diff options
| author | Jan Tojnar <jtojnar@gmail.com> | 2021-01-15 17:46:46 +0100 |
|---|---|---|
| committer | Jan Tojnar <jtojnar@gmail.com> | 2021-01-15 17:46:46 +0100 |
| commit | c0d2951fa6f27449373765e6e6eb3e5200b45301 (patch) | |
| tree | 9fe735a2418a531cac733d9bb1e95d072466c5dd /nixos | |
| parent | 83c50873f5810152bf1aad2b9a97a225926d04cf (diff) | |
| parent | bb9601719890dc04241304bb1a5cf224683d5740 (diff) | |
Merge branch 'master' into staging-next
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/installer/cd-dvd/iso-image.nix | 7 | ||||
| -rw-r--r-- | nixos/modules/services/misc/gitea.nix | 50 | ||||
| -rw-r--r-- | nixos/modules/services/security/tor.nix | 7 | ||||
| -rw-r--r-- | nixos/modules/virtualisation/docker.nix | 7 | ||||
| -rw-r--r-- | nixos/modules/virtualisation/podman.nix | 12 | ||||
| -rw-r--r-- | nixos/tests/docker-tools.nix | 2 | ||||
| -rw-r--r-- | nixos/tests/docker.nix | 2 |
7 files changed, 58 insertions, 29 deletions
diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 43d20a556f8d1..1418420afcd98 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -425,7 +425,12 @@ in }; isoImage.squashfsCompression = mkOption { - default = "xz -Xdict-size 100%"; + default = with pkgs.stdenv.targetPlatform; "xz -Xdict-size 100% " + + lib.optionalString (isx86_32 || isx86_64) "-Xbcj x86" + # Untested but should also reduce size for these platforms + + lib.optionalString (isAarch32 || isAarch64) "-Xbcj arm" + + lib.optionalString (isPowerPC) "-Xbcj powerpc" + + lib.optionalString (isSparc) "-Xbcj sparc"; description = '' Compression settings to use for the squashfs nix store. ''; diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index 7eb52fef43d5e..2735185ec888a 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -349,7 +349,7 @@ in { DOMAIN = cfg.domain; STATIC_ROOT_PATH = cfg.staticRootPath; - LFS_JWT_SECRET = "#jwtsecret#"; + LFS_JWT_SECRET = "#lfsjwtsecret#"; ROOT_URL = cfg.rootUrl; } (mkIf cfg.enableUnixSocket { @@ -381,6 +381,7 @@ in security = { SECRET_KEY = "#secretkey#"; + INTERNAL_TOKEN = "#internaltoken#"; INSTALL_LOCK = true; }; @@ -396,6 +397,10 @@ in mailer = mkIf (cfg.mailerPasswordFile != null) { PASSWD = "#mailerpass#"; }; + + oauth2 = { + JWT_SECRET = "#oauth2jwtsecret#"; + }; }; services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) { @@ -455,10 +460,20 @@ in wantedBy = [ "multi-user.target" ]; path = [ gitea pkgs.git ]; + # In older versions the secret naming for JWT was kind of confusing. + # The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET + # wasn't persistant at all. + # To fix that, there is now the file oauth2_jwt_secret containing the + # values for JWT_SECRET and the file jwt_secret gets renamed to + # lfs_jwt_secret. + # We have to consider this to stay compatible with older installations. preStart = let runConfig = "${cfg.stateDir}/custom/conf/app.ini"; secretKey = "${cfg.stateDir}/custom/conf/secret_key"; - jwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; + oauth2JwtSecret = "${cfg.stateDir}/custom/conf/oauth2_jwt_secret"; + oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET + lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET + internalToken = "${cfg.stateDir}/custom/conf/internal_token"; in '' # copy custom configuration and generate a random secret key if needed ${optionalString (cfg.useWizard == false) '' @@ -468,24 +483,41 @@ in ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey} fi - if [ ! -e ${jwtSecret} ]; then - ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${jwtSecret} + # Migrate LFS_JWT_SECRET filename + if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then + mv ${oldLfsJwtSecret} ${lfsJwtSecret} + fi + + if [ ! -e ${oauth2JwtSecret} ]; then + ${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret} + fi + + if [ ! -e ${lfsJwtSecret} ]; then + ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret} + fi + + if [ ! -e ${internalToken} ]; then + ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken} fi - KEY="$(head -n1 ${secretKey})" + SECRETKEY="$(head -n1 ${secretKey})" DBPASS="$(head -n1 ${cfg.database.passwordFile})" - JWTSECRET="$(head -n1 ${jwtSecret})" + OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})" + LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})" + INTERNALTOKEN="$(head -n1 ${internalToken})" ${if (cfg.mailerPasswordFile == null) then '' MAILERPASSWORD="#mailerpass#" '' else '' MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)" ''} - sed -e "s,#secretkey#,$KEY,g" \ + sed -e "s,#secretkey#,$SECRETKEY,g" \ -e "s,#dbpass#,$DBPASS,g" \ - -e "s,#jwtsecret#,$JWTSECRET,g" \ + -e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \ + -e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \ + -e "s,#internaltoken#,$INTERNALTOKEN,g" \ -e "s,#mailerpass#,$MAILERPASSWORD,g" \ -i ${runConfig} - chmod 640 ${runConfig} ${secretKey} ${jwtSecret} + chmod 640 ${runConfig} ${secretKey} ${oauth2JwtSecret} ${lfsJwtSecret} ${internalToken} ''} # update all hooks' binary paths diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index 390dcfccfec3c..54c2c2dea23af 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -909,8 +909,11 @@ in networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = - concatMap (o: optional (isInt o && o > 0 || o ? "port" && isInt o.port && o.port > 0) o.port) - (flatten [ + concatMap (o: + if isInt o && o > 0 then [o] + else if o ? "port" && isInt o.port && o.port > 0 then [o.port] + else [] + ) (flatten [ cfg.settings.ORPort cfg.settings.DirPort ]); diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix index 70d6fcc89674c..689f664b676d5 100644 --- a/nixos/modules/virtualisation/docker.nix +++ b/nixos/modules/virtualisation/docker.nix @@ -165,7 +165,7 @@ in '' ${cfg.package}/bin/dockerd \ --group=docker \ - --host=unix:// \ + --host=fd:// \ --log-driver=${cfg.logDriver} \ ${optionalString (cfg.storageDriver != null) "--storage-driver=${cfg.storageDriver}"} \ ${optionalString cfg.liveRestore "--live-restore" } \ @@ -213,13 +213,10 @@ in message = "Option enableNvidia requires 32bit support libraries"; }]; } - (mkIf cfg.enableNvidia { - environment.etc."nvidia-container-runtime/config.toml".source = "${pkgs.nvidia-docker}/etc/config.toml"; - }) ]); imports = [ - (mkRemovedOptionModule ["virtualisation" "docker" "socketActivation"] "This option was removed in favor of starting docker at boot") + (mkRemovedOptionModule ["virtualisation" "docker" "socketActivation"] "This option was removed and socket activation is now always active") ]; } diff --git a/nixos/modules/virtualisation/podman.nix b/nixos/modules/virtualisation/podman.nix index 36c0ca8dfea36..98da5a096d911 100644 --- a/nixos/modules/virtualisation/podman.nix +++ b/nixos/modules/virtualisation/podman.nix @@ -2,7 +2,6 @@ let cfg = config.virtualisation.podman; toml = pkgs.formats.toml { }; - nvidia-docker = pkgs.nvidia-docker.override { containerRuntimePath = "${pkgs.runc}/bin/runc"; }; inherit (lib) mkOption types; @@ -100,8 +99,8 @@ in containersConf.extraConfig = lib.optionalString cfg.enableNvidia (builtins.readFile (toml.generate "podman.nvidia.containers.conf" { engine = { - conmon_env_vars = [ "PATH=${lib.makeBinPath [ nvidia-docker ]}" ]; - runtimes.nvidia = [ "${nvidia-docker}/bin/nvidia-container-runtime" ]; + conmon_env_vars = [ "PATH=${lib.makeBinPath [ pkgs.nvidia-podman ]}" ]; + runtimes.nvidia = [ "${pkgs.nvidia-podman}/bin/nvidia-container-runtime" ]; }; })); }; @@ -111,14 +110,7 @@ in assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable; message = "Option dockerCompat conflicts with docker"; } - { - assertion = cfg.enableNvidia -> !config.virtualisation.docker.enableNvidia; - message = "Option enableNvidia conflicts with docker.enableNvidia"; - } ]; } - (lib.mkIf cfg.enableNvidia { - environment.etc."nvidia-container-runtime/config.toml".source = "${nvidia-docker}/etc/podman-config.toml"; - }) ]); } diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index e2bd9ddf64701..6638ec4927ce1 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix @@ -18,7 +18,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { testScript = with pkgs.dockerTools; '' unix_time_second1 = "1970-01-01T00:00:01Z" - docker.wait_for_unit("docker.service") + docker.wait_for_unit("sockets.target") with subtest("Ensure Docker images use a stable date by default"): docker.succeed( diff --git a/nixos/tests/docker.nix b/nixos/tests/docker.nix index a0f328af775c0..58e33535ed31e 100644 --- a/nixos/tests/docker.nix +++ b/nixos/tests/docker.nix @@ -33,7 +33,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { testScript = '' start_all() - docker.wait_for_unit("docker.service") + docker.wait_for_unit("sockets.target") docker.succeed("tar cv --files-from /dev/null | docker import - scratchimg") docker.succeed( "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" |