diff options
Diffstat (limited to 'nixos')
47 files changed, 628 insertions, 173 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 58a7b44cb4208..587a54d736bc3 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -74,12 +74,20 @@ - `services.lemmy.settings.federation` was removed in 0.17.0 and no longer has any effect. To enable federation, the hostname must be set in the configuration file and then federation must be enabled in the admin web UI. See the [release notes](https://github.com/LemmyNet/lemmy/blob/c32585b03429f0f76d1e4ff738786321a0a9df98/RELEASES.md#upgrade-instructions) for more details. +- `pict-rs` was upgraded from 0.3 to 0.4 and contains an incompatible database & configuration change. To upgrade on systems with `stateVersion = "23.05";` or older follow the migration steps from https://git.asonix.dog/asonix/pict-rs#user-content-0-3-to-0-4-migration-guide and set `services.pict-rs.package = pkgs.pict-rs;`. + - The following packages in `haskellPackages` have now a separate bin output: `cabal-fmt`, `calligraphy`, `eventlog2html`, `ghc-debug-brick`, `hindent`, `nixfmt`, `releaser`. This means you need to replace e.g. `"${pkgs.haskellPackages.nixfmt}/bin/nixfmt"` with `"${lib.getBin pkgs.haskellPackages.nixfmt}/bin/nixfmt"` or `"${lib.getExe pkgs.haskellPackages.nixfmt}"`. The binaries also won’t be in scope if you rely on them being installed e.g. via `ghcWithPackages`. `environment.packages` picks the `bin` output automatically, so for normal installation no intervention is required. Also, toplevel attributes like `pkgs.nixfmt` are not impacted negatively by this change. - `spamassassin` no longer supports the `Hashcash` module. The module needs to be removed from the `loadplugin` list if it was copied over from the default `initPreConf` option. +- `services.outline.sequelizeArguments` has been removed, as `outline` no longer executes database migrations via the `sequelize` cli. + - The Caddy module gained a new option named `services.caddy.enableReload` which is enabled by default. It allows reloading the service instead of restarting it, if only a config file has changed. This option must be disabled if you have turned off the [Caddy admin API](https://caddyserver.com/docs/caddyfile/options#admin). If you keep this option enabled, you should consider setting [`grace_period`](https://caddyserver.com/docs/caddyfile/options#grace-period) to a non-infinite value to prevent Caddy from delaying the reload indefinitely. +- mdraid support is now optional. This reduces initramfs size and prevents the potentially undesired automatic detection and activation of software RAID pools. It is disabled by default in new configurations (determined by `stateVersion`), but the appropriate settings will be generated by `nixos-generate-config` when installing to a software RAID device, so the standard installation procedure should be unaffected. If you have custom configs relying on mdraid, ensure that you use `stateVersion` correctly or set `boot.swraid.enable` manually. + +- The `go-ethereum` package has been updated to v1.12.0. This drops support for proof-of-work. Its GraphQL API now encodes all numeric values as hex strings and the GraphQL UI is updated to version 2.0. The default database has changed from `leveldb` to `pebble` but `leveldb` can be forced with the --db.engine=leveldb flag. The `checkpoint-admin` command was [removed along with trusted checkpoints](https://github.com/ethereum/go-ethereum/pull/27147). + ## Other Notable Changes {#sec-release-23.11-notable-changes} - The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration. diff --git a/nixos/lib/eval-config.nix b/nixos/lib/eval-config.nix index 058ab7280ccc3..e1242276a74d4 100644 --- a/nixos/lib/eval-config.nix +++ b/nixos/lib/eval-config.nix @@ -31,7 +31,7 @@ evalConfigArgs@ , prefix ? [] , lib ? import ../../lib , extraModules ? let e = builtins.getEnv "NIXOS_EXTRA_MODULE_PATH"; - in if e == "" then [] else [(import e)] + in lib.optional (e != "") (import e) }: let pkgs_ = pkgs; diff --git a/nixos/modules/config/swap.nix b/nixos/modules/config/swap.nix index 0a7e45bffb267..8989a64082643 100644 --- a/nixos/modules/config/swap.nix +++ b/nixos/modules/config/swap.nix @@ -252,6 +252,11 @@ in let realDevice' = escapeSystemdPath sw.realDevice; in nameValuePair "mkswap-${sw.deviceName}" { description = "Initialisation of swap device ${sw.device}"; + # The mkswap service fails for file-backed swap devices if the + # loop module has not been loaded before the service runs. + # We add an ordering constraint to run after systemd-modules-load to + # avoid this race condition. + after = [ "systemd-modules-load.service" ]; wantedBy = [ "${realDevice'}.swap" ]; before = [ "${realDevice'}.swap" ]; path = [ pkgs.util-linux pkgs.e2fsprogs ] diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl index 54352a517a24d..75c343523e275 100644 --- a/nixos/modules/config/update-users-groups.pl +++ b/nixos/modules/config/update-users-groups.pl @@ -147,7 +147,7 @@ foreach my $g (@{$spec->{groups}}) { if (defined $existing) { $g->{gid} = $existing->{gid} if !defined $g->{gid}; if ($g->{gid} != $existing->{gid}) { - dry_print("warning: not applying", "warning: would not apply", "GID change of group ‘$name’ ($existing->{gid} -> $g->{gid})"); + dry_print("warning: not applying", "warning: would not apply", "GID change of group ‘$name’ ($existing->{gid} -> $g->{gid}) in /etc/group"); $g->{gid} = $existing->{gid}; } $g->{password} = $existing->{password}; # do we want this? @@ -209,7 +209,7 @@ foreach my $u (@{$spec->{users}}) { if (defined $existing) { $u->{uid} = $existing->{uid} if !defined $u->{uid}; if ($u->{uid} != $existing->{uid}) { - dry_print("warning: not applying", "warning: would not apply", "UID change of user ‘$name’ ($existing->{uid} -> $u->{uid})"); + dry_print("warning: not applying", "warning: would not apply", "UID change of user ‘$name’ ($existing->{uid} -> $u->{uid}) in /etc/passwd"); $u->{uid} = $existing->{uid}; } } else { diff --git a/nixos/modules/installer/netboot/netboot.nix b/nixos/modules/installer/netboot/netboot.nix index a55c0ab2d6557..a50f22cbe471d 100644 --- a/nixos/modules/installer/netboot/netboot.nix +++ b/nixos/modules/installer/netboot/netboot.nix @@ -39,9 +39,7 @@ with lib; # !!! Hack - attributes expected by other modules. environment.systemPackages = [ pkgs.grub2_efi ] - ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux" - then [] - else [ pkgs.grub2 pkgs.syslinux ]); + ++ (lib.optionals (pkgs.stdenv.hostPlatform.system != "aarch64-linux") [pkgs.grub2 pkgs.syslinux]); fileSystems."