diff options
| author | Robert Hensing <roberth@users.noreply.github.com> | 2022-06-03 14:22:13 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-06-03 14:22:13 +0200 |
| commit | 793180cf557e9f5368466f62d6c54a8887895d3e (patch) | |
| tree | 4316f53c3cceccb15e24358406f7b299cbb6cb77 /nixos | |
| parent | 2a750c302669a59a13d8a2a6fa038cbc6e6cb134 (diff) | |
| parent | b92013d842d28cd3d53cdf168e4dd1042cdac4e7 (diff) | |
Merge branch 'master' into 172325-nixostest-override-python-pkgs-additional-param
Diffstat (limited to 'nixos')
58 files changed, 1576 insertions, 621 deletions
diff --git a/nixos/doc/manual/development/option-types.section.md b/nixos/doc/manual/development/option-types.section.md index 00f1d85bdb615..d32d4fc50ad79 100644 --- a/nixos/doc/manual/development/option-types.section.md +++ b/nixos/doc/manual/development/option-types.section.md @@ -308,6 +308,10 @@ The option set can be defined directly ([Example: Directly defined submodule](#ex-submodule-direct)) or as reference ([Example: Submodule defined as a reference](#ex-submodule-reference)). +Note that even if your submodule’s options all have a default value, +you will still need to provide a default value (e.g. an empty attribute set) +if you want to allow users to leave it undefined. + ::: {#ex-submodule-direct .example} ::: {.title} **Example: Directly defined submodule** diff --git a/nixos/doc/manual/development/writing-nixos-tests.section.md b/nixos/doc/manual/development/writing-nixos-tests.section.md index fff8873e61d0d..f4f4056ad9889 100644 --- a/nixos/doc/manual/development/writing-nixos-tests.section.md +++ b/nixos/doc/manual/development/writing-nixos-tests.section.md @@ -332,6 +332,19 @@ repository): ''; ``` +Similarly, the type checking of test scripts can be disabled in the following +way: + +```nix +import ./make-test-python.nix { + skipTypeCheck = true; + nodes.machine = + { config, pkgs, ... }: + { configuration… + }; +} +``` + ## Failing tests early {#ssec-failing-tests-early} To fail tests early when certain invariables are no longer met (instead of waiting for the build to time out), the decorator `polling_condition` is provided. For example, if we are testing a program `foo` that should not quit after being started, we might write the following: diff --git a/nixos/doc/manual/from_md/development/option-types.section.xml b/nixos/doc/manual/from_md/development/option-types.section.xml index 4447292927021..c67e183581c2c 100644 --- a/nixos/doc/manual/from_md/development/option-types.section.xml +++ b/nixos/doc/manual/from_md/development/option-types.section.xml @@ -617,6 +617,12 @@ (<link linkend="ex-submodule-reference">Example: Submodule defined as a reference</link>). </para> + <para> + Note that even if your submodule’s options all have a default + value, you will still need to provide a default value (e.g. an + empty attribute set) if you want to allow users to leave it + undefined. + </para> <anchor xml:id="ex-submodule-direct" /> <para> <emphasis role="strong">Example: Directly defined diff --git a/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml b/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml index 36f5f00410fc3..46367bdd345d1 100644 --- a/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml +++ b/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml @@ -590,6 +590,19 @@ import ./make-test-python.nix { # fmt: on ''; </programlisting> + <para> + Similarly, the type checking of test scripts can be disabled in + the following way: + </para> + <programlisting language="bash"> +import ./make-test-python.nix { + skipTypeCheck = true; + nodes.machine = + { config, pkgs, ... }: + { configuration… + }; +} +</programlisting> </section> <section xml:id="ssec-failing-tests-early"> <title>Failing tests early</title> diff --git a/nixos/doc/manual/from_md/installation/upgrading.chapter.xml b/nixos/doc/manual/from_md/installation/upgrading.chapter.xml index e3b77d4c3650b..11fe1d317ccdd 100644 --- a/nixos/doc/manual/from_md/installation/upgrading.chapter.xml +++ b/nixos/doc/manual/from_md/installation/upgrading.chapter.xml @@ -12,7 +12,7 @@ <listitem> <para> <emphasis>Stable channels</emphasis>, such as - <link xlink:href="https://nixos.org/channels/nixos-21.11"><literal>nixos-21.11</literal></link>. + <link xlink:href="https://nixos.org/channels/nixos-22.05"><literal>nixos-22.05</literal></link>. These only get conservative bug fixes and package upgrades. For instance, a channel update may cause the Linux kernel on your system to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), @@ -33,7 +33,7 @@ <listitem> <para> <emphasis>Small channels</emphasis>, such as - <link xlink:href="https://nixos.org/channels/nixos-21.11-small"><literal>nixos-21.11-small</literal></link> + <link xlink:href="https://nixos.org/channels/nixos-22.05-small"><literal>nixos-22.05-small</literal></link> or <link xlink:href="https://nixos.org/channels/nixos-unstable-small"><literal>nixos-unstable-small</literal></link>. These are identical to the stable and unstable channels @@ -60,8 +60,8 @@ <para> When you first install NixOS, you’re automatically subscribed to the NixOS channel that corresponds to your installation source. For - instance, if you installed from a 21.11 ISO, you will be subscribed - to the <literal>nixos-21.11</literal> channel. To see which NixOS + instance, if you installed from a 22.05 ISO, you will be subscribed + to the <literal>nixos-22.05</literal> channel. To see which NixOS channel you’re subscribed to, run the following as root: </para> <programlisting> @@ -76,17 +76,17 @@ nixos https://nixos.org/channels/nixos-unstable </programlisting> <para> (Be sure to include the <literal>nixos</literal> parameter at the - end.) For instance, to use the NixOS 21.11 stable channel: + end.) For instance, to use the NixOS 22.05 stable channel: </para> <programlisting> -# nix-channel --add https://nixos.org/channels/nixos-21.11 nixos +# nix-channel --add https://nixos.org/channels/nixos-22.05 nixos </programlisting> <para> If you have a server, you may want to use the <quote>small</quote> channel instead: </para> <programlisting> -# nix-channel --add https://nixos.org/channels/nixos-21.11-small nixos +# nix-channel --add https://nixos.org/channels/nixos-22.05-small nixos </programlisting> <para> And if you want to live on the bleeding edge: @@ -146,7 +146,7 @@ system.autoUpgrade.allowReboot = true; also specify a channel explicitly, e.g. </para> <programlisting language="bash"> -system.autoUpgrade.channel = https://nixos.org/channels/nixos-21.11; +system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05; </programlisting> </section> </chapter> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index d46d5e0f0345b..5208671e4dab0 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -1,5 +1,5 @@ <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-22.05"> - <title>Release 22.05 (“Quokka”, 2022.05/??)</title> + <title>Release 22.05 (“Quokka”, 2022.05/30)</title> <itemizedlist spacing="compact"> <listitem> <para> @@ -16,75 +16,30 @@ </para> <itemizedlist> <listitem> - <para> - The <literal>firefox</literal> browser on - <literal>x86_64-linux</literal> is now making use of - profile-guided optimization resulting in a much more - responsive browsing experience. - </para> +<literallayout>Nix has been updated from 2.3 to 2.8. This mainly brings experimental support for Flakes, but also marks the <literal>nix</literal> command as experimental which now has to be enabled via the configuration explicitly. For more information and instructions for upgrades, see the relase notes for <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.4.html">nix-2.4</link>, +<link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.5.html">nix-2.5</link>, <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.6.html">nix-2.6</link>, <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.7.html">nix-2.7</link> and <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.8.html">nix-2.8</link></literallayout> </listitem> <listitem> <para> - <literal>security.acme.defaults</literal> has been added to - simplify configuring settings for many certificates at once. - This also opens up the the option to use DNS-01 validation - when using <literal>enableACME</literal> on web server virtual - hosts (e.g. - <literal>services.nginx.virtualHosts.*.enableACME</literal>). + The <literal>firefox</literal> browser on + <literal>x86_64-linux</literal> now makes use of + profile-guided optimisation, resulting in a much more + responsive browsing experience. </para> </listitem> <listitem> <para> GNOME has been upgraded to 42. Please take a look at their <link xlink:href="https://release.gnome.org/42/">Release - Notes</link> for details. Notably, it replaces gedit with - GNOME Text Editor, GNOME Terminal with GNOME Console (formerly - King’s Cross), and GNOME Screenshot with a tool built into the - Shell. - </para> - </listitem> - <listitem> - <para> - <literal>stdenv.mkDerivation</literal> now supports a - self-referencing <literal>finalAttrs:</literal> parameter - containing the final <literal>mkDerivation</literal> arguments - including overrides. <literal>drv.overrideAttrs</literal> now - supports two parameters - <literal>finalAttrs: previousAttrs:</literal>. This allows - packaging configuration to be overridden in a consistent - manner by providing an alternative to - <literal>rec {}</literal> syntax. - </para> - <para> - Additionally, <literal>passthru</literal> can now reference - <literal>finalAttrs.finalPackage</literal> containing the - final package, including attributes such as the output paths - and <literal>overrideAttrs</literal>. - </para> - <para> - New language integrations can be simplified by overriding a - <quote>prototype</quote> package containing the - language-specific logic. This removes the need for a extra - layer of overriding for the <quote>generic builder</quote> - arguments, thus removing a usability problem and source of - error. + Notes</link> for details. In particular, it replaces gedit + with GNOME Text Editor, GNOME Terminal with GNOME Console + (formerly King’s Cross) and GNOME Screenshot by a tool + integrated into the Shell. </para> </listitem> <listitem> <para> - PHP 8.1 is now available - </para> - </listitem> - <listitem> - <para> - Mattermost has been updated to extended support release 6.3, - as the previously packaged extended support release 5.37 is - <link xlink:href="https://docs.mattermost.com/upgrade/extended-support-release.html">reaching - its end of life</link>. Migrations may take a while, see the - <link xlink:href="https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release">changelog</link> - and - <link xlink:href="https://docs.mattermost.com/upgrade/important-upgrade-notes.html">important - upgrade notes</link>. + PHP 8.1 is now available. </para> </listitem> <listitem> @@ -102,18 +57,17 @@ </listitem> <listitem> <para> - Pulseaudio has been upgraded to version 15.0 and now - optionally + Pulseaudio has been updated to version 15.0 and now optionally <link xlink:href="https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/15.0/#supportforldacandaptxbluetoothcodecsplussbcxqsbcwithhigher-qualityparameters">supports - additional Bluetooth audio codecs</link> like aptX or LDAC, - with codec switching support being available in + additional Bluetooth audio codecs</link> such as aptX or LDAC, + with codec switching available in <literal>pavucontrol</literal>. This feature is disabled by - default but can be enabled by using + default, but can be enabled with the option <literal>hardware.pulseaudio.package = pkgs.pulseaudioFull;</literal>. - Existing 3rd party modules that provided similar - functionality, like <literal>pulseaudio-modules-bt</literal> - or <literal>pulseaudio-hsphfpd</literal> are deprecated and - have been removed. + Existing third-party modules that offered similar functions, + such as <literal>pulseaudio-modules-bt</literal> or + <literal>pulseaudio-hsphfpd</literal>, are obsolete and have + been removed. </para> </listitem> <listitem> @@ -123,38 +77,6 @@ </listitem> <listitem> <para> - The new - <link xlink:href="https://nixos.org/manual/nixpkgs/stable/#sec-postgresqlTestHook"><literal>postgresqlTestHook</literal></link> - runs a PostgreSQL server for the duration of package checks. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://kops.sigs.k8s.io"><literal>kops</literal></link> - defaults to 1.23.2, which will enable - <link xlink:href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html">Instance - Metadata Service Version 2</link> and require tokens on new - clusters with Kubernetes >= 1.22. This will increase - security by default, but may break some types of workloads. - The default behaviour for - <literal>spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS</literal> - has changed from <literal>true</literal> to - <literal>false</literal>. Cilium now has - <literal>disable-cnp-status-updates: true</literal> by - default. Set this to false if you rely on the - CiliumNetworkPolicy status fields. Support for Kubernetes - 1.17, the Lyft CNI, Weave CNI on Kubernetes >= 1.23, CentOS - 7 and 8, Debian 9, RHEL 7, and Ubuntu 16.05 (Xenial) has been - removed. See the - <link xlink:href="https://kops.sigs.k8s.io/releases/1.22-notes/">1.22 - release notes</link> and - <link xlink:href="https://kops.sigs.k8s.io/releases/1.23-notes/">1.23 - release notes</link> for more details, including other - significant changes. - </para> - </listitem> - <listitem> - <para> Module authors can use <literal>mkRenamedOptionModuleWith</literal> to automate the deprecation cycle without annoying out-of-tree module authors @@ -177,6 +99,16 @@ users to easily install and set up NixOS with a GUI. </para> </listitem> + <listitem> + <para> + <literal>security.acme.defaults</literal> has been added to + simplify the configuration of settings for many certificates + at once. This also opens up the option to use DNS-01 + validation when using <literal>enableACME</literal> web server + virtual hosts (e.g. + <literal>services.nginx.virtualHosts.*.enableACME</literal>). + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-22.05-new-services"> @@ -184,6 +116,16 @@ <itemizedlist> <listitem> <para> + <link xlink:href="https://1password.com/">1password</link>, + command-lines and graphic interface for 1Password. Available + as + <link linkend="opt-programs._1password.enable">programs._1password</link> + and + <link linkend="opt-programs._1password.enable">programs._1password-gui</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw">aesmd</link>, the Intel SGX Architectural Enclave Service Manager. Available as @@ -192,98 +134,148 @@ </listitem> <listitem> <para> - <link xlink:href="https://docs.docker.com/engine/security/rootless/">rootless - Docker</link>, a <literal>systemd --user</literal> Docker - service which runs without root permissions. Available as - <link xlink:href="options.html#opt-virtualisation.docker.rootless.enable">virtualisation.docker.rootless.enable</link>. + <link xlink:href="https://github.com/mbrubeck/agate">agate</link>, + a very simple server for the Gemini hypertext protocol. + Available as + <link linkend="opt-services.agate.enable">services.agate</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://conduit.rs/">matrix-conduit</link>, - a simple, fast and reliable chat server powered by matrix. - Available as - <link xlink:href="option.html#opt-services.matrix-conduit.enable">services.matrix-conduit</link>. + <link xlink:href="https://github.com/linux-apfs/linux-apfs-rw">apfs</link>, + a kernel module for mounting the Apple File System (APFS). </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/vvilhonen/nethoscope">nethoscope</link>, - listen to your network traffic. Available as - <link linkend="opt-programs.nethoscope.enable">programs.nethoscope</link>. + <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm">ArchiSteamFarm</link>, + a C# application with primary purpose of idling Steam cards + from multiple accounts simultaneously. Available as + <link linkend="opt-services.archisteamfarm.enable">services.archisteamfarm</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html">filebeat</link>, - a lightweight shipper for forwarding and centralizing log - data. Available as - <link linkend="opt-services.filebeat.enable">services.filebeat</link>. + <link xlink:href="https://loic-sharma.github.io/BaGet/">BaGet</link>, + a lightweight NuGet and symbol server. Available at + <link linkend="opt-services.baget.enable">services.baget</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/linux-apfs/linux-apfs-rw">apfs</link>, - a kernel module for mounting the Apple File System (APFS). + <link xlink:href="https://github.com/xddxdd/bird-lg-go">bird-lg</link>, + a BGP looking glass for Bird Routing. Available as + <link linkend="opt-services.bird-lg.package">services.bird-lg</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://frrouting.org/">FRRouting</link>, a - popular suite of Internet routing protocol daemons (BGP, BFD, - OSPF, IS-IS, VRRP and others). Available as - <link linkend="opt-services.frr.babel.enable">services.frr</link> + <link xlink:href="https://0xerr0r.github.io/blocky/">blocky</link>, + fast and lightweight DNS proxy as ad-blocker for local network + with many features. Available as + <link linkend="opt-services.blocky.enable">services.blocky</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/hifi/heisenbridge">heisenbridge</link>, - a bouncer-style Matrix IRC bridge. Available as - <link xlink:href="options.html#opt-services.heisenbridge.enable">services.heisenbridge</link>. + <link xlink:href="https://github.com/kissgyorgy/cloudflare-dyndns">cloudflare-dyndns</link>, + CloudFlare Dynamic DNS client. Available as + <link linkend="opt-services.cloudflare-dyndns.enable">services.cloudflare-dyndns</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://snowflake.torproject.org/">snowflake-proxy</link>, - a system to defeat internet censorship. Available as - <link xlink:href="options.html#opt-services.snowflake-proxy.enable">services.snowflake-proxy</link>. + <link xlink:href="https://corosync.github.io/corosync/">Corosync</link> + and + <link xlink:href="https://clusterlabs.org/pacemaker/">Pacemaker</link>, + A open-source high availability resource manager. Available as + <link linkend="opt-services.corosync.enable">services.corosync</link> + and + <link linkend="opt-services.pacemaker.enable">services.pacemaker</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/fleaz/r53-ddns">r53-ddns</link>, - a small tool to run your own DDNS service via AWS Route53. - Available as - <link xlink:href="options.html#opt-services.r53-ddns.enable">services.r53-ddns</link>. + <link xlink:href="https://github.com/lakinduakash/linux-wifi-hotspot">create_ap</link>, + a module for creating wifi hotspots using the program + linux-wifi-hotspot. Available as + <link linkend="opt-services.create_ap.enable">services.create_ap</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.envoyproxy.io/">Envoy</link>, a + high-performance