services/hardware/trezord.xml
@@ -0,0 +1,26 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="trezor">
+ <title>Trezor</title>
+ <para>
+  Trezor is an open-source cryptocurrency hardware wallet and security token
+  allowing secure storage of private keys.
+ </para>
+ <para>
+  It offers advanced features such U2F two-factor authorization, SSH login
+  through
+  <link xlink:href="https://wiki.trezor.io/Apps:SSH_agent">Trezor SSH agent</link>,
+  <link xlink:href="https://wiki.trezor.io/GPG">GPG</link> and a
+  <link xlink:href="https://wiki.trezor.io/Trezor_Password_Manager">password manager</link>.
+  For more information, guides and documentation, see <link xlink:href="https://wiki.trezor.io"/>.
+ </para>
+ <para>
+  To enable Trezor support, add the following to your <filename>configuration.nix</filename>:
+<programlisting>
+<xref linkend="opt-services.trezord.enable"/> = true;
+</programlisting>
+  This will add all necessary udev rules and start Trezor Bridge.
+ </para>
+</chapter>
diff --git a/nixos/modules/services/logging/awstats.nix b/nixos/modules/services/logging/awstats.nix
index 612ae06d0a79c..54799d699a746 100644
--- a/nixos/modules/services/logging/awstats.nix
+++ b/nixos/modules/services/logging/awstats.nix
@@ -4,6 +4,7 @@ with lib;
 
 let
   cfg = config.services.awstats;
+  httpd = config.services.httpd;
   package = pkgs.awstats;
 in
 
@@ -67,50 +68,43 @@ in
     environment.etc."awstats/awstats.conf".source = pkgs.runCommand "awstats.conf"
       { preferLocalBuild = true; }
       ( let
-          cfg-httpd = config.services.httpd;
           logFormat =
-            if cfg-httpd.logFormat == "combined" then "1" else
-            if cfg-httpd.logFormat == "common" then "4" else
-            throw "awstats service doesn't support Apache log format `${cfg-httpd.logFormat}`";
+            if httpd.logFormat == "combined" then "1" else
+            if httpd.logFormat == "common" then "4" else
+            throw "awstats service doesn't support Apache log format `${httpd.logFormat}`";
         in
         ''
           sed \
             -e 's|^\(DirData\)=.*$|\1="${cfg.vardir}"|' \
             -e 's|^\(DirIcons\)=.*$|\1="icons"|' \
             -e 's|^\(CreateDirDataIfNotExists\)=.*$|\1=1|' \
-            -e 's|^\(SiteDomain\)=.*$|\1="${cfg-httpd.hostName}"|' \
-            -e 's|^\(LogFile\)=.*$|\1="${cfg-httpd.logDir}/access_log"|' \
+            -e 's|^\(SiteDomain\)=.*$|\1="${httpd.hostName}"|' \
+            -e 's|^\(LogFile\)=.*$|\1="${httpd.logDir}/access_log"|' \
             -e 's|^\(LogFormat\)=.*$|\1=${logFormat}|' \
             < '${package.out}/wwwroot/cgi-bin/awstats.model.conf' > "$out"
           echo '${cfg.extraConfig}' >> "$out"
         '');
 
+    systemd.tmpfiles.rules = optionals cfg.service.enable [
+      "d '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -"
+      "Z '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -"
+    ];
+
     # The httpd sub-service showing awstats.
-    services.httpd.enable = mkIf cfg.service.enable true;
-    services.httpd.extraSubservices = mkIf cfg.service.enable [ { function = { serverInfo, ... }: {
-      extraConfig =
-        ''
-          Alias ${cfg.service.urlPrefix}/classes "${package.out}/wwwroot/classes/"
-          Alias ${cfg.service.urlPrefix}/css "${package.out}/wwwroot/css/"
-          Alias ${cfg.service.urlPrefix}/icons "${package.out}/wwwroot/icon/"
-          ScriptAlias ${cfg.service.urlPrefix}/ "${package.out}/wwwroot/cgi-bin/"
+    services.httpd = optionalAttrs cfg.service.enable {
+      enable = true;
+      extraConfig = ''
+        Alias ${cfg.service.urlPrefix}/classes "${package.out}/wwwroot/classes/"
+        Alias ${cfg.service.urlPrefix}/css "${package.out}/wwwroot/css/"
+        Alias ${cfg.service.urlPrefix}/icons "${package.out}/wwwroot/icon/"
+        ScriptAlias ${cfg.service.urlPrefix}/ "${package.out}/wwwroot/cgi-bin/"
 
-          <Directory "${package.out}/wwwroot">
-            Options None
-            AllowOverride None
-            Order allow,deny
-            Allow from all
-          </Directory>
-        '';
-      startupScript =
-        let
-          inherit (serverInfo.serverConfig) user group;
-        in pkgs.writeScript "awstats_startup.sh"
-          ''
-            mkdir -p '${cfg.vardir}'
-            chown '${user}:${group}' '${cfg.vardir}'
-          '';
-    };}];
+        <Directory "${package.out}/wwwroot">
+          Options None
+          Require all granted
+        </Directory>
+      '';
+    };
 
     systemd.services.awstats-update = mkIf (cfg.updateAt != null) {
       description = "awstats log collector";
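Review bot: The new `Z '${cfg.vardir}' - httpd httpd - -` rule recursively re-owns everything under `vardir` to the web-server account on every boot, which is much broader than the removed startupScript's non-recursive `chown` of the directory itself and hands the CGI user write access to every AWStats data file regardless of who created it; `d` alone reproduces the old behaviour, so drop the `Z` line or add a comment saying why recursive re-ownership is wanted. In the context lines, `echo '${cfg.extraConfig}' >> "$out"` still breaks the build script for any `extraConfig` containing a single quote; `cat >> "$out" <<'EOF'` or `pkgs.writeText` would be safer. `Require all granted` matches the old `Allow from all`, so the world-reachable CGI at `urlPrefix` is unchanged, but a comment making that exposure explicit would be apt. The `awstats-update` service continues past the hunk.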
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index 087630f217769..09c3a89d6a688 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -659,7 +659,7 @@ in {
         fi
 
         # We remove potentially broken links to old gitlab-shell versions
-        rm -f ${cfg.statePath}/repositories/**/*.git/hooks
+        rm -Rf ${cfg.statePath}/repositories/**/*.git/hooks
 
         ${pkgs.sudo}/bin/sudo -u ${cfg.user} -H ${pkgs.git}/bin/git config --global core.autocrlf "input"
       '';
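Review bot: `**` is only a recursive glob when `shopt -s globstar` is on, which the visible preStart does not set, so `rm -Rf …/repositories/**/*.git/hooks` still matches exactly one directory level and skips nested groups and hashed-storage paths (`@hashed/xx/yy/*.git`). Going from `-f` to `-Rf` also means real `hooks` directories, including admin-installed custom hooks, are now deleted although the comment still talks about broken links. If removing directories is intended, use `find '${cfg.statePath}/repositories' -path '*.git/hooks' -prune -exec rm -rf {} +` and update the comment; otherwise add `-type l` to keep it to symlinks. The preStart script this belongs to begins before the hunk.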
diff --git a/nixos/modules/services/misc/mantisbt.nix b/nixos/modules/services/misc/mantisbt.nix
deleted file mode 100644
index 7e3474feb672c..0000000000000
--- a/nixos/modules/services/misc/mantisbt.nix
+++ /dev/null
@@ -1,68 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
-  cfg = config.services.mantisbt;
-
-  freshInstall = cfg.extraConfig == "";
-
-  # combined code+config directory
-  mantisbt = let
-    config_inc = pkgs.writeText "config_inc.php" ("<?php\n" + cfg.extraConfig);
-    src = pkgs.fetchurl {
-      url = "mirror://sourceforge/mantisbt/${name}.tar.gz";
-      sha256 = "1pl6xn793p3mxc6ibpr2bhg85vkdlcf57yk7pfc399g47l8x4508";
-    };
-    name = "mantisbt-1.2.19";
-    in
-      # We have to copy every time; otherwise config won't be found.
-      pkgs.runCommand name
-        { preferLocalBuild = true; allowSubstitutes = false; }
-        (''
-          mkdir -p "$out"
-          cd "$out"
-          tar -xf '${src}' --strip-components=1
-          ln -s '${config_inc}' config_inc.php
-        ''
-        + lib.optionalString (!freshInstall) "rm -r admin/"
-        );
-in
-{
-  options.services.mantisbt = {
-    enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Enable the mantisbt web service.
-        This switches on httpd with PHP and database.
-      '';
-    };
-    urlPrefix = mkOption {
-      type = types.string;
-      default = "/mantisbt";
-      description = "The URL prefix under which the mantisbt service appears.";
-    };
-    extraConfig = mkOption {
-      type = types.lines;
-      default = "";
-      description = ''
-        The contents of config_inc.php, without leading &lt;?php.
-        If left empty, the admin directory will be accessible.
-      '';
-    };
-  };
-
-
-  config = mkIf cfg.enable {
-    services.mysql.enable = true;
-    services.httpd.enable = true;
-    services.httpd.enablePHP = true;
-    # The httpd sub-service showing mantisbt.
-    services.httpd.extraSubservices = [ { function = { ... }: {
-      extraConfig =
-        ''
-          Alias ${cfg.urlPrefix} "${mantisbt}"
-        '';
-    };}];
-  };
-}
diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix
index 00c8e7408030a..3eb649b08a2f5 100644
--- a/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixos/modules/services/misc/matrix-synapse.nix
@@ -684,7 +684,7 @@ in {
         fi
       '';
       serviceConfig = {
-        Type = "simple";
+        Type = "notify";
         User = "matrix-synapse";
         Group = "matrix-synapse";
         WorkingDirectory = cfg.dataDir;
diff --git a/nixos/modules/services/misc/metabase.nix b/nixos/modules/services/misc/metabase.nix
new file mode 100644
index 0000000000000..e78100a046a20
--- /dev/null
+++ b/nixos/modules/services/misc/metabase.nix
@@ -0,0 +1,103 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.metabase;
+
+  inherit (lib) mkEnableOption mkIf mkOption;
+  inherit (lib) optional optionalAttrs types;
+
+  dataDir = "/var/lib/metabase";
+
+in {
+
+  options = {
+
+    services.metabase = {
+      enable = mkEnableOption "Metabase service";
+
+      listen = {
+        ip = mkOption {
+          type = types.str;
+          default = "0.0.0.0";
+          description = ''
+            IP address that Metabase should listen on.
+          '';
+        };
+
+        port = mkOption {
+          type = types.port;
+          default = 3000;
+          description = ''
+            Listen port for Metabase.
+          '';
+        };
+      };
+
+      ssl = {
+        enable = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Whether to enable SSL (https) support.
+          '';
+        };
+
+        port = mkOption {
+          type = types.port;
+          default = 8443;
+          description = ''
+            Listen port over SSL (https) for Metabase.
+          '';
+        };
+
+        keystore = mkOption {
+          type = types.nullOr types.path;
+          default = "${dataDir}/metabase.jks";
+          example = "/etc/secrets/keystore.jks";
+          description = ''
+            <link xlink:href="https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores">Java KeyStore</link> file containing the certificates.
+          '';
+        };
+
+      };
+
+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Open ports in the firewall for Metabase.
+        '';
+      };
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    systemd.services.metabase = {
+      description = "Metabase server";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      environment = {
+        MB_PLUGINS_DIR = "${dataDir}/plugins";
+        MB_DB_FILE = "${dataDir}/metabase.db";
+        MB_JETTY_HOST = cfg.listen.ip;
+        MB_JETTY_PORT = toString cfg.listen.port;
+      } // optionalAttrs (cfg.ssl.enable) {
+        MB_JETTY_SSL = true;
+        MB_JETTY_SSL_PORT = toString cfg.ssl.port;
+        MB_JETTY_SSL_KEYSTORE = cfg.ssl.keystore;
+      };
+      serviceConfig = {
+        DynamicUser = true;
+        StateDirectory = baseNameOf dataDir;
+        ExecStart = "${pkgs.metabase}/bin/metabase";
+      };
+    };
+
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ cfg.listen.port ] ++ optional cfg.ssl.enable cfg.ssl.port;
+    };
+
+  };
+}
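Review bot: `MB_JETTY_SSL = true;` in the optionalAttrs block is a Nix boolean while every other environment value here is a string (the ports are wrapped in toString); write `MB_JETTY_SSL = "true";` so the unit's Environment= line is rendered explicitly rather than relying on how a bool is coerced. The unit declares `after = [ "network-online.target" ]` without a matching `wants`, so the target is not pulled in and the ordering has no effect at boot; add `wants = [ "network-online.target" ];` — the jormungandr unit added later in this commit has the same omission. The ssl block passes a keystore path but nothing to unlock it; unless the keystore is unprotected, Metabase needs the keystore password as well (via its MB_JETTY_SSL_KEYSTORE_PASSWORD variable, if I recall correctly), so an option that reads it from a file outside the store is probably missing.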
diff --git a/nixos/modules/services/monitoring/cadvisor.nix b/nixos/modules/services/monitoring/cadvisor.nix
index 6ca420a05b234..695a8c42e85e0 100644
--- a/nixos/modules/services/monitoring/cadvisor.nix
+++ b/nixos/modules/services/monitoring/cadvisor.nix
@@ -84,6 +84,16 @@ in {
         type = types.bool;
         description = "Cadvisor storage driver, enable secure communication.";
       };
+
+      extraOptions = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = ''
+          Additional cadvisor options.
+          
+          See <link xlink:href='https://github.com/google/cadvisor/blob/master/docs/runtime_options.md'/> for available options.
+        '';
+      };
     };
   };
 
@@ -112,6 +122,7 @@ in {
             -logtostderr=true \
             -listen_ip="${cfg.listenAddress}" \
             -port="${toString cfg.port}" \
+            ${escapeShellArgs cfg.extraOptions} \
             ${optionalString (cfg.storageDriver != null) ''
               -storage_driver "${cfg.storageDriver}" \
               -storage_driver_user "${cfg.storageDriverHost}" \
diff --git a/nixos/modules/services/monitoring/riemann-tools.nix b/nixos/modules/services/monitoring/riemann-tools.nix
index 9c400a1e3e46b..2b647b6b1ade8 100644
--- a/nixos/modules/services/monitoring/riemann-tools.nix
+++ b/nixos/modules/services/monitoring/riemann-tools.nix
@@ -11,7 +11,7 @@ let
 
   healthLauncher = writeScriptBin "riemann-health" ''
     #!/bin/sh
-    exec ${pkgs.riemann-tools}/bin/riemann-health --host ${riemannHost}
+    exec ${pkgs.riemann-tools}/bin/riemann-health ${builtins.concatStringsSep " " cfg.extraArgs} --host ${riemannHost}
   '';
 
 
@@ -34,8 +34,16 @@ in {
           Address of the host riemann node. Defaults to localhost.
         '';
       };
+      extraArgs = mkOption {
+        type = types.listOf types.string;
+        default = [];
+        description = ''
+          A list of commandline-switches forwarded to a riemann-tool.
+          See for example `riemann-health --help` for available options.
+        '';
+        example = ["-p 5555" "--timeout=30" "--attribute=myattribute=42"];
+      };
     };
-
   };
 
   config = mkIf cfg.enableHealth {
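Review bot: The `extraArgs` entries are joined into the launcher in the first hunk of this file with a plain `builtins.concatStringsSep " "` and re-split by the shell, so an argument containing a space or quote is mangled and the list cannot carry arbitrary values; the cadvisor change in this same commit uses `escapeShellArgs cfg.extraOptions` for the identical purpose and this should match. Doing so requires one argument per element in the example, `example = ["-p" "5555" "--timeout=30" "--attribute=myattribute=42"];`, since `"-p 5555"` would then become a single argument. `types.string` is the deprecated spelling; use `types.listOf types.str` as cadvisor does — the jormungandr module added in this commit also uses `types.string` for genesisBlockHash.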
diff --git a/nixos/modules/services/monitoring/systemhealth.nix b/nixos/modules/services/monitoring/systemhealth.nix
deleted file mode 100644
index 32d4314d5f777..0000000000000
--- a/nixos/modules/services/monitoring/systemhealth.nix
+++ /dev/null
@@ -1,133 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.systemhealth;
-
-  systemhealth = with pkgs; stdenv.mkDerivation {
-    name = "systemhealth-1.0";
-    src = fetchurl {
-      url = "https://www.brianlane.com/downloads/systemhealth/systemhealth-1.0.tar.bz2";
-      sha256 = "1q69lz7hmpbdpbz36zb06nzfkj651413n9icx0njmyr3xzq1j9qy";
-    };
-    buildInputs = [ python ];
-    installPhase = ''
-      mkdir -p $out/bin
-      # Make it work for kernels 3.x, not so different than 2.6
-      sed -i 's/2\.6/4.0/' system_health.py
-      cp system_health.py $out/bin
-    '';
-  };
-
-  rrdDir = "/var/lib/health/rrd";
-  htmlDir = "/var/lib/health/html";
-
-  configFile = rrdDir + "/.syshealthrc";
-  # The program will try to read $HOME/.syshealthrc, so we set the proper home.
-  command = "HOME=${rrdDir} ${systemhealth}/bin/system_health.py";
-
-  cronJob = ''
-    */5 * * * * wwwrun ${command} --log
-    5 * * * * wwwrun ${command} --graph
-  '';
-
-  nameEqualName = s: "${s} = ${s}";
-  interfacesSection = concatStringsSep "\n" (map nameEqualName cfg.interfaces);
-
-  driveLine = d: "${d.path} = ${d.name}";
-  drivesSection = concatStringsSep "\n" (map driveLine cfg.drives);
-
-in
-{
-  options = {
-    services.systemhealth = {
-      enable = mkOption {
-        default = false;
-        description = ''
-          Enable the system health monitor and its generation of graphs.
-        '';
-      };
-
-      urlPrefix = mkOption {
-        default = "/health";
-        description = ''
-          The URL prefix under which the System Health web pages appear in httpd.
-        '';
-      };
-
-      interfaces = mkOption {
-        default = [ "lo" ];
-        example = [ "lo" "eth0" "eth1" ];
-        description = ''
-          Interfaces to monitor (minimum one).
-        '';
-      };
-
-      drives = mkOption {
-        default = [ ];
-        example = [ { name = "root"; path = "/"; } ];
-        description = ''
-          Drives to monitor.
-        '';
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    services.cron.systemCronJobs = [ cronJob ];
-
-    system.activationScripts.systemhealth = stringAfter [ "var" ]
-      ''
-        mkdir -p ${rrdDir} ${htmlDir}
-        chown wwwrun:wwwrun ${rrdDir} ${htmlDir}
-
-        cat >${configFile} << EOF
-        [paths]
-        rrdtool = ${pkgs.rrdtool}/bin/rrdtool
-        loadavg_rrd = loadavg
-        ps = /run/current-system/sw/bin/ps
-        df = /run/current-system/sw/bin/df
-        meminfo_rrd = meminfo
-        uptime_rrd = uptime
-        rrd_path = ${rrdDir}
-        png_path = ${htmlDir}
-
-        [processes]
-
-        [interfaces]
-        ${interfacesSection}
-
-        [drives]
-        ${drivesSection}
-
-        [graphs]
-        width = 400
-        time = ['-3hours', '-32hours', '-8days', '-5weeks', '-13months']
-        height = 100
-
-        [external]
-
-        EOF
-
-        chown wwwrun:wwwrun ${configFile}
-
-        ${pkgs.su}/bin/su -s "/bin/sh" -c "${command} --check" wwwrun
-        ${pkgs.su}/bin/su -s "/bin/sh" -c "${command} --html" wwwrun
-      '';
-
-    services.httpd.extraSubservices = [
-      { function = f: {
-          extraConfig = ''
-            Alias ${cfg.urlPrefix} ${htmlDir}
-
-            <Directory ${htmlDir}>
-                Order allow,deny
-                Allow from all
-            </Directory>
-          '';
-        };
-      }
-    ];
-  };
-}
diff --git a/nixos/modules/services/monitoring/ups.nix b/nixos/modules/services/monitoring/ups.nix
index bc755612fd9bb..429b40227d47f 100644
--- a/nixos/modules/services/monitoring/ups.nix
+++ b/nixos/modules/services/monitoring/ups.nix
@@ -225,7 +225,7 @@ in
         ''
           maxstartdelay = ${toString cfg.maxStartDelay}
 
-          ${flip concatStringsSep (flip map (attrValues cfg.ups) (ups: ups.summary)) "
+          ${flip concatStringsSep (forEach (attrValues cfg.ups) (ups: ups.summary)) "
 
           "}
         '';
diff --git a/nixos/modules/services/network-filesystems/u9fs.nix b/nixos/modules/services/network-filesystems/u9fs.nix
index 4f37fc2a9e5cf..77961b78cadb8 100644
--- a/nixos/modules/services/network-filesystems/u9fs.nix
+++ b/nixos/modules/services/network-filesystems/u9fs.nix
@@ -55,6 +55,7 @@ in
       sockets.u9fs = {
         description = "U9fs Listening Socket";
         wantedBy = [ "sockets.target" ];
+        after = [ "network.target" ];
         inherit (cfg) listenStreams;
         socketConfig.Accept = "yes";
       };
diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix
index c40962f4aa827..3fb85b16cbe20 100644
--- a/nixos/modules/services/networking/cjdns.nix
+++ b/nixos/modules/services/networking/cjdns.nix
@@ -44,9 +44,7 @@ let
   parseModules = x:
     x // { connectTo = mapAttrs (name: value: { inherit (value) password publicKey; }) x.connectTo; };
 
-  # would be nice to  merge 'cfg' with a //,
-  # but the json nesting is wacky.
-  cjdrouteConf = builtins.toJSON ( {
+  cjdrouteConf = builtins.toJSON ( recursiveUpdate {
     admin = {
       bind = cfg.admin.bind;
       password = "@CJDNS_ADMIN_PASSWORD@";
@@ -71,7 +69,7 @@ let
 
     security = [ { exemptAngel = 1; setuser = "nobody"; } ];
 
-  });
+  } cfg.extraConfig);
 
 in
 
@@ -91,6 +89,16 @@ in
         '';
       };
 
+      extraConfig = mkOption {
+        type = types.attrs;
+        default = {};
+        example = { router.interface.tunDevice = "tun10"; };
+        description = ''
+          Extra configuration, given as attrs, that will be merged recursively
+          with the rest of the JSON generated by this module, at the root node.
+        '';
+      };
+
       confFile = mkOption {
         type = types.nullOr types.path;
         default = null;
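Review bot: The `extraConfig` description should state that its values win: `recursiveUpdate` in the first hunk of this file applies cfg.extraConfig on top of the generated attrs, so any key the module sets — including `admin.password` and the `security` list with its `setuser = "nobody"` — is replaced without warning when a user sets the same key, which "merged" does not convey. Suggested wording: `Extra configuration, merged recursively at the root node into the JSON generated by this module; a value given here overrides the module's own setting for the same key, including the admin and security sections.` As far as I recall, `types.attrs` also merges definitions from several modules shallowly, so nested keys contributed by two modules do not combine. The heredoc in the last hunk relies on Nix's indentation stripping to put `EOF` at column 0, which holds only while no line of the enclosing string (which begins outside the hunk) is indented less than it.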
@@ -246,7 +254,10 @@ in
         if cfg.confFile != null then "${pkg}/bin/cjdroute < ${cfg.confFile}" else
           ''
             source /etc/cjdns.keys
-            echo '${cjdrouteConf}' | sed \
+            (cat <<'EOF'
+            ${cjdrouteConf}
+            EOF
+            ) | sed \
                 -e "s/@CJDNS_ADMIN_PASSWORD@/$CJDNS_ADMIN_PASSWORD/g" \
                 -e "s/@CJDNS_PRIVATE_KEY@/$CJDNS_PRIVATE_KEY/g" \
                 | ${pkg}/bin/cjdroute
diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix
index 3a92a883fbf89..f080f12eaccdd 100644
--- a/nixos/modules/services/networking/consul.nix
+++ b/nixos/modules/services/networking/consul.nix
@@ -15,7 +15,7 @@ let
     ++ cfg.extraConfigFiles;
 
   devices = attrValues (filterAttrs (_: i: i != null) cfg.interface);
-  systemdDevices = flip map devices
+  systemdDevices = forEach devices
     (i: "sys-subsystem-net-devices-${utils.escapeSystemdPath i}.device");
 in
 {
diff --git a/nixos/modules/services/networking/hylafax/systemd.nix b/nixos/modules/services/networking/hylafax/systemd.nix
index ef177e4be3458..0c6602e7f8abd 100644
--- a/nixos/modules/services/networking/hylafax/systemd.nix
+++ b/nixos/modules/services/networking/hylafax/systemd.nix
@@ -7,7 +7,7 @@ let
   inherit (lib) concatStringsSep optionalString;
 
   cfg = config.services.hylafax;
-  mapModems = lib.flip map (lib.attrValues cfg.modems);
+  mapModems = lib.forEach (lib.attrValues cfg.modems);
 
   mkConfigFile = name: conf:
     # creates hylafax config file,
diff --git a/nixos/modules/services/networking/jormungandr.nix b/nixos/modules/services/networking/jormungandr.nix
new file mode 100644
index 0000000000000..c1a16a316b7a4
--- /dev/null
+++ b/nixos/modules/services/networking/jormungandr.nix
@@ -0,0 +1,97 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.jormungandr;
+
+  inherit (lib) mkEnableOption mkIf mkOption;
+  inherit (lib) optionalString types;
+
+  dataDir = "/var/lib/jormungandr";
+
+  # Default settings so far, as the service matures we will
+  # move these out as separate settings
+  configSettings = {
+    storage = dataDir;
+    p2p = {
+      public_address = "/ip4/127.0.0.1/tcp/8606";
+      messages = "high";
+      blocks = "high";
+    };
+    rest = {
+      listen = "127.0.0.1:8607";
+    };
+  };
+
+  configFile = if cfg.configFile == null then
+    pkgs.writeText "jormungandr.yaml" (builtins.toJSON configSettings)
+  else cfg.configFile;
+
+in {
+
+  options = {
+
+    services.jormungandr = {
+      enable = mkEnableOption "jormungandr service";
+
+      configFile = mkOption {
+       type = types.nullOr types.path;
+       default = null;
+       example = "/var/lib/jormungandr/node.yaml";
+       description = ''
+         The path of the jormungandr blockchain configuration file in YAML format.
+         If no file is specified, a file is generated using the other options.
+       '';
+     };
+
+      secretFile = mkOption {
+       type = types.nullOr types.path;
+       default = null;
+       example = "/etc/secret/jormungandr.yaml";
+       description = ''
+         The path of the jormungandr blockchain secret node configuration file in
+         YAML format. Do not store this in nix store!
+       '';
+     };
+
+      genesisBlockHash = mkOption {
+        type = types.nullOr types.string;
+        default = null;
+        example = "d70495af81ae8600aca3e642b2427327cb6001ec4d7a0037e96a00dabed163f9";
+        description = ''
+          Set the genesis block hash (the hash of the block0) so we can retrieve
+          the genesis block (and the blockchain configuration) from the existing
+          storage or from the network.
+        '';
+      };
+
+      genesisBlockFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        example = "/var/lib/jormungandr/block-0.bin";
+        description = ''
+          The path of the genesis block file if we are hosting it locally.
+        '';
+      };
+
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    systemd.services.jormungandr = {
+      description = "jormungandr server";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      serviceConfig = {
+        DynamicUser = true;
+        StateDirectory = baseNameOf dataDir;
+        ExecStart = ''
+          ${pkgs.jormungandr}/bin/jormungandr --config ${configFile} \
+            ${optionalString (cfg.secretFile != null) " --secret ${cfg.secretFile}"} \
+            ${optionalString (cfg.genesisBlockHash != null) " --genesis-block-hash ${cfg.genesisBlockHash}"} \
+            ${optionalString (cfg.genesisBlockFile != null) " --genesis-block ${cfg.genesisBlockFile}"}
+        '';
+      };
+    };
+  };
+}
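Review bot: `secretFile` is declared `types.nullOr types.path` while its description says the secret must not be stored in the Nix store, but a `types.path` option accepts a path literal such as `./node-secret.yaml`, which is copied into the world-readable store at evaluation time; use `types.nullOr types.str` (the example is already a string) or state in the description that the value must be a string, never a path literal. The `configFile` and `secretFile` option bodies are indented seven spaces with the closing brace at five, unlike the other options in this block; align them with `genesisBlockHash`. The generated file is named `jormungandr.yaml` but written with `builtins.toJSON`; that works because JSON is valid YAML, and a short comment saying so would save the next reader a question.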
diff --git a/nixos/modules/services/networking/shadowsocks.nix b/nixos/modules/services/networking/shadowsocks.nix
index fe6d65a5f963a..af12db590f000 100644
--- a/nixos/modules/services/networking/shadowsocks.nix
+++ b/nixos/modules/services/networking/shadowsocks.nix
@@ -35,10 +35,10 @@ in
       };
 
       localAddress = mkOption {
-        type = types.str;
-        default = "0.0.0.0";
+        type = types.coercedTo types.str singleton (types.listOf types.str);
+        default = [ "[::0]" "0.0.0.0" ];
         description = ''
-          Local address to which the server binds.
+          Local addresses to which the server binds.
         '';
       };
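Review bot: The new default `[ "[::0]" "0.0.0.0" ]` changes behaviour for existing deployments: the server now also binds the IPv6 wildcard where it previously bound only IPv4, so hosts that relied on IPv6 not being listened on gain a second exposed address family after upgrading; that deserves a sentence in the description or release notes. The code that writes cfg.localAddress into the generated config is outside the hunk; since the option now yields a list, verify that consumer emits a JSON array (shadowsocks-libev accepts a list for its server field, as far as I know) rather than interpolating the value into a string.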
 
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 0f9d2420903bd..91fc7d72bc6d2 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -502,7 +502,7 @@ in
 
     assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
                     message = "cannot enable X11 forwarding without setting xauth location";}]
-      ++ flip map cfg.listenAddresses ({ addr, ... }: {
+      ++ forEach cfg.listenAddresses ({ addr, ... }: {
         assertion = addr != null;
         message = "addr must be specified in each listenAddresses entry";
       });
diff --git a/nixos/modules/services/networking/stubby.nix b/nixos/modules/services/networking/stubby.nix
index 3fbf6eb60e9d7..b38bcd4cec058 100644
--- a/nixos/modules/services/networking/stubby.nix
+++ b/nixos/modules/services/networking/stubby.nix
@@ -168,7 +168,7 @@ in
         default = defaultUpstream;
         type = types.lines;
         description = ''
-          Add additional upstreams. See <citerefentry><refentrytitle>stubby
+          Replace default upstreams. See <citerefentry><refentrytitle>stubby
           </refentrytitle><manvolnum>1</manvolnum></citerefentry> for an
           example of the entry formatting. In Strict mode, at least one of the
           following settings must be supplied for each nameserver:
diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix
index 6b688c640d59b..91d8f544e16b0 100644
--- a/nixos/modules/services/search/elasticsearch.nix
+++ b/nixos/modules/services/search/elasticsearch.nix
@@ -131,6 +131,7 @@ in {
       description = "Extra elasticsearch plugins";
       default = [];
       type = types.listOf types.package;
+      example = lib.literalExample "[ pkgs.elasticsearchPlugins.discovery-ec2 ]";
     };
 
   };
diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix
index 25cec5b5b1051..4a174564dd2ca 100644
--- a/nixos/modules/services/security/sshguard.nix
+++ b/nixos/modules/services/security/sshguard.nix
@@ -106,14 +106,24 @@ in {
 
       path = with pkgs; [ iptables ipset iproute systemd ];
 
-      postStart = ''
+      # The sshguard ipsets must exist before we invoke
+      # iptables. sshguard creates the ipsets after startup if
+      # necessary, but if we let sshguard do it, we can't reliably add
+      # the iptables rules because postStart races with the creation
+      # of the ipsets. So instead, we create both the ipsets and
+      # firewall rules before sshguard starts.
+      preStart = ''
+        ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet
+        ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
         ${pkgs.iptables}/bin/iptables  -I INPUT -m set --match-set sshguard4 src -j DROP
         ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
       '';
 
-      preStop = ''
+      postStop = ''
         ${pkgs.iptables}/bin/iptables  -D INPUT -m set --match-set sshguard4 src -j DROP
         ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
+        ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4
+        ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6
       '';
 
       unitConfig.Documentation = "man:sshguard(8)";
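Review bot: The `iptables -I INPUT ...` lines in preStart insert unconditionally, and the rules live in the kernel independently of the unit, so any start that follows an incomplete postStop leaves duplicate DROP rules accumulating at the head of INPUT; guard each insert with a check, e.g. `${pkgs.iptables}/bin/iptables -C INPUT -m set --match-set sshguard4 src -j DROP || ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP` (and the ip6tables twin). In postStop the `ipset destroy` calls depend on the rule deletions just above having succeeded, since a set still referenced by a rule cannot be destroyed, and `-quiet` hides that failure; a one-line comment on that ordering would help. The comment above preStart explains the race well.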
diff --git a/nixos/modules/services/security/usbguard.nix b/nixos/modules/services/security/usbguard.nix
index 88d2f69db5729..20d5e3b28eb9e 100644
--- a/nixos/modules/services/security/usbguard.nix
+++ b/nixos/modules/services/security/usbguard.nix
@@ -39,6 +39,16 @@ in {
     services.usbguard = {
       enable = mkEnableOption "USBGuard daemon";
 
+      package = mkOption {
+        type = types.package;
+        default = pkgs.usbguard;
+        defaultText = "pkgs.usbguard";
+        description = ''
+          The usbguard package to use. If you do not need the Qt GUI, use
+          <literal>pkgs.usbguard-nox</literal> to save disk space.
+        '';
+      };
+
       ruleFile = mkOption {
         type = types.path;
         default = "/var/lib/usbguard/rules.conf";
@@ -179,7 +189,7 @@ in {
 
   config = mkIf cfg.enable {
 
-    environment.systemPackages = [ pkgs.usbguard ];
+    environment.systemPackages = [ cfg.package ];
 
     systemd.services.usbguard = {
       description = "USBGuard daemon";
@@ -195,7 +205,7 @@ in {
 
       serviceConfig = {
         Type = "simple";
-        ExecStart = ''${pkgs.usbguard}/bin/usbguard-daemon -P -k -c ${daemonConfFile}'';
+        ExecStart = ''${cfg.package}/bin/usbguard-daemon -P -k -c ${daemonConfFile}'';
         Restart = "on-failure";
       };
     };
diff --git a/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix b/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix
index 910e1d937bf35..6740131dccde1 100644
--- a/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix
+++ b/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix
@@ -5,10 +5,12 @@
 
   defaultConfig = {
     global = {
-      module_path = "${pkgs.icingaweb2}/modules${optionalString (builtins.length config.modulePath > 0) ":${concatStringsSep ":" config.modulePath}"}";
+      module_path = "${pkgs.icingaweb2}/modules";
     };
   };
 in {
+  meta.maintainers = with maintainers; [ das_j ];
+
   options.services.icingaweb2 = with types; {
     enable = mkEnableOption "the icingaweb2 web interface";
 
diff --git a/nixos/modules/services/web-servers/caddy.nix b/nixos/modules/services/web-servers/caddy.nix
index d0b936cb019fd..6a1db6087840a 100644
--- a/nixos/modules/services/web-servers/caddy.nix
+++ b/nixos/modules/services/web-servers/caddy.nix
@@ -70,7 +70,7 @@ in {
         { CADDYPATH = cfg.dataDir; };
       serviceConfig = {
         ExecStart = ''
-          ${cfg.package.bin}/bin/caddy -root=/var/tmp -conf=${configFile} \
+          ${cfg.package}/bin/caddy -root=/var/tmp -conf=${configFile} \
             -ca=${cfg.ca} -email=${cfg.email} ${optionalString cfg.agree "-agree"}
         '';
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 2b7fcb3140417..c1a51fbf8b425 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -162,6 +162,10 @@ let
     ${cfg.appendConfig}
   '';
 
+  configPath = if cfg.enableReload
+    then "/etc/nginx/nginx.conf"
+    else configFile;
+
   vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost:
     let
         onlySSL = vhost.onlySSL || vhost.enableSSL;
@@ -431,6 +435,16 @@ in
         ";
       };
 
+      enableReload = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Reload nginx when configuration file changes (instead of restart).
+          The configuration file is exposed at <filename>/etc/nginx/nginx.conf</filename>.
+          See also <literal>systemd.services.*.restartIfChanged</literal>.
+        '';
+      };
+
       stateDir = mkOption {
         default = "/var/spool/nginx";
         description = "
@@ -638,10 +652,10 @@ in
       preStart =
         ''
         ${cfg.preStart}
-        ${cfg.package}/bin/nginx -c ${configFile} -p ${cfg.stateDir} -t
+        ${cfg.package}/bin/nginx -c ${configPath} -p ${cfg.stateDir} -t
         '';
       serviceConfig = {
-        ExecStart = "${cfg.package}/bin/nginx -c ${configFile} -p ${cfg.stateDir}";
+        ExecStart = "${cfg.package}/bin/nginx -c ${configPath} -p ${cfg.stateDir}";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
         Restart = "always";
         RestartSec = "10s";
@@ -649,6 +663,21 @@ in
       };
     };
 
+    environment.etc."nginx/nginx.conf" = mkIf cfg.enableReload {
+      source = configFile;
+    };
+
+    systemd.services.nginx-config-reload = mkIf cfg.enableReload {
+      wantedBy = [ "nginx.service" ];
+      restartTriggers = [ configFile ];
+      script = ''
+        if ${pkgs.systemd}/bin/systemctl -q is-active nginx.service ; then
+          ${pkgs.systemd}/bin/systemctl reload nginx.service
+        fi
+      '';
+      serviceConfig.RemainAfterExit = true;
+    };
+
     security.acme.certs = filterAttrs (n: v: v != {}) (
       let
         vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;
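Review bot: The reload unit runs `systemctl reload nginx.service` (a SIGHUP via ExecReload) without validating the new configuration first; nginx keeps serving the old config when the new one fails to parse, and `kill -HUP` returns 0 regardless, so a broken config is silently not applied while the reload unit still reports success. Add the same test preStart already performs before the reload line: `${cfg.package}/bin/nginx -c ${configFile} -p ${cfg.stateDir} -t`, so the unit fails visibly on a bad config. The unit uses `script` with `RemainAfterExit = true` but leaves the default Type=simple; `serviceConfig.Type = "oneshot"` would make its active state reflect that the script has completed. Note that the `-t` in preStart (third hunk) now tests `/etc/nginx/nginx.conf`, which is equivalent only once the etc symlink has been switched to the new generation.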
diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix
index cbfd2d3c2ea2f..6434731d951fe 100644
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -136,9 +136,8 @@ in {
     services.gnome3.gnome-online-accounts.enable = mkDefault true;
     services.gnome3.gnome-remote-desktop.enable = mkDefault true;
     services.gnome3.gnome-settings-daemon.enable = true;
-    services.gnome3.gnome-terminal-server.enable = mkDefault true;
     services.gnome3.gnome-user-share.enable = mkDefault true;
-    services.gnome3.gvfs.enable = true;
+    services.gvfs.enable = true;
     services.gnome3.rygel.enable = mkDefault true;
     services.gnome3.seahorse.enable = mkDefault true;
     services.gnome3.sushi.enable = mkDefault true;
@@ -161,10 +160,12 @@ in {
     xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
 
     # Enable default programs
+    programs.dconf.enable = true;
     programs.evince.enable = mkDefault true;
     programs.file-roller.enable = mkDefault true;
     programs.gnome-disks.enable = mkDefault true;
     programs.gnome-documents.enable = mkDefault true;
+    programs.gnome-terminal.enable = mkDefault true;
 
     # If gnome3 is installed, build vim for gtk3 too.
     nixpkgs.config.vim.gui = "gtk3";
@@ -230,8 +231,6 @@ in {
 
     services.xserver.updateDbusEnvironment = true;
 
-    environment.variables.GIO_EXTRA_MODULES = [ "${lib.getLib pkgs.gnome3.dconf}/lib/gio/modules"
-                                                "${pkgs.gnome3.gvfs}/lib/gio/modules" ];
     environment.systemPackages = pkgs.gnome3.corePackages ++ cfg.sessionPath
       ++ (pkgs.gnome3.removePackagesByName pkgs.gnome3.optionalPackages config.environment.gnome3.excludePackages) ++ [
       pkgs.xdg-user-dirs # Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/
diff --git a/nixos/modules/services/x11/desktop-managers/lxqt.nix b/nixos/modules/services/x11/desktop-managers/lxqt.nix
index 4368adedb34b3..bf53082b267d1 100644
--- a/nixos/modules/services/x11/desktop-managers/lxqt.nix
+++ b/nixos/modules/services/x11/desktop-managers/lxqt.nix
@@ -58,7 +58,8 @@ in
     # Link some extra directories in /run/current-system/software/share
     environment.pathsToLink = [ "/share" ];
 
-    environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gvfs}/lib/gio/modules" ];
+    services.gvfs.enable = true;
+    services.gvfs.package = pkgs.gvfs;
 
     services.upower.enable = config.powerManagement.enable;
   };
diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix
index a2d0810f90df4..e1084b0053ccd 100644
--- a/nixos/modules/services/x11/desktop-managers/mate.nix
+++ b/nixos/modules/services/x11/desktop-managers/mate.nix
@@ -94,17 +94,19 @@ in
       ];
 
     programs.dconf.enable = true;
+    # Shell integration for VTE terminals
+    programs.bash.vteIntegration = mkDefault true;
+    programs.zsh.vteIntegration = mkDefault true;
+
     services.gnome3.at-spi2-core.enable = true;
     services.gnome3.gnome-keyring.enable = true;
     services.gnome3.gnome-settings-daemon.enable = true;
     services.gnome3.gnome-settings-daemon.package = pkgs.mate.mate-settings-daemon;
-    services.gnome3.gvfs.enable = true;
+    services.gvfs.enable = true;
     services.upower.enable = config.powerManagement.enable;
 
     security.pam.services."mate-screensaver".unixAuth = true;
 
-    environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gnome3.gvfs}/lib/gio/modules" ];
-
     environment.pathsToLink = [ "/share" ];
   };
 
diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix
index f0cafc377585d..ae23015d2005d 100644
--- a/nixos/modules/services/x11/desktop-managers/pantheon.nix
+++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix
@@ -99,10 +99,6 @@ in
             fi
           '') cfg.sessionPath}
 
-          # Makes qt applications look less alien
-          export QT_QPA_PLATFORMTHEME=gtk3
-          export QT_STYLE_OVERRIDE=adwaita
-
           # Settings from elementary-default-settings
           export GTK_CSD=1
           export GTK_MODULES=$GTK_MODULES:pantheon-filechooser-module
@@ -129,7 +125,7 @@ in
     services.gnome3.gnome-keyring.enable = true;
     services.gnome3.gnome-settings-daemon.enable = true;
     services.gnome3.gnome-settings-daemon.package = pkgs.pantheon.elementary-settings-daemon;
-    services.gnome3.gvfs.enable = true;
+    services.gvfs.enable = true;
     services.gnome3.rygel.enable = mkDefault true;
     services.gsignond.enable = mkDefault true;
     services.gsignond.plugins = with pkgs.gsignondPlugins; [ lastfm mail oauth ];
@@ -146,9 +142,19 @@ in
       isSystem = true;
     };
 
+    programs.dconf.enable = true;
     programs.evince.enable = mkDefault true;
     programs.file-roller.enable = mkDefault true;
 
+    # Shell integration for VTE terminals
+    programs.bash.vteIntegration = mkDefault true;
+    programs.zsh.vteIntegration = mkDefault true;
+
+    # Harmonize Qt5 applications under Pantheon
+    qt5.enable = true;
+    qt5.platformTheme = "gnome";
+    qt5.style = "adwaita";
+
     networking.networkmanager.enable = mkDefault true;
     networking.networkmanager.basePackages =
       { inherit (pkgs) networkmanager modemmanager wpa_supplicant crda;
@@ -161,11 +167,6 @@ in
 
     environment.variables.GNOME_SESSION_DEBUG = optionalString cfg.debug "1";
 
-    environment.variables.GIO_EXTRA_MODULES = [
-      "${lib.getLib pkgs.gnome3.dconf}/lib/gio/modules"
-      "${pkgs.gnome3.gvfs}/lib/gio/modules"
-    ];
-
     environment.pathsToLink = [
       # FIXME: modules should link subdirs of `/share` rather than relying on this
       "/share"
@@ -187,7 +188,6 @@ in
         glib-networking
         gnome-menus
         gnome3.adwaita-icon-theme
-        gnome3.dconf
         gtk3.out
         hicolor-icon-theme
         lightlocker
diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix
index 6852154378d7c..1102f73d1ac36 100644
--- a/nixos/modules/services/x11/desktop-managers/xfce.nix
+++ b/nixos/modules/services/x11/desktop-managers/xfce.nix
@@ -66,7 +66,6 @@ in
       exo
       garcon
       gtk-xfce-engine
-      gvfs
       libxfce4ui
       tumbler
       xfconf
@@ -100,10 +99,6 @@ in
       "/share/gtksourceview-2.0"
     ];
 
-    environment.variables = {
-      GIO_EXTRA_MODULES = [ "${pkgs.xfce.gvfs}/lib/gio/modules" ];
-    };
-
     services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ];
 
     services.xserver.desktopManager.session = [{
@@ -128,5 +123,7 @@ in
     # Enable helpful DBus services.
     services.udisks2.enable = true;
     services.upower.enable = config.powerManagement.enable;
+    services.gvfs.enable = true;
+    services.gvfs.package = pkgs.xfce.gvfs;
   };
 }
diff --git a/nixos/modules/services/x11/xautolock.nix b/nixos/modules/services/x11/xautolock.nix
index cbe000058dc64..10eef8aefbcde 100644
--- a/nixos/modules/services/x11/xautolock.nix
+++ b/nixos/modules/services/x11/xautolock.nix
@@ -129,7 +129,7 @@ in
           assertion = cfg.killer != null -> cfg.killtime >= 10;
           message = "killtime has to be at least 10 minutes according to `man xautolock`";
         }
-      ] ++ (lib.flip map [ "locker" "notifier" "nowlocker" "killer" ]
+      ] ++ (lib.forEach [ "locker" "notifier" "nowlocker" "killer" ]
         (option:
         {
           assertion = cfg."${option}" != null -> builtins.substring 0 1 cfg."${option}" == "/";
diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix
index 7ffe1c1256100..c94a064383156 100644
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -78,7 +78,7 @@ let
   in imap1 mkHead cfg.xrandrHeads;
 
   xrandrDeviceSection = let
-    monitors = flip map xrandrHeads (h: ''
+    monitors = forEach xrandrHeads (h: ''
       Option "monitor-${h.config.output}" "${h.name}"
     '');
     # First option is indented through the space in the config but any
diff --git a/nixos/modules/system/boot/coredump.nix b/nixos/modules/system/boot/coredump.nix
deleted file mode 100644
index 30f367da76663..0000000000000
--- a/nixos/modules/system/boot/coredump.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
-  options = {
-
-    systemd.coredump = {
-
-      enable = mkOption {
-        default = false;
-        type = types.bool;
-        description = ''
-          Enables storing core dumps in systemd.
-          Note that this alone is not enough to enable core dumps. The maximum
-          file size for core dumps must be specified in limits.conf as well. See
-          <option>security.pam.loginLimits</option> and the limits.conf(5)
-          man page (these specify the core dump limits for user login sessions)
-          and <option>systemd.extraConfig</option> (where e.g.
-          <literal>DefaultLimitCORE=1000000</literal> can be specified to set
-          the core dump limit for systemd system-level services).
-        '';
-      };
-
-      extraConfig = mkOption {
-        default = "";
-        type = types.lines;
-        example = "Storage=journal";
-        description = ''
-          Extra config options for systemd-coredump. See coredump.conf(5) man page
-          for available options.
-        '';
-      };
-    };
-
-  };
-
-  config = mkMerge [
-    (mkIf config.systemd.coredump.enable {
-
-      systemd.additionalUpstreamSystemUnits = [ "systemd-coredump.socket" "systemd-coredump@.service" ];
-
-      environment.etc."systemd/coredump.conf".text =
-        ''
-          [Coredump]
-          ${config.systemd.coredump.extraConfig}
-        '';
-
-      # Have the kernel pass core dumps to systemd's coredump helper binary.
-      # From systemd's 50-coredump.conf file. See:
-      # <https://github.com/systemd/systemd/blob/v218/sysctl.d/50-coredump.conf.in>
-      boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.systemd}/lib/systemd/systemd-coredump %P %u %g %s %t %c %e";
-    })
-
-    (mkIf (!config.systemd.coredump.enable) {
-      boot.kernel.sysctl."kernel.core_pattern" = mkDefault "core";
-
-      systemd.extraConfig =
-        ''
-          DefaultLimitCORE=0:infinity
-        '';
-    })
-  ];
-
-}
diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix
index ee43fe1002388..baa8c602a99e7 100644
--- a/nixos/modules/system/boot/kernel.nix
+++ b/nixos/modules/system/boot/kernel.nix
@@ -36,6 +36,7 @@ in
 
     boot.kernelPackages = mkOption {
       default = pkgs.linuxPackages;
+      type = types.unspecified // { merge = mergeEqualOption; };
       apply = kernelPackages: kernelPackages.extend (self: super: {
         kernel = super.kernel.override {
           inherit randstructSeed;
diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix
index 4e4d14985b0d4..eca9dad642224 100644
--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@@ -684,7 +684,7 @@ in
           assertion = if args.efiSysMountPoint == null then true else hasPrefix "/" args.efiSysMountPoint;
           message = "EFI paths must be absolute, not ${args.efiSysMountPoint}";
         }
-      ] ++ flip map args.devices (device: {
+      ] ++ forEach args.devices (device: {
         assertion = device == "nodev" || hasPrefix "/" device;
         message = "GRUB devices must be absolute paths, not ${device} in ${args.path}";
       }));
diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix
index d6b446e9ac227..f2060e21509c9 100644
--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@@ -55,6 +55,27 @@ let
     (assertMacAddress "MACAddress")
   ];
 
+  # NOTE The PrivateKey directive is missing on purpose here, please
+  # do not add it to this list. The nix store is world-readable let's
+  # refrain ourselves from providing a footgun.
+  checkWireGuard = checkUnitConfig "WireGuard" [
+    (assertOnlyFields [
+      "PrivateKeyFile" "ListenPort" "FwMark"
+    ])
+    (assertRange "FwMark" 1 4294967295)
+  ];
+
+  # NOTE The PresharedKey directive is missing on purpose here, please
+  # do not add it to this list. The nix store is world-readable,let's
+  # refrain ourselves from providing a footgun.
+  checkWireGuardPeer = checkUnitConfig "WireGuardPeer" [
+    (assertOnlyFields [
+      "PublicKey" "PresharedKeyFile" "AllowedIPs"
+      "Endpoint" "PersistentKeepalive"
+    ])
+    (assertRange "PersistentKeepalive" 1 65535)
+  ];
+
   checkVlan = checkUnitConfig "VLAN" [
     (assertOnlyFields ["Id" "GVRP" "MVRP" "LooseBinding" "ReorderHeader"])
     (assertRange "Id" 0 4094)
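Review bot: The NOTE above `checkWireGuard` explains why `PrivateKey` is excluded, but `PrivateKeyFile` is accepted with no check on its value, so a path literal that Nix copies into the store (or an interpolated store path) still ends up with the key world-readable, which is exactly the footgun the comment describes. A check that rejects values starting with `/nix/store`, placed alongside the existing `assertOnlyFields`, would close that gap; the same applies to `PresharedKeyFile` in `checkWireGuardPeer`. Also, the second NOTE has a missing space: `world-readable,let's` should read `world-readable, let's`. The enclosing `let` block starts before this hunk.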
@@ -320,6 +341,46 @@ let
       '';
     };
 
+    wireguardConfig = mkOption {
+      default = {};
+      example = {
+        PrivateKeyFile = "/etc/wireguard/secret.key";
+        ListenPort = 51820;
+        FwMark = 42;
+      };
+      type = types.addCheck (types.attrsOf unitOption) checkWireGuard;
+      description = ''
+        Each attribute in this set specifies an option in the
+        <literal>[WireGuard]</literal> section of the unit. See
+        <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
+        <manvolnum>5</manvolnum></citerefentry> for details.
+        Use <literal>PrivateKeyFile</literal> instead of
+        <literal>PrivateKey</literal>: the nix store is
+        world-readable.
+      '';
+    };
+
+    wireguardPeers = mkOption {
+      default = [];
+      example = [ { wireguardPeerConfig={
+        Endpoint = "192.168.1.1:51820";
+        PublicKey = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
+        PresharedKeyFile = "/etc/wireguard/psk.key";
+        AllowedIPs = [ "10.0.0.1/32" ];
+        PersistentKeepalive = 15;
+      };}];
+      type = with types; listOf (submodule wireguardPeerOptions);
+      description = ''
+        Each item in this array specifies an option in the
+        <literal>[WireGuardPeer]</literal> section of the unit. See
+        <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
+        <manvolnum>5</manvolnum></citerefentry> for details.
+        Use <literal>PresharedKeyFile</literal> instead of
+        <literal>PresharedKey</literal>: the nix store is
+        world-readable.
+      '';
+    };
+
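Review bot: The `wireguardPeers` description says each item `specifies an option in the [WireGuardPeer] section`, but each list item is a submodule wrapping `wireguardPeerConfig`, i.e. one peer, and it is that attribute set's entries that become the section's options, as the example right above shows. Suggest: `Each item in this list describes one peer; the attributes of its wireguardPeerConfig become the options of that peer's [WireGuardPeer] section of the unit.` The `wireguardConfig` description is fine as written and already carries the PrivateKeyFile hint.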
     vlanConfig = mkOption {
       default = {};
       example = { Id = "4"; };
@@ -450,6 +511,23 @@ let
     };
   };
 
+  wireguardPeerOptions = {
+    options = {
+      wireguardPeerConfig = mkOption {
+        default = {};
+        example = { };
+        type = types.addCheck (types.attrsOf unitOption) checkWireGuardPeer;
+        description = ''
+          Each attribute in this set specifies an option in the
+          <literal>[WireGuardPeer]</literal> section of the unit.  See
+          <citerefentry><refentrytitle>systemd.network</refentrytitle>
+          <manvolnum>5</manvolnum></citerefentry> for details.
+        '';
+      };
+    };
+  };
+
+
   networkOptions = commonNetworkOptions // {
 
     networkConfig = mkOption {
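Review bot: The description of `wireguardPeerConfig` points readers to `systemd.network(5)`, but the `[WireGuardPeer]` section belongs to netdev units, which is what the `wireguardPeers` description in the previous hunk cites; change the refentrytitle to `systemd.netdev` so the two agree. `example = { };` is empty and could carry the peer example already given above (PublicKey, AllowedIPs, Endpoint) so the option page is self-contained. Minor: there are two blank lines before `networkOptions`.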
@@ -732,6 +810,16 @@ let
             ${attrsToSection def.bondConfig}
 
           ''}
+          ${optionalString (def.wireguardConfig != { }) ''
+            [WireGuard]
+            ${attrsToSection def.wireguardConfig}
+
+          ''}
+          ${flip concatMapStrings def.wireguardPeers (x: ''
+            [WireGuardPeer]
+            ${attrsToSection x.wireguardPeerConfig}
+
+          '')}
           ${def.extraConfig}
         '';
     };
diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh
index 67cbe720ddc3f..b817a45deba35 100644
--- a/nixos/modules/system/boot/stage-1-init.sh
+++ b/nixos/modules/system/boot/stage-1-init.sh
@@ -44,13 +44,13 @@ EOF
   *) to ignore the error and continue
 EOF
 
-    read reply
+    read -n 1 reply
 
     if [ -n "$allowShell" -a "$reply" = f ]; then
         exec setsid @shell@ -c "exec @shell@ < /dev/$console >/dev/$console 2>/dev/$console"
     elif [ -n "$allowShell" -a "$reply" = i ]; then
         echo "Starting interactive shell..."
-        setsid @shell@ -c "@shell@ < /dev/$console >/dev/$console 2>/dev/$console" || fail
+        setsid @shell@ -c "exec @shell@ < /dev/$console >/dev/$console 2>/dev/$console" || fail
     elif [ "$reply" = r ]; then
         echo "Rebooting..."
         reboot -f
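Review bot: `read -n 1 reply` relies on a non-POSIX `read` option; if @shell@ in stage 1 is a busybox/ash-style shell rather than bash, confirm it accepts `-n`, because an unsupported option makes `read` fail and `$reply` stays empty, which silently falls through to whatever the remaining branches do. With a single-character read the terminal no longer echoes a newline, so the following `echo "Starting interactive shell..."` lands on the same line as the keystroke; an `echo` directly after the `read` keeps the prompt readable. The enclosing function begins before this hunk and its `if` chain continues after it.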
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 1914827d0e5d6..23a2dd45d492a 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -76,6 +76,10 @@ let
       "systemd-journald-dev-log.socket"
       "syslog.socket"
 
+      # Coredumps.
+      "systemd-coredump.socket"
+      "systemd-coredump@.service"
+
       # SysV init compatibility.
       "systemd-initctl.socket"
       "systemd-initctl.service"
@@ -540,6 +544,16 @@ in
       '';
     };
 
+    systemd.coredump.extraConfig = mkOption {
+      default = "";
+      type = types.lines;
+      example = "Storage=journal";
+      description = ''
+        Extra config options for systemd-coredump. See coredump.conf(5) man page
+        for available options.
+      '';
+    };
+
     systemd.extraConfig = mkOption {
       default = "";
       type = types.lines;
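Review bot: The `systemd.coredump.extraConfig` description should state that core dumps are now collected unconditionally: the deleted coredump.nix earlier in this diff gated `systemd-coredump.socket` behind `systemd.coredump.enable` (default false) and set `DefaultLimitCORE=0:infinity`, whereas this commit adds the units unconditionally in the first hunk of this file and sets `DefaultLimitCORE=infinity` in the next one. A crashed service's memory, including any private keys or tokens it held at the time, is therefore handed to systemd-coredump and stored by default, which is a change operators of secret-holding services will want to know about. Suggest appending to the description: `Core dumps are collected by default; set Storage=none or ProcessSizeMax=0 here to disable collection.` The placement of `DefaultLimitCORE=infinity` before `${config.systemd.extraConfig}` does let users override the limit, and I cannot see rename.nix or hardened.nix in this chunk, so whether the old enable option is mapped or the hardened profile turns collection off is unconfirmed from here.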
@@ -795,6 +809,7 @@ in
           DefaultMemoryAccounting=yes
           DefaultTasksAccounting=yes
         ''}
+        DefaultLimitCORE=infinity
         ${config.systemd.extraConfig}
       '';
 
@@ -818,6 +833,12 @@ in
         ${config.services.journald.extraConfig}
       '';
 
+      "systemd/coredump.conf".text =
+        ''
+          [Coredump]
+          ${config.systemd.coredump.extraConfig}
+        '';
+
       "systemd/logind.conf".text = ''
         [Login]
         KillUserProcesses=${if config.services.logind.killUserProcesses then "yes" else "no"}
@@ -831,6 +852,10 @@ in
         [Sleep]
       '';
 
+      # install provided sysctl snippets
+      "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
+      "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
+
       "tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf";
       "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf";
 
diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix
index 857aaf1e6e30c..fbca54978e5bd 100644
--- a/nixos/modules/tasks/network-interfaces-systemd.nix
+++ b/nixos/modules/tasks/network-interfaces-systemd.nix
@@ -74,7 +74,7 @@ in
         enable = true;
         networks."99-main" = genericNetwork mkDefault;
       }
-      (mkMerge (flip map interfaces (i: {
+      (mkMerge (forEach interfaces (i: {
         netdevs = mkIf i.virtual ({
           "40-${i.name}" = {
             netdevConfig = {
@@ -90,7 +90,7 @@ in
           name = mkDefault i.name;
           DHCP = mkForce (dhcpStr
             (if i.useDHCP != null then i.useDHCP else cfg.useDHCP && interfaceIps i == [ ]));
-          address = flip map (interfaceIps i)
+          address = forEach (interfaceIps i)
             (ip: "${ip.address}/${toString ip.prefixLength}");
           networkConfig.IPv6PrivacyExtensions = "kernel";
         } ];
@@ -102,7 +102,7 @@ in
             Kind = "bridge";
           };
         };
-        networks = listToAttrs (flip map bridge.interfaces (bi:
+        networks = listToAttrs (forEach bridge.interfaces (bi:
           nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) {
             DHCP = mkOverride 0 (dhcpStr false);
             networkConfig.Bridge = name;
@@ -173,7 +173,7 @@ in
 
         };
 
-        networks = listToAttrs (flip map bond.interfaces (bi:
+        networks = listToAttrs (forEach bond.interfaces (bi:
           nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) {
             DHCP = mkOverride 0 (dhcpStr false);
             networkConfig.Bond = name;
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index c75d7cbc408b8..5ac753c92a78e 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -926,7 +926,7 @@ in
     warnings = concatMap (i: i.warnings) interfaces;
 
     assertions =
-      (flip map interfaces (i: {
+      (forEach interfaces (i: {
         # With the linux kernel, interface name length is limited by IFNAMSIZ
         # to 16 bytes, including the trailing null byte.
         # See include/linux/if.h in the kernel sources
@@ -934,12 +934,12 @@ in
         message = ''
           The name of networking.interfaces."${i.name}" is too long, it needs to be less than 16 characters.
         '';
-      })) ++ (flip map slaveIfs (i: {
+      })) ++ (forEach slaveIfs (i: {
         assertion = i.ipv4.addresses == [ ] && i.ipv6.addresses == [ ];
         message = ''
           The networking.interfaces."${i.name}" must not have any defined ips when it is a slave.
         '';
-      })) ++ (flip map interfaces (i: {
+      })) ++ (forEach interfaces (i: {
         assertion = i.preferTempAddress -> cfg.enableIPv6;
         message = ''
           Temporary addresses are only needed when IPv6 is enabled.
@@ -967,8 +967,8 @@ in
       "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6);
       "net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces);
     } // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces)
-        (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true)))
-      // listToAttrs (flip map (filter (i: i.preferTempAddress) interfaces)
+        (i: forEach [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true)))
+      // listToAttrs (forEach (filter (i: i.preferTempAddress) interfaces)
         (i: nameValuePair "net.ipv6.conf.${i.name}.use_tempaddr" 2));
 
     # Capabilities won't work unless we have at-least a 4.3 Linux
@@ -1050,7 +1050,7 @@ in
           ${cfg.localCommands}
         '';
       };
-    } // (listToAttrs (flip map interfaces (i:
+    } // (listToAttrs (forEach interfaces (i:
       let
         deviceDependency = if (config.boot.isContainer || i.name == "lo")
           then []
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index c10e2b162ccc7..b65374c925776 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -138,7 +138,7 @@ let
         --bind-ro=/nix/var/nix/daemon-socket \
         --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \
         --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \
-        --link-journal=try-guest \
+        ${optionalString (!cfg.ephemeral) "--link-journal=try-guest"} \
         --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \
         --setenv HOST_BRIDGE="$HOST_BRIDGE" \
         --setenv HOST_ADDRESS="$HOST_ADDRESS" \
@@ -147,6 +147,7 @@ let
         --setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \
         --setenv HOST_PORT="$HOST_PORT" \
         --setenv PATH="$PATH" \
+        ${optionalString cfg.ephemeral "--ephemeral"} \
         ${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then
           ''--capability="${concatStringsSep " " cfg.additionalCapabilities}"'' else ""
         } \
@@ -247,6 +248,8 @@ let
 
     Type = "notify";
 
+    RuntimeDirectory = lib.optional cfg.ephemeral "containers/%i";
+
     # Note that on reboot, systemd-nspawn returns 133, so this
     # unit will be restarted. On poweroff, it returns 0, so the
     # unit won't be restarted.
@@ -419,6 +422,7 @@ let
     {
       extraVeths = {};
       additionalCapabilities = [];
+      ephemeral = false;
       allowedDevices = [];
       hostAddress = null;
       hostAddress6 = null;
@@ -511,6 +515,26 @@ in
                 information.
               '';
             };
+
+            ephemeral = mkOption {
+              type = types.bool;
+              default = false;
+              description = ''
+                Runs container in ephemeral mode with the empty root filesystem at boot.
+                This way container will be bootstrapped from scratch on each boot
+                and will be cleaned up on shutdown leaving no traces behind.
+                Useful for completely stateless, reproducible containers.
+
+                Note that this option might require to do some adjustments to the container configuration,
+                e.g. you might want to set
+                <varname>systemd.network.networks.$interface.dhcpConfig.ClientIdentifier</varname> to "mac"
+                if you use <varname>macvlans</varname> option.
+                This way dhcp client identifier will be stable between the container restarts.
+
+                Note that the container journal will not be linked to the host if this option is enabled.
+              '';
+            };
+
             enableTun = mkOption {
               type = types.bool;
               default = false;
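Review bot: The `ephemeral` description has wording worth fixing while the option is new: `Runs container in ephemeral mode with the empty root filesystem at boot` reads better as `Runs the container in ephemeral mode, with an empty root filesystem at each boot`, and `this option might require to do some adjustments` as `this option might require some adjustments`. The last sentence also understates the operational consequence: since the journal is not linked to the host, the container's logs appear to go away together with its root filesystem when it stops, so anyone relying on them for troubleshooting or incident review needs to forward them elsewhere. Suggest: `Note that the container journal is not linked to the host when this option is enabled, so container logs are lost when it stops unless they are forwarded.` The enclosing options set starts and ends outside this hunk.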
@@ -659,12 +683,14 @@ in
     unit = {
       description = "Container '%i'";
 
-      unitConfig.RequiresMountsFor = [ "/var/lib/containers/%i" ];
+      unitConfig.RequiresMountsFor = "/var/lib/containers/%i";
 
       path = [ pkgs.iproute ];
 
-      environment.INSTANCE = "%i";
-      environment.root = "/var/lib/containers/%i";
+      environment = {
+        root = "/var/lib/containers/%i";
+        INSTANCE = "%i";
+      };
 
       preStart = preStartScript dummyConfig;
 
@@ -703,11 +729,13 @@ in
             }
           else {});
         in
-          unit // {
+          recursiveUpdate unit {
             preStart = preStartScript containerConfig;
             script = startScript containerConfig;
             postStart = postStartScript containerConfig;
             serviceConfig = serviceDirectives containerConfig;
+            unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "/var/lib/containers/%i";
+            environment.root = if containerConfig.ephemeral then "/run/containers/%i" else "/var/lib/containers/%i";
           } // (
           if containerConfig.autoStart then
             {
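Review bot: `unitConfig.RequiresMountsFor` is given as a list here (`lib.optional …` yields `[]` or a one-element list) but as a bare string in the dummy unit of the previous hunk (`unitConfig.RequiresMountsFor = "/var/lib/containers/%i";`), which that hunk itself changed from a list. Since `recursiveUpdate` replaces the leaf value the two never merge, but the mixed representations are confusing to the next reader; keeping the dummy unit as `[ "/var/lib/containers/%i" ]` makes the two definitions consistent. The enclosing expression and the `// (` continuation extend beyond this hunk.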
diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix
index 5c59188b68b2c..79766970c757a 100644
--- a/nixos/modules/virtualisation/google-compute-config.nix
+++ b/nixos/modules/virtualisation/google-compute-config.nix
@@ -159,12 +159,6 @@ in
     # functionality/features (e.g. TCP Window scaling).
     "net.ipv4.tcp_syncookies" = mkDefault "1";
 
-    # ignores source-routed packets
-    "net.ipv4.conf.all.accept_source_route" = mkDefault "0";
-
-    # ignores source-routed packets
-    "net.ipv4.conf.default.accept_source_route" = mkDefault "0";
-
     # ignores ICMP redirects
     "net.ipv4.conf.all.accept_redirects" = mkDefault "0";
 
@@ -186,10 +180,10 @@ in
     # don't allow traffic between networks or act as a router
     "net.ipv4.conf.default.send_redirects" = mkDefault "0";
 
-    # reverse path filtering - IP spoofing protection
+    # strict reverse path filtering - IP spoofing protection
     "net.ipv4.conf.all.rp_filter" = mkDefault "1";
 
-    # reverse path filtering - IP spoofing protection
+    # strict path filtering - IP spoofing protection
     "net.ipv4.conf.default.rp_filter" = mkDefault "1";
 
     # ignores ICMP broadcasts to avoid participating in Smurf attacks
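Review bot: The previous hunk of this file drops the explicit `net.ipv4.conf.all.accept_source_route` and `net.ipv4.conf.default.accept_source_route = 0` settings with no replacement visible in this chunk, while the rest of the block keeps its anti-spoofing sysctls; if the intent is to rely on the kernel or guest-environment default, a one-line comment saying so would stop the next reader from re-adding them, and if not, the removal weakens the image's hardening. In this hunk the second comment lost a word: `# strict path filtering - IP spoofing protection` should read `# strict reverse path filtering - IP spoofing protection` to match the line above. The sysctl attribute set begins and ends outside this hunk.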
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index c24c8ae61a587..36a053e8e6bdc 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -47,6 +47,7 @@ in
   codimd = handleTest ./codimd.nix {};
   colord = handleTest ./colord.nix {};
   containers-bridge = handleTest ./containers-bridge.nix {};
+  containers-ephemeral = handleTest ./containers-ephemeral.nix {};
   containers-extra_veth = handleTest ./containers-extra_veth.nix {};
   containers-hosts = handleTest ./containers-hosts.nix {};
   containers-imperative = handleTest ./containers-imperative.nix {};
@@ -73,7 +74,7 @@ in
   #ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {};
   ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {};
   ecryptfs = handleTest ./ecryptfs.nix {};
-  ejabberd = handleTest ./ejabberd.nix {};
+  ejabberd = handleTest ./xmpp/ejabberd.nix {};
   elk = handleTestOn ["x86_64-linux"] ./elk.nix {};
   env = handleTest ./env.nix {};
   etcd = handleTestOn ["x86_64-linux"] ./etcd.nix {};
@@ -93,8 +94,10 @@ in
   gitlab = handleTest ./gitlab.nix {};
   gitolite = handleTest ./gitolite.nix {};
   gjs = handleTest ./gjs.nix {};
+  glusterfs = handleTest ./glusterfs.nix {};
   gnome3-xorg = handleTest ./gnome3-xorg.nix {};
   gnome3 = handleTest ./gnome3.nix {};
+  gnome-photos = handleTest ./gnome-photos.nix {};
   gocd-agent = handleTest ./gocd-agent.nix {};
   gocd-server = handleTest ./gocd-server.nix {};
   google-oslogin = handleTest ./google-oslogin {};
@@ -114,6 +117,7 @@ in
   hound = handleTest ./hound.nix {};
   hydra = handleTest ./hydra {};
   i3wm = handleTest ./i3wm.nix {};
+  icingaweb2 = handleTest ./icingaweb2.nix {};
   iftop = handleTest ./iftop.nix {};
   incron = handleTest ./incron.nix {};
   influxdb = handleTest ./influxdb.nix {};
@@ -124,6 +128,7 @@ in
   jackett = handleTest ./jackett.nix {};
   jellyfin = handleTest ./jellyfin.nix {};
   jenkins = handleTest ./jenkins.nix {};
+  jormungandr = handleTest ./jormungandr.nix {};
   kafka = handleTest ./kafka.nix {};
   kerberos = handleTest ./kerberos/default.nix {};
   kernel-latest = handleTest ./kernel-latest.nix {};
@@ -138,6 +143,7 @@ in
   latestKernel.login = handleTest ./login.nix { latestKernel = true; };
   ldap = handleTest ./ldap.nix {};
   leaps = handleTest ./leaps.nix {};
+  libxmlb = handleTest ./libxmlb.nix {};
   lidarr = handleTest ./lidarr.nix {};
   lightdm = handleTest ./lightdm.nix {};
   limesurvey = handleTest ./limesurvey.nix {};
@@ -150,6 +156,7 @@ in
   mediawiki = handleTest ./mediawiki.nix {};
   memcached = handleTest ./memcached.nix {};
   mesos = handleTest ./mesos.nix {};
+  metabase = handleTest ./metabase.nix {};
   miniflux = handleTest ./miniflux.nix {};
   minio = handleTest ./minio.nix {};
   misc = handleTest ./misc.nix {};
@@ -217,7 +224,8 @@ in
   prometheus = handleTest ./prometheus.nix {};
   prometheus2 = handleTest ./prometheus-2.nix {};
   prometheus-exporters = handleTest ./prometheus-exporters.nix {};
-  prosody = handleTest ./prosody.nix {};
+  prosody = handleTest ./xmpp/prosody.nix {};
+  prosodyMysql = handleTest ./xmpp/prosody-mysql.nix {};
   proxy = handleTest ./proxy.nix {};
   quagga = handleTest ./quagga.nix {};
   quake3 = handleTest ./quake3.nix {};
@@ -249,6 +257,7 @@ in
   systemd = handleTest ./systemd.nix {};
   systemd-confinement = handleTest ./systemd-confinement.nix {};
   systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
+  systemd-networkd-wireguard = handleTest ./systemd-networkd-wireguard.nix {};
   pdns-recursor = handleTest ./pdns-recursor.nix {};
   taskserver = handleTest ./taskserver.nix {};
   telegraf = handleTest ./telegraf.nix {};
@@ -256,6 +265,7 @@ in
   tinydns = handleTest ./tinydns.nix {};
   tor = handleTest ./tor.nix {};
   transmission = handleTest ./transmission.nix {};
+  trezord = handleTest ./trezord.nix {};
   udisks2 = handleTest ./udisks2.nix {};
   upnp = handleTest ./upnp.nix {};
   uwsgi = handleTest ./uwsgi.nix {};
diff --git a/nixos/tests/containers-ephemeral.nix b/nixos/tests/containers-ephemeral.nix
new file mode 100644
index 0000000000000..1ef8717d9a0e1
--- /dev/null
+++ b/nixos/tests/containers-ephemeral.nix
@@ -0,0 +1,56 @@
+# Test for NixOS' container support.
+
+import ./make-test.nix ({ pkgs, ...} : {
+  name = "containers-ephemeral";
+
+  machine = { pkgs, ... }: {
+    virtualisation.memorySize = 768;
+    virtualisation.writableStore = true;
+
+    containers.webserver = {
+      ephemeral = true;
+      privateNetwork = true;
+      hostAddress = "10.231.136.1";
+      localAddress = "10.231.136.2";
+      config = {
+        services.nginx = {
+          enable = true;
+          virtualHosts.localhost = {
+            root = (pkgs.runCommand "localhost" {} ''
+              mkdir "$out"
+              echo hello world > "$out/index.html"
+            '');
+          };
+        };
+        networking.firewall.allowedTCPPorts = [ 80 ];
+      };
+    };
+  };
+
+  testScript = ''
+    $machine->succeed("nixos-container list") =~ /webserver/ or die;
+
+    # Start the webserver container.
+    $machine->succeed("nixos-container start webserver");
+
+    # Check that container got its own root folder
+    $machine->succeed("ls /run/containers/webserver");
+
+    # Check that container persistent directory is not created
+    $machine->fail("ls /var/lib/containers/webserver");
+
+    # Since "start" returns after the container has reached
+    # multi-user.target, we should now be able to access it.
+    my $ip = $machine->succeed("nixos-container show-ip webserver");
+    chomp $ip;
+    $machine->succeed("ping -n -c1 $ip");
+    $machine->succeed("curl --fail http://$ip/ > /dev/null");
+
+    # Stop the container.
+    $machine->succeed("nixos-container stop webserver");
+    $machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null");
+
+    # Check that container's root folder was removed
+    $machine->fail("ls /run/containers/webserver");
+  '';
+})
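Review bot: The test checks that the root directory exists under /run and not under /var/lib, but not the property the option promises, namely that state does not survive a restart. Adding, before the stop, `$machine->succeed("nixos-container run webserver -- touch /root/marker");` and, after a fresh `nixos-container start webserver`, `$machine->fail("nixos-container run webserver -- ls /root/marker");` would pin that behaviour. The file-level comment `# Test for NixOS' container support.` could also name the ephemeral mode so the test's purpose is clear from the header.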
diff --git a/nixos/tests/glusterfs.nix b/nixos/tests/glusterfs.nix
new file mode 100644
index 0000000000000..9fd8bd2ed1294
--- /dev/null
+++ b/nixos/tests/glusterfs.nix
@@ -0,0 +1,65 @@
+import ./make-test.nix ({ ... } :
+
+let
+  client = { pkgs, ... } : {
+    environment.systemPackages = [ pkgs.glusterfs ];
+    fileSystems = pkgs.lib.mkVMOverride
+    [ { mountPoint = "/gluster";
+        fsType = "glusterfs";
+        device = "server1:/gv0";
+    } ];
+  };
+
+  server = { pkgs, ... } : {
+    networking.firewall.enable = false;
+    services.glusterfs.enable = true;
+
+    # create a mount point for the volume
+    boot.initrd.postDeviceCommands = ''
+      ${pkgs.e2fsprogs}/bin/mkfs.ext4 -L data /dev/vdb
+    '';
+
+    virtualisation.emptyDiskImages = [ 1024 ];
+
+    fileSystems = pkgs.lib.mkVMOverride
+      [ { mountPoint = "/data";
+          device = "/dev/disk/by-label/data";
+          fsType = "ext4";
+        }
+      ];
+  };
+in {
+  name = "glusterfs";
+
+  nodes = {
+    server1 = server;
+    server2 = server;
+    client1 = client;
+    client2 = client;
+  };
+
+  testScript = ''
+    $server1->waitForUnit("glusterd.service");
+    $server2->waitForUnit("glusterd.service");
+
+    # establish initial contact
+    $server1->succeed("sleep 2");
+    $server1->succeed("gluster peer probe server2");
+    $server1->succeed("gluster peer probe server1");
+
+    $server1->succeed("gluster peer status | grep Connected");
+
+    # create volumes
+    $server1->succeed("mkdir -p /data/vg0");
+    $server2->succeed("mkdir -p /data/vg0");
+    $server1->succeed("gluster volume create gv0 server1:/data/vg0 server2:/data/vg0");
+    $server1->succeed("gluster volume start gv0");
+
+    # test clients
+    $client1->waitForUnit("gluster.mount");
+    $client2->waitForUnit("gluster.mount");
+
+    $client1->succeed("echo test > /gluster/file1");
+    $client2->succeed("grep test /gluster/file1");
+  '';
+})
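Review bot: The comment `# create a mount point for the volume` in `server` sits above a command that formats `/dev/vdb` with mkfs.ext4, not one that creates a mount point; `# format the empty disk image that backs /data` describes what the line does. In testScript, `$server1->succeed("sleep 2")` is a fixed delay standing in for the peers becoming reachable, which tends to turn flaky on a loaded builder; wrapping the later `gluster peer status | grep Connected` check in `waitUntilSucceeds` and dropping the sleep waits on the actual condition. `networking.firewall.enable = false` on the servers is reasonable for a test but deserves a short test-only comment.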
diff --git a/nixos/tests/gnome-photos.nix b/nixos/tests/gnome-photos.nix
new file mode 100644
index 0000000000000..2ecda1d68ce34
--- /dev/null
+++ b/nixos/tests/gnome-photos.nix
@@ -0,0 +1,42 @@
+# run installed tests
+import ./make-test.nix ({ pkgs, lib, ... }:
+
+let
+
+  # gsettings tool with access to gsettings-desktop-schemas
+  desktop-gsettings = with pkgs; stdenv.mkDerivation {
+    name = "desktop-gsettings";
+    dontUnpack = true;
+    nativeBuildInputs = [ glib wrapGAppsHook ];
+    buildInputs = [ gsettings-desktop-schemas ];
+    installPhase = ''
+      runHook preInstall
+      mkdir -p $out/bin
+      ln -s ${glib.bin}/bin/gsettings $out/bin/desktop-gsettings
+      runHook postInstall
+    '';
+  };
+
+in
+
+{
+  name = "gnome-photos";
+  meta = {
+    maintainers = pkgs.gnome-photos.meta.maintainers;
+  };
+
+  machine = { pkgs, ... }: {
+    imports = [ ./common/x11.nix ];
+    programs.dconf.enable = true;
+    services.gnome3.at-spi2-core.enable = true; # needed for dogtail
+    environment.systemPackages = with pkgs; [ gnome-desktop-testing desktop-gsettings ];
+    services.dbus.packages = with pkgs; [ gnome-photos ];
+  };
+
+  testScript = ''
+    $machine->waitForX;
+    # dogtail needs accessibility enabled
+    $machine->succeed("desktop-gsettings set org.gnome.desktop.interface toolkit-accessibility true 2>&1");
+    $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.gnome-photos.installedTests}/share' 2>&1");
+  '';
+})
diff --git a/nixos/tests/icingaweb2.nix b/nixos/tests/icingaweb2.nix
new file mode 100644
index 0000000000000..ea1b94c526b13
--- /dev/null
+++ b/nixos/tests/icingaweb2.nix
@@ -0,0 +1,71 @@
+import ./make-test.nix ({ pkgs, ... }: {
+  name = "icingaweb2";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ das_j ];
+  };
+
+  nodes = {
+    icingaweb2 = { config, pkgs, ... }: {
+      services.icingaweb2 = {
+        enable = true;
+
+        modulePackages = with pkgs.icingaweb2Modules; {
+          particles = theme-particles;
+          spring = theme-spring;
+        };
+
+        modules = {
+          doc.enable = true;
+          migrate.enable =  true;
+          setup.enable = true;
+          test.enable = true;
+          translation.enable = true;
+        };
+
+        generalConfig = {
+          global = {
+            module_path = "${pkgs.icingaweb2}/modules";
+          };
+        };
+
+        authentications = {
+          icingaweb = {
+            backend = "external";
+          };
+        };
+
+        groupBackends = {
+          icingaweb = {
+            backend = "db";
+            resource = "icingaweb_db";
+          };
+        };
+
+        resources = {
+          # Not used, so no DB server needed
+          icingaweb_db = {
+            type = "db";
+            db = "mysql";
+            host = "localhost";
+            username = "icingaweb2";
+            password = "icingaweb2";
+            dbname = "icingaweb2";
+          };
+        };
+
+        roles = {
+          Administrators = {
+            users = "*";
+            permissions = "*";
+          };
+        };
+      };
+    };
+  };
+
+  testScript = ''
+    startAll();
+    $icingaweb2->waitForUnit("multi-user.target");
+    $icingaweb2->succeed("curl -sSf http://icingaweb2/authentication/login");
+  '';
+})
diff --git a/nixos/tests/jormungandr.nix b/nixos/tests/jormungandr.nix
new file mode 100644
index 0000000000000..ab4edf0506aa9
--- /dev/null
+++ b/nixos/tests/jormungandr.nix
@@ -0,0 +1,49 @@
+import ./make-test.nix ({ pkgs, ... }: {
+  name = "jormungandr";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ mmahut ];
+  };
+
+  nodes = {
+    bft = { ... }: {
+      environment.systemPackages = [ pkgs.jormungandr ];
+
+      services.jormungandr.enable = true;
+      services.jormungandr.genesisBlockFile = "/var/lib/jormungandr/block-0.bin";
+      services.jormungandr.secretFile = "/etc/secrets/jormungandr.yaml";
+    };
+  };
+
+  testScript = ''
+    startAll;
+
+    # Let's wait for the StateDirectory
+    $bft->waitForFile("/var/lib/jormungandr/");
+
+    # First, we generate the genesis file for our new blockchain
+    $bft->succeed("jcli genesis init > /root/genesis.yaml");
+
+    # We need to generate our secret key
+    $bft->succeed("jcli key generate --type=Ed25519 > /root/key.prv");
+
+    # We include the secret key into our services.jormungandr.secretFile
+    $bft->succeed("mkdir -p /etc/secrets");
+    $bft->succeed("echo -e \"bft:\\n signing_key:\" \$(cat /root/key.prv) > /etc/secrets/jormungandr.yaml");
+
+    # After that, we generate our public key from it
+    $bft->succeed("cat /root/key.prv | jcli key to-public > /root/key.pub");
+
+    # We add our public key as a consensus leader in the genesis configration file
+    $bft->succeed("sed -ie \"s/ed25519_pk1vvwp2s0n5jl5f4xcjurp2e92sj2awehkrydrlas4vgqr7xzt33jsadha32/\$(cat /root/key.pub)/\" /root/genesis.yaml");
+
+    # Now we can generate the genesis block from it
+    $bft->succeed("jcli genesis encode --input /root/genesis.yaml --output /var/lib/jormungandr/block-0.bin");
+
+    # We should have everything to start the service now
+    $bft->succeed("systemctl restart jormungandr");
+    $bft->waitForUnit("jormungandr.service");
+
+    # Now we can test if we are able to reach the REST API
+    $bft->waitUntilSucceeds("curl -L http://localhost:8607/api/v0/node/stats | grep uptime");
+  '';
+})
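Review bot: The signing key is written to `/etc/secrets/jormungandr.yaml` with the shell's default umask, and `mkdir -p /etc/secrets` creates the directory with default permissions too, so the node's private key is most likely world-readable inside the VM. Tightening it is two lines: `$bft->succeed("install -d -m 0700 /etc/secrets");` and `$bft->succeed("(umask 077; echo -e \"bft:\\n signing_key:\" \$(cat /root/key.prv) > /etc/secrets/jormungandr.yaml)");`. Separately, GNU sed parses `sed -ie` as `-i` with the backup suffix `e`, which leaves a stray `/root/genesis.yamle` behind; `sed -i -e` is what is meant. The comment above it also misspells "configuration" as "configration".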
diff --git a/nixos/tests/libxmlb.nix b/nixos/tests/libxmlb.nix
new file mode 100644
index 0000000000000..3bee568ac5a20
--- /dev/null
+++ b/nixos/tests/libxmlb.nix
@@ -0,0 +1,17 @@
+# run installed tests
+import ./make-test.nix ({ pkgs, ... }:
+
+{
+  name = "libxmlb";
+  meta = {
+    maintainers = pkgs.libxmlb.meta.maintainers;
+  };
+
+  machine = { pkgs, ... }: {
+    environment.systemPackages = with pkgs; [ gnome-desktop-testing ];
+  };
+
+  testScript = ''
+    $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.libxmlb.installedTests}/share'");
+  '';
+})
diff --git a/nixos/tests/metabase.nix b/nixos/tests/metabase.nix
new file mode 100644
index 0000000000000..be9e5ed5b1e8f
--- /dev/null
+++ b/nixos/tests/metabase.nix
@@ -0,0 +1,20 @@
+import ./make-test.nix ({ pkgs, ... }: {
+  name = "metabase";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ mmahut ];
+  };
+
+  nodes = {
+    machine = { ... }: {
+      services.metabase.enable = true;
+      virtualisation.memorySize = 1024;
+    };
+  };
+
+  testScript = ''
+    startAll;
+    $machine->waitForUnit("metabase.service");
+    $machine->waitForOpenPort(3000);
+    $machine->waitUntilSucceeds("curl -L http://localhost:3000/setup | grep Metabase");
+  '';
+})
diff --git a/nixos/tests/networking.nix b/nixos/tests/networking.nix
index 949d946bdc4c4..6ce64dcebea04 100644
--- a/nixos/tests/networking.nix
+++ b/nixos/tests/networking.nix
@@ -21,7 +21,7 @@ let
         useNetworkd = networkd;
         firewall.checkReversePath = true;
         firewall.allowedUDPPorts = [ 547 ];
-        interfaces = mkOverride 0 (listToAttrs (flip map vlanIfs (n:
+        interfaces = mkOverride 0 (listToAttrs (forEach vlanIfs (n:
           nameValuePair "eth${toString n}" {
             ipv4.addresses = [ { address = "192.168.${toString n}.1"; prefixLength = 24; } ];
             ipv6.addresses = [ { address = "fd00:1234:5678:${toString n}::1"; prefixLength = 64; } ];
diff --git a/nixos/tests/nginx.nix b/nixos/tests/nginx.nix
index d66d99821c112..d0b7306ae83b7 100644
--- a/nixos/tests/nginx.nix
+++ b/nixos/tests/nginx.nix
@@ -3,15 +3,15 @@
 #      generated virtual hosts config.
 #   2. whether the ETag header is properly generated whenever we're serving
 #      files in Nix store paths
-
+#   3. nginx doesn't restart on configuration changes (only reloads)
 import ./make-test.nix ({ pkgs, ... }: {
   name = "nginx";
   meta = with pkgs.stdenv.lib.maintainers; {
     maintainers = [ mbbx6spp ];
   };
 
-  nodes = let
-    commonConfig = { pkgs, ... }: {
+  nodes = {
+    webserver = { pkgs, lib, ... }: {
       services.nginx.enable = true;
       services.nginx.commonHttpConfig = ''
         log_format ceeformat '@cee: {"status":"$status",'
@@ -32,30 +32,42 @@ import ./make-test.nix ({ pkgs, ... }: {
           location /favicon.ico { allow all; access_log off; log_not_found off; }
         '';
       };
+
       services.nginx.virtualHosts.localhost = {
         root = pkgs.runCommand "testdir" {} ''
           mkdir "$out"
           echo hello world > "$out/index.html"
         '';
       };
-    };
-  in {
-    webserver = commonConfig;
 
-    newwebserver = { pkgs, lib, ... }: {
-      imports = [ commonConfig ];
-      services.nginx.virtualHosts.localhost = {
-        root = lib.mkForce (pkgs.runCommand "testdir2" {} ''
-          mkdir "$out"
-          echo hello world > "$out/index.html"
-        '');
-      };
+      services.nginx.enableReload = true;
+
+      nesting.clone = [
+        {
+          services.nginx.virtualHosts.localhost = {
+            root = lib.mkForce (pkgs.runCommand "testdir2" {} ''
+              mkdir "$out"
+              echo content changed > "$out/index.html"
+            '');
+          };
+        }
+
+        {
+          services.nginx.virtualHosts."1.my.test".listen = [ { addr = "127.0.0.1"; port = 8080; }];
+        }
+
+        {
+          services.nginx.package = pkgs.nginxUnstable;
+        }
+      ];
     };
+
   };
 
   testScript = { nodes, ... }: let
-    newServerSystem = nodes.newwebserver.config.system.build.toplevel;
-    switch = "${newServerSystem}/bin/switch-to-configuration test";
+    etagSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-1";
+    justReloadSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-2";
+    reloadRestartSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-3";
   in ''
     my $url = 'http://localhost/index.html';
 
@@ -77,9 +89,23 @@ import ./make-test.nix ({ pkgs, ... }: {
 
     subtest "check ETag if serving Nix store paths", sub {
       my $oldEtag = checkEtag;
-      $webserver->succeed('${switch}');
+      $webserver->succeed("${etagSystem}/bin/switch-to-configuration test >&2");
+      $webserver->sleep(1); # race condition
       my $newEtag = checkEtag;
       die "Old ETag $oldEtag is the same as $newEtag" if $oldEtag eq $newEtag;
     };
+
+    subtest "config is reloaded on nixos-rebuild switch", sub {
+      $webserver->succeed("${justReloadSystem}/bin/switch-to-configuration test >&2");
+      $webserver->waitForOpenPort("8080");
+      $webserver->fail("journalctl -u nginx | grep -q -i stopped");
+      $webserver->succeed("journalctl -u nginx | grep -q -i reloaded");
+    };
+
+    subtest "restart when nginx package changes", sub {
+      $webserver->succeed("${reloadRestartSystem}/bin/switch-to-configuration test >&2");
+      $webserver->waitForUnit("nginx");
+      $webserver->succeed("journalctl -u nginx | grep -q -i stopped");
+    };
   '';
 })
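Review bot: `$webserver->sleep(1); # race condition` in the ETag subtest papers over the reload with a fixed delay, which is the kind of wait that turns flaky under load. Since the test already expects a "reloaded" journal line, waiting on that condition instead would be deterministic: `$webserver->waitUntilSucceeds("journalctl -u nginx | grep -q -i reloaded");`. If the reload is in fact asynchronous relative to `switch-to-configuration` (inferred, not visible here), a short comment saying what the wait is for would also help the next reader; the surrounding `testScript` begins in the previous hunk.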
diff --git a/nixos/tests/php-pcre.nix b/nixos/tests/php-pcre.nix
index 19bde9babad5d..ae44aec7944f4 100644
--- a/nixos/tests/php-pcre.nix
+++ b/nixos/tests/php-pcre.nix
@@ -8,30 +8,25 @@ import ./make-test.nix ({ ...}: {
     services.httpd = {
       enable = true;
       adminAddr = "please@dont.contact";
-      extraSubservices = lib.singleton {
-        function = f: {
-          enablePHP = true;
-          phpOptions = "pcre.jit = true";
+      enablePHP = true;
+      phpOptions = "pcre.jit = true";
+      extraConfig =
+      let
+        testRoot = pkgs.writeText "index.php"
+        ''
+          <?php
+            preg_match('/(${testString})/', '${testString}', $result);
+            var_dump($result);
+          ?>
+        '';
+      in
+        ''
+          Alias / ${testRoot}/
 
-          extraConfig =
-          let
-            testRoot = pkgs.writeText "index.php"
-            ''
-              <?php
-                preg_match('/(${testString})/', '${testString}', $result);
-                var_dump($result);
-              ?>
-            '';
-          in
-            ''
-              Alias / ${testRoot}/
-
-              <Directory ${testRoot}>
-                Require all granted
-              </Directory>
-            '';
-        };
-      };
+          <Directory ${testRoot}>
+            Require all granted
+          </Directory>
+        '';
     };
   };
   testScript = { ... }:
diff --git a/nixos/tests/prosody.nix b/nixos/tests/prosody.nix
deleted file mode 100644
index a39bae7898dc2..0000000000000
--- a/nixos/tests/prosody.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-import ./make-test.nix {
-  name = "prosody";
-
-  machine = { pkgs, ... }: {
-    services.prosody = {
-      enable = true;
-      # TODO: use a self-signed certificate
-      c2sRequireEncryption = false;
-      extraConfig = ''
-        storage = "sql"
-      '';
-      virtualHosts.test = {
-        domain = "example.com";
-        enabled = true;
-      };
-    };
-    environment.systemPackages = [
-      (pkgs.callPackage ./xmpp-sendmessage.nix {})
-    ];
-  };
-
-  testScript = ''
-    $machine->waitForUnit('prosody.service');
-    $machine->succeed('prosodyctl status') =~ /Prosody is running/;
-
-    # set password to 'nothunter2' (it's asked twice)
-    $machine->succeed('yes nothunter2 | prosodyctl adduser cthon98@example.com');
-    # set password to 'y'
-    $machine->succeed('yes | prosodyctl adduser azurediamond@example.com');
-    # correct password to 'hunter2'
-    $machine->succeed('yes hunter2 | prosodyctl passwd azurediamond@example.com');
-
-    $machine->succeed("send-message");
-
-    $machine->succeed('prosodyctl deluser cthon98@example.com');
-    $machine->succeed('prosodyctl deluser azurediamond@example.com');
-  '';
-}
diff --git a/nixos/tests/subversion.nix b/nixos/tests/subversion.nix
deleted file mode 100644
index e7b99b10602a2..0000000000000
--- a/nixos/tests/subversion.nix
+++ /dev/null
@@ -1,121 +0,0 @@
-import ./make-test.nix ({ pkgs, ...} : 
-
-let
-
-  # Build some packages with coverage instrumentation.
-  overrides = pkgs:
-    with pkgs.stdenvAdapters;
-    let
-      do = pkg: pkg.override (args: {
-        stdenv = addCoverageInstrumentation args.stdenv;
-      });
-    in
-      rec {
-        apr = do pkgs.apr;
-        aprutil = do pkgs.aprutil;
-        apacheHttpd = do pkgs.apacheHttpd;
-        mod_python = do pkgs.mod_python;
-        subversion = do pkgs.subversion;
-
-        # To build the kernel with coverage instrumentation, we need a
-        # special patch to make coverage data available under /proc.
-        linux = pkgs.linux.override (orig: {
-          stdenv = overrideInStdenv pkgs.stdenv [ pkgs.keepBuildTree ];
-          extraConfig =
-            ''
-              GCOV_KERNEL y
-              GCOV_PROFILE_ALL y
-            '';
-        });
-      };
-
-in
-
-{
-  name = "subversion";
-  meta = with pkgs.stdenv.lib.maintainers; {
-    maintainers = [ eelco ];
-  };
-
-  nodes =
-    { webserver =
-        { ... }:
-
-        {
-          services.httpd.enable = true;
-          services.httpd.adminAddr = "e.dolstra@tudelft.nl";
-          services.httpd.extraSubservices =
-            [ { function = import <services/subversion>;
-                urlPrefix = "";
-                dataDir = "/data/subversion";
-                userCreationDomain = "192.168.0.0/16";
-              }
-            ];
-          nixpkgs.config.packageOverrides = overrides;
-        };
-
-      client =
-        { pkgs, ... }:
-
-        {
-          environment.systemPackages = [ pkgs.subversion ];
-          nixpkgs.config.packageOverrides = overrides;
-        };
-
-    };
-
-  testScript =
-    ''
-      startAll;
-
-      $webserver->waitForOpenPort(80);
-
-      print STDERR $client->succeed("svn --version");
-
-      print STDERR $client->succeed("curl --fail http://webserver/");
-
-      # Create a new user through the web interface.
-      $client->succeed("curl --fail -F username=alice -F fullname='Alice Lastname' -F address=alice\@example.org -F password=foobar -F password_again=foobar http://webserver/repoman/adduser");
-
-      # Let Alice create a new repository.
-      $client->succeed("curl --fail -u alice:foobar --form repo=xyzzy --form description=Xyzzy http://webserver/repoman/create");
-
-      $client->succeed("curl --fail http://webserver/") =~ /alice/ or die;
-
-      # Let Alice do a checkout.
-      my $svnFlags = "--non-interactive --username alice --password foobar";
-      $client->succeed("svn co $svnFlags http://webserver/repos/xyzzy wc");
-      $client->succeed("echo hello > wc/world");
-      $client->succeed("svn add wc/world");
-      $client->succeed("svn ci $svnFlags -m 'Added world.' wc/world");
-
-      # Create a new user on the server through the create-user.pl script.
-      $webserver->execute("svn-server-create-user.pl bob bob\@example.org Bob");
-      $webserver->succeed("svn-server-resetpw.pl bob fnord");
-      $client->succeed("curl --fail http://webserver/") =~ /bob/ or die;
-
-      # Bob should not have access to the repo.
-      my $svnFlagsBob = "--non-interactive --username bob --password fnord";
-      $client->fail("svn co $svnFlagsBob http://webserver/repos/xyzzy wc2");
-
-      # Bob should not be able change the ACLs of the repo.
-      # !!! Repoman should really return a 403 here.
-      $client->succeed("curl --fail -u bob:fnord -F description=Xyzzy -F readers=alice,bob -F writers=alice -F watchers= -F tardirs= http://webserver/repoman/update/xyzzy")
-          =~ /not authorised/ or die;
-
-      # Give Bob access.
-      $client->succeed("curl --fail -u alice:foobar -F description=Xyzzy -F readers=alice,bob -F writers=alice -F watchers= -F tardirs= http://webserver/repoman/update/xyzzy");
-
-      # So now his checkout should succeed.
-      $client->succeed("svn co $svnFlagsBob http://webserver/repos/xyzzy wc2");
-
-      # Test ViewVC and WebSVN
-      $client->succeed("curl --fail -u alice:foobar http://webserver/viewvc/xyzzy");
-      $client->succeed("curl --fail -u alice:foobar http://webserver/websvn/xyzzy");
-      $client->succeed("curl --fail -u alice:foobar http://webserver/repos-xml/xyzzy");
-
-      # Stop Apache to gather all the coverage data.
-      $webserver->stopJob("httpd");
-    '';
-
-})
diff --git a/nixos/tests/systemd-networkd-wireguard.nix b/nixos/tests/systemd-networkd-wireguard.nix
new file mode 100644
index 0000000000000..f1ce1e791ce3a
--- /dev/null
+++ b/nixos/tests/systemd-networkd-wireguard.nix
@@ -0,0 +1,80 @@
+let generateNodeConf = { lib, pkgs, config, privkpath, pubk, peerId, nodeId, ...}: {
+      imports = [ common/user-account.nix ];
+      systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
+      networking.useNetworkd = true;
+      networking.firewall.enable = false;
+      virtualisation.vlans = [ 1 ];
+      environment.systemPackages = with pkgs; [ wireguard-tools ];
+      boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+      systemd.network = {
+        enable = true;
+        netdevs = {
+          "90-wg0" = {
+            netdevConfig = { Kind = "wireguard"; Name = "wg0"; };
+            wireguardConfig = {
+              PrivateKeyFile = privkpath ;
+              ListenPort = 51820;
+              FwMark = 42;
+            };
+            wireguardPeers = [ {wireguardPeerConfig={
+              Endpoint = "192.168.1.${peerId}:51820";
+              PublicKey = pubk;
+              PresharedKeyFile = pkgs.writeText "psk.key" "yTL3sCOL33Wzi6yCnf9uZQl/Z8laSE+zwpqOHC4HhFU=";
+              AllowedIPs = [ "10.0.0.${peerId}/32" ];
+              PersistentKeepalive = 15;
+            };}];
+          };
+        };
+        networks = {
+          "99-nope" = {
+            matchConfig.Name = "eth*";
+            linkConfig.Unmanaged = true;
+          };
+          "90-wg0" = {
+            matchConfig = { Name = "wg0"; };
+            address = [ "10.0.0.${nodeId}/32" ];
+            routes = [
+              { routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }; }
+            ];
+          };
+          "90-eth1" = {
+            matchConfig = { Name = "eth1"; };
+            address = [ "192.168.1.${nodeId}/24" ];
+          };
+        };
+      };
+    };
+in import ./make-test.nix ({pkgs, ... }: {
+  name = "networkd-wireguard";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ ninjatrappeur ];
+  };
+  nodes = {
+    node1 = { pkgs, ... }@attrs:
+    let localConf = {
+        privkpath = pkgs.writeText "priv.key" "GDiXWlMQKb379XthwX0haAbK6hTdjblllpjGX0heP00=";
+        pubk = "iRxpqj42nnY0Qz8MAQbSm7bXxXP5hkPqWYIULmvW+EE=";
+        nodeId = "1";
+        peerId = "2";
+    };
+    in generateNodeConf (attrs // localConf);
+
+    node2 = { pkgs, ... }@attrs:
+    let localConf = {
+        privkpath = pkgs.writeText "priv.key" "eHxSI2jwX/P4AOI0r8YppPw0+4NZnjOxfbS5mt06K2k=";
+        pubk = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
+        nodeId = "2";
+        peerId = "1";
+    };
+    in generateNodeConf (attrs // localConf);
+  };
+testScript = ''
+    startAll;
+    $node1->waitForUnit('systemd-networkd-wait-online.service');
+    $node2->waitForUnit('systemd-networkd-wait-online.service');
+    $node1->succeed('ping -c 5 10.0.0.2');
+    $node2->succeed('ping -c 5 10.0.0.1');
+    # Is the fwmark set?
+    $node2->succeed('wg | grep -q 42');
+'';
+})
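Review bot: The WireGuard private keys and the pre-shared key are passed through `pkgs.writeText`, so they end up as world-readable files in the Nix store of the test VM; that is fine for fixtures that only live inside this isolated test, but a comment such as `# test-only keys: they land in the world-readable Nix store, never reuse them` above `generateNodeConf` would make the intent explicit. The final assertion `wg | grep -q 42` matches the digits anywhere in the `wg` output (keys, counters, ports), so it does not really prove the fwmark was applied; `$node2->succeed('wg show wg0 fwmark | grep -q 0x2a');` checks the specific field (42 printed in hex, verify against the wg version in use). As a point of style, `PrivateKeyFile = privkpath ;` has a stray space and `testScript` sits at column 0 while the rest of the attrset is indented.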
diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix
index fadea52f1dbc3..3168c026d5140 100644
--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@@ -78,19 +78,16 @@ import ./make-test.nix ({ pkgs, ... }: {
       $machine->fail('dumpe2fs /dev/vdb | grep -q "^Last mount time: *n/a"');
     };
 
-    # Regression test for https://github.com/NixOS/nixpkgs/issues/35268
-    subtest "file system with x-initrd.mount is not unmounted", sub {
-      $machine->shutdown;
-      $machine->waitForUnit('multi-user.target');
-      # If the file system was unmounted during the shutdown the file system
-      # has a last mount time, because the file system wasn't checked.
-      $machine->fail('dumpe2fs /dev/vdb | grep -q "^Last mount time: *n/a"');
-    };
-
     subtest "systemd-shutdown works", sub {
       $machine->shutdown;
       $machine->waitForUnit('multi-user.target');
       $machine->succeed('test -e /tmp/shared/shutdown-test');
     };
+
+   # Test settings from /etc/sysctl.d/50-default.conf are applied
+   subtest "systemd sysctl settings are applied", sub {
+     $machine->waitForUnit('multi-user.target');
+     $machine->succeed('sysctl net.core.default_qdisc | grep -q "fq_codel"');
+   };
   '';
 })
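Review bot: The new "systemd sysctl settings are applied" subtest is indented with three spaces while every other `subtest` in the script uses four, which makes it look like a different nesting level. Re-indenting the six added lines by one space is all that is needed. The subtest runs after "systemd-shutdown works", which reboots the machine, so the leading `waitForUnit('multi-user.target')` is doing real work and deserves a short comment saying so; the enclosing `testScript` starts outside this hunk.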
diff --git a/nixos/tests/trezord.nix b/nixos/tests/trezord.nix
new file mode 100644
index 0000000000000..1c85bf539345d
--- /dev/null
+++ b/nixos/tests/trezord.nix
@@ -0,0 +1,20 @@
+import ./make-test.nix ({ pkgs, ... }: {
+  name = "trezord";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ mmahut ];
+  };
+
+  nodes = {
+    machine = { ... }: {
+      services.trezord.enable = true;
+      services.trezord.emulator.enable = true;
+    };
+  };
+
+  testScript = ''
+    startAll;
+    $machine->waitForUnit("trezord.service");
+    $machine->waitForOpenPort(21325);
+    $machine->waitUntilSucceeds("curl -L http://localhost:21325/status/ | grep Version");
+  '';
+})
diff --git a/nixos/tests/ejabberd.nix b/nixos/tests/xmpp/ejabberd.nix
index 0691dfe780d2a..196a04aca3000 100644
--- a/nixos/tests/ejabberd.nix
+++ b/nixos/tests/xmpp/ejabberd.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ../make-test.nix ({ pkgs, ... }: {
   name = "ejabberd";
   meta = with pkgs.stdenv.lib.maintainers; {
     maintainers = [ ajs124 ];
@@ -45,8 +45,7 @@ import ./make-test.nix ({ pkgs, ... }: {
               ip: "127.0.0.1"
               module: ejabberd_service
               access: local
-              shaper_rule: fast
-              ip: "127.0.0.1"
+              shaper: fast
 
           ## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
           ## password storage (see auth_password_format option).
@@ -181,7 +180,6 @@ import ./make-test.nix ({ pkgs, ... }: {
             mod_client_state: {}
             mod_configure: {} # requires mod_adhoc
             ## mod_delegation: {} # for xep0356
-            mod_echo: {}
             #mod_irc:
             #  host: "irc.@HOST@"
             #  default_encoding: "utf-8"
diff --git a/nixos/tests/xmpp/prosody-mysql.nix b/nixos/tests/xmpp/prosody-mysql.nix
new file mode 100644
index 0000000000000..62b4a17421e53
--- /dev/null
+++ b/nixos/tests/xmpp/prosody-mysql.nix
@@ -0,0 +1,77 @@
+import ../make-test.nix {
+  name = "prosody-mysql";
+
+  nodes = {
+    client = { nodes, pkgs, ... }: {
+      environment.systemPackages = [
+        (pkgs.callPackage ./xmpp-sendmessage.nix { connectTo = nodes.server.config.networking.primaryIPAddress; })
+      ];
+    };
+    server = { config, pkgs, ... }: {
+      nixpkgs.overlays = [
+        (self: super: {
+          prosody = super.prosody.override {
+            withDBI = true;
+            withExtraLibs = [ pkgs.luaPackages.luadbi-mysql ];
+          };
+        })
+      ];
+      networking.extraHosts = ''
+        ${config.networking.primaryIPAddress} example.com
+      '';
+      networking.firewall.enable = false;
+      services.prosody = {
+        enable = true;
+        # TODO: use a self-signed certificate
+        c2sRequireEncryption = false;
+        extraConfig = ''
+          storage = "sql"
+          sql = {
+            driver = "MySQL";
+            database = "prosody";
+            host = "mysql";
+            port = 3306;
+            username = "prosody";
+            password = "password123";
+          };
+        '';
+        virtualHosts.test = {
+          domain = "example.com";
+          enabled = true;
+        };
+      };
+    };
+    mysql = { config, pkgs, ... }: {
+      networking.firewall.enable = false;
+      services.mysql = {
+        enable = true;
+        initialScript = pkgs.writeText "mysql_init.sql" ''
+          CREATE DATABASE prosody;
+          CREATE USER 'prosody'@'server' IDENTIFIED BY 'password123';
+          GRANT ALL PRIVILEGES ON prosody.* TO 'prosody'@'server';
+          FLUSH PRIVILEGES;
+        '';
+        package = pkgs.mariadb;
+      };
+    };
+  };
+
+  testScript = { nodes, ... }: ''
+    $mysql->waitForUnit('mysql.service');
+    $server->waitForUnit('prosody.service');
+    $server->succeed('prosodyctl status') =~ /Prosody is running/;
+
+    # set password to 'nothunter2' (it's asked twice)
+    $server->succeed('yes nothunter2 | prosodyctl adduser cthon98@example.com');
+    # set password to 'y'
+    $server->succeed('yes | prosodyctl adduser azurediamond@example.com');
+    # correct password to 'hunter2'
+    $server->succeed('yes hunter2 | prosodyctl passwd azurediamond@example.com');
+
+    $client->succeed("send-message");
+
+    $server->succeed('prosodyctl deluser cthon98@example.com');
+    $server->succeed('prosodyctl deluser azurediamond@example.com');
+  '';
+}
+
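Review bot: Nothing in `testScript` checks that accounts or messages actually went through the MySQL backend, so a prosody that silently fell back to internal storage after a failed database connection would still pass this test. A closing assertion on the mysql node, for example `$mysql->succeed("mysql -u root prosody -e 'SELECT COUNT(*) FROM prosody' | grep -qv '^0\$'")`, would pin that (prosody's SQL storage keeps its rows in a table named `prosody`; verify against the module version in use). The script waits for `mysql.service` but not for the port, so `$mysql->waitForOpenPort(3306);` before `waitForUnit('prosody.service')` would make the intended ordering explicit rather than inferred. The `password123` credential and `networking.firewall.enable = false` on both nodes are test fixtures for an isolated VM network and would benefit from a one-line comment saying so; the file also ends with a trailing blank line.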
diff --git a/nixos/tests/xmpp/prosody.nix b/nixos/tests/xmpp/prosody.nix
new file mode 100644
index 0000000000000..8331c7b6d3310
--- /dev/null
+++ b/nixos/tests/xmpp/prosody.nix
@@ -0,0 +1,46 @@
+import ../make-test.nix {
+  name = "prosody";
+
+  nodes = {
+    client = { nodes, pkgs, ... }: {
+      environment.systemPackages = [
+        (pkgs.callPackage ./xmpp-sendmessage.nix { connectTo = nodes.server.config.networking.primaryIPAddress; })
+      ];
+    };
+    server = { config, pkgs, ... }: {
+      networking.extraHosts = ''
+        ${config.networking.primaryIPAddress} example.com
+      '';
+      networking.firewall.enable = false;
+      services.prosody = {
+        enable = true;
+        # TODO: use a self-signed certificate
+        c2sRequireEncryption = false;
+        extraConfig = ''
+          storage = "sql"
+        '';
+        virtualHosts.test = {
+          domain = "example.com";
+          enabled = true;
+        };
+      };
+    };
+  };
+
+  testScript = { nodes, ... }: ''
+    $server->waitForUnit('prosody.service');
+    $server->succeed('prosodyctl status') =~ /Prosody is running/;
+
+    # set password to 'nothunter2' (it's asked twice)
+    $server->succeed('yes nothunter2 | prosodyctl adduser cthon98@example.com');
+    # set password to 'y'
+    $server->succeed('yes | prosodyctl adduser azurediamond@example.com');
+    # correct password to 'hunter2'
+    $server->succeed('yes hunter2 | prosodyctl passwd azurediamond@example.com');
+
+    $client->succeed("send-message");
+
+    $server->succeed('prosodyctl deluser cthon98@example.com');
+    $server->succeed('prosodyctl deluser azurediamond@example.com');
+  '';
+}
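Review bot: The `client` node, the `virtualHosts` block and the whole `testScript` are duplicated verbatim from `prosody-mysql.nix` in this same commit, so a future fix to one test (for instance the `c2sRequireEncryption` TODO) will have to be made twice. Moving the shared pieces into a file next to `xmpp-sendmessage.nix` and importing it from both tests would keep them in step. `testScript = { nodes, ... }:` declares `nodes` but never uses it; `testScript = ''` suffices here.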
diff --git a/nixos/tests/xmpp-sendmessage.nix b/nixos/tests/xmpp/xmpp-sendmessage.nix
index 2a075a0181340..2a075a0181340 100644
--- a/nixos/tests/xmpp-sendmessage.nix
+++ b/nixos/tests/xmpp/xmpp-sendmessage.nix