/" = mkImageMediaOverride { fsType = "tmpfs"; diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index 2e572ef02473b..7d0c5898e23df 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -381,6 +381,7 @@ sub in { my $fileSystems; my %fsByDev; +my $useSwraid = 0; foreach my $fs (read_file("/proc/self/mountinfo")) { chomp $fs; my @fields = split / /, $fs; @@ -510,8 +511,8 @@ EOF # boot.initrd.luks.devices entry. if (-e $device) { my $deviceName = basename(abs_path($device)); - if (-e "/sys/class/block/$deviceName" - && read_file("/sys/class/block/$deviceName/dm/uuid", err_mode => 'quiet') =~ /^CRYPT-LUKS/) + my $dmUuid = read_file("/sys/class/block/$deviceName/dm/uuid", err_mode => 'quiet'); + if ($dmUuid =~ /^CRYPT-LUKS/) { my @slaves = glob("/sys/class/block/$deviceName/slaves/*"); if (scalar @slaves == 1) { @@ -527,8 +528,14 @@ EOF } } } + if (-e "/sys/class/block/$deviceName/md/uuid") { + $useSwraid = 1; + } } } +if ($useSwraid) { + push @attrs, "boot.swraid.enable = true;\n\n"; +} # Generate the hardware configuration file. diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index 1e36d10b391f8..54b0f81ee7804 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -42,10 +42,7 @@ let xserverEnabled = config.services.xserver.enable; }; - nixos-option = - if lib.versionAtLeast (lib.getVersion config.nix.package) "2.4pre" - then null - else pkgs.nixos-option; + inherit (pkgs) nixos-option; nixos-version = makeProg { name = "nixos-version"; @@ -232,9 +229,10 @@ in nixos-install nixos-rebuild nixos-generate-config + nixos-option nixos-version nixos-enter - ] ++ lib.optional (nixos-option != null) nixos-option; + ]; documentation.man.man-db.skipPackages = [ nixos-version ]; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index aa8c2e67073e0..a20fbd69a2cb3 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -160,6 +160,7 @@ ./programs/darling.nix ./programs/dconf.nix ./programs/digitalbitbox/default.nix + ./programs/direnv.nix ./programs/dmrconfig.nix ./programs/droidcam.nix ./programs/environment.nix @@ -645,6 +646,7 @@ ./services/misc/greenclip.nix ./services/misc/headphones.nix ./services/misc/heisenbridge.nix + ./services/misc/homepage-dashboard.nix ./services/misc/ihaskell.nix ./services/misc/input-remapper.nix ./services/misc/irkerd.nix @@ -1107,6 +1109,7 @@ ./services/security/clamav.nix ./services/security/endlessh-go.nix ./services/security/endlessh.nix + ./services/security/esdm.nix ./services/security/fail2ban.nix ./services/security/fprintd.nix ./services/security/haka.nix @@ -1410,6 +1413,7 @@ ./tasks/filesystems/nfs.nix ./tasks/filesystems/ntfs.nix ./tasks/filesystems/reiserfs.nix + ./tasks/filesystems/squashfs.nix ./tasks/filesystems/unionfs-fuse.nix ./tasks/filesystems/vboxsf.nix ./tasks/filesystems/vfat.nix diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index 32884f4b8754d..4120d5919d7d7 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -106,6 +106,8 @@ with lib; systemdStage1Network ]; + boot.swraid.enable = true; + # Show all debug messages from the kernel but don't log refused packets # because we have the firewall enabled. This makes installs from the # console less cumbersome if the machine has a public IP. diff --git a/nixos/modules/programs/direnv.nix b/nixos/modules/programs/direnv.nix new file mode 100644 index 0000000000000..53717fae11a02 --- /dev/null +++ b/nixos/modules/programs/direnv.nix @@ -0,0 +1,147 @@ +{ + lib, + config, + pkgs, + ... +}: let + cfg = config.programs.direnv; +in { + options.programs.direnv = { + + enable = lib.mkEnableOption (lib.mdDoc '' + direnv integration. Takes care of both installation and + setting up the sourcing of the shell. Additionally enables nix-direnv + integration. Note that you need to logout and login for this change to apply. + ''); + + package = lib.mkPackageOptionMD pkgs "direnv" {}; + + direnvrcExtra = lib.mkOption { + type = lib.types.lines; + default = ""; + example = '' + export FOO="foo" + echo "loaded direnv!" + ''; + description = lib.mdDoc '' + Extra lines to append to the sourced direnvrc + ''; + }; + + silent = lib.mkEnableOption (lib.mdDoc '' + the hiding of direnv logging + ''); + + persistDerivations = + (lib.mkEnableOption (lib.mdDoc '' + setting keep-derivations and keep-outputs to true + to prevent shells from getting garbage collected + '')) + // { + default = true; + }; + + loadInNixShell = + lib.mkEnableOption (lib.mdDoc '' + loading direnv in `nix-shell` `nix shell` or `nix develop` + '') + // { + default = true; + }; + + nix-direnv = { + enable = + (lib.mkEnableOption (lib.mdDoc '' + a faster, persistent implementation of use_nix and use_flake, to replace the built-in one + '')) + // { + default = true; + }; + + package = lib.mkPackageOptionMD pkgs "nix-direnv" {}; + }; + }; + + config = lib.mkIf cfg.enable { + + programs = { + zsh.interactiveShellInit = '' + if ${lib.boolToString cfg.loadInNixShell} || printenv PATH | grep -vqc '/nix/store'; then + eval "$(${lib.getExe cfg.package} hook zsh)" + fi + ''; + + #$NIX_GCROOT for "nix develop" https://github.com/NixOS/nix/blob/6db66ebfc55769edd0c6bc70fcbd76246d4d26e0/src/nix/develop.cc#L530 + #$IN_NIX_SHELL for "nix-shell" + bash.interactiveShellInit = '' + if ${lib.boolToString cfg.loadInNixShell} || [ -z "$IN_NIX_SHELL$NIX_GCROOT$(printenv PATH | grep '/nix/store')" ] ; then + eval "$(${lib.getExe cfg.package} hook bash)" + fi + ''; + + fish.interactiveShellInit = '' + if ${lib.boolToString cfg.loadInNixShell}; + or printenv PATH | grep -vqc '/nix/store'; + ${lib.getExe cfg.package} hook fish | source + end + ''; + }; + + nix.settings = lib.mkIf cfg.persistDerivations { + keep-outputs = true; + keep-derivations = true; + }; + + environment = { + systemPackages = + if cfg.loadInNixShell then [cfg.package] + else [ + #direnv has a fish library which sources direnv for some reason + (cfg.package.overrideAttrs (old: { + installPhase = + (old.installPhase or "") + + '' + rm -rf $out/share/fish + ''; + })) + ]; + + variables = { + DIRENV_CONFIG = "/etc/direnv"; + DIRENV_LOG_FORMAT = lib.mkIf cfg.silent ""; + }; + + etc = { + "direnv/direnvrc".text = '' + ${lib.optionalString cfg.nix-direnv.enable '' + #Load nix-direnv + source ${cfg.nix-direnv.package}/share/nix-direnv/direnvrc + ''} + + #Load direnvrcExtra + ${cfg.direnvrcExtra} + + #Load user-configuration if present (~/.direnvrc or ~/.config/direnv/direnvrc) + direnv_config_dir_home="''${DIRENV_CONFIG_HOME:-''${XDG_CONFIG_HOME:-$HOME/.config}/direnv}" + if [[ -f $direnv_config_dir_home/direnvrc ]]; then + source "$direnv_config_dir_home/direnvrc" >&2 + elif [[ -f $HOME/.direnvrc ]]; then + source "$HOME/.direnvrc" >&2 + fi + + unset direnv_config_dir_home + ''; + + "direnv/lib/zz-user.sh".text = '' + direnv_config_dir_home="''${DIRENV_CONFIG_HOME:-''${XDG_CONFIG_HOME:-$HOME/.config}/direnv}" + + for lib in "$direnv_config_dir_home/lib/"*.sh; do + source "$lib" + done + + unset direnv_config_dir_home + ''; + }; + }; + }; +} diff --git a/nixos/modules/services/home-automation/evcc.nix b/nixos/modules/services/home-automation/evcc.nix index efa2cf2443139..d0ce3fb4a1ce6 100644 --- a/nixos/modules/services/home-automation/evcc.nix +++ b/nixos/modules/services/home-automation/evcc.nix @@ -50,7 +50,7 @@ in ]; environment.HOME = "/var/lib/evcc"; path = with pkgs; [ - glibc # requires getent + getent ]; serviceConfig = { ExecStart = "${package}/bin/evcc --config ${configFile} ${escapeShellArgs cfg.extraArgs}"; diff --git a/nixos/modules/services/mail/nullmailer.nix b/nixos/modules/services/mail/nullmailer.nix index 7c72229efb241..f6befe246b12a 100644 --- a/nixos/modules/services/mail/nullmailer.nix +++ b/nixos/modules/services/mail/nullmailer.nix @@ -203,7 +203,7 @@ with lib; users = { users.