reverse proxy. Available as + <link linkend="opt-services.envoy.enable">services.envoy</link>. </para> </listitem> <listitem> <para> <link xlink:href="https://ergo.chat">ergochat</link>, a modern IRC with IRCv3 features. Available as - <link xlink:href="options.html#opt-services.ergochat.enable">services.ergochat</link>. + <link linkend="opt-services.ergochat.enable">services.ergochat</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://snipeitapp.com">Snipe-IT</link>, a - free open source IT asset/license management system. Available - as - <link xlink:href="options.html#opt-services.snipe-it.enable">services.snipe-it</link>. + <link xlink:href="https://github.com/audreyt/ethercalc">ethercalc</link>, + an online collaborative spreadsheet. Available as + <link linkend="opt-services.ethercalc.enable">services.ethercalc</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/ngoduykhanh/PowerDNS-Admin">PowerDNS-Admin</link>, - a web interface for the PowerDNS server. Available at - <link xlink:href="options.html#opt-services.powerdns-admin.enable">services.powerdns-admin</link>. + <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html">filebeat</link>, + a lightweight shipper for forwarding and centralizing log + data. Available as + <link linkend="opt-services.filebeat.enable">services.filebeat</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/postgres/pgadmin4">pgadmin4</link>, - an admin interface for the PostgreSQL database. Available at - <link xlink:href="options.html#opt-services.pgadmin.enable">services.pgadmin</link>. + <link xlink:href="https://frrouting.org/">FRRouting</link>, a + popular suite of Internet routing protocol daemons (BGP, BFD, + OSPF, IS-IS, VRRP and others). Available as + <link linkend="opt-services.frr.babel.enable">services.frr</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://grafana.com/oss/mimir/">Grafana + Mimir</link>, an open source, horizontally scalable, highly + available, multi-tenant, long-term storage for Prometheus. + Available as + <link linkend="opt-services.mimir.enable">services.mimir</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://hastebin.com/about.md">Haste</link>, + a pastebin written in node.js. Available as + <link linkend="opt-services.haste-server.enable">services.haste</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/juanfont/headscale">headscale</link>, + an Open Source implementation of the + <link xlink:href="https://tailscale.io">Tailscale</link> + Control Server. Available as + <link linkend="opt-services.headscale.enable">services.headscale</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/hifi/heisenbridge">heisenbridge</link>, + a bouncer-style Matrix IRC bridge. Available as + <link linkend="opt-services.heisenbridge.enable">services.heisenbridge</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/aarond10/https_dns_proxy">https-dns-proxy</link>, + DNS to DNS over HTTPS (DoH) proxy. Available as + <link linkend="opt-services.https-dns-proxy.enable">services.https-dns-proxy</link>. </para> </listitem> <listitem> @@ -291,7 +283,7 @@ <link xlink:href="https://github.com/sezanzeb/input-remapper">input-remapper</link>, an easy to use tool to change the mapping of your input device buttons. Available at - <link xlink:href="options.html#opt-services.input-remapper.enable">services.input-remapper</link>. + <link linkend="opt-services.input-remapper.enable">services.input-remapper</link>. </para> </listitem> <listitem> @@ -299,109 +291,133 @@ <link xlink:href="https://invoiceplane.com">InvoicePlane</link>, web application for managing and creating invoices. Available at - <link xlink:href="options.html#opt-services.invoiceplane.enable">services.invoiceplane</link>. + <link linkend="opt-services.invoiceplane.sites._name_.enable">services.invoiceplane</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://maddy.email">maddy</link>, a - composable all-in-one mail server. Available as - <link xlink:href="options.html#opt-services.maddy.enable">services.maddy</link>. + <link xlink:href="https://userbase.kde.org/K3b">k3b</link>, + the KDE disk burning application. Available as + <link linkend="opt-programs.k3b.enable">programs.k3b</link>. </para> </listitem> <listitem> <para> <link xlink:href="https://www.scorchworks.com/K40whisperer/k40whisperer.html">K40-Whisperer</link>, a program to control cheap Chinese laser cutters. Available as - <link xlink:href="options.html#opt-programs.k4-whisperer.enable">programs.k40-whisperer.enable</link>. + <link linkend="opt-programs.k40-whisperer.enable">programs.k40-whisperer.enable</link>. Users must add themselves to the <literal>k40</literal> group to be able to access the device. </para> </listitem> <listitem> <para> + <link xlink:href="https://kanidm.github.io/kanidm/stable/">kanidm</link>, + an identity management server written in Rust. Available as + <link linkend="opt-services.kanidm.enableServer">services.kanidm</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://maddy.email/">Maddy</link>, a free + an open source mail server. Availabe as + <link linkend="opt-services.maddy.enable">services.maddy</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://conduit.rs/">matrix-conduit</link>, + a simple, fast and reliable chat server powered by matrix. + Available as + <link xlink:href="option.html#opt-services.matrix-conduit.enable">services.matrix-conduit</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://moosefs.com">Moosefs</link>, fault + tolerant petabyte distributed file system. Available as + <link linkend="opt-services.moosefs.master.enable">moosefs</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://github.com/mozilla-mobile/mozilla-vpn-client">mozillavpn</link>, the client for the <link xlink:href="https://vpn.mozilla.org/">Mozilla VPN</link> service. Available as - <link xlink:href="options.html#opt-services.mozillavpn">services.mozillavpn</link>. + <link linkend="opt-services.mozillavpn.enable">services.mozillavpn</link>. </para> </listitem> <listitem> <para> <link xlink:href="https://github.com/mgumz/mtr-exporter">mtr-exporter</link>, a Prometheus exporter for mtr metrics. Available as - <link xlink:href="options.html#opt-services.mtr-exporter.enable">services.mtr-exporter</link>. + <link linkend="opt-services.mtr-exporter.enable">services.mtr-exporter</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/prometheus-pve/prometheus-pve-exporter">prometheus-pve-exporter</link>, - a tool that exposes information from the Proxmox VE API for - use by Prometheus. Available as - <link xlink:href="options.html#opt-services.prometheus.exporters.pve">services.prometheus.exporters.pve</link>. + <link xlink:href="https://nbd.sourceforge.io/">nbd</link>, a + Network Block Device server. Available as + <link linkend="opt-services.nbd.server.enable">services.nbd</link>. </para> </listitem> <listitem> <para> <link xlink:href="https://github.com/netbox-community/netbox">netbox</link>, infrastructure resource modeling (IRM) tool. Available as - <link xlink:href="options.html#opt-services.netbox.enable">services.netbox</link>. + <link linkend="opt-services.netbox.enable">services.netbox</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://tetrd.app">tetrd</link>, share your - internet connection from your device to your PC and vice versa - through a USB cable. Available at - <link linkend="opt-services.tetrd.enable">services.tetrd</link>. + <link xlink:href="https://github.com/vvilhonen/nethoscope">nethoscope</link>, + listen to your network traffic. Available as + <link linkend="opt-programs.nethoscope.enable">programs.nethoscope</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://upterm.dev">uptermd</link>, an - open-source solution for sharing terminal sessions instantly - over the public internet via secure tunnels. Available at - <link linkend="opt-services.uptermd.enable">services.uptermd</link>. + <link xlink:href="https://nifi.apache.org">nifi</link>, an + easy to use, powerful, and reliable system to process and + distribute data. Available as + <link linkend="opt-services.nifi.enable">services.nifi</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/mbrubeck/agate">agate</link>, - a very simple server for the Gemini hypertext protocol. - Available as - <link xlink:href="options.html#opt-services.agate.enable">services.agate</link>. + <link xlink:href="https://github.com/Mic92/nix-ld">nix-ld</link>, + Run unpatched dynamic binaries on NixOS. Available as + <link linkend="opt-programs.nix-ld.enable">programs.nix-ld</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm">ArchiSteamFarm</link>, - a C# application with primary purpose of idling Steam cards - from multiple accounts simultaneously. Available as - <link xlink:href="options.html#opt-services.archisteamfarm.enable">services.archisteamfarm</link>. + <link xlink:href="http://www.nncpgo.org">NNCP</link>, NNCP + (Node to Node copy) utilities and configuration, Available as + <link linkend="opt-programs.nncp.enable">programs.nncp</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://goteleport.com">teleport</link>, - allows engineers and security professionals to unify access - for SSH servers, Kubernetes clusters, web applications, and - databases across all environments. Available at - <link linkend="opt-services.teleport.enable">services.teleport</link>. + <link xlink:href="https://github.com/postgres/pgadmin4">pgadmin4</link>, + an admin interface for the PostgreSQL database. Available at + <link linkend="opt-services.pgadmin.enable">services.pgadmin</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://loic-sharma.github.io/BaGet/">BaGet</link>, - a lightweight NuGet and symbol server. Available at - <link linkend="opt-services.baget.enable">services.baget</link>. + <link xlink:href="https://github.com/ngoduykhanh/PowerDNS-Admin">PowerDNS-Admin</link>, + a web interface for the PowerDNS server. Available at + <link linkend="opt-services.powerdns-admin.enable">services.powerdns-admin</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://moosefs.com">moosefs</link>, fault - tolerant petabyte distributed file system. Available as - <link linkend="opt-services.moosefs.client.enable">moosefs</link>. + <link xlink:href="https://github.com/prometheus-pve/prometheus-pve-exporter">prometheus-pve-exporter</link>, + a tool that exposes information from the Proxmox VE API for + use by Prometheus. Available as + <link linkend="opt-services.prometheus.exporters.pve.enable">services.prometheus.exporters.pve</link>. </para> </listitem> <listitem> @@ -413,94 +429,145 @@ </listitem> <listitem> <para> - <link xlink:href="https://github.com/rfjakob/systembus-notify">systembus-notify</link>, - allow system level notifications to reach the users. Available + <link xlink:href="https://public-inbox.org">Public + Inbox</link>, an <quote>archives first</quote> approach to + mailing lists. Available as + <link linkend="opt-services.public-inbox.enable">services.public-inbox</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/fleaz/r53-ddns">r53-ddns</link>, + a small tool to run your own DDNS service via AWS Route53. + Available as + <link linkend="opt-services.r53-ddns.enable">services.r53-ddns</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://ddvk.github.io/rmfakecloud/">rmfakecloud</link>, + a clone of the cloud sync the remarkable tablet. Available as + <link linkend="opt-services.rmfakecloud.enable">services.rmfakecloud</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://docs.docker.com/engine/security/rootless/">rootless + Docker</link>, a <literal>systemd --user</literal> Docker + service which runs without root permissions. Available as + <link linkend="opt-virtualisation.docker.rootless.enable">virtualisation.docker.rootless.enable</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.rstudio.com/products/rstudio/#rstudio-server">rstudio-server</link>, + a browser-based version of the RStudio IDE for the R + programming language. Available as + <link linkend="opt-services.rstudio-server.enable">services.rstudio-server</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/aler9/rtsp-simple-server">rtsp-simple-server</link>, + ready-to-use RTSP / RTMP / HLS server and proxy that allows to + read, publish and proxy video and audio streams. Available as + <link linkend="opt-services.rtsp-simple-server.enable">services.rtsp-simple-server</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://snipeitapp.com">Snipe-IT</link>, a + free open source IT asset/license management system. Available as - <link xlink:href="opt-services.systembus-notify.enable">services.systembus-notify</link>. - Please keep in mind that this service should only be enabled - on machines with fully trusted users, as any local user is - able to DoS user sessions by spamming notifications. + <link linkend="opt-services.snipe-it.enable">services.snipe-it</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/audreyt/ethercalc">ethercalc</link>, - an online collaborative spreadsheet. Available as - <link xlink:href="options.html#opt-services.ethercalc.enable">services.ethercalc</link>. + <link xlink:href="https://snowflake.torproject.org/">snowflake-proxy</link>, + a system to defeat internet censorship. Available as + <link linkend="opt-services.snowflake-proxy.enable">services.snowflake-proxy</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://nbd.sourceforge.io/">nbd</link>, a - Network Block Device server. Available as - <link xlink:href="options.html#opt-services.nbd.server.enable">services.nbd</link>. + <link xlink:href="https://sslmate.com/">sslmate-agent</link>, + a daemon for managing SSL/TLS certificates on a server. + Available as + <link xlink:href="services.sslmate-agent.enable">services.sslmate-agent</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/Mic92/nix-ld">nix-ld</link>, - Run unpatched dynamic binaries on NixOS. Available as - <link xlink:href="options.html#opt-programs.nix-ld.enable">programs.nix-ld</link>. + <link xlink:href="https://starship.rs">starship</link>, a + minimal, blazing-fast, and infinitely customizable prompt for + any shell. Available at + <link linkend="opt-programs.starship.enable">programs.startship</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://timetagger.app">timetagger</link>, - an open source time-tracker with an intuitive user experience - and powerful reporting. - <link xlink:href="options.html#opt-services.timetagger.enable">services.timetagger</link>. + <link xlink:href="https://github.com/rfjakob/systembus-notify">systembus-notify</link>, + allow system level notifications to reach the users. Available + as + <link xlink:href="opt-services.systembus-notify.enable">services.systembus-notify</link>. + Please keep in mind that this service should only be enabled + on machines with fully trusted users, as any local user is + able to DoS user sessions by spamming notifications. </para> </listitem> <listitem> <para> - <link xlink:href="https://www.rstudio.com/products/rstudio/#rstudio-server">rstudio-server</link>, - a browser-based version of the RStudio IDE for the R - programming language. Available as - <link xlink:href="options.html#opt-services.rstudio-server.enable">services.rstudio-server</link>. + <link xlink:href="https://goteleport.com">teleport</link>, + allows engineers and security professionals to unify access + for SSH servers, Kubernetes clusters, web applications, and + databases across all environments. Available at + <link linkend="opt-services.teleport.enable">services.teleport</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/juanfont/headscale">headscale</link>, - an Open Source implementation of the - <link xlink:href="https://tailscale.io">Tailscale</link> - Control Server. Available as - <link xlink:href="options.html#opt-services.headscale.enable">services.headscale</link> + <link xlink:href="https://tetrd.app">tetrd</link>, share your + internet connection from your device to your PC and vice versa + through a USB cable. Available at + <link linkend="opt-services.tetrd.enable">services.tetrd</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/lakinduakash/linux-wifi-hotspot">create_ap</link>, - a module for creating wifi hotspots using the program - linux-wifi-hotspot. Available as - <link xlink:href="options.html#opt-services.create_ap.enable">services.create_ap</link>. + <link xlink:href="https://upterm.dev">uptermd</link>, an + open-source solution for sharing terminal sessions instantly + over the public internet via secure tunnels. Available at + <link linkend="opt-services.uptermd.enable">services.uptermd</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://0xerr0r.github.io/blocky/">blocky</link>, - fast and lightweight DNS proxy as ad-blocker for local network - with many features. + <link xlink:href="https://github.com/darrylb123/usbrelay">usbrelayd</link>, + an USB Relay MQTT daemon. Available as + <link linkend="opt-services.usbrelayd.enable">services.usbrelayd</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://clusterlabs.org/pacemaker/">pacemaker</link> - cluster resource manager + <link xlink:href="https://github.com/miquels/webdav-server-rs">webdav-server-rs</link>, + Webdav server in rust. Available as + <link linkend="opt-services.webdav-server-rs.enable">services.webdav-server-rs</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://nifi.apache.org">nifi</link>, an - easy to use, powerful, and reliable system to process and - distribute data. Available as - <link xlink:href="options.html#opt-services.nifi.enable">services.nifi</link>. + <link xlink:href="https://github.com/gin66/wg_netmanager">wg-netmanager</link>, + the Wireguard network manager. Available as + <link linkend="opt-services.wg-netmanager.enable">services.wg-netmanager</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://kanidm.github.io/kanidm/stable/">kanidm</link>, - an identity management server written in Rust. + <link xlink:href="https://zammad.org/">Zammad</link>, a + web-based, open source user support/ticketing solution. + Available as + <link linkend="opt-services.zammad.enable">services.zammad</link>. </para> </listitem> </itemizedlist> @@ -548,7 +615,7 @@ version of the <literal>xmonad</literal> module, which will break your configuration if you use <literal>launch</literal> as entrypoint. The example code the corresponding nixos module - was adjusted, you way want to have a look at it. + was adjusted, you may want to have a look at it. </para> </listitem> <listitem> @@ -727,6 +794,13 @@ <literal>services.openldap.settings</literal>, which represents your <literal>cn=config</literal>. </para> + <para> + Additionally with 2.5 the argon2 module was included in the + standard distrubtion and renamed from + <literal>pw-argon2</literal> to <literal>argon2</literal>. + Remember to update your <literal>olcModuleLoad</literal> entry + in <literal>cn=config</literal>. + </para> </listitem> <listitem> <para> @@ -932,7 +1006,7 @@ }; extraConfigFiles = [ - /run/keys/matrix-synapse/secrets.yaml + "/run/keys/matrix-synapse/secrets.yaml" ]; }; } @@ -940,7 +1014,9 @@ <para> The secrets