${cfg.user} = { description = "Nullmailer relay-only mta user"; - group = cfg.group; + inherit (cfg) group; isSystemUser = true; }; @@ -211,10 +211,10 @@ with lib; }; systemd.tmpfiles.rules = [ - "d /var/spool/nullmailer - ${cfg.user} - - -" - "d /var/spool/nullmailer/failed 750 ${cfg.user} - - -" - "d /var/spool/nullmailer/queue 750 ${cfg.user} - - -" - "d /var/spool/nullmailer/tmp 750 ${cfg.user} - - -" + "d /var/spool/nullmailer - ${cfg.user} ${cfg.group} - -" + "d /var/spool/nullmailer/failed 770 ${cfg.user} ${cfg.group} - -" + "d /var/spool/nullmailer/queue 770 ${cfg.user} ${cfg.group} - -" + "d /var/spool/nullmailer/tmp 770 ${cfg.user} ${cfg.group} - -" ]; systemd.services.nullmailer = { @@ -238,7 +238,7 @@ with lib; program = "sendmail"; source = "${pkgs.nullmailer}/bin/sendmail"; owner = cfg.user; - group = cfg.group; + inherit (cfg) group; setuid = true; setgid = true; }; diff --git a/nixos/modules/services/matrix/appservice-irc.nix b/nixos/modules/services/matrix/appservice-irc.nix index 388553d4182ec..5526df785c356 100644 --- a/nixos/modules/services/matrix/appservice-irc.nix +++ b/nixos/modules/services/matrix/appservice-irc.nix @@ -187,7 +187,7 @@ in { sed -i "s/^as_token:.*$/$as_token/g" ${registrationFile} fi # Allow synapse access to the registration - if ${getBin pkgs.glibc}/bin/getent group matrix-synapse > /dev/null; then + if ${pkgs.getent}/bin/getent group matrix-synapse > /dev/null; then chgrp matrix-synapse ${registrationFile} chmod g+r ${registrationFile} fi diff --git a/nixos/modules/services/misc/heisenbridge.nix b/nixos/modules/services/misc/heisenbridge.nix index d07e0e420462b..822a09d7cd4d6 100644 --- a/nixos/modules/services/misc/heisenbridge.nix +++ b/nixos/modules/services/misc/heisenbridge.nix @@ -137,7 +137,7 @@ in mv -f ${registrationFile}.new ${registrationFile} # Grant Synapse access to the registration - if ${getBin pkgs.glibc}/bin/getent group matrix-synapse > /dev/null; then + if ${pkgs.getent}/bin/getent group matrix-synapse > /dev/null; then chgrp -v matrix-synapse ${registrationFile} chmod -v g+r ${registrationFile} fi diff --git a/nixos/modules/services/misc/homepage-dashboard.nix b/nixos/modules/services/misc/homepage-dashboard.nix new file mode 100644 index 0000000000000..e685712534333 --- /dev/null +++ b/nixos/modules/services/misc/homepage-dashboard.nix @@ -0,0 +1,55 @@ +{ config +, pkgs +, lib +, ... +}: + +let + cfg = config.services.homepage-dashboard; +in +{ + options = { + services.homepage-dashboard = { + enable = lib.mkEnableOption (lib.mdDoc "Homepage Dashboard"); + + package = lib.mkPackageOptionMD pkgs "homepage-dashboard" { }; + + openFirewall = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc "Open ports in the firewall for Homepage."; + }; + + listenPort = lib.mkOption { + type = lib.types.int; + default = 8082; + description = lib.mdDoc "Port for Homepage to bind to."; + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.homepage-dashboard = { + description = "Homepage Dashboard"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + environment = { + HOMEPAGE_CONFIG_DIR = "/var/lib/homepage-dashboard"; + PORT = "${toString cfg.listenPort}"; + }; + + serviceConfig = { + Type = "simple"; + DynamicUser = true; + StateDirectory = "homepage-dashboard"; + ExecStart = "${lib.getExe cfg.package}"; + Restart = "on-failure"; + }; + }; + + networking.firewall = lib.mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.listenPort ]; + }; + }; +} diff --git a/nixos/modules/services/misc/klipper.nix b/nixos/modules/services/misc/klipper.nix index ad881d4462a3c..67a217c994e45 100644 --- a/nixos/modules/services/misc/klipper.nix +++ b/nixos/modules/services/misc/klipper.nix @@ -111,8 +111,11 @@ in (submodule { options = { enable = mkEnableOption (lib.mdDoc '' - building of firmware and addition of klipper-flash tools for manual flashing. - This will add `klipper-flash-$mcu` scripts to your environment which can be called to flash the firmware. + building of firmware for manual flashing. + ''); + enableKlipperFlash = mkEnableOption (lib.mdDoc '' + flashings scripts for firmware. This will add `klipper-flash-$mcu` scripts to your environment which can be called to flash the firmware. + Please check the configs at [klipper](https://github.com/Klipper3d/klipper/tree/master/config) whether your board supports flashing via `make flash`. ''); serial = mkOption { type = types.nullOr path; @@ -213,11 +216,14 @@ in with pkgs; let default = a: b: if a != null then a else b; - firmwares = filterAttrs (n: v: v!= null) (mapAttrs - (mcu: { enable, configFile, serial }: if enable then pkgs.klipper-firmware.override { - mcu = lib.strings.sanitizeDerivationName mcu; - firmwareConfig = configFile; - } else null) + firmwares = filterAttrs (n: v: v != null) (mapAttrs + (mcu: { enable, enableKlipperFlash, configFile, serial }: + if enable then + pkgs.klipper-firmware.override + { + mcu = lib.strings.sanitizeDerivationName mcu; + firmwareConfig = configFile; + } else null) cfg.firmwares); firmwareFlasher = mapAttrsToList (mcu: firmware: pkgs.klipper-flash.override { @@ -226,7 +232,7 @@ in flashDevice = default cfg.firmwares."${mcu}".serial cfg.settings."${mcu}".serial; firmwareConfig = cfg.firmwares."${mcu}".configFile; }) - firmwares; + (filterAttrs (mcu: firmware: cfg.firmwares."${mcu}".enableKlipperFlash) firmwares); in [ klipper-genconf ] ++ firmwareFlasher ++ attrValues firmwares; }; diff --git a/nixos/modules/services/misc/nitter.nix b/nixos/modules/services/misc/nitter.nix index 9336dbe38f348..77f5459d117cc 100644 --- a/nixos/modules/services/misc/nitter.nix +++ b/nixos/modules/services/misc/nitter.nix @@ -334,7 +334,8 @@ in systemd.services.nitter = { description = "Nitter (An alternative Twitter front-end)"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; serviceConfig = { DynamicUser = true; StateDirectory = "nitter"; diff --git a/nixos/modules/services/misc/prowlarr.nix b/nixos/modules/services/misc/prowlarr.nix index 77b8ec9894795..836280d3e5fe3 100644 --- a/nixos/modules/services/misc/prowlarr.nix +++ b/nixos/modules/services/misc/prowlarr.nix @@ -11,6 +11,8 @@ in services.prowlarr = { enable = mkEnableOption (lib.mdDoc "Prowlarr"); + package = mkPackageOptionMD pkgs "prowlarr" { }; + openFirewall = mkOption { type = types.bool; default = false; @@ -29,7 +31,7 @@ in Type = "simple"; DynamicUser = true; StateDirectory = "prowlarr"; - ExecStart = "${pkgs.prowlarr}/bin/Prowlarr -nobrowser -data=/var/lib/prowlarr"; + ExecStart = "${lib.getExe cfg.package} -nobrowser -data=/var/lib/prowlarr"; Restart = "on-failure"; }; }; diff --git a/nixos/modules/services/misc/zoneminder.nix b/nixos/modules/services/misc/zoneminder.nix index 11722979851c2..616a60a123ea9 100644 --- a/nixos/modules/services/misc/zoneminder.nix +++ b/nixos/modules/services/misc/zoneminder.nix @@ -351,7 +351,7 @@ in { CacheDirectory = dirs cacheDirs; RuntimeDirectory = dirName; ReadWriteDirectories = lib.mkIf useCustomDir [ cfg.storageDir ]; - StateDirectory = dirs (if useCustomDir then [] else libDirs); + StateDirectory = dirs (lib.optional (!useCustomDir) libDirs); LogsDirectory = dirName; PrivateTmp = true; ProtectSystem = "strict"; diff --git a/nixos/modules/services/networking/cgit.nix b/nixos/modules/services/networking/cgit.nix index 672b0b030eeee..7d1f12fa91469 100644 --- a/nixos/modules/services/networking/cgit.nix +++ b/nixos/modules/services/networking/cgit.nix @@ -14,7 +14,9 @@ let # taken from https://github.com/python/cpython/blob/05cb728d68a278d11466f9a6c8258d914135c96c/Lib/re.py#L251-L266 special = [ "(" ")" "[" "]" "{" "}" "?" "*" "+" "-" "|" "^" "$" "\\" "." "&" "~" - "#" " " "\t" "\n" "\r" "\v" "\f" + "#" " " "\t" "\n" "\r" + " " # \v / 0x0B + " " # \f / 0x0C ]; in replaceStrings special (map (c: "\\${c}") special); diff --git a/nixos/modules/services/networking/keepalived/vrrp-instance-options.nix b/nixos/modules/services/networking/keepalived/vrrp-instance-options.nix index 20e5558d78299..35401d439a919 100644 --- a/nixos/modules/services/networking/keepalived/vrrp-instance-options.nix +++ b/nixos/modules/services/networking/keepalived/vrrp-instance-options.nix @@ -22,9 +22,9 @@ with lib; }; virtualRouterId = mkOption { - type = types.int; + type = types.ints.between 1 255; description = lib.mdDoc '' - Arbitrary unique number 0..255. Used to differentiate multiple instances + Arbitrary unique number 1..255. Used to differentiate multiple instances of vrrpd running on the same NIC (and hence same socket). ''; }; diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix index 384c86bd879e7..6eeee71e8345b 100644 --- a/nixos/modules/services/networking/tailscale.nix +++ b/nixos/modules/services/networking/tailscale.nix @@ -59,7 +59,7 @@ in { path = [ config.networking.resolvconf.package # for configuring DNS in some configs pkgs.procps # for collecting running services (opt-in feature) - pkgs.glibc # for `getent` to look up user shells + pkgs.getent # for `getent` to look up user shells pkgs.kmod # required to pass tailscale's v6nat check ]; serviceConfig.Environment = [ diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index f6a23fb900f08..279b26bb89573 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -4,7 +4,7 @@ with lib; let - inherit (pkgs) cups cups-pk-helper cups-filters; + inherit (pkgs) cups cups-pk-helper cups-filters xdg-utils; cfg = config.services.printing; @@ -313,7 +313,9 @@ in description = "CUPS printing services"; }; - environment.systemPackages = [ cups.out ] ++ optional polkitEnabled cups-pk-helper; + # We need xdg-open (part of xdg-utils) for the desktop-file to proper open the users default-browser when opening "Manage Printing" + # https://github.com/NixOS/nixpkgs/pull/237994#issuecomment-1597510969 + environment.systemPackages = [ cups.out xdg-utils ] ++ optional polkitEnabled cups-pk-helper; environment.etc.cups.source = "/var/lib/cups"; services.dbus.packages = [ cups.out ] ++ optional polkitEnabled cups-pk-helper; diff --git a/nixos/modules/services/search/kibana.nix b/nixos/modules/services/search/kibana.nix index 5eb2381d5d399..a5e132d5c38db 100644 --- a/nixos/modules/services/search/kibana.nix +++ b/nixos/modules/services/search/kibana.nix @@ -130,9 +130,9 @@ in { This defaults to the singleton list [ca] when the {option}`ca` option is defined. ''; - default = if cfg.elasticsearch.ca == null then [] else [ca]; + default = lib.optional (cfg.elasticsearch.ca != null) ca; defaultText = literalExpression '' - if config.${opt.elasticsearch.ca} == null then [ ] else [ ca ] + lib.optional (config.${opt.elasticsearch.ca} != null) ca ''; type = types.listOf types.path; }; diff --git a/nixos/modules/services/security/esdm.nix b/nixos/modules/services/security/esdm.nix new file mode 100644 index 0000000000000..2b246fff7e960 --- /dev/null +++ b/nixos/modules/services/security/esdm.nix @@ -0,0 +1,102 @@ +{ lib, config, pkgs, ... }: + +let + cfg = config.services.esdm; +in +{ + options.services.esdm = { + enable = lib.mkEnableOption (lib.mdDoc "ESDM service configuration"); + package = lib.mkPackageOptionMD pkgs "esdm" { }; + serverEnable = lib.mkOption { + type = lib.types.bool; + default = true; + description = lib.mdDoc '' + Enable option for ESDM server service. If serverEnable == false, then the esdm-server + will not start. Also the subsequent services esdm-cuse-random, esdm-cuse-urandom + and esdm-proc will not start as these have the entry Want=esdm-server.service. + ''; + }; + cuseRandomEnable = lib.mkOption { + type = lib.types.bool; + default = true; + description = lib.mdDoc '' + Enable option for ESDM cuse-random service. Determines if the esdm-cuse-random.service + is started. + ''; + }; + cuseUrandomEnable = lib.mkOption { + type = lib.types.bool; + default = true; + description = lib.mdDoc '' + Enable option for ESDM cuse-urandom service. Determines if the esdm-cuse-urandom.service + is started. + ''; + }; + procEnable = lib.mkOption { + type = lib.types.bool; + default = true; + description = lib.mdDoc '' + Enable option for ESDM proc service. Determines if the esdm-proc.service + is started. + ''; + }; + verbose = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc '' + Enable verbose ExecStart for ESDM. If verbose == true, then the corresponding "ExecStart" + values of the 4 aforementioned services are overwritten with the option + for the highest verbosity. + ''; + }; + }; + + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + ({ + systemd.packages = [ cfg.package ]; + }) + # It is necessary to set those options for these services to be started by systemd in NixOS + (lib.mkIf cfg.serverEnable { + systemd.services."esdm-server".wantedBy = [ "basic.target" ]; + systemd.services."esdm-server".serviceConfig = lib.mkIf cfg.verbose { + ExecStart = [ + " " # unset previous value defined in 'esdm-server.service' + "${cfg.package}/bin/esdm-server -f -vvvvvv" + ]; + }; + }) + + (lib.mkIf cfg.cuseRandomEnable { + systemd.services."esdm-cuse-random".wantedBy = [ "basic.target" ]; + systemd.services."esdm-cuse-random".serviceConfig = lib.mkIf cfg.verbose { + ExecStart = [ + " " # unset previous value defined in 'esdm-cuse-random.service' + "${cfg.package}/bin/esdm-cuse-random -f -v 6" + ]; + }; + }) + + (lib.mkIf cfg.cuseUrandomEnable { + systemd.services."esdm-cuse-urandom".wantedBy = [ "basic.target" ]; + systemd.services."esdm-cuse-urandom".serviceConfig = lib.mkIf cfg.verbose { + ExecStart = [ + " " # unset previous value defined in 'esdm-cuse-urandom.service' + "${config.services.esdm.package}/bin/esdm-cuse-urandom -f -v 