in your original config should be migrated into a YAML file that is included via - <literal>extraConfigFiles</literal>. + <literal>extraConfigFiles</literal>. The filename must be + quoted to prevent nix from copying it to the (world readable) + store. </para> <para> Additionally a few option defaults have been synced up with @@ -1913,6 +1989,43 @@ </listitem> <listitem> <para> + <link xlink:href="https://kops.sigs.k8s.io"><literal>kops</literal></link> + defaults to 1.23.2, which will enable + <link xlink:href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html">Instance + Metadata Service Version 2</link> and require tokens on new + clusters with Kubernetes >= 1.22. This will increase + security by default, but may break some types of workloads. + The default behaviour for + <literal>spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS</literal> + has changed from <literal>true</literal> to + <literal>false</literal>. Cilium now has + <literal>disable-cnp-status-updates: true</literal> by + default. Set this to false if you rely on the + CiliumNetworkPolicy status fields. Support for Kubernetes + 1.17, the Lyft CNI, Weave CNI on Kubernetes >= 1.23, CentOS + 7 and 8, Debian 9, RHEL 7, and Ubuntu 16.05 (Xenial) has been + removed. See the + <link xlink:href="https://kops.sigs.k8s.io/releases/1.22-notes/">1.22 + release notes</link> and + <link xlink:href="https://kops.sigs.k8s.io/releases/1.23-notes/">1.23 + release notes</link> for more details, including other + significant changes. + </para> + </listitem> + <listitem> + <para> + Mattermost has been upgraded to extended support version 6.3 + as the previously packaged extended support version 5.37 is + <link xlink:href="https://docs.mattermost.com/upgrade/extended-support-release.html">reaching + end of life</link>. Migration may take some time, see the + <link xlink:href="https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release">changelog</link> + and + <link xlink:href="https://docs.mattermost.com/upgrade/important-upgrade-notes.html">important + upgrade notes</link>. + </para> + </listitem> + <listitem> + <para> The <literal>writers.writePyPy2</literal>/<literal>writers.writePyPy3</literal> and corresponding @@ -1989,6 +2102,28 @@ cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb" </listitem> <listitem> <para> + Peertube now uses services.redis.servers to start a new redis + server, instead of using a global redis server. This improves + compatibility with other services that use redis. + </para> + <para> + Redis database is used for storage only cache and job queue. + More information can be found here - + <link xlink:href="https://docs.joinpeertube.org/contribute-architecture">Peertube + architecture</link>. + </para> + <para> + If you do want to save the redis database, you can use the + following commands before upgrade OS: + </para> + <programlisting language="bash"> +redis-cli save +sudo mkdir /var/lib/redis-peertube +sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb +</programlisting> + </listitem> + <listitem> + <para> If you are using Wayland you can choose to use the Ozone Wayland support in Chrome and several Electron apps by setting the environment variable <literal>NIXOS_OZONE_WL=1</literal> @@ -2160,13 +2295,6 @@ cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb" </listitem> <listitem> <para> - A new module was added for the Envoy reverse proxy, providing - the options <literal>services.envoy.enable</literal> and - <literal>services.envoy.settings</literal>. - </para> - </listitem> - <listitem> - <para> The option <literal>services.duplicati.dataDir</literal> has been added to allow changing the location of duplicati’s files. @@ -2362,15 +2490,6 @@ cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb" </listitem> <listitem> <para> - A new module was added for the - <link xlink:href="https://starship.rs/">Starship</link> shell - prompt, providing the options - <literal>programs.starship.enable</literal> and - <literal>programs.starship.settings</literal>. - </para> - </listitem> - <listitem> - <para> The <link xlink:href="https://dino.im">Dino</link> XMPP client was updated to 0.3, adding support for audio and video calls. </para> @@ -2577,6 +2696,14 @@ cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb" </listitem> <listitem> <para> + The default <literal>scribus</literal> version is now 1.5, + while version 1.4 is still available as + <literal>scribus_1_4</literal> + (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/172700">#172700</link>). + </para> + </listitem> + <listitem> + <para> The Nextcloud module now supports to create a Mysql database automatically with <literal>services.nextcloud.database.createLocally</literal> @@ -2620,12 +2747,6 @@ cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb" </listitem> <listitem> <para> - The <literal>programs.nncp</literal> options were added for - generating host-global NNCP configuration. - </para> - </listitem> - <listitem> - <para> The option <literal>services.snapserver.openFirewall</literal> will no longer default to <literal>true</literal> starting with NixOS 22.11. Enable it explicitly if you need to control @@ -2648,6 +2769,40 @@ cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb" case of scripted networking, no behavior was changed. </para> </listitem> + <listitem> + <para> + The new + <link xlink:href="https://nixos.org/manual/nixpkgs/stable/#sec-postgresqlTestHook"><literal>postgresqlTestHook</literal></link> + runs a PostgreSQL server for the duration of package checks. + </para> + </listitem> + <listitem> + <para> + <literal>stdenv.mkDerivation</literal> now supports a + self-referencing <literal>finalAttrs:</literal> parameter + containing the final <literal>mkDerivation</literal> arguments + including overrides. <literal>drv.overrideAttrs</literal> now + supports two parameters + <literal>finalAttrs: previousAttrs:</literal>. This allows + packaging configuration to be overridden in a consistent + manner by providing an alternative to + <literal>rec {}</literal> syntax. + </para> + <para> + Additionally, <literal>passthru</literal> can now reference + <literal>finalAttrs.finalPackage</literal> containing the + final package, including attributes such as the output paths + and <literal>overrideAttrs</literal>. + </para> + <para> + New language integrations can be simplified by overriding a + <quote>prototype</quote> package containing the + language-specific logic. This removes the need for a extra + layer of overriding for the <quote>generic builder</quote> + arguments, thus removing a usability problem and source of + error. + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index 79268b398e60f..b0a84de57e0b2 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -43,15 +43,16 @@ <itemizedlist spacing="compact"> <listitem> <para> - Please remove this line when you add the first item since - docbook requires the section to be non-empty + <link xlink:href="https://github.com/jollheef/appvm">appvm</link>, + Nix based app VMs. Available as + <link xlink:href="options.html#opt-virtualisation.appvm.enable">virtualisation.appvm</link>. </para> </listitem> </itemizedlist> </section> <section xml:id="sec-release-22.11-incompatibilities"> <title>Backward Incompatibilities</title> - <itemizedlist spacing="compact"> + <itemizedlist> <listitem> <para> The <literal>isCompatible</literal> predicate checking CPU @@ -69,6 +70,21 @@ compatible</emphasis>. </para> </listitem> + <listitem> + <para> + The <literal>isPowerPC</literal> predicate, found on + <literal>platform</literal> attrsets + (<literal>hostPlatform</literal>, + <literal>buildPlatform</literal>, + <literal>targetPlatform</literal>, etc) has been removed in + order to reduce confusion. The predicate was was defined such + that it matches only the 32-bit big-endian members of the + POWER/PowerPC family, despite having a name which would imply + a broader set of systems. If you were using this predicate, + you can replace <literal>foo.isPowerPC</literal> with + <literal>(with foo; isPower && is32bit && isBigEndian)</literal>. + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-22.11-notable-changes"> @@ -76,8 +92,21 @@ <itemizedlist spacing="compact"> <listitem> <para> - Please remove this line when you add the first item since - docbook requires the section to be non-empty + A new module was added for the Saleae Logic device family, + providing the options + <literal>hardware.saleae-logic.enable</literal> and + <literal>hardware.saleae-logic.package</literal>. + </para> + </listitem> + <listitem> + <para> + Matrix Synapse now requires entries in the + <literal>state_group_edges</literal> table to be unique, in + order to prevent accidentally introducing duplicate + information (for example, because a database backup was + restored multiple times). If your Synapse database already has + duplicate rows in this table, this could fail with an error + and require manual remediation. </para> </listitem> </itemizedlist> diff --git a/nixos/doc/manual/installation/upgrading.chapter.md b/nixos/doc/manual/installation/upgrading.chapter.md index faeefc4451dc9..2644979bc9db2 100644 --- a/nixos/doc/manual/installation/upgrading.chapter.md +++ b/nixos/doc/manual/installation/upgrading.chapter.md @@ -6,7 +6,7 @@ expressions and associated binaries. The NixOS channels are updated automatically from NixOS's Git repository after certain tests have passed and all packages have been built. These channels are: -- *Stable channels*, such as [`nixos-21.11`](https://nixos.org/channels/nixos-21.11). +- *Stable channels*, such as [`nixos-22.05`](https://nixos.org/channels/nixos-22.05). These only get conservative bug fixes and package upgrades. For instance, a channel update may cause the Linux kernel on your system to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not @@ -19,7 +19,7 @@ passed and all packages have been built. These channels are: radical changes between channel updates. It's not recommended for production systems. -- *Small channels*, such as [`nixos-21.11-small`](https://nixos.org/channels/nixos-21.11-small) +- *Small channels*, such as [`nixos-22.05-small`](https://nixos.org/channels/nixos-22.05-small) or [`nixos-unstable-small`](https://nixos.org/channels/nixos-unstable-small). These are identical to the stable and unstable channels described above, except that they contain fewer binary packages. This means they get updated @@ -38,8 +38,8 @@ newest supported stable release. When you first install NixOS, you're automatically subscribed to the NixOS channel that corresponds to your installation source. For -instance, if you installed from a 21.11 ISO, you will be subscribed to -the `nixos-21.11` channel. To see which NixOS channel you're subscribed +instance, if you installed from a 22.05 ISO, you will be subscribed to +the `nixos-22.05` channel. To see which NixOS channel you're subscribed to, run the following as root: ```ShellSession @@ -54,16 +54,16 @@ To switch to a different NixOS channel, do ``` (Be sure to include the `nixos` parameter at the end.) For instance, to -use the NixOS 21.11 stable channel: +use the NixOS 22.05 stable channel: ```ShellSession -# nix-channel --add https://nixos.org/channels/nixos-21.11 nixos +# nix-channel --add https://nixos.org/channels/nixos-22.05 nixos ``` If you have a server, you may want to use the "small" channel instead: ```ShellSession -# nix-channel --add https://nixos.org/channels/nixos-21.11-small nixos +# nix-channel --add https://nixos.org/channels/nixos-22.05-small nixos ``` And if you want to live on the bleeding edge: @@ -114,5 +114,5 @@ the new generation contains a different kernel, initrd or kernel modules. You can also specify a channel explicitly, e.g. ```nix -system.autoUpgrade.channel = https://nixos.org/channels/nixos-21.11; +system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05; ``` diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index edb3758dd2f12..faf941f569966 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -1,4 +1,4 @@ -# Release 22.05 (“Quokka”, 2022.05/??) {#sec-release-22.05} +# Release 22.05 (“Quokka”, 2022.05/30) {#sec-release-22.05} - Support is planned until the end of December 2022, handing over to 22.11. @@ -6,144 +6,170 @@ In addition to numerous new and upgraded packages, this release has the following highlights: -- The `firefox` browser on `x86_64-linux` is now making use of - profile-guided optimization resulting in a much more responsive - browsing experience. +- Nix has been updated from 2.3 to 2.8. This mainly brings experimental support + for Flakes, but also marks the `nix` command as experimental which now has to + be enabled via the configuration explicitly. For more information and + instructions for upgrades, see the + relase notes for [nix-2.4](https://nixos.org/manual/nix/stable/release-notes/rl-2.4.html), + [nix-2.5](https://nixos.org/manual/nix/stable/release-notes/rl-2.5.html), + [nix-2.6](https://nixos.org/manual/nix/stable/release-notes/rl-2.6.html), + [nix-2.7](https://nixos.org/manual/nix/stable/release-notes/rl-2.7.html) and + [nix-2.8](https://nixos.org/manual/nix/stable/release-notes/rl-2.8.html) -- `security.acme.defaults` has been added to simplify configuring - settings for many certificates at once. This also opens up the - the option to use DNS-01 validation when using `enableACME` on - web server virtual hosts (e.g. `services.nginx.virtualHosts.*.enableACME`). +- The `firefox` browser on `x86_64-linux` now makes use of profile-guided + optimisation, resulting in a much more responsive browsing experience. -- GNOME has been upgraded to 42. Please take a look at their [Release Notes](https://release.gnome.org/42/) for details. Notably, it replaces gedit with GNOME Text Editor, GNOME Terminal with GNOME Console (formerly King’s Cross), and GNOME Screenshot with a tool built into the Shell. +- GNOME has been upgraded to 42. Please take a look at their [Release + Notes](https://release.gnome.org/42/) for details. In particular, it replaces + gedit with GNOME Text Editor, GNOME Terminal with GNOME Console (formerly + King's Cross) and GNOME Screenshot by a tool integrated into the Shell. -- `stdenv.mkDerivation` now supports a self-referencing `finalAttrs:` parameter - containing the final `mkDerivation` arguments including overrides. - `drv.overrideAttrs` now supports two parameters `finalAttrs: previousAttrs:`. - This allows packaging configuration to be overridden in a consistent manner by - providing an alternative to `rec {}` syntax. - - Additionally, `passthru` can now reference `finalAttrs.finalPackage` containing - the final package, including attributes such as the output paths and - `overrideAttrs`. - - New language integrations can be simplified by overriding a "prototype" - package containing the language-specific logic. This removes the need for a - extra layer of overriding for the "generic builder" arguments, thus removing a - usability problem and source of error. - -- PHP 8.1 is now available - -- Mattermost has been updated to extended support release 6.3, as the previously packaged extended support release 5.37 is [reaching its end of life](https://docs.mattermost.com/upgrade/extended-support-release.html). - Migrations may take a while, see the [changelog](https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release) - and [important upgrade notes](https://docs.mattermost.com/upgrade/important-upgrade-notes.html). +- PHP 8.1 is now available. - systemd services can now set [systemd.services.\<name\>.reloadTriggers](#opt-systemd.services) instead of `reloadIfChanged` for a more granular distinction between reloads and restarts. - Systemd has been upgraded to the version 250. -- Pulseaudio has been upgraded to version 15.0 and now optionally [supports additional Bluetooth audio codecs](https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/15.0/#supportforldacandaptxbluetoothcodecsplussbcxqsbcwithhigher-qualityparameters) like aptX or LDAC, with codec switching support being available in `pavucontrol`. This feature is disabled by default but can be enabled by using `hardware.pulseaudio.package = pkgs.pulseaudioFull;`. - Existing 3rd party modules that provided similar functionality, like `pulseaudio-modules-bt` or `pulseaudio-hsphfpd` are deprecated and have been removed. +- Pulseaudio has been updated to version 15.0 and now optionally + [supports additional Bluetooth audio codecs](https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/15.0/#supportforldacandaptxbluetoothcodecsplussbcxqsbcwithhigher-qualityparameters) + such as aptX or LDAC, with codec switching available in `pavucontrol`. This + feature is disabled by default, but can be enabled with the option + `hardware.pulseaudio.package = pkgs.pulseaudioFull;`. Existing third-party + modules that offered similar functions, such as `pulseaudio-modules-bt` or + `pulseaudio-hsphfpd`, are obsolete and have been removed. - PostgreSQL now defaults to major version 14. -- The new [`postgresqlTestHook`](https://nixos.org/manual/nixpkgs/stable/#sec-postgresqlTestHook) runs a PostgreSQL server for the duration of package checks. - -- [`kops`](https://kops.sigs.k8s.io) defaults to 1.23.2, which will enable [Instance Metadata Service Version 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) and require tokens on new clusters with Kubernetes >= 1.22. This will increase security by default, but may break some types of workloads. The default behaviour for `spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS` has changed from `true` to `false`. Cilium now has `disable-cnp-status-updates: true` by default. Set this to false if you rely on the CiliumNetworkPolicy status fields. Support for Kubernetes 1.17, the Lyft CNI, Weave CNI on Kubernetes >= 1.23, CentOS 7 and 8, Debian 9, RHEL 7, and Ubuntu 16.05 (Xenial) has been removed. See the [1.22 release notes](https://kops.sigs.k8s.io/releases/1.22-notes/) and [1.23 release notes](https://kops.sigs.k8s.io/releases/1.23-notes/) for more details, including other significant changes. - - Module authors can use `mkRenamedOptionModuleWith` to automate the deprecation cycle without annoying out-of-tree module authors and their users. - The default GHC version has been updated from 8.10.7 to 9.0.2. `pkgs.haskellPackages` and `pkgs.ghc` will now use this version by default. - The GNOME and Plasma installation CDs now use `pkgs.calamares` and `pkgs.calamares-nixos-extensions` to allow users to easily install and set up NixOS with a GUI. +- `security.acme.defaults` has been added to simplify the configuration of + settings for many certificates at once. This also opens up the option to use + DNS-01 validation when using `enableACME` web server virtual hosts (e.g. + `services.nginx.virtualHosts.*.enableACME`). + ## New Services {#sec-release-22.05-new-services} +- [1password](https://1password.com/), command-lines and graphic interface for 1Password. Available as [programs._1password](#opt-programs._1password.enable) and [programs._1password-gui](#opt-programs._1password.enable). + - [aesmd](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw), the Intel SGX Architectural Enclave Service Manager. Available as [services.aesmd](#opt-services.aesmd.enable). -- [rootless Docker](https://docs.docker.com/engine/security/rootless/), a `systemd --user` Docker service which runs without root permissions. Available as [virtualisation.docker.rootless.enable](options.html#opt-virtualisation.docker.rootless.enable). +- [agate](https://github.com/mbrubeck/agate), a very simple server for the Gemini hypertext protocol. Available as [services.agate](#opt-services.agate.enable). -- [matrix-conduit](https://conduit.rs/), a simple, fast and reliable chat server powered by matrix. Available as [services.matrix-conduit](option.html#opt-services.matrix-conduit.enable). +- [apfs](https://github.com/linux-apfs/linux-apfs-rw), a kernel module for mounting the Apple File System (APFS). -- [nethoscope](https://github.com/vvilhonen/nethoscope), listen to your network traffic. Available as [programs.nethoscope](#opt-programs.nethoscope.enable). +- [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](#opt-services.archisteamfarm.enable). + +- [BaGet](https://loic-sharma.github.io/BaGet/), a lightweight NuGet and symbol server. Available at [services.baget](#opt-services.baget.enable). + +- [bird-lg](https://github.com/xddxdd/bird-lg-go), a BGP looking glass for Bird Routing. Available as [services.bird-lg](#opt-services.bird-lg.package). + +- [blocky](https://0xerr0r.github.io/blocky/), fast and lightweight DNS proxy as ad-blocker for local network with many features. Available as [services.blocky](#opt-services.blocky.enable). + +- [cloudflare-dyndns](https://github.com/kissgyorgy/cloudflare-dyndns), CloudFlare Dynamic DNS client. Available as [services.cloudflare-dyndns](#opt-services.cloudflare-dyndns.enable). + +- [Corosync](https://corosync.github.io/corosync/) and [Pacemaker](https://clusterlabs.org/pacemaker/), A open-source high availability resource manager. Available as [services.corosync](#opt-services.corosync.enable) and [services.pacemaker](#opt-services.pacemaker.enable). + +- [create_ap](https://github.com/lakinduakash/linux-wifi-hotspot), a module for creating wifi hotspots using the program linux-wifi-hotspot. Available as [services.create_ap](#opt-services.create_ap.enable). + +- [Envoy](https://www.envoyproxy.io/), a high-performance reverse proxy. Available as [services.envoy](#opt-services.envoy.enable). + +- [ergochat](https://ergo.chat), a modern IRC with IRCv3 features. Available as [services.ergochat](#opt-services.ergochat.enable). + +- [ethercalc](https://github.com/audreyt/ethercalc), an online collaborative spreadsheet. Available as [services.ethercalc](#opt-services.ethercalc.enable). - [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html), a lightweight shipper for forwarding and centralizing log data. Available as [services.filebeat](#opt-services.filebeat.enable). -- [apfs](https://github.com/linux-apfs/linux-apfs-rw), a kernel module for mounting the Apple File System (APFS). +- [FRRouting](https://frrouting.org/), a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VRRP and others). Available as [services.frr](#opt-services.frr.babel.enable). -- [FRRouting](https://frrouting.org/), a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VRRP and others). Available as [services.frr](#opt-services.frr.babel.enable) +- [Grafana Mimir](https://grafana.com/oss/mimir/), an open source, horizontally scalable, highly available, multi-tenant, long-term storage for Prometheus. Available as [services.mimir](#opt-services.mimir.enable). -- [heisenbridge](https://github.com/hifi/heisenbridge), a bouncer-style Matrix IRC bridge. Available as [services.heisenbridge](options.html#opt-services.heisenbridge.enable). +- [Haste](https://hastebin.com/about.md), a pastebin written in node.js. Available as [services.haste](#opt-services.haste-server.enable). -- [snowflake-proxy](https://snowflake.torproject.org/), a system to defeat internet censorship. Available as [services.snowflake-proxy](options.html#opt-services.snowflake-proxy.enable). +- [headscale](https://github.com/juanfont/headscale), an Open Source implementation of the [Tailscale](https://tailscale.io) Control Server. Available as [services.headscale](#opt-services.headscale.enable). -- [r53-ddns](https://github.com/fleaz/r53-ddns), a small tool to run your own DDNS service via AWS Route53. Available as [services.r53-ddns](options.html#opt-services.r53-ddns.enable). +- [heisenbridge](https://github.com/hifi/heisenbridge), a bouncer-style Matrix IRC bridge. Available as [services.heisenbridge](#opt-services.heisenbridge.enable). -- [ergochat](https://ergo.chat), a modern IRC with IRCv3 features. Available as [services.ergochat](options.html#opt-services.ergochat.enable). +- [https-dns-proxy](https://github.com/aarond10/https_dns_proxy), DNS to DNS over HTTPS (DoH) proxy. Available as [services.https-dns-proxy](#opt-services.https-dns-proxy.enable). -- [Snipe-IT](https://snipeitapp.com), a free open source IT asset/license management system. Available as [services.snipe-it](options.html#opt-services.snipe-it.enable). +- [input-remapper](https://github.com/sezanzeb/input-remapper), an easy to use tool to change the mapping of your input device buttons. Available at [services.input-remapper](#opt-services.input-remapper.enable). -- [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin), a web interface for the PowerDNS server. Available at [services.powerdns-admin](options.html#opt-services.powerdns-admin.enable). +- [InvoicePlane](https://invoiceplane.com), web application for managing and creating invoices. Available at [services.invoiceplane](#opt-services.invoiceplane.sites._name_.enable). -- [pgadmin4](https://github.com/postgres/pgadmin4), an admin interface for the PostgreSQL database. Available at [services.pgadmin](options.html#opt-services.pgadmin.enable). +- [k3b](https://userbase.kde.org/K3b), the KDE disk burning application. Available as [programs.k3b](#opt-programs.k3b.enable). -- [input-remapper](https://github.com/sezanzeb/input-remapper), an easy to use tool to change the mapping of your input device buttons. Available at [services.input-remapper](options.html#opt-services.input-remapper.enable). +- [K40-Whisperer](https://www.scorchworks.com/K40whisperer/k40whisperer.html), a program to control cheap Chinese laser cutters. Available as [programs.k40-whisperer.enable](#opt-programs.k40-whisperer.enable). Users must add themselves to the `k40` group to be able to access the device. -- [InvoicePlane](https://invoiceplane.com), web application for managing and creating invoices. Available at [services.invoiceplane](options.html#opt-services.invoiceplane.enable). +- [kanidm](https://kanidm.github.io/kanidm/stable/), an identity management server written in Rust. Available as [services.kanidm](#opt-services.kanidm.enableServer) -- [maddy](https://maddy.email), a composable all-in-one mail server. Available as [services.maddy](options.html#opt-services.maddy.enable). +- [Maddy](https://maddy.email/), a free an open source mail server. Availabe as [services.maddy](#opt-services.maddy.enable). -- [K40-Whisperer](https://www.scorchworks.com/K40whisperer/k40whisperer.html), a program to control cheap Chinese laser cutters. Available as [programs.k40-whisperer.enable](options.html#opt-programs.k4-whisperer.enable). Users must add themselves to the `k40` group to be able to access the device. +- [matrix-conduit](https://conduit.rs/), a simple, fast and reliable chat server powered by matrix. Available as [services.matrix-conduit](option.html#opt-services.matrix-conduit.enable). -- [mozillavpn](https://github.com/mozilla-mobile/mozilla-vpn-client), the client for the [Mozilla VPN](https://vpn.mozilla.org/) service. Available as [services.mozillavpn](options.html#opt-services.mozillavpn). +- [Moosefs](https://moosefs.com), fault tolerant petabyte distributed file system. Available as [moosefs](#opt-services.moosefs.master.enable). -- [mtr-exporter](https://github.com/mgumz/mtr-exporter), a Prometheus exporter for mtr metrics. Available as [services.mtr-exporter](options.html#opt-services.mtr-exporter.enable). +- [mozillavpn](https://github.com/mozilla-mobile/mozilla-vpn-client), the client for the [Mozilla VPN](https://vpn.mozilla.org/) service. Available as [services.mozillavpn](#opt-services.mozillavpn.enable). -- [prometheus-pve-exporter](https://github.com/prometheus-pve/prometheus-pve-exporter), a tool that exposes information from the Proxmox VE API for use by Prometheus. Available as [services.prometheus.exporters.pve](options.html#opt-services.prometheus.exporters.pve). +- [mtr-exporter](https://github.com/mgumz/mtr-exporter), a Prometheus exporter for mtr metrics. Available as [services.mtr-exporter](#opt-services.mtr-exporter.enable). -- [netbox](https://github.com/netbox-community/netbox), infrastructure resource modeling (IRM) tool. Available as [services.netbox](options.html#opt-services.netbox.enable). +- [nbd](https://nbd.sourceforge.io/), a Network Block Device server. Available as [services.nbd](#opt-services.nbd.server.enable). -- [tetrd](https://tetrd.app), share your internet connection from your device to your PC and vice versa through a USB cable. Available at [services.tetrd](#opt-services.tetrd.enable). +- [netbox](https://github.com/netbox-community/netbox), infrastructure resource modeling (IRM) tool. Available as [services.netbox](#opt-services.netbox.enable). -- [uptermd](https://upterm.dev), an open-source solution for sharing terminal sessions instantly over the public internet via secure tunnels. Available at [services.uptermd](#opt-services.uptermd.enable). +- [nethoscope](https://github.com/vvilhonen/nethoscope), listen to your network traffic. Available as [programs.nethoscope](#opt-programs.nethoscope.enable). -- [agate](https://github.com/mbrubeck/agate), a very simple server for the Gemini hypertext protocol. Available as [services.agate](options.html#opt-services.agate.enable). +- [nifi](https://nifi.apache.org), an easy to use, powerful, and reliable system to process and distribute data. Available as [services.nifi](#opt-services.nifi.enable). -- [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](options.html#opt-services.archisteamfarm.enable). +- [nix-ld](https://github.com/Mic92/nix-ld), Run unpatched dynamic binaries on NixOS. Available as [programs.nix-ld](#opt-programs.nix-ld.enable). -- [teleport](https://goteleport.com), allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at [services.teleport](#opt-services.teleport.enable). +- [NNCP](http://www.nncpgo.org), NNCP (Node to Node copy) utilities and configuration, Available as [programs.nncp](#opt-programs.nncp.enable). -- [BaGet](https://loic-sharma.github.io/BaGet/), a lightweight NuGet and symbol server. Available at [services.baget](#opt-services.baget.enable). +- [pgadmin4](https://github.com/postgres/pgadmin4), an admin interface for the PostgreSQL database. Available at [services.pgadmin](#opt-services.pgadmin.enable). -- [moosefs](https://moosefs.com), fault tolerant petabyte distributed file system. - Available as [moosefs](#opt-services.moosefs.client.enable). +- [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin), a web interface for the PowerDNS server. Available at [services.powerdns-admin](#opt-services.powerdns-admin.enable). + +- [prometheus-pve-exporter](https://github.com/prometheus-pve/prometheus-pve-exporter), a tool that exposes information from the Proxmox VE API for use by Prometheus. Available as [services.prometheus.exporters.pve](#opt-services.prometheus.exporters.pve.enable). - [prosody-filer](https://github.com/ThomasLeister/prosody-filer), a server for handling XMPP HTTP Upload requests. Available at [services.prosody-filer](#opt-services.prosody-filer.enable). -- [systembus-notify](https://github.com/rfjakob/systembus-notify), allow system level notifications to reach the users. Available as [services.systembus-notify](opt-services.systembus-notify.enable). Please keep in mind that this service should only be enabled on machines with fully trusted users, as any local user is able to DoS user sessions by spamming notifications. +- [Public Inbox](https://public-inbox.org), an "archives first" approach to mailing lists. Available as [services.public-inbox](#opt-services.public-inbox.enable). + +- [r53-ddns](https://github.com/fleaz/r53-ddns), a small tool to run your own DDNS service via AWS Route53. Available as [services.r53-ddns](#opt-services.r53-ddns.enable). + +- [rmfakecloud](https://ddvk.github.io/rmfakecloud/), a clone of the cloud sync the remarkable tablet. Available as [services.rmfakecloud](#opt-services.rmfakecloud.enable). + +- [rootless Docker](https://docs.docker.com/engine/security/rootless/), a `systemd --user` Docker service which runs without root permissions. Available as [virtualisation.docker.rootless.enable](#opt-virtualisation.docker.rootless.enable). + +- [rstudio-server](https://www.rstudio.com/products/rstudio/#rstudio-server), a browser-based version of the RStudio IDE for the R programming language. Available as [services.rstudio-server](#opt-services.rstudio-server.enable). -- [ethercalc](https://github.com/audreyt/ethercalc), an online collaborative - spreadsheet. Available as [services.ethercalc](options.html#opt-services.ethercalc.enable). +- [rtsp-simple-server](https://github.com/aler9/rtsp-simple-server), ready-to-use RTSP / RTMP / HLS server and proxy that allows to read, publish and proxy video and audio streams. Available as [services.rtsp-simple-server](#opt-services.rtsp-simple-server.enable). -- [nbd](https://nbd.sourceforge.io/), a Network Block Device server. Available as [services.nbd](options.html#opt-services.nbd.server.enable). +- [Snipe-IT](https://snipeitapp.com), a free open source IT asset/license management system. Available as [services.snipe-it](#opt-services.snipe-it.enable). -- [nix-ld](https://github.com/Mic92/nix-ld), Run unpatched dynamic binaries on NixOS. Available as [programs.nix-ld](options.html#opt-programs.nix-ld.enable). +- [snowflake-proxy](https://snowflake.torproject.org/), a system to defeat internet censorship. Available as [services.snowflake-proxy](#opt-services.snowflake-proxy.enable). -- [timetagger](https://timetagger.app), an open source time-tracker with an intuitive user experience and powerful reporting. [services.timetagger](options.html#opt-services.timetagger.enable). +- [sslmate-agent](https://sslmate.com/), a daemon for managing SSL/TLS certificates on a server. Available as [services.sslmate-agent](services.sslmate-agent.enable). -- [rstudio-server](https://www.rstudio.com/products/rstudio/#rstudio-server), a browser-based version of the RStudio IDE for the R programming language. Available as [services.rstudio-server](options.html#opt-services.rstudio-server.enable). +- [starship](https://starship.rs), a minimal, blazing-fast, and infinitely customizable prompt for any shell. Available at [programs.startship](#opt-programs.starship.enable). -- [headscale](https://github.com/juanfont/headscale), an Open Source implementation of the [Tailscale](https://tailscale.io) Control Server. Available as [services.headscale](options.html#opt-services.headscale.enable) +- [systembus-notify](https://github.com/rfjakob/systembus-notify), allow system level notifications to reach the users. Available as [services.systembus-notify](opt-services.systembus-notify.enable). Please keep in mind that this service should only be enabled on machines with fully trusted users, as any local user is able to DoS user sessions by spamming notifications. + +- [teleport](https://goteleport.com), allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at [services.teleport](#opt-services.teleport.enable). + +- [tetrd](https://tetrd.app), share your internet connection from your device to your PC and vice versa through a USB cable. Available at [services.tetrd](#opt-services.tetrd.enable). -- [create_ap](https://github.com/lakinduakash/linux-wifi-hotspot), a module for creating wifi hotspots using the program linux-wifi-hotspot. Available as [services.create_ap](options.html#opt-services.create_ap.enable). +- [uptermd](https://upterm.dev), an open-source solution for sharing terminal sessions instantly over the public internet via secure tunnels. Available at [services.uptermd](#opt-services.uptermd.enable). -- [blocky](https://0xerr0r.github.io/blocky/), fast and lightweight DNS proxy as ad-blocker for local network with many features. +- [usbrelayd](https://github.com/darrylb123/usbrelay), an USB Relay MQTT daemon. Available as [services.usbrelayd](#opt-services.usbrelayd.enable). -- [pacemaker](https://clusterlabs.org/pacemaker/) cluster resource manager +- [webdav-server-rs](https://github.com/miquels/webdav-server-rs), Webdav server in rust. Available as [services.webdav-server-rs](#opt-services.webdav-server-rs.enable). -- [nifi](https://nifi.apache.org), an easy to use, powerful, and reliable system to process and distribute data. Available as [services.nifi](options.html#opt-services.nifi.enable). +- [wg-netmanager](https://github.com/gin66/wg_netmanager), the Wireguard network manager. Available as [services.wg-netmanager](#opt-services.wg-netmanager.enable). -- [kanidm](https://kanidm.github.io/kanidm/stable/), an identity management server written in Rust. +- [Zammad](https://zammad.org/), a web-based, open source user support/ticketing solution. Available as [services.zammad](#opt-services.zammad.enable). <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> @@ -169,7 +195,7 @@ In addition to numerous new and upgraded packages, this release has the followin - The update of the haskell package set brings with it a new version of the `xmonad` module, which will break your configuration if you use `launch` as entrypoint. The - example code the corresponding nixos module was adjusted, you way want to have a look at it. + example code the corresponding nixos module was adjusted, you may want to have a look at it. - The `home-assistant` module now requires users that don't want their configuration to be managed declaratively to set @@ -250,6 +276,8 @@ In addition to numerous new and upgraded packages, this release has the followin - `openldap` (and therefore the slapd LDAP server) were updated to version 2.6.2. The project introduced backwards-incompatible changes, namely the removal of the bdb, hdb, ndb, and shell backends in slapd. Therefore before updating, dump your database `slapcat -n 1` in LDIF format, and reimport it after updating your `services.openldap.settings`, which represents your `cn=config`. + Additionally with 2.5 the argon2 module was included in the standard distrubtion and renamed from `pw-argon2` to `argon2`. Remember to update your `olcModuleLoad` entry in `cn=config`. + - `openssh` has been update to 8.9p1, changing the FIDO security key middleware interface. - `git` no longer hardcodes the path to openssh' ssh binary to reduce the amount of rebuilds. If you are using git with ssh remotes and do