6" + ]; + }; + }) + + (lib.mkIf cfg.procEnable { + systemd.services."esdm-proc".wantedBy = [ "basic.target" ]; + systemd.services."esdm-proc".serviceConfig = lib.mkIf cfg.verbose { + ExecStart = [ + " " # unset previous value defined in 'esdm-proc.service' + "${cfg.package}/bin/esdm-proc --relabel -f -o allow_other /proc/sys/kernel/random -v 6" + ]; + }; + }) + ]); + + meta.maintainers = with lib.maintainers; [ orichter thillux ]; +} diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix index 71ccded7dce19..cea2a56bdcd1b 100644 --- a/nixos/modules/services/security/kanidm.nix +++ b/nixos/modules/services/security/kanidm.nix @@ -17,7 +17,7 @@ let # If the new path is a prefix to some existing path, we need to filter it out filteredPaths = lib.filter (p: !lib.hasPrefix (builtins.toString newPath) (builtins.toString p)) merged; # If a prefix of the new path is already in the list, do not add it - filteredNew = if hasPrefixInList filteredPaths newPath then [] else [ newPath ]; + filteredNew = lib.optional (!hasPrefixInList filteredPaths newPath) newPath; in filteredPaths ++ filteredNew) []; defaultServiceConfig = { diff --git a/nixos/modules/services/security/usbguard.nix b/nixos/modules/services/security/usbguard.nix index 651f5255ac834..9b158bb9d18c0 100644 --- a/nixos/modules/services/security/usbguard.nix +++ b/nixos/modules/services/security/usbguard.nix @@ -15,7 +15,7 @@ let daemonConf = '' # generated by nixos/modules/services/security/usbguard.nix RuleFile=${ruleFile} - ImplicitPolicyTarget=${cfg.implictPolicyTarget} + ImplicitPolicyTarget=${cfg.implicitPolicyTarget} PresentDevicePolicy=${cfg.presentDevicePolicy} PresentControllerPolicy=${cfg.presentControllerPolicy} InsertedDevicePolicy=${cfg.insertedDevicePolicy} @@ -73,7 +73,7 @@ in ''; }; - implictPolicyTarget = mkOption { + implicitPolicyTarget = mkOption { type = policy; default = "block"; description = lib.mdDoc '' @@ -251,5 +251,6 @@ in (mkRemovedOptionModule [ "services" "usbguard" "ruleFile" ] "The usbguard module now uses ${defaultRuleFile} as ruleFile. Alternatively, use services.usbguard.rules to configure rules.") (mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ] "The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d.") (mkRemovedOptionModule [ "services" "usbguard" "auditFilePath" ] "Removed usbguard module audit log files. Audit logs can be found in the systemd journal.") + (mkRenamedOptionModule [ "services" "usbguard" "implictPolicyTarget" ] [ "services" "usbguard" "implicitPolicyTarget" ]) ]; } diff --git a/nixos/modules/services/web-apps/lemmy.nix b/nixos/modules/services/web-apps/lemmy.nix index 7662478f68b5d..a8ad4c50f2f00 100644 --- a/nixos/modules/services/web-apps/lemmy.nix +++ b/nixos/modules/services/web-apps/lemmy.nix @@ -90,7 +90,9 @@ in { bind = "127.0.0.1"; tls_enabled = true; - pictrs_url = with config.services.pict-rs; "http://${address}:${toString port}"; + pictrs = { + url = with config.services.pict-rs; "http://${address}:${toString port}"; + }; actor_name_max_length = 20; rate_limit.message = 180; @@ -253,6 +255,7 @@ in LEMMY_UI_LEMMY_INTERNAL_HOST = "127.0.0.1:${toString cfg.settings.port}"; LEMMY_UI_LEMMY_EXTERNAL_HOST = cfg.settings.hostname; LEMMY_UI_HTTPS = "false"; + NODE_ENV = "production"; }; documentation = [ diff --git a/nixos/modules/services/web-apps/nexus.nix b/nixos/modules/services/web-apps/nexus.nix index 1f4a758b87ea7..58c110c9512a4 100644 --- a/nixos/modules/services/web-apps/nexus.nix +++ b/nixos/modules/services/web-apps/nexus.nix @@ -7,7 +7,6 @@ let cfg = config.services.nexus; in - { options = { services.nexus = { @@ -20,6 +19,16 @@ in description = lib.mdDoc "Package which runs Nexus3"; }; + jdkPackage = mkOption { + type = types.package; + default = pkgs.openjdk8; + defaultText = literalExample "pkgs.openjdk8"; + example = literalExample "pkgs.openjdk8"; + description = '' + The JDK package to use. + ''; + }; + user = mkOption { type = types.str; default = "nexus"; @@ -110,7 +119,7 @@ in createHome = true; }; - users.groups.${cfg.group} = {}; + users.groups.${cfg.group} = { }; systemd.services.nexus = { description = "Sonatype Nexus3"; @@ -123,6 +132,7 @@ in NEXUS_USER = cfg.user; NEXUS_HOME = cfg.home; + INSTALL4J_JAVA_HOME = "${cfg.jdkPackage}"; VM_OPTS_FILE = pkgs.writeText "nexus.vmoptions" cfg.jvmOpts; }; diff --git a/nixos/modules/services/web-apps/outline.nix b/nixos/modules/services/web-apps/outline.nix index 6f63198a68a5a..1d8298963e6df 100644 --- a/nixos/modules/services/web-apps/outline.nix +++ b/nixos/modules/services/web-apps/outline.nix @@ -3,8 +3,12 @@ let defaultUser = "outline"; cfg = config.services.outline; + inherit (lib) mkRemovedOptionModule; in { + imports = [ + (mkRemovedOptionModule [ "services" "outline" "sequelizeArguments" ] "Database migration are run agains configurated database by outline directly") + ]; # See here for a reference of all the options: # https://github.com/outline/outline/blob/v0.67.0/.env.sample # https://github.com/outline/outline/blob/v0.67.0/app.json @@ -25,7 +29,7 @@ in # to still land in the same team. Note that this effectively makes # Outline a single-team instance. patchPhase = ${"''"} - sed -i 's/const domain = parts\.length && parts\[1\];/const domain = "example.com";/g' server/routes/auth/providers/oidc.ts + sed -i 's/const domain = parts\.length && parts\[1\];/const domain = "example.com";/g' plugins/oidc/server/auth/oidc.ts ${"''"}; }) ''; @@ -51,15 +55,6 @@ in ''; }; - sequelizeArguments = lib.mkOption { - type = lib.types.str; - default = ""; - example = "--env=production-ssl-disabled"; - description = lib.mdDoc '' - Optional arguments to pass to `sequelize` calls. - ''; - }; - # # Required options # @@ -583,16 +578,6 @@ in systemd.services.outline = let localRedisUrl = "redis+unix:///run/redis-outline/redis.sock"; localPostgresqlUrl = "postgres://localhost/outline?host=/run/postgresql"; - - # Create an outline-sequalize wrapper (a wrapper around the wrapper) that - # has the config file's path baked in. This is necessary because there is - # at least two occurrences of outline calling this from its own code. - sequelize = pkgs.writeShellScriptBin "outline-sequelize" '' - exec ${cfg.package}/bin/outline-sequelize \ - --config $RUNTIME_DIRECTORY/database.json \ - ${cfg.sequelizeArguments} \ - "$@" - ''; in { description = "Outline wiki and knowledge base"; wantedBy = [ "multi-user.target" ]; @@ -603,7 +588,6 @@ in ++ lib.optional (cfg.redisUrl == "local") "redis-outline.service"; path = [ pkgs.openssl # Required by the preStart script - sequelize ]; @@ -687,37 +671,6 @@ in openssl rand -hex 32 > ${lib.escapeShellArg cfg.utilsSecretFile} fi - # The config file is required for the sequelize CLI. - ${if (cfg.databaseUrl == "local") then '' - cat <<EOF > $RUNTIME_DIRECTORY/database.json - { - "production-ssl-disabled": { - "host": "/run/postgresql", - "username": null, - "password": null, - "dialect": "postgres" - } - } - EOF - '' else '' - cat <<EOF > $RUNTIME_DIRECTORY/database.json - { - "production": { - "use_env_variable": "DATABASE_URL", - "dialect": "postgres", - "dialectOptions": { - "ssl": { - "rejectUnauthorized": false - } - } - }, - "production-ssl-disabled": { - "use_env_variable": "DATABASE_URL", - "dialect": "postgres" - } - } - EOF - ''} ''; script = '' diff --git a/nixos/modules/services/web-apps/peering-manager.nix b/nixos/modules/services/web-apps/peering-manager.nix index 666b82621268c..641a3644614f7 100644 --- a/nixos/modules/services/web-apps/peering-manager.nix +++ b/nixos/modules/services/web-apps/peering-manager.