not have a ssh binary in your enviroment consider adding `openssh` to it or switching to `gitFull`. @@ -368,13 +396,13 @@ In addition to numerous new and upgraded packages, this release has the followin }; extraConfigFiles = [ - /run/keys/matrix-synapse/secrets.yaml + "/run/keys/matrix-synapse/secrets.yaml" ]; }; } ``` - The secrets in your original config should be migrated into a YAML file that is included via `extraConfigFiles`. + The secrets in your original config should be migrated into a YAML file that is included via `extraConfigFiles`. The filename must be quoted to prevent nix from copying it to the (world readable) store. Additionally a few option defaults have been synced up with upstream default values, for example the `max_upload_size` grew from `10M` to `50M`. For the same reason, the default `media_store_path` was changed from `${dataDir}/media` to `${dataDir}/media_store` if `system.stateVersion` is at least `22.05`. Files will need to be manually moved to the new @@ -705,6 +733,13 @@ In addition to numerous new and upgraded packages, this release has the followin - The configuration portion of the `nix-daemon` module has been reworked and exposed as [nix.settings](options.html#opt-nix-settings): * Legacy options have been mapped to the corresponding options under under [nix.settings](options.html#opt-nix.settings) and will be deprecated when NixOS 21.11 reaches end of life. * [nix.buildMachines.publicHostKey](options.html#opt-nix.buildMachines.publicHostKey) has been added. + +- [`kops`](https://kops.sigs.k8s.io) defaults to 1.23.2, which will enable [Instance Metadata Service Version 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) and require tokens on new clusters with Kubernetes >= 1.22. This will increase security by default, but may break some types of workloads. The default behaviour for `spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS` has changed from `true` to `false`. Cilium now has `disable-cnp-status-updates: true` by default. Set this to false if you rely on the CiliumNetworkPolicy status fields. Support for Kubernetes 1.17, the Lyft CNI, Weave CNI on Kubernetes >= 1.23, CentOS 7 and 8, Debian 9, RHEL 7, and Ubuntu 16.05 (Xenial) has been removed. See the [1.22 release notes](https://kops.sigs.k8s.io/releases/1.22-notes/) and [1.23 release notes](https://kops.sigs.k8s.io/releases/1.23-notes/) for more details, including other significant changes. + +- Mattermost has been upgraded to extended support version 6.3 as the previously + packaged extended support version 5.37 is [reaching end of life](https://docs.mattermost.com/upgrade/extended-support-release.html). + Migration may take some time, see the [changelog](https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release) + and [important upgrade notes](https://docs.mattermost.com/upgrade/important-upgrade-notes.html). - The `writers.writePyPy2`/`writers.writePyPy3` and corresponding `writers.writePyPy2Bin`/`writers.writePyPy3Bin` convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added. @@ -730,6 +765,17 @@ In addition to numerous new and upgraded packages, this release has the followin redis-cli save cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb" ``` +- Peertube now uses services.redis.servers to start a new redis server, instead of using a global redis server. + This improves compatibility with other services that use redis. + + Redis database is used for storage only cache and job queue. More information can be found here - [Peertube architecture](https://docs.joinpeertube.org/contribute-architecture). + + If you do want to save the redis database, you can use the following commands before upgrade OS: + ```bash + redis-cli save + sudo mkdir /var/lib/redis-peertube + sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb + ``` - If you are using Wayland you can choose to use the Ozone Wayland support in Chrome and several Electron apps by setting the environment variable @@ -797,7 +843,6 @@ In addition to numerous new and upgraded packages, this release has the followin If you are using only a window manager without a desktop manager, you need to enable `services.xserver.desktopManager.runXdgAutostartIfNone` or using the `dex` package to make `fcitx5` work. -- A new module was added for the Envoy reverse proxy, providing the options `services.envoy.enable` and `services.envoy.settings`. - The option `services.duplicati.dataDir` has been added to allow changing the location of duplicati's files. @@ -843,9 +888,6 @@ In addition to numerous new and upgraded packages, this release has the followin - The default value for `programs.spacefm.settings.graphical_su` got unset. It previously pointed to `gksu` which has been removed. -- A new module was added for the [Starship](https://starship.rs/) shell prompt, - providing the options `programs.starship.enable` and `programs.starship.settings`. - - The [Dino](https://dino.im) XMPP client was updated to 0.3, adding support for audio and video calls. - `services.mattermost.plugins` has been added to allow the declarative installation of Mattermost plugins. @@ -905,6 +947,8 @@ In addition to numerous new and upgraded packages, this release has the followin - The `nss` package was split into `nss_esr` and `nss_latest`, with `nss` being an alias for `nss_esr`. This was done to ease maintenance of `nss` and dependent high-profile packages like `firefox`. +- The default `scribus` version is now 1.5, while version 1.4 is still available as `scribus_1_4` ([#172700](https://github.com/NixOS/nixpkgs/pull/172700)). + - The Nextcloud module now supports to create a Mysql database automatically with `services.nextcloud.database.createLocally` enabled. @@ -915,8 +959,6 @@ In addition to numerous new and upgraded packages, this release has the followin - Testing has been enabled for `aarch64-linux` in addition to `x86_64-linux`. - The `spark3` package is now usable on `aarch64-darwin` as a result of [#158613](https://github.com/NixOS/nixpkgs/pull/158613) and [#158992](https://github.com/NixOS/nixpkgs/pull/158992). -- The `programs.nncp` options were added for generating host-global NNCP configuration. - - The option `services.snapserver.openFirewall` will no longer default to `true` starting with NixOS 22.11. Enable it explicitly if you need to control Snapserver remotely or connect streamig clients from other hosts. @@ -927,5 +969,22 @@ In addition to numerous new and upgraded packages, this release has the followin or `wl*` with priority 99 (which means that it doesn't have any effect if such an interface is matched by a `.network-`unit with a lower priority). In case of scripted networking, no behavior was changed. + +- The new [`postgresqlTestHook`](https://nixos.org/manual/nixpkgs/stable/#sec-postgresqlTestHook) runs a PostgreSQL server for the duration of package checks. + +- `stdenv.mkDerivation` now supports a self-referencing `finalAttrs:` parameter + containing the final `mkDerivation` arguments including overrides. + `drv.overrideAttrs` now supports two parameters `finalAttrs: previousAttrs:`. + This allows packaging configuration to be overridden in a consistent manner by + providing an alternative to `rec {}` syntax. + + Additionally, `passthru` can now reference `finalAttrs.finalPackage` containing + the final package, including attributes such as the output paths and + `overrideAttrs`. + + New language integrations can be simplified by overriding a "prototype" + package containing the language-specific logic. This removes the need for a + extra layer of overriding for the "generic builder" arguments, thus removing a + usability problem and source of error. <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index 7d2eacce57fed..acad456a4fd3a 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md @@ -23,7 +23,7 @@ In addition to numerous new and upgraded packages, this release has the followin ## New Services {#sec-release-22.11-new-services} -- Please remove this line when you add the first item since docbook requires the section to be non-empty +- [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable). <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> @@ -37,9 +37,14 @@ In addition to numerous new and upgraded packages, this release has the followin `lib.systems.parse.isCompatible` still exists, but has changed semantically: Architectures with differing endianness modes are *no longer considered compatible*. +- The `isPowerPC` predicate, found on `platform` attrsets (`hostPlatform`, `buildPlatform`, `targetPlatform`, etc) has been removed in order to reduce confusion. The predicate was was defined such that it matches only the 32-bit big-endian members of the POWER/PowerPC family, despite having a name which would imply a broader set of systems. If you were using this predicate, you can replace `foo.isPowerPC` with `(with foo; isPower && is32bit && isBigEndian)`. + + <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> ## Other Notable Changes {#sec-release-22.11-notable-changes} -- Please remove this line when you add the first item since docbook requires the section to be non-empty +* A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`. +* Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation. + <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> diff --git a/nixos/lib/eval-config.nix b/nixos/lib/eval-config.nix index 2daaa8a118632..3b58ef297973e 100644 --- a/nixos/lib/eval-config.nix +++ b/nixos/lib/eval-config.nix @@ -50,11 +50,6 @@ let # they way through, but has the last priority behind everything else. nixpkgs.system = lib.mkDefault system; - # Stash the value of the `system` argument. When using `nesting.children` - # we want to have the same default value behavior (immediately above) - # without any interference from the user's configuration. - nixpkgs.initialSystem = system; - _module.args.pkgs = lib.mkIf (pkgs_ != null) (lib.mkForce pkgs_); }; }; diff --git a/nixos/lib/test-driver/default.nix b/nixos/lib/test-driver/default.nix index a79207267abd9..e3786622c3c58 100644 --- a/nixos/lib/test-driver/default.nix +++ b/nixos/lib/test-driver/default.nix @@ -35,6 +35,8 @@ python3Packages.buildPythonApplication rec { checkPhase = '' mypy --disallow-untyped-defs \ --no-implicit-optional \ + --pretty \ + --no-color-output \ --ignore-missing-imports ${src}/test_driver pylint --errors-only --enable=unused-import ${src}/test_driver black --check --diff ${src}/test_driver diff --git a/nixos/lib/test-driver/test_driver/py.typed b/nixos/lib/test-driver/test_driver/py.typed new file mode 100644 index 0000000000000..e69de29bb2d1d --- /dev/null +++ b/nixos/lib/test-driver/test_driver/py.typed diff --git a/nixos/lib/test-script-prepend.py b/nixos/lib/test-script-prepend.py new file mode 100644 index 0000000000000..15e59ce01047d --- /dev/null +++ b/nixos/lib/test-script-prepend.py @@ -0,0 +1,42 @@ +# This file contains type hints that can be prepended to Nix test scripts so they can be type +# checked. + +from test_driver.driver import Driver +from test_driver.vlan import VLan +from test_driver.machine import Machine +from test_driver.logger import Logger +from typing import Callable, Iterator, ContextManager, Optional, List, Dict, Any, Union +from typing_extensions import Protocol +from pathlib import Path + + +class RetryProtocol(Protocol): + def __call__(self, fn: Callable, timeout: int = 900) -> None: + raise Exception("This is just type information for the Nix test driver") + + +class PollingConditionProtocol(Protocol): + def __call__( + self, + fun_: Optional[Callable] = None, + *, + seconds_interval: float = 2.0, + description: Optional[str] = None, + ) -> Union[Callable[[Callable], ContextManager], ContextManager]: + raise Exception("This is just type information for the Nix test driver") + + +start_all: Callable[[], None] +subtest: Callable[[str], ContextManager[None]] +retry: RetryProtocol +test_script: Callable[[], None] +machines: List[Machine] +vlans: List[VLan] +driver: Driver +log: Logger +create_machine: Callable[[Dict[str, Any]], Machine] +run_tests: Callable[[], None] +join_all: Callable[[], None] +serial_stdout_off: Callable[[], None] +serial_stdout_on: Callable[[], None] +polling_condition: PollingConditionProtocol diff --git a/nixos/lib/testing-python.nix b/nixos/lib/testing-python.nix index 79b55f8d1d682..a6868a708aaf3 100644 --- a/nixos/lib/testing-python.nix +++ b/nixos/lib/testing-python.nix @@ -50,6 +50,7 @@ rec { , qemu_pkg ? pkgs.qemu_test , enableOCR ? false , skipLint ? false + , skipTypeCheck ? false , passthru ? {} , interactive ? false , extraPythonPackages ? (_ :[]) @@ -86,7 +87,7 @@ rec { nodeHostNames = let nodesList = map (c: c.config.system.name) (lib.attrValues nodes); - in nodesList ++ lib.optional (lib.length nodesList == 1) "machine"; + in nodesList ++ lib.optional (lib.length nodesList == 1 && !lib.elem "machine" nodesList) "machine"; # TODO: This is an implementation error and needs fixing # the testing famework cannot legitimately restrict hostnames further @@ -101,6 +102,9 @@ rec { then testScript { inherit nodes; } else testScript; + uniqueVlans = lib.unique (builtins.concatLists vlans); + vlanNames = map (i: "vlan${toString i}: VLan;") uniqueVlans; + machineNames = map (name: "${name}: Machine;") nodeHostNames; in if lib.length invalidNodeNames > 0 then throw '' @@ -114,7 +118,7 @@ rec { else lib.warnIf skipLint "Linting is disabled" (runCommand testDriverName { inherit testName; - nativeBuildInputs = [ makeWrapper ]; + nativeBuildInputs = [ makeWrapper mypy ]; testScript = testScript'; preferLocalBuild = true; passthru = passthru // { @@ -126,7 +130,25 @@ rec { mkdir -p $out/bin vmStartScripts=($(for i in ${toString vms}; do echo $i/bin/run-*-vm; done)) - echo -n "$testScript" > $out/test-script + + ${lib.optionalString (!skipTypeCheck) '' + # prepend type hints so the test script can be type checked with mypy + cat "${./test-script-prepend.py}" >> testScriptWithTypes + echo "${builtins.toString machineNames}" >> testScriptWithTypes + echo "${builtins.toString vlanNames}" >> testScriptWithTypes + echo -n "$testScript" >> testScriptWithTypes + + # set pythonpath so mypy knows where to find the imports. this requires the py.typed file. + export PYTHONPATH='${./test-driver}' + mypy --no-implicit-optional \ + --pretty \ + --no-color-output \ + testScriptWithTypes + unset PYTHONPATH + ''} + + echo -n "$testScript" >> $out/test-script + ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-test-driver ${testDriver}/bin/generate-driver-symbols @@ -153,6 +175,7 @@ rec { , testScript , enableOCR ? false , name ? "unnamed" + , skipTypeCheck ? false # Skip linting (mainly intended for faster dev cycles) , skipLint ? false , passthru ? {} @@ -209,19 +232,19 @@ rec { )]; }; in - lib.warnIf (t?machine) "In test `${name}': The `machine' attribute in NixOS tests (pkgs.nixosTest / make-test-pyton.nix / testing-python.nix / makeTest) is deprecated. Please use the equivalent `nodes.machine'." + lib.warnIf (t?machine) "In test `${name}': The `machine' attribute in NixOS tests (pkgs.nixosTest / make-test-python.nix / testing-python.nix / makeTest) is deprecated. Please use the equivalent `nodes.machine'." build-vms.buildVirtualNetwork ( nodes // lib.optionalAttrs (machine != null) { inherit machine; } ); driver = setupDriverForTest { - inherit testScript enableOCR skipLint passthru extraPythonPackages; + inherit testScript enableOCR skipTypeCheck skipLint passthru extraPythonPackages; testName = name; qemu_pkg = pkgs.qemu_test; nodes = mkNodes pkgs.qemu_test; }; driverInteractive = setupDriverForTest { - inherit testScript enableOCR skipLint passthru extraPythonPackages; + inherit testScript enableOCR skipTypeCheck skipLint passthru extraPythonPackages; testName = name; qemu_pkg = pkgs.qemu; nodes = mkNodes pkgs.qemu; diff --git a/nixos/modules/hardware/new-lg4ff.nix b/nixos/modules/hardware/new-lg4ff.nix new file mode 100644 index 0000000000000..3c7f66f8d89b5 --- /dev/null +++ b/nixos/modules/hardware/new-lg4ff.nix @@ -0,0 +1,29 @@ +{ pkgs, lib, config, ... }: + +with lib; + +let + cfg = config.hardware.new-lg4ff; + kernelPackages = config.boot.kernelPackages; +in { + options.hardware.new-lg4ff = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enables improved Linux module drivers for Logitech driving wheels. + This will replace the existing in-kernel hid-logitech modules. + Works most notably on the Logitech G25, G27, G29 and Driving Force (GT). + ''; + }; + }; + + config = lib.mkIf cfg.enable { + boot = { + extraModulePackages = [ kernelPackages.new-lg4ff ]; + kernelModules = [ "hid-logitech-new" ]; + }; + }; + + meta.maintainers = with lib.maintainers; [ matthiasbenaets ]; +} diff --git a/nixos/modules/hardware/saleae-logic.nix b/nixos/modules/hardware/saleae-logic.nix new file mode 100644 index 0000000000000..a3810d640c483 --- /dev/null +++ b/nixos/modules/hardware/saleae-logic.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.hardware.saleae-logic; +in +{ + options.hardware.saleae-logic = { + enable = lib.mkEnableOption "udev rules for Saleae Logic devices"; + + package = lib.mkOption { + type = lib.types.package; + default = pkgs.saleae-logic-2; + defaultText = lib.literalExpression "pkgs.saleae-logic-2"; + description = '' + Saleae Logic package to use. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + services.udev.packages = [ cfg.package ]; + }; + + meta.maintainers = with lib.maintainers; [ chivay ]; +} diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 210d45ac84153..a9b04bcc85959 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -163,8 +163,19 @@ in ''; }; + hardware.nvidia.forceFullCompositionPipeline = lib.mkOption { + default = false; + type = types.bool; + description = '' + Whether to force-enable the full composition pipeline. + This sometimes fixes screen tearing issues. + This has been reported to reduce the performance of some OpenGL applications and may produce issues in WebGL. + It also drastically increases the time the driver needs to clock down after load. + ''; + }; + hardware.nvidia.package = lib.mkOption { - type = lib.types.package; + type = types.package; default = config.boot.kernelPackages.nvidiaPackages.stable; defaultText = literalExpression "config.boot.kernelPackages.nvidiaPackages.stable"; description = '' @@ -255,13 +266,18 @@ in '' BusID "${pCfg.nvidiaBusId}" ${optionalString syncCfg.allowExternalGpu "Option \"AllowExternalGpus\""} - ${optionalString cfg.powerManagement.finegrained "Option \"NVreg_DynamicPowerManagement=0x02\""} ''; screenSection = '' Option "RandRRotation" "on" - ${optionalString syncCfg.enable "Option \"AllowEmptyInitialConfiguration\""} - ''; + '' + optionalString syncCfg.enable '' + Option "AllowEmptyInitialConfiguration" + '' + optionalString cfg.forceFullCompositionPipeline '' + Option "metamodes" "nvidia-auto-select +0+0 {ForceFullCompositionPipeline=On}" + Option "AllowIndirectGLXProtocol" "off" + Option "TripleBuffer" "on" + '' + ; }; services.xserver.serverLayoutSection = optionalString syncCfg.enable '' @@ -367,7 +383,8 @@ in RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%c{3} c 195 %c{3}" KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 1'" - '' + optionalString cfg.powerManagement.finegrained '' + '' + optionalString cfg.powerManagement.finegrained ( + optionalString (versionOlder config.boot.kernelPackages.kernel.version "5.5") '' # Remove NVIDIA USB xHCI Host Controller devices, if present ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{remove}="1" @@ -376,7 +393,7 @@ in # Remove NVIDIA Audio devices, if present ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{remove}="1" - + '' + '' # Enable runtime PM for NVIDIA VGA/3D controller devices on driver bind ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="auto" ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="auto" @@ -384,7 +401,7 @@ in # Disable runtime PM for NVIDIA VGA/3D controller devices on driver unbind ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="on" ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="on" - ''; + ''); boot.extraModprobeConfig = mkIf cfg.powerManagement.finegrained '' options nvidia "NVreg_DynamicPowerManagement=0x02" diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 1eaa940afb1fc..d1ccc6c2072f7 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -479,7 +479,7 @@ in + lib.optionalString (isx86_32 || isx86_64) "-Xbcj x86" # Untested but should also reduce size for these platforms + lib.optionalString (isAarch32 || isAarch64) "-Xbcj arm" - + lib.optionalString (isPowerPC) "-Xbcj powerpc" + + lib.optionalString (isPower && is32bit && isBigEndian) "-Xbcj powerpc" + lib.optionalString (isSparc) "-Xbcj sparc"; description = '' Compression settings to use for the squashfs nix store. diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix index 69967c8a7601e..866bb35160091 100644 --- a/nixos/modules/misc/nixpkgs.nix +++ b/nixos/modules/misc/nixpkgs.nix @@ -67,6 +67,7 @@ in imports = [ ./assertions.nix ./meta.nix + (mkRemovedOptionModule [ "nixpkgs" "initialSystem" ] "The NixOS options `nesting.clone` and `nesting.children` have been deleted, and replaced with named specialisation. Therefore `nixpgks.initialSystem` has no effect anymore.") ]; options.nixpkgs = { @@ -219,14 +220,6 @@ in Ignored when <code>nixpkgs.pkgs</code> is set. ''; }; - - initialSystem = mkOption { - type = types.str; - internal = true; - description = '' - Preserved value of <literal>system</literal> passed to <literal>eval-config.nix</literal>. - ''; - }; }; config = { diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix index 010acdb72f678..da458a5748401 100644 --- a/nixos/modules/misc/version.nix +++ b/nixos/modules/misc/version.nix @@ -13,7 +13,7 @@ let attrsToText = attrs: concatStringsSep "\n" ( mapAttrsToList (n: v: ''${n}=${escapeIfNeccessary (toString v)}'') attrs - ); + ) + "\n"; osReleaseContents = { NAME = "NixOS"; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 2607e99d84593..902fffd60f9b9 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -66,6 +66,7 @@ ./hardware/network/ath-user-regd.nix ./hardware/network/b43.nix ./hardware/network/intel-2200bg.nix + ./hardware/new-lg4ff.nix ./hardware/nitrokey.nix ./hardware/opengl.nix ./hardware/openrazer.nix @@ -73,6 +74,7 @@ ./hardware/printers.nix ./hardware/raid/hpsa.nix ./hardware/rtl-sdr.nix + ./hardware/saleae-logic.nix ./hardware/steam-hardware.nix ./hardware/system-76.nix ./hardware/tuxedo-keyboard.nix @@ -137,6 +139,7 @@ ./programs/captive-browser.nix ./programs/ccache.nix ./programs/cdemu.nix + ./programs/cfs-zen-tweaks.nix ./programs/chromium.nix ./programs/clickshare.nix ./programs/cnping.nix @@ -733,6 +736,7 @@ ./services/networking/bitcoind.nix ./services/networking/autossh.nix ./services/networking/bird.nix + ./services/networking/bird-lg.nix ./services/networking/bitlbee.nix ./services/networking/blockbook-frontend.nix ./services/networking/blocky.nix @@ -1234,6 +1238,7 @@ ./tasks/powertop.nix ./testing/service-runner.nix ./virtualisation/anbox.nix + ./virtualisation/appvm.nix ./virtualisation/build-vm.nix ./virtualisation/container-config.nix ./virtualisation/containerd.nix diff --git a/nixos/modules/programs/atop.nix b/nixos/modules/programs/atop.nix index ad75ab27666ce..a31078a891a0c 100644 --- a/nixos/modules/programs/atop.nix +++ b/nixos/modules/programs/atop.nix @@ -136,6 +136,24 @@ in packages = [ atop (lib.mkIf cfg.netatop.enable cfg.netatop.package) ]; services = mkService cfg.atopService.enable "atop" [ atop ] + // lib.mkIf cfg.atopService.enable { + # always convert logs to newer version first + # XXX might trigger TimeoutStart but restarting atop.service will + # convert remainings logs and start eventually + atop.serviceConfig.ExecStartPre = pkgs.writeShellScript "atop-update-log-format" '' + set -e -u + for logfile in "$LOGPATH"/atop_* + do + ${atop}/bin/atopconvert "$logfile" "$logfile".new + # only replace old file if version was upgraded to avoid + # false positives for atop-rotate.service + if ! ${pkgs.diffutils}/bin/cmp -s "$logfile" "$logfile".new + then + ${pkgs.coreutils}/bin/mv -v -f "$logfile".new "$logfile" + fi + done + ''; + } // mkService cfg.atopacctService.enable "atopacct" [ atop ] // mkService cfg.netatop.enable "netatop" [ cfg.netatop.package ] // mkService cfg.atopgpu.enable "atopgpu" [ atop ]; diff --git a/nixos/modules/programs/cfs-zen-tweaks.nix b/nixos/modules/programs/cfs-zen-tweaks.nix new file mode 100644 index 0000000000000..f168662bbefe7 --- /dev/null +++ b/nixos/modules/programs/cfs-zen-tweaks.nix @@ -0,0 +1,28 @@ +# CFS Zen Tweaks + +{ config, pkgs, lib, ... }: + +with lib; + +let + + cfg = config.programs.cfs-zen-tweaks; + +in + +{ + + meta = { + maintainers = with maintainers; [ mkg20001 ]; + }; + + options = { + programs.cfs-zen-tweaks.enable = mkEnableOption "CFS Zen Tweaks"; + }; + + config = mkIf cfg.enable { + systemd.packages = [ pkgs.cfs-zen-tweaks ]; + + systemd.services.set-cfs-tweak.wantedBy = [ "multi-user.target" "suspend.target" "hibernate.target" "hybrid-sleep.target" "suspend-then-hibernate.target" ]; + }; +} diff --git a/nixos/modules/services/computing/slurm/slurm.nix b/nixos/modules/services/computing/slurm/slurm.nix index 8cbe54c606040..b9792fd1334c3 100644 --- a/nixos/modules/services/computing/slurm/slurm.nix +++ b/nixos/modules/services/computing/slurm/slurm.nix @@ -361,8 +361,13 @@ in ++ lib.optional cfg.enableSrunX11 slurm-spank-x11; wantedBy = [ "multi-user.target" ]; - after = [ "systemd-tmpfiles-clean.service" ]; - requires = [ "network.target" ]; + after = [ + "systemd-tmpfiles-clean.service" + "munge.service" + "network-online.target" + "remote-fs.target" + ]; + wants = [ "network-online.target" ]; serviceConfig = { Type = "forking"; @@ -371,6 +376,7 @@ in PIDFile = "/run/slurmd.pid"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; LimitMEMLOCK = "infinity"; + Delegate="Yes"; }; }; diff --git a/nixos/modules/services/games/asf.nix b/nixos/modules/services/games/asf.nix index ea2bfd40fffaa..31a112d6c74b6 100644 --- a/nixos/modules/services/games/asf.nix +++ b/nixos/modules/services/games/asf.nix @@ -13,6 +13,8 @@ let # is in theory not needed as this is already the default for default builds UpdateChannel = 0; Headless = true; + } // lib.optionalAttrs (cfg.ipcPasswordFile != "") { + IPCPassword = "#ipcPassword#"; }); ipc-config = format.generate "IPC.config" cfg.ipcSettings; @@ -81,8 +83,7 @@ in type = format.type; description = '' The ASF.json file, all the options are documented <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#global-config">here</link>. - Do note that `AutoRestart` and `UpdateChannel` is always to `false` -respectively `0` because NixOS takes care of updating everything. + Do note that `AutoRestart` and `UpdateChannel` is always to `false` respectively `0` because NixOS takes care of updating everything. `Headless` is also always set to `true` because there is no way to provide inputs via a systemd service. You should try to keep ASF up to date since upstream does not provide support for anything but the latest version and you're exposing yourself to all kinds of issues - as is outlined <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#updateperiod">here</link>. ''; @@ -92,6 +93,11 @@ respectively `0` because NixOS takes care of updating everything. default = { }; }; + ipcPasswordFile = mkOption { + type = types.path; + description = "Path to a file containig the password. The file must be readable by the <literal>asf</literal> user/group."; + }; + ipcSettings = mkOption { type = format.type; description = '' @@ -115,14 +121,12 @@ respectively `0` because NixOS takes care of updating everything. options = { username = mkOption { type = types.str; - description = - "Name of the user to log in. Default is attribute name."; + description = "Name of the user to log in. Default is attribute name."; default = ""; }; passwordFile = mkOption { type = types.path; - description = - "Path to a file containig the password. The file must be readable by the <literal>asf</literal> user/group."; + description = "Path to a file containig the password. The file must be readable by the <literal>asf</literal> user/group."; }; enabled = mkOption { type = types.bool; @@ -131,8 +135,7 @@ respectively `0` because NixOS takes care of updating everything. }; settings = mkOption { type = types.attrs; - description = - "Additional settings that are documented <link xlink:href=\"https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#bot-config\">here</link>."; + description = "Additional settings that are documented <link xlink:href=\"https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#bot-config\">here</link>."; default = { }; }; }; @@ -156,6 +159,7 @@ respectively `0` because NixOS takes care of updating everything. users = { users.asf = { home = cfg.dataDir; + homeMode = "700"; isSystemUser = true; group = "asf"; description = "Archis-Steam-Farm service user"; @@ -176,8 +180,7 @@ respectively `0` because NixOS takes care of updating everything. Group = "asf"; WorkingDirectory = cfg.dataDir; Type = "simple"; - ExecStart = - "${cfg.package}/bin/ArchiSteamFarm --path ${cfg.dataDir} --process-required --no-restart --service --no-config-migrate"; + ExecStart = "${cfg.package}/bin/ArchiSteamFarm --path ${cfg.dataDir} --process-required --no-restart --service --no-config-migrate"; # mostly copied from the default systemd service PrivateTmp = true; @@ -202,29 +205,38 @@ respectively `0` because NixOS takes care of updating everything. } ]; - preStart = '' - mkdir -p config - rm -f www - rm -f config/{*.json,*.config} - - ln -s ${asf-config} config/ASF.json - - ${strings.optionalString (cfg.ipcSettings != {}) '' - ln -s ${ipc-config} config/IPC.config - ''} - - ln -s ${pkgs.runCommandLocal "ASF-bots" {} '' - mkdir -p $out/lib/asf/bots - for i in ${strings.concatStringsSep " " (lists.map (x: "${getName x},${x}") (attrsets.mapAttrsToList mkBot cfg.bots))}; do IFS=","; - set -- $i - ln -s $2 $out/lib/asf/bots/$1 - done - ''}/lib/asf/bots/* config/ - - ${strings.optionalString cfg.web-ui.enable '' - ln -s ${cfg.web-ui.package}/lib/dist www - ''} - ''; + preStart = + let + createBotsScript = pkgs.runCommandLocal "ASF-bots" { } '' + mkdir -p $out + # clean potential removed bots + rm -rf $out/*.json + for i in ${strings.concatStringsSep " " (lists.map (x: "${getName x},${x}") (attrsets.mapAttrsToList mkBot cfg.bots))}; do IFS=","; + set -- $i + ln -fs $2 $out/$1 + done + ''; + replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; + in + '' + mkdir -p config + + cp --no-preserve=mode ${asf-config} config/ASF.json + ${replaceSecretBin} '#ipcPassword#' '${cfg.ipcPasswordFile}' config/ASF.json + + ${optionalString (cfg.ipcSettings != {}) '' + ln -fs ${ipc-config} config/IPC.config + ''} + + ${optionalString (cfg.ipcSettings != {}) '' + ln -fs ${createBotsScript}/* config/ + ''} + + rm -f www + ${optionalString cfg.web-ui.enable '' + ln -s ${cfg.web-ui.package}/lib/dist www + ''} + ''; }; }; }; diff --git a/nixos/modules/services/misc/dendrite.nix b/nixos/modules/services/misc/dendrite.nix index ac5df9951b3f0..54052084b3378 100644 --- a/nixos/modules/services/misc/dendrite.nix +++ b/nixos/modules/services/misc/dendrite.nix @@ -74,6 +74,18 @@ in <literal>dendrite</literal> is running. ''; }; + loadCredential = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + example = [ "private_key:/path/to/my_private_key" ]; + description = '' + This can be used to pass secrets to the systemd service without adding them to + the nix store. + To use the example setting, see the example of + <option>services.dendrite.settings.global.private_key</option>. + See the LoadCredential section of systemd.exec manual for more information. + ''; + }; settings = lib.mkOption { type = lib.types.submodule { freeformType = settingsFormat.type; @@ -88,8 +100,10 @@ in ''; }; private_key = lib.mkOption { - type = lib.types.path; - example = "${workingDir}/matrix_key.pem"; + type = lib.types.either + lib.types.path + (lib.types.strMatching "^\\$CREDENTIALS_DIRECTORY/.+"); + example = "$CREDENTIALS_DIRECTORY/private_key"; description = '' The path to the signing private key file, used to sign requests and events. @@ -256,6 +270,7 @@ in RuntimeDirectoryMode = "0700"; LimitNOFILE = 65535; EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; + LoadCredential = cfg.loadCredential; ExecStartPre = '' ${pkgs.envsubst}/bin/envsubst \ -i ${configurationYaml} \ diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix index 04cf82f8a46bb..789b78702e9bc 100644 --- a/nixos/modules/services/misc/jellyfin.nix +++ b/nixos/modules/services/misc/jellyfin.nix @@ -53,7 +53,10 @@ in User = cfg.user; Group = cfg.group; StateDirectory = "jellyfin"; + StateDirectoryMode = "0700"; CacheDirectory = "jellyfin"; + CacheDirectoryMode = "0700"; + UMask = "0077"; ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'"; Restart = "on-failure"; diff --git a/nixos/modules/services/misc/libreddit.nix b/nixos/modules/services/misc/libreddit.nix index 77b34a8562049..e21a884478441 100644 --- a/nixos/modules/services/misc/libreddit.nix +++ b/nixos/modules/services/misc/libreddit.nix @@ -2,14 +2,13 @@ with lib; - let - cfg = config.services.libreddit; - - args = concatStringsSep " " ([ - "--port ${toString cfg.port}" - "--address ${cfg.address}" - ] ++ optional cfg.redirect "--redirect-https"); +let + cfg = config.services.libreddit; + args = concatStringsSep " " ([ + "--port ${toString cfg.port}" + "--address ${cfg.address}" + ]); in { options = { @@ -30,12 +29,6 @@ in description = "The port to listen on"; }; - redirect = mkOption { - type = types.bool; - default = false; - description = "Enable the redirecting to HTTPS"; - }; - openFirewall = mkOption { type = types.bool; default = false; @@ -56,6 +49,31 @@ in AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; Restart = "on-failure"; RestartSec = "2s"; + # Hardening + CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ]; + DeviceAllow = [ "" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateDevices = true; + # A private user cannot have process capabilities on the host's user + # namespace and thus CAP_NET_BIND_SERVICE has no effect. + PrivateUsers = (cfg.port >= 1024); + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0077"; }; }; diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index b959379d331a7..497d46741381b 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -14,6 +14,7 @@ let PATHS_PLUGINS = if builtins.isNull cfg.declarativePlugins then "${cfg.dataDir}/plugins" else declarativePlugins; PATHS_LOGS = "${cfg.dataDir}/log"; + SERVER_SERVE_FROM_SUBPATH = boolToString cfg.server.serveFromSubPath; SERVER_PROTOCOL = cfg.protocol; SERVER_HTTP_ADDR = cfg.addr; SERVER_HTTP_PORT = cfg.port; @@ -41,9 +42,23 @@ let USERS_AUTO_ASSIGN_ORG = boolToString cfg.users.autoAssignOrg; USERS_AUTO_ASSIGN_ORG_ROLE = cfg.users.autoAssignOrgRole; + AUTH_DISABLE_LOGIN_FORM = boolToString cfg.auth.disableLoginForm; + AUTH_ANONYMOUS_ENABLED = boolToString cfg.auth.anonymous.enable; AUTH_ANONYMOUS_ORG_NAME = cfg.auth.anonymous.org_name; AUTH_ANONYMOUS_ORG_ROLE = cfg.auth.anonymous.org_role; + + AUTH_AZUREAD_NAME = "Azure AD"; + AUTH_AZUREAD_ENABLED = boolToString cfg.auth.azuread.enable; + AUTH_AZUREAD_ALLOW_SIGN_UP = boolToString cfg.auth.azuread.allowSignUp; + AUTH_AZUREAD_CLIENT_ID = cfg.auth.azuread.clientId; + AUTH_AZUREAD_SCOPES = "openid email profile"; + AUTH_AZUREAD_AUTH_URL = "https://login.microsoftonline.com/${cfg.auth.azuread.tenantId}/oauth2/v2.0/authorize"; + AUTH_AZUREAD_TOKEN_URL = "https://login.microsoftonline.com/${cfg.auth.azuread.tenantId}/oauth2/v2.0/token"; + AUTH_AZUREAD_ALLOWED_DOMAINS = cfg.auth.azuread.allowedDomains; + AUTH_AZUREAD_ALLOWED_GROUPS = cfg.auth.azuread.allowedGroups; + AUTH_AZUREAD_ROLE_ATTRIBUTE_STRICT = false; + AUTH_GOOGLE_ENABLED = boolToString cfg.auth.google.enable; AUTH_GOOGLE_ALLOW_SIGN_UP = boolToString cfg.auth.google.allowSignUp; AUTH_GOOGLE_CLIENT_ID = cfg.auth.google.clientId; @@ -484,6 +499,14 @@ in { }; }; + server = { + serveFromSubPath = mkOption { + description = "Serve Grafana from subpath specified in rootUrl setting"; + default = false; + type = types.bool; + }; + }; + smtp = { enable = mkEnableOption "smtp"; host = mkOption { @@ -546,6 +569,12 @@ in { }; auth = { + disableLoginForm = mkOption { + description = "Set to true to disable (hide) the login form, useful if you use OAuth"; + default = false; + type = types.bool; + }; + anonymous = { enable = mkOption { description = "Whether to allow anonymous access."; @@ -563,6 +592,53 @@ in { type = types.str; }; }; + azuread = { + enable = mkOption { + description = "Whether to allow Azure AD OAuth."; + default = false; + type = types.bool; + }; + allowSignUp = mkOption { + description = "Whether to allow sign up with Azure AD OAuth."; + default = false; + type = types.bool; + }; + clientId = mkOption { + description = "Azure AD OAuth client ID."; + default = ""; + type = types.str; + }; + clientSecretFile = mkOption { + description = "Azure AD OAuth client secret."; + default = null; + type = types.nullOr types.path; + }; + tenantId = mkOption { + description = '' + Tenant id used to create auth and token url. Default to "common" + , let user sign in with any tenant. + ''; + default = "common"; + type = types.str; + }; + allowedDomains = mkOption { + description = '' + To limit access to authenticated users who are members of one or more groups, + set allowedGroups to a comma- or space-separated list of group object IDs. + You can find object IDs for a specific group on the Azure portal. + ''; + default = ""; + type = types.str; + }; + allowedGroups = mkOption { + description = '' + Limits access to users who belong to specific domains. + Separate domains with space or comma. + ''; + default = ""; + type = types.str; + }; + }; google = { enable = mkOption { description = "Whether to allow Google OAuth2."; @@ -652,6 +728,10 @@ in { set -o errexit -o pipefail -o nounset -o errtrace shopt -s inherit_errexit + ${optionalString (cfg.auth.azuread.clientSecretFile != null) '' + GF_AUTH_AZUREAD_CLIENT_SECRET="$(<${escapeShellArg cfg.auth.azuread.clientSecretFile})" + export GF_AUTH_AZUREAD_CLIENT_SECRET + ''} ${optionalString (cfg.auth.google.clientSecretFile != null) '' GF_AUTH_GOOGLE_CLIENT_SECRET="$(<${escapeShellArg cfg.auth.google.clientSecretFile})" export GF_AUTH_GOOGLE_CLIENT_SECRET diff --git a/nixos/modules/services/monitoring/mimir.nix b/nixos/modules/services/monitoring/mimir.nix index df853f037ee6a..f85f3ab02c37e 100644 --- a/nixos/modules/services/monitoring/mimir.nix +++ b/nixos/modules/services/monitoring/mimir.nix @@ -28,6 +28,9 @@ in { }; config = mkIf cfg.enable { + # for mimirtool + environment.systemPackages = [ pkgs.mimir ]; + assertions = [{ assertion = ( (cfg.configuration == {} -> cfg.configFile != null) && @@ -56,6 +59,7 @@ in { ProtectSystem = "full"; DevicePolicy = "closed"; NoNewPrivileges = true; + WorkingDirectory = "/var/lib/mimir"; StateDirectory = "mimir"; }; }; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dmarc.nix b/nixos/modules/services/monitoring/prometheus/exporters/dmarc.nix index 330610a15d9e0..25950e1ece967 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/dmarc.