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, buildEnv, ... }: -with lib; - let cfg = config.services.peering-manager; configFile = pkgs.writeTextFile { @@ -41,24 +39,24 @@ let pkg = (pkgs.peering-manager.overrideAttrs (old: { postInstall = '' ln -s ${configFile} $out/opt/peering-manager/peering_manager/configuration.py - '' + optionalString cfg.enableLdap '' + '' + lib.optionalString cfg.enableLdap '' ln -s ${cfg.ldapConfigPath} $out/opt/peering-manager/peering_manager/ldap_config.py ''; })).override { inherit (cfg) plugins; }; - peeringManagerManageScript = with pkgs; (writeScriptBin "peering-manager-manage" '' - #!${stdenv.shell} + peeringManagerManageScript = pkgs.writeScriptBin "peering-manager-manage" '' + #!${pkgs.stdenv.shell} export PYTHONPATH=${pkg.pythonPath} sudo -u peering-manager ${pkg}/bin/peering-manager "$@" - ''); + ''; in { - options.services.peering-manager = { + options.services.peering-manager = with lib; { enable = mkOption { - type = lib.types.bool; + type = types.bool; default = false; - description = lib.mdDoc '' + description = mdDoc '' Enable Peering Manager. This module requires a reverse proxy that serves `/static` separately. @@ -69,7 +67,7 @@ in { listenAddress = mkOption { type = types.str; default = "[::1]"; - description = lib.mdDoc '' + description = mdDoc '' Address the server will listen on. ''; }; @@ -77,7 +75,7 @@ in { port = mkOption { type = types.port; default = 8001; - description = lib.mdDoc '' + description = mdDoc '' Port the server will listen on. ''; }; @@ -88,14 +86,14 @@ in { defaultText = literalExpression '' python3Packages: with python3Packages; []; ''; - description = lib.mdDoc '' + description = mdDoc '' List of plugin packages to install. ''; }; secretKeyFile = mkOption { type = types.path; - description = lib.mdDoc '' + description = mdDoc '' Path to a file containing the secret key. ''; }; @@ -103,7 +101,7 @@ in { peeringdbApiKeyFile = mkOption { type = with types; nullOr path; default = null; - description = lib.mdDoc '' + description = mdDoc '' Path to a file containing the PeeringDB API key. ''; }; @@ -111,7 +109,7 @@ in { extraConfig = mkOption { type = types.lines; default = ""; - description = lib.mdDoc '' + description = mdDoc '' Additional lines of configuration appended to the `configuration.py`. See the [documentation](https://peering-manager.readthedocs.io/en/stable/configuration/optional-settings/) for more possible options. ''; @@ -120,7 +118,7 @@ in { enableLdap = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = mdDoc '' Enable LDAP-Authentication for Peering Manager. This requires a configuration file being pass through `ldapConfigPath`. @@ -129,15 +127,15 @@ in { ldapConfigPath = mkOption { type = types.path; - description = lib.mdDoc '' + description = mdDoc '' Path to the Configuration-File for LDAP-Authentication, will be loaded as `ldap_config.py`. See the [documentation](https://peering-manager.readthedocs.io/en/stable/setup/6-ldap/#configuration) for possible options. ''; }; }; - config = mkIf cfg.enable { - services.peering-manager.plugins = mkIf cfg.enableLdap (ps: [ ps.django-auth-ldap ]); + config = lib.mkIf cfg.enable { + services.peering-manager.plugins = lib.mkIf cfg.enableLdap (ps: [ ps.django-auth-ldap ]); system.build.peeringManagerPkg = pkg; @@ -262,4 +260,6 @@ in { users.groups.peering-manager = {}; users.groups."${config.services.redis.servers.peering-manager.user}".members = [ "peering-manager" ]; }; + + meta.maintainers = with lib.maintainers; [ yuka ]; } diff --git a/nixos/modules/services/web-apps/pict-rs.nix b/nixos/modules/services/web-apps/pict-rs.nix index 3270715a051ba..e1b8c83335536 100644 --- a/nixos/modules/services/web-apps/pict-rs.nix +++ b/nixos/modules/services/web-apps/pict-rs.nix @@ -1,21 +1,53 @@ { lib, pkgs, config, ... }: -with lib; + let cfg = config.services.pict-rs; + inherit (lib) maintainers mkOption types; + + is03 = lib.versionOlder cfg.package.version "0.4.0"; + in { meta.maintainers = with maintainers; [ happysalada ]; meta.doc = ./pict-rs.md; options.services.pict-rs = { - enable = mkEnableOption (lib.mdDoc "pict-rs server"); + enable = lib.mkEnableOption (lib.mdDoc "pict-rs server"); + + package = mkOption { + type = types.package; + example = lib.literalExpression "pkgs.pict-rs"; + description = lib.mdDoc '' + pict-rs package to use. + ''; + }; + dataDir = mkOption { type = types.path; default = "/var/lib/pict-rs"; description = lib.mdDoc '' + The directory where to store the uploaded images & database. + ''; + }; + + repoPath = mkOption { + type = types.nullOr (types.path); + default = null; + description = lib.mdDoc '' + The directory where to store the database. + This option takes precedence over dataDir. + ''; + }; + + storePath = mkOption { + type = types.nullOr (types.path); + default = null; + description = lib.mdDoc '' The directory where to store the uploaded images. + This option takes precedence over dataDir. ''; }; + address = mkOption { type = types.str; default = "127.0.0.1"; @@ -23,6 +55,7 @@ in The IPv4 address to deploy the service to. ''; }; + port = mkOption { type = types.port; default = 8080; @@ -31,18 +64,43 @@ in ''; }; }; + config = lib.mkIf cfg.enable { + services.pict-rs.package = lib.mkDefault ( + # An incompatible db change happened in the transition from 0.3 to 0.4. + if lib.versionAtLeast config.system.stateVersion "23.11" + then pkgs.pict-rs + else pkgs.pict-rs_0_3 + ); + + # Account for config differences between 0.3 and 0.4 + assertions = [ + { + assertion = !is03 || (cfg.repoPath == null && cfg.storePath == null); + message = '' + Using `services.pict-rs.repoPath` or `services.pict-rs.storePath` with pict-rs 0.3 or older has no effect. + ''; + } + ]; + systemd.services.pict-rs = { - environment = { - PICTRS__PATH = cfg.dataDir; - PICTRS__ADDR = "${cfg.address}:${toString cfg.port}"; - }; + # Pict-rs split it's database and image storage paths in 0.4.0. + environment = + if is03 then { + PICTRS__PATH = cfg.dataDir; + PICTRS__ADDR = "${cfg.address}:${toString cfg.port}"; + } else { + PICTRS__REPO__PATH = if cfg.repoPath != null then cfg.repoPath else "${cfg.dataDir}/sled-repo"; + PICTRS__STORE__PATH = if cfg.storePath != null then cfg.storePath else "${cfg.dataDir}/files"; + PICTRS__SERVER__ADDR = "${cfg.address}:${toString cfg.port}"; + }; wantedBy = [ "multi-user.target" ]; serviceConfig = { DynamicUser = true; StateDirectory = "pict-rs"; - ExecStart = "${pkgs.pict-rs}/bin/pict-rs"; + ExecStart = if is03 then "${lib.getBin cfg.package}/bin/pict-rs" else "${lib.getBin cfg.package}/bin/pict-rs run"; }; }; }; + } diff --git a/nixos/modules/services/web-apps/restya-board.nix b/nixos/modules/services/web-apps/restya-board.nix index 4b32f06826e2c..959bcbc5c9f11 100644 --- a/nixos/modules/services/web-apps/restya-board.nix +++ b/nixos/modules/services/web-apps/restya-board.nix @@ -263,8 +263,8 @@ in serviceConfig.RemainAfterExit = true; wantedBy = [ "multi-user.target" ]; - requires = if cfg.database.host == null then [] else [ "postgresql.service" ]; - after = [ "network.target" ] ++ (if cfg.database.host == null then [] else [ "postgresql.service" ]); + requires = lib.optional (cfg.database.host != null) "postgresql.service"; + after = [ "network.target" ] ++ (lib.optional (cfg.database.host != null) "postgresql.service"); script = '' rm -rf "${runDir}" diff --git a/nixos/modules/services/x11/window-managers/herbstluftwm.nix b/nixos/modules/services/x11/window-managers/herbstluftwm.nix index 816cbb36cafdf..93705ada116d9 100644 --- a/nixos/modules/services/x11/window-managers/herbstluftwm.nix +++ b/nixos/modules/services/x11/window-managers/herbstluftwm.nix @@ -40,7 +40,7 @@ in (cfg.configFile != null) ''-c "${cfg.configFile}"'' ; - in "${cfg.package}/bin/herbstluftwm ${configFileClause}"; + in "${cfg.package}/bin/herbstluftwm ${configFileClause} &"; }; environment.systemPackages = [ cfg.package ]; }; diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index dcb15cf7d42b7..eec3461de7e77 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -133,10 +133,6 @@ let copy_bin_and_libs ${getBin pkgs.lvm2}/bin/dmsetup copy_bin_and_libs ${getBin pkgs.lvm2}/bin/lvm - # Add RAID mdadm tool. - copy_bin_and_libs ${pkgs.mdadm}/sbin/mdadm - copy_bin_and_libs ${pkgs.mdadm}/sbin/mdmon - # Copy udev. copy_bin_and_libs ${udev}/bin/udevadm copy_bin_and_libs ${udev}/lib/systemd/systemd-sysctl @@ -225,7 +221,6 @@ let $out/bin/udevadm --version $out/bin/dmsetup --version 2>&1 | tee -a log | grep -q "version:" LVM_SYSTEM_DIR=$out $out/bin/lvm version 2>&1 | tee -a log | grep -q "LVM" - $out/bin/mdadm --version ${optionalString config.services.multipath.enable '' ($out/bin/multipath || true) 2>&1 | grep -q 'need to be root' ($out/bin/multipathd || true) 2>&1 | grep -q 'need to be root' @@ -354,9 +349,6 @@ let [ { object = bootStage1; symlink = "/init"; } - { object = pkgs.writeText "mdadm.conf" config.boot.initrd.services.swraid.mdadmConf; - symlink = "/etc/mdadm.conf"; - } { object = pkgs.runCommand "initrd-kmod-blacklist-ubuntu" { src = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf"; preferLocalBuild = true; @@ -727,6 +719,6 @@ in }; imports = [ - (mkRenamedOptionModule [ "boot" "initrd" "mdadmConf" ] [ "boot" "initrd" "services" "swraid" "mdadmConf" ]) + (mkRenamedOptionModule [ "boot" "initrd" "mdadmConf" ] [ "boot" "swraid" "mdadmConf" ]) ]; } diff --git a/nixos/modules/tasks/filesystems/squashfs.nix b/nixos/modules/tasks/filesystems/squashfs.nix new file mode 100644 index 0000000000000..10d45a21d3ca8 --- /dev/null +++ b/nixos/modules/tasks/filesystems/squashfs.nix @@ -0,0 +1,13 @@ +{ config, lib, ... }: + +let + + inInitrd = lib.any (fs: fs == "squashfs") config.boot.initrd.supportedFilesystems; + +in + +{ + + boot.initrd.availableKernelModules = lib.mkIf inInitrd [ "squashfs" ]; + +} diff --git a/nixos/modules/tasks/swraid.nix b/nixos/modules/tasks/swraid.nix index 1c3f1db15099d..f624294565b06 100644 --- a/nixos/modules/tasks/swraid.nix +++ b/nixos/modules/tasks/swraid.nix @@ -1,47 +1,76 @@ { config, pkgs, lib, ... }: let - cfg = config.boot.initrd.services.swraid; + cfg = config.boot.swraid; in { + imports = [ + (lib.mkRenamedOptionModule [ "boot" "initrd" "services" "swraid" "enable" ] [ "boot" "swraid" "enable" ]) + (lib.mkRenamedOptionModule [ "boot" "initrd" "services" "swraid" "mdadmConf" ] [ "boot" "swraid" "mdadmConf" ]) + ]; - options.boot.initrd.services.swraid = { + + options.boot.swraid = { enable = lib.mkEnableOption (lib.mdDoc "swraid support using mdadm") // { - description = '' - *This will only be used when systemd is used in stage 1.* + description = lib.mdDoc '' + Whether to enable support for Linux MD RAID arrays. + + When this is enabled, mdadm will be added to the system path, + and MD RAID arrays will be detected and activated + automatically, both in stage-1 (initramfs) and in stage-2 (the + final NixOS system). - Whether to enable swraid support using mdadm. + This should be enabled if you want to be able to access and/or + boot from MD RAID arrays. {command}`nixos-generate-config` + should detect it correctly in the standard installation + procedure. ''; + default = lib.versionOlder config.system.stateVersion "23.11"; + defaultText = lib.mdDoc "`true` if stateVersion is older than 23.11"; }; mdadmConf = lib.mkOption { - description = lib.mdDoc "Contents of {file}`/etc/mdadm.conf` in initrd."; + description = lib.mdDoc "Contents of {file}`/etc/mdadm.conf`."; type = lib.types.lines; default = ""; }; }; - config = { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.mdadm ]; services.udev.packages = [ pkgs.mdadm ]; systemd.packages = [ pkgs.mdadm ]; - boot.initrd.availableKernelModules = lib.mkIf (config.boot.initrd.systemd.enable -> cfg.enable) [ "md_mod" "raid0" "raid1" "raid10" "raid456" ]; + boot.initrd = { + availableKernelModules = [ "md_mod" "raid0" "raid1" "raid10" "raid456" ]; + + extraUdevRulesCommands = lib.mkIf (!config.boot.initrd.systemd.enable) '' + cp -v ${pkgs.mdadm}/lib/udev/rules.d/*.rules $out/ + ''; + + extraUtilsCommands = '' + # Add RAID mdadm tool. + copy_bin_and_libs ${pkgs.mdadm}/sbin/mdadm + copy_bin_and_libs ${pkgs.mdadm}/sbin/mdmon + ''; + + extraUtilsCommandsTest = '' + $out/bin/mdadm --version + ''; - boot.initrd.extraUdevRulesCommands = lib.mkIf (!config.boot.initrd.systemd.enable) '' - cp -v ${pkgs.mdadm}/lib/udev/rules.d/*.rules $out/ - ''; + extraFiles."/etc/mdadm.conf".source = pkgs.writeText "mdadm.conf" config.boot.swraid.mdadmConf; - boot.initrd.systemd = lib.mkIf cfg.enable { - contents."/etc/mdadm.conf" = lib.mkIf (cfg.mdadmConf != "") { - text = cfg.mdadmConf; + systemd = { + contents."/etc/mdadm.conf" = lib.mkIf (cfg.mdadmConf != "") { + text = cfg.mdadmConf; + }; + + packages = [ pkgs.mdadm ]; + initrdBin = [ pkgs.mdadm ]; }; - packages = [ pkgs.mdadm ]; - initrdBin = [ pkgs.mdadm ]; + services.udev.packages = [ pkgs.mdadm ]; }; - - boot.initrd.services.udev.packages = lib.mkIf cfg.enable [ pkgs.mdadm ]; }; } diff --git a/nixos/modules/virtualisation/vmware-guest.nix b/nixos/modules/virtualisation/vmware-guest.nix index b8f0a4cf668ef..6880a257c2be6 100644 --- a/nixos/modules/virtualisation/vmware-guest.nix +++ b/nixos/modules/virtualisation/vmware-guest.nix @@ -24,12 +24,12 @@ in config = mkIf cfg.enable { assertions = [ { - assertion = pkgs.stdenv.hostPlatform.isx86; + assertion = pkgs.stdenv.hostPlatform.isx86 || pkgs.stdenv.hostPlatform.isAarch64; message = "VMWare guest is not currently supported on ${pkgs.stdenv.hostPlatform.system}"; } ]; boot.initrd.availableKernelModules = [ "mptspi" ]; - boot.initrd.kernelModules = [ "vmw_pvscsi" ]; + boot.initrd.kernelModules = lib.optionals pkgs.stdenv.hostPlatform.isx86 [ "vmw_pvscsi" ]; environment.systemPackages = [ open-vm-tools ]; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 790de7bbdc47b..723b030072e19 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -337,6 +337,7 @@ in { hbase3 = handleTest ./hbase.nix { package=pkgs.hbase3; }; hedgedoc = handleTest ./hedgedoc.nix {}; herbstluftwm = handleTest ./herbstluftwm.nix {}; + homepage-dashboard = handleTest ./homepage-dashboard.nix {}; installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {}); invidious = handleTest ./invidious.nix {}; oci-containers = handleTestOn ["aarch64-linux" "x86_64-linux"] ./oci-containers.nix {}; diff --git a/nixos/tests/common/resolver.nix b/nixos/tests/common/resolver.nix index 3ddf730668c4f..609058a7374a5 100644 --- a/nixos/tests/common/resolver.nix +++ b/nixos/tests/common/resolver.nix @@ -63,7 +63,7 @@ matched = builtins.match "[ \t]+(${reHost})(.*)" str; continue = lib.singleton (lib.head matched) ++ matchAliases (lib.last matched); - in if matched == null then [] else continue; + in lib.optional (matched != null) continue; matchLine = str: let result = builtins.match "[ \t]*(${reIp})[ \t]+(${reHost})(.*)" str; diff --git a/nixos/tests/homepage-dashboard.nix b/nixos/tests/homepage-dashboard.nix new file mode 100644 index 0000000000000..56e077f5ff6de --- /dev/null +++ b/nixos/tests/homepage-dashboard.nix @@ -0,0 +1,14 @@ +import ./make-test-python.nix ({ lib, ... }: { + name = "homepage-dashboard"; + meta.maintainers = with lib.maintainers; [ jnsgruk ]; + + nodes.machine = { pkgs, ... }: { + services.homepage-dashboard.enable = true; + }; + + testScript = '' + machine.wait_for_unit("homepage-dashboard.service") + machine.wait_for_open_port(8082) + machine.succeed("curl --fail http://localhost:8082/") + ''; +}) diff --git a/nixos/tests/installer-systemd-stage-1.nix b/nixos/tests/installer-systemd-stage-1.nix index 05fb2b2ae89c7..85155a6c682b3 100644 --- a/nixos/tests/installer-systemd-stage-1.nix +++ b/nixos/tests/installer-systemd-stage-1.nix @@ -28,7 +28,7 @@ simpleUefiGrubSpecialisation simpleUefiSystemdBoot stratisRoot - # swraid + swraid zfsroot ; diff --git a/nixos/tests/k3s/single-node.nix b/nixos/tests/k3s/single-node.nix index d61595d889e2a..e059603b9c9d7 100644 --- a/nixos/tests/k3s/single-node.nix +++ b/nixos/tests/k3s/single-node.nix @@ -62,20 +62,20 @@ import ../make-test-python.nix ({ pkgs, lib, k3s, ... }: start_all() machine.wait_for_unit("k3s") - machine.succeed("k3s kubectl cluster-info") - machine.fail("sudo -u noprivs k3s kubectl cluster-info") + machine.succeed("kubectl cluster-info") + machine.fail("sudo -u noprivs kubectl cluster-info") '' # Fix-Me: Tests fail for 'aarch64-linux' as: "CONFIG_CGROUP_FREEZER: missing (fail)" + lib.optionalString (!pkgs.stdenv.isAarch64) ''machine.succeed("k3s check-config")'' + '' machine.succeed( - "${pauseImage} | k3s ctr image import -" + "${pauseImage} | ctr image import -" ) # Also wait for our service account to show up; it takes a sec - machine.wait_until_succeeds("k3s kubectl get serviceaccount default") - machine.succeed("k3s kubectl apply -f ${testPodYaml}") - machine.succeed("k3s kubectl wait --for 'condition=Ready' pod/test") - machine.succeed("k3s kubectl delete -f ${testPodYaml}") + machine.wait_until_succeeds("kubectl get serviceaccount default") + machine.succeed("kubectl apply -f ${testPodYaml}") + machine.succeed("kubectl wait --for 'condition=Ready' pod/test") + machine.succeed("kubectl delete -f ${testPodYaml}") # regression test for #176445 machine.fail("journalctl -o cat -u k3s.service | grep 'ipset utility not found'") diff --git a/nixos/tests/kernel-generic.nix b/nixos/tests/kernel-generic.nix index 82d9118c6fb10..76deb0f0aa1d6 100644 --- a/nixos/tests/kernel-generic.nix +++ b/nixos/tests/kernel-generic.nix @@ -32,6 +32,7 @@ let linux_5_15_hardened linux_6_1_hardened linux_6_3_hardened + linux_6_4_hardened linux_testing; }; diff --git a/nixos/tests/non-default-filesystems.nix b/nixos/tests/non-default-filesystems.nix index 6233e8d265d0f..08a17107dd2fd 100644 --- a/nixos/tests/non-default-filesystems.nix +++ b/nixos/tests/non-default-filesystems.nix @@ -94,6 +94,8 @@ with pkgs.lib; makeTest { name = "non-default-filesystems-erofs"; + meta.maintainers = with maintainers; [ nikstur ]; + nodes.machine = _: { virtualisation.qemu.drives = [{ name = "non-default-filesystem"; @@ -128,4 +130,43 @@ with pkgs.lib; assert "erofs" in file_contents ''; }; + + squashfs = + let + fsImage = "/tmp/non-default-filesystem.img"; + in + makeTest { + name = "non-default-filesystems-squashfs"; + + meta.maintainers = with maintainers; [ nikstur ]; + + nodes.machine = { + virtualisation.qemu.drives = [{ + name = "non-default-filesystem"; + file = fsImage; + deviceExtraOpts.serial = "non-default"; + }]; + + virtualisation.fileSystems."/non-default" = { + device = "/dev/disk/by-id/virtio-non-default"; + fsType = "squashfs"; + neededForBoot = true; + }; + }; + + testScript = '' + import subprocess + + with open("filesystem", "w") as f: + f.write("squashfs") + + subprocess.run([ + "${pkgs.squashfsTools}/bin/mksquashfs", + "filesystem", + "${fsImage}", + ]) + + assert "squashfs" in machine.succeed("cat /non-default/filesystem") + ''; + }; } diff --git a/nixos/tests/systemd-initrd-swraid.nix b/nixos/tests/systemd-initrd-swraid.nix index 0d5a1c6354d05..d87170c925742 100644 --- a/nixos/tests/systemd-initrd-swraid.nix +++ b/nixos/tests/systemd-initrd-swraid.nix @@ -14,17 +14,17 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { boot.loader.efi.canTouchEfiVariables = true; environment.systemPackages = with pkgs; [ mdadm e2fsprogs ]; # for mdadm and mkfs.ext4 + boot.swraid = { + enable = true; + mdadmConf = '' + ARRAY /dev/md0 devices=/dev/vdb,/dev/vdc + ''; + }; boot.initrd = { systemd = { enable = true; emergencyAccess = true; }; - services.swraid = { - enable = true; - mdadmConf = '' - ARRAY /dev/md0 devices=/dev/vdb,/dev/vdc - ''; - }; kernelModules = [ "raid0" ]; }; diff --git a/nixos/tests/web-apps/peering-manager.nix b/nixos/tests/web-apps/peering-manager.nix index 56b7eebfadffd..3f0acd560d132 100644 --- a/nixos/tests/web-apps/peering-manager.nix +++ b/nixos/tests/web-apps/peering-manager.nix @@ -34,7 +34,7 @@ import ../make-test-python.nix ({ lib, pkgs, ... }: { "sudo -u postgres psql -c 'ALTER USER \"peering-manager\" WITH SUPERUSER;'" ) machine.succeed( - "cd ${nodes.machine.config.system.build.peeringManagerPkg}/opt/peering-manager ; peering-manager-manage test --no-input" + "cd ${nodes.machine.system.build.peeringManagerPkg}/opt/peering-manager ; peering-manager-manage test --no-input" ) ''; }) |