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/dmarc.nix @@ -108,7 +108,7 @@ in { -i ${pkgs.writeText "dmarc-exporter.json.template" json} \ -o ''${STATE_DIRECTORY}/dmarc-exporter.json - exec ${pkgs.prometheus-dmarc-exporter}/bin/prometheus-dmarc-exporter \ + exec ${pkgs.dmarc-metrics-exporter}/bin/dmarc-metrics-exporter \ --configuration /var/lib/prometheus-dmarc-exporter/dmarc-exporter.json \ ${optionalString cfg.debug "--debug"} ''}"; diff --git a/nixos/modules/services/networking/bird-lg.nix b/nixos/modules/services/networking/bird-lg.nix new file mode 100644 index 0000000000000..515ef38608b4b --- /dev/null +++ b/nixos/modules/services/networking/bird-lg.nix @@ -0,0 +1,269 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.bird-lg; +in +{ + options = { + services.bird-lg = { + package = mkOption { + type = types.package; + default = pkgs.bird-lg; + defaultText = literalExpression "pkgs.bird-lg"; + description = "The Bird Looking Glass package to use."; + }; + + user = mkOption { + type = types.str; + default = "bird-lg"; + description = "User to run the service."; + }; + + group = mkOption { + type = types.str; + default = "bird-lg"; + description = "Group to run the service."; + }; + + frontend = { + enable = mkEnableOption "Bird Looking Glass Frontend Webserver"; + + listenAddress = mkOption { + type = types.str; + default = "127.0.0.1:5000"; + description = "Address to listen on."; + }; + + proxyPort = mkOption { + type = types.port; + default = 8000; + description = "Port bird-lg-proxy is running on."; + }; + + domain = mkOption { + type = types.str; + default = ""; + example = "dn42.lantian.pub"; + description = "Server name domain suffixes."; + }; + + servers = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "gigsgigscloud" "hostdare" ]; + description = "Server name prefixes."; + }; + + whois = mkOption { + type = types.str; + default = "whois.verisign-grs.com"; + description = "Whois server for queries."; + }; + + dnsInterface = mkOption { + type = types.str; + default = "asn.cymru.com"; + description = "DNS zone to query ASN information."; + }; + + bgpMapInfo = mkOption { + type = types.listOf types.str; + default = [ "asn" "as-name" "ASName" "descr" ]; + description = "Information displayed in bgpmap."; + }; + + titleBrand = mkOption { + type = types.str; + default = "Bird-lg Go"; + description = "Prefix of page titles in browser tabs."; + }; + + netSpecificMode = mkOption { + type = types.str; + default = ""; + example = "dn42"; + description = "Apply network-specific changes for some networks."; + }; + + protocolFilter = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "ospf" ]; + description = "Information displayed in bgpmap."; + }; + + nameFilter = mkOption { + type = types.str; + default = ""; + example = "^ospf"; + description = "Protocol names to hide in summary tables (RE2 syntax),"; + }; + + timeout = mkOption { + type = types.int; + default = 120; + description = "Time before request timed out, in seconds."; + }; + + navbar = { + brand = mkOption { + type = types.str; + default = "Bird-lg Go"; + description = "Brand to show in the navigation bar ."; + }; + + brandURL = mkOption { + type = types.str; + default = "/"; + description = "URL of the brand to show in the navigation bar."; + }; + + allServers = mkOption { + type = types.str; + default = "ALL Servers"; + description = "Text of 'All server' button in the navigation bar."; + }; + + allServersURL = mkOption { + type = types.str; + default = "all"; + description = "URL of 'All servers' button."; + }; + }; + + extraArgs = mkOption { + type = types.lines; + default = ""; + description = " + Extra parameters documented <link xlink:href=\"https://github.com/xddxdd/bird-lg-go#frontend\">here</link>. + "; + }; + }; + + proxy = { + enable = mkEnableOption "Bird Looking Glass Proxy"; + + listenAddress = mkOption { + type = types.str; + default = "127.0.0.1:8000"; + description = "Address to listen on."; + }; + + allowedIPs = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "192.168.25.52" "192.168.25.53" ]; + description = "List of IPs to allow (default all allowed)."; + }; + + birdSocket = mkOption { + type = types.str; + default = "/run/bird.ctl"; + example = "/var/run/bird/bird.ctl"; + description = "Bird control socket path."; + }; + + traceroute = { + binary = mkOption { + type = types.str; + default = "${pkgs.traceroute}/bin/traceroute"; + defaultText = literalExpression ''"''${pkgs.traceroute}/bin/traceroute"''; + description = "Traceroute's binary path."; + }; + + rawOutput = mkOption { + type = types.bool; + default = false; + description = "Display traceroute output in raw format."; + }; + }; + + extraArgs = mkOption { + type = types.lines; + default = ""; + description = " + Extra parameters documented <link xlink:href=\"https://github.com/xddxdd/bird-lg-go#proxy\">here</link>. + "; + }; + }; + }; + }; + + ###### implementation + + config = { + systemd.services = { + bird-lg-frontend = mkIf cfg.frontend.enable { + enable = true; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + description = "Bird Looking Glass Frontend Webserver"; + serviceConfig = { + Type = "simple"; + Restart = "on-failure"; + ProtectSystem = "full"; + ProtectHome = "yes"; + MemoryDenyWriteExecute = "yes"; + User = cfg.user; + Group = cfg.group; + }; + script = '' + ${cfg.package}/bin/frontend \ + --servers ${concatStringsSep "," cfg.frontend.servers } \ + --domain ${cfg.frontend.domain} \ + --listen ${cfg.frontend.listenAddress} \ + --proxy-port ${toString cfg.frontend.proxyPort} \ + --whois ${cfg.frontend.whois} \ + --dns-interface ${cfg.frontend.dnsInterface} \ + --bgpmap-info ${concatStringsSep "," cfg.frontend.bgpMapInfo } \ + --title-brand ${cfg.frontend.titleBrand} \ + --navbar-brand ${cfg.frontend.navbar.brand} \ + --navbar-brand-url ${cfg.frontend.navbar.brandURL} \ + --navbar-all-servers ${cfg.frontend.navbar.allServers} \ + --navbar-all-url ${cfg.frontend.navbar.allServersURL} \ + --net-specific-mode ${cfg.frontend.netSpecificMode} \ + --protocol-filter ${concatStringsSep "," cfg.frontend.protocolFilter } \ + --name-filter ${cfg.frontend.nameFilter} \ + --time-out ${toString cfg.frontend.timeout} \ + ${cfg.frontend.extraArgs} + ''; + }; + + bird-lg-proxy = mkIf cfg.proxy.enable { + enable = true; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + description = "Bird Looking Glass Proxy"; + serviceConfig = { + Type = "simple"; + Restart = "on-failure"; + ProtectSystem = "full"; + ProtectHome = "yes"; + MemoryDenyWriteExecute = "yes"; + User = cfg.user; + Group = cfg.group; + }; + script = '' + ${cfg.package}/bin/proxy \ + --allowed ${concatStringsSep "," cfg.proxy.allowedIPs } \ + --bird ${cfg.proxy.birdSocket} \ + --listen ${cfg.proxy.listenAddress} \ + --traceroute_bin ${cfg.proxy.traceroute.binary} + --traceroute_raw ${boolToString cfg.proxy.traceroute.rawOutput} + ${cfg.proxy.extraArgs} + ''; + }; + }; + users = mkIf (cfg.frontend.enable || cfg.proxy.enable) { + groups."bird-lg" = mkIf (cfg.group == "bird-lg") { }; + users."bird-lg" = mkIf (cfg.user == "bird-lg") { + description = "Bird Looking Glass user"; + extraGroups = lib.optionals (config.services.bird2.enable) [ "bird2" ]; + group = cfg.group; + isSystemUser = true; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/openconnect.nix b/nixos/modules/services/networking/openconnect.nix index de4b505130eb6..bc873b2198bcc 100644 --- a/nixos/modules/services/networking/openconnect.nix +++ b/nixos/modules/services/networking/openconnect.nix @@ -9,6 +9,12 @@ let }; interfaceOptions = { options = { + autoStart = mkOption { + default = true; + description = "Whether this VPN connection should be started automatically."; + type = types.bool; + }; + gateway = mkOption { description = "Gateway server to connect to."; example = "gateway.example.com"; @@ -95,7 +101,7 @@ let description = "OpenConnect Interface - ${name}"; requires = [ "network-online.target" ]; after = [ "network.target" "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; + wantedBy = optional icfg.autoStart "multi-user.target"; serviceConfig = { Type = "simple"; diff --git a/nixos/modules/services/system/localtime.nix b/nixos/modules/services/system/localtime.nix index 8f23454af9dfd..6383e454e76ba 100644 --- a/nixos/modules/services/system/localtime.nix +++ b/nixos/modules/services/system/localtime.nix @@ -3,30 +3,26 @@ with lib; let - cfg = config.services.localtime; + cfg = config.services.localtimed; in { options = { - services.localtime = { + services.localtimed = { enable = mkOption { type = types.bool; default = false; description = '' - Enable <literal>localtime</literal>, simple daemon for keeping the system - timezone up-to-date based on the current location. It uses geoclue2 to - determine the current location and systemd-timedated to actually set - the timezone. + Enable <literal>localtimed</literal>, a simple daemon for keeping the + system timezone up-to-date based on the current location. It uses + geoclue2 to determine the current location. ''; }; }; }; config = mkIf cfg.enable { - services.geoclue2 = { - enable = true; - appConfig.localtime = { - isAllowed = true; - isSystem = true; - }; + services.geoclue2.appConfig.localtimed = { + isAllowed = true; + isSystem = true; }; # Install the polkit rules. @@ -34,16 +30,6 @@ in { # Install the systemd unit. systemd.packages = [ pkgs.localtime ]; - users.users.localtimed = { - description = "localtime daemon"; - isSystemUser = true; - group = "localtimed"; - }; - users.groups.localtimed = {}; - - systemd.services.localtime = { - wantedBy = [ "multi-user.target" ]; - serviceConfig.Restart = "on-failure"; - }; + systemd.services.localtime.wantedBy = [ "multi-user.target" ]; }; } diff --git a/nixos/modules/services/web-apps/hedgedoc.nix b/nixos/modules/services/web-apps/hedgedoc.nix index 6a46ffbd17d45..13893cbf005af 100644 --- a/nixos/modules/services/web-apps/hedgedoc.nix +++ b/nixos/modules/services/web-apps/hedgedoc.nix @@ -197,6 +197,13 @@ in Whether to allow note creation by accessing a nonexistent note URL. ''; }; + requireFreeURLAuthentication = mkOption { + type = types.bool; + default = false; + description = '' + Whether to require authentication for FreeURL mode style note creation. + ''; + }; defaultPermission = mkOption { type = types.enum [ "freely" "editable" "limited" "locked" "private" ]; default = "editable"; @@ -431,7 +438,7 @@ in Minio secret key. ''; }; - endpoint = mkOption { + endPoint = mkOption { type = types.str; description = '' Minio endpoint. diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 1d5ec5594f791..dd2f2479f4e99 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -733,7 +733,7 @@ in { 'trusted_domains' => ${writePhpArrary ([ cfg.hostName ] ++ c.extraTrustedDomains)}, 'trusted_proxies' => ${writePhpArrary (c.trustedProxies)}, ${optionalString (c.defaultPhoneRegion != null) "'default_phone_region' => '${c.defaultPhoneRegion}',"} - ${optionalString (nextcloudGreaterOrEqualThan "23") "'profile.enabled' => ${boolToString cfg.globalProfiles}"} + ${optionalString (nextcloudGreaterOrEqualThan "23") "'profile.enabled' => ${boolToString cfg.globalProfiles},"} ${objectstoreConfig} ]; ''; @@ -830,7 +830,7 @@ in { ${occ}/bin/nextcloud-occ config:system:delete trusted_domains ${optionalString (cfg.extraAppsEnable && cfg.extraApps != { }) '' - # Try to enable apps (don't fail when one of them cannot be enabled , eg. due to incompatible version) + # Try to enable apps ${occ}/bin/nextcloud-occ app:enable ${concatStringsSep " " (attrNames cfg.extraApps)} ''} diff --git a/nixos/modules/services/web-apps/peertube.nix b/nixos/modules/services/web-apps/peertube.nix index e195e6e6e8240..e6b6aa273e7fb 100644 --- a/nixos/modules/services/web-apps/peertube.nix +++ b/nixos/modules/services/web-apps/peertube.nix @@ -209,7 +209,7 @@ in { port = lib.mkOption { type = lib.types.nullOr lib.types.port; - default = if cfg.redis.createLocally && cfg.redis.enableUnixSocket then null else 6379; + default = if cfg.redis.createLocally && cfg.redis.enableUnixSocket then null else 31638; defaultText = lib.literalExpression '' if config.${opt.redis.createLocally} && config.${opt.redis.enableUnixSocket} then null @@ -344,7 +344,7 @@ in { }; }; } - (lib.mkIf cfg.redis.enableUnixSocket { redis = { socket = "/run/redis/redis.sock"; }; }) + (lib.mkIf cfg.redis.enableUnixSocket { redis = { socket = "/run/redis-peertube/redis.sock"; }; }) ]; systemd.tmpfiles.rules = [ @@ -441,13 +441,17 @@ in { enable = true; }; - services.redis = lib.mkMerge [ + services.redis.servers.peertube = lib.mkMerge [ (lib.mkIf cfg.redis.createLocally { enable = true; }) + (lib.mkIf (cfg.redis.createLocally && !cfg.redis.enableUnixSocket) { + bind = "127.0.0.1"; + port = cfg.redis.port; + }) (lib.mkIf (cfg.redis.createLocally && cfg.redis.enableUnixSocket) { - unixSocket = "/run/redis/redis.sock"; - unixSocketPerm = 770; + unixSocket = "/run/redis-peertube/redis.sock"; + unixSocketPerm = 660; }) ]; @@ -465,7 +469,7 @@ in { }; }) (lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package peertubeEnv peertubeCli pkgs.ffmpeg pkgs.nodejs-16_x pkgs.yarn ]) - (lib.mkIf cfg.redis.enableUnixSocket {${config.services.peertube.user}.extraGroups = [ "redis" ];}) + (lib.mkIf cfg.redis.enableUnixSocket {${config.services.peertube.user}.extraGroups = [ "redis-peertube" ];}) ]; users.groups = lib.optionalAttrs (cfg.group == "peertube") { diff --git a/nixos/modules/services/web-apps/timetagger.nix b/nixos/modules/services/web-apps/timetagger.nix deleted file mode 100644 index 373f4fcd52f81..0000000000000 --- a/nixos/modules/services/web-apps/timetagger.nix +++ /dev/null @@ -1,80 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (lib) mkEnableOption mkIf mkOption types literalExpression; - - cfg = config.services.timetagger; -in { - - options = { - services.timetagger = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Tag your time, get the insight - - <note><para> - This app does not do authentication. - You must setup authentication yourself or run it in an environment where - only allowed users have access. - </para></note> - ''; - }; - - bindAddr = mkOption { - description = "Address to bind to."; - type = types.str; - default = "127.0.0.1"; - }; - - port = mkOption { - description = "Port to bind to."; - type = types.port; - default = 8080; - }; - - package = mkOption { - description = '' - Use own package for starting timetagger web application. - - The ${literalExpression ''pkgs.timetagger''} package only provides a - "run.py" script for the actual package - ${literalExpression ''pkgs.python3Packages.timetagger''}. - - If you want to provide a "run.py" script for starting timetagger - yourself, you can do so with this option. - If you do so, the 'bindAddr' and 'port' options are ignored. - ''; - - default = pkgs.timetagger.override { addr = cfg.bindAddr; port = cfg.port; }; - defaultText = literalExpression '' - pkgs.timetagger.override { - addr = ${cfg.bindAddr}; - port = ${cfg.port}; - }; - ''; - type = types.package; - }; - }; - }; - - config = mkIf cfg.enable { - systemd.services.timetagger = { - description = "Timetagger service"; - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - User = "timetagger"; - Group = "timetagger"; - StateDirectory = "timetagger"; - - ExecStart = "${cfg.package}/bin/timetagger"; - - Restart = "on-failure"; - RestartSec = 1; - }; - }; - }; -} - diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 0c2333399e815..160d76597c889 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -932,7 +932,7 @@ in # System Call Filtering SystemCallArchitectures = "native"; SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ] - ++ optionals ((cfg.package != pkgs.tengine) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ]; + ++ optionals ((cfg.package != pkgs.tengine) && (cfg.package != pkgs.openresty) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ]; }; }; diff --git a/nixos/modules/services/x11/desktop-managers/phosh.nix b/nixos/modules/services/x11/desktop-managers/phosh.nix index 4bf78fa16e7d9..5efe645d8aa24 100644 --- a/nixos/modules/services/x11/desktop-managers/phosh.nix +++ b/nixos/modules/services/x11/desktop-managers/phosh.nix @@ -78,7 +78,13 @@ let description = '' Display scaling factor. ''; - type = types.nullOr types.ints.unsigned; + type = types.nullOr ( + types.addCheck + (types.either types.int types.float) + (x : x > 0) + ) // { + description = "null or positive integer or float"; + }; default = null; example = 2; }; diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py index fa879437fd810..aca6a1ca2cc20 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py @@ -204,7 +204,6 @@ def get_profiles() -> List[str]: else: return [] - def main() -> None: parser = argparse.ArgumentParser(description='Update NixOS-related systemd-boot files') parser.add_argument('default_config', metavar='DEFAULT-CONFIG', help='The default NixOS config to boot') @@ -244,27 +243,29 @@ def main() -> None: subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@"] + flags + ["install"]) else: # Update bootloader to latest if needed - systemd_version = subprocess.check_output(["@systemd@/bin/bootctl", "--version"], universal_newlines=True).split()[2] - sdboot_status = subprocess.check_output(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "status"], universal_newlines=True) + available_out = subprocess.check_output(["@systemd@/bin/bootctl", "--version"], universal_newlines=True).split()[2] + installed_out = subprocess.check_output(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "status"], universal_newlines=True) # See status_binaries() in systemd bootctl.c for code which generates this - m = re.search("^\W+File:.*/EFI/(BOOT|systemd)/.*\.efi \(systemd-boot ([\d.]+[^)]*)\)$", - sdboot_status, re.IGNORECASE | re.MULTILINE) + installed_match = re.search(r"^\W+File:.*/EFI/(?:BOOT|systemd)/.*\.efi \(systemd-boot ([\d.]+[^)]*)\)$", + installed_out, re.IGNORECASE | re.MULTILINE) - needs_install = False + available_match = re.search(r"^\((.*)\)$", available_out) - if m is None: - print("could not find any previously installed systemd-boot, installing.") - # Let systemd-boot attempt an installation if a previous one wasn't found - needs_install = True - else: - sdboot_version = f'({m.group(2)})' - if systemd_version != sdboot_version: - print("updating systemd-boot from %s to %s" % (sdboot_version, systemd_version)) - needs_install = True + if installed_match is None: + raise Exception("could not find any previously installed systemd-boot") + + if available_match is None: + raise Exception("could not determine systemd-boot version") - if needs_install: + installed_version = installed_match.group(1) + available_version = available_match.group(1) + + if installed_version < available_version: + print("updating systemd-boot from %s to %s" % (installed_version, available_version)) subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "update"]) + else: + print("leaving systemd-boot %s in place (%s is not newer)" % (installed_version, available_version)) mkdir_p("@efiSysMountPoint@/efi/nixos") mkdir_p("@efiSysMountPoint@/loader/entries") diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh index 22d5ec76af70b..337064034efb0 100644 --- a/nixos/modules/system/boot/stage-1-init.sh +++ b/nixos/modules/system/boot/stage-1-init.sh @@ -14,6 +14,8 @@ extraUtils="@extraUtils@" export LD_LIBRARY_PATH=@extraUtils@/lib export PATH=@extraUtils@/bin ln -s @extraUtils@/bin /bin +# hardcoded in util-linux's mount helper search path `/run/wrappers/bin:/run/current-system/sw/bin:/sbin` +ln -s @extraUtils@/bin /sbin # Copy the secrets to their needed location if [ -d "@extraUtils@/secrets" ]; then diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index d10ebac568282..e35ccff290786 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -31,6 +31,9 @@ let # mounting `/`, like `/` on a loopback). fileSystems = filter utils.fsNeededForBoot config.system.build.fileSystems; + # Determine whether zfs-mount(8) is needed. + zfsRequiresMountHelper = any (fs: lib.elem "zfsutil" fs.options) fileSystems; + # A utility for enumerating the shared-library dependencies of a program findLibs = pkgs.buildPackages.writeShellScriptBin "find-libs" '' set -euo pipefail @@ -107,6 +110,22 @@ let copy_bin_and_libs $BIN done + ${optionalString zfsRequiresMountHelper '' + # Filesystems using the "zfsutil" option are mounted regardless of the + # mount.zfs(8) helper, but it is required to ensure that ZFS properties + # are used as mount options. + # + # BusyBox does not use the ZFS helper in the first place. + # util-linux searches /sbin/ as last path for helpers (stage-1-init.sh + # must symlink it to the store PATH). + # Without helper program, both `mount`s silently fails back to internal + # code, using default options and effectively ignore security relevant + # ZFS properties such as `setuid=off` and `exec=off` (unless manually + # duplicated in `fileSystems.*.options`, defeating "zfsutil"'s purpose). + copy_bin_and_libs ${pkgs.util-linux}/bin/mount + copy_bin_and_libs ${pkgs.zfs}/bin/mount.zfs + ''} + # Copy some util-linux stuff. copy_bin_and_libs ${pkgs.util-linux}/sbin/blkid @@ -204,24 +223,29 @@ let # Run patchelf to make the programs refer to the copied libraries. find $out/bin $out/lib -type f | while read i; do - if ! test -L $i; then - nuke-refs -e $out $i - fi + nuke-refs -e $out $i done find $out/bin -type f | while read i; do - if ! test -L $i; then - echo "patching $i..." - patchelf --set-interpreter $out/lib/ld*.so.? --set-rpath $out/lib $i || true - fi + echo "patching $i..." + patchelf --set-interpreter $out/lib/ld*.so.? --set-rpath $out/lib $i || true + done + + find $out/lib -type f \! -name 'ld*.so.?' | while read i; do + echo "patching $i..." + patchelf --set-rpath $out/lib $i done if [ -z "${toString (pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform)}" ]; then # Make sure that the patchelf'ed binaries still work. echo "testing patched programs..." $out/bin/ash -c 'echo hello world' | grep "hello world" - export LD_LIBRARY_PATH=$out/lib - $out/bin/mount --help 2>&1 | grep -q "BusyBox" + ${if zfsRequiresMountHelper then '' + $out/bin/mount -V 1>&1 | grep -q "mount from util-linux" + $out/bin/mount.zfs -h 2>&1 | grep -q "Usage: mount.zfs" + '' else '' + $out/bin/mount --help 2>&1 | grep -q "BusyBox" + ''} $out/bin/blkid -V 2>&1 | grep -q 'libblkid' $out/bin/udevadm --version $out/bin/dmsetup --version 2>&1 | tee -a log | grep -q "version:" @@ -260,8 +284,6 @@ let } '' mkdir -p $out - echo 'ENV{LD_LIBRARY_PATH}="${extraUtils}/lib"' > $out/00-env.rules - cp -v ${udev}/lib/udev/rules.d/60-cdrom_id.rules $out/ cp -v ${udev}/lib/udev/rules.d/60-persistent-storage.rules $out/ cp -v ${udev}/lib/udev/rules.d/75-net-description.rules $out/ diff --git a/nixos/modules/virtualisation/appvm.nix b/nixos/modules/virtualisation/appvm.nix new file mode 100644 index 0000000000000..24315a85d0edf --- /dev/null +++ b/nixos/modules/virtualisation/appvm.nix @@ -0,0 +1,49 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.virtualisation.appvm; + +in { + + options = { + virtualisation.appvm = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + This enables AppVMs and related virtualisation settings. + ''; + }; + user = mkOption { + type = types.str; + description = '' + AppVM user login. Currenly only AppVMs are supported for a single user only. + ''; + }; + }; + + }; + + config = mkIf cfg.enable { + virtualisation.libvirtd = { + enable = true; + qemu.verbatimConfig = '' + namespaces = [] + user = "${cfg.user}" + group = "users" + remember_owner = 0 + ''; + }; + + users.users."${cfg.user}" = { + packages = [ pkgs.appvm ]; + extraGroups = [ "libvirtd" ]; + }; + + }; + +} + diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index e0bccb83a97ff..31d18ae734495 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -11,10 +11,9 @@ let auth_unix_rw = "polkit" ${cfg.extraConfig} ''; - ovmfFilePrefix = if pkgs.stdenv.isAarch64 then "AAVMF" else "OVMF"; qemuConfigFile = pkgs.writeText "qemu.conf" '' ${optionalString cfg.qemu.ovmf.enable '' - nvram = [ "/run/libvirt/nix-ovmf/${ovmfFilePrefix}_CODE.fd:/run/libvirt/nix-ovmf/${ovmfFilePrefix}_VARS.fd" ] + nvram = [ "/run/libvirt/nix-ovmf/AAVMF_CODE.fd:/run/libvirt/nix-ovmf/AAVMF_VARS.fd", "/run/libvirt/nix-ovmf/OVMF_CODE.fd:/run/libvirt/nix-ovmf/OVMF_VARS.fd" ] ''} ${optionalString (!cfg.qemu.runAsRoot) '' user = "qemu-libvirtd" @@ -36,13 +35,20 @@ let ''; }; + # mkRemovedOptionModule does not work in submodules, do it manually package = mkOption { - type = types.package; - default = pkgs.OVMF; - defaultText = literalExpression "pkgs.OVMF"; - example = literalExpression "pkgs.OVMFFull"; + type = types.nullOr types.package; + default = null; + internal = true; + }; + + packages = mkOption { + type = types.listOf types.package; + default = [ pkgs.OVMF.fd ]; + defaultText = literalExpression "[ pkgs.OVMF.fd ]"; + example = literalExpression "[ pkgs.OVMFFull.fd pkgs.pkgsCross.aarch64-multiplatform.OVMF.fd ]"; description = '' - OVMF package to use. + List of OVMF packages to use. Each listed package must contain files names FV/OVMF_CODE.fd and FV/OVMF_VARS.fd or FV/AAVMF_CODE.fd and FV/AAVMF_VARS.fd ''; }; }; @@ -141,9 +147,9 @@ in (mkRenamedOptionModule [ "virtualisation" "libvirtd" "qemuOvmf" ] [ "virtualisation" "libvirtd" "qemu" "ovmf" "enable" ]) - (mkRenamedOptionModule + (mkRemovedOptionModule [ "virtualisation" "libvirtd" "qemuOvmfPackage" ] - [ "virtualisation" "libvirtd" "qemu" "ovmf" "package" ]) + "If this option was set to `foo`, set the option `virtualisation.libvirtd.qemu.ovmf.packages' to `[foo.fd]` instead.") (mkRenamedOptionModule [ "virtualisation" "libvirtd" "qemuSwtpm" ] [ "virtualisation" "libvirtd" "qemu" "swtpm" "enable" ]) @@ -238,12 +244,15 @@ in assertions = [ { - assertion = config.security.polkit.enable; - message = "The libvirtd module currently requires Polkit to be enabled ('security.polkit.enable = true')."; + assertion = config.virtualisation.libvirtd.qemu.ovmf.package == null; + message = '' + The option virtualisation.libvirtd.qemu.ovmf.package is superseded by virtualisation.libvirtd.qemu.ovmf.packages. + If this option was set to `foo`, set the option `virtualisation.libvirtd.qemu.ovmf.packages' to `[foo.fd]` instead. + ''; } { - assertion = builtins.elem "fd" cfg.qemu.ovmf.package.outputs; - message = "The option 'virtualisation.libvirtd.qemuOvmfPackage' needs a package that has an 'fd' output."; + assertion = config.security.polkit.enable; + message = "The libvirtd module currently requires Polkit to be enabled ('security.polkit.enable = true')."; } ]; @@ -303,10 +312,18 @@ in ln -s --force ${cfg.qemu.package}/$helper /run/${dirName}/nix-helpers/ done - ${optionalString cfg.qemu.ovmf.enable '' - ln -s --force ${cfg.qemu.ovmf.package.fd}/FV/${ovmfFilePrefix}_CODE.fd /run/${dirName}/nix-ovmf/ - ln -s --force ${cfg.qemu.ovmf.package.fd}/FV/${ovmfFilePrefix}_VARS.fd /run/${dirName}/nix-ovmf/ - ''} + ${optionalString cfg.qemu.ovmf.enable (let + ovmfpackage = pkgs.buildEnv { + name = "qemu-ovmf"; + paths = cfg.qemu.ovmf.packages; + }; + in + '' + ln -s --force ${ovmfpackage}/FV/AAVMF_CODE.fd /run/${dirName}/nix-ovmf/ + ln -s --force ${ovmfpackage}/FV/OVMF_CODE.fd /run/${dirName}/nix-ovmf/ + ln -s --force ${ovmfpackage}/FV/AAVMF_VARS.fd /run/${dirName}/nix-ovmf/ + ln -s --force ${ovmfpackage}/FV/OVMF_VARS.fd /run/${dirName}/nix-ovmf/ + '')} ''; serviceConfig = { diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix index 23228a109bce9..b930151571294 100644 --- a/nixos/modules/virtualisation/nixos-containers.nix +++ b/nixos/modules/virtualisation/nixos-containers.nix @@ -284,7 +284,7 @@ let DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices; }; - system = config.nixpkgs.localSystem.system; + inherit (config.nixpkgs) localSystem; kernelVersion = config.boot.kernelPackages.kernel.version; bindMountOpts = { name, ... }: { @@ -478,12 +478,12 @@ in type = lib.mkOptionType { name = "Toplevel NixOS config"; merge = loc: defs: (import "${toString config.nixpkgs}/nixos/lib/eval-config.nix" { - inherit system; modules = let extraConfig = { _file = "module at ${__curPos.file}:${toString __curPos.line}"; config = { + nixpkgs = { inherit localSystem; }; boot.isContainer = true; networking.hostName = mkDefault name; networking.useDHCP = false; diff --git a/nixos/modules/virtualisation/vmware-guest.nix b/nixos/modules/virtualisation/vmware-guest.nix index 3caed746ca91e..d468a2008722f 100644 --- a/nixos/modules/virtualisation/vmware-guest.nix +++ b/nixos/modules/virtualisation/vmware-guest.nix @@ -64,7 +64,6 @@ in environment.etc.vmware-tools.source = "${open-vm-tools}/etc/vmware-tools/*"; services.xserver = mkIf (!cfg.headless) { - videoDrivers = mkOverride 50 [ "vmware" ]; modules = [ xf86inputvmmouse ]; config = '' diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index bd0cdcb408aeb..1d177f595b568 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -171,6 +171,7 @@ in frr = handleTest ./frr.nix {}; fsck = handleTest ./fsck.nix {}; ft2-clone = handleTest ./ft2-clone.nix {}; + grafana-mimir = handleTest ./grafana-mimir.nix {}; gerrit = handleTest ./gerrit.nix {}; geth = handleTest ./geth.nix {}; ghostunnel = handleTest ./ghostunnel.nix {}; diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix index a21ce97a23b15..3007efaf88710 100644 --- a/nixos/tests/containers-imperative.nix +++ b/nixos/tests/containers-imperative.nix @@ -18,8 +18,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { # container available within the VM, because we don't have network access. virtualisation.additionalPaths = let emptyContainer = import ../lib/eval-config.nix { - inherit (config.nixpkgs.localSystem) system; modules = lib.singleton { + nixpkgs = { inherit (config.nixpkgs) localSystem; }; + containers.foo.config = { system.stateVersion = "18.03"; }; diff --git a/nixos/tests/dendrite.nix b/nixos/tests/dendrite.nix index d4a5bb1322638..1ff415433b47f 100644 --- a/nixos/tests/dendrite.nix +++ b/nixos/tests/dendrite.nix @@ -17,10 +17,11 @@ import ./make-test-python.nix ( homeserver = { pkgs, ... }: { services.dendrite = { enable = true; + loadCredential = [ "test_private_key:${private_key}" ]; openRegistration = true; settings = { global.server_name = "test-dendrite-server.com"; - global.private_key = private_key; + global.private_key = "$CREDENTIALS_DIRECTORY/test_private_key"; client_api.registration_disabled = false; }; }; diff --git a/nixos/tests/gitolite.nix b/nixos/tests/gitolite.nix index 128677cebde3a..9b3af59e4fbd8 100644 --- a/nixos/tests/gitolite.nix +++ b/nixos/tests/gitolite.nix @@ -107,7 +107,7 @@ in with subtest("gitolite server starts"): server.wait_for_unit("gitolite-init.service") server.wait_for_unit("sshd.service") - client.succeed("ssh gitolite@server info") + client.succeed("ssh -n gitolite@server info") with subtest("admin can clone and configure gitolite-admin.git"): client.succeed( diff --git a/nixos/tests/grafana-mimir.nix b/nixos/tests/grafana-mimir.nix new file mode 100644 index 0000000000000..0aafa956f0be2 --- /dev/null +++ b/nixos/tests/grafana-mimir.nix @@ -0,0 +1,50 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "grafana-mimir"; + nodes = { + server = { ... }: { + environment.systemPackages = [ pkgs.jq ]; + services.mimir.enable = true; + services.mimir.configuration = { + ingester.ring.replication_factor = 1; + }; + + services.telegraf.enable = true; + services.telegraf.extraConfig = { + agent.interval = "1s"; + agent.flush_interval = "1s"; + inputs.exec = { + commands = [ + "${pkgs.coreutils}/bin/echo 'foo i=42i'" + ]; + data_format = "influx"; + }; + outputs = { + http = { + # test remote write + url = "http://localhost:8080/api/v1/push"; + + # Data format to output. + data_format = "prometheusremotewrite"; + + headers = { + Content-Type = "application/x-protobuf"; + Content-Encoding = "snappy"; + X-Scope-OrgID = "nixos"; + X-Prometheus-Remote-Write-Version = "0.1.0"; + }; + }; + }; + }; + }; + }; + + testScript = '' + start_all() + server.wait_for_unit("mimir.service") + server.wait_for_unit("telegraf.service") + server.wait_for_open_port(8080) + server.wait_until_succeeds( + "curl -H 'X-Scope-OrgID: nixos' http://127.0.0.1:8080/prometheus/api/v1/label/host/values | jq -r '.data[0]' | grep server" + ) + ''; +}) diff --git a/nixos/tests/libreddit.nix b/nixos/tests/libreddit.nix index f7ef701d0865f..01f6aeffb3661 100644 --- a/nixos/tests/libreddit.nix +++ b/nixos/tests/libreddit.nix @@ -6,14 +6,16 @@ with lib; name = "libreddit"; meta.maintainers = with maintainers; [ fab ]; - nodes.machine = - { pkgs, ... }: - { services.libreddit.enable = true; }; + nodes.machine = { + services.libreddit.enable = true; + # Test CAP_NET_BIND_SERVICE + services.libreddit.port = 80; + }; testScript = '' machine.wait_for_unit("libreddit.service") - machine.wait_for_open_port("8080") - # The service wants to get data from https://www.reddit.com - machine.succeed("curl http://localhost:8080/") + machine.wait_for_open_port("80") + # Query a page that does not require Internet access + machine.succeed("curl --fail http://localhost:80/settings") ''; }) diff --git a/nixos/tests/matrix/mjolnir.nix b/nixos/tests/matrix/mjolnir.nix index 54094ab9d611c..3864f0ff2bb6d 100644 --- a/nixos/tests/matrix/mjolnir.nix +++ b/nixos/tests/matrix/mjolnir.nix @@ -43,7 +43,9 @@ import ../make-test-python.nix ( tls_certificate_path = "${cert}"; tls_private_key_path = "${key}"; enable_registration = true; + enable_registration_without_verification = true; registration_shared_secret = "supersecret-registration"; + enable_registration_without_verification = true; listeners = [ { # The default but tls=false diff --git a/nixos/tests/meilisearch.nix b/nixos/tests/meilisearch.nix index 9f54aa97d6adc..05109a944bc43 100644 --- a/nixos/tests/meilisearch.nix +++ b/nixos/tests/meilisearch.nix @@ -5,9 +5,10 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: apiUrl = "http://${listenAddress}:${toString listenPort}"; uid = "movies"; indexJSON = pkgs.writeText "index.json" (builtins.toJSON { inherit uid; }); - moviesJSON = pkgs.runCommand "movies.json" {} '' - sed -n '1,5p;$p' ${pkgs.meilisearch.src}/datasets/movies/movies.json > $out - ''; + moviesJSON = pkgs.fetchurl { + url = "https://github.com/meilisearch/meilisearch/raw/v0.23.1/datasets/movies/movies.json"; + sha256 = "1r3srld63dpmg9yrmysm6xl175661j5cspi93mk5q2wf8xwn50c5"; + }; in { name = "meilisearch"; meta.maintainers = with lib.maintainers; [ Br1ght0ne ]; @@ -34,7 +35,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: with subtest("create index"): machine.succeed( - "curl -XPOST ${apiUrl}/indexes --data @${indexJSON}" + "curl -XPOST --header 'Content-Type: application/json' ${apiUrl}/indexes --data @${indexJSON}" ) indexes = json.loads(machine.succeed("curl ${apiUrl}/indexes")) assert len(indexes) == 1, "index wasn't created" @@ -42,7 +43,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: with subtest("add documents"): response = json.loads( machine.succeed( - "curl -XPOST ${apiUrl}/indexes/${uid}/documents --data @${moviesJSON}" + "curl -XPOST --header 'Content-Type: application/json' ${apiUrl}/indexes/${uid}/documents --data @${moviesJSON}" ) ) update_id = response["updateId"] diff --git a/nixos/tests/os-prober.nix b/nixos/tests/os-prober.nix index ac05bd80c601a..1c89cf8c1c677 100644 --- a/nixos/tests/os-prober.nix +++ b/nixos/tests/os-prober.nix @@ -75,21 +75,30 @@ in { # The test cannot access the network, so any packages # nixos-rebuild needs must be included in the VM. system.extraDependencies = with pkgs; - [ sudo - libxml2.bin - libxslt.bin + [ + brotli + brotli.dev + brotli.lib desktop-file-utils docbook5 docbook_xsl_ns - unionfs-fuse - ntp + grub2 + kmod.dev + libarchive + libarchive.dev + libxml2.bin + libxslt.bin nixos-artwork.wallpapers.simple-dark-gray-bottom - perlPackages.XMLLibXML + ntp perlPackages.ListCompare + perlPackages.XMLLibXML + python3Minimal shared-mime-info + stdenv + sudo texinfo + unionfs-fuse xorg.lndir - grub2 # add curl so that rather than seeing the test attempt to download # curl's tarball, we see what it's trying to download diff --git a/nixos/tests/web-apps/peertube.nix b/nixos/tests/web-apps/peertube.nix index d42b4e3d677bb..ecc45bff2e2ca 100644 --- a/nixos/tests/web-apps/peertube.nix +++ b/nixos/tests/web-apps/peertube.nix @@ -11,7 +11,7 @@ import ../make-test-python.nix ({pkgs, ...}: { address = "192.168.2.10"; prefixLength = 24; } ]; }; - firewall.allowedTCPPorts = [ 5432 6379 ]; + firewall.allowedTCPPorts = [ 5432 31638 ]; }; services.postgresql = { @@ -34,7 +34,7 @@ import ../make-test-python.nix ({pkgs, ...}: enable = true; bind = "0.0.0.0"; requirePass = "turrQfaQwnanGbcsdhxy"; - port = 6379; + port = 31638; }; }; @@ -76,6 +76,7 @@ import ../make-test-python.nix ({pkgs, ...}: redis = { host = "192.168.2.10"; + port = 31638; passwordFile = "/etc/peertube/password-redis-db"; }; @@ -113,7 +114,7 @@ import ../make-test-python.nix ({pkgs, ...}: database.wait_for_unit("redis-peertube.service") database.wait_for_open_port(5432) - database.wait_for_open_port(6379) + database.wait_for_open_port(31638) server.wait_for_unit("peertube.service") server.wait_for_open_port(9000) |