Diffstat (limited to 'nixos')
-rw-r--r--nixos/README.md2
-rw-r--r--nixos/doc/manual/installation/upgrading.chapter.md16
-rw-r--r--nixos/doc/manual/release-notes/release-notes.md1
-rw-r--r--nixos/doc/manual/release-notes/rl-2111.section.md2
-rw-r--r--nixos/doc/manual/release-notes/rl-2211.section.md2
-rw-r--r--nixos/doc/manual/release-notes/rl-2405.section.md935
-rw-r--r--nixos/doc/manual/release-notes/rl-2411.section.md39
-rw-r--r--nixos/lib/systemd-lib.nix24
-rw-r--r--nixos/lib/systemd-network-units.nix22
-rw-r--r--nixos/lib/test-driver/default.nix3
-rw-r--r--nixos/lib/test-driver/pyproject.toml8
-rwxr-xr-xnixos/lib/test-driver/test_driver/__init__.py30
-rw-r--r--nixos/lib/test-driver/test_driver/driver.py44
-rw-r--r--nixos/lib/test-driver/test_driver/logger.py249
-rw-r--r--nixos/lib/test-driver/test_driver/machine.py16
-rw-r--r--nixos/lib/test-driver/test_driver/polling_condition.py11
-rw-r--r--nixos/lib/test-driver/test_driver/vlan.py15
-rw-r--r--nixos/lib/test-script-prepend.py4
-rw-r--r--nixos/maintainers/scripts/ec2/README.md35
-rwxr-xr-xnixos/maintainers/scripts/ec2/create-amis.sh368
-rw-r--r--nixos/modules/config/no-x-libs.nix7
-rw-r--r--nixos/modules/hardware/video/nvidia.nix871
-rw-r--r--nixos/modules/hardware/xone.nix2
-rw-r--r--nixos/modules/installer/netboot/netboot.nix3
-rw-r--r--nixos/modules/misc/version.nix4
-rw-r--r--nixos/modules/module-list.nix11
-rw-r--r--nixos/modules/programs/coolercontrol.nix8
-rw-r--r--nixos/modules/programs/gnupg.nix16
-rw-r--r--nixos/modules/programs/ladybird.nix14
-rw-r--r--nixos/modules/programs/less.nix4
-rw-r--r--nixos/modules/programs/pantheon-tweaks.nix17
-rw-r--r--nixos/modules/programs/steam.nix41
-rw-r--r--nixos/modules/programs/thunderbird.nix89
-rw-r--r--nixos/modules/programs/wayland/hyprland.nix100
-rw-r--r--nixos/modules/programs/wayland/hyprlock.nix25
-rw-r--r--nixos/modules/programs/wayland/lib.nix12
-rw-r--r--nixos/modules/programs/wayland/river.nix58
-rw-r--r--nixos/modules/programs/wayland/sway.nix178
-rw-r--r--nixos/modules/programs/wayland/wayland-session.nix31
-rw-r--r--nixos/modules/rename.nix8
-rw-r--r--nixos/modules/services/audio/mopidy.nix1
-rw-r--r--nixos/modules/services/audio/navidrome.nix37
-rw-r--r--nixos/modules/services/backup/borgbackup.nix2
-rw-r--r--nixos/modules/services/cluster/rke2/default.nix311
-rw-r--r--nixos/modules/services/continuous-integration/hydra/default.nix2
-rw-r--r--nixos/modules/services/desktop-managers/lomiri.nix9
-rw-r--r--nixos/modules/services/desktop-managers/plasma6.nix49
-rw-r--r--nixos/modules/services/games/archisteamfarm.nix7
-rw-r--r--nixos/modules/services/hardware/kanata.nix23
-rw-r--r--nixos/modules/services/hardware/nvidia-container-toolkit/default.nix8
-rw-r--r--nixos/modules/services/home-automation/ebusd.nix2
-rw-r--r--nixos/modules/services/home-automation/wyoming/faster-whisper.nix3
-rw-r--r--nixos/modules/services/home-automation/wyoming/openwakeword.nix3
-rw-r--r--nixos/modules/services/home-automation/wyoming/piper.nix3
-rw-r--r--nixos/modules/services/mail/stalwart-mail.nix186
-rw-r--r--nixos/modules/services/misc/devpi-server.nix8
-rw-r--r--nixos/modules/services/misc/gitea.nix2
-rw-r--r--nixos/modules/services/misc/invidious-router.nix2
-rw-r--r--nixos/modules/services/misc/ollama.nix33
-rw-r--r--nixos/modules/services/misc/plex.nix29
-rw-r--r--nixos/modules/services/misc/portunus.nix4
-rw-r--r--nixos/modules/services/misc/snapper.nix2
-rw-r--r--nixos/modules/services/monitoring/grafana.nix100
-rw-r--r--nixos/modules/services/monitoring/prometheus/default.nix4
-rw-r--r--nixos/modules/services/networking/frr.nix27
-rw-r--r--nixos/modules/services/networking/kea.nix3
-rw-r--r--nixos/modules/services/networking/oink.nix84
-rw-r--r--nixos/modules/services/networking/rosenpass.nix4
-rw-r--r--nixos/modules/services/networking/ssh/sshd.nix56
-rw-r--r--nixos/modules/services/networking/wireguard.nix10
-rw-r--r--nixos/modules/services/security/bitwarden-directory-connector-cli.nix1
-rw-r--r--nixos/modules/services/security/oauth2-proxy-nginx.nix18
-rw-r--r--nixos/modules/services/system/dbus.nix8
-rw-r--r--nixos/modules/services/video/frigate.nix4
-rw-r--r--nixos/modules/services/wayland/hypridle.nix26
-rw-r--r--nixos/modules/services/web-apps/filesender.md49
-rw-r--r--nixos/modules/services/web-apps/filesender.nix253
-rw-r--r--nixos/modules/services/web-apps/firefly-iii.nix91
-rw-r--r--nixos/modules/services/web-apps/invoiceplane.nix30
-rw-r--r--nixos/modules/services/web-apps/mastodon.nix67
-rw-r--r--nixos/modules/services/web-apps/mealie.nix3
-rw-r--r--nixos/modules/services/web-apps/nextjs-ollama-llm-ui.nix87
-rw-r--r--nixos/modules/services/web-apps/simplesamlphp.nix128
-rw-r--r--nixos/modules/services/web-servers/bluemap.nix311
-rw-r--r--nixos/modules/services/web-servers/garage.nix11
-rw-r--r--nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py3
-rw-r--r--nixos/modules/system/boot/networkd.nix245
-rw-r--r--nixos/modules/system/boot/resolved.nix143
-rw-r--r--nixos/modules/system/boot/stage-1-init.sh1
-rw-r--r--nixos/modules/system/boot/systemd/sysusers.nix21
-rw-r--r--nixos/modules/tasks/network-interfaces-systemd.nix121
-rw-r--r--nixos/modules/virtualisation/virtualbox-guest.nix7
-rw-r--r--nixos/release-combined.nix2
-rw-r--r--nixos/tests/all-tests.nix8
-rw-r--r--nixos/tests/ayatana-indicators.nix9
-rw-r--r--nixos/tests/castopod.nix3
-rw-r--r--nixos/tests/clatd.nix4
-rw-r--r--nixos/tests/domination.nix4
-rw-r--r--nixos/tests/filesender.nix137
-rw-r--r--nixos/tests/firefly-iii.nix97
-rw-r--r--nixos/tests/gnome-extensions.nix5
-rw-r--r--nixos/tests/grafana/provision/default.nix41
-rw-r--r--nixos/tests/kea.nix1
-rw-r--r--nixos/tests/keepalived.nix4
-rw-r--r--nixos/tests/kernel-generic.nix2
-rw-r--r--nixos/tests/lomiri.nix22
-rw-r--r--nixos/tests/mealie.nix2
-rw-r--r--nixos/tests/misc.nix9
-rw-r--r--nixos/tests/ollama.nix8
-rw-r--r--nixos/tests/openssh.nix12
-rw-r--r--nixos/tests/phosh.nix2
-rw-r--r--nixos/tests/rke2/default.nix13
-rw-r--r--nixos/tests/rke2/multi-node.nix176
-rw-r--r--nixos/tests/rke2/single-node.nix75
-rw-r--r--nixos/tests/rosenpass.nix14
-rw-r--r--nixos/tests/stalwart-mail.nix12
-rw-r--r--nixos/tests/step-ca.nix2
-rw-r--r--nixos/tests/systemd-initrd-luks-fido2.nix1
-rw-r--r--nixos/tests/systemd-networkd-dhcpserver-static-leases.nix38
-rw-r--r--nixos/tests/systemd-networkd-dhcpserver.nix6
-rw-r--r--nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix3
-rw-r--r--nixos/tests/systemd-networkd-vrf.nix4
-rw-r--r--nixos/tests/systemd-networkd.nix18
-rw-r--r--nixos/tests/systemd-resolved.nix75
-rw-r--r--nixos/tests/tayga.nix4
-rw-r--r--nixos/tests/teleport.nix1
-rw-r--r--nixos/tests/tigervnc.nix8
-rw-r--r--nixos/tests/turbovnc-headless-server.nix11
-rw-r--r--nixos/tests/vector.nix53
-rw-r--r--nixos/tests/vector/api.nix39
-rw-r--r--nixos/tests/vector/default.nix11
-rw-r--r--nixos/tests/vector/dnstap.nix118
-rw-r--r--nixos/tests/vector/file-sink.nix49
-rw-r--r--nixos/tests/vector/nginx-clickhouse.nix168
-rw-r--r--nixos/tests/web-apps/nextjs-ollama-llm-ui.nix22
-rw-r--r--nixos/tests/web-servers/stargazer.nix15
136 files changed, 4793 insertions, 2482 deletions
diff --git a/nixos/README.md b/nixos/README.md
index 07e82bf0ad938..5f751e10e20a0 100644
--- a/nixos/README.md
+++ b/nixos/README.md
@@ -48,7 +48,7 @@ Reviewing process:
   - Description, default and example should be provided.
 - Ensure that option changes are backward compatible.
   - `mkRenamedOptionModuleWith` provides a way to make renamed option backward compatible.
-  - Use `lib.versionAtLeast config.system.stateVersion "23.11"` on backward incompatible changes which may corrupt, change or update the state stored on existing setups.
+  - Use `lib.versionAtLeast config.system.stateVersion "24.05"` on backward incompatible changes which may corrupt, change or update the state stored on existing setups.
 - Ensure that removed options are declared with `mkRemovedOptionModule`.
 - Ensure that changes that are not backward compatible are mentioned in release notes.
 - Ensure that documentations affected by the change is updated.
diff --git a/nixos/doc/manual/installation/upgrading.chapter.md b/nixos/doc/manual/installation/upgrading.chapter.md
index 11fc65502f953..1a3fc10ec8005 100644
--- a/nixos/doc/manual/installation/upgrading.chapter.md
+++ b/nixos/doc/manual/installation/upgrading.chapter.md
@@ -6,7 +6,7 @@ expressions and associated binaries. The NixOS channels are updated
 automatically from NixOS's Git repository after certain tests have
 passed and all packages have been built. These channels are:
 
--   *Stable channels*, such as [`nixos-23.11`](https://channels.nixos.org/nixos-23.11).
+-   *Stable channels*, such as [`nixos-24.05`](https://channels.nixos.org/nixos-24.05).
     These only get conservative bug fixes and package upgrades. For
     instance, a channel update may cause the Linux kernel on your system
     to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not
@@ -19,7 +19,7 @@ passed and all packages have been built. These channels are:
     radical changes between channel updates. It's not recommended for
     production systems.
 
--   *Small channels*, such as [`nixos-23.11-small`](https://channels.nixos.org/nixos-23.11-small)
+-   *Small channels*, such as [`nixos-24.05-small`](https://channels.nixos.org/nixos-24.05-small)
     or [`nixos-unstable-small`](https://channels.nixos.org/nixos-unstable-small).
     These are identical to the stable and unstable channels described above,
     except that they contain fewer binary packages. This means they get updated
@@ -38,8 +38,8 @@ supported stable release.
 
 When you first install NixOS, you're automatically subscribed to the
 NixOS channel that corresponds to your installation source. For
-instance, if you installed from a 23.11 ISO, you will be subscribed to
-the `nixos-23.11` channel. To see which NixOS channel you're subscribed
+instance, if you installed from a 24.05 ISO, you will be subscribed to
+the `nixos-24.05` channel. To see which NixOS channel you're subscribed
 to, run the following as root:
 
 ```ShellSession
@@ -54,16 +54,16 @@ To switch to a different NixOS channel, do
 ```
 
 (Be sure to include the `nixos` parameter at the end.) For instance, to
-use the NixOS 23.11 stable channel:
+use the NixOS 24.05 stable channel:
 
 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-23.11 nixos
+# nix-channel --add https://channels.nixos.org/nixos-24.05 nixos
 ```
 
 If you have a server, you may want to use the "small" channel instead:
 
 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-23.11-small nixos
+# nix-channel --add https://channels.nixos.org/nixos-24.05-small nixos
 ```
 
 And if you want to live on the bleeding edge:
@@ -117,6 +117,6 @@ modules. You can also specify a channel explicitly, e.g.
 
 ```nix
 {
-  system.autoUpgrade.channel = "https://channels.nixos.org/nixos-23.11";
+  system.autoUpgrade.channel = "https://channels.nixos.org/nixos-24.05";
 }
 ```
diff --git a/nixos/doc/manual/release-notes/release-notes.md b/nixos/doc/manual/release-notes/release-notes.md
index 0514a1b0044af..24494ed95ca88 100644
--- a/nixos/doc/manual/release-notes/release-notes.md
+++ b/nixos/doc/manual/release-notes/release-notes.md
@@ -3,6 +3,7 @@
 This section lists the release notes for each stable version of NixOS and current unstable revision.
 
 ```{=include=} sections
+rl-2411.section.md
 rl-2405.section.md
 rl-2311.section.md
 rl-2305.section.md
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index 8edf4fd35e4fb..4143f440f2890 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -146,7 +146,7 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [touchegg](https://github.com/JoseExposito/touchegg), a multi-touch gesture recognizer. Available as [services.touchegg](#opt-services.touchegg.enable).
 
-- [pantheon-tweaks](https://github.com/pantheon-tweaks/pantheon-tweaks), an unofficial system settings panel for Pantheon. Available as [programs.pantheon-tweaks](#opt-programs.pantheon-tweaks.enable).
+- [pantheon-tweaks](https://github.com/pantheon-tweaks/pantheon-tweaks), an unofficial system settings panel for Pantheon. Available as `programs.pantheon-tweaks`.
 
 - [joycond](https://github.com/DanielOgorchock/joycond), a service that uses `hid-nintendo` to provide nintendo joycond pairing and better nintendo switch pro controller support.
 
diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md
index 77cb6c9baadbc..4630b0987436c 100644
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@@ -366,7 +366,7 @@ In addition to numerous new and upgraded packages, this release includes the fol
       __Note:__ secrets from these files will be leaked into the store unless you use a
       [**file**-provider or env-var](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider) for secrets!
 
-    - [services.grafana.provision.notifiers](#opt-services.grafana.provision.notifiers) is not affected by this change because
+    - `services.grafana.provision.notifiers` is not affected by this change because
       this feature is deprecated by Grafana and will probably be removed in Grafana 10.
       It's recommended to use `services.grafana.provision.alerting.contactPoints` instead.
 
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index 9b57225de21ac..900ac60df908a 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -1,4 +1,4 @@
-# Release 24.05 (“Uakari”, 2024.05/??) {#sec-release-24.05}
+# Release 24.05 (“Uakari”, 2024.05/31) {#sec-release-24.05}
 
 Support is planned until the end of December 2024, handing over to 24.11.
 
@@ -6,60 +6,29 @@ Support is planned until the end of December 2024, handing over to 24.11.
 
 In addition to numerous new and upgraded packages, this release has the following highlights:
 
-<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-
-- `cryptsetup` has been upgraded from 2.6.1 to 2.7.0. Cryptsetup is a critical component enabling LUKS-based (but not only) full disk encryption.
-  Take the time to review [the release notes](https://gitlab.com/cryptsetup/cryptsetup/-/raw/v2.7.0/docs/v2.7.0-ReleaseNotes).
-  One of the highlights is that it is now possible to use hardware OPAL-based encryption of your disk with `cryptsetup`. It has a lot of caveats, see the above notes for the full details.
-
-- `screen`'s module has been cleaned, and will now require you to set `programs.screen.enable` in order to populate `screenrc` and add the program to the environment.
-
-- `linuxPackages_testing_bcachefs` is now fully deprecated by `linuxPackages_latest`, and is therefore no longer available.
+<!-- Please keep entries alphabetically sorted. -->
 
 - The default kernel package has been updated from 6.1 to 6.6. All supported kernels remain available.
 
+- For each supporting version of the Linux kernel, firmware blobs
+  are compressed with zstd. For firmware blobs this means an increase of 4.4% in size, however
+  a significantly higher decompression speed.
+
 - NixOS now installs a stub ELF loader that prints an informative error message when users attempt to run binaries not made for NixOS.
-   - This can be disabled through the `environment.stub-ld.enable` option.
-   - If you use `programs.nix-ld.enable`, no changes are needed. The stub will be disabled automatically.
+  - This can be disabled through the `environment.stub-ld.enable` option.
+  - If you use `programs.nix-ld.enable`, no changes are needed. The stub will be disabled automatically.
 
 - On flake-based NixOS configurations using `nixpkgs.lib.nixosSystem`, NixOS will automatically set `NIX_PATH` and the system-wide flake registry (`/etc/nix/registry.json`) to point `<nixpkgs>` and the unqualified flake path `nixpkgs` to the version of nixpkgs used to build the system.
 
   This makes `nix run nixpkgs#hello` and `nix-build '<nixpkgs>' -A hello` work out of the box with no added configuration, reusing dependencies already on the system.
 
-  This may be undesirable if nix commands are not going to be run on the built system since it adds nixpkgs to the system closure. For such closure-size-constrained non-interactive systems, this setting should be disabled.
-
-  To disable this, set [nixpkgs.flake.setNixPath](#opt-nixpkgs.flake.setNixPath) and [nixpkgs.flake.setFlakeRegistry](#opt-nixpkgs.flake.setFlakeRegistry) to false.
-
-- `nixVersions.unstable` was removed. Instead the following attributes are provided:
-  - `nixVersions.git` which tracks the latest Nix master and is roughly updated once a week. This is intended to enable people to easily test unreleased changes of Nix to catch regressions earlier.
-  - `nixVersions.latest` which points to the latest Nix version packaged in nixpkgs.
-
-- `julia` environments can now be built with arbitrary packages from the ecosystem using the `.withPackages` function. For example: `julia.withPackages ["Plots"]`.
-
-- `pipewire` and `wireplumber` modules have removed support for using
-`environment.etc."pipewire/..."` and `environment.etc."wireplumber/..."`.
-Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for PipeWire and
-`services.pipewire.wireplumber.configPackages` for WirePlumber instead."
-
-- `teleport` has been upgraded from major version 14 to major version 15.
-  Refer to upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/)
-  and release notes for [v15](https://goteleport.com/docs/changelog/#1500-013124).
-
-- `systemd.sysusers.enable` option was added. If enabled, users and
-  groups are created with systemd-sysusers instead of with a custom perl script.
-
-- `virtualisation.docker.enableNvidia` and `virtualisation.podman.enableNvidia` options are deprecated. `hardware.nvidia-container-toolkit.enable` should be used instead. This option will expose GPUs on containers with the `--device` CLI option. This is supported by Docker 25, Podman 3.2.0 and Singularity 4. Any container runtime that supports the CDI specification will take advantage of this feature.
-
-- `system.etc.overlay.enable` option was added. If enabled, `/etc` is
-  mounted via an overlayfs instead of being created by a custom perl script.
+  This may be undesirable if Nix commands are not going to be run on the built system since it adds nixpkgs to the system closure. For such closure-size-constrained non-interactive systems, this setting should be disabled.
 
-- For each supporting version of the Linux kernel firmware blobs
-  are compressed with zstd. For firmware blobs this means an increase of 4.4% in size, however
-  a significantly higher decompression speed.
+  To disable it, set [nixpkgs.flake.setNixPath](#opt-nixpkgs.flake.setNixPath) and [nixpkgs.flake.setFlakeRegistry](#opt-nixpkgs.flake.setFlakeRegistry) to false.
 
 - NixOS AMIs are now uploaded regularly to a new AWS Account.
   Instructions on how to use them can be found on <https://nixos.github.io/amis>.
-  We are working on integration the data into the NixOS homepage.
+  We are working on integrating the data into the NixOS homepage.
   The list in `nixos/modules/virtualisation/amazon-ec2-amis.nix` will stop
   being updated and will be removed in the future.
 
@@ -73,289 +42,318 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
   }
   ```
 
-- `virtialisation.incus` now defaults to the newly-added `incus-lts` release (v6.0.x). Users who wish to continue using the non-LTS release will need to set `virtualisation.incus.package = pkgs.incus`. Stable release users are encouraged to stay on the LTS release as non-LTS releases will by default not be backported.
+- Cinnamon has been updated to 6.0. Please be aware that the [Wayland session](https://blog.linuxmint.com/?p=4591) is still experimental in this release and could potentially [affect Xorg sessions](https://blog.linuxmint.com/?p=4639). We suggest a reboot when switching between sessions.
 
-- Canonical `lxd` has been upgraded to v5.21.x, an LTS release. The LTS release is now the only supported LXD release. Users are encouraged to [migrate to Incus](https://linuxcontainers.org/incus/docs/main/howto/server_migrate_lxd/) for better support on NixOS.
+- GNOME has been updated to 46 "Kathmandu". Refer to the [release notes](https://release.gnome.org/46/) for more details. Notably this release brings experimental VRR support, default GTK renderer changes and WebDAV support in Online Accounts. This release we have also stopped including the legacy and unsupported Adwaita-Dark theme by default.
 
-- `lua` interpreters default LUA_PATH and LUA_CPATH are not overriden by nixpkgs
-  anymore, we patch LUA_ROOT instead which is more respectful to upstream.
+- Lomiri (formerly known as Unity8) desktop mode, using Mir 2.x to function as a Wayland compositor, is now available and can be installed with `services.desktopManager.lomiri.enable = true`. Note that some core applications, services and indicators have yet to be packaged, and some functions may remain incomplete, but the base experience should be there.
+
+- LXQt has been updated to 2.0, which is based on Qt 6 and features Wayland support for many applications.
 
-- `plasma6` is now available and can be installed with `services.xserver.desktopManager.plasma6.enable = true;`. Plasma 5 will likely be deprecated in the next release (24.11). Note that Plasma 6 runs as Wayland by default, and the X11 session needs to be explicitly selected if necessary.
+- MATE has been updated to 1.28.
+  - To properly support panel plugins built with Wayland (in-process) support, we are introducing the `services.xserver.desktopManager.mate.extraPanelApplets` option, please use that for installing panel applets.
+  - Similarly, please use the `services.xserver.desktopManager.mate.extraCajaExtensions` option for installing Caja extensions.
+  - To use the Wayland session, enable `services.xserver.desktopManager.mate.enableWaylandSession`. This is opt-in for now as it is in early an stage and introduces a new set of Wayfire closures. Due to [known issues with LightDM](https://github.com/canonical/lightdm/issues/63), we suggest using SDDM as the display manager.
 
-- `lomiri` (formerly known as Unity8) desktop mode, using Mir 2.x to function as a Wayland compositor, is now available and can be installed with `services.desktopManager.lomiri.enable = true`. Note that some core applications, services and indicators have yet to be packaged, and some functions may remain incomplete, but the base experience should be there.
+- Plasma 6 is now available and can be installed with `services.xserver.desktopManager.plasma6.enable = true;`. Plasma 5 will likely be deprecated in the next release (24.11). Note that Plasma 6 runs as Wayland by default, and the X11 session needs to be explicitly selected if necessary.
 
 ## New Services {#sec-release-24.05-new-services}
 
-<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+<!-- Please keep entries alphabetically sorted. -->
 
-- [ownCloud Infinite Scale Stack](https://owncloud.com/infinite-scale-4-0/), a modern and scalable rewrite of ownCloud.
+- [Anki Sync Server](https://docs.ankiweb.net/sync-server.html), the official sync server built into recent versions of Anki. Available as [services.anki-sync-server](#opt-services.anki-sync-server.enable).
+The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server software.
 
-- [Handheld Daemon](https://github.com/hhd-dev/hhd), support for gaming handhelds like the Legion Go, ROG Ally, and GPD Win. Available as [services.handheld-daemon](#opt-services.handheld-daemon.enable).
+- [ALVR](https://github.com/alvr-org/alvr), a VR desktop streamer. Available as [programs.alvr](#opt-programs.alvr.enable).
+
+- [AppImage](https://appimage.org/), a tool to package desktop applications, now has a `binfmt` option to support running AppImages seamlessly on NixOS. Available as [programs.appimage.binfmt](#opt-programs.appimage.binfmt).
+
+- [armagetronad](https://wiki.armagetronad.org), a mid-2000s 3D lightcycle game widely played at iD Tech Camps. You can define multiple servers using `services.armagetronad.<server>.enable`.
 
 - [BenchExec](https://github.com/sosy-lab/benchexec), a framework for reliable benchmarking and resource measurement, available as [programs.benchexec](#opt-programs.benchexec.enable),
-  As well as related programs
+  as well as related programs
   [CPU Energy Meter](https://github.com/sosy-lab/cpu-energy-meter), available as [programs.cpu-energy-meter](#opt-programs.cpu-energy-meter.enable), and
   [PQoS Wrapper](https://gitlab.com/sosy-lab/software/pqos-wrapper), available as [programs.pqos-wrapper](#opt-programs.pqos-wrapper.enable).
 
-- [Guix](https://guix.gnu.org), a functional package manager inspired by Nix. Available as [services.guix](#opt-services.guix.enable).
+- [Bluemap](https://bluemap.bluecolored.de/), a 3D minecraft map renderer. Available as [services.bluemap](#opt-services.bluemap.enable).
 
-- [Flarum](https://flarum.org/), a delightfully simple discussion platform for your website. Available as [services.flarum](#opt-services.flarum.enable).
+- [clatd](https://github.com/toreanderson/clatd), a CLAT / SIIT-DC Edge Relay implementation for Linux.
 
-- [PhotonVision](https://photonvision.org/), a free, fast, and easy-to-use computer vision solution for the FIRST® Robotics Competition.
+- [Clevis](https://github.com/latchset/clevis), a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as [boot.initrd.clevis.enable](#opt-boot.initrd.clevis.enable).
 
-- [clatd](https://github.com/toreanderson/clatd), a CLAT / SIIT-DC Edge Relay implementation for Linux.
+- [CommaFeed](https://github.com/Athou/commafeed), a Google Reader-inspired self-hosted RSS reader. Available as [services.commafeed](#opt-services.commafeed.enable).
 
-- [pyLoad](https://pyload.net/), a FOSS download manager written in Python. Available as [services.pyload](#opt-services.pyload.enable).
+- [davis](https://github.com/tchapi/davis), a simple CardDav and CalDav server inspired by Baïkal. Available as [services.davis](#opt-services.davis.enable).
 
-- [maubot](https://github.com/maubot/maubot), a plugin-based Matrix bot framework. Available as [services.maubot](#opt-services.maubot.enable).
+- [db-rest](https://github.com/derhuerst/db-rest), a wrapper around Deutsche Bahn's internal API for public transport data. Available as [services.db-rest](#opt-services.db-rest.enable).
 
-- [ryzen-monitor-ng](https://github.com/mann1x/ryzen_monitor_ng), a desktop AMD CPU power monitor and controller, similar to Ryzen Master but for Linux. Available as [programs.ryzen-monitor-ng](#opt-programs.ryzen-monitor-ng.enable).
+- [dnsproxy](https://github.com/AdguardTeam/dnsproxy), a simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support. Available as [services.dnsproxy](#opt-services.dnsproxy.enable).
 
-- [ryzen-smu](https://gitlab.com/leogx9r/ryzen_smu), Linux kernel driver to expose the SMU (System Management Unit) for certain AMD Ryzen Processors. Includes the userspace program `monitor_cpu`. Available at [hardward.cpu.amd.ryzen-smu](#opt-hardware.cpu.amd.ryzen-smu.enable).
+- [FCast Receiver](https://fcast.org), an open-source alternative to Chromecast and AirPlay. Available as [programs.fcast-receiver](#opt-programs.fcast-receiver.enable).
 
-- `systemd`'s `gateway`, `upload`, and `remote` services, which provide ways of sending journals across the network. Enable using [services.journald.gateway](#opt-services.journald.gateway.enable), [services.journald.upload](#opt-services.journald.upload.enable), and [services.journald.remote](#opt-services.journald.remote.enable).
+- [FileSender](https://filesender.org/), a file sharing software. Available as [services.filesender](#opt-services.filesender.enable).
 
-- [GNS3](https://www.gns3.com/), a network software emulator. Available as [services.gns3-server](#opt-services.gns3-server.enable).
+- [Firefly-iii](https://www.firefly-iii.org), a free and open source personal finance manager. Available as [services.firefly-iii](#opt-services.firefly-iii.enable).
 
-- [pretalx](https://github.com/pretalx/pretalx), a conference planning tool. Available as [services.pretalx](#opt-services.pretalx.enable).
+- [Flarum](https://flarum.org/), a delightfully simple discussion platform for your website. Available as [services.flarum](#opt-services.flarum.enable).
 
-- [dnsproxy](https://github.com/AdguardTeam/dnsproxy), a simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support. Available as [services.dnsproxy](#opt-services.dnsproxy.enable).
+- [fritz-exporter](https://github.com/pdreker/fritz_exporter), a Prometheus exporter for extracting metrics from [FRITZ!](https://avm.de/produkte/) devices. Available as [services.prometheus.exporters.fritz](#opt-services.prometheus.exporters.fritz.enable).
 
-- [manticoresearch](https://manticoresearch.com), easy to use open source fast database for search. Available as [services.manticore](#opt-services.manticore.enable).
+- [GNS3](https://www.gns3.com/), a network software emulator. Available as [services.gns3-server](#opt-services.gns3-server.enable).
 
-- [rspamd-trainer](https://gitlab.com/onlime/rspamd-trainer), script triggered by a helper which reads mails from a specific mail inbox and feeds them into rspamd for spam/ham training.
+- [go-camo](https://github.com/cactus/go-camo), a secure image proxy server. Available as [services.go-camo](#opt-services.go-camo.enable).
 
-- [ollama](https://ollama.ai), server for running large language models locally.
+- [Guix](https://guix.gnu.org), a functional package manager inspired by Nix. Available as [services.guix](#opt-services.guix.enable).
 
-- [Mihomo](https://github.com/MetaCubeX/mihomo/tree/Alpha), a rule-based proxy in Go. Available as [services.mihomo.enable](#opt-services.mihomo.enable).
+- [Handheld Daemon](https://github.com/hhd-dev/hhd), support for gaming handhelds like the Legion Go, ROG Ally, and GPD Win. Available as [services.handheld-daemon](#opt-services.handheld-daemon.enable).
 
 - [hebbot](https://github.com/haecker-felix/hebbot), a Matrix bot to generate "This Week in X" like blog posts. Available as [services.hebbot](#opt-services.hebbot.enable).
 
-- [Workout-tracker](https://github.com/jovandeginste/workout-tracker), a workout tracking web application for personal use.
+- [inadyn](https://github.com/troglobit/inadyn), a Dynamic DNS client with built-in support for multiple providers. Available as [services.inadyn](#opt-services.inadyn.enable).
 
-- [Python Matter Server](https://github.com/home-assistant-libs/python-matter-server), a
-  Matter Controller Server exposing websocket connections for use with other services, notably Home Assistant.
-  Available as [services.matter-server](#opt-services.matter-server.enable).
+- [intel-gpu-tools](https://drm.pages.freedesktop.org/igt-gpu-tools), tools for development and testing of the Intel DRM driver. Available as [hardware.intel-gpu-tools](#opt-hardware.intel-gpu-tools.enable).
 
-- [db-rest](https://github.com/derhuerst/db-rest), a wrapper around Deutsche Bahn's internal API for public transport data. Available as [services.db-rest](#opt-services.db-rest.enable).
+- [isolate](https://github.com/ioi/isolate), a sandbox for securely executing untrusted programs. Available as [security.isolate](#opt-security.isolate.enable).
 
-- [mautrix-signal](https://github.com/mautrix/signal), a Matrix-Signal puppeting bridge. Available as [services.mautrix-signal](#opt-services.mautrix-signal.enable).
+- [Jottacloud Command-line Tool](https://docs.jottacloud.com/en/articles/1436834-jottacloud-command-line-tool), a CLI for the [Jottacloud](https://jottacloud.com/) cloud storage provider. Available as [services.jotta-cli](#opt-services.jotta-cli.enable).
 
-- [Anki Sync Server](https://docs.ankiweb.net/sync-server.html), the official sync server built into recent versions of Anki. Available as [services.anki-sync-server](#opt-services.anki-sync-server.enable).
-The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server software.
+- [keto](https://www.ory.sh/keto/), a permission & access control server, the first open source implementation of [*Zanzibar: Google's Consistent, Global Authorization System*](https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/).
 
-- [mautrix-meta](https://github.com/mautrix/meta), a Matrix <-> Facebook and Matrix <-> Instagram hybrid puppeting/relaybot bridge. Available as services.mautrix-meta.
+- [manticoresearch](https://manticoresearch.com), easy to use open source fast database for search. Available as [services.manticore](#opt-services.manticore.enable).
 
-- [Jottacloud Command-line Tool](https://docs.jottacloud.com/en/articles/1436834-jottacloud-command-line-tool), a CLI for the [Jottacloud](https://jottacloud.com/) cloud storage provider. Available as [services.jotta-cli](#opt-services.jotta-cli.enable).
+- [maubot](https://github.com/maubot/maubot), a plugin-based Matrix bot framework. Available as [services.maubot](#opt-services.maubot.enable).
 
-- [transfer-sh](https://github.com/dutchcoders/transfer.sh), a tool that supports easy and fast file sharing from the command-line. Available as [services.transfer-sh](#opt-services.transfer-sh.enable).
+- [mautrix-meta](https://github.com/mautrix/meta), a Matrix <-> Facebook and Matrix <-> Instagram hybrid puppeting/relaybot bridge. Available as services.mautrix-meta.
 
-- [FCast Receiver](https://fcast.org), an open-source alternative to Chromecast and AirPlay. Available as [programs.fcast-receiver](#opt-programs.fcast-receiver.enable).
+- [mautrix-signal](https://github.com/mautrix/signal), a Matrix-Signal puppeting bridge. Available as [services.mautrix-signal](#opt-services.mautrix-signal.enable).
+
+- [Mealie](https://nightly.mealie.io/), a self-hosted recipe manager and meal planner with a RestAPI backend and a reactive frontend application built in NuxtJS for a pleasant user experience for the whole family. Available as [services.mealie](#opt-services.mealie.enable).
 
 - [MollySocket](https://github.com/mollyim/mollysocket) which allows getting Signal notifications via UnifiedPush.
 
-- [Suwayomi Server](https://github.com/Suwayomi/Suwayomi-Server), a free and open source manga reader server that runs extensions built for [Tachiyomi](https://tachiyomi.org). Available as [services.suwayomi-server](#opt-services.suwayomi-server.enable).
+- [microsocks](https://github.com/rofl0r/microsocks), a tiny, portable SOCKS5 server with very moderate resource usage. Available as [services.microsocks](#opt-services.microsocks.enable).
+
+- [Mihomo](https://github.com/MetaCubeX/mihomo/tree/Alpha), a rule-based proxy in Go. Available as [services.mihomo.enable](#opt-services.mihomo.enable).
+
+- [Monado](https://monado.freedesktop.org/), an open source XR runtime. Available as [services.monado](#opt-services.monado.enable).
 
 - [Netbird](https://netbird.io), an open-source VPN management platform, now has a self-hosted management server. Available as [services.netbird.server](#opt-services.netbird.server.enable).
 
-- [ping_exporter](https://github.com/czerwonk/ping_exporter), a Prometheus exporter for ICMP echo requests. Available as [services.prometheus.exporters.ping](#opt-services.prometheus.exporters.ping.enable).
+- [nh](https://github.com/viperML/nh), yet another Nix CLI helper. Available as [programs.nh](#opt-programs.nh.enable).
 
-- [Prometheus DNSSEC Exporter](https://github.com/chrj/prometheus-dnssec-exporter), check for validity and expiration in DNSSEC signatures and expose metrics for Prometheus. Available as [services.prometheus.exporters.dnssec](#opt-services.prometheus.exporters.dnssec.enable).
+- [oink](https://github.com/rlado/oink), a dynamic DNS client for Porkbun. Available as [services.oink](#opt-services.oink.enable).
 
-- [TigerBeetle](https://tigerbeetle.com/), a distributed financial accounting database designed for mission critical safety and performance. Available as [services.tigerbeetle](#opt-services.tigerbeetle.enable).
+- [ollama](https://ollama.ai), server for running large language models locally.
 
-- [go-camo](https://github.com/cactus/go-camo), a secure image proxy server. Available as [services.go-camo](#opt-services.go-camo.enable).
+- [nextjs-ollama-llm-ui](https://github.com/jakobhoeg/nextjs-ollama-llm-ui), light-weight frontend server to chat with Ollama models through a web app.
 
-- [CommaFeed](https://github.com/Athou/commafeed), a Google Reader inspired self-hosted RSS reader. Available as [services.commafeed](#opt-services.commafeed.enable).
+- [ownCloud Infinite Scale Stack](https://owncloud.com/infinite-scale-4-0/), a modern and scalable rewrite of ownCloud.
 
-- [Monado](https://monado.freedesktop.org/), an open source XR runtime. Available as [services.monado](#opt-services.monado.enable).
+- [PhotonVision](https://photonvision.org/), a free, fast, and easy-to-use computer vision solution for the FIRST® Robotics Competition.
 
-- [intel-gpu-tools](https://drm.pages.freedesktop.org/igt-gpu-tools), tools for development and testing of the Intel DRM driver. Available as [hardware.intel-gpu-tools](#opt-hardware.intel-gpu-tools.enable).
+- [ping_exporter](https://github.com/czerwonk/ping_exporter), a Prometheus exporter for ICMP echo requests. Available as [services.prometheus.exporters.ping](#opt-services.prometheus.exporters.ping.enable).
 
 - [Pretix](https://pretix.eu/about/en/), an open source ticketing software for events. Available as [services.pretix](#opt-services.pretix.enable).
 
-- [microsocks](https://github.com/rofl0r/microsocks), a tiny, portable SOCKS5 server with very moderate resource usage. Available as [services.microsocks](#opt-services.microsocks.enable).
-
-- [inadyn](https://github.com/troglobit/inadyn), a Dynamic DNS client with built-in support for multiple providers. Available as [services.inadyn](#opt-services.inadyn.enable).
+- [pretalx](https://github.com/pretalx/pretalx), a conference planning tool. Available as [services.pretalx](#opt-services.pretalx.enable).
 
-- [Clevis](https://github.com/latchset/clevis), a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as [boot.initrd.clevis.enable](#opt-boot.initrd.clevis.enable).
+- [private-gpt](https://github.com/zylon-ai/private-gpt), a service to interact with your documents using the power of LLMs, 100% privately, no data leaks. Available as [services.private-gpt](#opt-services.private-gpt.enable).
 
-- [fritz-exporter](https://github.com/pdreker/fritz_exporter), a Prometheus exporter for extracting metrics from [FRITZ!](https://avm.de/produkte/) devices. Available as [services.prometheus.exporters.fritz](#opt-services.prometheus.exporters.fritz.enable).
+- [Prometheus DNSSEC Exporter](https://github.com/chrj/prometheus-dnssec-exporter): check for validity and expiration in DNSSEC signatures and expose metrics for Prometheus. Available as [services.prometheus.exporters.dnssec](#opt-services.prometheus.exporters.dnssec.enable).
 
-- [armagetronad](https://wiki.armagetronad.org), a mid-2000s 3D lightcycle game widely played at iD Tech Camps. You can define multiple servers using `services.armagetronad.<server>.enable`.
+- [prometheus-nats-exporter](https://github.com/nats-io/prometheus-nats-exporter), a Prometheus exporter for NATS. Available as [services.prometheus.exporters.nats](#opt-services.prometheus.exporters.nats.enable).
 
-- [wyoming-satellite](https://github.com/rhasspy/wyoming-satellite), a voice assistant satellite for Home Assistant using the Wyoming protocol. Available as [services.wyoming.satellite](#opt-services.wyoming.satellite.enable).
+- [pyLoad](https://pyload.net/), a FOSS download manager written in Python. Available as [services.pyload](#opt-services.pyload.enable).
 
-- [TuxClocker](https://github.com/Lurkki14/tuxclocker), a hardware control and monitoring program. Available as [programs.tuxclocker](#opt-programs.tuxclocker.enable).
+- [Python Matter Server](https://github.com/home-assistant-libs/python-matter-server), a
+  Matter Controller Server exposing websocket connections for use with other services, notably Home Assistant.
+  Available as [services.matter-server](#opt-services.matter-server.enable).
 
-- [AppImage](https://appimage.org/), a tool to package desktop applications, now has a `binfmt` option to support running AppImages seamlessly on NixOS. Available as [programs.appimage.binfmt](#opt-programs.appimage.binfmt).
+- [RustDesk](https://rustdesk.com), a full-featured open source remote control alternative for self-hosting and security with minimal configuration. Alternative to TeamViewer. Available as [services.rustdesk-server](#opt-services.rustdesk-server.enable).
 
-- [nh](https://github.com/viperML/nh), yet another Nix CLI helper. Available as [programs.nh](#opt-programs.nh.enable).
+- [ryzen-monitor-ng](https://github.com/mann1x/ryzen_monitor_ng), a desktop AMD CPU power monitor and controller, similar to Ryzen Master but for Linux. Available as [programs.ryzen-monitor-ng](#opt-programs.ryzen-monitor-ng.enable).
 
-- [ALVR](https://github.com/alvr-org/alvr), a VR desktop streamer. Available as [programs.alvr](#opt-programs.alvr.enable).
+- [ryzen-smu](https://gitlab.com/leogx9r/ryzen_smu), Linux kernel driver to expose the SMU (System Management Unit) for certain AMD Ryzen Processors. Includes the userspace program `monitor_cpu`. Available at [hardward.cpu.amd.ryzen-smu](#opt-hardware.cpu.amd.ryzen-smu.enable).
 
-- [xdg-terminal-exec](https://github.com/Vladimir-csp/xdg-terminal-exec), the proposed Default Terminal Execution Specification.
+- [Scrutiny](https://github.com/AnalogJ/scrutiny), a S.M.A.R.T monitoring tool for hard disks with a web frontend. Available as [services.scrutiny](#opt-services.scrutiny.enable).
 
-- [your_spotify](https://github.com/Yooooomi/your_spotify), a self hosted Spotify tracking dashboard. Available as [services.your_spotify](#opt-services.your_spotify.enable)
+- [SimpleSAMLphp](https://simplesamlphp.org/), an application written in native PHP that deals with authentication (SQL, .htpasswd, YubiKey, LDAP, PAPI, Radius). Available as [services.simplesamlphp](#opt-services.simplesamlphp).
 
-- [RustDesk](https://rustdesk.com), a full-featured open source remote control alternative for self-hosting and security with minimal configuration. Alternative to TeamViewer. Available as [services.rustdesk-server](#opt-services.rustdesk-server.enable).
+- `systemd`'s `gateway`, `upload`, and `remote` services, which provide ways of sending journals across the network. Enable using [services.journald.gateway](#opt-services.journald.gateway.enable), [services.journald.upload](#opt-services.journald.upload.enable), and [services.journald.remote](#opt-services.journald.remote.enable).
 
-- [Scrutiny](https://github.com/AnalogJ/scrutiny), a S.M.A.R.T monitoring tool for hard disks with a web frontend. Available as [services.scrutiny](#opt-services.scrutiny.enable).
+- [systemd-lock-handler](https://git.sr.ht/~whynothugo/systemd-lock-handler/), a bridge between logind D-Bus events and systemd targets. Available as [services.systemd-lock-handler.enable](#opt-services.systemd-lock-handler.enable).
 
-- [davis](https://github.com/tchapi/davis), a simple CardDav and CalDav server inspired by Baïkal. Available as [services.davis](#opt-services.davis.enable).
+- [rspamd-trainer](https://gitlab.com/onlime/rspamd-trainer), script triggered by a helper which reads mails from a specific mail inbox and feeds them into rspamd for spam/ham training.
 
-- [Firefly-iii](https://www.firefly-iii.org), a free and open source personal finance manager. Available as [services.firefly-iii](#opt-services.firefly-iii.enable).
+- [Sunshine](https://app.lizardbyte.dev/Sunshine), a self-hosted game stream host for Moonlight. Available as [services.sunshine](#opt-services.sunshine.enable).
 
-- [systemd-lock-handler](https://git.sr.ht/~whynothugo/systemd-lock-handler/), a bridge between logind D-Bus events and systemd targets. Available as [services.systemd-lock-handler.enable](#opt-services.systemd-lock-handler.enable).
+- [Suwayomi Server](https://github.com/Suwayomi/Suwayomi-Server), a free and open source manga reader server that runs extensions built for [Tachiyomi](https://tachiyomi.org). Available as [services.suwayomi-server](#opt-services.suwayomi-server.enable).
 
-- [wastebin](https://github.com/matze/wastebin), a pastebin server written in rust. Available as [services.wastebin](#opt-services.wastebin.enable).
+- [TigerBeetle](https://tigerbeetle.com/), a distributed financial accounting database designed for mission critical safety and performance. Available as [services.tigerbeetle](#opt-services.tigerbeetle.enable).
 
-- [Mealie](https://nightly.mealie.io/), a self-hosted recipe manager and meal planner with a RestAPI backend and a reactive frontend application built in NuxtJS for a pleasant user experience for the whole family. Available as [services.mealie](#opt-services.mealie.enable).
+- [transfer-sh](https://github.com/dutchcoders/transfer.sh), a tool that supports easy and fast file sharing from the command-line. Available as [services.transfer-sh](#opt-services.transfer-sh.enable).
 
-- [Sunshine](https://app.lizardbyte.dev/Sunshine), a self-hosted game stream host for Moonlight. Available as [services.sunshine](#opt-services.sunshine.enable).
+- [TuxClocker](https://github.com/Lurkki14/tuxclocker), a hardware control and monitoring program. Available as [programs.tuxclocker](#opt-programs.tuxclocker.enable).
 
 - [Uni-Sync](https://github.com/EightB1ts/uni-sync), a synchronization tool for Lian Li Uni Controllers. Available as [hardware.uni-sync](#opt-hardware.uni-sync.enable).
 
-- [prometheus-nats-exporter](https://github.com/nats-io/prometheus-nats-exporter), a Prometheus exporter for NATS. Available as [services.prometheus.exporters.nats](#opt-services.prometheus.exporters.nats.enable).
+- [wastebin](https://github.com/matze/wastebin), a pastebin server written in rust. Available as [services.wastebin](#opt-services.wastebin.enable).
 
-- [isolate](https://github.com/ioi/isolate), a sandbox for securely executing untrusted programs. Available as [security.isolate](#opt-security.isolate.enable).
+- [watchdogd](https://troglobit.com/projects/watchdogd/), a system and process supervisor using watchdog timers. Available as [services.watchdogd](#opt-services.watchdogd.enable).
+
+- [Workout-tracker](https://github.com/jovandeginste/workout-tracker), a workout tracking web application for personal use.
+
+- [wyoming-satellite](https://github.com/rhasspy/wyoming-satellite), a voice assistant satellite for Home Assistant using the Wyoming protocol. Available as [services.wyoming.satellite](#opt-services.wyoming.satellite.enable).
+
+- [xdg-terminal-exec](https://github.com/Vladimir-csp/xdg-terminal-exec), the proposed Default Terminal Execution Specification.
 
 - [ydotool](https://github.com/ReimuNotMoe/ydotool), a generic command-line automation tool now has a module. Available as [programs.ydotool](#opt-programs.ydotool.enable).
 
-- [private-gpt](https://github.com/zylon-ai/private-gpt), a service to interact with your documents using the power of LLMs, 100% privately, no data leaks. Available as [services.private-gpt](#opt-services.private-gpt.enable).
+- [your_spotify](https://github.com/Yooooomi/your_spotify), a self hosted Spotify tracking dashboard. Available as [services.your_spotify](#opt-services.your_spotify.enable)
 
-- [keto](https://www.ory.sh/keto/), a permission & access control server, the first open source implementation of ["Zanzibar: Google's Consistent, Global Authorization System"](https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/).
+- [RKE2](https://github.com/rancher/rke2), also known as RKE Government, is Rancher's next-generation Kubernetes distribution. Available as [services.rke2](#opt-services.rke2.enable).
 
 ## Backward Incompatibilities {#sec-release-24.05-incompatibilities}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- `k3s`: has been updated to version [v1.30](https://github.com/k3s-io/k3s/releases/tag/v1.30.0%2Bk3s1), previous supported versions are available under release specific names (e.g. k3s_1_27, k3s_1_28, and k3s_1_29) and present to help you migrate to the latest supported version. See [changelog and upgrade notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1290) for more information.
+- `akkoma` now requires explicitly setting the base URL for uploaded media (`settings."Pleroma.Upload".base_url`), as well as for the media proxy if enabled (`settings."Media"`).
+  This is recommended to be a separate (sub)domain to the one Akkoma is hosted at.
+  See [here](https://meta.akkoma.dev/t/akkoma-stable-2024-03-securer-i-barely-know-her/681#explicit-upload-and-media-proxy-domains-5) for more details.
 
-- `himalaya` was updated to v1.0.0-beta.4, which introduces breaking changes. Check out the [release note](https://github.com/soywod/himalaya/releases/tag/v1.0.0-beta.4) for details.
+- `appimageTools.wrapAppImage` now creates the binary at `$out/bin/${pname}` rather than `$out/bin/${pname}-${version}`, which will break downstream workarounds.
 
-- `security.pam.enableSSHAgentAuth` was replaced by the `sshAgentAuth` attrset, and **only**
-  `authorized_keys` files listed in [`sshAgentAuth.authorizedKeysFiles`] are trusted,
-  defaulting to `/etc/ssh/authorized_keys.d/%u`.
-  ::: {.warning}
-  Users of {manpage}`pam_ssh_agent_auth(8)` must take care that the pubkeys they use (for instance with `sudo`)
-  are listed in [`sshAgentAuth.authorizedKeysFiles`].
-  :::
-  ::: {.note}
-  Previously, all `services.openssh.authorizedKeysFiles` were trusted, including `~/.ssh/authorized_keys`,
-  which results in an **insecure** configuration; see [#31611](https://github.com/NixOS/nixpkgs/issues/31611).
-  :::
+- `azure-cli` now has extension support. For example, to install the `aks-preview` extension, use
 
-[`sshAgentAuth.authorizedKeysFiles`]: #opt-security.pam.sshAgentAuth.authorizedKeysFiles
+  ```nix
+  environment.systemPackages = [
+    (azure-cli.withExtensions [ azure-cli.extensions.aks-preview ])
+  ];
+  ```
+  To make the `azure-cli` immutable and prevent clashes in case `azure-cli` is also installed via other package managers, some configuration files were moved into the derivation.
+  This can be disabled by overriding `withImmutableConfig = false` when building `azure-cli`.
 
-- The `power.ups` module now generates `upsd.conf`, `upsd.users` and `upsmon.conf` automatically from a set of new configuration options. This breaks compatibility with existing `power.ups` setups where these files were created manually. Back up these files before upgrading NixOS.
+- `boot.supportedFilesystems` and `boot.initrd.supportedFilesystems` are now attribute sets instead of lists. Assignment from lists as done previously is still supported, but checking whether a filesystem is enabled must now by done using `supportedFilesystems.fs or false` instead of using `lib.elem "fs" supportedFilesystems` as was done previously.
 
-- `programs.nix-ld.libraries` no longer sets `baseLibraries` via the option's default but in config and now merges any additional libraries with the default ones.
-  This means that `lib.mkForce` must be used to clear the list of default libraries.
+- `buildGoModule` now throws an error when `vendorHash` is not specified. `vendorSha256`, deprecated in Nixpkgs 23.11, is now ignored and is no longer a `vendorHash` alias.
+
+- `chromium` and `ungoogled-chromium` had a long-standing issue regarding Widevine DRM handling in nixpkgs fixed.
+  `chromium` now no longer automatically downloads Widevine when encountering DRM protected content.
+  To be able to play DRM protected content in `chromium`, you now have to explicitly opt-in as originally intended using `chromium.override { enableWideVine = true; }`.
+  This override was added almost 10 years ago.
+
+- `craftos-pc` package has been updated to v2.8, which includes [breaking changes](https://github.com/MCJack123/craftos2/releases/tag/v2.8).
+  - Files are now handled in binary mode; this could break programs with embedded UTF-8 characters.
+  - The ROM was updated to match ComputerCraft version v1.109.2.
+  - The bundled Lua was updated to Lua v5.2, which includes breaking changes. See the [Lua manual](https://www.lua.org/manual/5.2/manual.html#8) for more information.
+  - The WebSocket API [was rewritten](https://github.com/MCJack123/craftos2/issues/337), which introduced breaking changes.
+
+- `cryptsetup` has been upgraded from 2.6.1 to 2.7.0. Cryptsetup is a critical component enabling LUKS-based (but not only) full disk encryption.
+  Take the time to review [the release notes](https://gitlab.com/cryptsetup/cryptsetup/-/raw/v2.7.0/docs/v2.7.0-ReleaseNotes).
+  One of the highlights is that it is now possible to use hardware OPAL-based encryption of your disk with `cryptsetup`. It has a lot of caveats, see the above notes for the full details.
+
+- `crystal` package has been updated to 1.11.x, which has some breaking changes.
+  Refer to crystal's changelog for more information. ([v1.10](https://github.com/crystal-lang/crystal/blob/master/CHANGELOG.md#1100-2023-10-09), [v1.11](https://github.com/crystal-lang/crystal/blob/master/CHANGELOG.md#1110-2024-01-08))
+
+- `cudaPackages` package scope has been updated to `cudaPackages_12`.
 
 - `cudaPackages.autoAddOpenGLRunpathHook` and `cudaPackages.autoAddDriverRunpath` have been deprecated for `pkgs.autoAddDriverRunpath`. Functionality has not changed, but the setuphook has been renamed and moved to the top-level package scope.
 
-- `cudaPackages.autoFixElfFiles` has been deprecated for `pkgs.autoFixElfFiles`. Functionality has not changed, but the setuphook has been renamed and moved to the top-level package scope.
+- `cudaPackages.cudatoolkit` has been deprecated and replaced with a
+  symlink-based wrapper for the splayed redistributable CUDA packages. The
+  wrapper only includes tools and libraries necessary to build common packages
+  such as tensorflow. The original runfile-based `cudatoolkit` is still
+  available as `cudatoolkit-legacy-runfile`.
 
-- `appimageTools.wrapAppImage` now creates the binary at `$out/bin/${pname}` rather than `$out/bin/${pname}-${version}`, which will break downstream workarounds.
+- `cudaPackages.nsight_systems` now has most vendored third-party libraries removed, though we now only ship it for `cudaPackages_11_8` and later, due to outdated dependencies. Users comfortable with the vendored dependencies may use `overrideAttrs` to amend the `postPatch` phase and the `meta.broken` correspondingly. Alternatively, one could package the deprecated `boost170` locally, as required for `cudaPackages_11_4.nsight_systems`.
 
-- `pdns` was updated to version [v4.9.x](https://doc.powerdns.com/authoritative/changelog/4.9.html), which introduces breaking changes. Check out the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-4-9-0) for details.
+- `cudaPackages.autoFixElfFiles` has been deprecated for `pkgs.autoFixElfFiles`. Functionality has not changed, but the setuphook has been renamed and moved to the top-level package scope.
 
-- `unrar` was updated to v7. See [changelog](https://www.rarlab.com/unrar7notes.htm) for more information.
+- `davfs2`'s `services.davfs2.extraConfig` setting has been deprecated and converted to the free-form type option named `services.davfs2.settings` according to RFC42.
 
-- `percona-server` now follows [the same two-fold release cycle](https://www.percona.com/blog/lts-and-innovation-releases-for-percona-server-for-mysql/) as Oracle MySQL and provides a *Long-Term-Support (LTS)* in parallel with a continuous-delivery *Innovation* release. `percona-server` defaults to `percona-server_lts`, will be backed by the same release branch throughout the lifetime of this stable NixOS release, and is still available under the versioned attribute `percona-server_8_0`.
-  The `percona-server_innovation` releases however have support periods shorter than the lifetime of this NixOS release and will continuously be updated to newer Percona releases. Note that Oracle considers the *Innovation* releases to be production-grade, but each release might include backwards-incompatible changes, even in its on-disk format.
-  The same release scheme is applied to the supporting `percona-xtrabackup` tool as well.
+- `dwarf-fortress` has been updated to version 50, which is identical to the version on Steam, but without the paid elements like tilepacks.
+  dfhack and Dwarf Therapist still work, and older versions are still packaged in case you'd like to roll back. Note that DF 50 saves will not be compatible with DF 0.47 and earlier.
+  See [Bay 12 Games](http://www.bay12games.com/dwarves/) for more details on what's new in Dwarf Fortress.
 
-- `git-town` was updated from version 11 to 13. See the [changelog](https://github.com/git-town/git-town/blob/main/CHANGELOG.md#1300-2024-03-22) for breaking changes.
+  - Running an earlier version can be achieved through an override: `dwarf-fortress-packages.dwarf-fortress-full.override { dfVersion = "0.47.5"; }`
 
-- `k9s` was updated to v0.31. There have been various breaking changes in the config file format,
-  check out the changelog of [v0.29](https://github.com/derailed/k9s/releases/tag/v0.29.0),
-  [v0.30](https://github.com/derailed/k9s/releases/tag/v0.30.0) and
-  [v0.31](https://github.com/derailed/k9s/releases/tag/v0.31.0) for details. It is recommended
-  to back up your current configuration and let k9s recreate the new base configuration.
+  - Ruby plugin support has been disabled in DFHack. Many of the Ruby plugins have been converted to Lua, and support was removed upstream due to frequent crashes.
 
-- the .csv format used to define lua packages to be updated via
-  `luarocks-packages-updater` has changed: `src` (URL towards a git repository) has now become `rockspec` (URL towards a rockspec) to remove ambiguity regarding which rockspec to use and simplify implementation.
+- `erlang-ls` package no longer ships the `els_dap` binary as of v0.51.0.
 
-- NixOS AMIs are now uploaded regularly to a new AWS Account.
-  Instructions on how to use them can be found on <https://nixos.github.io/amis>.
-  We are working on integration the data into the NixOS homepage.
-  The list in `nixos/modules/virtualisation/amazon-ec2-amis.nix` will stop
-  being updated and will be removed in the future.
+- `erlang_node_short_name`, `erlang_node_name`: `port` and `options` configuration parameters are gone, and have been replaced with an `environment` parameter.
+    Use the appropriate [environment variables](https://hexdocs.pm/livebook/readme.html#environment-variables) inside `environment` to configure the service instead.
 
-- The option `services.postgresql.ensureUsers._.ensurePermissions` has been removed as it is
-  not declarative and is broken with newer postgresql versions. Consider using
-  [](#opt-services.postgresql.ensureUsers._.ensureDBOwnership)
-  instead or a tool that is more suited for managing the data inside a postgresql database.
+- `firefox-devedition`, `firefox-beta`, `firefox-esr` executable file names for now match their package names, which is consistent with the `firefox-*-bin` packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher.
 
-- `idris2` was updated to v0.7.0. This version introduces breaking changes. Check out the [changelog](https://github.com/idris-lang/Idris2/blob/v0.7.0/CHANGELOG.md#v070) for details.
+- `gauge` now supports installing plugins using Nix. For the old imperative approach, switch to `gauge-unwrapped`.
+  You can load plugins from an existing gauge manifest file using `gauge.fromManifest ./path/to/manifest.json` or
+  specify plugins in Nix using `gauge.withPlugins (p: with p; [ js html-report xml-report ])`.
 
-- `hvm` was updated to version 2.
+- `gitea` has been updated to 1.21, which introduces several breaking changes, including:
+  - Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*`
+  - New instances of Gitea using MySQL now ignore the `[database].CHARSET` config option and always use the `utf8mb4` charset, existing instances should migrate via the `gitea doctor convert` CLI command.
 
-- `nvtop` family of packages was reorganized into nested attrset. `nvtop` has been renamed to `nvtopPackages.full`, and all `nvtop-{amd,nvidia,intel,msm}` packages are now named as `nvtopPackages.{amd,nvidia,intel,msm}`.
+- `git-town` was updated from version 11 to 13. See the [changelog](https://github.com/git-town/git-town/blob/main/CHANGELOG.md#1300-2024-03-22) for breaking changes.
 
-- `neo4j` has been updated to version 5. You may want to read the [release notes for Neo4j 5](https://neo4j.com/release-notes/database/neo4j-5/).
+- `gonic` has been updated to v0.16.4. Config now requires `playlists-path` to be set. See the rest of the [v0.16.0 release notes](https://github.com/sentriz/gonic/releases/tag/v0.16.0) for more details.
 
-- `services.neo4j.allowUpgrade` was removed and no longer has any effect. Neo4j 5 supports automatic rolling upgrades.
+- `go-ethereum` has been updated to v1.14.3. Geth v1.14.0 introduced a brand new live-tracing feature,
+  which required a number of breaking internal API changes. If you had your own native tracers implemented before this change,
+  the [changelog](https://github.com/ethereum/go-ethereum/blob/master/core/tracing/CHANGELOG.md) contains the necessary steps needed to update your old code for the new APIs.
+  Geth v1.14.0 drops support for running pre-merge networks ([#29169](https://github.com/ethereum/go-ethereum/pull/29169)).
+  It also stops automatically constructing the pending block ([#28623](https://github.com/ethereum/go-ethereum/pull/28623)),
+  removes support for filtering pending logs, switched to using Go v1.22 by default (#28946), which means we've dropped support for Go v1.20.
+  See [the 1.14.0 release notes](https://github.com/ethereum/go-ethereum/releases/tag/v1.14.0) for more details.
 
-- `unifiLTS`, `unifi5` and `unifi6` have been removed, as they require MongoDB versions which are end-of-life. All these versions can be upgraded to `unifi7` directly.
+- `grafana-loki` has been updated to 3.0.0, which includes [breaking changes](https://github.com/grafana/loki/releases/tag/v3.0.0).
 
-- `mongodb-4_4` has been removed as it has reached end of life. Consequently, `unifi7` and `unifi8` now use MongoDB 5.0 by default.
+- `gtest` package has been updated past v1.13.0, which requires C++14 or higher.
 
-- `mongodb-5_0` and newer requires a cpu with the avx instruction set to run.
+- `hare` may now be cross-compiled. For that to work, however, `haredoc` needed to stop being built together with it. Thus, the latter is now its own package with the name of `haredoc`.
 
-- `nitter` requires a `guest_accounts.jsonl` to be provided as a path or loaded into the default location at `/var/lib/nitter/guest_accounts.jsonl`. See [Guest Account Branch Deployment](https://github.com/zedeus/nitter/wiki/Guest-Account-Branch-Deployment) for details.
+- `himalaya` has been updated to v1.0.0-beta.4, which introduces breaking changes. Check out the [release note](https://github.com/soywod/himalaya/releases/tag/v1.0.0-beta.4) for details.
 
-- `boot.supportedFilesystems` and `boot.initrd.supportedFilesystems` are now attribute sets instead of lists. Assignment from lists as done previously is still supported, but checking whether a filesystem is enabled must now by done using `supportedFilesystems.fs or false` instead of using `lib.elem "fs" supportedFilesystems` as was done previously.
+- `halloy` has been updated to 2024.5, which introduced a breaking change by switching the config format from YAML to TOML. See <https://github.com/squidowl/halloy/releases/tag/2024.5> for details.
 
-- `services.aria2.rpcSecret` has been replaced with `services.aria2.rpcSecretFile`.
-  This was done so that secrets aren't stored in the world-readable nix store.
-  To migrate, you will have to create a file with the same exact string, and change
-  your module options to point to that file. For example, `services.aria2.rpcSecret =
-  "mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"`
-  where the file `secret_file` contains the string `mysecret`.
+- `hvm` was updated to version 2.
 
-- The `system.forbiddenDependenciesRegex` option has been renamed to `system.forbiddenDependenciesRegexes` and now has the type of `listOf string` instead of `string` to accept multiple regexes.
+- `icu` no longer includes `install-sh` and `mkinstalldirs` in the shared folder.
 
-- `openssh`, `openssh_hpn` and `openssh_gssapi` are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading
-  to another signature algorithm. However, for the time being it is possible to restore DSA key support using `override` to set `dsaKeysSupport = true`.
+- `idris2` was updated to v0.7.0. This version introduces breaking changes. Check out the [changelog](https://github.com/idris-lang/Idris2/blob/v0.7.0/CHANGELOG.md#v070) for details.
 
-- `buildGoModule` now throws an error when `vendorHash` is not specified. `vendorSha256`, deprecated in Nixpkgs 23.11, is now ignored and is no longer a `vendorHash` alias.
+- `inetutils` now has a lower priority to avoid shadowing the commonly-used `util-linux`. If one wishes to restore the default priority, simply use `lib.setPrio 5 inetutils` or override with `meta.priority = 5`.
 
-- `services.invidious.settings.db.user`, the default database username has changed from `kemal` to `invidious`. Setups involving an externally-provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857).
+- `jdt-language-server` package now uses upstream's provided python wrapper instead of our own custom wrapper. This results in the following breaking and notable changes:
 
-- `writeReferencesToFile` is deprecated in favour of the new trivial build helper `writeClosure`. The latter accepts a list of paths and has an unambiguous name and cleaner implementation.
+  - The main binary for the package is now named `jdtls` instead of `jdt-language-server`, equivalent to what most editors expect the binary to be named.
 
-- `inetutils` now has a lower priority to avoid shadowing the commonly used `util-linux`. If one wishes to restore the default priority, simply use `lib.setPrio 5 inetutils` or override with `meta.priority = 5`.
+  - JVM arguments should now be provided with the `--jvm-arg` flag instead of setting `JAVA_OPTS`.
 
-- `paperless`' `services.paperless.extraConfig` setting has been removed and converted to the free-form type and option named `services.paperless.settings`.
+  - The `-data` path is no longer required to run the package, and will be set to point to a folder in `$TMP` if missing.
 
-- `davfs2`' `services.davfs2.extraConfig` setting has been deprecated and converted to the free-form type option named `services.davfs2.settings` according to RFC42.
+- `julia` environments can now be built with arbitrary packages from the ecosystem using the `.withPackages` function. For example: `julia.withPackages ["Plots"]`.
 
-- `services.homepage-dashboard` now takes its configuration using native Nix expressions, rather than dumping templated configurations into `/var/lib/homepage-dashboard` where they were previously managed manually. There are now new options which allow the configuration of bookmarks, services, widgets and custom CSS/JS natively in Nix.
+- `k3s` has been updated to version [v1.30](https://github.com/k3s-io/k3s/releases/tag/v1.30.0%2Bk3s1), previous supported versions are available under release-specific names (e.g. k3s_1_27, k3s_1_28, and k3s_1_29) in order to help you migrate to the latest supported version. See [changelog and upgrade notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1290) for more information.
 
-- `hare` may now be cross-compiled. For that to work, however, `haredoc` needed to stop being built together with it. Thus, the latter is now its own package with the name of `haredoc`.
+- `k9s` was updated to v0.31. There have been various breaking changes in the config file format,
+  check out the changelog of [v0.29](https://github.com/derailed/k9s/releases/tag/v0.29.0),
+  [v0.30](https://github.com/derailed/k9s/releases/tag/v0.30.0) and
+  [v0.31](https://github.com/derailed/k9s/releases/tag/v0.31.0) for details. It is recommended
+  to back up your current configuration and let k9s recreate the new base configuration.
 
-- `network-interfaces.target` system target was removed as it has been deprecated for a long time. Use `network.target` instead.
+- `kanata` package has been updated to v1.6.1, which includes breaking changes.  Check out the changelog of [v1.5.0](https://github.com/jtroo/kanata/releases/tag/v1.5.0) and [v1.6.0](https://github.com/jtroo/kanata/releases/tag/v1.6.0) for details.
 
-- `services.redis.vmOverCommit` now defaults to `true` and no longer enforces Transparent Hugepages (THP) to be disabled. Redis only works with THP configured to `madvise` which is the kernel's default.
+- `linuxPackages_testing_bcachefs` is now fully deprecated by `linuxPackages_latest`, and is therefore no longer available.
 
-- `azure-cli` now has extension support. For example, to install the `aks-preview` extension, use
+- `livebook` package is now built as a `mix release` instead of an `escript`.
+  This means that configuration now has to be done using [environment variables](https://hexdocs.pm/livebook/readme.html#environment-variables) instead of command line arguments.
+  This has the further consequence that the `livebook` service configuration has changed.
 
-  ```nix
-  environment.systemPackages = [
-    (azure-cli.withExtensions [ azure-cli.extensions.aks-preview ])
-  ];
-  ```
-  To make the `azure-cli` immutable and prevent clashes in case `azure-cli` is also installed via other package managers, some configuration files were moved into the derivation.
-  This can be disabled by overriding `withImmutableConfig = false` when building `azure-cli`.
+- `lua` interpreters default LUA_PATH and LUA_CPATH are not overriden by nixpkgs
+  anymore, we patch LUA_ROOT instead which is more respectful to upstream.
 
-- `services.frp.settings` now generates the frp configuration file in TOML format as [recommended by upstream](https://github.com/fatedier/frp#configuration-files), instead of the legacy INI format. This has also introduced other changes in the configuration file structure and options.
-  - The `settings.common` section in the configuration is no longer valid and all the options form inside it now goes directly under `settings`.
-  - The `_` separating words in the configuration options is removed so the options are now in camel case. For example: `server_addr` becomes `serverAddr`, `server_port` becomes `serverPort` etc.
-  - Proxies are now defined with a new option `settings.proxies` which takes a list of proxies.
-  - Consult the [upstream documentation](https://github.com/fatedier/frp#example-usage) for more details on the changes.
+- `luarocks-packages-updater`'s .csv format, used to define lua packages to be updated, has changed: `src` (URL of a git repository) has now become `rockspec` (URL of a rockspec) to remove ambiguity regarding which rockspec to use and simplify implementation.
 
 - `mkosi` was updated to v22. Parts of the user interface have changed. Consult the
   release notes of [v19](https://github.com/systemd/mkosi/releases/tag/v19),
@@ -363,80 +361,111 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
   [v21](https://github.com/systemd/mkosi/releases/tag/v21) and
   [v22](https://github.com/systemd/mkosi/releases/tag/v22) for a list of changes.
 
-- `gonic` has been updated to v0.16.4. Config now requires `playlists-path` to be set. See the rest of the [v0.16.0 release notes](https://github.com/sentriz/gonic/releases/tag/v0.16.0) for more details.
+- `mongodb-4_4` has been removed as it has reached end of life. Consequently, `unifi7` and `unifi8` now use MongoDB 5.0 by default.
 
-- `services.vikunja` systemd service now uses `vikunja` as dynamic user instead of `vikunja-api`. Database users might need to be changed.
+- `mongodb-5_0` and newer requires a cpu with the AVX instruction set to run.
 
-- `services.vikunja.setupNginx` setting has been removed. Users now need to setup the webserver configuration on their own with a proxy pass to the vikunja service.
+- `neo4j` has been updated to version 5. You may want to read the [release notes for Neo4j 5](https://neo4j.com/release-notes/database/neo4j-5/).
 
-- `services.vmagent` module deprecates `dataDir`, `group` and `user` setting in favor of systemd provided CacheDirectory and DynamicUser.
+- `netbox` was updated to v3.7. `services.netbox.package` still defaults
+  to v3.6 if `stateVersion` is earlier than 24.05. Refer to upstream's breaking
+  changes [for
+  v3.7.0](https://github.com/netbox-community/netbox/releases/tag/v3.7.0) and
+  upgrade NetBox by changing `services.netbox.package`. Database migrations
+  will be run automatically.
 
-- `services.vmagent.remoteWriteUrl` setting has been renamed to `services.vmagent.remoteWrite.url` and now defaults to `null`.
+- `network-interfaces.target` system target was removed as it has been deprecated for a long time. Use `network.target` instead.
 
-- `woodpecker-*` packages have been updated to v2 which includes [breaking changes](https://woodpecker-ci.org/docs/next/migrations#200).
+- `networking.iproute2.enable` now does not set `environment.etc."iproute2/rt_tables".text`.
 
-- `services.nginx` will no longer advertise HTTP/3 availability automatically. This must now be manually added, preferably to each location block.
-  Example:
+  Setting `environment.etc."iproute2/{CONFIG_FILE_NAME}".text` will override the whole configuration file instead of appending it to the upstream configuration file.
 
-  ```nix
-  {
-    locations."/".extraConfig = ''
-      add_header Alt-Svc 'h3=":$server_port"; ma=86400';
-    '';
-    locations."^~ /assets/".extraConfig = ''
-      add_header Alt-Svc 'h3=":$server_port"; ma=86400';
-    '';
-  }
-  ```
+  `CONFIG_FILE_NAME` includes `bpf_pinning`, `ematch_map`, `group`, `nl_protos`, `rt_dsfield`, `rt_protos`, `rt_realms`, `rt_scopes`, and `rt_tables`.
+
+- `nextcloud26` has been removed since it's not maintained anymore by upstream. The latest available version of Nextcloud is now v29 (available as `pkgs.nextcloud29`). The installation logic is as follows:
+  - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**).
+  - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.05, `pkgs.nextcloud29` will be installed by default.
+  - If [`system.stateVersion`](#opt-system.stateVersion) is >=23.11, `pkgs.nextcloud27` will be installed by default.
+  - Please note that an upgrade from v27 (or older) to v29 directly is not possible. Please upgrade to `nextcloud28` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud28;`](options.html#opt-services.nextcloud.package).
+  - Known warnings after the upgrade are documented in [](#module-services-nextcloud-known-warnings) from now on.
+  - The "Photos" app only displays Media from inside the `Photos` directory. This can be changed manually in the "Photos" tab below "Photos settings".
+
+- `nitter` requires a `guest_accounts.jsonl` to be provided as a path or loaded into the default location at `/var/lib/nitter/guest_accounts.jsonl`. See [Guest Account Branch Deployment](https://github.com/zedeus/nitter/wiki/Guest-Account-Branch-Deployment) for details.
+
+- `nixVersions.unstable` was removed. Instead the following attributes are provided:
+  - `nixVersions.git` which tracks the latest Nix master and is roughly updated once a week. This is intended to enable people to easily test unreleased changes of Nix to catch regressions earlier.
+  - `nixVersions.latest` which points to the latest Nix version packaged in nixpkgs.
+
+- `nomad` has been updated - note that HashiCorp recommends updating one minor version at a time. Please check [their upgrade guide](https://developer.hashicorp.com/nomad/docs/upgrade) for information on safely updating clusters and potential breaking changes.
+
+  - `nomad` is now Nomad 1.7.x.
+
+  - `nomad_1_4` has been removed, as it is now unsupported upstream.
+
+- `nvtop` family of packages was reorganized into a nested attrset. `nvtop` has been renamed to `nvtopPackages.full`, and all `nvtop-{amd,nvidia,intel,msm}` packages are renamed to `nvtopPackages.{amd,nvidia,intel,msm}`.
+
+- `openssh`, `openssh_hpn` and `openssh_gssapi` are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading
+  to another signature algorithm. However, for the time being it is possible to restore DSA key support using `override` to set `dsaKeysSupport = true`.
 
 - `optparse-bash` is now dropped due to upstream inactivity. Alternatives available in Nixpkgs include [`argc`](https://github.com/sigoden/argc), [`argbash`](https://github.com/matejak/argbash), [`bashly`](https://github.com/DannyBen/bashly) and [`gum`](https://github.com/charmbracelet/gum), to name a few.
 
-- `kanata` package has been updated to v1.6.1, which includes breaking changes.  Check out the changelog of [v1.5.0](https://github.com/jtroo/kanata/releases/tag/v1.5.0) and [v1.6.0](https://github.com/jtroo/kanata/releases/tag/v1.6.0) for details.
+- `paperless`' `services.paperless.extraConfig` setting has been removed and converted to the free-form type and option named `services.paperless.settings`.
 
-- `craftos-pc` package has been updated to v2.8, which includes [breaking changes](https://github.com/MCJack123/craftos2/releases/tag/v2.8).
-  - Files are now handled in binary mode; this could break programs with embedded UTF-8 characters.
-  - The ROM was updated to match ComputerCraft version v1.109.2.
-  - The bundled Lua was updated to Lua v5.2, which includes breaking changes. See the [Lua manual](https://www.lua.org/manual/5.2/manual.html#8) for more information.
-  - The WebSocket API [was rewritten](https://github.com/MCJack123/craftos2/issues/337), which introduced breaking changes.
+- `pdns` was updated to version [v4.9.x](https://doc.powerdns.com/authoritative/changelog/4.9.html), which introduces breaking changes. Check out the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-4-9-0) for details.
 
-- `gtest` package has been updated past v1.13.0, which requires C++14 or higher.
+- `percona-server` now follows [the same two-fold release cycle](https://www.percona.com/blog/lts-and-innovation-releases-for-percona-server-for-mysql/) as Oracle MySQL and provides a *Long-Term-Support (LTS)* in parallel with a continuous-delivery *Innovation* release. `percona-server` defaults to `percona-server_lts`, will be backed by the same release branch throughout the lifetime of this stable NixOS release, and is still available under the versioned attribute `percona-server_8_0`.
+  The `percona-server_innovation` releases however have support periods shorter than the lifetime of this NixOS release and will continuously be updated to newer Percona releases. Note that Oracle considers the *Innovation* releases to be production-grade, but each release might include backwards-incompatible changes, even in its on-disk format.
+  The same release scheme is applied to the supporting `percona-xtrabackup` tool as well.
 
-- Nextcloud 26 has been removed since it's not maintained anymore by upstream.
+- `pipewire` and `wireplumber` modules have removed support for using
+`environment.etc."pipewire/..."` and `environment.etc."wireplumber/..."`.
+Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for PipeWire and
+`services.pipewire.wireplumber.configPackages` for WirePlumber instead.
 
-- The latest available version of Nextcloud is v29 (available as `pkgs.nextcloud29`). The installation logic is as follows:
-  - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
-  - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.05, `pkgs.nextcloud29` will be installed by default.
-  - If [`system.stateVersion`](#opt-system.stateVersion) is >=23.11, `pkgs.nextcloud27` will be installed by default.
-  - Please note that an upgrade from v27 (or older) to v29 directly is not possible. Please upgrade to `nextcloud28` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud28;`](options.html#opt-services.nextcloud.package).
-  - Known warnings after the upgrade are documented in [](#module-services-nextcloud-known-warnings) from now on.
-  - The "Photos" app only displays Media from inside the `Photos` directory. This can be changed manually in the "Photos" tab below "Photos settings".
+- `power.ups` now generates `upsd.conf`, `upsd.users` and `upsmon.conf` automatically from a set of new configuration options. This breaks compatibility with existing `power.ups` setups where these files were created manually. Back up these files before upgrading NixOS.
 
-- The vendored third party libraries have been mostly removed from `cudaPackages.nsight_systems`, which we now only ship for `cudaPackages_11_8` and later due to outdated dependencies. Users comfortable with the vendored dependencies may use `overrideAttrs` to amend the `postPatch` phase and the `meta.broken` correspondingly. Alternatively, one could package the deprecated `boost170` locally, as required for `cudaPackages_11_4.nsight_systems`.
+- `programs.nix-ld.libraries` no longer sets `baseLibraries` via the option's default but in config and now merges any additional libraries with the default ones.
+  This means that `lib.mkForce` must be used to clear the list of default libraries.
 
-- `cudaPackages` package scope has been updated to `cudaPackages_12`.
+- `screen`'s module has been cleaned, and will now require you to set `programs.screen.enable` in order to populate `screenrc` and add the program to the environment.
 
-- The deprecated `cudaPackages.cudatoolkit` has been replaced with a
-  symlink-based wrapper for the splayed redistributable CUDA packages. The
-  wrapper only includes tools and libraries necessary to build common packages
-  like e.g. tensorflow. The original runfile-based `cudatoolkit` is still
-  available as `cudatoolkit-legacy-runfile`.
+- `security.pam.enableSSHAgentAuth` now requires `services.openssh.authorizedKeysFiles` to be non-empty,
+  which is the case when `services.openssh.enable` is true. Previously, `pam_ssh_agent_auth` silently failed to work.
 
-- `halloy` package was updated past 2024.5 which introduced a breaking change by switching the config format from YAML to TOML. See https://github.com/squidowl/halloy/releases/tag/2024.5 for details.
+- `security.pam.enableSSHAgentAuth` was replaced by the `sshAgentAuth` attrset, and **only**
+  `authorized_keys` files listed in [`sshAgentAuth.authorizedKeysFiles`] are trusted,
+  defaulting to `/etc/ssh/authorized_keys.d/%u`.
+  ::: {.warning}
+  Users of {manpage}`pam_ssh_agent_auth(8)` must take care that the pubkeys they use (for instance with `sudo`)
+  are listed in [`sshAgentAuth.authorizedKeysFiles`].
+  :::
+  ::: {.note}
+  Previously, all `services.openssh.authorizedKeysFiles` were trusted, including `~/.ssh/authorized_keys`,
+  which results in an **insecure** configuration; see [#31611](https://github.com/NixOS/nixpkgs/issues/31611).
+  :::
 
-- If `services.smokeping.webService` was enabled, smokeping is now served via nginx instead of thttpd. This change brings the following consequences:
-  - The default port for smokeping is now the nginx default port 80 instead of 8081.
-  - The option `services.smokeping.port` has been removed. To customize the port, use `services.nginx.virtualHosts.smokeping.listen.*.port`.
+[`sshAgentAuth.authorizedKeysFiles`]: #opt-security.pam.sshAgentAuth.authorizedKeysFiles
 
-- The `wpaperd` package has a breaking change moving to 1.0.1, previous version 0.3.0 had 2 different configuration files, one for wpaperd and one for the wallpapers. Remove the former and move the latter (`wallpaper.toml`) to `config.toml`.
+- `services.archisteamfarm` no longer uses the abbreviation `asf` for its state directory (`/var/lib/asf`), user and group (both `asf`). Instead the long name `archisteamfarm` is used.
+  Configurations with `system.stateVersion` 23.11 or earlier, default to the old stateDirectory until the 24.11 release and must either set the option explicitly or move the data to the new directory.
 
-- Ada packages (libraries and tools) have been moved into the `gnatPackages` scope. `gnatPackages` uses the default GNAT compiler, `gnat12Packages` and `gnat13Packages` use the respective matching compiler version.
+- `frr` was updated to 10.0, which introduces the default of `enforce-first-as` for BGP. Please disable again if needed.
 
-- Paths provided as `restartTriggers` and `reloadTriggers` for systemd units will now be copied into the nix store to make the behavior consistent.
-  Previously, `restartTriggers = [ ./config.txt ]`, if defined in a flake, would trigger a restart when any part of the flake changed; and if not defined in a flake, would never trigger a restart even if the contents of `config.txt` changed.
+- `services.aria2.rpcSecret` has been replaced with `services.aria2.rpcSecretFile`.
+  This was done so that secrets aren't stored in the world-readable Nix store.
+  To migrate, you will have to create a file with the same exact string, and change
+  your module options to point to that file. For example, `services.aria2.rpcSecret =
+  "mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"`
+  where the file `secret_file` contains the string `mysecret`.
 
-- `spark2014` has been renamed to `gnatprove`. A version of `gnatprove` matching different GNAT versions is available from the different `gnatPackages` sets.
+- `services.avahi.nssmdns` was split into `services.avahi.nssmdns4` and `services.avahi.nssmdns6` which enable the mDNS NSS switches for IPv4 and IPv6 respectively.
+  Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts.
 
-- `services.resolved.fallbackDns` can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead.
+- `services.frp.settings` now generates the frp configuration file in TOML format as [recommended by upstream](https://github.com/fatedier/frp#configuration-files), instead of the legacy INI format. This has also introduced other changes in the configuration file structure and options:
+  - The `settings.common` section in the configuration is no longer valid and all the options form inside it now go directly under `settings`.
+  - Configuration option names have been changed from snake_case to camelCase. For example: `server_addr` becomes `serverAddr`, `server_port` becomes `serverPort` etc.
+  - Proxies are now defined with a new option, `settings.proxies`, which takes a list of proxies.
+  - Consult the [upstream documentation](https://github.com/fatedier/frp#example-usage) for more details on the changes.
 
 - `services.hledger-web.capabilities` options has been replaced by a new option `services.hledger-web.allow`.
 
@@ -445,127 +474,133 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
   - `allow = "edit"` means `capabilities = { view = true; add = true; edit = true }`;
   - `allow = "sandstorm"` reads permissions from the `X-Sandstorm-Permissions` request header.
 
-- `xxd` has been moved from `vim` default output to its own output to reduce closure size. The canonical way to reference it across all platforms is `unixtools.xxd`.
-
-- `stalwart-mail` package has been updated to v0.5.3, which includes [breaking changes](https://github.com/stalwartlabs/mail-server/blob/v0.5.3/UPGRADING.md).
+- `services.homepage-dashboard` now takes its configuration using native Nix expressions, rather than dumping templated configurations into `/var/lib/homepage-dashboard` where they were previously managed manually. There are now new options which allow the configuration of bookmarks, services, widgets and custom CSS/JS natively in Nix.
 
-- `services.zope2` has been removed as `zope2` is unmaintained and was relying on Python2.
+- `services.invidious.settings.db.user`, the default database username has changed from `kemal` to `invidious`. Setups involving an externally-provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857).
 
 - `services.oauth2_proxy` was renamed to `services.oauth2-proxy`. Also the corresponding service, user and group were renamed.
 
-- `services.avahi.nssmdns` got split into `services.avahi.nssmdns4` and `services.avahi.nssmdns6` which enable the mDNS NSS switch for IPv4 and IPv6 respectively.
-  Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts.
+- `services.smokeping` now has an option `webService`. When enabled, smokeping is now served via nginx instead of thttpd. This change brings the following consequences:
+  - The default port for smokeping is now the nginx default port 80 instead of 8081.
+  - The option `services.smokeping.port` has been removed. To customize the port, use `services.nginx.virtualHosts.smokeping.listen.*.port`.
 
-- A warning has been added for services that are
-  `after = [ "network-online.target" ]` but do not depend on it (e.g. using
-  `wants`), because the dependency that `multi-user.target` has on
-  `network-online.target` is planned for removal.
+- `services.neo4j.allowUpgrade` was removed and no longer has any effect. Neo4j 5 supports automatic rolling upgrades.
+
+- `services.nextcloud` has the following options moved into [`services.nextcloud.settings`](#opt-services.nextcloud.settings) and renamed to match the name from Nextcloud's `config.php`:
+  - `logLevel` -> [`loglevel`](#opt-services.nextcloud.settings.loglevel),
+  - `logType` -> [`log_type`](#opt-services.nextcloud.settings.log_type),
+  - `defaultPhoneRegion` -> [`default_phone_region`](#opt-services.nextcloud.settings.default_phone_region),
+  - `overwriteProtocol` -> [`overwriteprotocol`](#opt-services.nextcloud.settings.overwriteprotocol),
+  - `skeletonDirectory` -> [`skeletondirectory`](#opt-services.nextcloud.settings.skeletondirectory),
+  - `globalProfiles` -> [`profile.enabled`](#opt-services.nextcloud.settings._profile.enabled_),
+  - `extraTrustedDomains` -> [`trusted_domains`](#opt-services.nextcloud.settings.trusted_domains) and
+  - `trustedProxies` -> [`trusted_proxies`](#opt-services.nextcloud.settings.trusted_proxies).
+
+- `services.nginx` will no longer advertise HTTP/3 availability automatically. This must now be manually added, preferably to each location block.
+  Example:
+
+  ```nix
+  {
+    locations."/".extraConfig = ''
+      add_header Alt-Svc 'h3=":$server_port"; ma=86400';
+    '';
+    locations."^~ /assets/".extraConfig = ''
+      add_header Alt-Svc 'h3=":$server_port"; ma=86400';
+    '';
+  }
+  ```
 
 - `services.pgbouncer` now has systemd support enabled and will log to journald. The default setting for `services.pgbouncer.logFile` is now `null` to disable logging to a separate log file.
 
-- `services.archisteamfarm` no longer uses the abbreviation `asf` for its state directory (`/var/lib/asf`), user and group (both `asf`). Instead the long name `archisteamfarm` is used.
-  Configurations with `system.stateVersion` 23.11 or earlier, default to the old stateDirectory until the 24.11 release and must either set the option explicitly or move the data to the new directory.
+- `services.postgresql.ensureUsers._.ensurePermissions` has been removed as it is
+  not declarative and is broken with newer postgresql versions. Consider using
+  [](#opt-services.postgresql.ensureUsers._.ensureDBOwnership)
+  instead or a tool that is more suited for managing the data inside a postgresql database.
 
-- `xfsprogs` was updated to version 6.6.0, which enables reverse mapping (rmapbt) and large extent counts (nrext64) by default.
-   Support for these features was added in kernel 4.9 and 5.19 and nrext64 was deemed stable in kernel 6.5.
-   Format your filesystems with `mkfs.xfs -i nrext64=0`, if they need to be readable by GRUB2 before 2.12 or kernels older than 5.19.
+- `services.redis.vmOverCommit` now defaults to `true` and no longer enforces Transparent Hugepages (THP) to be disabled. Redis only works with THP configured to `madvise` which is the kernel's default.
 
-- `networking.iproute2.enable` now does not set `environment.etc."iproute2/rt_tables".text`.
+- `services.resolved.fallbackDns`
+  - can now be used to disable the upstream fallback servers entirely by setting it to `[]`
+  - to get previous behaviour of upstream defaults, set it to `null`
+  - default value has changed from `[]` to `null`, in order to preserve default behaviour
 
-  Setting `environment.etc."iproute2/{CONFIG_FILE_NAME}".text` will override the whole configuration file instead of appending it to the upstream configuration file.
+- `services.vikunja` systemd service now uses `vikunja` as dynamic user instead of `vikunja-api`. Database users might need to be changed.
 
-  `CONFIG_FILE_NAME` includes `bpf_pinning`, `ematch_map`, `group`, `nl_protos`, `rt_dsfield`, `rt_protos`, `rt_realms`, `rt_scopes`, and `rt_tables`.
+- `services.vikunja.setupNginx` setting has been removed. Users now need to set up the webserver configuration on their own with a proxy pass to the vikunja service.
 
-- `netbox` was updated to v3.7. `services.netbox.package` still defaults
-  to v3.6 if `stateVersion` is earlier than 24.05. Refer to upstream's breaking
-  changes [for
-  v3.7.0](https://github.com/netbox-community/netbox/releases/tag/v3.7.0) and
-  upgrade NetBox by changing `services.netbox.package`. Database migrations
-  will be run automatically.
+- `services.vmagent` module deprecates `dataDir`, `group` and `user` settings in favor of the systemd-provided CacheDirectory and DynamicUser.
 
-- `gauge` now supports installing plugins using nix. For the old imperative approach, switch to `gauge-unwrapped`.
-  You can load plugins from an existing gauge manifest file using `gauge.fromManifest ./path/to/manifest.json` or
-  specify plugins in nix using `gauge.withPlugins (p: with p; [ js html-report xml-report ])`.
+- `services.vmagent.remoteWriteUrl` setting has been renamed to `services.vmagent.remoteWrite.url` and now defaults to `null`.
 
-- `firefox-devedition`, `firefox-beta`, `firefox-esr` executable file names for now match their package names, which is consistent with the `firefox-*-bin` packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher.
+- `services.zope2` has been removed, as `zope2` is unmaintained and was relying on Python 2.
 
-- `chromium` and `ungoogled-chromium` had a long standing issue regarding Widevine DRM handling in nixpkgs fixed.
-  `chromium` now no longer automatically downloads Widevine when encountering DRM protected content.
-  To be able to play DRM protected content in `chromium` now, you have to explicitly opt-in as originally intended using `chromium.override { enableWideVine = true; }`.
-  This override has been added almost 10 years ago.
+- `spark2014` has been renamed to `gnatprove`. A version of `gnatprove` matching different GNAT versions is available from the different `gnatPackages` sets.
 
-- switch-to-configuration does not directly call systemd-tmpfiles anymore.
-  Instead, the new artificial sysinit-reactivation.target is introduced which
-  allows to restart multiple services that are ordered before sysinit.target
-  and respect the ordering between the services.
+- `stalwart-mail` has been updated to v0.5.3, which includes [breaking changes](https://github.com/stalwartlabs/mail-server/blob/v0.5.3/UPGRADING.md).
+
+- `system.etc.overlay.enable` option was added. If enabled, `/etc` is
+  mounted via an overlayfs instead of being created by a custom perl script.
+
+- `system.forbiddenDependenciesRegex` has been renamed to `system.forbiddenDependenciesRegexes` and now has the type of `listOf string` instead of `string` to accept multiple regexes.
 
-- `systemd.oomd` module behavior is changed as:
+- `systemd.oomd` module behavior has changed:
 
   - Raise ManagedOOMMemoryPressureLimit from 50% to 80%. This should make systemd-oomd kill things less often, and fix issues like [this](https://pagure.io/fedora-workstation/issue/358).
     Reference: [commit](https://src.fedoraproject.org/rpms/systemd/c/806c95e1c70af18f81d499b24cd7acfa4c36ffd6?branch=806c95e1c70af18f81d499b24cd7acfa4c36ffd6).
 
   - Remove swap policy. This helps prevent killing processes when user's swap is small.
 
-  - Expand the memory pressure policy to system.slice, user-.slice, and all user owned slices. Reference: [commit](https://src.fedoraproject.org/rpms/systemd/c/7665e1796f915dedbf8e014f0a78f4f576d609bb).
+  - Expand the memory pressure policy to `system.slice`, `user-.slice`, and all user-owned slices. Reference: [commit](https://src.fedoraproject.org/rpms/systemd/c/7665e1796f915dedbf8e014f0a78f4f576d609bb).
 
-  - `systemd.oomd.enableUserServices` is renamed to `systemd.oomd.enableUserSlices`.
+  - Rename `systemd.oomd.enableUserServices` to `systemd.oomd.enableUserSlices`.
 
-- `security.pam.enableSSHAgentAuth` now requires `services.openssh.authorizedKeysFiles` to be non-empty,
-  which is the case when `services.openssh.enable` is true. Previously, `pam_ssh_agent_auth` silently failed to work.
-
-- The configuration format for `services.prometheus.exporters.snmp` changed with release 0.23.0.
-  The module now includes an optional config check, that is enabled by default, to make the change obvious before any deployment.
-  More information about the configuration syntax change is available in the [upstream repository](https://github.com/prometheus/snmp_exporter/blob/b75fc6b839ee3f3ccbee68bee55f1ae99555084a/auth-split-migration.md).
-
-- [watchdogd](https://troglobit.com/projects/watchdogd/), a system and process supervisor using watchdog timers. Available as [services.watchdogd](#opt-services.watchdogd.enable).
-
-- `jdt-language-server` package now uses upstream's provided python wrapper instead of our own custom wrapper. This results in the following breaking and notable changes:
+- `systemd.sysusers.enable` option was added. If enabled, users and
+  groups are created with systemd-sysusers instead of with a custom perl script.
 
-  - The main binary for the package is now named `jdtls` instead of `jdt-language-server`, equivalent to what most editors expect the binary to be named.
+- `teleport` has been upgraded from major version 14 to major version 15.
+  Refer to upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/)
+  and release notes for [v15](https://goteleport.com/docs/changelog/#1500-013124).
 
-  - JVM arguments should now be provided with the `--jvm-arg` flag instead of setting `JAVA_OPTS`.
+- `unifiLTS`, `unifi5` and `unifi6` have been removed, as they require MongoDB versions which are end-of-life. All these versions can be upgraded to `unifi7` directly.
 
-  - The `-data` path is no longer required to run the package, and will be set to point to a folder in `$TMP` if missing.
+- `unrar` was updated to v7. See [changelog](https://www.rarlab.com/unrar7notes.htm) for more information.
 
-- `nomad` has been updated - note that HashiCorp recommends updating one minor version at a time. Please check [their upgrade guide](https://developer.hashicorp.com/nomad/docs/upgrade) for information on safely updating clusters and potential breaking changes.
+- `virtualisation.docker.enableNvidia` and `virtualisation.podman.enableNvidia` options are deprecated. `hardware.nvidia-container-toolkit.enable` should be used instead. This option will expose GPUs on containers with the `--device` CLI option. This is supported by Docker 25, Podman 3.2.0 and Singularity 4. Any container runtime that supports the CDI specification will take advantage of this feature.
 
-  - `nomad` is now Nomad 1.7.x.
+- `virtialisation.incus` now defaults to the newly-added `incus-lts` release (v6.0.x). Users who wish to continue using the non-LTS release will need to set `virtualisation.incus.package = pkgs.incus`. Stable release users are encouraged to stay on the LTS release as non-LTS releases will by default not be backported.
 
-  - `nomad_1_4` has been removed, as it is now unsupported upstream.
+- `woodpecker-*` packages have been updated to v2 which includes [breaking changes](https://woodpecker-ci.org/docs/next/migrations#200).
 
-- Dwarf Fortress has been updated to version 50, and its derivations continue to menace with spikes of Nix and bash. Version 50 is identical to the version on Steam, but without the paid elements like tilepacks.
-  dfhack and Dwarf Therapist still work, and older versions are still packaged in case you'd like to roll back. Note that DF 50 saves will not be compatible with DF 0.47 and earlier.
-  See [Bay 12 Games](http://www.bay12games.com/dwarves/) for more details on what's new in Dwarf Fortress.
+- `wpaperd` has been updated to 1.0.1, which has a breaking change: previous version 0.3.0 had 2 different configuration files, one for wpaperd and one for the wallpapers. Remove the former and move the latter (`wallpaper.toml`) to `config.toml`.
 
-  - Running an earlier version can be achieved through an override: `dwarf-fortress-packages.dwarf-fortress-full.override { dfVersion = "0.47.5"; }`
+- `writeReferencesToFile` is deprecated in favour of the new trivial build helper `writeClosure`. The latter accepts a list of paths and has an unambiguous name and cleaner implementation.
 
-  - Ruby plugin support has been disabled in DFHack. Many of the Ruby plugins have been converted to Lua, and support was removed upstream due to frequent crashes.
+- `xfsprogs` was updated to version 6.6.0, which enables reverse mapping (rmapbt) and large extent counts (nrext64) by default.
+   Support for these features was added in kernel 4.9 and 5.19 and nrext64 was deemed stable in kernel 6.5.
+   Format your filesystems with `mkfs.xfs -i nrext64=0`, if they need to be readable by GRUB2 before 2.12 or kernels older than 5.19.
 
-- `livebook` package is now built as a `mix release` instead of an `escript`.
-  This means that configuration now has to be done using [environment variables](https://hexdocs.pm/livebook/readme.html#environment-variables) instead of command line arguments.
-  This has the further implication that the `livebook` service configuration has changed:
+- `xxd` has been moved from `vim` default output to its own output to reduce closure size. The canonical way to reference it across all platforms is `unixtools.xxd`.
 
-- `erlang_node_short_name`, `erlang_node_name`, `port` and `options` configuration parameters are gone, and have been replaced with an `environment` parameter.
-    Use the appropriate [environment variables](https://hexdocs.pm/livebook/readme.html#environment-variables) inside `environment` to configure the service instead.
+- `youtrack` was bumped to 2023.3. The update is not performed automatically, it requires manual interaction. See the YouTrack section in the manual for details.
 
-- `akkoma` now requires explicitly setting the base URL for uploaded media (`settings."Pleroma.Upload".base_url`), as well as for the media proxy if enabled (`settings."Media"`).
-  This is recommended to be a separate (sub)domain to the one Akkoma is hosted at.
-  See [here](https://meta.akkoma.dev/t/akkoma-stable-2024-03-securer-i-barely-know-her/681#explicit-upload-and-media-proxy-domains-5) for more details.
+- Ada packages (libraries and tools) have been moved into the `gnatPackages` scope. `gnatPackages` uses the default GNAT compiler, `gnat12Packages` and `gnat13Packages` use the respective matching compiler version.
 
-- `crystal` package has been updated to 1.11.x, which has some breaking changes.
-  Refer to crystal's changelog for more information. ([v1.10](https://github.com/crystal-lang/crystal/blob/master/CHANGELOG.md#1100-2023-10-09), [v1.11](https://github.com/crystal-lang/crystal/blob/master/CHANGELOG.md#1110-2024-01-08))
+- Paths provided as `restartTriggers` and `reloadTriggers` for systemd units will now be copied into the Nix store to make the behavior consistent.
+  Previously, `restartTriggers = [ ./config.txt ]`, if defined in a flake, would trigger a restart when any part of the flake changed; and if not defined in a flake, would never trigger a restart even if the contents of `config.txt` changed.
 
-- `erlang-ls` package no longer ships the `els_dap` binary as of v0.51.0.
+- A warning has been added for services that are
+  `after = [ "network-online.target" ]` but do not depend on it (e.g. using
+  `wants`), because the dependency that `multi-user.target` has on
+  `network-online.target` is planned for removal.
 
-- `icu` no longer includes `install-sh` and `mkinstalldirs` in the shared folder.
+- switch-to-configuration does not directly call systemd-tmpfiles anymore.
+  Instead, the new artificial sysinit-reactivation.target is introduced which
+  allows to restart multiple services that are ordered before sysinit.target
+  and respect the ordering between the services.
 
-- The `go-ethereum` package has been updated to v1.14.3. Geth v1.14.0 introduced a brand new live-tracing feature,
-  which required a number of breaking internal API changes. If you had your own native tracers implemented before this change,
-  the [changelog](https://github.com/ethereum/go-ethereum/blob/master/core/tracing/CHANGELOG.md) contains the necessary steps needed to update your old code for the new APIs.
-  Geth v1.14.0 drops support for running pre-merge networks ([#29169](https://github.com/ethereum/go-ethereum/pull/29169)).
-  It also stops automatically constructing the pending block ([#28623](https://github.com/ethereum/go-ethereum/pull/28623)),
-  removes support for filtering pending logs, switched to using Go v1.22 by default (#28946), which means we've dropped support for Go v1.20.
-  See [the 1.14.0 release notes](https://github.com/ethereum/go-ethereum/releases/tag/v1.14.0) for more details.
+- `services.prometheus.exporters.snmp`'s configuration format changed with release 0.23.0.
+  The module now includes an optional config check, that is enabled by default, to make the change obvious before any deployment.
+  More information about the configuration syntax change is available in the [upstream repository](https://github.com/prometheus/snmp_exporter/blob/b75fc6b839ee3f3ccbee68bee55f1ae99555084a/auth-split-migration.md).
 
 ## Other Notable Changes {#sec-release-24.05-notable-changes}
 
@@ -573,148 +608,104 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `addDriverRunpath` has been added to facilitate the deprecation of the old `addOpenGLRunpath` setuphook. This change is motivated by the evolution of the setuphook to include all hardware acceleration.
 
-- `cinnamon` has been updated to 6.0. Please beware that the [Wayland session](https://blog.linuxmint.com/?p=4591) is still experimental in this release and could potentially [affect Xorg sessions](https://blog.linuxmint.com/?p=4639). We suggest a reboot when switching between sessions.
-
-- `mate` has been updated to 1.28.
-  - To properly support panel plugins built with Wayland (in-process) support, we are introducing `services.xserver.desktopManager.mate.extraPanelApplets` option, please use that for installing panel applets.
-  - Similarly, please use `services.xserver.desktopManager.mate.extraCajaExtensions` option for installing Caja extensions.
-  - To use the Wayland session, enable `services.xserver.desktopManager.mate.enableWaylandSession`. This is opt-in for now as it is in early stage and introduces a new set of Wayfire closure. Due to [known issues with LightDM](https://github.com/canonical/lightdm/issues/63), we suggest using SDDM for display manager.
-
-- `services.xserver.desktopManager.budgie` installs `gnome.gnome-terminal` by default (instead of `mate.mate-terminal`).
-
-- New `boot.loader.systemd-boot.xbootldrMountPoint` allows setting up a separate [XBOOTLDR partition](https://uapi-group.org/specifications/specs/boot_loader_specification/) to store boot files. Useful on systems with a small EFI System partition that cannot be easily repartitioned.
-
-- `boot.loader.systemd-boot` will now verify that `efiSysMountPoint` (and `xbootldrMountPoint` if configured) are mounted partitions.
-
-- `services.postgresql.extraPlugins` changed its type from just a list of packages to also a function that returns such a list.
-  For example a config line like ``services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];`` is recommended to be changed to ``services.postgresql.extraPlugins = ps: with ps; [ postgis ];``;
-
-- `services.openssh` now has an option `authorizedKeysInHomedir`, controlling whether `~/.ssh/authorizedKeys` is
-  added to `authorizedKeysFiles`.
-  ::: {.note}
-  This option currently defaults to `true` for NixOS 24.05, preserving the previous behaviour.
-  This is expected to change in NixOS 24.11.
-  :::
-  ::: {.warning}
-  Users should check that their SSH keys are in `users.users.*.openssh`, or that they have another way to access
-  and administer the system, before setting this option to `false`.
-  :::
+- `appimage`, `appimageTools.wrapAppImage` and `buildFHSEnvBubblewrap` now properly accept `pname` and `version`.
 
-- [`matrix-synapse`](https://element-hq.github.io/synapse/) homeserver module now supports configuring UNIX domain socket [`listeners`](#opt-services.matrix-synapse.settings.listeners) through the `path` option.
-  The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets.
+- `bacula` now allows to configure `TLS` for encrypted communication.
 
 - `boot.initrd.network.ssh.authorizedKeyFiles` is a new option in the initrd ssh daemon module, for adding authorized keys via list of files.
 
-- `appimage`, `appimageTools.wrapAppImage` and `buildFHSEnvBubblewrap` now properly accepts `pname` and `version`.
+- `boot.kernel.sysctl."net.core.wmem_max"` changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as `boot.kernel.sysctl."net.core.rmem_max"` since 22.11.
 
-- Programs written in [Nim](https://nim-lang.org/) are built with libraries selected by lockfiles.
-  The `nimPackages` and `nim2Packages` sets have been removed.
-  See https://nixos.org/manual/nixpkgs/unstable#nim for more information.
+- `boot.loader.systemd-boot.xbootldrMountPoint` is a new option for setting up a separate [XBOOTLDR partition](https://uapi-group.org/specifications/specs/boot_loader_specification/) to store boot files. Useful on systems with a small EFI System partition that cannot be easily repartitioned.
+
+- `boot.loader.systemd-boot` will now verify that `efiSysMountPoint` (and `xbootldrMountPoint` if configured) are mounted partitions.
 
 - `buildDubPackage` can now be used to build Programs written in [D](https://dlang.org/) using the `dub` build system and package manager.
   See the [D section](https://nixos.org/manual/nixpkgs/unstable#dlang) in the manual for more information.
 
-- `stalwart-mail` service uses the legacy version 0.6.X as default because newer `stalwart-mail` versions require a [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md). Change [`services.stalwart-mail.package`](#opt-services.stalwart-mail.package) to `pkgs.stalwart-mail` if you wish to switch to the new version.
+- `castopod` has some migration actions to be taken in case of a S3 setup. Some new features may also need some manual migration actions. See [https://code.castopod.org/adaures/castopod/-/releases](https://code.castopod.org/adaures/castopod/-/releases) for more information.
 
-- [`portunus`](https://github.com/majewsky/portunus) has been updated to major version 2.
-  This version of Portunus supports strong password hashes, but the legacy hash SHA-256 is also still supported to ensure a smooth migration of existing user accounts.
-  After upgrading, follow the instructions on the [upstream release notes](https://github.com/majewsky/portunus/releases/tag/v2.0.0) to upgrade all user accounts to strong password hashes.
-  Support for weak password hashes will be removed in NixOS 24.11.
-
-- A stdenv's default set of hardening flags can now be set via its `bintools-wrapper`'s `defaultHardeningFlags` argument. A convenient stdenv adapter, `withDefaultHardeningFlags`, can be used to override an existing stdenv's `defaultHardeningFlags`.
-
-- `libass` now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues with `mpv`, `ffmpeg`, etc.
+- `documentation.man.mandoc` now, by default, uses `MANPATH` to set the directories where mandoc will search for manual pages.
+  This enables mandoc to find manual pages in Nix profiles. To set the manual search paths via the `mandoc.conf` configuration file like before, use `documentation.man.mandoc.settings.manpath` instead.
 
-- [`lilypond`](https://lilypond.org/index.html) and [`denemo`](https://www.denemo.org) are now compiled with Guile 3.0.
+- `drbd` out-of-tree Linux kernel driver has been added in version 9.2.7. With it the DRBD 9.x features can be used instead of the 8.x features provided by the 8.4.11 in-tree driver.
 
 - `garage` has been updated to v1.x.x. Users should read the [upstream release notes](https://git.deuxfleurs.fr/Deuxfleurs/garage/releases/tag/v1.0.0) and follow the documentation when changing over their `services.garage.package` and performing this manual upgrade.
 
-- The EC2 image module now enables the [Amazon SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) by default.
+- `hardware.pulseaudio` module now sets permissions of pulse user home directory to 755 when running in systemWide mode. It fixes [issue 114399](https://github.com/NixOS/nixpkgs/issues/114399).
 
-- The following options of the Nextcloud module were moved into [`services.nextcloud.settings`](#opt-services.nextcloud.settings) and renamed to match the name from Nextcloud's `config.php`:
-  - `logLevel` -> [`loglevel`](#opt-services.nextcloud.settings.loglevel),
-  - `logType` -> [`log_type`](#opt-services.nextcloud.settings.log_type),
-  - `defaultPhoneRegion` -> [`default_phone_region`](#opt-services.nextcloud.settings.default_phone_region),
-  - `overwriteProtocol` -> [`overwriteprotocol`](#opt-services.nextcloud.settings.overwriteprotocol),
-  - `skeletonDirectory` -> [`skeletondirectory`](#opt-services.nextcloud.settings.skeletondirectory),
-  - `globalProfiles` -> [`profile.enabled`](#opt-services.nextcloud.settings._profile.enabled_),
-  - `extraTrustedDomains` -> [`trusted_domains`](#opt-services.nextcloud.settings.trusted_domains) and
-  - `trustedProxies` -> [`trusted_proxies`](#opt-services.nextcloud.settings.trusted_proxies).
-
-- `services.nextcloud.config.dbport` option of the Nextcloud module was removed to match upstream.
-  The port can be specified in [`services.nextcloud.config.dbhost`](#opt-services.nextcloud.config.dbhost).
+- `kavita` has been updated to 0.8.0, requiring a manual forced library scan on all libraries for migration. Refer to upstream's [release notes](https://github.com/Kareadita/Kavita/releases/tag/v0.8.0) for details.
 
-- A new abstraction to create both read-only as well as writable overlay file
-  systems was added. Available via
-  [fileSystems.overlay](#opt-fileSystems._name_.overlay.lowerdir). See also the
-  [NixOS docs](#sec-overlayfs).
+- `krb5` module has been rewritten and moved to `security.krb5`, moving all options but `security.krb5.enable` and `security.krb5.package` into `security.krb5.settings`.
 
-- `systemd` units can now specify the `Upholds=` and `UpheldBy=` unit dependencies via the aptly
-  named `upholds` and `upheldBy` options. These options get systemd to enforce that the
-  dependencies remain continuosly running for as long as the dependent unit is in a running state.
+- `libass` now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues with `mpv`, `ffmpeg`, etc.
 
-- `stdenv`: The `--replace` flag in `substitute`, `substituteInPlace`, `substituteAll`, `substituteAllStream`, and `substituteStream` is now deprecated if favor of the new `--replace-fail`, `--replace-warn` and `--replace-quiet`. The deprecated `--replace` equates to `--replace-warn`.
+- `libjxl` version was bumped from 0.8.2 to 0.9.1 [dropped support for the butteraugli API](https://github.com/libjxl/libjxl/pull/2576). You will no longer be able to set `enableButteraugli` on `libaom`.
 
-- A new hardening flag, `zerocallusedregs` was made available, corresponding to the gcc/clang option `-fzero-call-used-regs=used-gpr`.
+- [`lilypond`](https://lilypond.org/index.html) and [`denemo`](https://www.denemo.org) are now compiled with Guile 3.0.
 
-- A new hardening flag, `trivialautovarinit` was made available, corresponding to the gcc/clang option `-ftrivial-auto-var-init=pattern`.
+- `lxd` has been upgraded to v5.21.x, an LTS release. The LTS release is now the only supported LXD release. Users are encouraged to [migrate to Incus](https://linuxcontainers.org/incus/docs/main/howto/server_migrate_lxd/) for better support on NixOS.
 
-- New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.).
-  The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime.
+- [`matrix-synapse`](https://element-hq.github.io/synapse/) homeserver module now supports configuring UNIX domain socket [`listeners`](#opt-services.matrix-synapse.settings.listeners) through the `path` option.
+  The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets.
 
-- `sonarr` version bumped to from 3.0.10 to 4.0.3. Consequently existing config database files will be upgraded automatically, but note that some old apparently-working configs [might actually be corrupt and fail to upgrade cleanly](https://forums.sonarr.tv/t/sonarr-v4-released/33089).
+- `mockgen` has changed to the [go.uber.org/mock](https://github.com/uber-go/mock) fork because [the original repository is no longer maintained](https://github.com/golang/mock#gomock).
 
-- The kernel Yama LSM is now enabled by default, which prevents ptracing
-  non-child processes. This means you will not be able to attach gdb to an
-  existing process, but will need to start that process from gdb (so it is a
-  child). Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0.
+- `mpich` now requires `withPm` to be a list, e.g. `"hydra:gforker"` becomes `[ "hydra" "gforker" ]`.
 
-- `netbird` module now allows running multiple tunnels in parallel through [`services.netbird.tunnels`](#opt-services.netbird.tunnels).
+- `nextcloud-setup.service` no longer changes the group of each file and directory inside `/var/lib/nextcloud/{config,data,store-apps}` if one of these directories has the wrong owner group. This was part of transitioning the group used for `/var/lib/nextcloud`, but isn't necessary anymore.
 
-- [Nginx virtual hosts](#opt-services.nginx.virtualHosts) using `forceSSL` or
-  `globalRedirect` can now have redirect codes other than 301 through `redirectCode`.
+- `oils-for-unix`, the oil shell's C++ version is now available. The Python version is still available as `oil`.
 
-- `bacula` now allows to configure `TLS` for encrypted communication.
+- `pkgsExtraHardening`, a new top-level package set, was added. This is a set of packages built with stricter hardening flags - those that have not yet received enough testing to be applied universally, those that are more likely to cause build failures or those that have drawbacks to their use (e.g. performance or required hardware features).
 
-- `libjxl` version bumped from 0.8.2 to 0.9.1 [dropped support for the butteraugli API](https://github.com/libjxl/libjxl/pull/2576). You will no longer be able to set `enableButteraugli` on `libaom`.
+- [`portunus`](https://github.com/majewsky/portunus) has been updated to major version 2.
+  This version of Portunus supports strong password hashes, but the legacy hash SHA-256 is also still supported to ensure a smooth migration of existing user accounts.
+  After upgrading, follow the instructions on the [upstream release notes](https://github.com/majewsky/portunus/releases/tag/v2.0.0) to upgrade all user accounts to strong password hashes.
+  Support for weak password hashes will be removed in NixOS 24.11.
 
-- `mockgen` package source has changed to the [go.uber.org/mock](https://github.com/uber-go/mock) fork because [the original repository is no longer maintained](https://github.com/golang/mock#gomock).
+- `programs.fish.package` now allows you to override the package used in the `fish` module.
 
-- [](#opt-boot.kernel.sysctl._net.core.wmem_max_) changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as [](#opt-boot.kernel.sysctl._net.core.rmem_max_) since 22.11.
+- `qt6.qtmultimedia` has changed its default backend to `QT_MEDIA_BACKEND=ffmpeg` (previously `gstreamer` on Linux or `darwin` on macOS).
+  The previous native backends remain available but are now minimally maintained. Refer to [upstream documentation](https://doc.qt.io/qt-6/qtmultimedia-index.html#ffmpeg-as-the-default-backend) for further details about each platform.
 
-- `pkgsExtraHardening`, a new top-level package set, was added. This is a set of packages built with stricter hardening flags - those that have not yet received enough testing to be applied universally, those that are more likely to cause build failures or those that have drawbacks to their use (e.g. performance or required hardware features).
+- `services.btrbk` now automatically selects and provides required compression
+  program depending on the configured `stream_compress` option. Since this
+  replaces the need for the `extraPackages` option, this option will be
+  deprecated in future releases.
 
-- `services.zfs.zed.enableMail` now uses the global `sendmail` wrapper defined by an email module
-  (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support.
+- `services.github-runner` module has been removed. To configure a single GitHub Actions Runner refer to `services.github-runners.*`. Note that this will trigger a new runner registration.
 
-- `castopod` has some migration actions to be taken in case of a S3 setup. Some new features may also need some manual migration actions. See [https://code.castopod.org/adaures/castopod/-/releases](https://code.castopod.org/adaures/castopod/-/releases) for more informations.
+- `services.networkmanager.extraConfig` was renamed to `services.networkmanager.settings` and changed to use the ini type instead of using a multiline string.
 
-- `nextcloud-setup.service` no longer changes the group of each file & directory inside `/var/lib/nextcloud/{config,data,store-apps}` if one of these directories has the wrong owner group. This was part of transitioning the group used for `/var/lib/nextcloud`, but isn't necessary anymore.
+- `services.nextcloud.config.dbport` option of the Nextcloud module was removed to match upstream.
+  The port can be specified in [`services.nextcloud.config.dbhost`](#opt-services.nextcloud.config.dbhost).
 
 - `services.kavita` now uses the free-form option `services.kavita.settings` for the application settings file.
   The options `services.kavita.ipAdresses` and `services.kavita.port` now exist at `services.kavita.settings.IpAddresses`
   and `services.kavita.settings.IpAddresses`. The file at `services.kavita.tokenKeyFile` now needs to contain a secret with
   512+ bits instead of 128+ bits.
 
-- `kavita` has been updated to 0.8.0, requiring a manual forced library scan on all libraries for migration. Refer to upstream's [release notes](https://github.com/Kareadita/Kavita/releases/tag/v0.8.0) for details.
-
-- `krb5` module has been rewritten and moved to `security.krb5`, moving all options but `security.krb5.enable` and `security.krb5.package` into `security.krb5.settings`.
+- `services.netbird` now allows running multiple tunnels in parallel through [`services.netbird.tunnels`](#opt-services.netbird.tunnels).
 
-- `services.soju` now has a wrapper for the `sojuctl` command, pointed at the service config file. It also has the new option `adminSocket.enable`, which creates a unix admin socket at `/run/soju/admin`.
+- `services.nginx.virtualHosts` using `forceSSL` or
+  `globalRedirect` can now have redirect codes other than 301 through `redirectCode`.
 
-- `gitea` upgrade to 1.21 has several breaking changes, including:
-  - Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*`
-  - New instances of Gitea using MySQL now ignore the `[database].CHARSET` config option and always use the `utf8mb4` charset, existing instances should migrate via the `gitea doctor convert` CLI command.
+- `services.openssh` now has an option `authorizedKeysInHomedir`, controlling whether `~/.ssh/authorizedKeys` is
+  added to `authorizedKeysFiles`.
+  ::: {.note}
+  This option currently defaults to `true` for NixOS 24.05, preserving the previous behaviour.
+  This is expected to change in NixOS 24.11.
+  :::
+  ::: {.warning}
+  Users should check that their SSH keys are in `users.users.*.openssh`, or that they have another way to access
+  and administer the system, before setting this option to `false`.
+  :::
 
 - `services.paperless` module no longer uses the previously downloaded NLTK data stored in `/var/cache/paperless/nltk`. This directory can be removed.
 
-- `services.teeworlds` module now has a wealth of configuration options, including a new `package` option.
-
-- `hardware.pulseaudio` module now sets permission of pulse user home directory to 755 when running in "systemWide" mode. It fixes [issue 114399](https://github.com/NixOS/nixpkgs/issues/114399).
-
-- `services.networkmanager.extraConfig` was renamed to `services.networkmanager.settings` and was changed to use the ini type instead of using a multiline string.
-
-- `services.github-runner` module has been removed. To configure a single GitHub Actions Runner refer to `services.github-runners.*`. Note that this will trigger a new runner registration.
+- `services.postgresql.extraPlugins`' type has expanded. Previously it was a list of packages, now it can also be a function that returns such a list.
+  For example a config line like ``services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];`` is recommended to be changed to ``services.postgresql.extraPlugins = ps: with ps; [ postgis ];``;
 
 - `services.slskd` has been refactored to include more configuation options in
   the free-form `services.slskd.settings` option, and some defaults (including listen ports)
@@ -722,34 +713,102 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
   disabled by default, and the log rotation timer has been removed.
   The nginx virtualhost option is now of the `vhost-options` type.
 
-- `services.btrbk` now automatically selects and provides required compression
-  program depending on the configured `stream_compress` option. Since this
-  replaces the need for the `extraPackages` option, this option will be
-  deprecated in future releases.
+- `services.soju` now has a wrapper for the `sojuctl` command, pointed at the service config file. It also has the new option `adminSocket.enable`, which creates a unix admin socket at `/run/soju/admin`.
+
+- `services.stalwart-mail` uses the legacy version 0.6.X as default because newer `stalwart-mail` versions require a [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md). Change [`services.stalwart-mail.package`](#opt-services.stalwart-mail.package) to `pkgs.stalwart-mail` if you wish to switch to the new version.
+
+- `services.teeworlds` module now has a wealth of configuration options, including a new `package` option.
+
+- `services.xserver.desktopManager.budgie` installs `gnome.gnome-terminal` by default (instead of `mate.mate-terminal`).
+
+- `services.zfs.zed.enableMail` now uses the global `sendmail` wrapper defined by an email module
+  (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support.
+
+- `sonarr` version was bumped to from 3.0.10 to 4.0.3. Consequently existing config database files will be upgraded automatically, but note that some old apparently-working configs [might actually be corrupt and fail to upgrade cleanly](https://forums.sonarr.tv/t/sonarr-v4-released/33089).
 
-- `mpich` package expression now requires `withPm` to be a list, e.g. `"hydra:gforker"` becomes `[ "hydra" "gforker" ]`.
+- `stdenv`: The `--replace` flag in `substitute`, `substituteInPlace`, `substituteAll`, `substituteAllStream`, and `substituteStream` is now deprecated if favor of the new `--replace-fail`, `--replace-warn` and `--replace-quiet`. The deprecated `--replace` equates to `--replace-warn`.
 
 - `systemd`: when merging unit options (of type `unitOption`),
   if at least one definition is a list, all those which aren't are now lifted into a list,
   making it possible to accumulate definitions without resorting to `mkForce`,
   hence to retain the definitions not anticipating that need.
 
-- Lisp modules: previously deprecated interface based on `common-lisp.sh` has now been removed.
+- `systemd` units can now specify the `Upholds=` and `UpheldBy=` unit dependencies via the aptly
+  named `upholds` and `upheldBy` options. These options get systemd to enforce that the
+  dependencies remain continuosly running for as long as the dependent unit is in a running state.
 
-- `youtrack` is bumped to 2023.3. The update is not performed automatically, it requires manual interaction. See the YouTrack section in the manual for details.
+- A stdenv's default set of hardening flags can now be set via its `bintools-wrapper`'s `defaultHardeningFlags` argument. A convenient stdenv adapter, `withDefaultHardeningFlags`, can be used to override an existing stdenv's `defaultHardeningFlags`.
 
-- `qt6.qtmultimedia` has changed its default backend to `QT_MEDIA_BACKEND=ffmpeg` (previously `gstreamer` on Linux or `darwin` on MacOS).
-  The previous native backends remain available but are now minimally maintained. Refer to [upstream documentation](https://doc.qt.io/qt-6/qtmultimedia-index.html#ffmpeg-as-the-default-backend) for further details about each platform.
+- Programs written in [Nim](https://nim-lang.org/) are built with libraries selected by lockfiles.
+  The `nimPackages` and `nim2Packages` sets have been removed.
+  See https://nixos.org/manual/nixpkgs/unstable#nim for more information.
 
-- `drbd` out-of-tree Linux kernel driver has been added in version 9.2.7. With it the DRBD 9.x features can be used instead of the 8.x features provided by the 8.4.11 in-tree driver.
+- The EC2 image module now enables the [Amazon SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) by default.
 
-- `oils-for-unix`, the oil shell's c++ version is now available. The python version is still available as `oil`.
+- A new abstraction to create both read-only as well as writable overlay file
+  systems was added. Available via
+  [fileSystems.overlay](#opt-fileSystems._name_.overlay.lowerdir). See also the
+  [NixOS docs](#sec-overlayfs).
 
-- `documentation.man.mandoc` now by default uses `MANPATH` to set the directories where mandoc will search for manual pages.
-  This enables mandoc to find manual pages in Nix profiles. To set the manual search paths via the `mandoc.conf` configuration file like before, use `documentation.man.mandoc.settings.manpath` instead.
+- A new hardening flag, `zerocallusedregs` was made available, corresponding to the gcc/clang option `-fzero-call-used-regs=used-gpr`.
+
+- A new hardening flag, `trivialautovarinit` was made available, corresponding to the gcc/clang option `-ftrivial-auto-var-init=pattern`.
+
+- `dnsdist` has new options to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.).
+  The module can generate the DNSCrypt provider key pair and certificates, and also rotates them automatically with no downtime.
+
+- The kernel Yama LSM is now enabled by default, which prevents ptracing
+  non-child processes. This means you will not be able to attach gdb to an
+  existing process, but will need to start that process from gdb (so it is a
+  child). Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0.
+
+- Lisp modules: previously deprecated interface based on `common-lisp.sh` has now been removed.
 
 - The `systemd-confinement` module extension is now compatible with `DynamicUser=true` and thus `ProtectSystem=strict` too.
 
-- `grafana-loki` package was updated to 3.0.0 which includes [breaking changes](https://github.com/grafana/loki/releases/tag/v3.0.0).
 
-- `programs.fish.package` now allows you to override the package used in the `fish` module.
+## Nixpkgs Library {#sec-release-24.05-nixpkgs-lib}
+
+### Additions and Improvements {#sec-release-24.05-lib-additions-improvements}
+
+New functions:
+- [`lib.asserts.assertEachOneOf`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.asserts.assertEachOneOf): Check that each value is one of the allowed ones.
+- [`lib.attrsets.longestValidPathPrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.attrsets.longestValidPathPrefix): The longest prefix of an attribute path that refers to an existing attribute in a nesting of attribute sets.
+- [`lib.attrsets.mapCartesianProduct`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.attrsets.mapCartesianProduct): Apply a function to the cartesian product of attribute set value combinations.
+- [`lib.trivial.xor`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.trivial.xor): Boolean "exclusive or"
+- [`lib.lists.ifilter0`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.ifilter0): Filter a list for elements that satisfy a predicate function. The predicate function is called with both the index and value for each element.
+- [`lib.lists.sortOn`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.sortOn): Sort a list based on the default comparison of a derived property.
+- [`lib.path.hasStorePathPrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.path.hasStorePathPrefix): Whether a [path](https://nixos.org/manual/nix/stable/language/values.html#type-path) has a [store path](https://nixos.org/manual/nix/stable/store/store-path.html#store-path) as a prefix.
+- [`lib.filesystem.packagesFromDirectoryRecursive`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.filesystem.packagesFromDirectoryRecursive): Transform a directory tree containing package files suitable for `callPackage` into a matching nested attribute set of derivations.
+- [`lib.fileset.toList`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.fileset.toList): The list of file paths contained in a given file set.
+- [`lib.fileset.maybeMissing`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.fileset.maybeMissing): Create a file set from a path that may or may not exist.
+- [`lib.derivations.optionalDrvAttr`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.derivations.optionalDrvAttr): Conditionally set a derivation attribute.
+- [`lib.strings.makeIncludePath`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.strings.makeIncludePath): Construct an include search path (such as `C_INCLUDE_PATH`) containing the header files for a set of packages or paths.
+
+Improvements:
+- [`lib.fixedPoints.extends`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.fixedPoints.extends): Better documentation
+- [`lib.customisation.makeScope`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.customisation.makeScope): Better documentation
+- [`lib.derivations.lazyDerivation`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.derivations.lazyDerivation): Now supports multiple outputs with an `outputs` argument
+- [`lib.gvariant`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-gvariant): Better error message for integers and attribute set values
+- [`lib.filesets.gitTracked`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.fileset.gitTracked): Now works within store paths
+
+Misc:
+- The [`lib/` directory](https://github.com/NixOS/nixpkgs/tree/release-24.05/lib) is a self-contained flake now, including a working [`lib.trivial.version`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.trivial.version) (but note that fetching a subtree by itself is not supported in Nix yet)
+- [Various minor performance improvements](https://github.com/NixOS/nixpkgs/issues?q=author%3Aadisbladis+label%3A%226.topic%3A+lib%22+created%3A%3C2024-05-31+)
+
+Module System:
+- New types:
+  - [`types.attrTag`](https://nixos.org/manual/nixos/unstable/#sec-option-types-sums): A tagged union type
+  - `types.nonEmptyListOf`: A non-empty list
+- Improved types:
+  - `types.uniq`/`unique` now check the wrapped type
+
+### Deprecations {#sec-release-24.05-lib-deprecations}
+
+- [`lib.options.mdDoc`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.options.mdDoc) is obsolete and now emits a warning. The core ecosystem has completely migrated to markdown, so marking markdown as markdown is redundant.
+- `lib.attrsets.zipWithNames` is now a deprecated alias of [`lib.attrsets.zipAttrsWithNames`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.attrsets.zipAttrsWithNames)
+- `lib.attrsets.cartesianProductOfSets` has been renamed to [`lib.attrsets.cartesianProduct`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.attrsets.cartesianProduct)
+
+### Internal {#sec-release-24.05-lib-internal}
+- `lib` now has [Readme for contributing](https://github.com/NixOS/nixpkgs/tree/master/lib#readme).
+- Some function's documentation is now written using the [accepted doc comment syntax](https://github.com/NixOS/rfcs/pull/145).
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
new file mode 100644
index 0000000000000..1e0af734ed40b
--- /dev/null
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -0,0 +1,39 @@
+# Release 24.11 (“Vicuña”, 2024.11/??) {#sec-release-24.11}
+
+<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+
+## Highlights {#sec-release-24.11-highlights}
+
+- Create the first release note entry in this section!
+
+## New Services {#sec-release-24.11-new-services}
+
+- Create the first release note entry in this section!
+
+## Backward Incompatibilities {#sec-release-24.11-incompatibilities}
+
+- `nginx` package no longer includes `gd` and `geoip` dependencies. For enabling it, override `nginx` package with the optionals `withImageFilter` and `withGeoIP`.
+
+- `nvimpager` was updated to version 0.13.0, which changes the order of user and
+  nvimpager settings: user commands in `-c` and `--cmd` now override the
+  respective default settings because they are executed later.
+
+- The Invoiceplane module now only accepts the structured `settings` option.
+  `extraConfig` is now removed.
+
+- Legacy package `stalwart-mail_0_6` was dropped, please note the
+  [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md)
+  before changing the package to `pkgs.stalwart-mail` in
+  [`services.stalwart-mail.package`](#opt-services.stalwart-mail.package).
+
+- The `stalwart-mail` module now uses RocksDB as the default storage backend
+  for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured
+  data and the filesystem for blobs).
+
+## Other Notable Changes {#sec-release-24.11-notable-changes}
+
+<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+
+- To facilitate dependency injection, the `imgui` package now builds a static archive using vcpkg' CMake rules.
+  The derivation now installs "impl" headers selectively instead of by a wildcard.
+  Use `imgui.src` if you just want to access the unpacked sources.
diff --git a/nixos/lib/systemd-lib.nix b/nixos/lib/systemd-lib.nix
index 0641da8e77517..dac5cc7b700c8 100644
--- a/nixos/lib/systemd-lib.nix
+++ b/nixos/lib/systemd-lib.nix
@@ -182,6 +182,30 @@ in rec {
   in if errors == [] then true
      else trace (concatStringsSep "\n" errors) false;
 
+  checkUnitConfigWithLegacyKey = legacyKey: group: checks: attrs:
+    let
+      dump = lib.generators.toPretty { }
+        (lib.generators.withRecursion { depthLimit = 2; throwOnDepthLimit = false; } attrs);
+      attrs' =
+        if legacyKey == null
+          then attrs
+        else if ! attrs?${legacyKey}
+          then attrs
+        else if removeAttrs attrs [ legacyKey ] == {}
+          then attrs.${legacyKey}
+        else throw ''
+          The declaration
+
+          ${dump}
+
+          must not mix unit options with the legacy key '${legacyKey}'.
+
+          This can be fixed by moving all settings from within ${legacyKey}
+          one level up.
+        '';
+    in
+    checkUnitConfig group checks attrs';
+
   toOption = x:
     if x == true then "true"
     else if x == false then "false"
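Review bot: `checkUnitConfigWithLegacyKey` carries no comment saying what `legacyKey` is or why `null` is accepted, so its three outcomes (pass through when the key is absent, unwrap when it is the only attribute, throw when both forms are mixed) have to be read out of the if-chain. A short header such as `# Like checkUnitConfig, but tolerates a value still wrapped in a single legacy attribute named legacyKey (null = no legacy form); mixing wrapped and unwrapped settings is an error.` would help callers. Note that `attrs.${legacyKey}` is handed to `checkUnitConfig` without being checked for being an attrset, so a scalar under the legacy key presumably fails inside `checkUnitConfig` rather than with the friendlier message here — worth confirming.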
diff --git a/nixos/lib/systemd-network-units.nix b/nixos/lib/systemd-network-units.nix
index ae581495772a8..d15485240bd0a 100644
--- a/nixos/lib/systemd-network-units.nix
+++ b/nixos/lib/systemd-network-units.nix
@@ -63,13 +63,13 @@ in {
       ${attrsToSection def.l2tpConfig}
     '' + flip concatMapStrings def.l2tpSessions (x: ''
       [L2TPSession]
-      ${attrsToSection x.l2tpSessionConfig}
+      ${attrsToSection x}
     '') + optionalString (def.wireguardConfig != { }) ''
       [WireGuard]
       ${attrsToSection def.wireguardConfig}
     '' + flip concatMapStrings def.wireguardPeers (x: ''
       [WireGuardPeer]
-      ${attrsToSection x.wireguardPeerConfig}
+      ${attrsToSection x}
     '') + optionalString (def.bondConfig != { }) ''
       [Bond]
       ${attrsToSection def.bondConfig}
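Review bot: `attrsToSection x` now assumes every list element is already a flat settings set; nothing in this hunk handles an element that still carries the old `l2tpSessionConfig` or `wireguardPeerConfig` wrapper, which would be rendered as one `l2tpSessionConfig=…` key inside the section instead of its contents. If the option type only validates the legacy form through the new `checkUnitConfigWithLegacyKey` (systemd-lib.nix in this diff) without unwrapping it in its merge, that is a silent misconfiguration rather than an error; please confirm the unwrap happens on the module side. The same applies to the three following hunks of this file (addresses, routes, routing-policy rules, prefixes, leases, bridge and VLAN entries).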
@@ -122,13 +122,13 @@ in {
       ${concatStringsSep "\n" (map (s: "Xfrm=${s}") def.xfrm)}
     '' + "\n" + flip concatMapStrings def.addresses (x: ''
       [Address]
-      ${attrsToSection x.addressConfig}
+      ${attrsToSection x}
     '') + flip concatMapStrings def.routingPolicyRules (x: ''
       [RoutingPolicyRule]
-      ${attrsToSection x.routingPolicyRuleConfig}
+      ${attrsToSection x}
     '') + flip concatMapStrings def.routes (x: ''
       [Route]
-      ${attrsToSection x.routeConfig}
+      ${attrsToSection x}
     '') + optionalString (def.dhcpV4Config != { }) ''
       [DHCPv4]
       ${attrsToSection def.dhcpV4Config}
@@ -149,22 +149,22 @@ in {
       ${attrsToSection def.ipv6SendRAConfig}
     '' + flip concatMapStrings def.ipv6Prefixes (x: ''
       [IPv6Prefix]
-      ${attrsToSection x.ipv6PrefixConfig}
+      ${attrsToSection x}
     '') + flip concatMapStrings def.ipv6RoutePrefixes (x: ''
       [IPv6RoutePrefix]
-      ${attrsToSection x.ipv6RoutePrefixConfig}
+      ${attrsToSection x}
     '') + flip concatMapStrings def.dhcpServerStaticLeases (x: ''
       [DHCPServerStaticLease]
-      ${attrsToSection x.dhcpServerStaticLeaseConfig}
+      ${attrsToSection x}
     '') + optionalString (def.bridgeConfig != { }) ''
       [Bridge]
       ${attrsToSection def.bridgeConfig}
     '' + flip concatMapStrings def.bridgeFDBs (x: ''
       [BridgeFDB]
-      ${attrsToSection x.bridgeFDBConfig}
+      ${attrsToSection x}
     '') + flip concatMapStrings def.bridgeMDBs (x: ''
       [BridgeMDB]
-      ${attrsToSection x.bridgeMDBConfig}
+      ${attrsToSection x}
     '') + optionalString (def.lldpConfig != { }) ''
       [LLDP]
       ${attrsToSection def.lldpConfig}
@@ -251,7 +251,7 @@ in {
       ${attrsToSection def.quickFairQueueingConfigClass}
     '' + flip concatMapStrings def.bridgeVLANs (x: ''
       [BridgeVLAN]
-      ${attrsToSection x.bridgeVLANConfig}
+      ${attrsToSection x}
     '') + def.extraConfig;
 
 }
diff --git a/nixos/lib/test-driver/default.nix b/nixos/lib/test-driver/default.nix
index 1acdaacc4e658..7a88694b3167e 100644
--- a/nixos/lib/test-driver/default.nix
+++ b/nixos/lib/test-driver/default.nix
@@ -24,6 +24,7 @@ python3Packages.buildPythonApplication {
     coreutils
     netpbm
     python3Packages.colorama
+    python3Packages.junit-xml
     python3Packages.ptpython
     qemu_pkg
     socat
@@ -46,7 +47,7 @@ python3Packages.buildPythonApplication {
     echo -e "\x1b[32m## run mypy\x1b[0m"
     mypy test_driver extract-docstrings.py
     echo -e "\x1b[32m## run ruff\x1b[0m"
-    ruff .
+    ruff check .
     echo -e "\x1b[32m## run black\x1b[0m"
     black --check --diff .
   '';
diff --git a/nixos/lib/test-driver/pyproject.toml b/nixos/lib/test-driver/pyproject.toml
index 17b7130a4bad7..714139bc1b25c 100644
--- a/nixos/lib/test-driver/pyproject.toml
+++ b/nixos/lib/test-driver/pyproject.toml
@@ -19,8 +19,8 @@ test_driver = ["py.typed"]
 [tool.ruff]
 line-length = 88
 
-select = ["E", "F", "I", "U", "N"]
-ignore = ["E501"]
+lint.select = ["E", "F", "I", "U", "N"]
+lint.ignore = ["E501"]
 
 # xxx: we can import https://pypi.org/project/types-colorama/ here
 [[tool.mypy.overrides]]
@@ -31,6 +31,10 @@ ignore_missing_imports = true
 module = "ptpython.*"
 ignore_missing_imports = true
 
+[[tool.mypy.overrides]]
+module = "junit_xml.*"
+ignore_missing_imports = true
+
 [tool.black]
 line-length = 88
 target-version = ['py39']
diff --git a/nixos/lib/test-driver/test_driver/__init__.py b/nixos/lib/test-driver/test_driver/__init__.py
index 9daae1e941a65..42b6d29b76714 100755
--- a/nixos/lib/test-driver/test_driver/__init__.py
+++ b/nixos/lib/test-driver/test_driver/__init__.py
@@ -6,7 +6,12 @@ from pathlib import Path
 import ptpython.repl
 
 from test_driver.driver import Driver
-from test_driver.logger import rootlog
+from test_driver.logger import (
+    CompositeLogger,
+    JunitXMLLogger,
+    TerminalLogger,
+    XMLLogger,
+)
 
 
 class EnvDefault(argparse.Action):
@@ -93,6 +98,11 @@ def main() -> None:
         type=writeable_dir,
     )
     arg_parser.add_argument(
+        "--junit-xml",
+        help="Enable JunitXML report generation to the given path",
+        type=Path,
+    )
+    arg_parser.add_argument(
         "testscript",
         action=EnvDefault,
         envvar="testScript",
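Review bot: The help text for `--junit-xml` says "to the given path", but the next hunk joins it as `output_directory / args.junit_xml`, so a relative path lands under `--output-directory` while an absolute one is used verbatim (pathlib `/` semantics). Spell that out so users do not look for the report in their working directory: `help="Enable JunitXML report generation to the given path (relative to --output-directory unless absolute)"`.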
@@ -102,14 +112,24 @@ def main() -> None:
 
     args = arg_parser.parse_args()
 
+    output_directory = args.output_directory.resolve()
+    logger = CompositeLogger([TerminalLogger()])
+
+    if "LOGFILE" in os.environ.keys():
+        logger.add_logger(XMLLogger(os.environ["LOGFILE"]))
+
+    if args.junit_xml:
+        logger.add_logger(JunitXMLLogger(output_directory / args.junit_xml))
+
     if not args.keep_vm_state:
-        rootlog.info("Machine state will be reset. To keep it, pass --keep-vm-state")
+        logger.info("Machine state will be reset. To keep it, pass --keep-vm-state")
 
     with Driver(
         args.start_scripts,
         args.vlans,
         args.testscript.read_text(),
-        args.output_directory.resolve(),
+        output_directory,
+        logger,
         args.keep_vm_state,
         args.global_timeout,
     ) as driver:
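Review bot: `"LOGFILE" in os.environ.keys()` is the non-idiomatic spelling of `if "LOGFILE" in os.environ:`; the mapping supports membership directly. Also, `JunitXMLLogger` only writes its report from an `atexit` hook (logger.py in this diff), so an unwritable `--junit-xml` destination is discovered only after the whole test run has completed; resolving the target up front and checking that its parent directory exists would fail fast instead of losing the result.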
@@ -125,7 +145,7 @@ def main() -> None:
             tic = time.time()
             driver.run_tests()
             toc = time.time()
-            rootlog.info(f"test script finished in {(toc-tic):.2f}s")
+            logger.info(f"test script finished in {(toc-tic):.2f}s")
 
 
 def generate_driver_symbols() -> None:
@@ -134,7 +154,7 @@ def generate_driver_symbols() -> None:
     in user's test scripts. That list is then used by pyflakes to lint those
     scripts.
     """
-    d = Driver([], [], "", Path())
+    d = Driver([], [], "", Path(), CompositeLogger([]))
     test_symbols = d.test_symbols()
     with open("driver-symbols", "w") as fp:
         fp.write(",".join(test_symbols.keys()))
diff --git a/nixos/lib/test-driver/test_driver/driver.py b/nixos/lib/test-driver/test_driver/driver.py
index f792c04591996..10092fc966c8f 100644
--- a/nixos/lib/test-driver/test_driver/driver.py
+++ b/nixos/lib/test-driver/test_driver/driver.py
@@ -9,7 +9,7 @@ from typing import Any, Callable, ContextManager, Dict, Iterator, List, Optional
 
 from colorama import Fore, Style
 
-from test_driver.logger import rootlog
+from test_driver.logger import AbstractLogger
 from test_driver.machine import Machine, NixStartScript, retry
 from test_driver.polling_condition import PollingCondition
 from test_driver.vlan import VLan
@@ -49,6 +49,7 @@ class Driver:
     polling_conditions: List[PollingCondition]
     global_timeout: int
     race_timer: threading.Timer
+    logger: AbstractLogger
 
     def __init__(
         self,
@@ -56,6 +57,7 @@ class Driver:
         vlans: List[int],
         tests: str,
         out_dir: Path,
+        logger: AbstractLogger,
         keep_vm_state: bool = False,
         global_timeout: int = 24 * 60 * 60 * 7,
     ):
@@ -63,12 +65,13 @@ class Driver:
         self.out_dir = out_dir
         self.global_timeout = global_timeout
         self.race_timer = threading.Timer(global_timeout, self.terminate_test)
+        self.logger = logger
 
         tmp_dir = get_tmp_dir()
 
-        with rootlog.nested("start all VLans"):
+        with self.logger.nested("start all VLans"):
             vlans = list(set(vlans))
-            self.vlans = [VLan(nr, tmp_dir) for nr in vlans]
+            self.vlans = [VLan(nr, tmp_dir, self.logger) for nr in vlans]
 
         def cmd(scripts: List[str]) -> Iterator[NixStartScript]:
             for s in scripts:
@@ -84,6 +87,7 @@ class Driver:
                 tmp_dir=tmp_dir,
                 callbacks=[self.check_polling_conditions],
                 out_dir=self.out_dir,
+                logger=self.logger,
             )
             for cmd in cmd(start_scripts)
         ]
@@ -92,19 +96,19 @@ class Driver:
         return self
 
     def __exit__(self, *_: Any) -> None:
-        with rootlog.nested("cleanup"):
+        with self.logger.nested("cleanup"):
             self.race_timer.cancel()
             for machine in self.machines:
                 machine.release()
 
     def subtest(self, name: str) -> Iterator[None]:
         """Group logs under a given test name"""
-        with rootlog.nested("subtest: " + name):
+        with self.logger.subtest(name):
             try:
                 yield
                 return True
             except Exception as e:
-                rootlog.error(f'Test "{name}" failed with error: "{e}"')
+                self.logger.error(f'Test "{name}" failed with error: "{e}"')
                 raise e
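Review bot: `raise e` after `self.logger.error(...)` is only reached when the logger's `error` returns; `CompositeLogger.error` (logger.py in this diff) calls `sys.exit(1)`, so with the logger built in `main` the re-raise is dead code and a failing `subtest` cannot be caught by the test script — the same outcome as the old `rootlog`, except that it now depends on which logger was injected. If exiting on a failed subtest is intended, that decision belongs here in `Driver.subtest` rather than in a logger implementation. Either way prefer a bare `raise` to `raise e` so the original traceback is kept as-is.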
 
     def test_symbols(self) -> Dict[str, Any]:
@@ -118,7 +122,7 @@ class Driver:
             machines=self.machines,
             vlans=self.vlans,
             driver=self,
-            log=rootlog,
+            log=self.logger,
             os=os,
             create_machine=self.create_machine,
             subtest=subtest,
@@ -150,13 +154,13 @@ class Driver:
 
     def test_script(self) -> None:
         """Run the test script"""
-        with rootlog.nested("run the VM test script"):
+        with self.logger.nested("run the VM test script"):
             symbols = self.test_symbols()  # call eagerly
             exec(self.tests, symbols, None)
 
     def run_tests(self) -> None:
         """Run the test script (for non-interactive test runs)"""
-        rootlog.info(
+        self.logger.info(
             f"Test will time out and terminate in {self.global_timeout} seconds"
         )
         self.race_timer.start()
@@ -168,13 +172,13 @@ class Driver:
 
     def start_all(self) -> None:
         """Start all machines"""
-        with rootlog.nested("start all VMs"):
+        with self.logger.nested("start all VMs"):
             for machine in self.machines:
                 machine.start()
 
     def join_all(self) -> None:
         """Wait for all machines to shut down"""
-        with rootlog.nested("wait for all VMs to finish"):
+        with self.logger.nested("wait for all VMs to finish"):
             for machine in self.machines:
                 machine.wait_for_shutdown()
             self.race_timer.cancel()
@@ -182,7 +186,7 @@ class Driver:
     def terminate_test(self) -> None:
         # This will be usually running in another thread than
         # the thread actually executing the test script.
-        with rootlog.nested("timeout reached; test terminating..."):
+        with self.logger.nested("timeout reached; test terminating..."):
             for machine in self.machines:
                 machine.release()
             # As we cannot `sys.exit` from another thread
@@ -227,7 +231,7 @@ class Driver:
                     f"Unsupported arguments passed to create_machine: {args}"
                 )
 
-            rootlog.warning(
+            self.logger.warning(
                 Fore.YELLOW
                 + Style.BRIGHT
                 + "WARNING: Using create_machine with a single dictionary argument is deprecated and will be removed in NixOS 24.11"
@@ -246,13 +250,14 @@ class Driver:
             start_command=cmd,
             name=name,
             keep_vm_state=keep_vm_state,
+            logger=self.logger,
         )
 
     def serial_stdout_on(self) -> None:
-        rootlog._print_serial_logs = True
+        self.logger.print_serial_logs(True)
 
     def serial_stdout_off(self) -> None:
-        rootlog._print_serial_logs = False
+        self.logger.print_serial_logs(False)
 
     def check_polling_conditions(self) -> None:
         for condition in self.polling_conditions:
@@ -271,6 +276,7 @@ class Driver:
             def __init__(self, fun: Callable):
                 self.condition = PollingCondition(
                     fun,
+                    driver.logger,
                     seconds_interval,
                     description,
                 )
@@ -285,15 +291,17 @@ class Driver:
             def wait(self, timeout: int = 900) -> None:
                 def condition(last: bool) -> bool:
                     if last:
-                        rootlog.info(f"Last chance for {self.condition.description}")
+                        driver.logger.info(
+                            f"Last chance for {self.condition.description}"
+                        )
                     ret = self.condition.check(force=True)
                     if not ret and not last:
-                        rootlog.info(
+                        driver.logger.info(
                             f"({self.condition.description} failure not fatal yet)"
                         )
                     return ret
 
-                with rootlog.nested(f"waiting for {self.condition.description}"):
+                with driver.logger.nested(f"waiting for {self.condition.description}"):
                     retry(condition, timeout=timeout)
 
         if fun_ is None:
diff --git a/nixos/lib/test-driver/test_driver/logger.py b/nixos/lib/test-driver/test_driver/logger.py
index 0b0623bddfa1e..484829254b812 100644
--- a/nixos/lib/test-driver/test_driver/logger.py
+++ b/nixos/lib/test-driver/test_driver/logger.py
@@ -1,33 +1,238 @@
+import atexit
 import codecs
 import os
 import sys
 import time
 import unicodedata
-from contextlib import contextmanager
+from abc import ABC, abstractmethod
+from contextlib import ExitStack, contextmanager
+from pathlib import Path
 from queue import Empty, Queue
-from typing import Any, Dict, Iterator
+from typing import Any, Dict, Iterator, List
 from xml.sax.saxutils import XMLGenerator
 from xml.sax.xmlreader import AttributesImpl
 
 from colorama import Fore, Style
+from junit_xml import TestCase, TestSuite
 
 
-class Logger:
-    def __init__(self) -> None:
-        self.logfile = os.environ.get("LOGFILE", "/dev/null")
-        self.logfile_handle = codecs.open(self.logfile, "wb")
-        self.xml = XMLGenerator(self.logfile_handle, encoding="utf-8")
-        self.queue: "Queue[Dict[str, str]]" = Queue()
+class AbstractLogger(ABC):
+    @abstractmethod
+    def log(self, message: str, attributes: Dict[str, str] = {}) -> None:
+        pass
 
-        self.xml.startDocument()
-        self.xml.startElement("logfile", attrs=AttributesImpl({}))
+    @abstractmethod
+    @contextmanager
+    def subtest(self, name: str, attributes: Dict[str, str] = {}) -> Iterator[None]:
+        pass
+
+    @abstractmethod
+    @contextmanager
+    def nested(self, message: str, attributes: Dict[str, str] = {}) -> Iterator[None]:
+        pass
+
+    @abstractmethod
+    def info(self, *args, **kwargs) -> None:  # type: ignore
+        pass
+
+    @abstractmethod
+    def warning(self, *args, **kwargs) -> None:  # type: ignore
+        pass
+
+    @abstractmethod
+    def error(self, *args, **kwargs) -> None:  # type: ignore
+        pass
+
+    @abstractmethod
+    def log_serial(self, message: str, machine: str) -> None:
+        pass
+
+    @abstractmethod
+    def print_serial_logs(self, enable: bool) -> None:
+        pass
+
+
+class JunitXMLLogger(AbstractLogger):
+    class TestCaseState:
+        def __init__(self) -> None:
+            self.stdout = ""
+            self.stderr = ""
+            self.failure = False
+
+    def __init__(self, outfile: Path) -> None:
+        self.tests: dict[str, JunitXMLLogger.TestCaseState] = {
+            "main": self.TestCaseState()
+        }
+        self.currentSubtest = "main"
+        self.outfile: Path = outfile
+        self._print_serial_logs = True
+        atexit.register(self.close)
+
+    def log(self, message: str, attributes: Dict[str, str] = {}) -> None:
+        self.tests[self.currentSubtest].stdout += message + os.linesep
+
+    @contextmanager
+    def subtest(self, name: str, attributes: Dict[str, str] = {}) -> Iterator[None]:
+        old_test = self.currentSubtest
+        self.tests.setdefault(name, self.TestCaseState())
+        self.currentSubtest = name
+
+        yield
+
+        self.currentSubtest = old_test
+
+    @contextmanager
+    def nested(self, message: str, attributes: Dict[str, str] = {}) -> Iterator[None]:
+        self.log(message)
+        yield
+
+    def info(self, *args, **kwargs) -> None:  # type: ignore
+        self.tests[self.currentSubtest].stdout += args[0] + os.linesep
+
+    def warning(self, *args, **kwargs) -> None:  # type: ignore
+        self.tests[self.currentSubtest].stdout += args[0] + os.linesep
+
+    def error(self, *args, **kwargs) -> None:  # type: ignore
+        self.tests[self.currentSubtest].stderr += args[0] + os.linesep
+        self.tests[self.currentSubtest].failure = True
+
+    def log_serial(self, message: str, machine: str) -> None:
+        if not self._print_serial_logs:
+            return
+
+        self.log(f"{machine} # {message}")
+
+    def print_serial_logs(self, enable: bool) -> None:
+        self._print_serial_logs = enable
+
+    def close(self) -> None:
+        with open(self.outfile, "w") as f:
+            test_cases = []
+            for name, test_case_state in self.tests.items():
+                tc = TestCase(
+                    name,
+                    stdout=test_case_state.stdout,
+                    stderr=test_case_state.stderr,
+                )
+                if test_case_state.failure:
+                    tc.add_failure_info("test case failed")
+
+                test_cases.append(tc)
+            ts = TestSuite("NixOS integration test", test_cases)
+            f.write(TestSuite.to_xml_string([ts]))
+
+
+class CompositeLogger(AbstractLogger):
+    def __init__(self, logger_list: List[AbstractLogger]) -> None:
+        self.logger_list = logger_list
+
+    def add_logger(self, logger: AbstractLogger) -> None:
+        self.logger_list.append(logger)
+
+    def log(self, message: str, attributes: Dict[str, str] = {}) -> None:
+        for logger in self.logger_list:
+            logger.log(message, attributes)
+
+    @contextmanager
+    def subtest(self, name: str, attributes: Dict[str, str] = {}) -> Iterator[None]:
+        with ExitStack() as stack:
+            for logger in self.logger_list:
+                stack.enter_context(logger.subtest(name, attributes))
+            yield
+
+    @contextmanager
+    def nested(self, message: str, attributes: Dict[str, str] = {}) -> Iterator[None]:
+        with ExitStack() as stack:
+            for logger in self.logger_list:
+                stack.enter_context(logger.nested(message, attributes))
+            yield
+
+    def info(self, *args, **kwargs) -> None:  # type: ignore
+        for logger in self.logger_list:
+            logger.info(*args, **kwargs)
+
+    def warning(self, *args, **kwargs) -> None:  # type: ignore
+        for logger in self.logger_list:
+            logger.warning(*args, **kwargs)
+
+    def error(self, *args, **kwargs) -> None:  # type: ignore
+        for logger in self.logger_list:
+            logger.error(*args, **kwargs)
+        sys.exit(1)
 
+    def print_serial_logs(self, enable: bool) -> None:
+        for logger in self.logger_list:
+            logger.print_serial_logs(enable)
+
+    def log_serial(self, message: str, machine: str) -> None:
+        for logger in self.logger_list:
+            logger.log_serial(message, machine)
+
+
+class TerminalLogger(AbstractLogger):
+    def __init__(self) -> None:
         self._print_serial_logs = True
 
+    def maybe_prefix(self, message: str, attributes: Dict[str, str]) -> str:
+        if "machine" in attributes:
+            return f"{attributes['machine']}: {message}"
+        return message
+
     @staticmethod
     def _eprint(*args: object, **kwargs: Any) -> None:
         print(*args, file=sys.stderr, **kwargs)
 
+    def log(self, message: str, attributes: Dict[str, str] = {}) -> None:
+        self._eprint(self.maybe_prefix(message, attributes))
+
+    @contextmanager
+    def subtest(self, name: str, attributes: Dict[str, str] = {}) -> Iterator[None]:
+        with self.nested("subtest: " + name, attributes):
+            yield
+
+    @contextmanager
+    def nested(self, message: str, attributes: Dict[str, str] = {}) -> Iterator[None]:
+        self._eprint(
+            self.maybe_prefix(
+                Style.BRIGHT + Fore.GREEN + message + Style.RESET_ALL, attributes
+            )
+        )
+
+        tic = time.time()
+        yield
+        toc = time.time()
+        self.log(f"(finished: {message}, in {toc - tic:.2f} seconds)")
+
+    def info(self, *args, **kwargs) -> None:  # type: ignore
+        self.log(*args, **kwargs)
+
+    def warning(self, *args, **kwargs) -> None:  # type: ignore
+        self.log(*args, **kwargs)
+
+    def error(self, *args, **kwargs) -> None:  # type: ignore
+        self.log(*args, **kwargs)
+
+    def print_serial_logs(self, enable: bool) -> None:
+        self._print_serial_logs = enable
+
+    def log_serial(self, message: str, machine: str) -> None:
+        if not self._print_serial_logs:
+            return
+
+        self._eprint(Style.DIM + f"{machine} # {message}" + Style.RESET_ALL)
+
+
+class XMLLogger(AbstractLogger):
+    def __init__(self, outfile: str) -> None:
+        self.logfile_handle = codecs.open(outfile, "wb")
+        self.xml = XMLGenerator(self.logfile_handle, encoding="utf-8")
+        self.queue: Queue[dict[str, str]] = Queue()
+
+        self._print_serial_logs = True
+
+        self.xml.startDocument()
+        self.xml.startElement("logfile", attrs=AttributesImpl({}))
+
     def close(self) -> None:
         self.xml.endElement("logfile")
         self.xml.endDocument()
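Review bot: `JunitXMLLogger.subtest` does not restore `currentSubtest` when the body raises: the assignment after `yield` is skipped when the exception is thrown into the generator, so anything logged afterwards (for example the `cleanup` nesting from `Driver.__exit__`) is attributed to the failed subtest. Wrap the yield in `try`/`finally` as below. Separately, `JunitXMLLogger` registers `close` with `atexit` but `XMLLogger` does not; unless a caller outside this diff invokes `XMLLogger.close()`, the `</logfile>` end tag and `endDocument()` are never written and `LOGFILE` is left truncated — please confirm. `add_failure_info("test case failed")` could also carry the recorded `stderr` so the report shows the actual error instead of a constant string.
```python
    @contextmanager
    def subtest(self, name: str, attributes: Dict[str, str] = {}) -> Iterator[None]:
        old_test = self.currentSubtest
        self.tests.setdefault(name, self.TestCaseState())
        self.currentSubtest = name
        try:
            yield
        finally:
            self.currentSubtest = old_test
```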
@@ -54,17 +259,19 @@ class Logger:
 
     def error(self, *args, **kwargs) -> None:  # type: ignore
         self.log(*args, **kwargs)
-        sys.exit(1)
 
     def log(self, message: str, attributes: Dict[str, str] = {}) -> None:
-        self._eprint(self.maybe_prefix(message, attributes))
         self.drain_log_queue()
         self.log_line(message, attributes)
 
+    def print_serial_logs(self, enable: bool) -> None:
+        self._print_serial_logs = enable
+
     def log_serial(self, message: str, machine: str) -> None:
+        if not self._print_serial_logs:
+            return
+
         self.enqueue({"msg": message, "machine": machine, "type": "serial"})
-        if self._print_serial_logs:
-            self._eprint(Style.DIM + f"{machine} # {message}" + Style.RESET_ALL)
 
     def enqueue(self, item: Dict[str, str]) -> None:
         self.queue.put(item)
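Review bot: `XMLLogger.log_serial` now returns before `enqueue` when `_print_serial_logs` is false, whereas the removed lines show the old `Logger` always enqueued the serial record and only gated the terminal echo. After this change `serial_stdout_off()` (driver.py) also drops serial console output from the `LOGFILE` XML, which is the record CI archives and post-mortem reviews rely on, and the release notes in this diff do not mention the new semantics. If the intent was only to silence the terminal, the guard belongs in `TerminalLogger.log_serial` alone and this method should keep `self.enqueue(...)` unconditional; otherwise document the behaviour on `Driver.serial_stdout_off`.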
@@ -80,13 +287,12 @@ class Logger:
             pass
 
     @contextmanager
-    def nested(self, message: str, attributes: Dict[str, str] = {}) -> Iterator[None]:
-        self._eprint(
-            self.maybe_prefix(
-                Style.BRIGHT + Fore.GREEN + message + Style.RESET_ALL, attributes
-            )
-        )
+    def subtest(self, name: str, attributes: Dict[str, str] = {}) -> Iterator[None]:
+        with self.nested("subtest: " + name, attributes):
+            yield
 
+    @contextmanager
+    def nested(self, message: str, attributes: Dict[str, str] = {}) -> Iterator[None]:
         self.xml.startElement("nest", attrs=AttributesImpl({}))
         self.xml.startElement("head", attrs=AttributesImpl(attributes))
         self.xml.characters(message)
@@ -100,6 +306,3 @@ class Logger:
         self.log(f"(finished: {message}, in {toc - tic:.2f} seconds)")
 
         self.xml.endElement("nest")
-
-
-rootlog = Logger()
diff --git a/nixos/lib/test-driver/test_driver/machine.py b/nixos/lib/test-driver/test_driver/machine.py
index 652cc600fad59..3a1d5bc1be764 100644
--- a/nixos/lib/test-driver/test_driver/machine.py
+++ b/nixos/lib/test-driver/test_driver/machine.py
@@ -17,7 +17,7 @@ from pathlib import Path
 from queue import Queue
 from typing import Any, Callable, Dict, Iterable, List, Optional, Tuple
 
-from test_driver.logger import rootlog
+from test_driver.logger import AbstractLogger
 
 from .qmp import QMPSession
 
@@ -270,6 +270,7 @@ class Machine:
         out_dir: Path,
         tmp_dir: Path,
         start_command: StartCommand,
+        logger: AbstractLogger,
         name: str = "machine",
         keep_vm_state: bool = False,
         callbacks: Optional[List[Callable]] = None,
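Review bot: `logger: AbstractLogger` is inserted as a required positional parameter ahead of the defaulted `name`, `keep_vm_state` and `callbacks`. `Driver.create_machine` passes it by keyword, but any code outside this diff that constructs `Machine` positionally (`Machine(out_dir, tmp_dir, cmd, "name")`) would now silently bind the name string to `logger` and fail only at the first `self.logger.log(...)`; if such callers exist, consider making the new parameter keyword-only or appending it after the existing defaults. The `__init__` signature continues outside the hunk.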
@@ -280,6 +281,7 @@ class Machine:
         self.name = name
         self.start_command = start_command
         self.callbacks = callbacks if callbacks is not None else []
+        self.logger = logger
 
         # set up directories
         self.shared_dir = self.tmp_dir / "shared-xchg"
@@ -307,15 +309,15 @@ class Machine:
         return self.booted and self.connected
 
     def log(self, msg: str) -> None:
-        rootlog.log(msg, {"machine": self.name})
+        self.logger.log(msg, {"machine": self.name})
 
     def log_serial(self, msg: str) -> None:
-        rootlog.log_serial(msg, self.name)
+        self.logger.log_serial(msg, self.name)
 
     def nested(self, msg: str, attrs: Dict[str, str] = {}) -> _GeneratorContextManager:
         my_attrs = {"machine": self.name}
         my_attrs.update(attrs)
-        return rootlog.nested(msg, my_attrs)
+        return self.logger.nested(msg, my_attrs)
 
     def wait_for_monitor_prompt(self) -> str:
         assert self.monitor is not None
@@ -1113,8 +1115,8 @@ class Machine:
 
     def cleanup_statedir(self) -> None:
         shutil.rmtree(self.state_dir)
-        rootlog.log(f"deleting VM state directory {self.state_dir}")
-        rootlog.log("if you want to keep the VM state, pass --keep-vm-state")
+        self.logger.log(f"deleting VM state directory {self.state_dir}")
+        self.logger.log("if you want to keep the VM state, pass --keep-vm-state")
 
     def shutdown(self) -> None:
         """
@@ -1221,7 +1223,7 @@ class Machine:
     def release(self) -> None:
         if self.pid is None:
             return
-        rootlog.info(f"kill machine (pid {self.pid})")
+        self.logger.info(f"kill machine (pid {self.pid})")
         assert self.process
         assert self.shell
         assert self.monitor
diff --git a/nixos/lib/test-driver/test_driver/polling_condition.py b/nixos/lib/test-driver/test_driver/polling_condition.py
index 12cbad69e34e9..1cccaf2c71e74 100644
--- a/nixos/lib/test-driver/test_driver/polling_condition.py
+++ b/nixos/lib/test-driver/test_driver/polling_condition.py
@@ -2,7 +2,7 @@ import time
 from math import isfinite
 from typing import Callable, Optional
 
-from .logger import rootlog
+from test_driver.logger import AbstractLogger
 
 
 class PollingConditionError(Exception):
@@ -13,6 +13,7 @@ class PollingCondition:
     condition: Callable[[], bool]
     seconds_interval: float
     description: Optional[str]
+    logger: AbstractLogger
 
     last_called: float
     entry_count: int
@@ -20,11 +21,13 @@ class PollingCondition:
     def __init__(
         self,
         condition: Callable[[], Optional[bool]],
+        logger: AbstractLogger,
         seconds_interval: float = 2.0,
         description: Optional[str] = None,
     ):
         self.condition = condition  # type: ignore
         self.seconds_interval = seconds_interval
+        self.logger = logger
 
         if description is None:
             if condition.__doc__:
@@ -41,7 +44,7 @@ class PollingCondition:
         if (self.entered or not self.overdue) and not force:
             return True
 
-        with self, rootlog.nested(self.nested_message):
+        with self, self.logger.nested(self.nested_message):
             time_since_last = time.monotonic() - self.last_called
             last_message = (
                 f"Time since last: {time_since_last:.2f}s"
@@ -49,13 +52,13 @@ class PollingCondition:
                 else "(not called yet)"
             )
 
-            rootlog.info(last_message)
+            self.logger.info(last_message)
             try:
                 res = self.condition()  # type: ignore
             except Exception:
                 res = False
             res = res is None or res
-            rootlog.info(self.status_message(res))
+            self.logger.info(self.status_message(res))
             return res
 
     def maybe_raise(self) -> None:
diff --git a/nixos/lib/test-driver/test_driver/vlan.py b/nixos/lib/test-driver/test_driver/vlan.py
index ec9679108e58d..9340fc92ed4c4 100644
--- a/nixos/lib/test-driver/test_driver/vlan.py
+++ b/nixos/lib/test-driver/test_driver/vlan.py
@@ -4,7 +4,7 @@ import pty
 import subprocess
 from pathlib import Path
 
-from test_driver.logger import rootlog
+from test_driver.logger import AbstractLogger
 
 
 class VLan:
@@ -19,17 +19,20 @@ class VLan:
     pid: int
     fd: io.TextIOBase
 
+    logger: AbstractLogger
+
     def __repr__(self) -> str:
         return f"<Vlan Nr. {self.nr}>"
 
-    def __init__(self, nr: int, tmp_dir: Path):
+    def __init__(self, nr: int, tmp_dir: Path, logger: AbstractLogger):
         self.nr = nr
         self.socket_dir = tmp_dir / f"vde{self.nr}.ctl"
+        self.logger = logger
 
         # TODO: don't side-effect environment here
         os.environ[f"QEMU_VDE_SOCKET_{self.nr}"] = str(self.socket_dir)
 
-        rootlog.info("start vlan")
+        self.logger.info("start vlan")
         pty_master, pty_slave = pty.openpty()
 
         # The --hub is required for the scenario determined by
@@ -52,11 +55,11 @@ class VLan:
         assert self.process.stdout is not None
         self.process.stdout.readline()
         if not (self.socket_dir / "ctl").exists():
-            rootlog.error("cannot start vde_switch")
+            self.logger.error("cannot start vde_switch")
 
-        rootlog.info(f"running vlan (pid {self.pid}; ctl {self.socket_dir})")
+        self.logger.info(f"running vlan (pid {self.pid}; ctl {self.socket_dir})")
 
     def __del__(self) -> None:
-        rootlog.info(f"kill vlan (pid {self.pid})")
+        self.logger.info(f"kill vlan (pid {self.pid})")
         self.fd.close()
         self.process.terminate()
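Review bot: When the `ctl` socket is missing, the branch now logs `cannot start vde_switch` through the instance logger but execution still falls through to the `running vlan` line, so `__init__` returns a VLan whose switch never came up and the failure only surfaces later when machines fail to attach. After the log call, `raise RuntimeError(f"vde_switch did not create {self.socket_dir / 'ctl'}")` keeps the failure at its source. Note also that `__del__` now reads `self.logger`, which is safe only because that attribute is assigned early in `__init__`; `self.fd` and `self.process`, which `__del__` also touches, are presumably set later, so a constructor that fails in between still raises AttributeError from `__del__` (pre-existing, but a `getattr(self, "process", None)` guard would cover it).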
diff --git a/nixos/lib/test-script-prepend.py b/nixos/lib/test-script-prepend.py
index 976992ea00158..9d2efdf973031 100644
--- a/nixos/lib/test-script-prepend.py
+++ b/nixos/lib/test-script-prepend.py
@@ -4,7 +4,7 @@
 from test_driver.driver import Driver
 from test_driver.vlan import VLan
 from test_driver.machine import Machine
-from test_driver.logger import Logger
+from test_driver.logger import AbstractLogger
 from typing import Callable, Iterator, ContextManager, Optional, List, Dict, Any, Union
 from typing_extensions import Protocol
 from pathlib import Path
@@ -44,7 +44,7 @@ test_script: Callable[[], None]
 machines: List[Machine]
 vlans: List[VLan]
 driver: Driver
-log: Logger
+log: AbstractLogger
 create_machine: CreateMachineProtocol
 run_tests: Callable[[], None]
 join_all: Callable[[], None]
diff --git a/nixos/maintainers/scripts/ec2/README.md b/nixos/maintainers/scripts/ec2/README.md
index 1328109d464a3..eb2c9088d5a2c 100644
--- a/nixos/maintainers/scripts/ec2/README.md
+++ b/nixos/maintainers/scripts/ec2/README.md
@@ -1,7 +1,36 @@
 # Amazon images
 
-* The `create-amis.sh` script will be replaced by https://github.com/NixOS/amis which will regularly upload AMIs per NixOS channel bump.
+AMIs are regularly uploaded from Hydra. This automation lives in
+https://github.com/NixOS/amis
 
-* @arianvp is planning to drop zfs support
-* @arianvp is planning to rewrite the image builder to use the repart-based image builder.
 
+## How to upload an AMI for testing
+
+If you want to upload an AMI from changes in a local nixpkgs checkout.
+
+```bash
+nix-build nixos/release.nix -A amazonImage
+
+export AWS_REGION=us-west-2
+export AWS_PROFILE=my-profile
+nix run nixpkgs#upload-ami -- --image-info ./result/nix-support/image-info.json
+```
+
+## How to build your own NixOS config into an AMI
+
+I suggest looking at https://github.com/nix-community/nixos-generators for a user-friendly interface.
+
+```bash
+nixos-generate -c ./my-config.nix -f amazon
+
+export AWS_REGION=us-west-2
+export AWS_PROFILE=my-profile
+nix run github:NixOS/amis#upload-ami -- --image-info ./result/nix-support/image-info.json
+```
+
+## Roadmap
+
+* @arianvp is planning to drop zfs support unless someone else picks it up
+* @arianvp is planning to rewrite the image builder to use the repart-based image builder.
+* @arianvp is planning to perhaps rewrite `upload-ami` to use coldnsap
+* @arianvp is planning to move `upload-ami` tooling into nixpkgs once it has stabilized. And only keep the Github Action in separate repo
diff --git a/nixos/maintainers/scripts/ec2/create-amis.sh b/nixos/maintainers/scripts/ec2/create-amis.sh
deleted file mode 100755
index d182c5c2a4794..0000000000000
--- a/nixos/maintainers/scripts/ec2/create-amis.sh
+++ /dev/null
@@ -1,368 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -p awscli -p jq -p qemu -i bash
-# shellcheck shell=bash
-#
-# Future Deprecation?
-# This entire thing should probably be replaced with a generic terraform config
-
-# Uploads and registers NixOS images built from the
-# <nixos/release.nix> amazonImage attribute. Images are uploaded and
-# registered via a home region, and then copied to other regions.
-
-# The home region requires an s3 bucket, and an IAM role named "vmimport"
-# (by default) with access to the S3 bucket. The name can be
-# configured with the "service_role_name" variable. Configuration of the
-# vmimport role is documented in
-# https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html
-
-# set -x
-set -euo pipefail
-
-var () { true; }
-
-# configuration
-var ${state_dir:=$HOME/amis/ec2-images}
-var ${home_region:=eu-west-1}
-var ${bucket:=nixos-amis}
-var ${service_role_name:=vmimport}
-
-# Output of the command:
-# $ nix-shell -I nixpkgs=. -p awscli --run 'aws ec2 describe-regions --region us-east-1 --all-regions --query "Regions[].{Name:RegionName}" --output text | sort | sed -e s/^/\ \ /'
-var ${regions:=
-  af-south-1
-  ap-east-1
-  ap-northeast-1
-  ap-northeast-2
-  ap-northeast-3
-  ap-south-1
-  ap-south-2
-  ap-southeast-1
-  ap-southeast-2
-  ap-southeast-3
-  ap-southeast-4
-  ca-central-1
-  eu-central-1
-  eu-central-2
-  eu-north-1
-  eu-south-1
-  eu-south-2
-  eu-west-1
-  eu-west-2
-  eu-west-3
-  il-central-1
-  me-central-1
-  me-south-1
-  sa-east-1
-  us-east-1
-  us-east-2
-  us-west-1
-  us-west-2
-}
-
-regions=($regions)
-
-log() {
-    echo "$@" >&2
-}
-
-if [ "$#" -ne 1 ]; then
-    log "Usage: ./upload-amazon-image.sh IMAGE_OUTPUT"
-    exit 1
-fi
-
-# result of the amazon-image from nixos/release.nix
-store_path=$1
-
-if [ ! -e "$store_path" ]; then
-    log "Store path: $store_path does not exist, fetching..."
-    nix-store --realise "$store_path"
-fi
-
-if [ ! -d "$store_path" ]; then
-    log "store_path: $store_path is not a directory. aborting"
-    exit 1
-fi
-
-read_image_info() {
-    if [ ! -e "$store_path/nix-support/image-info.json" ]; then
-        log "Image missing metadata"
-        exit 1
-    fi
-    jq -r "$1" "$store_path/nix-support/image-info.json"
-}
-
-# We handle a single image per invocation, store all attributes in
-# globals for convenience.
-zfs_disks=$(read_image_info .disks)
-is_zfs_image=
-if jq -e .boot <<< "$zfs_disks"; then
-  is_zfs_image=1
-  zfs_boot=".disks.boot"
-fi
-image_label="$(read_image_info .label)${is_zfs_image:+-ZFS}"
-image_system=$(read_image_info .system)
-image_files=( $(read_image_info ".disks.root.file") )
-
-image_logical_bytes=$(read_image_info "${zfs_boot:-.disks.root}.logical_bytes")
-
-if [[ -n "$is_zfs_image" ]]; then
-  image_files+=( $(read_image_info .disks.boot.file) )
-fi
-
-# Derived attributes
-
-image_logical_gigabytes=$(((image_logical_bytes-1)/1024/1024/1024+1)) # Round to the next GB
-
-case "$image_system" in
-    aarch64-linux)
-        amazon_arch=arm64
-        ;;
-    x86_64-linux)
-        amazon_arch=x86_64
-        ;;
-    *)
-        log "Unknown system: $image_system"
-        exit 1
-esac
-
-image_name="NixOS-${image_label}-${image_system}"
-image_description="NixOS ${image_label} ${image_system}"
-
-log "Image Details:"
-log " Name: $image_name"
-log " Description: $image_description"
-log " Size (gigabytes): $image_logical_gigabytes"
-log " System: $image_system"
-log " Amazon Arch: $amazon_arch"
-
-read_state() {
-    local state_key=$1
-    local type=$2
-
-    cat "$state_dir/$state_key.$type" 2>/dev/null || true
-}
-
-write_state() {
-    local state_key=$1
-    local type=$2
-    local val=$3
-
-    mkdir -p "$state_dir"
-    echo "$val" > "$state_dir/$state_key.$type"
-}
-
-wait_for_import() {
-    local region=$1
-    local task_id=$2
-    local state snapshot_id
-    log "Waiting for import task $task_id to be completed"
-    while true; do
-        read -r state message snapshot_id < <(
-            aws ec2 describe-import-snapshot-tasks --region "$region" --import-task-ids "$task_id" | \
-                jq -r '.ImportSnapshotTasks[].SnapshotTaskDetail | "\(.Status) \(.StatusMessage) \(.SnapshotId)"'
-        )
-        log " ... state=$state message=$message snapshot_id=$snapshot_id"
-        case "$state" in
-            active)
-                sleep 10
-                ;;
-            completed)
-                echo "$snapshot_id"
-                return
-                ;;
-            *)
-                log "Unexpected snapshot import state: '${state}'"
-                log "Full response: "
-                aws ec2 describe-import-snapshot-tasks --region "$region" --import-task-ids "$task_id" >&2
-                exit 1
-                ;;
-        esac
-    done
-}
-
-wait_for_image() {
-    local region=$1
-    local ami_id=$2
-    local state
-    log "Waiting for image $ami_id to be available"
-
-    while true; do
-        read -r state < <(
-            aws ec2 describe-images --image-ids "$ami_id" --region "$region" | \
-                jq -r ".Images[].State"
-        )
-        log " ... state=$state"
-        case "$state" in
-            pending)
-                sleep 10
-                ;;
-            available)
-                return
-                ;;
-            *)
-                log "Unexpected AMI state: '${state}'"
-                exit 1
-                ;;
-        esac
-    done
-}
-
-
-make_image_public() {
-    local region=$1
-    local ami_id=$2
-
-    wait_for_image "$region" "$ami_id"
-
-    log "Making image $ami_id public"
-
-    aws ec2 modify-image-attribute \
-        --image-id "$ami_id" --region "$region" --launch-permission 'Add={Group=all}' >&2
-}
-
-upload_image() {
-    local region=$1
-
-    for image_file in "${image_files[@]}"; do
-        local aws_path=${image_file#/}
-
-        if [[ -n "$is_zfs_image" ]]; then
-            local suffix=${image_file%.*}
-            suffix=${suffix##*.}
-        fi
-
-        local state_key="$region.$image_label${suffix:+.${suffix}}.$image_system"
-        local task_id
-        task_id=$(read_state "$state_key" task_id)
-        local snapshot_id
-        snapshot_id=$(read_state "$state_key" snapshot_id)
-        local ami_id
-        ami_id=$(read_state "$state_key" ami_id)
-
-        if [ -z "$task_id" ]; then
-            log "Checking for image on S3"
-            if ! aws s3 ls --region "$region" "s3://${bucket}/${aws_path}" >&2; then
-                log "Image missing from aws, uploading"
-                aws s3 cp --region "$region" "$image_file" "s3://${bucket}/${aws_path}" >&2
-            fi
-
-            log "Importing image from S3 path s3://$bucket/$aws_path"
-
-            task_id=$(aws ec2 import-snapshot --role-name "$service_role_name" --disk-container "{
-              \"Description\": \"nixos-image-${image_label}-${image_system}\",
-              \"Format\": \"vhd\",
-              \"UserBucket\": {
-                  \"S3Bucket\": \"$bucket\",
-                  \"S3Key\": \"$aws_path\"
-              }
-            }" --region "$region" | jq -r '.ImportTaskId')
-
-            write_state "$state_key" task_id "$task_id"
-        fi
-
-        if [ -z "$snapshot_id" ]; then
-            snapshot_id=$(wait_for_import "$region" "$task_id")
-            write_state "$state_key" snapshot_id "$snapshot_id"
-        fi
-    done
-
-    if [ -z "$ami_id" ]; then
-        log "Registering snapshot $snapshot_id as AMI"
-
-        local block_device_mappings=(
-            "DeviceName=/dev/xvda,Ebs={SnapshotId=$snapshot_id,VolumeSize=$image_logical_gigabytes,DeleteOnTermination=true,VolumeType=gp3}"
-        )
-
-        if [[ -n "$is_zfs_image" ]]; then
-            local root_snapshot_id=$(read_state "$region.$image_label.root.$image_system" snapshot_id)
-
-            local root_image_logical_bytes=$(read_image_info ".disks.root.logical_bytes")
-            local root_image_logical_gigabytes=$(((root_image_logical_bytes-1)/1024/1024/1024+1)) # Round to the next GB
-
-            block_device_mappings+=(
-                "DeviceName=/dev/xvdb,Ebs={SnapshotId=$root_snapshot_id,VolumeSize=$root_image_logical_gigabytes,DeleteOnTermination=true,VolumeType=gp3}"
-            )
-        fi
-
-
-        local extra_flags=(
-            --root-device-name /dev/xvda
-            --sriov-net-support simple
-            --ena-support
-            --virtualization-type hvm
-        )
-
-        block_device_mappings+=("DeviceName=/dev/sdb,VirtualName=ephemeral0")
-        block_device_mappings+=("DeviceName=/dev/sdc,VirtualName=ephemeral1")
-        block_device_mappings+=("DeviceName=/dev/sdd,VirtualName=ephemeral2")
-        block_device_mappings+=("DeviceName=/dev/sde,VirtualName=ephemeral3")
-
-        ami_id=$(
-            aws ec2 register-image \
-                --name "$image_name" \
-                --description "$image_description" \
-                --region "$region" \
-                --architecture $amazon_arch \
-                --block-device-mappings "${block_device_mappings[@]}" \
-                --boot-mode $(read_image_info .boot_mode) \
-                "${extra_flags[@]}" \
-                | jq -r '.ImageId'
-              )
-
-        write_state "$state_key" ami_id "$ami_id"
-    fi
-
-    [[ -v PRIVATE ]] || make_image_public "$region" "$ami_id"
-
-    echo "$ami_id"
-}
-
-copy_to_region() {
-    local region=$1
-    local from_region=$2
-    local from_ami_id=$3
-
-    state_key="$region.$image_label.$image_system"
-    ami_id=$(read_state "$state_key" ami_id)
-
-    if [ -z "$ami_id" ]; then
-        log "Copying $from_ami_id to $region"
-        ami_id=$(
-            aws ec2 copy-image \
-                --region "$region" \
-                --source-region "$from_region" \
-                --source-image-id "$from_ami_id" \
-                --name "$image_name" \
-                --description "$image_description" \
-                | jq -r '.ImageId'
-              )
-
-        write_state "$state_key" ami_id "$ami_id"
-    fi
-
-    [[ -v PRIVATE ]] || make_image_public "$region" "$ami_id"
-
-    echo "$ami_id"
-}
-
-upload_all() {
-    home_image_id=$(upload_image "$home_region")
-    jq -n \
-       --arg key "$home_region.$image_system" \
-       --arg value "$home_image_id" \
-       '$ARGS.named'
-
-    for region in "${regions[@]}"; do
-        if [ "$region" = "$home_region" ]; then
-            continue
-        fi
-        copied_image_id=$(copy_to_region "$region" "$home_region" "$home_image_id")
-
-        jq -n \
-           --arg key "$region.$image_system" \
-           --arg value "$copied_image_id" \
-           '$ARGS.named'
-    done
-}
-
-upload_all | jq --slurp from_entries
diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix
index 1d7976cef36a2..87b6fea92ba4a 100644
--- a/nixos/modules/config/no-x-libs.nix
+++ b/nixos/modules/config/no-x-libs.nix
@@ -46,18 +46,20 @@ with lib;
       graphviz = super.graphviz-nox;
       gst_all_1 = super.gst_all_1 // {
         gst-plugins-bad = super.gst_all_1.gst-plugins-bad.override { guiSupport = false; };
-        gst-plugins-base = super.gst_all_1.gst-plugins-base.override { enableWayland = false; enableX11 = false; };
+        gst-plugins-base = super.gst_all_1.gst-plugins-base.override { enableGl = false; enableWayland = false; enableX11 = false; };
         gst-plugins-good = super.gst_all_1.gst-plugins-good.override { enableWayland = false; enableX11 = false; gtkSupport = false; qt5Support = false; qt6Support = false; };
+        gst-plugins-rs = super.gst_all_1.gst-plugins-rs.override { withGtkPlugins = false; };
       };
       imagemagick = super.imagemagick.override { libX11Support = false; libXtSupport = false; };
       imagemagickBig = super.imagemagickBig.override { libX11Support = false; libXtSupport = false; };
       intel-vaapi-driver = super.intel-vaapi-driver.override { enableGui = false; };
       libdevil = super.libdevil-nox;
       libextractor = super.libextractor.override { gtkSupport = false; };
+      libplacebo = super.libplacebo.override { vulkanSupport = false; };
       libva = super.libva-minimal;
       limesuite = super.limesuite.override { withGui = false; };
       mc = super.mc.override { x11Support = false; };
-      mpv-unwrapped = super.mpv-unwrapped.override { sdl2Support = false; x11Support = false; waylandSupport = false; };
+      mpv-unwrapped = super.mpv-unwrapped.override { drmSupport = false; screenSaverSupport = false; sdl2Support = false; vulkanSupport = false; waylandSupport = false; x11Support = false; };
       msmtp = super.msmtp.override { withKeyring = false; };
       mupdf = super.mupdf.override { enableGL = false; enableX11 = false; };
       neofetch = super.neofetch.override { x11Support = false; };
@@ -70,6 +72,7 @@ with lib;
       networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; };
       pango = super.pango.override { x11Support = false; };
       pinentry-curses = super.pinentry-curses.override { withLibsecret = false; };
+      pinentry-tty = super.pinentry-tty.override { withLibsecret = false; };
       pipewire = super.pipewire.override { vulkanSupport = false; x11Support = false; };
       pythonPackagesExtensions = super.pythonPackagesExtensions ++ [
         (python-final: python-prev: {
diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix
index 37d8e53a2e049..949b1e346269e 100644
--- a/nixos/modules/hardware/video/nvidia.nix
+++ b/nixos/modules/hardware/video/nvidia.nix
@@ -3,12 +3,10 @@
   lib,
   pkgs,
   ...
-}: let
+}:
+let
   nvidiaEnabled = (lib.elem "nvidia" config.services.xserver.videoDrivers);
-  nvidia_x11 =
-    if nvidiaEnabled || cfg.datacenter.enable
-    then cfg.package
-    else null;
+  nvidia_x11 = if nvidiaEnabled || cfg.datacenter.enable then cfg.package else null;
 
   cfg = config.hardware.nvidia;
 
@@ -19,8 +17,9 @@
   primeEnabled = syncCfg.enable || reverseSyncCfg.enable || offloadCfg.enable;
   busIDType = lib.types.strMatching "([[:print:]]+[\:\@][0-9]{1,3}\:[0-9]{1,2}\:[0-9])?";
   ibtSupport = cfg.open || (nvidia_x11.ibtSupport or false);
-  settingsFormat = pkgs.formats.keyValue {};
-in {
+  settingsFormat = pkgs.formats.keyValue { };
+in
+{
   options = {
     hardware.nvidia = {
       datacenter.enable = lib.mkEnableOption ''
@@ -29,50 +28,50 @@ in {
       datacenter.settings = lib.mkOption {
         type = settingsFormat.type;
         default = {
-          LOG_LEVEL=4;
-          LOG_FILE_NAME="/var/log/fabricmanager.log";
-          LOG_APPEND_TO_LOG=1;
-          LOG_FILE_MAX_SIZE=1024;
-          LOG_USE_SYSLOG=0;
-          DAEMONIZE=1;
-          BIND_INTERFACE_IP="127.0.0.1";
-          STARTING_TCP_PORT=16000;
-          FABRIC_MODE=0;
-          FABRIC_MODE_RESTART=0;
-          STATE_FILE_NAME="/var/tmp/fabricmanager.state";
-          FM_CMD_BIND_INTERFACE="127.0.0.1";
-          FM_CMD_PORT_NUMBER=6666;
-          FM_STAY_RESIDENT_ON_FAILURES=0;
-          ACCESS_LINK_FAILURE_MODE=0;
-          TRUNK_LINK_FAILURE_MODE=0;
-          NVSWITCH_FAILURE_MODE=0;
-          ABORT_CUDA_JOBS_ON_FM_EXIT=1;
-          TOPOLOGY_FILE_PATH="${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
-          DATABASE_PATH="${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
+          LOG_LEVEL = 4;
+          LOG_FILE_NAME = "/var/log/fabricmanager.log";
+          LOG_APPEND_TO_LOG = 1;
+          LOG_FILE_MAX_SIZE = 1024;
+          LOG_USE_SYSLOG = 0;
+          DAEMONIZE = 1;
+          BIND_INTERFACE_IP = "127.0.0.1";
+          STARTING_TCP_PORT = 16000;
+          FABRIC_MODE = 0;
+          FABRIC_MODE_RESTART = 0;
+          STATE_FILE_NAME = "/var/tmp/fabricmanager.state";
+          FM_CMD_BIND_INTERFACE = "127.0.0.1";
+          FM_CMD_PORT_NUMBER = 6666;
+          FM_STAY_RESIDENT_ON_FAILURES = 0;
+          ACCESS_LINK_FAILURE_MODE = 0;
+          TRUNK_LINK_FAILURE_MODE = 0;
+          NVSWITCH_FAILURE_MODE = 0;
+          ABORT_CUDA_JOBS_ON_FM_EXIT = 1;
+          TOPOLOGY_FILE_PATH = "${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
+          DATABASE_PATH = "${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
         };
         defaultText = lib.literalExpression ''
-        {
-          LOG_LEVEL=4;
-          LOG_FILE_NAME="/var/log/fabricmanager.log";
-          LOG_APPEND_TO_LOG=1;
-          LOG_FILE_MAX_SIZE=1024;
-          LOG_USE_SYSLOG=0;
-          DAEMONIZE=1;
-          BIND_INTERFACE_IP="127.0.0.1";
-          STARTING_TCP_PORT=16000;
-          FABRIC_MODE=0;
-          FABRIC_MODE_RESTART=0;
-          STATE_FILE_NAME="/var/tmp/fabricmanager.state";
-          FM_CMD_BIND_INTERFACE="127.0.0.1";
-          FM_CMD_PORT_NUMBER=6666;
-          FM_STAY_RESIDENT_ON_FAILURES=0;
-          ACCESS_LINK_FAILURE_MODE=0;
-          TRUNK_LINK_FAILURE_MODE=0;
-          NVSWITCH_FAILURE_MODE=0;
-          ABORT_CUDA_JOBS_ON_FM_EXIT=1;
-          TOPOLOGY_FILE_PATH="''${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
-          DATABASE_PATH="''${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
-        }
+          {
+            LOG_LEVEL=4;
+            LOG_FILE_NAME="/var/log/fabricmanager.log";
+            LOG_APPEND_TO_LOG=1;
+            LOG_FILE_MAX_SIZE=1024;
+            LOG_USE_SYSLOG=0;
+            DAEMONIZE=1;
+            BIND_INTERFACE_IP="127.0.0.1";
+            STARTING_TCP_PORT=16000;
+            FABRIC_MODE=0;
+            FABRIC_MODE_RESTART=0;
+            STATE_FILE_NAME="/var/tmp/fabricmanager.state";
+            FM_CMD_BIND_INTERFACE="127.0.0.1";
+            FM_CMD_PORT_NUMBER=6666;
+            FM_STAY_RESIDENT_ON_FAILURES=0;
+            ACCESS_LINK_FAILURE_MODE=0;
+            TRUNK_LINK_FAILURE_MODE=0;
+            NVSWITCH_FAILURE_MODE=0;
+            ABORT_CUDA_JOBS_ON_FM_EXIT=1;
+            TOPOLOGY_FILE_PATH="''${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
+            DATABASE_PATH="''${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
+          }
         '';
         description = ''
           Additional configuration options for fabricmanager.
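Review bot: The `default` attrset was reformatted to `LOG_LEVEL = 4;` style, but the `defaultText` literal directly below still reads `LOG_LEVEL=4;`, so the text rendered in the manual no longer matches how the default is written in the module. The formatter cannot reach inside a string literal, so the `defaultText` block needs the same `key = value;` spacing applied by hand; apart from the expected `''${` escape that is the only place where the two copies now differ. Alternatively `defaultText` could be reduced to the two interpolated path entries plus a pointer at the module, since the other eighteen entries are duplicated verbatim and drift like this is easy to miss.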
@@ -211,7 +210,9 @@ in {
         (lib.mkEnableOption ''
           nvidia-settings, NVIDIA's GUI configuration tool
         '')
-        // {default = true;};
+        // {
+          default = true;
+        };
 
       nvidiaPersistenced = lib.mkEnableOption ''
         nvidia-persistenced a update for NVIDIA GPU headless mode, i.e.
@@ -226,7 +227,8 @@ in {
       '';
 
       package = lib.mkOption {
-        default = config.boot.kernelPackages.nvidiaPackages."${if cfg.datacenter.enable then "dc" else "stable"}";
+        default =
+          config.boot.kernelPackages.nvidiaPackages."${if cfg.datacenter.enable then "dc" else "stable"}";
         defaultText = lib.literalExpression ''
           config.boot.kernelPackages.nvidiaPackages."\$\{if cfg.datacenter.enable then "dc" else "stable"}"
         '';
@@ -242,403 +244,404 @@ in {
     };
   };
 
-  config = let
-    igpuDriver =
-      if pCfg.intelBusId != ""
-      then "modesetting"
-      else "amdgpu";
-    igpuBusId =
-      if pCfg.intelBusId != ""
-      then pCfg.intelBusId
-      else pCfg.amdgpuBusId;
-  in
-    lib.mkIf (nvidia_x11 != null) (lib.mkMerge [
-      # Common
-      ({
-        assertions = [
-          {
-            assertion = !(nvidiaEnabled && cfg.datacenter.enable);
-            message = "You cannot configure both X11 and Data Center drivers at the same time.";
-          }
-        ];
-        boot = {
-          blacklistedKernelModules = ["nouveau" "nvidiafb"];
-
-          # Don't add `nvidia-uvm` to `kernelModules`, because we want
-          # `nvidia-uvm` be loaded only after `udev` rules for `nvidia` kernel
-          # module are applied.
-          #
-          # Instead, we use `softdep` to lazily load `nvidia-uvm` kernel module
-          # after `nvidia` kernel module is loaded and `udev` rules are applied.
-          extraModprobeConfig = ''
-            softdep nvidia post: nvidia-uvm
-          '';
-        };
-        systemd.tmpfiles.rules =
-          lib.optional config.virtualisation.docker.enableNvidia
-            "L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin";
-        services.udev.extraRules =
-        ''
-          # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded.
-          KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c 195 255'"
-          KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'for i in $$(cat /proc/driver/nvidia/gpus/*/information | grep Minor | cut -d \  -f 4); do mknod -m 666 /dev/nvidia$${i} c 195 $${i}; done'"
-          KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c 195 254'"
-          KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \  -f 1) 0'"
-          KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \  -f 1) 1'"
-        '';
-        hardware.opengl = {
-          extraPackages = [
-            nvidia_x11.out
-          ];
-          extraPackages32 = [
-            nvidia_x11.lib32
+  config =
+    let
+      igpuDriver = if pCfg.intelBusId != "" then "modesetting" else "amdgpu";
+      igpuBusId = if pCfg.intelBusId != "" then pCfg.intelBusId else pCfg.amdgpuBusId;
+    in
+    lib.mkIf (nvidia_x11 != null) (
+      lib.mkMerge [
+        # Common
+        ({
+          assertions = [
+            {
+              assertion = !(nvidiaEnabled && cfg.datacenter.enable);
+              message = "You cannot configure both X11 and Data Center drivers at the same time.";
+            }
           ];
-        };
-        environment.systemPackages = [
-          nvidia_x11.bin
-        ];
-      })
-      # X11
-      (lib.mkIf nvidiaEnabled {
-        assertions = [
-        {
-          assertion = primeEnabled -> pCfg.intelBusId == "" || pCfg.amdgpuBusId == "";
-          message = "You cannot configure both an Intel iGPU and an AMD APU. Pick the one corresponding to your processor.";
-        }
-
-        {
-          assertion = offloadCfg.enableOffloadCmd -> offloadCfg.enable || reverseSyncCfg.enable;
-          message = "Offload command requires offloading or reverse prime sync to be enabled.";
-        }
-
-        {
-          assertion = primeEnabled -> pCfg.nvidiaBusId != "" && (pCfg.intelBusId != "" || pCfg.amdgpuBusId != "");
-          message = "When NVIDIA PRIME is enabled, the GPU bus IDs must be configured.";
-        }
-
-        {
-          assertion = offloadCfg.enable -> lib.versionAtLeast nvidia_x11.version "435.21";
-          message = "NVIDIA PRIME render offload is currently only supported on versions >= 435.21.";
-        }
-
-        {
-          assertion = (reverseSyncCfg.enable && pCfg.amdgpuBusId != "") -> lib.versionAtLeast nvidia_x11.version "470.0";
-          message = "NVIDIA PRIME render offload for AMD APUs is currently only supported on versions >= 470 beta.";
-        }
-
-        {
-          assertion = !(syncCfg.enable && offloadCfg.enable);
-          message = "PRIME Sync and Offload cannot be both enabled";
-        }
-
-        {
-          assertion = !(syncCfg.enable && reverseSyncCfg.enable);
-          message = "PRIME Sync and PRIME Reverse Sync cannot be both enabled";
-        }
-
-        {
-          assertion = !(syncCfg.enable && cfg.powerManagement.finegrained);
-          message = "Sync precludes powering down the NVIDIA GPU.";
-        }
-
-        {
-          assertion = cfg.powerManagement.finegrained -> offloadCfg.enable;
-          message = "Fine-grained power management requires offload to be enabled.";
-        }
-
-        {
-          assertion = cfg.powerManagement.enable -> lib.versionAtLeast nvidia_x11.version "430.09";
-          message = "Required files for driver based power management only exist on versions >= 430.09.";
-        }
-
-        {
-          assertion = cfg.open -> (cfg.package ? open && cfg.package ? firmware);
-          message = "This version of NVIDIA driver does not provide a corresponding opensource kernel driver";
-        }
-
-        {
-          assertion = cfg.dynamicBoost.enable -> lib.versionAtLeast nvidia_x11.version "510.39.01";
-          message = "NVIDIA's Dynamic Boost feature only exists on versions >= 510.39.01";
-        }];
-
-        # If Optimus/PRIME is enabled, we:
-        # - Specify the configured NVIDIA GPU bus ID in the Device section for the
-        #   "nvidia" driver.
-        # - Add the AllowEmptyInitialConfiguration option to the Screen section for the
-        #   "nvidia" driver, in order to allow the X server to start without any outputs.
-        # - Add a separate Device section for the Intel GPU, using the "modesetting"
-        #   driver and with the configured BusID.
-        # - OR add a separate Device section for the AMD APU, using the "amdgpu"
-        #   driver and with the configures BusID.
-        # - Reference that Device section from the ServerLayout section as an inactive
-        #   device.
-        # - Configure the display manager to run specific `xrandr` commands which will
-        #   configure/enable displays connected to the Intel iGPU / AMD APU.
-
-        # reverse sync implies offloading
-        hardware.nvidia.prime.offload.enable = lib.mkDefault reverseSyncCfg.enable;
-
-        services.xserver.drivers =
-          lib.optional primeEnabled {
-            name = igpuDriver;
-            display = offloadCfg.enable;
-            modules = lib.optional (igpuDriver == "amdgpu") pkgs.xorg.xf86videoamdgpu;
-            deviceSection =
-              ''
-                BusID "${igpuBusId}"
-              ''
-              + lib.optionalString (syncCfg.enable && igpuDriver != "amdgpu") ''
-                Option "AccelMethod" "none"
-              '';
-          }
-          ++ lib.singleton {
-            name = "nvidia";
-            modules = [nvidia_x11.bin];
-            display = !offloadCfg.enable;
-            deviceSection =
-              ''
-                Option "SidebandSocketPath" "/run/nvidia-xdriver/"
-              '' +
-              lib.optionalString primeEnabled
-              ''
-                BusID "${pCfg.nvidiaBusId}"
-              ''
-              + lib.optionalString pCfg.allowExternalGpu ''
-                Option "AllowExternalGpus"
-              '';
-            screenSection =
-              ''
-                Option "RandRRotation" "on"
-              ''
-              + lib.optionalString syncCfg.enable ''
-                Option "AllowEmptyInitialConfiguration"
-              ''
-              + lib.optionalString cfg.forceFullCompositionPipeline ''
-                Option         "metamodes" "nvidia-auto-select +0+0 {ForceFullCompositionPipeline=On}"
-                Option         "AllowIndirectGLXProtocol" "off"
-                Option         "TripleBuffer" "on"
-              '';
+          boot = {
+            blacklistedKernelModules = [
+              "nouveau"
+              "nvidiafb"
+            ];
+
+            # Don't add `nvidia-uvm` to `kernelModules`, because we want
+            # `nvidia-uvm` be loaded only after `udev` rules for `nvidia` kernel
+            # module are applied.
+            #
+            # Instead, we use `softdep` to lazily load `nvidia-uvm` kernel module
+            # after `nvidia` kernel module is loaded and `udev` rules are applied.
+            extraModprobeConfig = ''
+              softdep nvidia post: nvidia-uvm
+            '';
           };
-
-        services.xserver.serverLayoutSection =
-          lib.optionalString syncCfg.enable ''
-            Inactive "Device-${igpuDriver}[0]"
-          ''
-          + lib.optionalString reverseSyncCfg.enable ''
-            Inactive "Device-nvidia[0]"
-          ''
-          + lib.optionalString offloadCfg.enable ''
-            Option "AllowNVIDIAGPUScreens"
+          systemd.tmpfiles.rules = lib.optional config.virtualisation.docker.enableNvidia "L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin";
+          services.udev.extraRules = ''
+            # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded.
+            KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c 195 255'"
+            KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'for i in $$(cat /proc/driver/nvidia/gpus/*/information | grep Minor | cut -d \  -f 4); do mknod -m 666 /dev/nvidia$${i} c 195 $${i}; done'"
+            KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c 195 254'"
+            KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \  -f 1) 0'"
+            KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \  -f 1) 1'"
           '';
+          hardware.opengl = {
+            extraPackages = [ nvidia_x11.out nvidia_x11.settings.libXNVCtrl ];
+            extraPackages32 = [ nvidia_x11.lib32 ];
+          };
+          environment.systemPackages = [ nvidia_x11.bin ];
+        })
+        # X11
+        (lib.mkIf nvidiaEnabled {
+          assertions = [
+            {
+              assertion = primeEnabled -> pCfg.intelBusId == "" || pCfg.amdgpuBusId == "";
+              message = "You cannot configure both an Intel iGPU and an AMD APU. Pick the one corresponding to your processor.";
+            }
+
+            {
+              assertion = offloadCfg.enableOffloadCmd -> offloadCfg.enable || reverseSyncCfg.enable;
+              message = "Offload command requires offloading or reverse prime sync to be enabled.";
+            }
+
+            {
+              assertion =
+                primeEnabled -> pCfg.nvidiaBusId != "" && (pCfg.intelBusId != "" || pCfg.amdgpuBusId != "");
+              message = "When NVIDIA PRIME is enabled, the GPU bus IDs must be configured.";
+            }
+
+            {
+              assertion = offloadCfg.enable -> lib.versionAtLeast nvidia_x11.version "435.21";
+              message = "NVIDIA PRIME render offload is currently only supported on versions >= 435.21.";
+            }
+
+            {
+              assertion =
+                (reverseSyncCfg.enable && pCfg.amdgpuBusId != "") -> lib.versionAtLeast nvidia_x11.version "470.0";
+              message = "NVIDIA PRIME render offload for AMD APUs is currently only supported on versions >= 470 beta.";
+            }
+
+            {
+              assertion = !(syncCfg.enable && offloadCfg.enable);
+              message = "PRIME Sync and Offload cannot be both enabled";
+            }
+
+            {
+              assertion = !(syncCfg.enable && reverseSyncCfg.enable);
+              message = "PRIME Sync and PRIME Reverse Sync cannot be both enabled";
+            }
+
+            {
+              assertion = !(syncCfg.enable && cfg.powerManagement.finegrained);
+              message = "Sync precludes powering down the NVIDIA GPU.";
+            }
+
+            {
+              assertion = cfg.powerManagement.finegrained -> offloadCfg.enable;
+              message = "Fine-grained power management requires offload to be enabled.";
+            }
+
+            {
+              assertion = cfg.powerManagement.enable -> lib.versionAtLeast nvidia_x11.version "430.09";
+              message = "Required files for driver based power management only exist on versions >= 430.09.";
+            }
+
+            {
+              assertion = cfg.open -> (cfg.package ? open && cfg.package ? firmware);
+              message = "This version of NVIDIA driver does not provide a corresponding opensource kernel driver";
+            }
+
+            {
+              assertion = cfg.dynamicBoost.enable -> lib.versionAtLeast nvidia_x11.version "510.39.01";
+              message = "NVIDIA's Dynamic Boost feature only exists on versions >= 510.39.01";
+            }
+          ];
 
-        services.xserver.displayManager.setupCommands = let
-          gpuProviderName =
-            if igpuDriver == "amdgpu"
-            then
-              # find the name of the provider if amdgpu
-              "`${lib.getExe pkgs.xorg.xrandr} --listproviders | ${lib.getExe pkgs.gnugrep} -i AMD | ${lib.getExe pkgs.gnused} -n 's/^.*name://p'`"
-            else igpuDriver;
-          providerCmdParams =
-            if syncCfg.enable
-            then "\"${gpuProviderName}\" NVIDIA-0"
-            else "NVIDIA-G0 \"${gpuProviderName}\"";
-        in
-          lib.optionalString (syncCfg.enable || reverseSyncCfg.enable) ''
-            # Added by nvidia configuration module for Optimus/PRIME.
-            ${lib.getExe pkgs.xorg.xrandr} --setprovideroutputsource ${providerCmdParams}
-            ${lib.getExe pkgs.xorg.xrandr} --auto
-          '';
+          # If Optimus/PRIME is enabled, we:
+          # - Specify the configured NVIDIA GPU bus ID in the Device section for the
+          #   "nvidia" driver.
+          # - Add the AllowEmptyInitialConfiguration option to the Screen section for the
+          #   "nvidia" driver, in order to allow the X server to start without any outputs.
+          # - Add a separate Device section for the Intel GPU, using the "modesetting"
+          #   driver and with the configured BusID.
+          # - OR add a separate Device section for the AMD APU, using the "amdgpu"
+          #   driver and with the configures BusID.
+          # - Reference that Device section from the ServerLayout section as an inactive
+          #   device.
+          # - Configure the display manager to run specific `xrandr` commands which will
+          #   configure/enable displays connected to the Intel iGPU / AMD APU.
+
+          # reverse sync implies offloading
+          hardware.nvidia.prime.offload.enable = lib.mkDefault reverseSyncCfg.enable;
+
+          services.xserver.drivers =
+            lib.optional primeEnabled {
+              name = igpuDriver;
+              display = offloadCfg.enable;
+              modules = lib.optional (igpuDriver == "amdgpu") pkgs.xorg.xf86videoamdgpu;
+              deviceSection =
+                ''
+                  BusID "${igpuBusId}"
+                ''
+                + lib.optionalString (syncCfg.enable && igpuDriver != "amdgpu") ''
+                  Option "AccelMethod" "none"
+                '';
+            }
+            ++ lib.singleton {
+              name = "nvidia";
+              modules = [ nvidia_x11.bin ];
+              display = !offloadCfg.enable;
+              deviceSection =
+                ''
+                  Option "SidebandSocketPath" "/run/nvidia-xdriver/"
+                ''
+                + lib.optionalString primeEnabled ''
+                  BusID "${pCfg.nvidiaBusId}"
+                ''
+                + lib.optionalString pCfg.allowExternalGpu ''
+                  Option "AllowExternalGpus"
+                '';
+              screenSection =
+                ''
+                  Option "RandRRotation" "on"
+                ''
+                + lib.optionalString syncCfg.enable ''
+                  Option "AllowEmptyInitialConfiguration"
+                ''
+                + lib.optionalString cfg.forceFullCompositionPipeline ''
+                  Option         "metamodes" "nvidia-auto-select +0+0 {ForceFullCompositionPipeline=On}"
+                  Option         "AllowIndirectGLXProtocol" "off"
+                  Option         "TripleBuffer" "on"
+                '';
+            };
 
-        environment.etc = {
-          "nvidia/nvidia-application-profiles-rc" = lib.mkIf nvidia_x11.useProfiles {source = "${nvidia_x11.bin}/share/nvidia/nvidia-application-profiles-rc";};
+          services.xserver.serverLayoutSection =
+            lib.optionalString syncCfg.enable ''
+              Inactive "Device-${igpuDriver}[0]"
+            ''
+            + lib.optionalString reverseSyncCfg.enable ''
+              Inactive "Device-nvidia[0]"
+            ''
+            + lib.optionalString offloadCfg.enable ''
+              Option "AllowNVIDIAGPUScreens"
+            '';
+
+          services.xserver.displayManager.setupCommands =
+            let
+              gpuProviderName =
+                if igpuDriver == "amdgpu" then
+                  # find the name of the provider if amdgpu
+                  "`${lib.getExe pkgs.xorg.xrandr} --listproviders | ${lib.getExe pkgs.gnugrep} -i AMD | ${lib.getExe pkgs.gnused} -n 's/^.*name://p'`"
+                else
+                  igpuDriver;
+              providerCmdParams =
+                if syncCfg.enable then "\"${gpuProviderName}\" NVIDIA-0" else "NVIDIA-G0 \"${gpuProviderName}\"";
+            in
+            lib.optionalString (syncCfg.enable || reverseSyncCfg.enable) ''
+              # Added by nvidia configuration module for Optimus/PRIME.
+              ${lib.getExe pkgs.xorg.xrandr} --setprovideroutputsource ${providerCmdParams}
+              ${lib.getExe pkgs.xorg.xrandr} --auto
+            '';
+
+          environment.etc = {
+            "nvidia/nvidia-application-profiles-rc" = lib.mkIf nvidia_x11.useProfiles {
+              source = "${nvidia_x11.bin}/share/nvidia/nvidia-application-profiles-rc";
+            };
 
-          # 'nvidia_x11' installs it's files to /run/opengl-driver/...
-          "egl/egl_external_platform.d".source = "/run/opengl-driver/share/egl/egl_external_platform.d/";
-        };
+            # 'nvidia_x11' installs it's files to /run/opengl-driver/...
+            "egl/egl_external_platform.d".source = "/run/opengl-driver/share/egl/egl_external_platform.d/";
+          };
 
-        hardware.opengl = {
-          extraPackages = [
-            pkgs.nvidia-vaapi-driver
-          ];
-          extraPackages32 = [
-            pkgs.pkgsi686Linux.nvidia-vaapi-driver
-          ];
-        };
-        environment.systemPackages =
-          lib.optional cfg.nvidiaSettings nvidia_x11.settings
-          ++ lib.optional cfg.nvidiaPersistenced nvidia_x11.persistenced
-          ++ lib.optional offloadCfg.enableOffloadCmd
-          (pkgs.writeShellScriptBin "nvidia-offload" ''
-            export __NV_PRIME_RENDER_OFFLOAD=1
-            export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
-            export __GLX_VENDOR_LIBRARY_NAME=nvidia
-            export __VK_LAYER_NV_optimus=NVIDIA_only
-            exec "$@"
-          '');
-
-        systemd.packages = lib.optional cfg.powerManagement.enable nvidia_x11.out;
-
-        systemd.services = let
-          nvidiaService = state: {
-            description = "NVIDIA system ${state} actions";
-            path = [pkgs.kbd];
-            serviceConfig = {
-              Type = "oneshot";
-              ExecStart = "${nvidia_x11.out}/bin/nvidia-sleep.sh '${state}'";
-            };
-            before = ["systemd-${state}.service"];
-            requiredBy = ["systemd-${state}.service"];
+          hardware.opengl = {
+            extraPackages = [ pkgs.nvidia-vaapi-driver ];
+            extraPackages32 = [ pkgs.pkgsi686Linux.nvidia-vaapi-driver ];
           };
-        in
-          lib.mkMerge [
-            (lib.mkIf cfg.powerManagement.enable {
-              nvidia-suspend = nvidiaService "suspend";
-              nvidia-hibernate = nvidiaService "hibernate";
-              nvidia-resume =
-                (nvidiaService "resume")
-                // {
-                  before = [];
-                  after = ["systemd-suspend.service" "systemd-hibernate.service"];
-                  requiredBy = ["systemd-suspend.service" "systemd-hibernate.service"];
-                };
-            })
-            (lib.mkIf cfg.nvidiaPersistenced {
-              "nvidia-persistenced" = {
-                description = "NVIDIA Persistence Daemon";
-                wantedBy = ["multi-user.target"];
+          environment.systemPackages =
+            lib.optional cfg.nvidiaSettings nvidia_x11.settings
+            ++ lib.optional cfg.nvidiaPersistenced nvidia_x11.persistenced
+            ++ lib.optional offloadCfg.enableOffloadCmd (
+              pkgs.writeShellScriptBin "nvidia-offload" ''
+                export __NV_PRIME_RENDER_OFFLOAD=1
+                export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
+                export __GLX_VENDOR_LIBRARY_NAME=nvidia
+                export __VK_LAYER_NV_optimus=NVIDIA_only
+                exec "$@"
+              ''
+            );
+
+          systemd.packages = lib.optional cfg.powerManagement.enable nvidia_x11.out;
+
+          systemd.services =
+            let
+              nvidiaService = state: {
+                description = "NVIDIA system ${state} actions";
+                path = [ pkgs.kbd ];
                 serviceConfig = {
-                  Type = "forking";
-                  Restart = "always";
-                  PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid";
-                  ExecStart = "${lib.getExe nvidia_x11.persistenced} --verbose";
-                  ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced";
+                  Type = "oneshot";
+                  ExecStart = "${nvidia_x11.out}/bin/nvidia-sleep.sh '${state}'";
                 };
+                before = [ "systemd-${state}.service" ];
+                requiredBy = [ "systemd-${state}.service" ];
               };
-            })
-            (lib.mkIf cfg.dynamicBoost.enable {
-              "nvidia-powerd" = {
-                description = "nvidia-powerd service";
-                path = [
-                  pkgs.util-linux # nvidia-powerd wants lscpu
-                ];
-                wantedBy = ["multi-user.target"];
-                serviceConfig = {
-                  Type = "dbus";
-                  BusName = "nvidia.powerd.server";
-                  ExecStart = "${nvidia_x11.bin}/bin/nvidia-powerd";
+            in
+            lib.mkMerge [
+              (lib.mkIf cfg.powerManagement.enable {
+                nvidia-suspend = nvidiaService "suspend";
+                nvidia-hibernate = nvidiaService "hibernate";
+                nvidia-resume = (nvidiaService "resume") // {
+                  before = [ ];
+                  after = [
+                    "systemd-suspend.service"
+                    "systemd-hibernate.service"
+                  ];
+                  requiredBy = [
+                    "systemd-suspend.service"
+                    "systemd-hibernate.service"
+                  ];
                 };
-              };
-            })
-          ];
-        services.acpid.enable = true;
-
-        services.dbus.packages = lib.optional cfg.dynamicBoost.enable nvidia_x11.bin;
-
-        hardware.firmware = lib.optional cfg.open nvidia_x11.firmware;
-
-        systemd.tmpfiles.rules = [
-          # Remove the following log message:
-          #    (WW) NVIDIA: Failed to bind sideband socket to
-          #    (WW) NVIDIA:     '/var/run/nvidia-xdriver-b4f69129' Permission denied
-          #
-          # https://bbs.archlinux.org/viewtopic.php?pid=1909115#p1909115
-          "d /run/nvidia-xdriver 0770 root users"
-        ] ++ lib.optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia)
-          "L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced";
-
-        boot = {
-          extraModulePackages =
-            if cfg.open
-            then [nvidia_x11.open]
-            else [nvidia_x11.bin];
-          # nvidia-uvm is required by CUDA applications.
-          kernelModules =
-            lib.optionals config.services.xserver.enable ["nvidia" "nvidia_modeset" "nvidia_drm"];
-
-          # If requested enable modesetting via kernel parameter.
-          kernelParams =
-            lib.optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1"
-            ++ lib.optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1"
-            ++ lib.optional cfg.open "nvidia.NVreg_OpenRmEnableUnsupportedGpus=1"
-            ++ lib.optional (config.boot.kernelPackages.kernel.kernelAtLeast "6.2" && !ibtSupport) "ibt=off";
-
-          # enable finegrained power management
-          extraModprobeConfig = lib.optionalString cfg.powerManagement.finegrained ''
-            options nvidia "NVreg_DynamicPowerManagement=0x02"
-          '';
-        };
-        services.udev.extraRules =
-          lib.optionalString cfg.powerManagement.finegrained (
-          lib.optionalString (lib.versionOlder config.boot.kernelPackages.kernel.version "5.5") ''
-            # Remove NVIDIA USB xHCI Host Controller devices, if present
-            ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{remove}="1"
-
-            # Remove NVIDIA USB Type-C UCSI devices, if present
-            ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", ATTR{remove}="1"
-
-            # Remove NVIDIA Audio devices, if present
-            ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{remove}="1"
-          ''
-          + ''
-            # Enable runtime PM for NVIDIA VGA/3D controller devices on driver bind
-            ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="auto"
-            ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="auto"
-
-            # Disable runtime PM for NVIDIA VGA/3D controller devices on driver unbind
-            ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="on"
-            ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="on"
-          ''
-        );
-      })
-      # Data Center
-      (lib.mkIf (cfg.datacenter.enable) {
-        boot.extraModulePackages = [
-          nvidia_x11.bin
-        ];
-
-        systemd = {
-          tmpfiles.rules =
-            lib.optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia)
-            "L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced";
-
-          services = lib.mkMerge [
-            ({
-              nvidia-fabricmanager = {
-                enable = true;
-                description = "Start NVIDIA NVLink Management";
-                wantedBy = [ "multi-user.target" ];
-                unitConfig.After = [ "network-online.target" ];
-                unitConfig.Requires = [ "network-online.target" ];
-                serviceConfig = {
-                  Type = "forking";
-                  TimeoutStartSec = 240;
-                  ExecStart = let
-                    nv-fab-conf = settingsFormat.generate "fabricmanager.conf" cfg.datacenter.settings;
-                    in
+              })
+              (lib.mkIf cfg.nvidiaPersistenced {
+                "nvidia-persistenced" = {
+                  description = "NVIDIA Persistence Daemon";
+                  wantedBy = [ "multi-user.target" ];
+                  serviceConfig = {
+                    Type = "forking";
+                    Restart = "always";
+                    PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid";
+                    ExecStart = "${lib.getExe nvidia_x11.persistenced} --verbose";
+                    ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced";
+                  };
+                };
+              })
+              (lib.mkIf cfg.dynamicBoost.enable {
+                "nvidia-powerd" = {
+                  description = "nvidia-powerd service";
+                  path = [
+                    pkgs.util-linux # nvidia-powerd wants lscpu
+                  ];
+                  wantedBy = [ "multi-user.target" ];
+                  serviceConfig = {
+                    Type = "dbus";
+                    BusName = "nvidia.powerd.server";
+                    ExecStart = "${nvidia_x11.bin}/bin/nvidia-powerd";
+                  };
+                };
+              })
+            ];
+          services.acpid.enable = true;
+
+          services.dbus.packages = lib.optional cfg.dynamicBoost.enable nvidia_x11.bin;
+
+          hardware.firmware =
+            let
+              isOpen = cfg.open;
+              isNewUnfree = lib.versionAtLeast nvidia_x11.version "555";
+            in
+            lib.optional (isOpen || isNewUnfree) nvidia_x11.firmware;
+
+          systemd.tmpfiles.rules =
+            [
+              # Remove the following log message:
+              #    (WW) NVIDIA: Failed to bind sideband socket to
+              #    (WW) NVIDIA:     '/var/run/nvidia-xdriver-b4f69129' Permission denied
+              #
+              # https://bbs.archlinux.org/viewtopic.php?pid=1909115#p1909115
+              "d /run/nvidia-xdriver 0770 root users"
+            ]
+            ++ lib.optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia)
+              "L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced";
+
+          boot = {
+            extraModulePackages = if cfg.open then [ nvidia_x11.open ] else [ nvidia_x11.bin ];
+            # nvidia-uvm is required by CUDA applications.
+            kernelModules = lib.optionals config.services.xserver.enable [
+              "nvidia"
+              "nvidia_modeset"
+              "nvidia_drm"
+            ];
+
+            # If requested enable modesetting via kernel parameter.
+            kernelParams =
+              lib.optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1"
+              ++ lib.optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1"
+              ++ lib.optional cfg.open "nvidia.NVreg_OpenRmEnableUnsupportedGpus=1"
+              ++ lib.optional (config.boot.kernelPackages.kernel.kernelAtLeast "6.2" && !ibtSupport) "ibt=off";
+
+            # enable finegrained power management
+            extraModprobeConfig = lib.optionalString cfg.powerManagement.finegrained ''
+              options nvidia "NVreg_DynamicPowerManagement=0x02"
+            '';
+          };
+          services.udev.extraRules = lib.optionalString cfg.powerManagement.finegrained (
+            lib.optionalString (lib.versionOlder config.boot.kernelPackages.kernel.version "5.5") ''
+              # Remove NVIDIA USB xHCI Host Controller devices, if present
+              ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{remove}="1"
+
+              # Remove NVIDIA USB Type-C UCSI devices, if present
+              ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", ATTR{remove}="1"
+
+              # Remove NVIDIA Audio devices, if present
+              ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{remove}="1"
+            ''
+            + ''
+              # Enable runtime PM for NVIDIA VGA/3D controller devices on driver bind
+              ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="auto"
+              ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="auto"
+
+              # Disable runtime PM for NVIDIA VGA/3D controller devices on driver unbind
+              ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="on"
+              ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="on"
+            ''
+          );
+        })
+        # Data Center
+        (lib.mkIf (cfg.datacenter.enable) {
+          boot.extraModulePackages = [ nvidia_x11.bin ];
+
+          systemd = {
+            tmpfiles.rules =
+              lib.optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia)
+                "L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced";
+
+            services = lib.mkMerge [
+              ({
+                nvidia-fabricmanager = {
+                  enable = true;
+                  description = "Start NVIDIA NVLink Management";
+                  wantedBy = [ "multi-user.target" ];
+                  unitConfig.After = [ "network-online.target" ];
+                  unitConfig.Requires = [ "network-online.target" ];
+                  serviceConfig = {
+                    Type = "forking";
+                    TimeoutStartSec = 240;
+                    ExecStart =
+                      let
+                        nv-fab-conf = settingsFormat.generate "fabricmanager.conf" cfg.datacenter.settings;
+                      in
                       "${lib.getExe nvidia_x11.fabricmanager} -c ${nv-fab-conf}";
-                  LimitCORE="infinity";
+                    LimitCORE = "infinity";
+                  };
                 };
-              };
-            })
-            (lib.mkIf cfg.nvidiaPersistenced {
-              "nvidia-persistenced" = {
-                description = "NVIDIA Persistence Daemon";
-                wantedBy = ["multi-user.target"];
-                serviceConfig = {
-                  Type = "forking";
-                  Restart = "always";
-                  PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid";
-                  ExecStart = "${lib.getExe nvidia_x11.persistenced} --verbose";
-                  ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced";
+              })
+              (lib.mkIf cfg.nvidiaPersistenced {
+                "nvidia-persistenced" = {
+                  description = "NVIDIA Persistence Daemon";
+                  wantedBy = [ "multi-user.target" ];
+                  serviceConfig = {
+                    Type = "forking";
+                    Restart = "always";
+                    PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid";
+                    ExecStart = "${lib.getExe nvidia_x11.persistenced} --verbose";
+                    ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced";
+                  };
                 };
-              };
-            })
-          ];
-      };
+              })
+            ];
+          };
 
-      environment.systemPackages =
-        lib.optional cfg.datacenter.enable nvidia_x11.fabricmanager
-        ++ lib.optional cfg.nvidiaPersistenced nvidia_x11.persistenced;
-    })
-  ]);
+          environment.systemPackages =
+            lib.optional cfg.datacenter.enable nvidia_x11.fabricmanager
+            ++ lib.optional cfg.nvidiaPersistenced nvidia_x11.persistenced;
+        })
+      ]
+    );
 }
diff --git a/nixos/modules/hardware/xone.nix b/nixos/modules/hardware/xone.nix
index 89690d8c6fb10..bb3b42399d8e1 100644
--- a/nixos/modules/hardware/xone.nix
+++ b/nixos/modules/hardware/xone.nix
@@ -6,7 +6,7 @@ let
 in
 {
   options.hardware.xone = {
-    enable = mkEnableOption "the xone driver for Xbox One and Xbobx Series X|S accessories";
+    enable = mkEnableOption "the xone driver for Xbox One and Xbox Series X|S accessories";
   };
 
   config = mkIf cfg.enable {
diff --git a/nixos/modules/installer/netboot/netboot.nix b/nixos/modules/installer/netboot/netboot.nix
index c88a53393d13f..2228766aca963 100644
--- a/nixos/modules/installer/netboot/netboot.nix
+++ b/nixos/modules/installer/netboot/netboot.nix
@@ -39,7 +39,8 @@ with lib;
 
     # !!! Hack - attributes expected by other modules.
     environment.systemPackages = [ pkgs.grub2_efi ]
-      ++ (lib.optionals (pkgs.stdenv.hostPlatform.system != "aarch64-linux") [pkgs.grub2 pkgs.syslinux]);
+      ++ (lib.optionals (lib.meta.availableOn pkgs.stdenv.hostPlatform pkgs.syslinux)
+        [pkgs.grub2 pkgs.syslinux]);
 
     fileSystems."/" = mkImageMediaOverride
       { fsType = "tmpfs";
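Review bot: The new condition gates both `pkgs.grub2` and `pkgs.syslinux` on `lib.meta.availableOn` for syslinux alone, so a host platform where syslinux is supported but grub2 is not (or the reverse) still gets both packages or neither. Splitting the gate keeps the intent of the change while checking each package on its own: `++ lib.optional (lib.meta.availableOn pkgs.stdenv.hostPlatform pkgs.grub2) pkgs.grub2` and `++ lib.optional (lib.meta.availableOn pkgs.stdenv.hostPlatform pkgs.syslinux) pkgs.syslinux`. The `# !!! Hack` comment above would also read better if it named which modules expect these attributes.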
diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix
index 29e9498018ec9..db917f73a0645 100644
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -121,7 +121,7 @@ in
     image = {
 
       id = lib.mkOption {
-        type = types.nullOr (types.strMatching "^[a-z0-9._-]+$");
+        type = types.nullOr types.str;
         default = null;
         description = ''
           Image identifier.
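Review bot: Dropping `strMatching` on `image.id` here (and on `image.version` in the next hunk) removes the only validation these values get in this module; if they are written into /etc/os-release, which happens outside this hunk, a value containing a newline or a double quote could break the generated file's quoting or add an unintended key unless the writer escapes it. If the motivation was the faulty `version` pattern, note that `_-~` inside the bracket is parsed as a range (0x5F–0x7E), so the old regex also admitted `` ` ``, `{`, `|` and `}`; moving the hyphen to the end fixes that without giving up validation: `type = types.nullOr (types.strMatching "^[a-z0-9._~^-]+$");`. If the relaxation is intentional, the descriptions should at least state the character set os-release consumers expect so users are not surprised downstream.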
@@ -135,7 +135,7 @@ in
       };
 
       version = lib.mkOption {
-        type = types.nullOr (types.strMatching "^[a-z0-9._-~^]+$");
+        type = types.nullOr types.str;
         default = null;
         description = ''
           Image version.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index d2e5d4ecdfe56..b7725051597a3 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -218,6 +218,7 @@
   ./programs/kbdlight.nix
   ./programs/kclock.nix
   ./programs/kdeconnect.nix
+  ./programs/ladybird.nix
   ./programs/lazygit.nix
   ./programs/kubeswitch.nix
   ./programs/less.nix
@@ -249,7 +250,6 @@
   ./programs/oblogout.nix
   ./programs/oddjobd.nix
   ./programs/openvpn3.nix
-  ./programs/pantheon-tweaks.nix
   ./programs/partition-manager.nix
   ./programs/plotinus.nix
   ./programs/pqos-wrapper.nix
@@ -282,6 +282,7 @@
   ./programs/systemtap.nix
   ./programs/thefuck.nix
   ./programs/thunar.nix
+  ./programs/thunderbird.nix
   ./programs/tmux.nix
   ./programs/traceroute.nix
   ./programs/trippy.nix
@@ -293,6 +294,7 @@
   ./programs/virt-manager.nix
   ./programs/wavemon.nix
   ./programs/wayland/cardboard.nix
+  ./programs/wayland/hyprlock.nix
   ./programs/wayland/hyprland.nix
   ./programs/wayland/labwc.nix
   ./programs/wayland/river.nix
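Review bot: `./programs/wayland/hyprlock.nix` is inserted before `./programs/wayland/hyprland.nix`, but "hyprland" sorts before "hyprlock", so the new entry breaks the alphabetical order this stretch of the list keeps; swapping the two lines fixes it. The other additions in this file land in sorted position relative to their neighbours.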
@@ -418,6 +420,7 @@
   ./services/cluster/kubernetes/scheduler.nix
   ./services/cluster/pacemaker/default.nix
   ./services/cluster/patroni/default.nix
+  ./services/cluster/rke2/default.nix
   ./services/cluster/spark/default.nix
   ./services/computing/boinc/client.nix
   ./services/computing/foldingathome/client.nix
@@ -1109,6 +1112,7 @@
   ./services/networking/ocserv.nix
   ./services/networking/ofono.nix
   ./services/networking/oidentd.nix
+  ./services/networking/oink.nix
   ./services/networking/onedrive.nix
   ./services/networking/openconnect.nix
   ./services/networking/openvpn.nix
@@ -1325,6 +1329,7 @@
   ./services/video/unifi-video.nix
   ./services/video/v4l2-relayd.nix
   ./services/wayland/cage.nix
+  ./services/wayland/hypridle.nix
   ./services/web-apps/akkoma.nix
   ./services/web-apps/alps.nix
   ./services/web-apps/anuko-time-tracker.nix
@@ -1353,6 +1358,7 @@
   ./services/web-apps/dolibarr.nix
   ./services/web-apps/engelsystem.nix
   ./services/web-apps/ethercalc.nix
+  ./services/web-apps/filesender.nix
   ./services/web-apps/firefly-iii.nix
   ./services/web-apps/flarum.nix
   ./services/web-apps/fluidd.nix
@@ -1398,6 +1404,7 @@
   ./services/web-apps/netbox.nix
   ./services/web-apps/nextcloud.nix
   ./services/web-apps/nextcloud-notify_push.nix
+  ./services/web-apps/nextjs-ollama-llm-ui.nix
   ./services/web-apps/nexus.nix
   ./services/web-apps/nifi.nix
   ./services/web-apps/node-red.nix
@@ -1426,6 +1433,7 @@
   ./services/web-apps/selfoss.nix
   ./services/web-apps/shiori.nix
   ./services/web-apps/silverbullet.nix
+  ./services/web-apps/simplesamlphp.nix
   ./services/web-apps/slskd.nix
   ./services/web-apps/snipe-it.nix
   ./services/web-apps/sogo.nix
@@ -1443,6 +1451,7 @@
   ./services/web-apps/zitadel.nix
   ./services/web-servers/agate.nix
   ./services/web-servers/apache-httpd/default.nix
+  ./services/web-servers/bluemap.nix
   ./services/web-servers/caddy/default.nix
   ./services/web-servers/darkhttpd.nix
   ./services/web-servers/fcgiwrap.nix
diff --git a/nixos/modules/programs/coolercontrol.nix b/nixos/modules/programs/coolercontrol.nix
index 8c9a39d2eba99..1c64d46ae2b90 100644
--- a/nixos/modules/programs/coolercontrol.nix
+++ b/nixos/modules/programs/coolercontrol.nix
@@ -48,9 +48,11 @@ in
 
     # Nvidia support
     (lib.mkIf cfg.nvidiaSupport {
-      systemd.services.coolercontrold.path = with config.boot.kernelPackages; [
-        nvidia_x11 # nvidia-smi
-        nvidia_x11.settings # nvidia-settings
+      systemd.services.coolercontrold.path = let
+        nvidiaPkg = config.hardware.nvidia.package;
+      in [
+        nvidiaPkg # nvidia-smi
+        nvidiaPkg.settings # nvidia-settings
       ];
     })
   ]);
diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix
index c755d110170c6..eb983d9ce78a9 100644
--- a/nixos/modules/programs/gnupg.nix
+++ b/nixos/modules/programs/gnupg.nix
@@ -8,22 +8,6 @@ let
   agentSettingsFormat = pkgs.formats.keyValue {
     mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
   };
-
-  xserverCfg = config.services.xserver;
-
-  defaultPinentryFlavor =
-    if xserverCfg.desktopManager.lxqt.enable
-    || xserverCfg.desktopManager.plasma5.enable
-    || xserverCfg.desktopManager.plasma6.enable
-    || xserverCfg.desktopManager.deepin.enable then
-      "qt"
-    else if xserverCfg.desktopManager.xfce.enable then
-      "gtk2"
-    else if xserverCfg.enable || config.programs.sway.enable then
-      "gnome3"
-    else
-      "curses";
-
 in
 {
   imports = [
diff --git a/nixos/modules/programs/ladybird.nix b/nixos/modules/programs/ladybird.nix
new file mode 100644
index 0000000000000..43bfe445ef58e
--- /dev/null
+++ b/nixos/modules/programs/ladybird.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.programs.ladybird;
+in {
+  options = {
+    programs.ladybird.enable = lib.mkEnableOption "the Ladybird web browser";
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.ladybird ];
+    fonts.fontDir.enable = true;
+  };
+}
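Review bot: `fonts.fontDir.enable = true;` is set unconditionally, so a configuration that sets it to `false` elsewhere fails with a conflicting-definitions error instead of winning; `fonts.fontDir.enable = lib.mkDefault true;` keeps the behaviour while leaving it overridable. The module also carries no `meta.maintainers`, unlike the other new modules in this commit (hyprlock, thunderbird); consider adding one.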
diff --git a/nixos/modules/programs/less.nix b/nixos/modules/programs/less.nix
index c904fc2089aa3..50ea1586f6880 100644
--- a/nixos/modules/programs/less.nix
+++ b/nixos/modules/programs/less.nix
@@ -35,6 +35,8 @@ in
       # therefore also enables this module
       enable = lib.mkEnableOption "less, a file pager";
 
+      package = lib.mkPackageOption pkgs "less" { };
+
       configFile = lib.mkOption {
         type = lib.types.nullOr lib.types.path;
         default = null;
@@ -110,7 +112,7 @@ in
 
   config = lib.mkIf cfg.enable {
 
-    environment.systemPackages = [ pkgs.less ];
+    environment.systemPackages = [ cfg.package ];
 
     environment.variables = {
       LESSKEYIN_SYSTEM = builtins.toString lessKey;
diff --git a/nixos/modules/programs/pantheon-tweaks.nix b/nixos/modules/programs/pantheon-tweaks.nix
deleted file mode 100644
index b7258e2eb4bfe..0000000000000
--- a/nixos/modules/programs/pantheon-tweaks.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  meta = {
-    maintainers = lib.teams.pantheon.members;
-  };
-
-  ###### interface
-  options = {
-    programs.pantheon-tweaks.enable = lib.mkEnableOption "Pantheon Tweaks, an unofficial system settings panel for Pantheon";
-  };
-
-  ###### implementation
-  config = lib.mkIf config.programs.pantheon-tweaks.enable {
-    services.xserver.desktopManager.pantheon.extraSwitchboardPlugs = [ pkgs.pantheon-tweaks ];
-  };
-}
diff --git a/nixos/modules/programs/steam.nix b/nixos/modules/programs/steam.nix
index d76863aff83be..5138588dbd3e5 100644
--- a/nixos/modules/programs/steam.nix
+++ b/nixos/modules/programs/steam.nix
@@ -4,6 +4,8 @@ let
   cfg = config.programs.steam;
   gamescopeCfg = config.programs.gamescope;
 
+  extraCompatPaths = lib.makeSearchPathOutput "steamcompattool" "" cfg.extraCompatPackages;
+
   steam-gamescope = let
     exports = builtins.attrValues (builtins.mapAttrs (n: v: "export ${n}=${v}") cfg.gamescopeSession.env);
   in
@@ -42,7 +44,7 @@ in {
       '';
       apply = steam: steam.override (prev: {
         extraEnv = (lib.optionalAttrs (cfg.extraCompatPackages != [ ]) {
-          STEAM_EXTRA_COMPAT_TOOLS_PATHS = lib.makeSearchPathOutput "steamcompattool" "" cfg.extraCompatPackages;
+          STEAM_EXTRA_COMPAT_TOOLS_PATHS = extraCompatPaths;
         }) // (lib.optionalAttrs cfg.extest.enable {
           LD_PRELOAD = "${pkgs.pkgsi686Linux.extest}/lib/libextest.so";
         }) // (prev.extraEnv or {});
@@ -53,6 +55,7 @@ in {
             then [ package ] ++ extraPackages
             else [ package32 ] ++ extraPackages32;
         in prevLibs ++ additionalLibs;
+        extraPkgs = p: (cfg.extraPackages ++ lib.optionals (prev ? extraPkgs) (prev.extraPkgs p));
       } // lib.optionalAttrs (cfg.gamescopeSession.enable && gamescopeCfg.capSysNice)
       {
         buildFHSEnv = pkgs.buildFHSEnv.override {
@@ -69,6 +72,19 @@ in {
       '';
     };
 
+    extraPackages = lib.mkOption {
+      type = lib.types.listOf lib.types.package;
+      default = [ ];
+      example = lib.literalExpression ''
+        with pkgs; [
+          gamescope
+        ]
+      '';
+      description = ''
+        Additional packages to add to the Steam environment.
+      '';
+    };
+
     extraCompatPackages = lib.mkOption {
       type = lib.types.listOf lib.types.package;
       default = [ ];
@@ -86,6 +102,19 @@ in {
       '';
     };
 
+    fontPackages = lib.mkOption {
+      type = lib.types.listOf lib.types.package;
+      # `fonts.packages` is a list of paths now, filter out which are not packages
+      default = builtins.filter lib.types.package.check config.fonts.packages;
+      defaultText = lib.literalExpression "builtins.filter lib.types.package.check config.fonts.packages";
+      example = lib.literalExpression "with pkgs; [ source-han-sans ]";
+      description = ''
+        Font packages to use in Steam.
+
+        Defaults to system fonts, but could be overridden to use other fonts — useful for users who would like to customize CJK fonts used in Steam. According to the [upstream issue](https://github.com/ValveSoftware/steam-for-linux/issues/10422#issuecomment-1944396010), Steam only follows the per-user fontconfig configuration.
+      '';
+    };
+
     remotePlay.openFirewall = lib.mkOption {
       type = lib.types.bool;
       default = false;
@@ -139,6 +168,11 @@ in {
       Load the extest library into Steam, to translate X11 input events to
       uinput events (e.g. for using Steam Input on Wayland)
     '';
+
+    protontricks = {
+      enable = lib.mkEnableOption "protontricks, a simple wrapper for running Winetricks commands for Proton-enabled games";
+      package = lib.mkPackageOption pkgs "protontricks" { };
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -158,6 +192,8 @@ in {
       };
     };
 
+    programs.steam.extraPackages = cfg.fontPackages;
+
     programs.gamescope.enable = lib.mkDefault cfg.gamescopeSession.enable;
     services.displayManager.sessionPackages = lib.mkIf cfg.gamescopeSession.enable [ gamescopeSessionFile ];
 
@@ -169,7 +205,8 @@ in {
     environment.systemPackages = [
       cfg.package
       cfg.package.run
-    ] ++ lib.optional cfg.gamescopeSession.enable steam-gamescope;
+    ] ++ lib.optional cfg.gamescopeSession.enable steam-gamescope
+    ++ lib.optional cfg.protontricks.enable (cfg.protontricks.package.override { inherit extraCompatPaths; });
 
     networking.firewall = lib.mkMerge [
       (lib.mkIf (cfg.remotePlay.openFirewall || cfg.localNetworkGameTransfers.openFirewall) {
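Review bot: The protontricks override passes `extraCompatPaths` even when `cfg.extraCompatPackages` is empty, whereas the Steam environment above only exports `STEAM_EXTRA_COMPAT_TOOLS_PATHS` when the list is non-empty (via `lib.optionalAttrs`). If the protontricks wrapper does not tolerate an empty search path this produces a wrapper with an empty variable; guarding the override the same way, `cfg.protontricks.package.override (lib.optionalAttrs (cfg.extraCompatPackages != [ ]) { inherit extraCompatPaths; })`, keeps the two code paths consistent. The enclosing `config` attribute set continues outside the hunk.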
diff --git a/nixos/modules/programs/thunderbird.nix b/nixos/modules/programs/thunderbird.nix
new file mode 100644
index 0000000000000..b15c1df609439
--- /dev/null
+++ b/nixos/modules/programs/thunderbird.nix
@@ -0,0 +1,89 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.programs.thunderbird;
+  policyFormat = pkgs.formats.json { };
+  policyDoc = "https://github.com/thunderbird/policy-templates";
+in
+{
+  options.programs.thunderbird = {
+    enable = lib.mkEnableOption "Thunderbird mail client";
+
+    package = lib.mkPackageOption pkgs "thunderbird" { };
+
+    policies = lib.mkOption {
+      type = policyFormat.type;
+      default = { };
+      description = ''
+        Group policies to install.
+
+        See [Thunderbird's documentation](${policyDoc})
+        for a list of available options.
+
+        This can be used to install extensions declaratively! Check out the
+        documentation of the `ExtensionSettings` policy for details.
+
+      '';
+    };
+
+    preferences = lib.mkOption {
+      type =
+        with lib.types;
+        attrsOf (oneOf [
+          bool
+          int
+          str
+        ]);
+      default = { };
+      description = ''
+        Preferences to set from `about:config`.
+
+        Some of these might be able to be configured more ergonomically
+        using policies.
+      '';
+    };
+
+    preferencesStatus = lib.mkOption {
+      type = lib.types.enum [
+        "default"
+        "locked"
+        "user"
+        "clear"
+      ];
+      default = "locked";
+      description = ''
+        The status of `thunderbird.preferences`.
+
+        `status` can assume the following values:
+        - `"default"`: Preferences appear as default.
+        - `"locked"`: Preferences appear as default and can't be changed.
+        - `"user"`: Preferences appear as changed.
+        - `"clear"`: Value has no effect. Resets to factory defaults on each startup.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+
+    environment.etc =
+      let
+        policiesJSON = policyFormat.generate "thunderbird-policies.json" { inherit (cfg) policies; };
+      in
+      lib.mkIf (cfg.policies != { }) { "thunderbird/policies/policies.json".source = policiesJSON; };
+
+    programs.thunderbird.policies = {
+      DisableAppUpdate = true;
+      Preferences = builtins.mapAttrs (_: value: {
+        Value = value;
+        Status = cfg.preferencesStatus;
+      }) cfg.preferences;
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ nydragon ];
+}
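Review bot: The `lib.mkIf (cfg.policies != { })` guard on `environment.etc` is always true once the module is enabled, because the same `config` block unconditionally sets `DisableAppUpdate` and `Preferences` under `programs.thunderbird.policies`; either drop the condition or restructure so the guard is meaningful. `DisableAppUpdate = true` is also set without `lib.mkDefault`, so a user who wants that policy set differently gets a definition conflict rather than an override. Since the generated `policies.json` lives in the world-readable Nix store, the `policies` option description could state that policies carrying secrets (for example proxy or extension credentials) must not be placed here.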
diff --git a/nixos/modules/programs/wayland/hyprland.nix b/nixos/modules/programs/wayland/hyprland.nix
index c963429f2e2a9..f5ca741f94328 100644
--- a/nixos/modules/programs/wayland/hyprland.nix
+++ b/nixos/modules/programs/wayland/hyprland.nix
@@ -1,46 +1,41 @@
-{ config
-, lib
-, pkgs
-, ...
-}:
+{ config, lib, pkgs, ... }:
+
 let
   cfg = config.programs.hyprland;
 
-  finalPortalPackage = cfg.portalPackage.override {
-    hyprland = cfg.finalPackage;
-  };
+  wayland-lib = import ./lib.nix { inherit lib; };
 in
 {
   options.programs.hyprland = {
-    enable = lib.mkEnableOption null // {
-      description = ''
-        Whether to enable Hyprland, the dynamic tiling Wayland compositor that doesn't sacrifice on its looks.
-
-        You can manually launch Hyprland by executing {command}`Hyprland` on a TTY.
-
-        A configuration file will be generated in {file}`~/.config/hypr/hyprland.conf`.
-        See <https://wiki.hyprland.org> for more information.
+    enable = lib.mkEnableOption ''
+      Hyprland, the dynamic tiling Wayland compositor that doesn't sacrifice on its looks.
+      You can manually launch Hyprland by executing {command}`Hyprland` on a TTY.
+      A configuration file will be generated in {file}`~/.config/hypr/hyprland.conf`.
+      See <https://wiki.hyprland.org> for more information'';
+
+    package = lib.mkPackageOption pkgs "hyprland" {
+      extraDescription = ''
+        If the package is not overridable with `enableXWayland`, then the module option
+        {option}`xwayland` will have no effect.
       '';
-    };
-
-    package = lib.mkPackageOption pkgs "hyprland" { };
-
-    finalPackage = lib.mkOption {
-      type = lib.types.package;
-      readOnly = true;
-      default = cfg.package.override {
+    } // {
+      apply = p: wayland-lib.genFinalPackage p {
         enableXWayland = cfg.xwayland.enable;
       };
-      defaultText = lib.literalExpression
-        "`programs.hyprland.package` with applied configuration";
-      description = ''
-        The Hyprland package after applying configuration.
-      '';
     };
 
-    portalPackage = lib.mkPackageOption pkgs "xdg-desktop-portal-hyprland" { };
+    portalPackage = lib.mkPackageOption pkgs "xdg-desktop-portal-hyprland" {
+      extraDescription = ''
+        If the package is not overridable with `hyprland`, then the Hyprland package
+        used by the portal may differ from the one set in the module option {option}`package`.
+      '';
+    } // {
+      apply = p: wayland-lib.genFinalPackage p {
+        hyprland = cfg.package;
+      };
+    };
 
-    xwayland.enable = lib.mkEnableOption ("XWayland") // { default = true; };
+    xwayland.enable = lib.mkEnableOption "XWayland" // { default = true; };
 
     systemd.setPath.enable = lib.mkEnableOption null // {
       default = true;
@@ -53,33 +48,30 @@ in
     };
   };
 
-  config = lib.mkIf cfg.enable {
-    environment.systemPackages = [ cfg.finalPackage ];
-
-    fonts.enableDefaultPackages = lib.mkDefault true;
-    hardware.opengl.enable = lib.mkDefault true;
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    {
+      environment.systemPackages = [ cfg.package ];
 
-    programs = {
-      dconf.enable = lib.mkDefault true;
-      xwayland.enable = lib.mkDefault cfg.xwayland.enable;
-    };
-
-    security.polkit.enable = true;
+      # To make a Hyprland session available if a display manager like SDDM is enabled:
+      services.displayManager.sessionPackages = [ cfg.package ];
 
-    services.displayManager.sessionPackages = [ cfg.finalPackage ];
+      xdg.portal = {
+        extraPortals = [ cfg.portalPackage ];
+        configPackages = lib.mkDefault [ cfg.package ];
+      };
 
-    xdg.portal = {
-      enable = lib.mkDefault true;
-      extraPortals = [ finalPortalPackage ];
-      configPackages = lib.mkDefault [ cfg.finalPackage ];
-    };
+      systemd = lib.mkIf cfg.systemd.setPath.enable {
+        user.extraConfig = ''
+          DefaultEnvironment="PATH=$PATH:/run/current-system/sw/bin:/etc/profiles/per-user/%u/bin:/run/wrappers/bin"
+        '';
+      };
+    }
 
-    systemd = lib.mkIf cfg.systemd.setPath.enable {
-      user.extraConfig = ''
-        DefaultEnvironment="PATH=$PATH:/run/current-system/sw/bin:/etc/profiles/per-user/%u/bin:/run/wrappers/bin"
-      '';
-    };
-  };
+    (import ./wayland-session.nix {
+      inherit lib pkgs;
+      xwayland = cfg.xwayland.enable;
+    })
+  ]);
 
   imports = [
     (lib.mkRemovedOptionModule
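Review bot: Importing `./wayland-session.nix` into the Hyprland config pulls in settings that were written for wlroots-style sessions: `security.pam.services.swaylock` and `xdg.portal.wlr.enable = lib.mkDefault true` (see the new wayland-session.nix in this commit), so Hyprland systems now get xdg-desktop-portal-wlr alongside `cfg.portalPackage`. If that is intended, a comment at the import saying so would help; otherwise the shared module needs a parameter to opt out of the wlr portal. The old explicit `xdg.portal.enable = lib.mkDefault true;` is gone as well, so portal activation now presumably relies on the wlr portal module enabling it — worth confirming. `imports` continues outside the hunk.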
diff --git a/nixos/modules/programs/wayland/hyprlock.nix b/nixos/modules/programs/wayland/hyprlock.nix
new file mode 100644
index 0000000000000..6c60765e80cc7
--- /dev/null
+++ b/nixos/modules/programs/wayland/hyprlock.nix
@@ -0,0 +1,25 @@
+{ lib, pkgs, config, ... }:
+
+let
+  cfg = config.programs.hyprlock;
+in
+{
+  options.programs.hyprlock = {
+    enable = lib.mkEnableOption "hyprlock, Hyprland's GPU-accelerated screen locking utility";
+    package = lib.mkPackageOption pkgs "hyprlock" { };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [
+      cfg.package
+    ];
+
+    # Hyprlock needs Hypridle systemd service to be running to detect idle time
+    services.hypridle.enable = true;
+
+    # Hyprlock needs PAM access to authenticate, else it fallbacks to su
+    security.pam.services.hyprlock = {};
+  };
+
+  meta.maintainers = with lib.maintainers; [ johnrtitor ];
+}
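Review bot: `services.hypridle.enable = true;` is forced rather than defaulted, so a user who runs hyprlock without hypridle cannot disable the service without a definition conflict; `services.hypridle.enable = lib.mkDefault true;` keeps the convenience while leaving it overridable. The comment above the PAM entry reads awkwardly; suggest `# Hyprlock authenticates through PAM; without this service entry it falls back to su`. Since this PAM service gates unlocking the session, leaving it at the empty default (the standard system auth stack) is the right choice.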
diff --git a/nixos/modules/programs/wayland/lib.nix b/nixos/modules/programs/wayland/lib.nix
new file mode 100644
index 0000000000000..0f275d3f18c56
--- /dev/null
+++ b/nixos/modules/programs/wayland/lib.nix
@@ -0,0 +1,12 @@
+{ lib }:
+
+{
+  genFinalPackage = pkg: args:
+    let
+      expectedArgs = with lib;
+        lib.naturalSort (lib.attrNames args);
+      existingArgs = with lib;
+        naturalSort (intersectLists expectedArgs (attrNames (functionArgs pkg.override)));
+    in
+      if existingArgs != expectedArgs then pkg else pkg.override args;
+}
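Review bot: `functionArgs pkg.override` throws when `pkg` has no `override` attribute (a plain derivation or a wrapper that does not expose one), so the "return the package unchanged" fallback is never reached for exactly the packages it is meant for; `existingArgs = with lib; naturalSort (intersectLists expectedArgs (attrNames (functionArgs (pkg.override or (_: { })))));` makes the fallback actually apply. The `with lib;` on `expectedArgs` is redundant since both calls there are already `lib.`-qualified. Because the fallback is silent, a user setting e.g. `xwayland.enable = false` on a non-overridable package gets no indication that the option was ignored; wrapping the result in `lib.warnIf (existingArgs != expectedArgs) "<message>"` would surface that at evaluation time.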
diff --git a/nixos/modules/programs/wayland/river.nix b/nixos/modules/programs/wayland/river.nix
index 6f8bafb155064..0980bd28cf828 100644
--- a/nixos/modules/programs/wayland/river.nix
+++ b/nixos/modules/programs/wayland/river.nix
@@ -1,37 +1,40 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
+{ config, lib, pkgs, ... }:
+
 let
   cfg = config.programs.river;
-in {
+
+  wayland-lib = import ./lib.nix { inherit lib; };
+in
+{
   options.programs.river = {
     enable = lib.mkEnableOption "river, a dynamic tiling Wayland compositor";
 
     package = lib.mkPackageOption pkgs "river" {
       nullable = true;
       extraDescription = ''
+        If the package is not overridable with `xwaylandSupport`, then the module option
+        {option}`xwayland` will have no effect.
+
         Set to `null` to not add any River package to your path.
         This should be done if you want to use the Home Manager River module to install River.
       '';
+    } // {
+      apply = p: if p == null then null else
+        wayland-lib.genFinalPackage p {
+          xwaylandSupport = cfg.xwayland.enable;
+        };
     };
 
+    xwayland.enable = lib.mkEnableOption "XWayland" // { default = true; };
+
     extraPackages = lib.mkOption {
       type = with lib.types; listOf package;
-      default = with pkgs; [
-        swaylock
-        foot
-        dmenu
-      ];
+      default = with pkgs; [ swaylock foot dmenu ];
       defaultText = lib.literalExpression ''
         with pkgs; [ swaylock foot dmenu ];
       '';
       example = lib.literalExpression ''
-        with pkgs; [
-          termite rofi light
-        ]
+        with pkgs; [ termite rofi light ]
       '';
       description = ''
         Extra packages to be installed system wide. See
@@ -41,19 +44,22 @@ in {
     };
   };
 
-  config =
-    lib.mkIf cfg.enable (lib.mkMerge [
-      {
-        environment.systemPackages = lib.optional (cfg.package != null) cfg.package ++ cfg.extraPackages;
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    {
+      environment.systemPackages = lib.optional (cfg.package != null) cfg.package ++ cfg.extraPackages;
+
+      # To make a river session available if a display manager like SDDM is enabled:
+      services.displayManager.sessionPackages = lib.optional (cfg.package != null) cfg.package;
 
-        # To make a river session available if a display manager like SDDM is enabled:
-        services.displayManager.sessionPackages = lib.optionals (cfg.package != null) [ cfg.package ];
+      # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050913
+      xdg.portal.config.river.default = lib.mkDefault [ "wlr" "gtk" ];
+    }
 
-        # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050913
-        xdg.portal.config.river.default = lib.mkDefault [ "wlr" "gtk" ];
-      }
-      (import ./wayland-session.nix { inherit lib pkgs; })
-    ]);
+    (import ./wayland-session.nix {
+      inherit lib pkgs;
+      xwayland = cfg.xwayland.enable;
+    })
+  ]);
 
   meta.maintainers = with lib.maintainers; [ GaetanLepage ];
 }
diff --git a/nixos/modules/programs/wayland/sway.nix b/nixos/modules/programs/wayland/sway.nix
index cec634b6b0338..31821a84a5bd7 100644
--- a/nixos/modules/programs/wayland/sway.nix
+++ b/nixos/modules/programs/wayland/sway.nix
@@ -1,52 +1,11 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 let
   cfg = config.programs.sway;
 
-  wrapperOptions = lib.types.submodule {
-    options =
-      let
-        mkWrapperFeature  = default: description: lib.mkOption {
-          type = lib.types.bool;
-          inherit default;
-          example = !default;
-          description = "Whether to make use of the ${description}";
-        };
-      in {
-        base = mkWrapperFeature true ''
-          base wrapper to execute extra session commands and prepend a
-          dbus-run-session to the sway command.
-        '';
-        gtk = mkWrapperFeature false ''
-          wrapGAppsHook wrapper to execute sway with required environment
-          variables for GTK applications.
-        '';
-    };
-  };
-
-  genFinalPackage = pkg:
-    let
-      expectedArgs = lib.naturalSort [
-        "extraSessionCommands"
-        "extraOptions"
-        "withBaseWrapper"
-        "withGtkWrapper"
-        "isNixOS"
-      ];
-      existedArgs = with lib;
-        naturalSort
-        (intersectLists expectedArgs (attrNames (functionArgs pkg.override)));
-    in if existedArgs != expectedArgs then
-      pkg
-    else
-      pkg.override {
-        extraSessionCommands = cfg.extraSessionCommands;
-        extraOptions = cfg.extraOptions;
-        withBaseWrapper = cfg.wrapperFeatures.base;
-        withGtkWrapper = cfg.wrapperFeatures.gtk;
-        isNixOS = true;
-      };
-in {
+  wayland-lib = import ./lib.nix { inherit lib; };
+in
+{
   options.programs.sway = {
     enable = lib.mkEnableOption ''
       Sway, the i3-compatible tiling Wayland compositor. You can manually launch
@@ -55,28 +14,36 @@ in {
       <https://github.com/swaywm/sway/wiki> and
       "man 5 sway" for more information'';
 
-    package = lib.mkOption {
-      type = with lib.types; nullOr package;
-      default = pkgs.sway;
-      apply = p: if p == null then null else genFinalPackage p;
-      defaultText = lib.literalExpression "pkgs.sway";
-      description = ''
-        Sway package to use. If the package does not contain the override arguments
-        `extraSessionCommands`, `extraOptions`, `withBaseWrapper`, `withGtkWrapper`,
-        `isNixOS`, then the module options {option}`wrapperFeatures`,
-        {option}`wrapperFeatures` and {option}`wrapperFeatures` will have no effect.
-        Set to `null` to not add any Sway package to your path. This should be done if
-        you want to use the Home Manager Sway module to install Sway.
+    package = lib.mkPackageOption pkgs "sway" {
+      nullable = true;
+      extraDescription = ''
+        If the package is not overridable with `extraSessionCommands`, `extraOptions`,
+        `withBaseWrapper`, `withGtkWrapper`, `enableXWayland` and `isNixOS`,
+        then the module options {option}`wrapperFeatures`, {option}`extraSessionCommands`,
+        {option}`extraOptions` and {option}`xwayland` will have no effect.
+
+        Set to `null` to not add any Sway package to your path.
+        This should be done if you want to use the Home Manager Sway module to install Sway.
       '';
+    } // {
+      apply = p: if p == null then null else
+        wayland-lib.genFinalPackage p {
+          extraSessionCommands = cfg.extraSessionCommands;
+          extraOptions = cfg.extraOptions;
+          withBaseWrapper = cfg.wrapperFeatures.base;
+          withGtkWrapper = cfg.wrapperFeatures.gtk;
+          enableXWayland = cfg.xwayland.enable;
+          isNixOS = true;
+        };
     };
 
-    wrapperFeatures = lib.mkOption {
-      type = wrapperOptions;
-      default = { };
-      example = { gtk = true; };
-      description = ''
-        Attribute set of features to enable in the wrapper.
-      '';
+    wrapperFeatures = {
+      base = lib.mkEnableOption ''
+        the base wrapper to execute extra session commands and prepend a
+        dbus-run-session to the sway command'' // { default = true; };
+      gtk = lib.mkEnableOption ''
+        the wrapGAppsHook wrapper to execute sway with required environment
+        variables for GTK applications'';
     };
 
     extraSessionCommands = lib.mkOption {
@@ -114,19 +81,16 @@ in {
       '';
     };
 
+    xwayland.enable = lib.mkEnableOption "XWayland" // { default = true; };
+
     extraPackages = lib.mkOption {
       type = with lib.types; listOf package;
-      default = with pkgs; [
-        swaylock swayidle foot dmenu wmenu
-      ];
+      default = with pkgs; [ swaylock swayidle foot dmenu wmenu ];
       defaultText = lib.literalExpression ''
         with pkgs; [ swaylock swayidle foot dmenu wmenu ];
       '';
       example = lib.literalExpression ''
-        with pkgs; [
-          i3status i3status-rust
-          termite rofi light
-        ]
+        with pkgs; [ i3status i3status-rust termite rofi light ]
       '';
       description = ''
         Extra packages to be installed system wide. See
@@ -135,46 +99,50 @@ in {
         for a list of useful software.
       '';
     };
-
   };
 
-  config = lib.mkIf cfg.enable
-    (lib.mkMerge [
-      {
-        assertions = [
-          {
-            assertion = cfg.extraSessionCommands != "" -> cfg.wrapperFeatures.base;
-            message = ''
-              The extraSessionCommands for Sway will not be run if
-              wrapperFeatures.base is disabled.
-            '';
-          }
-        ];
-
-        environment = {
-          systemPackages = lib.optional (cfg.package != null) cfg.package ++ cfg.extraPackages;
-          # Needed for the default wallpaper:
-          pathsToLink = lib.optionals (cfg.package != null) [ "/share/backgrounds/sway" ];
-          etc = {
-            "sway/config.d/nixos.conf".source = pkgs.writeText "nixos.conf" ''
-              # Import the most important environment variables into the D-Bus and systemd
-              # user environments (e.g. required for screen sharing and Pinentry prompts):
-              exec dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP
-            '';
-          } // lib.optionalAttrs (cfg.package != null) {
-            "sway/config".source = lib.mkOptionDefault "${cfg.package}/etc/sway/config";
-          };
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    {
+      assertions = [
+        {
+          assertion = cfg.extraSessionCommands != "" -> cfg.wrapperFeatures.base;
+          message = ''
+            The extraSessionCommands for Sway will not be run if wrapperFeatures.base is disabled.
+          '';
+        }
+      ];
+
+      environment = {
+        systemPackages = lib.optional (cfg.package != null) cfg.package ++ cfg.extraPackages;
+
+        # Needed for the default wallpaper:
+        pathsToLink = lib.optional (cfg.package != null) "/share/backgrounds/sway";
+
+        etc = {
+          "sway/config.d/nixos.conf".source = pkgs.writeText "nixos.conf" ''
+            # Import the most important environment variables into the D-Bus and systemd
+            # user environments (e.g. required for screen sharing and Pinentry prompts):
+            exec dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP
+          '';
+        } // lib.optionalAttrs (cfg.package != null) {
+          "sway/config".source = lib.mkOptionDefault "${cfg.package}/etc/sway/config";
         };
+      };
+
+      programs.gnupg.agent.pinentryPackage = lib.mkDefault pkgs.pinentry-gnome3;
 
-        programs.gnupg.agent.pinentryPackage = lib.mkDefault pkgs.pinentry-gnome3;
+      # To make a Sway session available if a display manager like SDDM is enabled:
+      services.displayManager.sessionPackages = lib.optional (cfg.package != null) cfg.package;
 
-        # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050913
-        xdg.portal.config.sway.default = lib.mkDefault [ "wlr" "gtk" ];
+      # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050913
+      xdg.portal.config.sway.default = lib.mkDefault [ "wlr" "gtk" ];
+    }
 
-        # To make a Sway session available if a display manager like SDDM is enabled:
-        services.displayManager.sessionPackages = lib.optionals (cfg.package != null) [ cfg.package ]; }
-      (import ./wayland-session.nix { inherit lib pkgs; })
-    ]);
+    (import ./wayland-session.nix {
+      inherit lib pkgs;
+      xwayland = cfg.xwayland.enable;
+    })
+  ]);
 
   meta.maintainers = with lib.maintainers; [ primeos colemickens ];
 }
diff --git a/nixos/modules/programs/wayland/wayland-session.nix b/nixos/modules/programs/wayland/wayland-session.nix
index 47ee0788e0f38..e9c12da156abc 100644
--- a/nixos/modules/programs/wayland/wayland-session.nix
+++ b/nixos/modules/programs/wayland/wayland-session.nix
@@ -1,23 +1,18 @@
-{ lib, pkgs, ... }: {
-    security = {
-      polkit.enable = true;
-      pam.services.swaylock = {};
-    };
+{ lib, pkgs, xwayland ? true }:
 
-    hardware.opengl.enable = lib.mkDefault true;
-    fonts.enableDefaultPackages = lib.mkDefault true;
+{
+  security = {
+    polkit.enable = true;
+    pam.services.swaylock = {};
+  };
 
-    programs = {
-      dconf.enable = lib.mkDefault true;
-      xwayland.enable = lib.mkDefault true;
-    };
+  hardware.opengl.enable = lib.mkDefault true;
+  fonts.enableDefaultPackages = lib.mkDefault true;
 
-    xdg.portal = {
-      enable = lib.mkDefault true;
+  programs = {
+    dconf.enable = lib.mkDefault true;
+    xwayland.enable = lib.mkDefault xwayland;
+  };
 
-      extraPortals = [
-        # For screen sharing
-        pkgs.xdg-desktop-portal-wlr
-      ];
-    };
+  xdg.portal.wlr.enable = lib.mkDefault true;
 }
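Review bot: `pkgs` is now an unused parameter: its only use, `pkgs.xdg-desktop-portal-wlr` in `extraPortals`, was replaced by `xdg.portal.wlr.enable`, while every caller in this commit still passes `inherit lib pkgs;`. Either keep it deliberately with a comment or drop it from the signature and the three call sites. The signature also lost `...`, so any extra argument from a future caller now fails at evaluation — fine if intentional, but a one-line comment would make that explicit. Note that `security.pam.services.swaylock = {}` is now applied to every compositor importing this file, including Hyprland, which registers a PAM service for a locker that may not be installed there.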
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 01985995a651d..d4661a19188c8 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -40,12 +40,16 @@ in
     (mkRemovedOptionModule [ "networking" "vpnc" ] "Use environment.etc.\"vpnc/service.conf\" instead.")
     (mkRemovedOptionModule [ "networking" "wicd" ] "The corresponding package was removed from nixpkgs.")
     (mkRemovedOptionModule [ "programs" "gnome-documents" ] "The corresponding package was removed from nixpkgs.")
+    (mkRemovedOptionModule [ "programs" "pantheon-tweaks" ] ''
+      pantheon-tweaks is no longer a switchboard plugin but an independent app,
+      adding the package to environment.systemPackages is sufficient.
+    '')
     (mkRemovedOptionModule [ "programs" "tilp2" ] "The corresponding package was removed from nixpkgs.")
     (mkRemovedOptionModule [ "programs" "way-cooler" ] ("way-cooler is abandoned by its author: " +
       "https://way-cooler.org/blog/2020/01/09/way-cooler-post-mortem.html"))
     (mkRemovedOptionModule [ "security" "hideProcessInformation" ] ''
-        The hidepid module was removed, since the underlying machinery
-        is broken when using cgroups-v2.
+      The hidepid module was removed, since the underlying machinery
+      is broken when using cgroups-v2.
     '')
     (mkRemovedOptionModule [ "services" "baget" "enable" ] "The baget module was removed due to the upstream package being unmaintained.")
     (mkRemovedOptionModule [ "services" "beegfs" ] "The BeeGFS module has been removed")
diff --git a/nixos/modules/services/audio/mopidy.nix b/nixos/modules/services/audio/mopidy.nix
index 1d6c45b64a16c..198ca74359dc1 100644
--- a/nixos/modules/services/audio/mopidy.nix
+++ b/nixos/modules/services/audio/mopidy.nix
@@ -78,6 +78,7 @@ in {
     systemd.services.mopidy = {
       wantedBy = [ "multi-user.target" ];
       after = [ "network-online.target" "sound.target" ];
+      wants = [ "network-online.target" ];
       description = "mopidy music player daemon";
       serviceConfig = {
         ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)}";
diff --git a/nixos/modules/services/audio/navidrome.nix b/nixos/modules/services/audio/navidrome.nix
index ca1cd6ca43af0..a9db9228827a2 100644
--- a/nixos/modules/services/audio/navidrome.nix
+++ b/nixos/modules/services/audio/navidrome.nix
@@ -6,8 +6,18 @@
 }:
 
 let
-  inherit (lib) mkEnableOption mkPackageOption mkOption maintainers;
-  inherit (lib.types) bool str;
+  inherit (lib)
+    mkEnableOption
+    mkPackageOption
+    mkOption
+    maintainers
+    ;
+  inherit (lib.types)
+    bool
+    port
+    str
+    submodule
+    ;
   cfg = config.services.navidrome;
   settingsFormat = pkgs.formats.json { };
 in
@@ -20,11 +30,24 @@ in
       package = mkPackageOption pkgs "navidrome" { };
 
       settings = mkOption {
-        type = settingsFormat.type;
-        default = {
-          Address = "127.0.0.1";
-          Port = 4533;
+        type = submodule {
+          freeformType = settingsFormat.type;
+
+          options = {
+            Address = mkOption {
+              default = "127.0.0.1";
+              description = "Address to run Navidrome on.";
+              type = str;
+            };
+
+            Port = mkOption {
+              default = 4533;
+              description = "Port to run Navidrome on.";
+              type = port;
+            };
+          };
         };
+        default = { };
         example = {
           MusicFolder = "/mnt/music";
         };
@@ -134,5 +157,5 @@ in
 
       networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.Port ];
     };
-    meta.maintainers = with maintainers; [ nu-nu-ko ];
+  meta.maintainers = with maintainers; [ nu-nu-ko ];
 }
diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix
index 04f971008073e..a3c0715c9e607 100644
--- a/nixos/modules/services/backup/borgbackup.nix
+++ b/nixos/modules/services/backup/borgbackup.nix
@@ -361,7 +361,7 @@ in {
             type = types.bool;
             example = true;
             description = ''
-              Set the `persistentTimer` option for the
+              Set the `Persistent` option for the
               {manpage}`systemd.timer(5)`
               which triggers the backup immediately if the last trigger
               was missed (e.g. if the system was powered down).
diff --git a/nixos/modules/services/cluster/rke2/default.nix b/nixos/modules/services/cluster/rke2/default.nix
new file mode 100644
index 0000000000000..9ddbd299fdf8d
--- /dev/null
+++ b/nixos/modules/services/cluster/rke2/default.nix
@@ -0,0 +1,311 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.rke2;
+in
+{
+  imports = [ ];
+
+  options.services.rke2 = {
+    enable = mkEnableOption "rke2";
+
+    package = mkPackageOption pkgs "rke2" { };
+
+    role = mkOption {
+      type = types.enum [ "server" "agent" ];
+      description = ''
+        Whether rke2 should run as a server or agent.
+
+        If it's a server:
+
+        - By default it also runs workloads as an agent.
+        - any optionals is allowed.
+
+        If it's an agent:
+
+        - `serverAddr` is required.
+        - `token` or `tokenFile` is required.
+        - `agentToken` or `agentTokenFile` or `disable` or `cni` are not allowed.
+      '';
+      default = "server";
+    };
+
+    configPath = mkOption {
+      type = types.path;
+      description = "Load configuration from FILE.";
+      default = "/etc/rancher/rke2/config.yaml";
+    };
+
+    debug = mkOption {
+      type = types.bool;
+      description = "Turn on debug logs.";
+      default = false;
+    };
+
+    dataDir = mkOption {
+      type = types.path;
+      description = "The folder to hold state in.";
+      default = "/var/lib/rancher/rke2";
+    };
+
+    token = mkOption {
+      type = types.str;
+      description = ''
+        Shared secret used to join a server or agent to a cluster.
+
+        > WARNING: This option will expose store your token unencrypted world-readable in the nix store.
+        If this is undesired use the `tokenFile` option instead.
+      '';
+      default = "";
+    };
+
+    tokenFile = mkOption {
+      type = types.nullOr types.path;
+      description = "File path containing rke2 token to use when connecting to the server.";
+      default = null;
+    };
+
+    disable = mkOption {
+      type = types.listOf types.str;
+      description = "Do not deploy packaged components and delete any deployed components.";
+      default = [ ];
+    };
+
+    nodeName = mkOption {
+      type = types.nullOr types.str;
+      description = "Node name.";
+      default = null;
+    };
+
+    nodeLabel = mkOption {
+      type = types.listOf types.str;
+      description = "Registering and starting kubelet with set of labels.";
+      default = [ ];
+    };
+
+    nodeTaint = mkOption {
+      type = types.listOf types.str;
+      description = "Registering kubelet with set of taints.";
+      default = [ ];
+    };
+
+    nodeIP = mkOption {
+      type = types.nullOr types.str;
+      description = "IPv4/IPv6 addresses to advertise for node.";
+      default = null;
+    };
+
+    agentToken = mkOption {
+      type = types.str;
+      description = ''
+        Shared secret used to join agents to the cluster, but not servers.
+
+        > **WARNING**: This option will expose store your token unencrypted world-readable in the nix store.
+        If this is undesired use the `agentTokenFile` option instead.
+      '';
+      default = "";
+    };
+
+    agentTokenFile = mkOption {
+      type = types.nullOr types.path;
+      description = "File path containing rke2 agent token to use when connecting to the server.";
+      default = null;
+    };
+
+    serverAddr = mkOption {
+      type = types.str;
+      description = "The rke2 server to connect to, used to join a cluster.";
+      example = "https://10.0.0.10:6443";
+      default = "";
+    };
+
+    selinux = mkOption {
+      type = types.bool;
+      description = "Enable SELinux in containerd.";
+      default = false;
+    };
+
+    cni = mkOption {
+      type = types.enum [ "none" "canal" "cilium" "calico" "flannel" ];
+      description = ''
+        CNI Plugins to deploy, one of `none`, `calico`, `canal`, `cilium` or `flannel`.
+
+        All CNI plugins get installed via a helm chart after the main components are up and running
+        and can be [customized by modifying the helm chart options](https://docs.rke2.io/helm).
+
+        [Learn more about RKE2 and CNI plugins](https://docs.rke2.io/networking/basic_network_options)
+
+        > **WARNING**: Flannel support in RKE2 is currently experimental.
+      '';
+      default = "canal";
+    };
+
+    cisHardening = mkOption {
+      type = types.bool;
+      description = ''
+        Enable CIS Hardening for RKE2.
+
+        It will set the configurations and controls required to address Kubernetes benchmark controls
+        from the Center for Internet Security (CIS).
+
+        Learn more about [CIS Hardening for RKE2](https://docs.rke2.io/security/hardening_guide).
+
+        > **NOTICE**:
+        >
+        > You may need restart the `systemd-sysctl` muaually by:
+        >
+        > ```shell
+        > sudo systemctl restart systemd-sysctl
+        > ```
+      '';
+      default = false;
+    };
+
+    extraFlags = mkOption {
+      type = types.listOf types.str;
+      description = ''
+        Extra flags to pass to the rke2 service/agent.
+
+        Here you can find all the available flags:
+
+        - [Server Configuration Reference](https://docs.rke2.io/reference/server_config)
+        - [Agent Configuration Reference](https://docs.rke2.io/reference/linux_agent_config)
+      '';
+      example = [ "--disable-kube-proxy" "--cluster-cidr=10.24.0.0/16" ];
+      default = [ ];
+    };
+
+    environmentVars = mkOption {
+      type = types.attrsOf types.str;
+      description = ''
+        Environment variables for configuring the rke2 service/agent.
+
+        Here you can find all the available environment variables:
+
+        - [Server Configuration Reference](https://docs.rke2.io/reference/server_config)
+        - [Agent Configuration Reference](https://docs.rke2.io/reference/linux_agent_config)
+
+        Besides the options above, you can also active environment variables by edit/create those files:
+
+        - `/etc/default/rke2`
+        - `/etc/sysconfig/rke2`
+        - `/usr/local/lib/systemd/system/rke2.env`
+      '';
+      # See: https://github.com/rancher/rke2/blob/master/bundle/lib/systemd/system/rke2-server.env#L1
+      default = {
+        HOME = "/root";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.role == "agent" -> (builtins.pathExists cfg.configPath || cfg.serverAddr != "");
+        message = "serverAddr or configPath (with 'server' key) should be set if role is 'agent'";
+      }
+      {
+        assertion = cfg.role == "agent" -> (builtins.pathExists cfg.configPath || cfg.tokenFile != null || cfg.token != "");
+        message = "token or tokenFile or configPath (with 'token' or 'token-file' keys) should be set if role is 'agent'";
+      }
+      {
+        assertion = cfg.role == "agent" -> ! (cfg.agentTokenFile != null || cfg.agentToken != "");
+        message = "agentToken or agentTokenFile should be set if role is 'agent'";
+      }
+      {
+        assertion = cfg.role == "agent" -> ! (cfg.disable != [ ]);
+        message = "disable should not be set if role is 'agent'";
+      }
+      {
+        assertion = cfg.role == "agent" -> ! (cfg.cni != "canal");
+        message = "cni should not be set if role is 'agent'";
+      }
+    ];
+
+    environment.systemPackages = [ config.services.rke2.package ];
+    # To configure NetworkManager to ignore calico/flannel related network interfaces.
+    # See: https://docs.rke2.io/known_issues#networkmanager
+    environment.etc."NetworkManager/conf.d/rke2-canal.conf" = {
+      enable = config.networking.networkmanager.enable;
+      text = ''
+        [keyfile]
+        unmanaged-devices=interface-name:cali*;interface-name:flannel*
+      '';
+    };
+    # See: https://docs.rke2.io/security/hardening_guide#set-kernel-parameters
+    boot.kernel.sysctl = mkIf cfg.cisHardening {
+      "vm.panic_on_oom" = 0;
+      "vm.overcommit_memory" = 1;
+      "kernel.panic" = 10;
+      "kernel.panic_on_oops" = 1;
+    };
+
+    systemd.services.rke2 = {
+      description = "Rancher Kubernetes Engine v2";
+      documentation = [ "https://github.com/rancher/rke2#readme" ];
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = if cfg.role == "agent" then "exec" else "notify";
+        EnvironmentFile = [
+          "-/etc/default/%N"
+          "-/etc/sysconfig/%N"
+          "-/usr/local/lib/systemd/system/%N.env"
+        ];
+        Environment = mapAttrsToList (k: v: "${k}=${v}") cfg.environmentVars;
+        KillMode = "process";
+        Delegate = "yes";
+        LimitNOFILE = 1048576;
+        LimitNPROC = "infinity";
+        LimitCORE = "infinity";
+        TasksMax = "infinity";
+        TimeoutStartSec = 0;
+        Restart = "always";
+        RestartSec = "5s";
+        ExecStartPre = [
+          # There is a conflict between RKE2 and `nm-cloud-setup.service`. This service add a routing table that
+          # interfere with the CNI plugin's configuration. This script checks if the service is enabled and if so,
+          # failed the RKE2 start.
+          # See: https://github.com/rancher/rke2/issues/1053
+          (pkgs.writeScript "check-nm-cloud-setup.sh" ''
+            #! ${pkgs.runtimeShell}
+            set -x
+            ! /run/current-system/systemd/bin/systemctl is-enabled --quiet nm-cloud-setup.service
+          '')
+          "-${pkgs.kmod}/bin/modprobe br_netfilter"
+          "-${pkgs.kmod}/bin/modprobe overlay"
+        ];
+        ExecStart = "${cfg.package}/bin/rke2 '${cfg.role}' ${escapeShellArgs (
+             (optional (cfg.configPath != "/etc/rancher/rke2/config.yaml") "--config=${cfg.configPath}")
+          ++ (optional cfg.debug "--debug")
+          ++ (optional (cfg.dataDir != "/var/lib/rancher/rke2") "--data-dir=${cfg.dataDir}")
+          ++ (optional (cfg.token != "") "--token=${cfg.token}")
+          ++ (optional (cfg.tokenFile != null) "--token-file=${cfg.tokenFile}")
+          ++ (optionals (cfg.role == "server" && cfg.disable != [ ]) (map (d: "--disable=${d}") cfg.disable))
+          ++ (optional (cfg.nodeName != null) "--node-name=${cfg.nodeName}")
+          ++ (optionals (cfg.nodeLabel != [ ]) (map (l: "--node-label=${l}") cfg.nodeLabel))
+          ++ (optionals (cfg.nodeTaint != [ ]) (map (t: "--node-taint=${t}") cfg.nodeTaint))
+          ++ (optional (cfg.nodeIP != null) "--node-ip=${cfg.nodeIP}")
+          ++ (optional (cfg.role == "server" && cfg.agentToken != "") "--agent-token=${cfg.agentToken}")
+          ++ (optional (cfg.role == "server" && cfg.agentTokenFile != null) "--agent-token-file=${cfg.agentTokenFile}")
+          ++ (optional (cfg.serverAddr != "") "--server=${cfg.serverAddr}")
+          ++ (optional cfg.selinux "--selinux")
+          ++ (optional (cfg.role == "server" && cfg.cni != "canal") "--cni=${cfg.cni}")
+          ++ (optional cfg.cisHardening "--profile=${if cfg.package.version >= "1.25" then "cis-1.23" else "cis-1.6"}")
+          ++ cfg.extraFlags
+        )}";
+        ExecStopPost = let
+          killProcess = pkgs.writeScript "kill-process.sh" ''
+            #! ${pkgs.runtimeShell}
+            /run/current-system/systemd/bin/systemd-cgls /system.slice/$1 | \
+            ${pkgs.gnugrep}/bin/grep -Eo '[0-9]+ (containerd|kubelet)' | \
+            ${pkgs.gawk}/bin/awk '{print $1}' | \
+            ${pkgs.findutils}/bin/xargs -r ${pkgs.util-linux}/bin/kill
+          '';
+        in "-${killProcess} %n";
+      };
+    };
+  };
+}
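Review bot: The `token` and `agentToken` literals are interpolated straight into the unit's command line at `--token=${cfg.token}` and `--agent-token=${cfg.agentToken}`, so in addition to sitting world-readable in the Nix store (which the option text warns about, with the garbled phrase "expose store your token") they are visible to every local user via `/proc/<pid>/cmdline`, `ps` and `systemctl show rke2`; the descriptions should say so, or the module should write the literal to a file and pass `--token-file`, which the `tokenFile`/`agentTokenFile` options already support. The third assertion's message, `message = "agentToken or agentTokenFile should be set if role is 'agent'"`, is inverted relative to its condition, which rejects agents that set them; it should read `message = "agentToken or agentTokenFile should not be set if role is 'agent'"`. The `builtins.pathExists cfg.configPath` checks in the first two assertions run on the machine evaluating the configuration, not on the target, so for remote or flake-based deployments they pass or fail against the wrong filesystem and the assertions give a false sense of validation. Finally, `cfg.package.version >= "1.25"` is a lexicographic string comparison in Nix; `lib.versionAtLeast cfg.package.version "1.25"` is the intended check.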
diff --git a/nixos/modules/services/continuous-integration/hydra/default.nix b/nixos/modules/services/continuous-integration/hydra/default.nix
index 23f07eb64b92d..b516c3d6192cb 100644
--- a/nixos/modules/services/continuous-integration/hydra/default.nix
+++ b/nixos/modules/services/continuous-integration/hydra/default.nix
@@ -335,7 +335,7 @@ in
           mkdir -m 0700 -p ${baseDir}/queue-runner
           mkdir -m 0750 -p ${baseDir}/build-logs
           mkdir -m 0750 -p ${baseDir}/runcommand-logs
-          chown hydra-queue-runner.hydra \
+          chown hydra-queue-runner:hydra \
             ${baseDir}/queue-runner \
             ${baseDir}/build-logs \
             ${baseDir}/runcommand-logs
diff --git a/nixos/modules/services/desktop-managers/lomiri.nix b/nixos/modules/services/desktop-managers/lomiri.nix
index e11867b691071..214ec17e0dc43 100644
--- a/nixos/modules/services/desktop-managers/lomiri.nix
+++ b/nixos/modules/services/desktop-managers/lomiri.nix
@@ -34,10 +34,11 @@ in {
         morph-browser
         qtmir # not having its desktop file for Xwayland available causes any X11 application to crash the session
         suru-icon-theme
-        telephony-service
+        # telephony-service # currently broken: https://github.com/NixOS/nixpkgs/pull/314043
       ]);
     };
 
+    hardware.pulseaudio.enable = lib.mkDefault true;
     networking.networkmanager.enable = lib.mkDefault true;
 
     systemd.packages = with pkgs.lomiri; [
@@ -71,10 +72,14 @@ in {
       enable = true;
       packages = (with pkgs; [
         ayatana-indicator-datetime
+        ayatana-indicator-display
         ayatana-indicator-messages
+        ayatana-indicator-power
         ayatana-indicator-session
+      ] ++ lib.optionals (config.hardware.pulseaudio.enable || config.services.pipewire.pulse.enable) [
+        ayatana-indicator-sound
       ]) ++ (with pkgs.lomiri; [
-        telephony-service
+        # telephony-service # currently broken: https://github.com/NixOS/nixpkgs/pull/314043
       ] ++ lib.optionals config.networking.networkmanager.enable [
         lomiri-indicator-network
       ]);
diff --git a/nixos/modules/services/desktop-managers/plasma6.nix b/nixos/modules/services/desktop-managers/plasma6.nix
index 842b0716b928d..83f6b5bc0ea10 100644
--- a/nixos/modules/services/desktop-managers/plasma6.nix
+++ b/nixos/modules/services/desktop-managers/plasma6.nix
@@ -60,10 +60,8 @@ in {
     qt.enable = true;
     environment.systemPackages = with kdePackages; let
       requiredPackages = [
-        # Hack? To make everything run on Wayland
-        qtwayland
-        # Needed to render SVG icons
-        qtsvg
+        qtwayland # Hack? To make everything run on Wayland
+        qtsvg # Needed to render SVG icons
 
         # Frameworks with globally loadable bits
         frameworkintegration # provides Qt plugin
@@ -75,6 +73,9 @@ in {
         kiconthemes # provides Qt plugins
         kimageformats # provides Qt plugins
         kio # provides helper service + a bunch of other stuff
+        kio-admin # managing files as admin
+        kio-extras # stuff for MTP, AFC, etc
+        kio-fuse # fuse interface for KIO
         kpackage # provides kpackagetool tool
         kservice # provides kbuildsycoca6 tool
         kwallet # provides helper service
@@ -87,30 +88,26 @@ in {
         # Core Plasma parts
         kwin
         pkgs.xwayland
-
         kscreen
         libkscreen
-
         kscreenlocker
-
         kactivitymanagerd
         kde-cli-tools
-        kglobalacceld
+        kglobalacceld # keyboard shortcut daemon
         kwrited # wall message proxy, not to be confused with kwrite
-
-        milou
-        polkit-kde-agent-1
-
+        baloo # system indexer
+        milou # search engine atop baloo
+        kdegraphics-thumbnailers # pdf etc thumbnailer
+        polkit-kde-agent-1 # polkit auth ui
         plasma-desktop
         plasma-workspace
-
-        # Crash handler
-        drkonqi
+        drkonqi # crash handler
+        kde-inotify-survey # warns the user on low inotifywatch limits
 
         # Application integration
         libplasma # provides Kirigami platform theme
         plasma-integration # provides Qt platform theme
-        kde-gtk-config
+        kde-gtk-config # syncs KDE settings to GTK
 
         # Artwork + themes
         breeze
@@ -124,37 +121,21 @@ in {
 
         # misc Plasma extras
         kdeplasma-addons
-
         pkgs.xdg-user-dirs # recommended upstream
 
         # Plasma utilities
         kmenuedit
-
         kinfocenter
         plasma-systemmonitor
         ksystemstats
         libksysguard
-
-        spectacle
         systemsettings
         kcmutils
-
-        # Gear
-        baloo
-        dolphin
-        dolphin-plugins
-        ffmpegthumbs
-        kdegraphics-thumbnailers
-        kde-inotify-survey
-        kio-admin
-        kio-extras
-        kio-fuse
       ];
       optionalPackages = [
         plasma-browser-integration
         konsole
         (lib.getBin qttools) # Expose qdbus in PATH
-
         ark
         elisa
         gwenview
@@ -162,6 +143,10 @@ in {
         kate
         khelpcenter
         print-manager
+        dolphin
+        dolphin-plugins
+        spectacle
+        ffmpegthumbs
       ];
     in
       requiredPackages
diff --git a/nixos/modules/services/games/archisteamfarm.nix b/nixos/modules/services/games/archisteamfarm.nix
index 33898f8387e99..c9c41d6f4eb5e 100644
--- a/nixos/modules/services/games/archisteamfarm.nix
+++ b/nixos/modules/services/games/archisteamfarm.nix
@@ -164,8 +164,11 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    # TODO: drop with 24.11
-    services.archisteamfarm.dataDir = lib.mkIf (lib.versionAtLeast config.system.stateVersion "24.05") (lib.mkDefault "/var/lib/asf");
+    services.archisteamfarm = {
+      # TODO: drop with 24.11
+      dataDir = lib.mkIf (lib.versionAtLeast config.system.stateVersion "24.05") (lib.mkDefault "/var/lib/asf");
+      settings.IPC = lib.mkIf (!cfg.web-ui.enable) false;
+    };
 
     users = {
       users.archisteamfarm = {
diff --git a/nixos/modules/services/hardware/kanata.nix b/nixos/modules/services/hardware/kanata.nix
index 46af3e36b9859..60fb33881f256 100644
--- a/nixos/modules/services/hardware/kanata.nix
+++ b/nixos/modules/services/hardware/kanata.nix
@@ -7,7 +7,7 @@ let
 
   upstreamDoc = "See [the upstream documentation](https://github.com/jtroo/kanata/blob/main/docs/config.adoc) and [example config files](https://github.com/jtroo/kanata/tree/main/cfg_samples) for more information.";
 
-  keyboard = {
+  keyboard = { name, config, ... }: {
     options = {
       devices = mkOption {
         type = types.listOf types.str;
@@ -48,6 +48,21 @@ let
           ${upstreamDoc}
         '';
       };
+      configFile = mkOption {
+        type = types.path;
+        default = mkConfig name config;
+        defaultText =
+          "A config file generated by values from other kanata module options.";
+        description = ''
+          The config file.
+
+          By default, it is generated by values from other kanata
+          module options.
+
+          You can also set it to your own full config file which
+          overrides all other kanata module options.  ${upstreamDoc}
+        '';
+      };
       extraArgs = mkOption {
         type = types.listOf types.str;
         default = [ ];
@@ -85,6 +100,10 @@ let
 
       ${keyboard.config}
     '';
+    # Only the config file generated by this module is checked.  A
+    # user-provided one is not checked because it may not be available
+    # at build time.  I think this is a good balance between module
+    # complexity and functionality.
     checkPhase = ''
       ${getExe cfg.package} --cfg "$target" --check --debug
     '';
@@ -96,7 +115,7 @@ let
       Type = "notify";
       ExecStart = ''
         ${getExe cfg.package} \
-          --cfg ${mkConfig name keyboard} \
+          --cfg ${keyboard.configFile} \
           --symlink-path ''${RUNTIME_DIRECTORY}/${name} \
           ${optionalString (keyboard.port != null) "--port ${toString keyboard.port}"} \
           ${utils.escapeSystemdExecArgs keyboard.extraArgs}
diff --git a/nixos/modules/services/hardware/nvidia-container-toolkit/default.nix b/nixos/modules/services/hardware/nvidia-container-toolkit/default.nix
index 6c6bc667e6498..bd12667a56474 100644
--- a/nixos/modules/services/hardware/nvidia-container-toolkit/default.nix
+++ b/nixos/modules/services/hardware/nvidia-container-toolkit/default.nix
@@ -69,14 +69,18 @@
     virtualisation.docker.daemon.settings = lib.mkIf
       (config.hardware.nvidia-container-toolkit.enable &&
        (lib.versionAtLeast config.virtualisation.docker.package.version "25")) {
-      features.cdi = true;
-    };
+         features.cdi = true;
+       };
 
     hardware.nvidia-container-toolkit.mounts = let
       nvidia-driver = config.hardware.nvidia.package;
     in (lib.mkMerge [
       [{ hostPath = pkgs.addDriverRunpath.driverLink;
          containerPath = pkgs.addDriverRunpath.driverLink; }
+       { hostPath = "${lib.getLib nvidia-driver}/etc";
+         containerPath = "${lib.getLib nvidia-driver}/etc"; }
+       { hostPath = "${lib.getLib nvidia-driver}/share";
+         containerPath = "${lib.getLib nvidia-driver}/share"; }
        { hostPath = "${lib.getLib pkgs.glibc}/lib";
          containerPath = "${lib.getLib pkgs.glibc}/lib"; }
        { hostPath = "${lib.getLib pkgs.glibc}/lib64";
diff --git a/nixos/modules/services/home-automation/ebusd.nix b/nixos/modules/services/home-automation/ebusd.nix
index ac9ec06639c13..f5c5479e8eaff 100644
--- a/nixos/modules/services/home-automation/ebusd.nix
+++ b/nixos/modules/services/home-automation/ebusd.nix
@@ -138,7 +138,7 @@ in
       after = [ "network.target" ];
       serviceConfig = {
         ExecStart = let
-          args = cli.toGNUCommandLineShell { } (foldr (a: b: a // b) { } [
+          args = cli.toGNUCommandLineShell { optionValueSeparator = "="; } (foldr (a: b: a // b) { } [
             {
               inherit (cfg) device port configpath scanconfig readonly;
               foreground = true;
diff --git a/nixos/modules/services/home-automation/wyoming/faster-whisper.nix b/nixos/modules/services/home-automation/wyoming/faster-whisper.nix
index d0fca6a41c7b6..45664103665f7 100644
--- a/nixos/modules/services/home-automation/wyoming/faster-whisper.nix
+++ b/nixos/modules/services/home-automation/wyoming/faster-whisper.nix
@@ -113,6 +113,9 @@ in
       nameValuePair "wyoming-faster-whisper-${server}" {
         inherit (options) enable;
         description = "Wyoming faster-whisper server instance ${server}";
+        wants = [
+          "network-online.target"
+        ];
         after = [
           "network-online.target"
         ];
diff --git a/nixos/modules/services/home-automation/wyoming/openwakeword.nix b/nixos/modules/services/home-automation/wyoming/openwakeword.nix
index 856a4ef7366d0..f9848970bf734 100644
--- a/nixos/modules/services/home-automation/wyoming/openwakeword.nix
+++ b/nixos/modules/services/home-automation/wyoming/openwakeword.nix
@@ -108,6 +108,9 @@ in
   config = mkIf cfg.enable {
     systemd.services."wyoming-openwakeword" = {
       description = "Wyoming openWakeWord server";
+      wants = [
+        "network-online.target"
+      ];
       after = [
         "network-online.target"
       ];
diff --git a/nixos/modules/services/home-automation/wyoming/piper.nix b/nixos/modules/services/home-automation/wyoming/piper.nix
index 5b5f898d7ca35..a26fe8e84f609 100644
--- a/nixos/modules/services/home-automation/wyoming/piper.nix
+++ b/nixos/modules/services/home-automation/wyoming/piper.nix
@@ -117,6 +117,9 @@ in
       nameValuePair "wyoming-piper-${server}" {
         inherit (options) enable;
         description = "Wyoming Piper server instance ${server}";
+        wants = [
+          "network-online.target"
+        ];
         after = [
           "network-online.target"
         ];
diff --git a/nixos/modules/services/mail/stalwart-mail.nix b/nixos/modules/services/mail/stalwart-mail.nix
index c69a2ca400bae..ed3c5389354ce 100644
--- a/nixos/modules/services/mail/stalwart-mail.nix
+++ b/nixos/modules/services/mail/stalwart-mail.nix
@@ -7,28 +7,13 @@ let
   configFormat = pkgs.formats.toml { };
   configFile = configFormat.generate "stalwart-mail.toml" cfg.settings;
   dataDir = "/var/lib/stalwart-mail";
-  stalwartAtLeast = versionAtLeast cfg.package.version;
+  useLegacyStorage = versionOlder config.system.stateVersion "24.11";
 
 in {
   options.services.stalwart-mail = {
     enable = mkEnableOption "the Stalwart all-in-one email server";
 
-    package = mkOption {
-      type = types.package;
-      description = ''
-        Which package to use for the Stalwart mail server.
-
-        ::: {.note}
-        Upgrading from version 0.6.0 to version 0.7.0 or higher requires manual
-        intervention. See <https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md>
-        for upgrade instructions.
-        :::
-      '';
-      default = pkgs.stalwart-mail_0_6;
-      defaultText = lib.literalExpression "pkgs.stalwart-mail_0_6";
-      example = lib.literalExpression "pkgs.stalwart-mail";
-      relatedPackages = [ "stalwart-mail_0_6" "stalwart-mail" ];
-    };
+    package = mkPackageOption pkgs "stalwart-mail" { };
 
     settings = mkOption {
       inherit (configFormat) type;
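Review bot: Replacing the 0.6-pinned default and its upgrade warning with `package = mkPackageOption pkgs "stalwart-mail" { };` means deployments that relied on the default will jump to the current `pkgs.stalwart-mail` on their next switch, and the removed text states that crossing 0.6 → 0.7 requires manual intervention. Unless the release notes in this change cover it (not visible here), the option description should keep a short note along the lines of `Upgrading from 0.6 to 0.7 or later requires manual migration; see the upstream UPGRADING.md`, so the breakage is announced at evaluation time rather than discovered when the mail server fails to start.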
@@ -44,90 +29,109 @@ in {
 
   config = mkIf cfg.enable {
 
-    warnings = lib.optionals (!stalwartAtLeast "0.7.0") [
-      ''
-        Versions of stalwart-mail < 0.7.0 will get deprecated in NixOS 24.11.
-        Please set services.stalwart-mail.package to pkgs.stalwart-mail to
-        upgrade to the latest version.
-        Please note that upgrading to version >= 0.7 requires manual
-        intervention, see <https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md>
-        for upgrade instructions.
-      ''
-    ];
-
     # Default config: all local
     services.stalwart-mail.settings = {
-      global.tracing.method = mkDefault "stdout";
-      global.tracing.level = mkDefault "info";
+      tracer.stdout = {
+        type = mkDefault "stdout";
+        level = mkDefault "info";
+        ansi = mkDefault false;  # no colour markers to journald
+        enable = mkDefault true;
+      };
       queue.path = mkDefault "${dataDir}/queue";
       report.path = mkDefault "${dataDir}/reports";
-      store.db.type = mkDefault "sqlite";
-      store.db.path = mkDefault "${dataDir}/data/index.sqlite3";
-      store.blob.type = mkDefault "fs";
-      store.blob.path = mkDefault "${dataDir}/data/blobs";
+      store = if useLegacyStorage then {
+        # structured data in SQLite, blobs on filesystem
+        db.type = mkDefault "sqlite";
+        db.path = mkDefault "${dataDir}/data/index.sqlite3";
+        fs.type = mkDefault "fs";
+        fs.path = mkDefault "${dataDir}/data/blobs";
+      } else {
+        # everything in RocksDB
+        db.type = mkDefault "rocksdb";
+        db.path = mkDefault "${dataDir}/db";
+        db.compression = mkDefault "lz4";
+      };
       storage.data = mkDefault "db";
       storage.fts = mkDefault "db";
       storage.lookup = mkDefault "db";
-      storage.blob = mkDefault "blob";
+      storage.blob = mkDefault (if useLegacyStorage then "fs" else "db");
+      directory.internal.type = mkDefault "internal";
+      directory.internal.store = mkDefault "db";
+      storage.directory = mkDefault "internal";
       resolver.type = mkDefault "system";
-      resolver.public-suffix = mkDefault ["https://publicsuffix.org/list/public_suffix_list.dat"];
+      resolver.public-suffix = lib.mkDefault [
+        "file://${pkgs.publicsuffix-list}/share/publicsuffix/public_suffix_list.dat"
+      ];
     };
 
-    systemd.services.stalwart-mail = {
-      wantedBy = [ "multi-user.target" ];
-      after = [ "local-fs.target" "network.target" ];
-
-      preStart = ''
-        mkdir -p ${dataDir}/{queue,reports,data/blobs}
-      '';
+    # This service stores a potentially large amount of data.
+    # Running it as a dynamic user would force chown to be run everytime the
+    # service is restarted on a potentially large number of files.
+    # That would cause unnecessary and unwanted delays.
+    users = {
+      groups.stalwart-mail = { };
+      users.stalwart-mail = {
+        isSystemUser = true;
+        group = "stalwart-mail";
+      };
+    };
 
-      serviceConfig = {
-        ExecStart =
-          "${cfg.package}/bin/stalwart-mail --config=${configFile}";
-
-        # Base from template resources/systemd/stalwart-mail.service
-        Type = "simple";
-        LimitNOFILE = 65536;
-        KillMode = "process";
-        KillSignal = "SIGINT";
-        Restart = "on-failure";
-        RestartSec = 5;
-        StandardOutput = "journal";
-        StandardError = "journal";
-        SyslogIdentifier = "stalwart-mail";
-
-        DynamicUser = true;
-        User = "stalwart-mail";
-        StateDirectory = "stalwart-mail";
-
-        # Bind standard privileged ports
-        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
-        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-
-        # Hardening
-        DeviceAllow = [ "" ];
-        LockPersonality = true;
-        MemoryDenyWriteExecute = true;
-        PrivateDevices = true;
-        PrivateUsers = false;  # incompatible with CAP_NET_BIND_SERVICE
-        ProcSubset = "pid";
-        PrivateTmp = true;
-        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        ProtectSystem = "strict";
-        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        SystemCallArchitectures = "native";
-        SystemCallFilter = [ "@system-service" "~@privileged" ];
-        UMask = "0077";
+    systemd = {
+      packages = [ cfg.package ];
+      services.stalwart-mail = {
+        wantedBy = [ "multi-user.target" ];
+        after = [ "local-fs.target" "network.target" ];
+
+        preStart = if useLegacyStorage then ''
+          mkdir -p ${dataDir}/{queue,reports,data/blobs}
+        '' else ''
+          mkdir -p ${dataDir}/{queue,reports,db}
+        '';
+
+        serviceConfig = {
+          ExecStart = [
+            ""
+            "${cfg.package}/bin/stalwart-mail --config=${configFile}"
+          ];
+
+          StandardOutput = "journal";
+          StandardError = "journal";
+
+          StateDirectory = "stalwart-mail";
+
+          # Bind standard privileged ports
+          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+          CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+
+          # Hardening
+          DeviceAllow = [ "" ];
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          PrivateDevices = true;
+          PrivateUsers = false;  # incompatible with CAP_NET_BIND_SERVICE
+          ProcSubset = "pid";
+          PrivateTmp = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProtectSystem = "strict";
+          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [ "@system-service" "~@privileged" ];
+          UMask = "0077";
+        };
+        unitConfig.ConditionPathExists = [
+          ""
+          "${configFile}"
+        ];
       };
     };
 
@@ -136,6 +140,6 @@ in {
   };
 
   meta = {
-    maintainers = with maintainers; [ happysalada pacien ];
+    maintainers = with maintainers; [ happysalada pacien onny ];
   };
 }
diff --git a/nixos/modules/services/misc/devpi-server.nix b/nixos/modules/services/misc/devpi-server.nix
index 0234db4bc2c5b..92c0c6206c8b3 100644
--- a/nixos/modules/services/misc/devpi-server.nix
+++ b/nixos/modules/services/misc/devpi-server.nix
@@ -74,8 +74,9 @@ in
       # have 0600 permissions.
       preStart =
         ''
-          cp ${cfg.secretFile} ${runtimeDir}/${secretsFileName}
-          chmod 0600 ${runtimeDir}/*${secretsFileName}
+          ${optionalString (!isNull cfg.secretFile)
+            "install -Dm 0600 \${CREDENTIALS_DIRECTORY}/devpi-secret ${runtimeDir}/${secretsFileName}"
+          }
 
           if [ -f ${serverDir}/.nodeinfo ]; then
             # already initialized the package index, exit gracefully
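Review bot: `isNull` is a deprecated Nix builtin; the idiomatic test is `cfg.secretFile != null`, so the new line reads `${optionalString (cfg.secretFile != null) "install -Dm 0600 \${CREDENTIALS_DIRECTORY}/devpi-secret ${runtimeDir}/${secretsFileName}"}`, and the same applies to `lib.mkIf (! isNull cfg.secretFile)` in the next hunk. Moving the secret through `LoadCredential` is a clear improvement over copying `cfg.secretFile` directly, but nothing in this hunk says what happens when `secretFile` is null and no secrets file exists in `runtimeDir`; a one-line comment stating that devpi then generates its own secret (or that the option is required) would save the next reader a trip to the upstream docs. The `preStart` string begins above the added lines and continues past this hunk.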
@@ -85,6 +86,9 @@ in
         + strings.optionalString cfg.replica "--role=replica --master-url=${cfg.primaryUrl}";
 
       serviceConfig = {
+        LoadCredential = lib.mkIf (! isNull cfg.secretFile) [
+          "devpi-secret:${cfg.secretFile}"
+        ];
         Restart = "always";
         ExecStart =
           let
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index a8526688b074f..d43250c882683 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -722,5 +722,5 @@ in
       timerConfig.OnCalendar = cfg.dump.interval;
     };
   };
-  meta.maintainers = with lib.maintainers; [ srhb ma27 pyrox0 ];
+  meta.maintainers = with lib.maintainers; [ ma27 techknowlogick SuperSandro2000 ];
 }
diff --git a/nixos/modules/services/misc/invidious-router.nix b/nixos/modules/services/misc/invidious-router.nix
index 33da7e96b5235..4a08f0bcb8dcb 100644
--- a/nixos/modules/services/misc/invidious-router.nix
+++ b/nixos/modules/services/misc/invidious-router.nix
@@ -8,7 +8,7 @@
   settingsFormat = pkgs.formats.yaml {};
   configFile = settingsFormat.generate "config.yaml" cfg.settings;
 in {
-  meta.maintainers = [lib.maintainers.s1ls];
+  meta.maintainers = [lib.maintainers.sils];
 
   options.services.invidious-router = {
     enable = lib.mkEnableOption "Enables the invidious-router service";
diff --git a/nixos/modules/services/misc/ollama.nix b/nixos/modules/services/misc/ollama.nix
index c0341984aa351..6f00dbfa75312 100644
--- a/nixos/modules/services/misc/ollama.nix
+++ b/nixos/modules/services/misc/ollama.nix
@@ -11,6 +11,11 @@ let
   };
 in
 {
+  imports = [
+    (lib.mkRemovedOptionModule [ "services" "ollama" "listenAddress" ]
+      "Use `services.ollama.host` and `services.ollama.port` instead.")
+  ];
+
   options = {
     services.ollama = {
       enable = lib.mkEnableOption "ollama server for local large language models";
@@ -64,12 +69,20 @@ in
           See also `services.ollama.sandbox`.
         '';
       };
-      listenAddress = lib.mkOption {
+      host = lib.mkOption {
         type = types.str;
-        default = "127.0.0.1:11434";
-        example = "0.0.0.0:11111";
+        default = "127.0.0.1";
+        example = "0.0.0.0";
+        description = ''
+          The host address which the ollama server HTTP interface listens to.
+        '';
+      };
+      port = lib.mkOption {
+        type = types.nullOr types.ints.u16;
+        default = 11434;
+        example = 11111;
         description = ''
-          The address which the ollama server HTTP interface binds and listens to.
+          Which port the ollama server listens to. Set to `null` to not specify a port.
         '';
       };
       acceleration = lib.mkOption {
@@ -80,9 +93,9 @@ in
           What interface to use for hardware acceleration.
 
           - `null`: default behavior
-            if `nixpkgs.config.rocmSupport` is enabled, uses `"rocm"`
-            if `nixpkgs.config.cudaSupport` is enabled, uses `"cuda"`
-            otherwise defaults to `false`
+            - if `nixpkgs.config.rocmSupport` is enabled, uses `"rocm"`
+            - if `nixpkgs.config.cudaSupport` is enabled, uses `"cuda"`
+            - otherwise defaults to `false`
           - `false`: disable GPU, only use CPU
           - `"rocm"`: supported by most modern AMD GPUs
           - `"cuda"`: supported by most modern NVIDIA GPUs
@@ -114,7 +127,11 @@ in
       environment = cfg.environmentVariables // {
         HOME = cfg.home;
         OLLAMA_MODELS = cfg.models;
-        OLLAMA_HOST = cfg.listenAddress;
+        OLLAMA_HOST =
+          if cfg.port == null then
+            cfg.host
+          else
+            "${cfg.host}:${toString cfg.port}";
       };
       serviceConfig = {
         ExecStart = "${lib.getExe ollamaPackage} serve";
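Review bot: `"${cfg.host}:${toString cfg.port}"` yields an ambiguous string for a bare IPv6 literal such as `::1`, because the host side is never bracketed; if ollama splits `OLLAMA_HOST` on the last colon (which I believe it does, but cannot confirm from this hunk) such a value will fail to parse. Either bracket the host when it contains a colon, or state the requirement in the `services.ollama.host` description from the earlier hunk, e.g. `IPv6 addresses must be written in brackets, e.g. "[::1]".` The `environment` attrset this line belongs to starts outside the hunk.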
diff --git a/nixos/modules/services/misc/plex.nix b/nixos/modules/services/misc/plex.nix
index fcd8ebbac6edd..212abda5d1e0b 100644
--- a/nixos/modules/services/misc/plex.nix
+++ b/nixos/modules/services/misc/plex.nix
@@ -93,6 +93,17 @@ in
         '';
       };
 
+      accelerationDevices = mkOption {
+        type = types.listOf types.str;
+        default = ["*"];
+        example = [ "/dev/dri/renderD128" ];
+        description = ''
+          A list of device paths to hardware acceleration devices that Plex should
+          have access to. This is useful when transcoding media files.
+          The special value `"*"` will allow all devices.
+        '';
+      };
+
       package = mkPackageOption pkgs "plex" {
         extraDescription = ''
           Plex subscribers may wish to use their own package here,
@@ -133,6 +144,24 @@ in
         KillSignal = "SIGQUIT";
         PIDFile = "${cfg.dataDir}/Plex Media Server/plexmediaserver.pid";
         Restart = "on-failure";
+
+        # Hardening
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        PrivateDevices = cfg.accelerationDevices == [];
+        DeviceAllow = mkIf (cfg.accelerationDevices != [] && !lib.elem "*" cfg.accelerationDevices) cfg.accelerationDevices;
+        ProtectSystem = true;
+        ProtectHome = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK"];
+        # This could be made to work if the namespaces needed were known
+        # RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        MemoryDenyWriteExecute = true;
+        LockPersonality = true;
       };
 
       environment = {
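Review bot: `ProtectSystem = true;` renders as `ProtectSystem=yes`, which only makes `/usr` and the boot directories read-only; `"full"` additionally covers `/etc`, and `"strict"` makes the whole tree read-only except what `ReadWritePaths` lists. Given that the unit already points `PIDFile` under `cfg.dataDir`, `ProtectSystem = "strict"; ReadWritePaths = [ cfg.dataDir ];` looks achievable, though Plex may write to other user-configured directories (transcode temp path, for instance), so this needs a test before tightening. A short comment next to the line recording why `yes` rather than `strict` was chosen would stop the next reviewer from raising the same question. The enclosing `serviceConfig` attrset starts outside this hunk.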
diff --git a/nixos/modules/services/misc/portunus.nix b/nixos/modules/services/misc/portunus.nix
index bdb35da788e3a..335806b261a23 100644
--- a/nixos/modules/services/misc/portunus.nix
+++ b/nixos/modules/services/misc/portunus.nix
@@ -98,6 +98,10 @@ in
 
           The OIDC secret must be set as the `DEX_CLIENT_''${id}` environment variable
           in the [](#opt-services.dex.environmentFile) setting.
+
+          ::: {.note}
+          Make sure the id only contains characters that are allowed in an environment variable name, e.g. no -.
+          :::
         '';
       };
 
diff --git a/nixos/modules/services/misc/snapper.nix b/nixos/modules/services/misc/snapper.nix
index 33207ac2b5bd5..a42fca5b60289 100644
--- a/nixos/modules/services/misc/snapper.nix
+++ b/nixos/modules/services/misc/snapper.nix
@@ -108,7 +108,7 @@ in
       type = types.bool;
       example = true;
       description = ''
-        Set the `persistentTimer` option for the
+        Set the `Persistent` option for the
         {manpage}`systemd.timer(5)`
         which triggers the snapshot immediately if the last trigger
         was missed (e.g. if the system was powered down).
diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix
index 9d453c5394824..32919950adc1e 100644
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -47,13 +47,6 @@ let
   datasourceFileOrDir = mkProvisionCfg "datasource" "datasources" cfg.provision.datasources;
   dashboardFileOrDir = mkProvisionCfg "dashboard" "providers" cfg.provision.dashboards;
 
-  notifierConfiguration = {
-    apiVersion = 1;
-    notifiers = cfg.provision.notifiers;
-  };
-
-  notifierFileOrDir = pkgs.writeText "notifier.yaml" (builtins.toJSON notifierConfiguration);
-
   generateAlertingProvisioningYaml = x:
     if (cfg.provision.alerting."${x}".path == null)
     then provisioningSettingsFormat.generate "${x}.yaml" cfg.provision.alerting."${x}".settings
@@ -74,10 +67,9 @@ let
     fi
   '';
   provisionConfDir = pkgs.runCommand "grafana-provisioning" { nativeBuildInputs = [ pkgs.xorg.lndir ]; } ''
-    mkdir -p $out/{alerting,datasources,dashboards,notifiers,plugins}
+    mkdir -p $out/{alerting,datasources,dashboards,plugins}
     ${ln { src = datasourceFileOrDir;    dir = "datasources"; filename = "datasource"; }}
     ${ln { src = dashboardFileOrDir;     dir = "dashboards";  filename = "dashboard"; }}
-    ${ln { src = notifierFileOrDir;      dir = "notifiers";   filename = "notifier"; }}
     ${ln { src = rulesFileOrDir;         dir = "alerting";    filename = "rules"; }}
     ${ln { src = contactPointsFileOrDir; dir = "alerting";    filename = "contactPoints"; }}
     ${ln { src = policiesFileOrDir;      dir = "alerting";    filename = "policies"; }}
@@ -161,73 +153,13 @@ let
       };
     };
   };
-
-  grafanaTypes.notifierConfig = types.submodule {
-    options = {
-      name = mkOption {
-        type = types.str;
-        default = "default";
-        description = "Notifier name.";
-      };
-      type = mkOption {
-        type = types.enum [ "dingding" "discord" "email" "googlechat" "hipchat" "kafka" "line" "teams" "opsgenie" "pagerduty" "prometheus-alertmanager" "pushover" "sensu" "sensugo" "slack" "telegram" "threema" "victorops" "webhook" ];
-        description = "Notifier type.";
-      };
-      uid = mkOption {
-        type = types.str;
-        description = "Unique notifier identifier.";
-      };
-      org_id = mkOption {
-        type = types.int;
-        default = 1;
-        description = "Organization ID.";
-      };
-      org_name = mkOption {
-        type = types.str;
-        default = "Main Org.";
-        description = "Organization name.";
-      };
-      is_default = mkOption {
-        type = types.bool;
-        description = "Is the default notifier.";
-        default = false;
-      };
-      send_reminder = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Should the notifier be sent reminder notifications while alerts continue to fire.";
-      };
-      frequency = mkOption {
-        type = types.str;
-        default = "5m";
-        description = "How frequently should the notifier be sent reminders.";
-      };
-      disable_resolve_message = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Turn off the message that sends when an alert returns to OK.";
-      };
-      settings = mkOption {
-        type = types.nullOr types.attrs;
-        default = null;
-        description = "Settings for the notifier type.";
-      };
-      secure_settings = mkOption {
-        type = types.nullOr types.attrs;
-        default = null;
-        description = ''
-          Secure settings for the notifier type. Please note that the contents of this option
-          will end up in a world-readable Nix store. Use the file provider
-          pointing at a reasonably secured file in the local filesystem
-          to work around that. Look at the documentation for details:
-          <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider>
-        '';
-      };
-    };
-  };
 in
 {
   imports = [
+    (mkRemovedOptionModule [ "services" "grafana" "provision" "notifiers" ] ''
+      Notifiers (services.grafana.provision.notifiers) were removed in Grafana 11.
+    '')
+
     (mkRenamedOptionModule [ "services" "grafana" "protocol" ] [ "services" "grafana" "settings" "server" "protocol" ])
     (mkRenamedOptionModule [ "services" "grafana" "addr" ] [ "services" "grafana" "settings" "server" "http_addr" ])
     (mkRenamedOptionModule [ "services" "grafana" "port" ] [ "services" "grafana" "settings" "server" "http_port" ])
@@ -1256,15 +1188,6 @@ in
         };
       };
 
-
-      notifiers = mkOption {
-        description = "Grafana notifier configuration.";
-        default = [ ];
-        type = types.listOf grafanaTypes.notifierConfig;
-        apply = x: map _filter x;
-      };
-
-
       alerting = {
         rules = {
           path = mkOption {
@@ -1746,12 +1669,6 @@ in
             Use file provider or an env-var instead.
           '';
 
-        # Warn about deprecated notifiers.
-        deprecatedNotifiers = optional (cfg.provision.notifiers != [ ]) ''
-          Notifiers are deprecated upstream and will be removed in Grafana 11.
-          Use `services.grafana.provision.alerting.contactPoints` instead.
-        '';
-
         # Ensure that `secureJsonData` of datasources provisioned via `datasources.settings`
         # only uses file/env providers.
         secureJsonDataWithoutFileProvider = optional
@@ -1770,15 +1687,10 @@ in
             Declarations in the `secureJsonData`-block of a datasource will be leaked to the
             Nix store unless a file-provider or an env-var is used!
           '';
-
-        notifierSecureSettingsWithoutFileProvider = optional
-          (any (x: x.secure_settings != null) cfg.provision.notifiers)
-          "Notifier secure settings will be stored as plaintext in the Nix store! Use file provider instead.";
       in
       passwordWithoutFileProvider
-      ++ deprecatedNotifiers
       ++ secureJsonDataWithoutFileProvider
-      ++ notifierSecureSettingsWithoutFileProvider;
+      ;
 
     environment.systemPackages = [ cfg.package ];
 
diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix
index 7e707a13b7903..4de80acfa9a8b 100644
--- a/nixos/modules/services/monitoring/prometheus/default.nix
+++ b/nixos/modules/services/monitoring/prometheus/default.nix
@@ -181,6 +181,10 @@ let
         communicating with external systems (federation, remote
         storage, Alertmanager).
       '';
+
+      query_log_file = mkOpt types.str ''
+        Path to the file prometheus should write its query log to.
+      '';
     };
   };
 
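Review bot: The `query_log_file` description does not mention what ends up in the file or where it can live; Prometheus's query log records each PromQL expression together with the issuing client, so it can expose metric names, label values and requester addresses, and the path has to be writable from inside the unit's sandbox. Suggest extending the description to `Path to the file Prometheus should write its query log to. The log contains the full text of every query and the client that issued it, so keep its permissions restricted; the path must be writable by the prometheus service (e.g. under its state directory).` The hardening applied to the prometheus unit is outside this hunk, so whether a path outside the state directory is writable cannot be confirmed here.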
diff --git a/nixos/modules/services/networking/frr.nix b/nixos/modules/services/networking/frr.nix
index 7f611ce7b1c7d..df2b4035d2f07 100644
--- a/nixos/modules/services/networking/frr.nix
+++ b/nixos/modules/services/networking/frr.nix
@@ -23,10 +23,9 @@ let
     "pbr"
     "bfd"
     "fabric"
-    "mgmt"
   ];
 
-  allServices = services ++ [ "zebra" ];
+  allServices = services ++ [ "zebra" "mgmt" ];
 
   isEnabled = service: cfg.${service}.enable;
 
@@ -137,6 +136,20 @@ in
             '';
           };
         };
+        mgmt = (serviceOptions "mgmt") // {
+          enable = mkOption {
+            type = types.bool;
+            default = isEnabled "static";
+            defaultText = lib.literalExpression "config.services.frr.static.enable";
+            description = ''
+              Whether to enable the Configuration management daemon.
+
+              The Configuration management daemon is automatically
+              enabled if needed, at the moment this is when staticd
+              is enabled.
+            '';
+          };
+        };
       };
     }
     { options.services.frr = (genAttrs services serviceOptions); }
@@ -164,7 +177,7 @@ in
 
     environment.etc = let
       mkEtcLink = service: {
-        name = "frr/${service}.conf";
+        name = "frr/${daemonName service}.conf";
         value.source = configFile service;
       };
     in
@@ -196,18 +209,18 @@ in
               unitConfig.Documentation = if service == "zebra" then "man:zebra(8)"
                 else "man:${daemon}(8) man:zebra(8)";
 
-              restartTriggers = [
+              restartTriggers = mkIf (service != "mgmt") [
                 (configFile service)
               ];
-              reloadIfChanged = true;
+              reloadIfChanged = (service != "mgmt");
 
               serviceConfig = {
                 PIDFile = "frr/${daemon}.pid";
-                ExecStart = "${pkgs.frr}/libexec/frr/${daemon} -f /etc/frr/${service}.conf"
+                ExecStart = "${pkgs.frr}/libexec/frr/${daemon}"
                   + optionalString (scfg.vtyListenAddress != "") " -A ${scfg.vtyListenAddress}"
                   + optionalString (scfg.vtyListenPort != null) " -P ${toString scfg.vtyListenPort}"
                   + " " + (concatStringsSep " " scfg.extraOptions);
-                ExecReload = "${pkgs.python3.interpreter} ${pkgs.frr}/libexec/frr/frr-reload.py --reload --daemon ${daemonName service} --bindir ${pkgs.frr}/bin --rundir /run/frr /etc/frr/${service}.conf";
+                ExecReload = mkIf (service != "mgmt") "${pkgs.python3.interpreter} ${pkgs.frr}/libexec/frr/frr-reload.py --reload --daemon ${daemon} --bindir ${pkgs.frr}/bin --rundir /run/frr /etc/frr/${daemon}.conf";
                 Restart = "on-abnormal";
               };
             });
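Review bot: `ExecStart` no longer passes `-f /etc/frr/${service}.conf`, so every daemon now relies on its compiled-in default config location coinciding with the `frr/${daemonName service}.conf` link created in the previous hunk; that coupling deserves a comment, e.g. `# no -f: each daemon reads /etc/frr/<daemon>.conf by default, which mkEtcLink provides`. For `mgmt` the hunk disables `restartTriggers`, `reloadIfChanged` and `ExecReload` together, so a changed mgmt config is not applied until the unit is restarted by some other path; if that is intentional (mgmtd presumably has no reload support), the `mgmt` option description added earlier should say so. The enclosing function starts and ends outside this hunk.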
diff --git a/nixos/modules/services/networking/kea.nix b/nixos/modules/services/networking/kea.nix
index 66173c145d16a..11add600b66fb 100644
--- a/nixos/modules/services/networking/kea.nix
+++ b/nixos/modules/services/networking/kea.nix
@@ -278,6 +278,9 @@ in
         "https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html"
       ];
 
+      wants = [
+        "network-online.target"
+      ];
       after = [
         "network-online.target"
         "time-sync.target"
diff --git a/nixos/modules/services/networking/oink.nix b/nixos/modules/services/networking/oink.nix
new file mode 100644
index 0000000000000..cd0fdf172331d
--- /dev/null
+++ b/nixos/modules/services/networking/oink.nix
@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.oink;
+  makeOinkConfig = attrs: (pkgs.formats.json { }).generate
+    "oink.json" (mapAttrs' (k: v: nameValuePair (toLower k) v) attrs);
+  oinkConfig = makeOinkConfig {
+    global = cfg.settings;
+    domains = cfg.domains;
+  };
+in
+{
+  options.services.oink = {
+    enable = mkEnableOption "Oink, a dynamic DNS client for Porkbun";
+    package = mkPackageOption pkgs "oink" { };
+    settings = {
+      apiKey = mkOption {
+        type = types.str;
+        description = "API key to use when modifying DNS records.";
+      };
+      secretApiKey = mkOption {
+        type = types.str;
+        description = "Secret API key to use when modifying DNS records.";
+      };
+      interval = mkOption {
+        # https://github.com/rlado/oink/blob/v1.1.1/src/main.go#L364
+        type = types.ints.between 60 172800; # 48 hours
+        default = 900;
+        description = "Seconds to wait before sending another request.";
+      };
+      ttl = mkOption {
+        type = types.ints.between 600 172800;
+        default = 600;
+        description = ''
+          The TTL ("Time to Live") value to set for your DNS records.
+
+          The TTL controls how long in seconds your records will be cached
+          for. A smaller value will allow the record to update quicker.
+        '';
+      };
+    };
+    domains = mkOption {
+      type = with types; listOf (attrsOf anything);
+      default = [];
+      example = [
+        {
+          domain = "nixos.org";
+          subdomain = "";
+          ttl = 1200;
+        }
+        {
+          domain = "nixos.org";
+          subdomain = "hydra";
+        }
+      ];
+      description = ''
+        List of attribute sets containing configuration for each domain.
+
+        Each attribute set must have two attributes, one named *domain*
+        and another named *subdomain*. The domain attribute must specify
+        the root domain that you want to configure, and the subdomain
+        attribute must specify its subdomain if any. If you want to
+        configure the root domain rather than a subdomain, leave the
+        subdomain attribute as an empty string.
+
+        Additionally, you can use attributes from *services.oink.settings*
+        to override settings per-domain.
+
+        Every domain listed here *must* have API access enabled in
+        Porkbun's control panel.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.oink = {
+      description = "Dynamic DNS client for Porkbun";
+      wantedBy = [ "multi-user.target" ];
+      script = "${cfg.package}/bin/oink -c ${oinkConfig}";
+    };
+  };
+}
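Review bot: `settings.apiKey` and `settings.secretApiKey` are plain `types.str` options that `makeOinkConfig` serialises into `oink.json`, a Nix store path, so both Porkbun credentials become world-readable on the host and in any cache the closure is pushed to; at minimum both descriptions should say `This value is written to the world-readable Nix store.`, and a file-based variant delivered through `LoadCredential` would be the proper fix. Separately, `systemd.services.oink` carries no `serviceConfig`, so a client that only needs outbound HTTPS runs as root with an unconfined unit; assuming oink keeps no state on disk, the usual hardening set below would confine it. The `with lib;` at file scope is also discouraged in current nixpkgs style in favour of `lib.`-qualified names.
```nix
    systemd.services.oink = {
      # … unchanged: description, wantedBy, script …
      serviceConfig = {
        DynamicUser = true;
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        CapabilityBoundingSet = "";
      };
    };
```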
diff --git a/nixos/modules/services/networking/rosenpass.nix b/nixos/modules/services/networking/rosenpass.nix
index 66b6f960a81ab..92ecc1cb31a36 100644
--- a/nixos/modules/services/networking/rosenpass.nix
+++ b/nixos/modules/services/networking/rosenpass.nix
@@ -130,8 +130,8 @@ in
             relevant = config.systemd.network.enable;
             root = config.systemd.network.netdevs;
             peer = (x: x.wireguardPeers);
-            key = (x: if x.wireguardPeerConfig ? PublicKey then x.wireguardPeerConfig.PublicKey else null);
-            description = "${options.systemd.network.netdevs}.\"<name>\".wireguardPeers.*.wireguardPeerConfig.PublicKey";
+            key = x: x.PublicKey or null;
+            description = "${options.systemd.network.netdevs}.\"<name>\".wireguardPeers.*.PublicKey";
           }
           {
             relevant = config.networking.wireguard.enable;
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 0fdb708bf052f..f69a35f0ffedc 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -5,11 +5,11 @@ with lib;
 let
 
   # The splicing information needed for nativeBuildInputs isn't available
-  # on the derivations likely to be used as `cfgc.package`.
+  # on the derivations likely to be used as `cfg.package`.
   # This middle-ground solution ensures *an* sshd can do their basic validation
   # on the configuration.
   validationPackage = if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform
-    then cfgc.package
+    then cfg.package
     else pkgs.buildPackages.openssh;
 
   # dont use the "=" operator
@@ -169,6 +169,13 @@ in
         '';
       };
 
+      package = mkOption {
+        type = types.package;
+        default = config.programs.ssh.package;
+        defaultText = literalExpression "programs.ssh.package";
+        description = "OpenSSH package to use for sshd.";
+      };
+
       startWhenNeeded = mkOption {
         type = types.bool;
         default = false;
@@ -342,7 +349,7 @@ in
           freeformType = settingsFormat.type;
           options = {
             AuthorizedPrincipalsFile = mkOption {
-              type = types.str;
+              type = types.nullOr types.str;
               default = "none"; # upstream default
               description = ''
                 Specifies a file that lists principal names that are accepted for certificate authentication. The default
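Review bot: Widening `AuthorizedPrincipalsFile` to `types.nullOr types.str` is not accompanied by any statement of what `null` means, and the same gap exists for every option made nullable in the following hunks (LogLevel, UsePAM, UseDns, X11Forwarding, PasswordAuthentication, PermitRootLogin, KbdInteractiveAuthentication, GatewayPorts, KexAlgorithms, Macs, StrictModes, Ciphers, PrintMotd). Presumably `null` omits the directive from `sshd_config` so OpenSSH's compiled-in default applies — confirm against the settings serializer, which is outside these hunks — and each description should then end with `Set to null to omit the directive and fall back to the OpenSSH default.` For `KexAlgorithms`, `Macs` and `Ciphers` that fallback discards the module's curated lists, which is worth an explicit sentence so nobody sets `null` expecting a no-op.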
@@ -350,16 +357,18 @@ in
               '';
             };
             LogLevel = mkOption {
-              type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ];
+              type = types.nullOr (types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ]);
               default = "INFO"; # upstream default
               description = ''
                 Gives the verbosity level that is used when logging messages from sshd(8). Logging with a DEBUG level
                 violates the privacy of users and is not recommended.
               '';
             };
-            UsePAM = mkEnableOption "PAM authentication" // { default = true; };
+            UsePAM =
+              mkEnableOption "PAM authentication"
+              // { default = true; type = types.nullOr types.bool; };
             UseDns = mkOption {
-              type = types.bool;
+              type = types.nullOr types.bool;
               # apply if cfg.useDns then "yes" else "no"
               default = false;
               description = ''
@@ -370,14 +379,14 @@ in
               '';
             };
             X11Forwarding = mkOption {
-              type = types.bool;
+              type = types.nullOr types.bool;
               default = false;
               description = ''
                 Whether to allow X11 connections to be forwarded.
               '';
             };
             PasswordAuthentication = mkOption {
-              type = types.bool;
+              type = types.nullOr types.bool;
               default = true;
               description = ''
                 Specifies whether password authentication is allowed.
@@ -385,20 +394,20 @@ in
             };
             PermitRootLogin = mkOption {
               default = "prohibit-password";
-              type = types.enum ["yes" "without-password" "prohibit-password" "forced-commands-only" "no"];
+              type = types.nullOr (types.enum ["yes" "without-password" "prohibit-password" "forced-commands-only" "no"]);
               description = ''
                 Whether the root user can login using ssh.
               '';
             };
             KbdInteractiveAuthentication = mkOption {
-              type = types.bool;
+              type = types.nullOr types.bool;
               default = true;
               description = ''
                 Specifies whether keyboard-interactive authentication is allowed.
               '';
             };
             GatewayPorts = mkOption {
-              type = types.str;
+              type = types.nullOr types.str;
               default = "no";
               description = ''
                 Specifies whether remote hosts are allowed to connect to
@@ -407,7 +416,7 @@ in
               '';
             };
             KexAlgorithms = mkOption {
-              type = types.listOf types.str;
+              type = types.nullOr (types.listOf types.str);
               default = [
                 "sntrup761x25519-sha512@openssh.com"
                 "curve25519-sha256"
@@ -424,7 +433,7 @@ in
               '';
             };
             Macs = mkOption {
-              type = types.listOf types.str;
+              type = types.nullOr (types.listOf types.str);
               default = [
                 "hmac-sha2-512-etm@openssh.com"
                 "hmac-sha2-256-etm@openssh.com"
@@ -440,14 +449,14 @@ in
               '';
             };
             StrictModes = mkOption {
-              type = types.bool;
+              type = types.nullOr (types.bool);
               default = true;
               description = ''
                 Whether sshd should check file modes and ownership of directories
               '';
             };
             Ciphers = mkOption {
-              type = types.listOf types.str;
+              type = types.nullOr (types.listOf types.str);
               default = [
                 "chacha20-poly1305@openssh.com"
                 "aes256-gcm@openssh.com"
@@ -502,7 +511,9 @@ in
               '';
             };
             # Disabled by default, since pam_motd handles this.
-            PrintMotd = mkEnableOption "printing /etc/motd when a user logs in interactively";
+            PrintMotd =
+              mkEnableOption "printing /etc/motd when a user logs in interactively"
+              // { type = types.nullOr types.bool; };
           };
         });
       };
@@ -544,8 +555,8 @@ in
       };
     users.groups.sshd = {};
 
-    services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";
-    services.openssh.sftpServerExecutable = mkDefault "${cfgc.package}/libexec/sftp-server";
+    services.openssh.moduliFile = mkDefault "${cfg.package}/etc/ssh/moduli";
+    services.openssh.sftpServerExecutable = mkDefault "${cfg.package}/libexec/sftp-server";
 
     environment.etc = authKeysFiles // authPrincipalsFiles //
       { "ssh/moduli".source = cfg.moduliFile;
@@ -559,7 +570,7 @@ in
             wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target";
             after = [ "network.target" ];
             stopIfChanged = false;
-            path = [ cfgc.package pkgs.gawk ];
+            path = [ cfg.package pkgs.gawk ];
             environment.LD_LIBRARY_PATH = nssModulesPath;
 
             restartTriggers = optionals (!cfg.startWhenNeeded) [
@@ -593,7 +604,7 @@ in
             serviceConfig =
               { ExecStart =
                   (optionalString cfg.startWhenNeeded "-") +
-                  "${cfgc.package}/bin/sshd " + (optionalString cfg.startWhenNeeded "-i ") +
+                  "${cfg.package}/bin/sshd " + (optionalString cfg.startWhenNeeded "-i ") +
                   "-D " +  # don't detach into a daemon process
                   "-f /etc/ssh/sshd_config";
                 KillMode = "process";
@@ -639,7 +650,10 @@ in
     security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM
       { startSession = true;
         showMotd = true;
-        unixAuth = cfg.settings.PasswordAuthentication;
+        unixAuth =
+          if cfg.settings.PasswordAuthentication == true
+          then true
+          else false;
       };
 
     # These values are merged with the ones defined externally, see:
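Review bot: `security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM` on the line above the change still assumes a boolean, but this commit makes `UsePAM` nullable, so a user who sets it to `null` gets an evaluation error when the `mkIf` condition is forced; `lib.mkIf (cfg.settings.UsePAM == true)` handles both. The new `unixAuth` expression can likewise be reduced to `unixAuth = cfg.settings.PasswordAuthentication == true;`, since the comparison already yields a bool. If `UsePAM = null` is meant to defer to sshd's own default, note that OpenSSH ships with `UsePAM no`, so disabling the PAM service in that case is the consistent behaviour.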
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index 3f68af3a86c96..81abae2c9303d 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -80,6 +80,15 @@ let
         description = "Commands called at the end of the interface setup.";
       };
 
+      preShutdown = mkOption {
+        example = literalExpression ''"''${pkgs.iproute2}/bin/ip netns del foo"'';
+        default = "";
+        type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines;
+        description = ''
+          Commands called before shutting down the interface.
+        '';
+      };
+
       postShutdown = mkOption {
         example = literalExpression ''"''${pkgs.openresolv}/bin/resolvconf -d wg0"'';
         default = "";
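Review bot: The `preShutdown` description, `Commands called before shutting down the interface.`, does not tell the reader when the hook runs; the next hunk places it in `postStop`, i.e. after the unit's main process has exited and before `ip link del`. Suggest `Commands run from the unit's postStop, after the main process has exited but before the interface is deleted; the interface still exists at this point.` so it is clearly distinguished from `postShutdown`, which runs after the deletion.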
@@ -497,6 +506,7 @@ let
         '';
 
         postStop = ''
+          ${values.preShutdown}
           ${ipPostMove} link del dev "${name}"
           ${values.postShutdown}
         '';
diff --git a/nixos/modules/services/security/bitwarden-directory-connector-cli.nix b/nixos/modules/services/security/bitwarden-directory-connector-cli.nix
index d21322caf4c33..fef4a88648979 100644
--- a/nixos/modules/services/security/bitwarden-directory-connector-cli.nix
+++ b/nixos/modules/services/security/bitwarden-directory-connector-cli.nix
@@ -260,6 +260,7 @@ in {
         description = "Sync timer for Bitwarden Directory Connector";
         wantedBy = ["timers.target"];
         after = ["network-online.target"];
+        wants = ["network-online.target"];
         timerConfig = {
           OnCalendar = cfg.interval;
           Unit = "bitwarden-directory-connector-cli.service";
diff --git a/nixos/modules/services/security/oauth2-proxy-nginx.nix b/nixos/modules/services/security/oauth2-proxy-nginx.nix
index 07192e7287b05..44bf56233e95e 100644
--- a/nixos/modules/services/security/oauth2-proxy-nginx.nix
+++ b/nixos/modules/services/security/oauth2-proxy-nginx.nix
@@ -83,6 +83,15 @@ in
   } ++ (lib.mapAttrsToList (vhost: conf: {
     virtualHosts.${vhost} = {
       locations = {
+        "/".extraConfig = ''
+          # pass information via X-User and X-Email headers to backend, requires running with --set-xauthrequest flag
+          proxy_set_header X-User  $user;
+          proxy_set_header X-Email $email;
+
+          # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+          add_header Set-Cookie $auth_cookie;
+        '';
+
         "/oauth2/auth" = let
           maybeQueryArg = name: value:
             if value == null then null
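Review bot: Moving `proxy_set_header X-User`/`X-Email` from the vhost-level `extraConfig` (removed in the last hunk of this file) into `locations."/".extraConfig` changes which locations receive them: nginx only inherits `proxy_set_header` into locations that define none of their own, and locations other than `/` defined elsewhere for the same vhost no longer get the directive at all. For such a location the backend stops receiving the authenticated identity, and a client-supplied `X-User` header would now pass through unmodified instead of being overwritten, which is a spoofing hazard if the backend trusts it. Either keep the `proxy_set_header` lines at vhost level alongside the `auth_request_set` directives, or document in the module that only `/` forwards the identity headers and that additional locations must set them explicitly. The `lib.mapAttrsToList` block these lines belong to starts outside the hunk.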
@@ -102,6 +111,7 @@ in
             proxy_pass_request_body           off;
           '';
         };
+
         "@redirectToAuth2ProxyLogin" = {
           return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri";
           extraConfig = ''
@@ -114,16 +124,10 @@ in
         auth_request /oauth2/auth;
         error_page 401 = @redirectToAuth2ProxyLogin;
 
-        # pass information via X-User and X-Email headers to backend,
-        # requires running with --set-xauthrequest flag
+        # set variables being used in locations."/".extraConfig
         auth_request_set $user   $upstream_http_x_auth_request_user;
         auth_request_set $email  $upstream_http_x_auth_request_email;
-        proxy_set_header X-User  $user;
-        proxy_set_header X-Email $email;
-
-        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
         auth_request_set $auth_cookie $upstream_http_set_cookie;
-        add_header Set-Cookie $auth_cookie;
       '';
     };
   }) cfg.virtualHosts)));
diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix
index 26f4eba707f92..d84136125f934 100644
--- a/nixos/modules/services/system/dbus.nix
+++ b/nixos/modules/services/system/dbus.nix
@@ -128,10 +128,14 @@ in
         contents."/etc/dbus-1".source = pkgs.makeDBusConf {
           inherit (cfg) apparmor;
           suidHelper = "/bin/false";
-          serviceDirectories = [ pkgs.dbus ];
+          serviceDirectories = [ pkgs.dbus config.boot.initrd.systemd.package ];
         };
         packages = [ pkgs.dbus ];
-        storePaths = [ "${pkgs.dbus}/bin/dbus-daemon" ];
+        storePaths = [
+          "${pkgs.dbus}/bin/dbus-daemon"
+          "${config.boot.initrd.systemd.package}/share/dbus-1/system-services"
+          "${config.boot.initrd.systemd.package}/share/dbus-1/system.d"
+        ];
         targets.sockets.wants = [ "dbus.socket" ];
       };
     })
diff --git a/nixos/modules/services/video/frigate.nix b/nixos/modules/services/video/frigate.nix
index 0e6bde447c033..c3ec4a3c76c34 100644
--- a/nixos/modules/services/video/frigate.nix
+++ b/nixos/modules/services/video/frigate.nix
@@ -427,10 +427,6 @@ in
         PrivateTmp = true;
         CacheDirectory = "frigate";
         CacheDirectoryMode = "0750";
-
-        BindPaths = [
-          "/migrations:${cfg.package}/share/frigate/migrations:ro"
-        ];
       };
     };
   };
diff --git a/nixos/modules/services/wayland/hypridle.nix b/nixos/modules/services/wayland/hypridle.nix
new file mode 100644
index 0000000000000..5442802df9871
--- /dev/null
+++ b/nixos/modules/services/wayland/hypridle.nix
@@ -0,0 +1,26 @@
+{ lib, pkgs, config, ... }:
+
+let
+  cfg = config.services.hypridle;
+in
+{
+  options.services.hypridle = {
+    enable = lib.mkEnableOption "hypridle, Hyprland's idle daemon";
+    package = lib.mkPackageOption pkgs "hypridle" { };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [
+      cfg.package
+    ];
+
+    systemd.user.services.hypridle = {
+      description = "Hypridle idle daemon";
+      wantedBy = [ "graphical-session.target" ];
+      partOf = [ "graphical-session.target" ];
+      script = lib.getExe cfg.package;
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ johnrtitor ];
+}
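Review bot: The user unit has no `Restart=` and no condition tying it to a Wayland session, so on a non-Hyprland graphical session `graphical-session.target` still pulls it in and hypridle fails once and stays failed. Adding `unitConfig.ConditionEnvironment = "WAYLAND_DISPLAY";` and `serviceConfig.Restart = "on-failure";` next to `script` would cover both cases.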
diff --git a/nixos/modules/services/web-apps/filesender.md b/nixos/modules/services/web-apps/filesender.md
new file mode 100644
index 0000000000000..44d066761b9a4
--- /dev/null
+++ b/nixos/modules/services/web-apps/filesender.md
@@ -0,0 +1,49 @@
+# FileSender {#module-services-filesender}
+
+[FileSender](https://filesender.org/software/) is a software that makes it easy to send and receive big files.
+
+## Quickstart {#module-services-filesender-quickstart}
+
+FileSender uses [SimpleSAMLphp](https://simplesamlphp.org/) for authentication, which needs to be configured separately.
+
+Minimal working instance of FileSender that uses password-authentication would look like this:
+
+```nix
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  services.filesender = {
+    enable = true;
+    localDomain = "filesender.example.com";
+    configureNginx = true;
+    database.createLocally = true;
+
+    settings = {
+      auth_sp_saml_authentication_source = "default";
+      auth_sp_saml_uid_attribute = "uid";
+      storage_filesystem_path = "<STORAGE PATH FOR UPLOADED FILES>";
+      admin = "admin";
+      admin_email = "admin@example.com";
+      email_reply_to = "noreply@example.com";
+    };
+  };
+  services.simplesamlphp.filesender = {
+    settings = {
+      "module.enable".exampleauth = true;
+    };
+    authSources = {
+      admin = [ "core:AdminPassword" ];
+      default = format.lib.mkMixedArray [ "exampleauth:UserPass" ] {
+        "admin:admin123" = {
+          uid = [ "admin" ];
+          cn = [ "admin" ];
+          mail = [ "admin@example.com" ];
+        };
+      };
+    };
+  };
+}
+```
+
+::: {.warning}
+Example above uses hardcoded clear-text password, in production you should use other authentication method like LDAP. You can check supported authentication methods [in SimpleSAMLphp documentation](https://simplesamlphp.org/docs/stable/simplesamlphp-idp.html).
+:::
diff --git a/nixos/modules/services/web-apps/filesender.nix b/nixos/modules/services/web-apps/filesender.nix
new file mode 100644
index 0000000000000..bc8d465643f2f
--- /dev/null
+++ b/nixos/modules/services/web-apps/filesender.nix
@@ -0,0 +1,253 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  format = pkgs.formats.php { finalVariable = "config"; };
+
+  cfg = config.services.filesender;
+  simpleSamlCfg = config.services.simplesamlphp.filesender;
+  fpm = config.services.phpfpm.pools.filesender;
+
+  filesenderConfigDirectory = pkgs.runCommand "filesender-config" { } ''
+    mkdir $out
+    cp ${format.generate "config.php" cfg.settings} $out/config.php
+  '';
+in
+{
+  meta = {
+    maintainers = with lib.maintainers; [ nhnn ];
+    doc = ./filesender.md;
+  };
+
+  options.services.filesender = with lib; {
+    enable = mkEnableOption "FileSender";
+    package = mkPackageOption pkgs "filesender" { };
+    user = mkOption {
+      description = "User under which filesender runs.";
+      type = types.str;
+      default = "filesender";
+    };
+    database = {
+      createLocally = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Create the PostgreSQL database and database user locally.
+        '';
+      };
+      hostname = mkOption {
+        type = types.str;
+        default = "/run/postgresql";
+        description = "Database hostname.";
+      };
+      port = mkOption {
+        type = types.port;
+        default = 5432;
+        description = "Database port.";
+      };
+      name = mkOption {
+        type = types.str;
+        default = "filesender";
+        description = "Database name.";
+      };
+      user = mkOption {
+        type = types.str;
+        default = "filesender";
+        description = "Database user.";
+      };
+      passwordFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        example = "/run/keys/filesender-dbpassword";
+        description = ''
+          A file containing the password corresponding to
+          [](#opt-services.filesender.database.user).
+        '';
+      };
+    };
+    settings = mkOption {
+      type = types.submodule {
+        freeformType = format.type;
+        options = {
+          site_url = mkOption {
+            type = types.str;
+            description = "Site URL. Used in emails, to build URLs for logging in, logging out, build URL for upload endpoint for web workers, to include scripts etc.";
+          };
+          admin = mkOption {
+            type = types.commas;
+            description = ''
+              UIDs (as per the configured saml_uid_attribute) of FileSender administrators.
+              Accounts with these UIDs can access the Admin page through the web UI.
+            '';
+          };
+          admin_email = mkOption {
+            type = types.commas;
+            description = ''
+              Email address of FileSender administrator(s).
+              Emails regarding disk full etc. are sent here.
+              You should use a role-address here.
+            '';
+          };
+          storage_filesystem_path = mkOption {
+            type = types.nullOr types.str;
+            description = "When using storage type filesystem this is the absolute path to the file system where uploaded files are stored until they expire. Your FileSender storage root.";
+          };
+          log_facilities = mkOption {
+            type = format.type;
+            default = [ { type = "error_log"; } ];
+            description = "Defines where FileSender logging is sent. You can sent logging to a file, to syslog or to the default PHP log facility (as configured through your webserver's PHP module). The directive takes an array of one or more logging targets. Logging can be sent to multiple targets simultaneously. Each logging target is a list containing the name of the logging target and a number of attributes which vary per log target. See below for the exact definiation of each log target.";
+          };
+        };
+      };
+      default = { };
+      description = ''
+        Configuration options used by FileSender.
+        See [](https://docs.filesender.org/filesender/v2.0/admin/configuration/)
+        for available options.
+      '';
+    };
+    configureNginx = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Configure nginx as a reverse proxy for FileSender.";
+    };
+    localDomain = mkOption {
+      type = types.str;
+      example = "filesender.example.org";
+      description = "The domain serving your FileSender instance.";
+    };
+    poolSettings = mkOption {
+      type =
+        with types;
+        attrsOf (oneOf [
+          str
+          int
+          bool
+        ]);
+      default = {
+        "pm" = "dynamic";
+        "pm.max_children" = "32";
+        "pm.start_servers" = "2";
+        "pm.min_spare_servers" = "2";
+        "pm.max_spare_servers" = "4";
+        "pm.max_requests" = "500";
+      };
+      description = ''
+        Options for FileSender's PHP pool. See the documentation on `php-fpm.conf` for details on configuration directives.
+      '';
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    services.simplesamlphp.filesender = {
+      phpfpmPool = "filesender";
+      localDomain = cfg.localDomain;
+      settings.baseurlpath = lib.mkDefault "https://${cfg.localDomain}/saml";
+    };
+
+    services.phpfpm = {
+      pools.filesender = {
+        user = cfg.user;
+        group = config.services.nginx.group;
+        phpEnv = {
+          FILESENDER_CONFIG_DIR = toString filesenderConfigDirectory;
+          SIMPLESAMLPHP_CONFIG_DIR = toString simpleSamlCfg.configDir;
+        };
+        settings = {
+          "listen.owner" = config.services.nginx.user;
+          "listen.group" = config.services.nginx.group;
+        } // cfg.poolSettings;
+      };
+    };
+
+    services.nginx = lib.mkIf cfg.configureNginx {
+      enable = true;
+      virtualHosts.${cfg.localDomain} = {
+        root = "${cfg.package}/www";
+        extraConfig = ''
+          index index.php;
+        '';
+        locations = {
+          "/".extraConfig = ''
+            try_files $uri $uri/ /index.php?args;
+          '';
+          "~ [^/]\\.php(/|$)" = {
+            extraConfig = ''
+              fastcgi_split_path_info  ^(.+\.php)(/.+)$;
+              fastcgi_pass  unix:${fpm.socket};
+              include ${pkgs.nginx}/conf/fastcgi.conf;
+              fastcgi_intercept_errors on;
+              fastcgi_param PATH_INFO       $fastcgi_path_info;
+              fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            '';
+          };
+          "~ /\\.".extraConfig = "deny all;";
+        };
+      };
+    };
+
+    services.postgresql = lib.mkIf cfg.database.createLocally {
+      enable = true;
+      ensureDatabases = [ cfg.database.name ];
+      ensureUsers = [
+        {
+          name = cfg.database.user;
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    services.filesender.settings = lib.mkMerge [
+      (lib.mkIf cfg.database.createLocally {
+        db_host = "/run/postgresql";
+        db_port = "5432";
+        db_password = "."; # FileSender requires it even when on UNIX socket auth.
+      })
+      (lib.mkIf (!cfg.database.createLocally) {
+        db_host = cfg.database.hostname;
+        db_port = toString cfg.database.port;
+        db_password = format.lib.mkRaw "file_get_contents('${cfg.database.passwordFile}')";
+      })
+      {
+        site_url = lib.mkDefault "https://${cfg.localDomain}";
+        db_type = "pgsql";
+        db_username = cfg.database.user;
+        db_database = cfg.database.name;
+        "auth_sp_saml_simplesamlphp_url" = "/saml";
+        "auth_sp_saml_simplesamlphp_location" = "${simpleSamlCfg.libDir}";
+      }
+    ];
+
+    systemd.services.filesender-initdb = {
+      description = "Init filesender DB";
+
+      wantedBy = [
+        "multi-user.target"
+        "phpfpm-filesender.service"
+      ];
+      after = [ "postgresql.service" ];
+
+      restartIfChanged = true;
+
+      serviceConfig = {
+        Environment = [
+          "FILESENDER_CONFIG_DIR=${toString filesenderConfigDirectory}"
+          "SIMPLESAMLPHP_CONFIG_DIR=${toString simpleSamlCfg.configDir}"
+        ];
+        Type = "oneshot";
+        Group = config.services.nginx.group;
+        User = "filesender";
+        ExecStart = "${fpm.phpPackage}/bin/php ${cfg.package}/scripts/upgrade/database.php";
+      };
+    };
+
+    users.extraUsers.filesender = lib.mkIf (cfg.user == "filesender") {
+      home = "/var/lib/filesender";
+      group = config.services.nginx.group;
+      createHome = true;
+      isSystemUser = true;
+    };
+  };
+}
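Review bot: `systemd.services.filesender-initdb` hard-codes `User = "filesender"` while the php-fpm pool runs as `cfg.user`, so setting `services.filesender.user` to anything else makes initdb start as a user this module no longer creates; use `User = cfg.user;`. With `database.createLocally = false` and `passwordFile` left at its `null` default, the interpolation in `file_get_contents('${cfg.database.passwordFile}')` aborts evaluation with a coercion error; an assertion such as `{ assertion = cfg.database.createLocally || cfg.database.passwordFile != null; message = "services.filesender.database.passwordFile must be set when database.createLocally is false"; }` gives a readable message instead. Every value in `settings` is rendered into `config.php` in the world-readable Nix store, so the `settings` description should state that secrets (SMTP credentials, API keys) must be injected at runtime via `format.lib.mkRaw "file_get_contents(...)"`, as is done for the database password, never as literals. `users.extraUsers` is the deprecated alias of `users.users`.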
diff --git a/nixos/modules/services/web-apps/firefly-iii.nix b/nixos/modules/services/web-apps/firefly-iii.nix
index b0024ce09c38e..6b383139c8911 100644
--- a/nixos/modules/services/web-apps/firefly-iii.nix
+++ b/nixos/modules/services/web-apps/firefly-iii.nix
@@ -3,8 +3,8 @@
 let
   inherit (lib) optionalString mkDefault mkIf mkOption mkEnableOption literalExpression;
   inherit (lib.types) nullOr attrsOf oneOf str int bool path package enum submodule;
-  inherit (lib.strings) concatMapStringsSep removePrefix toShellVars removeSuffix hasSuffix;
-  inherit (lib.attrsets) attrValues genAttrs filterAttrs mapAttrs' nameValuePair;
+  inherit (lib.strings) concatLines removePrefix toShellVars removeSuffix hasSuffix;
+  inherit (lib.attrsets) mapAttrsToList attrValues genAttrs filterAttrs mapAttrs' nameValuePair;
   inherit (builtins) isInt isString toString typeOf;
 
   cfg = config.services.firefly-iii;
@@ -21,18 +21,10 @@ let
     (filterAttrs (n: v: hasSuffix "_FILE" n) cfg.settings);
   env-nonfile-values = filterAttrs (n: v: ! hasSuffix "_FILE" n) cfg.settings;
 
-  envfile = pkgs.writeText "firefly-iii-env" ''
-    ${toShellVars env-file-values}
-    ${toShellVars env-nonfile-values}
-  '';
-
   fileenv-func = ''
-    cp --no-preserve=mode ${envfile} /tmp/firefly-iii-env
-    ${concatMapStringsSep "\n"
-      (n: "${pkgs.replace-secret}/bin/replace-secret ${n} ${n} /tmp/firefly-iii-env")
-      (attrValues env-file-values)}
     set -a
-    . /tmp/firefly-iii-env
+    ${toShellVars env-nonfile-values}
+    ${concatLines (mapAttrsToList (n: v: "${n}=\"$(< ${v})\"") env-file-values)}
     set +a
   '';
 
@@ -41,15 +33,13 @@ let
 
     ${optionalString (cfg.settings.DB_CONNECTION == "sqlite")
       "touch ${cfg.dataDir}/storage/database/database.sqlite"}
-    ${artisan} migrate --seed --no-interaction --force
-    ${artisan} firefly-iii:decrypt-all
+    ${artisan} package:discover
     ${artisan} firefly-iii:upgrade-database
-    ${artisan} firefly-iii:correct-database
-    ${artisan} firefly-iii:report-integrity
     ${artisan} firefly-iii:laravel-passport-keys
     ${artisan} cache:clear
-
-    mv /tmp/firefly-iii-env /run/phpfpm/firefly-iii-env
+    ${artisan} view:cache
+    ${artisan} route:cache
+    ${artisan} config:cache
   '';
 
   commonServiceConfig = {
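Review bot: `config:cache` on the new last line serialises Laravel's resolved configuration — including the values `fileenv-func` just read from the `*_FILE` secret files — into a cache file under the application's data directory, which is presumably why the cron unit in the hunk at -262,29 can drop `fileenv-func` and run `artisan firefly-iii:cron` bare. The secrets therefore now persist on disk, so that directory must be owned by the service user with no group/other read access (dataDir is set up outside this hunk) and the setup service must be re-run whenever a `*_FILE` secret is rotated, since `restartTriggers = [ cfg.package ]` only reacts to package changes. A comment above the three cache lines, e.g. `# config:cache bakes the *_FILE secret values into the app cache; protected only by dataDir permissions, re-run after rotating secrets`, would record that. The `${n}="$(< ${v})"` line earlier embeds the file path unquoted in shell; `${n}="$(< ${lib.escapeShellArg v})"` is safer for paths with unusual characters.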
@@ -146,6 +136,7 @@ in {
 
     virtualHost = mkOption {
       type = str;
+      default = "localhost";
       description = ''
         The hostname at which you wish firefly-iii to be served. If you have
         enabled nginx using `services.firefly-iii.enableNginx` then this will
@@ -170,14 +161,15 @@ in {
     };
 
     settings = mkOption {
+      default = {};
       description = ''
         Options for firefly-iii configuration. Refer to
         <https://github.com/firefly-iii/firefly-iii/blob/main/.env.example> for
         details on supported values. All <option>_FILE values supported by
         upstream are supported here.
 
-        APP_URL will be set by `services.firefly-iii.virtualHost`, do not
-        redefine it here.
+        APP_URL will be the same as `services.firefly-iii.virtualHost` if the
+        former is unset in `services.firefly-iii.settings`.
       '';
       example = literalExpression ''
         {
@@ -192,7 +184,6 @@ in {
           DB_PASSWORD_FILE = "/var/secrets/firefly-iii-mysql-password.txt;
         }
       '';
-      default = {};
       type = submodule {
         freeformType = attrsOf (oneOf [str int bool]);
         options = {
@@ -216,9 +207,9 @@ in {
           };
           DB_PORT = mkOption {
             type = nullOr int;
-            default = if cfg.settings.DB_CONNECTION == "sqlite" then null
+            default = if cfg.settings.DB_CONNECTION == "pgsql" then 5432
                       else if cfg.settings.DB_CONNECTION == "mysql" then 3306
-                      else 5432;
+                      else null;
             defaultText = ''
               `null` if DB_CONNECTION is "sqlite", `3306` if "mysql", `5432` if "pgsql"
             '';
@@ -227,6 +218,21 @@ in {
               this value to be filled.
             '';
           };
+          DB_HOST = mkOption {
+            type = str;
+            default = if cfg.settings.DB_CONNECTION == "pgsql" then "/run/postgresql"
+                      else "localhost";
+            defaultText = ''
+              "localhost" if DB_CONNECTION is "sqlite" or "mysql", "/run/postgresql" if "pgsql".
+            '';
+            description = ''
+              The machine which hosts your database. This is left at the
+              default value for "mysql" because we use the "DB_SOCKET" option
+              to connect to a unix socket instead. "pgsql" requires that the
+              unix socket location be specified here instead of at "DB_SOCKET".
+              This option does not affect "sqlite".
+            '';
+          };
           APP_KEY_FILE = mkOption {
             type = path;
             description = ''
@@ -235,6 +241,20 @@ in {
               /dev/urandom | base64)" > /path/to/key-file`.
             '';
           };
+          APP_URL = mkOption {
+            type = str;
+            default = if cfg.virtualHost == "localhost" then "http://${cfg.virtualHost}"
+                      else "https://${cfg.virtualHost}";
+            defaultText = ''
+              http(s)://''${config.services.firefly-iii.virtualHost}
+            '';
+            description = ''
+              The APP_URL used by firefly-iii internally. Please make sure this
+              URL matches the external URL of your Firefly III installation. It
+              is used to validate specific requests and to generate URLs in
+              emails.
+            '';
+          };
         };
       };
     };
@@ -242,12 +262,6 @@ in {
 
   config = mkIf cfg.enable {
 
-    services.firefly-iii = {
-      settings = {
-        APP_URL = cfg.virtualHost;
-      };
-    };
-
     services.phpfpm.pools.firefly-iii = {
       inherit user group;
       phpPackage = cfg.package.phpPackage;
@@ -262,29 +276,27 @@ in {
       } // cfg.poolConfig;
     };
 
-    systemd.services.phpfpm-firefly-iii.serviceConfig = {
-      EnvironmentFile = "/run/phpfpm/firefly-iii-env";
-      ExecStartPost = "${pkgs.coreutils}/bin/rm /run/phpfpm/firefly-iii-env";
-    };
-
     systemd.services.firefly-iii-setup = {
+      after = [ "postgresql.service" "mysql.service" ];
       requiredBy = [ "phpfpm-firefly-iii.service" ];
       before = [ "phpfpm-firefly-iii.service" ];
       serviceConfig = {
         ExecStart = firefly-iii-maintenance;
         RuntimeDirectory = "phpfpm";
         RuntimeDirectoryPreserve = true;
+        RemainAfterExit = true;
       } // commonServiceConfig;
       unitConfig.JoinsNamespaceOf = "phpfpm-firefly-iii.service";
+      restartTriggers = [ cfg.package ];
     };
 
     systemd.services.firefly-iii-cron = {
+      after = [ "firefly-iii-setup.service" "postgresql.service" "mysql.service" ];
+      wants = [ "firefly-iii-setup.service" ];
       description = "Daily Firefly III cron job";
-      script = ''
-        ${fileenv-func}
-        ${artisan} firefly-iii:cron
-      '';
-      serviceConfig = commonServiceConfig;
+      serviceConfig = {
+        ExecStart = "${artisan} firefly-iii:cron";
+      } // commonServiceConfig;
     };
 
     systemd.timers.firefly-iii-cron = {
@@ -295,6 +307,7 @@ in {
         Persistent = true;
       };
       wantedBy = [ "timers.target" ];
+      restartTriggers = [ cfg.package ];
     };
 
     services.nginx = mkIf cfg.enableNginx {
diff --git a/nixos/modules/services/web-apps/invoiceplane.nix b/nixos/modules/services/web-apps/invoiceplane.nix
index 4d0e25958e35a..c3dbb88619b33 100644
--- a/nixos/modules/services/web-apps/invoiceplane.nix
+++ b/nixos/modules/services/web-apps/invoiceplane.nix
@@ -39,10 +39,7 @@ let
 
   extraConfig = hostName: cfg: let
     settings = mapAttrsToList (k: v: "${k}=${mkPhpValue v}") cfg.settings;
-  in pkgs.writeText "extraConfig.php" ''
-    ${concatStringsSep "\n" settings}
-    ${toString cfg.extraConfig}
-  '';
+  in pkgs.writeText "extraConfig.php" (concatStringsSep "\n" settings);
 
   pkg = hostName: cfg: pkgs.stdenv.mkDerivation rec {
     pname = "invoiceplane-${hostName}";
@@ -182,25 +179,6 @@ let
           '';
         };
 
-        extraConfig = mkOption {
-          type = types.nullOr types.lines;
-          default = null;
-          example = ''
-            SETUP_COMPLETED=true
-            DISABLE_SETUP=true
-            IP_URL=https://invoice.example.com
-          '';
-          description = ''
-            InvoicePlane configuration. Refer to
-            <https://github.com/InvoicePlane/InvoicePlane/blob/master/ipconfig.php.example>
-            for details on supported values.
-
-            **Note**: Please pass structured settings via
-            `services.invoiceplane.sites.${name}.settings` instead, this option
-            will get deprecated in the future.
-          '';
-        };
-
         settings = mkOption {
           type = types.attrsOf types.anything;
           default = {};
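Review bot: `extraConfig` is removed from the `sites.<name>` submodule without a matching removed-option module (none appears in the shown hunks; it may be added elsewhere), so existing configurations that still set `services.invoiceplane.sites.<name>.extraConfig` will fail with a generic "option does not exist" error instead of the pointer to `settings` that the removed description promised. Adding `imports = [ (mkRemovedOptionModule [ "extraConfig" ] "Use services.invoiceplane.sites.<name>.settings instead.") ];` inside the submodule would keep the migration hint.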
@@ -269,12 +247,6 @@ in
   # implementation
   config = mkIf (eachSite != {}) (mkMerge [{
 
-    warnings = flatten (mapAttrsToList (hostName: cfg: [
-      (optional (cfg.extraConfig != null) ''
-        services.invoiceplane.sites."${hostName}".extraConfig will be deprecated in future releases, please use the settings option now.
-      '')
-    ]) eachSite);
-
     assertions = flatten (mapAttrsToList (hostName: cfg: [
       { assertion = cfg.database.createLocally -> cfg.database.user == user;
         message = ''services.invoiceplane.sites."${hostName}".database.user must be ${user} if the database is to be automatically provisioned'';
diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix
index 570f2770fb291..daebd6441cb5d 100644
--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -20,8 +20,6 @@ let
 
     DB_USER = cfg.database.user;
 
-    REDIS_HOST = cfg.redis.host;
-    REDIS_PORT = toString(cfg.redis.port);
     DB_HOST = cfg.database.host;
     DB_NAME = cfg.database.name;
     LOCAL_DOMAIN = cfg.localDomain;
@@ -34,6 +32,8 @@ let
 
     TRUSTED_PROXY_IP = cfg.trustedProxy;
   }
+  // lib.optionalAttrs (cfg.redis.host != null) { REDIS_HOST = cfg.redis.host; }
+  // lib.optionalAttrs (cfg.redis.port != null) { REDIS_PORT = toString(cfg.redis.port); }
   // lib.optionalAttrs (cfg.redis.createLocally && cfg.redis.enableUnixSocket) { REDIS_URL = "unix://${config.services.redis.servers.mastodon.unixSocket}"; }
   // lib.optionalAttrs (cfg.database.host != "/run/postgresql" && cfg.database.port != null) { DB_PORT = toString cfg.database.port; }
   // lib.optionalAttrs cfg.smtp.authenticate { SMTP_LOGIN  = cfg.smtp.user; }
@@ -90,6 +90,11 @@ let
     SystemCallArchitectures = "native";
   };
 
+  # Services that all Mastodon units After= and Requires= on
+  commonServices = lib.optional redisActuallyCreateLocally "redis-mastodon.service"
+    ++ lib.optional databaseActuallyCreateLocally "postgresql.service"
+    ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
+
   envFile = pkgs.writeText "mastodon.env" (lib.concatMapStrings (s: s + "\n") (
     (lib.concatLists (lib.mapAttrsToList (name: value:
       lib.optional (value != null) ''${name}="${toString value}"''
@@ -117,14 +122,8 @@ let
       jobClassLabel = toString ([""] ++ processCfg.jobClasses);
       threads = toString (if processCfg.threads == null then cfg.sidekiqThreads else processCfg.threads);
     in {
-      after = [ "network.target" "mastodon-init-dirs.service" ]
-        ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
-        ++ lib.optional databaseActuallyCreateLocally "postgresql.service"
-        ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
-      requires = [ "mastodon-init-dirs.service" ]
-        ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
-        ++ lib.optional databaseActuallyCreateLocally "postgresql.service"
-        ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
+      after = [ "network.target" "mastodon-init-dirs.service" ] ++ commonServices;
+      requires = [ "mastodon-init-dirs.service" ] ++ commonServices;
       description = "Mastodon sidekiq${jobClassLabel}";
       wantedBy = [ "mastodon.target" ];
       environment = env // {
@@ -149,14 +148,8 @@ let
       (map (i: {
         name = "mastodon-streaming-${toString i}";
         value = {
-          after = [ "network.target" "mastodon-init-dirs.service" ]
-            ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
-            ++ lib.optional databaseActuallyCreateLocally "postgresql.service"
-            ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
-          requires = [ "mastodon-init-dirs.service" ]
-            ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
-            ++ lib.optional databaseActuallyCreateLocally "postgresql.service"
-            ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
+          after = [ "network.target" "mastodon-init-dirs.service" ] ++ commonServices;
+          requires = [ "mastodon-init-dirs.service" ] ++ commonServices;
           wantedBy = [ "mastodon.target" "mastodon-streaming.target" ];
           description = "Mastodon streaming ${toString i}";
           environment = env // { SOCKET = "/run/mastodon-streaming/streaming-${toString i}.socket"; };
@@ -401,14 +394,20 @@ in {
 
         host = lib.mkOption {
           description = "Redis host.";
-          type = lib.types.str;
-          default = "127.0.0.1";
+          type = lib.types.nullOr lib.types.str;
+          default = if cfg.redis.createLocally && !cfg.redis.enableUnixSocket then "127.0.0.1" else null;
+          defaultText = lib.literalExpression ''
+            if config.${opt.redis.createLocally} && !config.${opt.redis.enableUnixSocket} then "127.0.0.1" else null
+          '';
         };
 
         port = lib.mkOption {
           description = "Redis port.";
-          type = lib.types.port;
-          default = 31637;
+          type = lib.types.nullOr lib.types.port;
+          default = if cfg.redis.createLocally && !cfg.redis.enableUnixSocket then 31637 else null;
+          defaultText = lib.literalExpression ''
+            if config.${opt.redis.createLocally} && !config.${opt.redis.enableUnixSocket} then 31637 else null
+          '';
         };
 
         passwordFile = lib.mkOption {
@@ -632,6 +631,20 @@ in {
   config = lib.mkIf cfg.enable (lib.mkMerge [{
     assertions = [
       {
+        assertion = !redisActuallyCreateLocally -> (cfg.redis.host != "127.0.0.1" && cfg.redis.port != null);
+        message = ''
+          `services.mastodon.redis.host` and `services.mastodon.redis.port` need to be set if
+            `services.mastodon.redis.createLocally` is not enabled.
+        '';
+      }
+      {
+        assertion = redisActuallyCreateLocally -> (!cfg.redis.enableUnixSocket || (cfg.redis.host == null && cfg.redis.port == null));
+        message = ''
+          `services.mastodon.redis.enableUnixSocket` needs to be disabled if
+            `services.mastodon.redis.host` and `services.mastodon.redis.port` is used.
+        '';
+      }
+      {
         assertion = redisActuallyCreateLocally -> (!cfg.redis.enableUnixSocket || cfg.redis.passwordFile == null);
         message = ''
           <option>services.mastodon.redis.enableUnixSocket</option> needs to be disabled if
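Review bot: The first added assertion checks `cfg.redis.host != "127.0.0.1"` while its message says host and port must be set; with `createLocally = false` the host default is `null`, which passes the check, whereas a user-managed Redis that legitimately listens on 127.0.0.1 is rejected. The condition should read `assertion = !redisActuallyCreateLocally -> (cfg.redis.host != null && cfg.redis.port != null);` to match the message. `redisActuallyCreateLocally` is defined outside this hunk, so I am reading its meaning from the name.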
@@ -783,14 +796,8 @@ in {
     };
 
     systemd.services.mastodon-web = {
-      after = [ "network.target" "mastodon-init-dirs.service" ]
-        ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
-        ++ lib.optional databaseActuallyCreateLocally "postgresql.service"
-        ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
-      requires = [ "mastodon-init-dirs.service" ]
-        ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
-        ++ lib.optional databaseActuallyCreateLocally "postgresql.service"
-        ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
+      after = [ "network.target" "mastodon-init-dirs.service" ] ++ commonServices;
+      requires = [ "mastodon-init-dirs.service" ] ++ commonServices;
       wantedBy = [ "mastodon.target" ];
       description = "Mastodon web";
       environment = env // (if cfg.enableUnixSocket
diff --git a/nixos/modules/services/web-apps/mealie.nix b/nixos/modules/services/web-apps/mealie.nix
index 8f68828e7a0be..0d41cffd3d9dd 100644
--- a/nixos/modules/services/web-apps/mealie.nix
+++ b/nixos/modules/services/web-apps/mealie.nix
@@ -28,8 +28,6 @@ in
         Configuration of the Mealie service.
 
         See [the mealie documentation](https://nightly.mealie.io/documentation/getting-started/installation/backend-config/) for available options and default values.
-
-        In addition to the official documentation, you can set {env}`MEALIE_LOG_FILE`.
       '';
       example = {
         ALLOW_SIGNUP = "false";
@@ -61,6 +59,7 @@ in
         PRODUCTION = "true";
         ALEMBIC_CONFIG_FILE="${pkg}/config/alembic.ini";
         API_PORT = toString cfg.port;
+        BASE_URL = "http://localhost:${cfg.port}";
         DATA_DIR = "/var/lib/mealie";
         CRF_MODEL_PATH = "/var/lib/mealie/model.crfmodel";
       } // (builtins.mapAttrs (_: val: toString val) cfg.settings);
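Review bot: `cfg.port` is a `types.port` integer and Nix cannot interpolate an integer into a string, so `BASE_URL = "http://localhost:${cfg.port}";` fails at evaluation time; the `API_PORT` line above already shows the right form, use `BASE_URL = "http://localhost:${toString cfg.port}";`. The enclosing environment attrset starts outside this hunk.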
diff --git a/nixos/modules/services/web-apps/nextjs-ollama-llm-ui.nix b/nixos/modules/services/web-apps/nextjs-ollama-llm-ui.nix
new file mode 100644
index 0000000000000..d58210c8d9610
--- /dev/null
+++ b/nixos/modules/services/web-apps/nextjs-ollama-llm-ui.nix
@@ -0,0 +1,87 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.nextjs-ollama-llm-ui;
+  # we have to override the URL to a Ollama service here, because it gets baked into the web app.
+  nextjs-ollama-llm-ui = cfg.package.override { ollamaUrl = "https://ollama.lambdablob.com"; };
+in
+{
+  options = {
+    services.nextjs-ollama-llm-ui = {
+      enable = lib.mkEnableOption ''
+        Simple Ollama web UI service; an easy to use web frontend for a Ollama backend service.
+        Run state-of-the-art AI large language models (LLM) similar to ChatGPT locally with privacy
+        on your personal computer.
+        This service is stateless and doesn't store any data on the server; all data is kept
+        locally in your web browser.
+        See https://github.com/jakobhoeg/nextjs-ollama-llm-ui.
+
+        Required: You need the Ollama backend service running by having
+        "services.nextjs-ollama-llm-ui.ollamaUrl" point to the correct url.
+        You can host such a backend service with NixOS through "services.ollama".
+      '';
+      package = lib.mkPackageOption pkgs "nextjs-ollama-llm-ui" { };
+
+      hostname = lib.mkOption {
+        type = lib.types.str;
+        default = "127.0.0.1";
+        example = "ui.example.org";
+        description = ''
+          The hostname under which the Ollama UI interface should be accessible.
+          By default it uses localhost/127.0.0.1 to be accessible only from the local machine.
+          Change to "0.0.0.0" to make it directly accessible from the local network.
+
+          Note: You should keep it at 127.0.0.1 and only serve to the local
+          network or internet from a (home) server behind a reverse-proxy and secured encryption.
+          See https://wiki.nixos.org/wiki/Nginx for instructions on how to set up a reverse-proxy.
+        '';
+      };
+
+      port = lib.mkOption {
+        type = lib.types.port;
+        default = 3000;
+        example = 3000;
+        description = ''
+          The port under which the Ollama UI interface should be accessible.
+        '';
+      };
+
+      ollamaUrl = lib.mkOption {
+        type = lib.types.str;
+        default = "127.0.0.1:11434";
+        example = "https://ollama.example.org";
+        description = ''
+          The address (including host and port) under which we can access the Ollama backend server.
+          !Note that if the the UI service is running under a domain "https://ui.example.org",
+          the Ollama backend service must allow "CORS" requests from this domain, e.g. by adding
+          "services.ollama.environment.OLLAMA_ORIGINS = [ ... "https://ui.example.org" ];"!
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services = {
+
+      nextjs-ollama-llm-ui = {
+        wantedBy = [ "multi-user.target" ];
+        description = "Nextjs Ollama LLM Ui.";
+        after = [ "network.target" ];
+        environment = {
+          HOSTNAME = cfg.hostname;
+          PORT = toString cfg.port;
+          NEXT_PUBLIC_OLLAMA_URL = cfg.ollamaUrl;
+        };
+        serviceConfig = {
+          ExecStart = "${lib.getExe nextjs-ollama-llm-ui}";
+          DynamicUser = true;
+        };
+      };
+    };
+  };
+  meta.maintainers = with lib.maintainers; [ malteneuss ];
+}
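Review bot: The package override near the top of the file bakes the literal `https://ollama.lambdablob.com` into the web app rather than `cfg.ollamaUrl`, so every deployment is built against a host the operator never configured, and the `ollamaUrl` option may have no effect on the delivered bundle. The comment on that line says the URL must be set at build time because it is baked in, which suggests the `NEXT_PUBLIC_OLLAMA_URL` entry in the service environment cannot override it at runtime either; since the description says all data stays in the browser, users' prompts would then be sent from their browsers to that third-party host. The override should use the option value: `nextjs-ollama-llm-ui = cfg.package.override { ollamaUrl = cfg.ollamaUrl; };`. The default `127.0.0.1:11434` also has no scheme while the example and description speak of full URLs; documenting which form the app expects would avoid a second surprise.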
diff --git a/nixos/modules/services/web-apps/simplesamlphp.nix b/nixos/modules/services/web-apps/simplesamlphp.nix
new file mode 100644
index 0000000000000..e970266fc17dd
--- /dev/null
+++ b/nixos/modules/services/web-apps/simplesamlphp.nix
@@ -0,0 +1,128 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.simplesamlphp;
+
+  format = pkgs.formats.php { finalVariable = "config"; };
+
+  generateConfig =
+    opts:
+    pkgs.runCommand "simplesamlphp-config" { } ''
+      mkdir $out
+      cp ${format.generate "config.php" opts.settings} $out/config.php
+      cp ${format.generate "authsources.php" opts.authSources} $out/authsources.php
+    '';
+in
+{
+  meta = {
+    maintainers = with lib.maintainers; [ nhnn ];
+  };
+
+  options.services.simplesamlphp =
+    with lib;
+    mkOption {
+      type = types.attrsOf (
+        types.submodule (
+          { config, ... }:
+          {
+            options = {
+              package = mkPackageOption pkgs "simplesamlphp" { };
+              configureNginx = mkOption {
+                type = types.bool;
+                default = true;
+                description = "Configure nginx as a reverse proxy for SimpleSAMLphp.";
+              };
+              phpfpmPool = mkOption {
+                type = types.str;
+                description = "The PHP-FPM pool that serves SimpleSAMLphp instance.";
+              };
+              localDomain = mkOption {
+                type = types.str;
+                description = "The domain serving your SimpleSAMLphp instance. This option modifies only /saml route.";
+              };
+              settings = mkOption {
+                type = types.submodule {
+                  freeformType = format.type;
+                  options = {
+                    baseurlpath = mkOption {
+                      type = types.str;
+                      example = "https://filesender.example.com/saml/";
+                      description = "URL where SimpleSAMLphp can be reached.";
+                    };
+                  };
+                };
+                default = { };
+                description = ''
+                  Configuration options used by SimpleSAMLphp.
+                  See [](https://simplesamlphp.org/docs/stable/simplesamlphp-install)
+                  for available options.
+                '';
+              };
+
+              authSources = mkOption {
+                type = format.type;
+                default = { };
+                description = ''
+                  Auth sources options used by SimpleSAMLphp.
+                '';
+              };
+
+              libDir = mkOption {
+                type = types.str;
+                readOnly = true;
+                description = ''
+                  Path to the SimpleSAMLphp library directory.
+                '';
+              };
+              configDir = mkOption {
+                type = types.str;
+                readOnly = true;
+                description = ''
+                  Path to the SimpleSAMLphp config directory.
+                '';
+              };
+            };
+            config = {
+              libDir = "${config.package}/share/php/simplesamlphp/";
+              configDir = "${generateConfig config}";
+            };
+          }
+        )
+      );
+      default = { };
+      description = "Instances of SimpleSAMLphp. This module is designed to work with already existing PHP-FPM pool and NGINX virtualHost.";
+    };
+
+  config = {
+    services.phpfpm.pools = lib.mapAttrs' (
+      phpfpmName: opts:
+      lib.nameValuePair opts.phpfpmPool { phpEnv.SIMPLESAMLPHP_CONFIG_DIR = "${generateConfig opts}"; }
+    ) cfg;
+
+    services.nginx.virtualHosts = lib.mapAttrs' (
+      phpfpmName: opts:
+      lib.nameValuePair opts.localDomain (
+        lib.mkIf opts.configureNginx {
+          locations."^~ /saml/" = {
+            alias = "${opts.package}/share/php/simplesamlphp/www/";
+            extraConfig = ''
+                location ~ ^(?<prefix>/saml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
+                  include ${pkgs.nginx}/conf/fastcgi.conf;
+                  fastcgi_split_path_info  ^(.+\.php)(/.+)$;
+                  fastcgi_pass  unix:${config.services.phpfpm.pools.${phpfpmName}.socket};
+                  fastcgi_intercept_errors on;
+                  fastcgi_param SCRIPT_FILENAME $document_root$phpfile;
+                  fastcgi_param SCRIPT_NAME /saml$phpfile;
+                  fastcgi_param PATH_INFO $pathinfo if_not_empty;
+              }
+            '';
+          };
+        }
+      )
+    ) cfg;
+  };
+}
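Review bot: `settings` and `authSources` are rendered into `config.php`/`authsources.php` by `generateConfig` and land in the Nix store, which is world-readable, so any secret placed there (SimpleSAMLphp's `secretsalt`, `auth.adminpassword`, or credentials inside an auth source) is readable by every local user, and neither option description says so. Both descriptions should carry a sentence such as `Values are written to the world-readable Nix store; do not put secrets here.`, or the module should offer a runtime-file alternative. Separately, `phpfpmName` is unused in the `services.phpfpm.pools` mapping, and `generateConfig` is evaluated a second time for `SIMPLESAMLPHP_CONFIG_DIR` even though `opts.configDir` already holds the same derivation and could be reused.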
diff --git a/nixos/modules/services/web-servers/bluemap.nix b/nixos/modules/services/web-servers/bluemap.nix
new file mode 100644
index 0000000000000..28eaad3db313e
--- /dev/null
+++ b/nixos/modules/services/web-servers/bluemap.nix
@@ -0,0 +1,311 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.bluemap;
+  format = pkgs.formats.hocon { };
+
+  coreConfig = format.generate "core.conf" cfg.coreSettings;
+  webappConfig = format.generate "webapp.conf" cfg.webappSettings;
+  webserverConfig = format.generate "webserver.conf" cfg.webserverSettings;
+
+  mapsFolder = pkgs.linkFarm "maps"
+    (lib.attrsets.mapAttrs' (name: value:
+      lib.nameValuePair "${name}.conf"
+        (format.generate "${name}.conf" value))
+      cfg.maps);
+
+  storageFolder = pkgs.linkFarm "storage"
+    (lib.attrsets.mapAttrs' (name: value:
+      lib.nameValuePair "${name}.conf"
+        (format.generate "${name}.conf" value))
+      cfg.storage);
+
+  configFolder = pkgs.linkFarm "bluemap-config" {
+    "maps" = mapsFolder;
+    "storages" = storageFolder;
+    "core.conf" = coreConfig;
+    "webapp.conf" = webappConfig;
+    "webserver.conf" = webserverConfig;
+    "resourcepacks" = pkgs.linkFarm "resourcepacks" cfg.resourcepacks;
+  };
+
+  inherit (lib) mkOption;
+in {
+  options.services.bluemap = {
+    enable = lib.mkEnableOption "bluemap";
+
+    eula = mkOption {
+      type = lib.types.bool;
+      description = ''
+        By changing this option to true you confirm that you own a copy of minecraft Java Edition,
+        and that you agree to minecrafts EULA.
+      '';
+      default = false;
+    };
+
+    defaultWorld = mkOption {
+      type = lib.types.path;
+      description = ''
+        The world used by the default map ruleset.
+        If you configure your own maps you do not need to set this.
+      '';
+      example = lib.literalExpression "\${config.services.minecraft.dataDir}/world";
+    };
+
+    enableRender = mkOption {
+      type = lib.types.bool;
+      description = "Enable rendering";
+      default = true;
+    };
+
+    webRoot = mkOption {
+      type = lib.types.path;
+      default = "/var/lib/bluemap/web";
+      description = "The directory for saving and serving the webapp and the maps";
+    };
+
+    enableNginx = mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Enable configuring a virtualHost for serving the bluemap webapp";
+    };
+
+    host = mkOption {
+      type = lib.types.str;
+      default = "bluemap.${config.networking.domain}";
+      defaultText = lib.literalExpression "bluemap.\${config.networking.domain}";
+      description = "Domain to configure nginx for";
+    };
+
+    onCalendar = mkOption {
+      type = lib.types.str;
+      description = ''
+        How often to trigger rendering the map,
+        in the format of a systemd timer onCalendar configuration.
+        See {manpage}`systemd.timer(5)`.
+      '';
+      default = "*-*-* 03:10:00";
+    };
+
+    coreSettings = mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          data = mkOption {
+            type = lib.types.path;
+            description = "Folder for where bluemap stores its data";
+            default = "/var/lib/bluemap";
+          };
+          metrics = lib.mkEnableOption "Sending usage metrics containing the version of bluemap in use";
+        };
+      };
+      description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
+    };
+
+    webappSettings = mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+      };
+      default = {
+        enabled = true;
+        webroot = cfg.webRoot;
+      };
+      defaultText = lib.literalExpression ''
+        {
+          enabled = true;
+          webroot = config.services.bluemap.webRoot;
+        }
+      '';
+      description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
+    };
+
+    webserverSettings = mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          enabled = mkOption {
+            type = lib.types.bool;
+            description = ''
+              Enable bluemap's built-in webserver.
+              Disabled by default in nixos for use of nginx directly.
+            '';
+            default = false;
+          };
+        };
+      };
+      default = { };
+      description = ''
+        Settings for the webserver.conf file, usually not required.
+        [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
+      '';
+    };
+
+    maps = mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          world = lib.mkOption {
+            type = lib.types.path;
+            description = "Path to world folder containing the dimension to render";
+          };
+        };
+      });
+      default = {
+        "overworld" = {
+          world = "${cfg.defaultWorld}";
+          ambient-light = 0.1;
+          cave-detection-ocean-floor = -5;
+        };
+
+        "nether" = {
+          world = "${cfg.defaultWorld}/DIM-1";
+          sorting = 100;
+          sky-color = "#290000";
+          void-color = "#150000";
+          ambient-light = 0.6;
+          world-sky-light = 0;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+          cave-detection-uses-block-light = true;
+          max-y = 90;
+        };
+
+        "end" = {
+          world = "${cfg.defaultWorld}/DIM1";
+          sorting = 200;
+          sky-color = "#080010";
+          void-color = "#080010";
+          ambient-light = 0.6;
+          world-sky-light = 0;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+        };
+      };
+      defaultText = lib.literalExpression ''
+        {
+          "overworld" = {
+            world = "''${cfg.defaultWorld}";
+            ambient-light = 0.1;
+            cave-detection-ocean-floor = -5;
+          };
+
+          "nether" = {
+            world = "''${cfg.defaultWorld}/DIM-1";
+            sorting = 100;
+            sky-color = "#290000";
+            void-color = "#150000";
+            ambient-light = 0.6;
+            world-sky-light = 0;
+            remove-caves-below-y = -10000;
+            cave-detection-ocean-floor = -5;
+            cave-detection-uses-block-light = true;
+            max-y = 90;
+          };
+
+          "end" = {
+            world = "''${cfg.defaultWorld}/DIM1";
+            sorting = 200;
+            sky-color = "#080010";
+            void-color = "#080010";
+            ambient-light = 0.6;
+            world-sky-light = 0;
+            remove-caves-below-y = -10000;
+            cave-detection-ocean-floor = -5;
+          };
+        };
+      '';
+      description = ''
+        Settings for files in `maps/`.
+        If you define anything here you must define everything yourself.
+        See the default for an example with good options for the different world types.
+        For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
+      '';
+    };
+
+    storage = mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          storage-type = mkOption {
+            type = lib.types.enum [ "FILE" "SQL" ];
+            description = "Type of storage config";
+            default = "FILE";
+          };
+        };
+      });
+      description = ''
+        Where the rendered map will be stored.
+        Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
+        [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/storages)
+      '';
+      default = {
+        "file" = {
+          root = "${cfg.webRoot}/maps";
+        };
+      };
+      defaultText = lib.literalExpression ''
+        {
+          "file" = {
+            root = "''${config.services.bluemap.webRoot}/maps";
+          };
+        }
+      '';
+    };
+
+    resourcepacks = mkOption {
+      type = lib.types.attrsOf lib.types.pathInStore;
+      default = { };
+      description = "A set of resourcepacks to use, loaded in alphabetical order";
+    };
+  };
+
+
+  config = lib.mkIf cfg.enable {
+    assertions =
+      [ { assertion = config.services.bluemap.eula;
+          message = ''
+            You have enabled bluemap but have not accepted minecraft's EULA.
+            You can achieve this through setting `services.bluemap.eula = true`
+          '';
+        }
+      ];
+
+    services.bluemap.coreSettings.accept-download = cfg.eula;
+
+    systemd.services."render-bluemap-maps" = lib.mkIf cfg.enableRender {
+      serviceConfig = {
+        Type = "oneshot";
+        Group = "nginx";
+        UMask = "026";
+      };
+      script = ''
+        ${lib.getExe pkgs.bluemap} -c ${configFolder} -gs -r
+      '';
+    };
+
+    systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = cfg.onCalendar;
+        Persistent = true;
+        Unit = "render-bluemap-maps.service";
+      };
+    };
+
+    services.nginx.virtualHosts = lib.mkIf cfg.enableNginx {
+      "${cfg.host}" = {
+        root = config.services.bluemap.webRoot;
+        locations = {
+          "~* ^/maps/[^/]*/tiles/[^/]*.json$".extraConfig = ''
+            error_page 404 =200 /assets/emptyTile.json;
+            gzip_static always;
+          '';
+          "~* ^/maps/[^/]*/tiles/[^/]*.png$".tryFiles = "$uri =204";
+        };
+      };
+    };
+  };
+
+  meta = {
+    maintainers = with lib.maintainers; [ dandellion h7x4 ];
+  };
+}
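Review bot: `render-bluemap-maps` sets `Group = "nginx"` and a `UMask` but neither `User` nor `DynamicUser`, so the renderer runs as root while processing world data and, if the `accept-download`/EULA wording means what it suggests, fetching and unpacking game assets. Since `coreSettings.data` and `webRoot` both default under `/var/lib/bluemap`, adding `DynamicUser = true;` and `StateDirectory = "bluemap";` to `serviceConfig` would confine it while the existing group and umask keep the output readable by nginx. The `Group = "nginx"` line is also applied when `enableNginx = false`, where that group may not exist; gating it on `cfg.enableNginx` would avoid a unit that fails to start.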
diff --git a/nixos/modules/services/web-servers/garage.nix b/nixos/modules/services/web-servers/garage.nix
index 3186360c70513..8d1966aee091b 100644
--- a/nixos/modules/services/web-servers/garage.nix
+++ b/nixos/modules/services/web-servers/garage.nix
@@ -49,8 +49,15 @@ in
 
           data_dir = mkOption {
             default = "/var/lib/garage/data";
-            type = types.path;
-            description = "The main data storage, put this on your large storage (e.g. high capacity HDD)";
+            example = [ {
+              path = "/var/lib/garage/data";
+              capacity = "2T";
+            } ];
+            type = with types; either path (listOf attrs);
+            description = ''
+              The directory in which Garage will store the data blocks of objects. This folder can be placed on an HDD.
+              Since v0.9.0, Garage supports multiple data directories, refer to https://garagehq.deuxfleurs.fr/documentation/reference-manual/configuration/#data_dir for the exact format.
+            '';
           };
         };
       };
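Review bot: `listOf attrs` on the new type line accepts any attribute set, so a misspelled `path` or `capacity` key in a multi-directory `data_dir` only surfaces when Garage reads its configuration at startup rather than at evaluation time. A `listOf (submodule { … })` declaring `path` and `capacity` as in the example would validate entries during the rebuild; failing that, the description should say the list entries are passed through unchecked. The `data_dir` option block begins outside the hunk.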
diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
index 03bff1dee5b9d..694d34d1c059a 100644
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
@@ -196,8 +196,7 @@ def get_generations(profile: str | None = None) -> list[SystemIdentifier]:
         f"{NIX}/bin/nix-env",
         "--list-generations",
         "-p",
-        "/nix/var/nix/profiles/%s" % ("system-profiles/" + profile if profile else "system"),
-        "--option", "build-users-group", ""],
+        "/nix/var/nix/profiles/%s" % ("system-profiles/" + profile if profile else "system")],
         universal_newlines=True)
     gen_lines = gen_list.split('\n')
     gen_lines.pop()
diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix
index 7f53efbf83f5d..79d76a8caa94b 100644
--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@@ -386,7 +386,7 @@ let
         (assertValueOneOf "UDP6ZeroChecksumRx" boolValues)
       ];
 
-      sectionL2TPSession = checkUnitConfig "L2TPSession" [
+      sectionL2TPSession = checkUnitConfigWithLegacyKey "l2tpSessionConfig" "L2TPSession" [
         (assertOnlyFields [
           "Name"
           "SessionId"
@@ -421,7 +421,7 @@ let
       # NOTE The PresharedKey directive is missing on purpose here, please
       # do not add it to this list. The nix store is world-readable,let's
       # refrain ourselves from providing a footgun.
-      sectionWireGuardPeer = checkUnitConfig "WireGuardPeer" [
+      sectionWireGuardPeer = checkUnitConfigWithLegacyKey "wireguardPeerConfig" "WireGuardPeer" [
         (assertOnlyFields [
           "PublicKey"
           "PresharedKeyFile"
@@ -712,7 +712,7 @@ let
         (assertValueOneOf "KeepConfiguration" (boolValues ++ ["static" "dhcp-on-stop" "dhcp"]))
       ];
 
-      sectionAddress = checkUnitConfig "Address" [
+      sectionAddress = checkUnitConfigWithLegacyKey "addressConfig" "Address" [
         (assertOnlyFields [
           "Address"
           "Peer"
@@ -737,7 +737,7 @@ let
         (assertValueOneOf "AutoJoin" boolValues)
       ];
 
-      sectionRoutingPolicyRule = checkUnitConfig "RoutingPolicyRule" [
+      sectionRoutingPolicyRule = checkUnitConfigWithLegacyKey "routingPolicyRuleConfig" "RoutingPolicyRule" [
         (assertOnlyFields [
           "TypeOfService"
           "From"
@@ -772,7 +772,7 @@ let
         (assertRange "SuppressInterfaceGroup" 0 2147483647)
       ];
 
-      sectionRoute = checkUnitConfig "Route" [
+      sectionRoute = checkUnitConfigWithLegacyKey "routeConfig" "Route" [
         (assertOnlyFields [
           "Gateway"
           "GatewayOnLink"
@@ -1033,7 +1033,7 @@ let
         (assertValueOneOf "EmitDomains" boolValues)
       ];
 
-      sectionIPv6Prefix = checkUnitConfig "IPv6Prefix" [
+      sectionIPv6Prefix = checkUnitConfigWithLegacyKey "ipv6PrefixConfig" "IPv6Prefix" [
         (assertOnlyFields [
           "AddressAutoconfiguration"
           "OnLink"
@@ -1048,7 +1048,7 @@ let
         (assertValueOneOf "Assign" boolValues)
       ];
 
-      sectionIPv6RoutePrefix = checkUnitConfig "IPv6RoutePrefix" [
+      sectionIPv6RoutePrefix = checkUnitConfigWithLegacyKey "ipv6RoutePrefixConfig" "IPv6RoutePrefix" [
         (assertOnlyFields [
           "Route"
           "LifetimeSec"
@@ -1057,7 +1057,7 @@ let
         (assertInt "LifetimeSec")
       ];
 
-      sectionDHCPServerStaticLease = checkUnitConfig "DHCPServerStaticLease" [
+      sectionDHCPServerStaticLease = checkUnitConfigWithLegacyKey "dhcpServerStaticLeaseConfig" "DHCPServerStaticLease" [
         (assertOnlyFields [
           "MACAddress"
           "Address"
@@ -1104,7 +1104,7 @@ let
         (assertRange "Priority" 0 63)
       ];
 
-      sectionBridgeFDB = checkUnitConfig "BridgeFDB" [
+      sectionBridgeFDB = checkUnitConfigWithLegacyKey "bridgeFDBConfig" "BridgeFDB" [
         (assertOnlyFields [
           "MACAddress"
           "Destination"
@@ -1121,7 +1121,7 @@ let
         (assertValueOneOf "AssociatedWith" [ "use" "self" "master" "router" ])
       ];
 
-      sectionBridgeMDB = checkUnitConfig "BridgeMDB" [
+      sectionBridgeMDB = checkUnitConfigWithLegacyKey "bridgeMDBConfig" "BridgeMDB" [
         (assertOnlyFields [
           "MulticastGroupAddress"
           "VLANId"
@@ -1524,7 +1524,7 @@ let
         (assertRange "Weight" 1 1023)
       ];
 
-      sectionBridgeVLAN = checkUnitConfig "BridgeVLAN" [
+      sectionBridgeVLAN = checkUnitConfigWithLegacyKey "bridgeVLANConfig" "BridgeVLAN" [
         (assertOnlyFields [
           "VLAN"
           "EgressUntagged"
@@ -1627,34 +1627,21 @@ let
 
   };
 
-
-  l2tpSessionOptions = {
-    options = {
-      l2tpSessionConfig = mkOption {
-        default = {};
-        type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionL2TPSession;
-        description = ''
-          Each attribute in this set specifies an option in the
-          `[L2TPSession]` section of the unit.  See
-          {manpage}`systemd.netdev(5)` for details.
-        '';
-      };
-    };
-  };
-
-  wireguardPeerOptions = {
-    options = {
-      wireguardPeerConfig = mkOption {
-        default = {};
-        type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionWireGuardPeer;
-        description = ''
-          Each attribute in this set specifies an option in the
-          `[WireGuardPeer]` section of the unit.  See
-          {manpage}`systemd.netdev(5)` for details.
-        '';
-      };
+  mkSubsectionType = oldKey: checkF:
+    let
+      type = types.addCheck (types.attrsOf unitOption) checkF;
+    in type // {
+      merge = loc: defs:
+        let
+          final = type.merge loc defs;
+        in
+        if final?${oldKey}
+          then warn
+            "Using '${oldKey}' is deprecated! Move all attributes inside one level up and remove it."
+            final.${oldKey}
+        else
+          final;
     };
-  };
 
   netdevOptions = commonNetworkOptions // {
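Review bot: The `merge` override in `mkSubsectionType` returns only `final.${oldKey}` when the legacy key is present, so a half-migrated definition such as `{ routeConfig = { Gateway = "…"; }; Metric = 10; }` silently loses `Metric` with nothing but the deprecation warning. Returning `removeAttrs final [ oldKey ] // final.${oldKey}`, or failing outright when both forms are mixed, would make the transition safe; this one merge backs every `mkSubsectionType` call site below, so the fix covers them all. `warn` is presumably `lib.warn` brought into scope outside the hunk; worth confirming it is not shadowed.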
 
@@ -1805,12 +1792,12 @@ let
 
     l2tpSessions = mkOption {
       default = [];
-      example = [ { l2tpSessionConfig={
+      example = [ {
         SessionId = 25;
         PeerSessionId = 26;
         Name = "l2tp-sess";
-      };}];
-      type = with types; listOf (submodule l2tpSessionOptions);
+      }];
+      type = types.listOf (mkSubsectionType "l2tpSessionConfig" check.netdev.sectionL2TPSession);
       description = ''
         Each item in this array specifies an option in the
         `[L2TPSession]` section of the unit. See
@@ -1838,14 +1825,14 @@ let
 
     wireguardPeers = mkOption {
       default = [];
-      example = [ { wireguardPeerConfig={
+      example = [ {
         Endpoint = "192.168.1.1:51820";
         PublicKey = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
         PresharedKeyFile = "/etc/wireguard/psk.key";
         AllowedIPs = [ "10.0.0.1/32" ];
         PersistentKeepalive = 15;
-      };}];
-      type = with types; listOf (submodule wireguardPeerOptions);
+      } ];
+      type = types.listOf (mkSubsectionType "wireguardPeerConfig" check.netdev.sectionWireGuardPeer);
       description = ''
         Each item in this array specifies an option in the
         `[WireGuardPeer]` section of the unit. See
@@ -1917,143 +1904,6 @@ let
 
   };
 
-  addressOptions = {
-    options = {
-      addressConfig = mkOption {
-        example = { Address = "192.168.0.100/24"; };
-        type = types.addCheck (types.attrsOf unitOption) check.network.sectionAddress;
-        description = ''
-          Each attribute in this set specifies an option in the
-          `[Address]` section of the unit.  See
-          {manpage}`systemd.network(5)` for details.
-        '';
-      };
-    };
-  };
-
-  routingPolicyRulesOptions = {
-    options = {
-      routingPolicyRuleConfig = mkOption {
-        default = { };
-        example = { Table = 10; IncomingInterface = "eth1"; Family = "both"; };
-        type = types.addCheck (types.attrsOf unitOption) check.network.sectionRoutingPolicyRule;
-        description = ''
-          Each attribute in this set specifies an option in the
-          `[RoutingPolicyRule]` section of the unit.  See
-          {manpage}`systemd.network(5)` for details.
-        '';
-      };
-    };
-  };
-
-  routeOptions = {
-    options = {
-      routeConfig = mkOption {
-        default = {};
-        example = { Gateway = "192.168.0.1"; };
-        type = types.addCheck (types.attrsOf unitOption) check.network.sectionRoute;
-        description = ''
-          Each attribute in this set specifies an option in the
-          `[Route]` section of the unit.  See
-          {manpage}`systemd.network(5)` for details.
-        '';
-      };
-    };
-  };
-
-  ipv6PrefixOptions = {
-    options = {
-      ipv6PrefixConfig = mkOption {
-        default = {};
-        example = { Prefix = "fd00::/64"; };
-        type = types.addCheck (types.attrsOf unitOption) check.network.sectionIPv6Prefix;
-        description = ''
-          Each attribute in this set specifies an option in the
-          `[IPv6Prefix]` section of the unit.  See
-          {manpage}`systemd.network(5)` for details.
-        '';
-      };
-    };
-  };
-
-  ipv6RoutePrefixOptions = {
-    options = {
-      ipv6RoutePrefixConfig = mkOption {
-        default = {};
-        example = { Route = "fd00::/64"; };
-        type = types.addCheck (types.attrsOf unitOption) check.network.sectionIPv6RoutePrefix;
-        description = ''
-          Each attribute in this set specifies an option in the
-          `[IPv6RoutePrefix]` section of the unit.  See
-          {manpage}`systemd.network(5)` for details.
-        '';
-      };
-    };
-  };
-
-  dhcpServerStaticLeaseOptions = {
-    options = {
-      dhcpServerStaticLeaseConfig = mkOption {
-        default = {};
-        example = { MACAddress = "65:43:4a:5b:d8:5f"; Address = "192.168.1.42"; };
-        type = types.addCheck (types.attrsOf unitOption) check.network.sectionDHCPServerStaticLease;
-        description = ''
-          Each attribute in this set specifies an option in the
-          `[DHCPServerStaticLease]` section of the unit.  See
-          {manpage}`systemd.network(5)` for details.
-
-          Make sure to configure the corresponding client interface to use
-          `ClientIdentifier=mac`.
-        '';
-      };
-    };
-  };
-
-  bridgeFDBOptions = {
-    options = {
-      bridgeFDBConfig = mkOption {
-        default = {};
-        example = { MACAddress = "65:43:4a:5b:d8:5f"; Destination = "192.168.1.42"; VNI = 20; };
-        type = types.addCheck (types.attrsOf unitOption) check.network.sectionBridgeFDB;
-        description = ''
-          Each attribute in this set specifies an option in the
-          `[BridgeFDB]` section of the unit.  See
-          {manpage}`systemd.network(5)` for details.
-        '';
-      };
-    };
-  };
-
-  bridgeMDBOptions = {
-    options = {
-      bridgeMDBConfig = mkOption {
-        default = {};
-        example = { MulticastGroupAddress = "ff02::1:2:3:4"; VLANId = 10; };
-        type = types.addCheck (types.attrsOf unitOption) check.network.sectionBridgeMDB;
-        description = ''
-          Each attribute in this set specifies an option in the
-          `[BridgeMDB]` section of the unit.  See
-          {manpage}`systemd.network(5)` for details.
-        '';
-      };
-    };
-  };
-
-  bridgeVLANOptions = {
-    options = {
-      bridgeVLANConfig = mkOption {
-        default = {};
-        example = { VLAN = 20; };
-        type = types.addCheck (types.attrsOf unitOption) check.network.sectionBridgeVLAN;
-        description = ''
-          Each attribute in this set specifies an option in the
-          `[BridgeVLAN]` section of the unit.  See
-          {manpage}`systemd.network(5)` for details.
-        '';
-      };
-    };
-  };
-
   networkOptions = commonNetworkOptions // {
 
     linkConfig = mkOption {
@@ -2165,8 +2015,8 @@ let
 
     dhcpServerStaticLeases = mkOption {
       default = [];
-      example = [ { dhcpServerStaticLeaseConfig = { MACAddress = "65:43:4a:5b:d8:5f"; Address = "192.168.1.42"; }; } ];
-      type = with types; listOf (submodule dhcpServerStaticLeaseOptions);
+      example = [ { MACAddress = "65:43:4a:5b:d8:5f"; Address = "192.168.1.42"; } ];
+      type = types.listOf (mkSubsectionType "dhcpServerStaticLeaseConfig" check.network.sectionDHCPServerStaticLease);
       description = ''
         A list of DHCPServerStaticLease sections to be added to the unit.  See
         {manpage}`systemd.network(5)` for details.
@@ -2175,8 +2025,8 @@ let
 
     ipv6Prefixes = mkOption {
       default = [];
-      example = [ { ipv6PrefixConfig = { AddressAutoconfiguration = true; OnLink = true; }; } ];
-      type = with types; listOf (submodule ipv6PrefixOptions);
+      example = [ { AddressAutoconfiguration = true; OnLink = true; } ];
+      type = types.listOf (mkSubsectionType "ipv6PrefixConfig" check.network.sectionIPv6Prefix);
       description = ''
         A list of ipv6Prefix sections to be added to the unit.  See
         {manpage}`systemd.network(5)` for details.
@@ -2185,8 +2035,8 @@ let
 
     ipv6RoutePrefixes = mkOption {
       default = [];
-      example = [ { ipv6RoutePrefixConfig = { Route = "fd00::/64"; LifetimeSec = 3600; }; } ];
-      type = with types; listOf (submodule ipv6RoutePrefixOptions);
+      example = [ { Route = "fd00::/64"; LifetimeSec = 3600; } ];
+      type = types.listOf (mkSubsectionType "ipv6RoutePrefixConfig" check.network.sectionIPv6RoutePrefix);
       description = ''
         A list of ipv6RoutePrefix sections to be added to the unit.  See
         {manpage}`systemd.network(5)` for details.
@@ -2206,8 +2056,8 @@ let
 
     bridgeFDBs = mkOption {
       default = [];
-      example = [ { bridgeFDBConfig = { MACAddress = "90:e2:ba:43:fc:71"; Destination = "192.168.100.4"; VNI = 3600; }; } ];
-      type = with types; listOf (submodule bridgeFDBOptions);
+      example = [ { MACAddress = "90:e2:ba:43:fc:71"; Destination = "192.168.100.4"; VNI = 3600; } ];
+      type = types.listOf (mkSubsectionType "bridgeFDBConfig" check.network.sectionBridgeFDB);
       description = ''
         A list of BridgeFDB sections to be added to the unit.  See
         {manpage}`systemd.network(5)` for details.
@@ -2216,8 +2066,8 @@ let
 
     bridgeMDBs = mkOption {
       default = [];
-      example = [ { bridgeMDBConfig = { MulticastGroupAddress = "ff02::1:2:3:4"; VLANId = 10; } ; } ];
-      type = with types; listOf (submodule bridgeMDBOptions);
+      example = [ { MulticastGroupAddress = "ff02::1:2:3:4"; VLANId = 10; } ];
+      type = types.listOf (mkSubsectionType "bridgeMDBConfig" check.network.sectionBridgeMDB);
       description = ''
         A list of BridgeMDB sections to be added to the unit.  See
         {manpage}`systemd.network(5)` for details.
@@ -2534,8 +2384,8 @@ let
 
     bridgeVLANs = mkOption {
       default = [];
-      example = [ { bridgeVLANConfig = { VLAN = "10-20"; }; } ];
-      type = with types; listOf (submodule bridgeVLANOptions);
+      example = [ { VLAN = "10-20"; } ];
+      type = types.listOf (mkSubsectionType "bridgeVLANConfig" check.network.sectionBridgeVLAN);
       description = ''
         A list of BridgeVLAN sections to be added to the unit.  See
         {manpage}`systemd.network(5)` for details.
@@ -2685,7 +2535,8 @@ let
 
     addresses = mkOption {
       default = [ ];
-      type = with types; listOf (submodule addressOptions);
+      example = [ { Address = "192.168.0.100/24"; } ];
+      type = types.listOf (mkSubsectionType "addressConfig" check.network.sectionAddress);
       description = ''
         A list of address sections to be added to the unit.  See
         {manpage}`systemd.network(5)` for details.
@@ -2694,7 +2545,8 @@ let
 
     routingPolicyRules = mkOption {
       default = [ ];
-      type = with types; listOf (submodule routingPolicyRulesOptions);
+      example = [ { Table = 10; IncomingInterface = "eth1"; Family = "both"; } ];
+      type = types.listOf (mkSubsectionType "routingPolicyRuleConfig" check.network.sectionRoutingPolicyRule);
       description = ''
         A list of routing policy rules sections to be added to the unit.  See
         {manpage}`systemd.network(5)` for details.
@@ -2703,7 +2555,8 @@ let
 
     routes = mkOption {
       default = [ ];
-      type = with types; listOf (submodule routeOptions);
+      example = [ { Gateway = "192.168.0.1"; } ];
+      type = types.listOf (mkSubsectionType "routeConfig" check.network.sectionRoute);
       description = ''
         A list of route sections to be added to the unit.  See
         {manpage}`systemd.network(5)` for details.
diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix
index 64a15179438fe..b658a7a2dc05e 100644
--- a/nixos/modules/system/boot/resolved.nix
+++ b/nixos/modules/system/boot/resolved.nix
@@ -7,6 +7,20 @@ let
   dnsmasqResolve = config.services.dnsmasq.enable &&
                    config.services.dnsmasq.resolveLocalQueries;
 
+  resolvedConf = ''
+    [Resolve]
+    ${optionalString (config.networking.nameservers != [])
+      "DNS=${concatStringsSep " " config.networking.nameservers}"}
+    ${optionalString (cfg.fallbackDns != null)
+      "FallbackDNS=${concatStringsSep " " cfg.fallbackDns}"}
+    ${optionalString (cfg.domains != [])
+      "Domains=${concatStringsSep " " cfg.domains}"}
+    LLMNR=${cfg.llmnr}
+    DNSSEC=${cfg.dnssec}
+    DNSOverTLS=${cfg.dnsovertls}
+    ${config.services.resolved.extraConfig}
+  '';
+
 in
 {
 
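Review bot: `resolvedConf` mixes the short form `cfg.fallbackDns`, `cfg.domains`, `cfg.llmnr` with the long form `config.services.resolved.extraConfig` on its last interpolation; assuming `cfg` is `config.services.resolved` as the surrounding uses suggest, `${cfg.extraConfig}` reads consistently with the rest of the string. Since this binding is now consumed both by the stage-2 `environment.etc."systemd/resolved.conf"` entry and by the stage-1 `boot.initrd.systemd.contents."/etc/systemd/resolved.conf"` entry further down the file, a one-line comment above it would spare the next reader a search: `# Rendered resolved.conf, shared by stage 1 (initrd) and stage 2.`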
@@ -126,60 +140,87 @@ in
       '';
     };
 
-  };
-
-  config = mkIf cfg.enable {
-
-    assertions = [
-      { assertion = !config.networking.useHostResolvConf;
-        message = "Using host resolv.conf is not supported with systemd-resolved";
-      }
-    ];
-
-    users.users.systemd-resolve.group = "systemd-resolve";
-
-    # add resolve to nss hosts database if enabled and nscd enabled
-    # system.nssModules is configured in nixos/modules/system/boot/systemd.nix
-    # added with order 501 to allow modules to go before with mkBefore
-    system.nssDatabases.hosts = (mkOrder 501 ["resolve [!UNAVAIL=return]"]);
-
-    systemd.additionalUpstreamSystemUnits = [
-      "systemd-resolved.service"
-    ];
-
-    systemd.services.systemd-resolved = {
-      wantedBy = [ "multi-user.target" ];
-      aliases = [ "dbus-org.freedesktop.resolve1.service" ];
-      restartTriggers = [ config.environment.etc."systemd/resolved.conf".source ];
-    };
-
-    environment.etc = {
-      "systemd/resolved.conf".text = ''
-        [Resolve]
-        ${optionalString (config.networking.nameservers != [])
-          "DNS=${concatStringsSep " " config.networking.nameservers}"}
-        ${optionalString (cfg.fallbackDns != null)
-          "FallbackDNS=${concatStringsSep " " cfg.fallbackDns}"}
-        ${optionalString (cfg.domains != [])
-          "Domains=${concatStringsSep " " cfg.domains}"}
-        LLMNR=${cfg.llmnr}
-        DNSSEC=${cfg.dnssec}
-        DNSOverTLS=${cfg.dnsovertls}
-        ${config.services.resolved.extraConfig}
+    boot.initrd.services.resolved.enable = mkOption {
+      default = config.boot.initrd.systemd.network.enable;
+      defaultText = "config.boot.initrd.systemd.network.enable";
+      description = ''
+        Whether to enable resolved for stage 1 networking.
+        Uses the toplevel 'services.resolved' options for 'resolved.conf'
       '';
-
-      # symlink the dynamic stub resolver of resolv.conf as recommended by upstream:
-      # https://www.freedesktop.org/software/systemd/man/systemd-resolved.html#/etc/resolv.conf
-      "resolv.conf".source = "/run/systemd/resolve/stub-resolv.conf";
-    } // optionalAttrs dnsmasqResolve {
-      "dnsmasq-resolv.conf".source = "/run/systemd/resolve/resolv.conf";
     };
 
-    # If networkmanager is enabled, ask it to interface with resolved.
-    networking.networkmanager.dns = "systemd-resolved";
-
-    networking.resolvconf.package = pkgs.systemd;
-
   };
 
+  config = mkMerge [
+    (mkIf cfg.enable {
+
+      assertions = [
+        { assertion = !config.networking.useHostResolvConf;
+          message = "Using host resolv.conf is not supported with systemd-resolved";
+        }
+      ];
+
+      users.users.systemd-resolve.group = "systemd-resolve";
+
+      # add resolve to nss hosts database if enabled and nscd enabled
+      # system.nssModules is configured in nixos/modules/system/boot/systemd.nix
+      # added with order 501 to allow modules to go before with mkBefore
+      system.nssDatabases.hosts = (mkOrder 501 ["resolve [!UNAVAIL=return]"]);
+
+      systemd.additionalUpstreamSystemUnits = [
+        "systemd-resolved.service"
+      ];
+
+      systemd.services.systemd-resolved = {
+        wantedBy = [ "sysinit.target" ];
+        aliases = [ "dbus-org.freedesktop.resolve1.service" ];
+        restartTriggers = [ config.environment.etc."systemd/resolved.conf".source ];
+      };
+
+      environment.etc = {
+        "systemd/resolved.conf".text = resolvedConf;
+
+        # symlink the dynamic stub resolver of resolv.conf as recommended by upstream:
+        # https://www.freedesktop.org/software/systemd/man/systemd-resolved.html#/etc/resolv.conf
+        "resolv.conf".source = "/run/systemd/resolve/stub-resolv.conf";
+      } // optionalAttrs dnsmasqResolve {
+        "dnsmasq-resolv.conf".source = "/run/systemd/resolve/resolv.conf";
+      };
+
+      # If networkmanager is enabled, ask it to interface with resolved.
+      networking.networkmanager.dns = "systemd-resolved";
+
+      networking.resolvconf.package = pkgs.systemd;
+
+    })
+
+    (mkIf config.boot.initrd.services.resolved.enable {
+
+      assertions = [
+        {
+          assertion = config.boot.initrd.systemd.enable;
+          message = "'boot.initrd.services.resolved.enable' can only be enabled with systemd stage 1.";
+        }
+      ];
+
+      boot.initrd.systemd = {
+        contents = {
+          "/etc/tmpfiles.d/resolv.conf".text =
+            "L /etc/resolv.conf - - - - /run/systemd/resolve/stub-resolv.conf";
+          "/etc/systemd/resolved.conf".text = resolvedConf;
+        };
+
+        additionalUpstreamUnits = ["systemd-resolved.service"];
+        users.systemd-resolve = {};
+        groups.systemd-resolve = {};
+        storePaths = ["${config.boot.initrd.systemd.package}/lib/systemd/systemd-resolved"];
+        services.systemd-resolved = {
+          wantedBy = ["sysinit.target"];
+          aliases = [ "dbus-org.freedesktop.resolve1.service" ];
+        };
+      };
+
+    })
+  ];
+
 }
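Review bot: The stage-1 branch introduced by `mkIf config.boot.initrd.services.resolved.enable` is independent of `cfg.enable`, and the new option's default tracks `boot.initrd.systemd.network.enable`, so a system that runs networkd in the initrd but does not use resolved in stage 2 still ships an initrd `resolved.conf` built from `services.resolved.fallbackDns`, `llmnr`, `dnssec`, `dnsovertls` and `extraConfig` values the user never set or reviewed. If that coupling is intended, the option description should state it plainly; I would replace its two lines with `Whether to run systemd-resolved in stage 1 (initrd). The generated resolved.conf reuses the services.resolved.* settings even when services.resolved.enable is false.` and end it with a period. It may also be worth asserting `config.boot.initrd.systemd.network.enable` next to the existing stage-1 systemd assertion, since a stage-1 resolver without stage-1 networking has nothing to resolve — hedged, as I cannot see from here whether the initrd network module already implies it.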
diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh
index 59cf1a47fb7f9..23e9df2189e78 100644
--- a/nixos/modules/system/boot/stage-1-init.sh
+++ b/nixos/modules/system/boot/stage-1-init.sh
@@ -576,6 +576,7 @@ while read -u 3 mountPoint; do
       mount -t "$fsType" /dev/root /tmp-iso
       mountFS tmpfs /iso size="$fsSize" tmpfs
 
+      echo "copying ISO contents to RAM..."
       cp -r /tmp-iso/* /mnt-root/iso/
 
       umount /tmp-iso
diff --git a/nixos/modules/system/boot/systemd/sysusers.nix b/nixos/modules/system/boot/systemd/sysusers.nix
index de70009705973..476251e140456 100644
--- a/nixos/modules/system/boot/systemd/sysusers.nix
+++ b/nixos/modules/system/boot/systemd/sysusers.nix
@@ -12,7 +12,7 @@ let
     ${lib.concatLines (lib.mapAttrsToList
       (username: opts:
         let
-          uid = if opts.uid == null then "-" else toString opts.uid;
+          uid = if opts.uid == null then "/var/lib/nixos/uid/${username}" else toString opts.uid;
         in
           ''u ${username} ${uid}:${opts.group} "${opts.description}" ${opts.home} ${utils.toShellPath opts.shell}''
       )
@@ -21,7 +21,7 @@ let
 
     # Groups
     ${lib.concatLines (lib.mapAttrsToList
-      (groupname: opts: ''g ${groupname} ${if opts.gid == null then "-" else toString opts.gid}'') userCfg.groups)
+      (groupname: opts: ''g ${groupname} ${if opts.gid == null then "/var/lib/nixos/gid/${groupname}" else toString opts.gid}'') userCfg.groups)
     }
 
     # Group membership
@@ -106,6 +106,23 @@ in
             };
           })
           (lib.filterAttrs (_username: opts: opts.home != "/var/empty") userCfg.users);
+
+        # Create uid/gid marker files for those without an explicit id
+        tmpfiles.settings.nixos-uid = lib.mapAttrs'
+          (username: opts: lib.nameValuePair "/var/lib/nixos/uid/${username}" {
+            f = {
+              user = username;
+            };
+          })
+          (lib.filterAttrs (_username: opts: opts.uid == null) userCfg.users);
+
+        tmpfiles.settings.nixos-gid = lib.mapAttrs'
+          (groupname: opts: lib.nameValuePair "/var/lib/nixos/gid/${groupname}" {
+            f = {
+              group = groupname;
+            };
+          })
+          (lib.filterAttrs (_groupname: opts: opts.gid == null) userCfg.groups);
       })
 
       (lib.mkIf config.users.mutableUsers {
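Review bot: The two `f` entries added here create `/var/lib/nixos/uid/<name>` and `/var/lib/nixos/gid/<name>`, but nothing in the hunk declares the parent directories `/var/lib/nixos/uid` and `/var/lib/nixos/gid`, so their owner and mode depend on whatever creates them implicitly (presumably tmpfiles' parent creation). Because the `u` and `g` lines in the first two hunks of this file now take the UID/GID from the marker file's owner and group, the integrity of those directories is what prevents an unprivileged account from swapping a marker and steering the ID sysusers assigns on the next boot; pinning them with explicit `d` entries, e.g. `"/var/lib/nixos/uid".d = { mode = "0755"; user = "root"; group = "root"; };` merged into `nixos-uid` and the same for `gid`, makes that guarantee visible rather than incidental. The comment above the entries could also spell out the first-boot ordering: the marker does not yet exist when sysusers first parses the `u`/`g` line, so the scheme relies on sysusers falling back to automatic allocation for a missing path (as I read sysusers.d(5); worth confirming against the systemd version in use) and on tmpfiles then recording that ID by creating the file owned by the new user or group.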
diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix
index 2009c9a7e6e28..c1241d11de879 100644
--- a/nixos/modules/tasks/network-interfaces-systemd.nix
+++ b/nixos/modules/tasks/network-interfaces-systemd.nix
@@ -32,13 +32,13 @@ let
     optionalAttrs (gateway != null && gateway.interface != null) {
       networks."40-${gateway.interface}" = {
         matchConfig.Name = gateway.interface;
-        routes = [{
-          routeConfig = {
+        routes = [
+          ({
             Gateway = gateway.address;
           } // optionalAttrs (gateway.metric != null) {
             Metric = gateway.metric;
-          };
-        }];
+          })
+        ];
       };
     }
   ));
@@ -95,65 +95,64 @@ let
       address = forEach (interfaceIps i)
         (ip: "${ip.address}/${toString ip.prefixLength}");
       routes = forEach (interfaceRoutes i)
-        (route: {
+        (route: mkMerge [
           # Most of these route options have not been tested.
           # Please fix or report any mistakes you may find.
-          routeConfig =
-            optionalAttrs (route.address != null && route.prefixLength != null) {
-              Destination = "${route.address}/${toString route.prefixLength}";
-            } //
-            optionalAttrs (route.options ? fastopen_no_cookie) {
-              FastOpenNoCookie = route.options.fastopen_no_cookie;
-            } //
-            optionalAttrs (route.via != null) {
-              Gateway = route.via;
-            } //
-            optionalAttrs (route.type != null) {
-              Type = route.type;
-            } //
-            optionalAttrs (route.options ? onlink) {
-              GatewayOnLink = true;
-            } //
-            optionalAttrs (route.options ? initrwnd) {
-              InitialAdvertisedReceiveWindow = route.options.initrwnd;
-            } //
-            optionalAttrs (route.options ? initcwnd) {
-              InitialCongestionWindow = route.options.initcwnd;
-            } //
-            optionalAttrs (route.options ? pref) {
-              IPv6Preference = route.options.pref;
-            } //
-            optionalAttrs (route.options ? mtu) {
-              MTUBytes = route.options.mtu;
-            } //
-            optionalAttrs (route.options ? metric) {
-              Metric = route.options.metric;
-            } //
-            optionalAttrs (route.options ? src) {
-              PreferredSource = route.options.src;
-            } //
-            optionalAttrs (route.options ? protocol) {
-              Protocol = route.options.protocol;
-            } //
-            optionalAttrs (route.options ? quickack) {
-              QuickAck = route.options.quickack;
-            } //
-            optionalAttrs (route.options ? scope) {
-              Scope = route.options.scope;
-            } //
-            optionalAttrs (route.options ? from) {
-              Source = route.options.from;
-            } //
-            optionalAttrs (route.options ? table) {
-              Table = route.options.table;
-            } //
-            optionalAttrs (route.options ? advmss) {
-              TCPAdvertisedMaximumSegmentSize = route.options.advmss;
-            } //
-            optionalAttrs (route.options ? ttl-propagate) {
-              TTLPropagate = route.options.ttl-propagate == "enabled";
-            };
-        });
+          (mkIf (route.address != null && route.prefixLength != null) {
+            Destination = "${route.address}/${toString route.prefixLength}";
+          })
+          (mkIf (route.options ? fastopen_no_cookie) {
+            FastOpenNoCookie = route.options.fastopen_no_cookie;
+          })
+          (mkIf (route.via != null) {
+            Gateway = route.via;
+          })
+          (mkIf (route.type != null) {
+            Type = route.type;
+          })
+          (mkIf (route.options ? onlink) {
+            GatewayOnLink = true;
+          })
+          (mkIf (route.options ? initrwnd) {
+            InitialAdvertisedReceiveWindow = route.options.initrwnd;
+          })
+          (mkIf (route.options ? initcwnd) {
+            InitialCongestionWindow = route.options.initcwnd;
+          })
+          (mkIf (route.options ? pref) {
+            IPv6Preference = route.options.pref;
+          })
+          (mkIf (route.options ? mtu) {
+            MTUBytes = route.options.mtu;
+          })
+          (mkIf (route.options ? metric) {
+            Metric = route.options.metric;
+          })
+          (mkIf (route.options ? src) {
+            PreferredSource = route.options.src;
+          })
+          (mkIf (route.options ? protocol) {
+            Protocol = route.options.protocol;
+          })
+          (mkIf (route.options ? quickack) {
+            QuickAck = route.options.quickack;
+          })
+          (mkIf (route.options ? scope) {
+            Scope = route.options.scope;
+          })
+          (mkIf (route.options ? from) {
+            Source = route.options.from;
+          })
+          (mkIf (route.options ? table) {
+            Table = route.options.table;
+          })
+          (mkIf (route.options ? advmss) {
+            TCPAdvertisedMaximumSegmentSize = route.options.advmss;
+          })
+          (mkIf (route.options ? ttl-propagate) {
+            TTLPropagate = route.options.ttl-propagate == "enabled";
+          })
+        ]);
       networkConfig.IPv6PrivacyExtensions = "kernel";
       linkConfig = optionalAttrs (i.macAddress != null) {
         MACAddress = i.macAddress;
diff --git a/nixos/modules/virtualisation/virtualbox-guest.nix b/nixos/modules/virtualisation/virtualbox-guest.nix
index 649ff3abb9ae9..aadd04f28d484 100644
--- a/nixos/modules/virtualisation/virtualbox-guest.nix
+++ b/nixos/modules/virtualisation/virtualbox-guest.nix
@@ -52,7 +52,7 @@ in
       description = "Whether to enable seamless mode. When activated windows from the guest appear next to the windows of the host.";
     };
 
-    draganddrop = mkOption {
+    dragAndDrop = mkOption {
       default = true;
       type = types.bool;
       description = "Whether to enable drag and drop support.";
@@ -111,5 +111,10 @@ in
         systemd.user.services.virtualboxClientSeamless = mkVirtualBoxUserService "--seamless";
       }
     )
+    (
+      mkIf cfg.dragAndDrop {
+        systemd.user.services.virtualboxClientDragAndDrop = mkVirtualBoxUserService "--draganddrop";
+      }
+    )
   ]);
 }
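Review bot: The new user service is gated on `cfg.dragAndDrop`, but the option was spelled `draganddrop` until the first hunk of this file renamed it, and nothing visible here keeps the old name as an alias; unless a rename module exists outside these hunks, configurations that set the old option (presumably under `virtualisation.virtualbox.guest`) will fail evaluation with an undefined-option error. If no alias exists, add `(lib.mkRenamedOptionModule [ "virtualisation" "virtualbox" "guest" "draganddrop" ] [ "virtualisation" "virtualbox" "guest" "dragAndDrop" ])` to the module's `imports` and mention the rename in the release notes. It would also help to note in the option description that, with `default = true`, every guest now starts a `--draganddrop` client by default, since that is the user-visible effect of wiring the option to a service.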
diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix
index 19223d46f6b9e..10834da35207e 100644
--- a/nixos/release-combined.nix
+++ b/nixos/release-combined.nix
@@ -50,7 +50,7 @@ in rec {
         (onFullSupported "nixos.dummy")
         (onAllSupported "nixos.iso_minimal")
         (onSystems ["x86_64-linux" "aarch64-linux"] "nixos.amazonImage")
-        (onFullSupported "nixos.iso_plasma5")
+        (onFullSupported "nixos.iso_plasma6")
         (onFullSupported "nixos.iso_gnome")
         (onFullSupported "nixos.manual")
         (onSystems ["x86_64-linux"] "nixos.ova")
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 10daa1bbf6d26..98ba04119ea51 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -312,6 +312,7 @@ in {
   fenics = handleTest ./fenics.nix {};
   ferm = handleTest ./ferm.nix {};
   ferretdb = handleTest ./ferretdb.nix {};
+  filesender = handleTest ./filesender.nix {};
   filesystems-overlayfs = runTest ./filesystems-overlayfs.nix;
   firefly-iii = handleTest ./firefly-iii.nix {};
   firefox = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox; };
@@ -615,6 +616,7 @@ in {
   # TODO: put in networking.nix after the test becomes more complete
   networkingProxy = handleTest ./networking-proxy.nix {};
   nextcloud = handleTest ./nextcloud {};
+  nextjs-ollama-llm-ui = runTest ./web-apps/nextjs-ollama-llm-ui.nix;
   nexus = handleTest ./nexus.nix {};
   # TODO: Test nfsv3 + Kerberos
   nfs3 = handleTest ./nfs { version = 3; };
@@ -781,7 +783,7 @@ in {
   qgis = handleTest ./qgis.nix { qgisPackage = pkgs.qgis; };
   qgis-ltr = handleTest ./qgis.nix { qgisPackage = pkgs.qgis-ltr; };
   qownnotes = handleTest ./qownnotes.nix {};
-  qtile = handleTest ./qtile.nix {};
+  qtile = handleTestOn ["x86_64-linux" "aarch64-linux"] ./qtile.nix {};
   quake3 = handleTest ./quake3.nix {};
   quicktun = handleTest ./quicktun.nix {};
   quorum = handleTest ./quorum.nix {};
@@ -798,6 +800,7 @@ in {
   restic-rest-server = handleTest ./restic-rest-server.nix {};
   restic = handleTest ./restic.nix {};
   retroarch = handleTest ./retroarch.nix {};
+  rke2 = handleTestOn ["aarch64-linux" "x86_64-linux"] ./rke2 {};
   rkvm = handleTest ./rkvm {};
   robustirc-bridge = handleTest ./robustirc-bridge.nix {};
   roundcube = handleTest ./roundcube.nix {};
@@ -929,6 +932,7 @@ in {
   systemd-oomd = handleTest ./systemd-oomd.nix {};
   systemd-portabled = handleTest ./systemd-portabled.nix {};
   systemd-repart = handleTest ./systemd-repart.nix {};
+  systemd-resolved = handleTest ./systemd-resolved.nix {};
   systemd-shutdown = handleTest ./systemd-shutdown.nix {};
   systemd-sysupdate = runTest ./systemd-sysupdate.nix;
   systemd-sysusers-mutable = runTest ./systemd-sysusers-mutable.nix;
@@ -1007,7 +1011,7 @@ in {
   vault-dev = handleTest ./vault-dev.nix {};
   vault-postgresql = handleTest ./vault-postgresql.nix {};
   vaultwarden = handleTest ./vaultwarden.nix {};
-  vector = handleTest ./vector.nix {};
+  vector = handleTest ./vector {};
   vengi-tools = handleTest ./vengi-tools.nix {};
   victoriametrics = handleTest ./victoriametrics.nix {};
   vikunja = handleTest ./vikunja.nix {};
diff --git a/nixos/tests/ayatana-indicators.nix b/nixos/tests/ayatana-indicators.nix
index 5709ad2a1af69..ccb1e059a6973 100644
--- a/nixos/tests/ayatana-indicators.nix
+++ b/nixos/tests/ayatana-indicators.nix
@@ -28,11 +28,14 @@ in {
       enable = true;
       packages = with pkgs; [
         ayatana-indicator-datetime
+        ayatana-indicator-display
         ayatana-indicator-messages
+        ayatana-indicator-power
         ayatana-indicator-session
+        ayatana-indicator-sound
       ] ++ (with pkgs.lomiri; [
         lomiri-indicator-network
-        telephony-service
+        # telephony-service # currently broken: https://github.com/NixOS/nixpkgs/pull/314043
       ]);
     };
 
@@ -40,6 +43,8 @@ in {
 
     services.accounts-daemon.enable = true; # messages
 
+    hardware.pulseaudio.enable = true; # sound
+
     # Lomiri-ish setup for Lomiri indicators
     # TODO move into a Lomiri module, once the package set is far enough for the DE to start
 
@@ -91,7 +96,7 @@ in {
 
     # Now check if all indicators were brought up successfully, and kill them for later
   '' + (runCommandOverAyatanaIndicators (service: let serviceExec = builtins.replaceStrings [ "." ] [ "-" ] service; in ''
-    machine.succeed("pgrep -u ${user} -f ${serviceExec}")
+    machine.wait_until_succeeds("pgrep -u ${user} -f ${serviceExec}")
     machine.succeed("pkill -f ${serviceExec}")
   '')) + ''
 
diff --git a/nixos/tests/castopod.nix b/nixos/tests/castopod.nix
index 3257cd3d363c7..57e035354d23e 100644
--- a/nixos/tests/castopod.nix
+++ b/nixos/tests/castopod.nix
@@ -98,6 +98,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
             driver = Firefox(options=options, service=service)
             driver = Firefox(options=options)
             driver.implicitly_wait(30)
+            driver.set_page_load_timeout(60)
 
             # install ##########################################################
 
@@ -207,7 +208,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
             text = ''
               out=/tmp/podcast.mp3
               sox -n -r 48000 -t wav - synth ${targetPodcastDuration} sine 440 `
-              `| lame --noreplaygain -cbr -q 9 -b 320 - $out
+              `| lame --noreplaygain --cbr -q 9 -b 320 - $out
               FILESIZE="$(stat -c%s $out)"
               [ "$FILESIZE" -gt 0 ]
               [ "$FILESIZE" -le "${toString targetPodcastSize}" ]
diff --git a/nixos/tests/clatd.nix b/nixos/tests/clatd.nix
index 00021d87ba5f4..f4d2242ce54f4 100644
--- a/nixos/tests/clatd.nix
+++ b/nixos/tests/clatd.nix
@@ -59,7 +59,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
             "100.64.0.2/24"
           ];
           routes = [
-            { routeConfig = { Destination = "192.0.2.0/24"; Gateway = "100.64.0.1"; }; }
+            { Destination = "192.0.2.0/24"; Gateway = "100.64.0.1"; }
           ];
         };
       };
@@ -149,7 +149,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
             "2001:db8::2/64"
           ];
           routes = [
-            { routeConfig = { Destination = "::/0"; Gateway = "2001:db8::1"; }; }
+            { Destination = "::/0"; Gateway = "2001:db8::1"; }
           ];
         };
       };
diff --git a/nixos/tests/domination.nix b/nixos/tests/domination.nix
index 409a7f3029c42..9e4badd2e369d 100644
--- a/nixos/tests/domination.nix
+++ b/nixos/tests/domination.nix
@@ -10,6 +10,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
     ];
 
     services.xserver.enable = true;
+    sound.enable = true;
     environment.systemPackages = [ pkgs.domination ];
   };
 
@@ -18,6 +19,9 @@ import ./make-test-python.nix ({ pkgs, ... }: {
   testScript =
     ''
       machine.wait_for_x()
+      # Add a dummy sound card, or an error reporting popup will appear,
+      # covering the main window and preventing OCR
+      machine.execute("modprobe snd-dummy")
       machine.execute("domination >&2 &")
       machine.wait_for_window("Menu")
       machine.wait_for_text(r"(New Game|Start Server|Load Game|Help Manual|Join Game|About|Play Online)")
diff --git a/nixos/tests/filesender.nix b/nixos/tests/filesender.nix
new file mode 100644
index 0000000000000..9274ddbf7e90e
--- /dev/null
+++ b/nixos/tests/filesender.nix
@@ -0,0 +1,137 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }: {
+  name = "filesender";
+  meta = {
+    maintainers = with lib.maintainers; [ nhnn ];
+    broken = pkgs.stdenv.isAarch64; # selenium.common.exceptions.WebDriverException: Message: Unsupported platform/architecture combination: linux/aarch64
+  };
+
+  nodes.filesender = { ... }: let
+    format = pkgs.formats.php { };
+  in {
+    networking.firewall.allowedTCPPorts = [ 80 ];
+
+    services.filesender.enable = true;
+    services.filesender.localDomain = "filesender";
+    services.filesender.settings = {
+      auth_sp_saml_authentication_source = "default";
+      auth_sp_saml_uid_attribute = "uid";
+      storage_filesystem_path = "/tmp";
+      site_url = "http://filesender";
+      force_ssl = false;
+      admin = "";
+      admin_email = "admin@localhost";
+      email_reply_to = "noreply@localhost";
+    };
+    services.simplesamlphp.filesender = {
+      settings = {
+        baseurlpath = "http://filesender/saml";
+        "module.enable".exampleauth = true;
+      };
+      authSources = {
+        admin = [ "core:AdminPassword" ];
+        default = format.lib.mkMixedArray [ "exampleauth:UserPass" ] {
+          "user:password" = {
+            uid = [ "user" ];
+            cn = [ "user" ];
+            mail = [ "user@nixos.org" ];
+          };
+        };
+      };
+    };
+  };
+
+  nodes.client =
+    { pkgs
+    , nodes
+    , ...
+    }:
+    let
+      filesenderIP = (builtins.head (nodes.filesender.networking.interfaces.eth1.ipv4.addresses)).address;
+    in
+    {
+      networking.hosts.${filesenderIP} = [ "filesender" ];
+
+      environment.systemPackages =
+        let
+          username = "user";
+          password = "password";
+          browser-test =
+            pkgs.writers.writePython3Bin "browser-test"
+              {
+                libraries = [ pkgs.python3Packages.selenium ];
+                flakeIgnore = [ "E124" "E501" ];
+              } ''
+              from selenium.webdriver.common.by import By
+              from selenium.webdriver import Firefox
+              from selenium.webdriver.firefox.options import Options
+              from selenium.webdriver.firefox.firefox_profile import FirefoxProfile
+              from selenium.webdriver.firefox.service import Service
+              from selenium.webdriver.support.ui import WebDriverWait
+              from selenium.webdriver.support import expected_conditions as EC
+              from subprocess import STDOUT
+              import string
+              import random
+              import logging
+              import time
+              selenium_logger = logging.getLogger("selenium")
+              selenium_logger.setLevel(logging.DEBUG)
+              selenium_logger.addHandler(logging.StreamHandler())
+              profile = FirefoxProfile()
+              profile.set_preference("browser.download.folderList", 2)
+              profile.set_preference("browser.download.manager.showWhenStarting", False)
+              profile.set_preference("browser.download.dir", "/tmp/firefox")
+              profile.set_preference("browser.helperApps.neverAsk.saveToDisk", "text/plain;text/txt")
+              options = Options()
+              options.profile = profile
+              options.add_argument('--headless')
+              service = Service(log_output=STDOUT)
+              driver = Firefox(options=options)
+              driver.set_window_size(1024, 768)
+              driver.implicitly_wait(30)
+              driver.get('http://filesender/')
+              wait = WebDriverWait(driver, 20)
+              wait.until(EC.title_contains("FileSender"))
+              driver.find_element(By.ID, "btn_logon").click()
+              wait.until(EC.title_contains("Enter your username and password"))
+              driver.find_element(By.ID, 'username').send_keys(
+                  '${username}'
+              )
+              driver.find_element(By.ID, 'password').send_keys(
+                  '${password}'
+              )
+              driver.find_element(By.ID, "submit_button").click()
+              wait.until(EC.title_contains("FileSender"))
+              wait.until(EC.presence_of_element_located((By.ID, "topmenu_logoff")))
+              test_string = "".join(random.choices(string.ascii_uppercase + string.digits, k=20))
+              with open("/tmp/test_file.txt", "w") as file:
+                  file.write(test_string)
+              driver.find_element(By.ID, "files").send_keys("/tmp/test_file.txt")
+              time.sleep(2)
+              driver.find_element(By.CSS_SELECTOR, '.start').click()
+              wait.until(EC.presence_of_element_located((By.CSS_SELECTOR, ".download_link")))
+              download_link = driver.find_element(By.CSS_SELECTOR, '.download_link > textarea').get_attribute('value').strip()
+              driver.get(download_link)
+              wait.until(EC.presence_of_element_located((By.CSS_SELECTOR, ".download")))
+              driver.find_element(By.CSS_SELECTOR, '.download').click()
+              wait.until(EC.presence_of_element_located((By.CSS_SELECTOR, ".ui-dialog-buttonset > button:nth-child(2)")))
+              driver.find_element(By.CSS_SELECTOR, ".ui-dialog-buttonset > button:nth-child(2)").click()
+              driver.close()
+              driver.quit()
+            '';
+        in
+        [
+          pkgs.firefox-unwrapped
+          pkgs.geckodriver
+          browser-test
+        ];
+    };
+
+  testScript = ''
+    start_all()
+    filesender.wait_for_file("/run/phpfpm/filesender.sock")
+    filesender.wait_for_open_port(80)
+    if "If you have received an invitation to access this site as a guest" not in client.wait_until_succeeds("curl -sS -f http://filesender"):
+      raise Exception("filesender returned invalid html")
+    client.succeed("browser-test")
+  '';
+})
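Review bot: The browser test uploads a random `test_string`, downloads the file and then quits without ever comparing what was downloaded to what was uploaded, so a server that returns a truncated, empty or wrong file still passes. Since `browser.download.dir` is set to `/tmp/firefox`, the script can wait for the saved file there and assert its contents (the saved name is presumably `test_file.txt`; confirm against what FileSender serves), which needs `import os` added to the imports at the top of the script. The `time.sleep(2)` before clicking `.start` is the only fixed sleep in an otherwise wait-based script and is a likely source of flakiness; an explicit `wait.until` on the upload widget's state would be more robust.

```python
# … unchanged: login, upload and navigation to the download page …
driver.find_element(By.CSS_SELECTOR, ".ui-dialog-buttonset > button:nth-child(2)").click()
downloaded = "/tmp/firefox/test_file.txt"  # presumed saved name; confirm
wait.until(lambda _: os.path.exists(downloaded) and os.path.getsize(downloaded) > 0)
with open(downloaded) as f:
    assert f.read() == test_string, "downloaded content differs from uploaded"
driver.close()
```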
diff --git a/nixos/tests/firefly-iii.nix b/nixos/tests/firefly-iii.nix
index c93d799320a48..2373ba8360264 100644
--- a/nixos/tests/firefly-iii.nix
+++ b/nixos/tests/firefly-iii.nix
@@ -1,14 +1,19 @@
-import ./make-test-python.nix ({ lib, pkgs, ... }: {
+import ./make-test-python.nix ({ lib, ... }:
+
+let
+  db-pass = "Test2Test2";
+  app-key = "TestTestTestTestTestTestTestTest";
+in
+{
   name = "firefly-iii";
   meta.maintainers = [ lib.maintainers.savyajha ];
 
-  nodes.machine = { config, ... }: {
+  nodes.fireflySqlite = { config, ... }: {
     environment.etc = {
-      "firefly-iii-appkey".text = "TestTestTestTestTestTestTestTest";
+      "firefly-iii-appkey".text = app-key;
     };
     services.firefly-iii = {
       enable = true;
-      virtualHost = "http://localhost";
       enableNginx = true;
       settings = {
         APP_KEY_FILE = "/etc/firefly-iii-appkey";
@@ -18,9 +23,87 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
     };
   };
 
+  nodes.fireflyPostgresql = { config, pkgs, ... }: {
+    environment.etc = {
+      "firefly-iii-appkey".text = app-key;
+      "postgres-pass".text = db-pass;
+    };
+    services.firefly-iii = {
+      enable = true;
+      enableNginx = true;
+      settings = {
+        APP_KEY_FILE = "/etc/firefly-iii-appkey";
+        LOG_CHANNEL = "stdout";
+        SITE_OWNER = "mail@example.com";
+        DB_CONNECTION = "pgsql";
+        DB_DATABASE = "firefly";
+        DB_USERNAME = "firefly";
+        DB_PASSWORD_FILE = "/etc/postgres-pass";
+      };
+    };
+
+    services.postgresql = {
+      enable = true;
+      package = pkgs.postgresql_15;
+      authentication = ''
+        local all postgres peer
+        local firefly firefly password
+      '';
+      initialScript = pkgs.writeText "firefly-init.sql" ''
+        CREATE USER "firefly" WITH LOGIN PASSWORD '${db-pass}';
+        CREATE DATABASE "firefly" WITH OWNER "firefly";
+        CREATE SCHEMA AUTHORIZATION firefly;
+      '';
+    };
+  };
+
+  nodes.fireflyMysql = { config, pkgs, ... }: {
+    environment.etc = {
+      "firefly-iii-appkey".text = app-key;
+      "mysql-pass".text = db-pass;
+    };
+    services.firefly-iii = {
+      enable = true;
+      enableNginx = true;
+      settings = {
+        APP_KEY_FILE = "/etc/firefly-iii-appkey";
+        LOG_CHANNEL = "stdout";
+        SITE_OWNER = "mail@example.com";
+        DB_CONNECTION = "mysql";
+        DB_DATABASE = "firefly";
+        DB_USERNAME = "firefly";
+        DB_PASSWORD_FILE = "/etc/mysql-pass";
+        DB_SOCKET = "/run/mysqld/mysqld.sock";
+      };
+    };
+
+    services.mysql = {
+      enable = true;
+      package = pkgs.mariadb;
+      initialScript = pkgs.writeText "firefly-init.sql" ''
+        create database firefly DEFAULT CHARACTER SET utf8mb4;
+        create user 'firefly'@'localhost' identified by '${db-pass}';
+        grant all on firefly.* to 'firefly'@'localhost';
+      '';
+      settings.mysqld.character-set-server = "utf8mb4";
+    };
+  };
+
   testScript = ''
-    machine.wait_for_unit("phpfpm-firefly-iii.service")
-    machine.wait_for_unit("nginx.service")
-    machine.succeed("curl -fvvv -Ls http://localhost/ | grep 'Firefly III'")
+    fireflySqlite.wait_for_unit("phpfpm-firefly-iii.service")
+    fireflySqlite.wait_for_unit("nginx.service")
+    fireflySqlite.succeed("curl -fvvv -Ls http://localhost/ | grep 'Firefly III'")
+    fireflySqlite.succeed("curl -fvvv -Ls http://localhost/v1/js/app.js")
+    fireflySqlite.succeed("systemctl start firefly-iii-cron.service")
+    fireflyPostgresql.wait_for_unit("phpfpm-firefly-iii.service")
+    fireflyPostgresql.wait_for_unit("nginx.service")
+    fireflyPostgresql.wait_for_unit("postgresql.service")
+    fireflyPostgresql.succeed("curl -fvvv -Ls http://localhost/ | grep 'Firefly III'")
+    fireflyPostgresql.succeed("systemctl start firefly-iii-cron.service")
+    fireflyMysql.wait_for_unit("phpfpm-firefly-iii.service")
+    fireflyMysql.wait_for_unit("nginx.service")
+    fireflyMysql.wait_for_unit("mysql.service")
+    fireflyMysql.succeed("curl -fvvv -Ls http://localhost/ | grep 'Firefly III'")
+    fireflyMysql.succeed("systemctl start firefly-iii-cron.service")
   '';
 })
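Review bot: The database password introduced for the fireflyPostgresql and fireflyMysql nodes is written through `environment.etc."postgres-pass".text` and `"mysql-pass".text`, which produce mode 0644 files by default, and the same value is interpolated into the `pkgs.writeText` init scripts, so it is also readable by everyone via the Nix store. That is acceptable in a throwaway test VM, but the node definitions read like a template; a comment such as `# Test-only credentials: the /etc files and the init scripts are world-readable.` above the `db-pass` binding in the first hunk would keep them from being copied into a real configuration. The `local firefly firefly password` pg_hba line also selects cleartext password authentication; `local firefly firefly scram-sha-256` works identically here, since PostgreSQL 15 stores the password SCRAM-hashed by default, and is the form worth showing. The enclosing attribute set starts in the previous hunk.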
diff --git a/nixos/tests/gnome-extensions.nix b/nixos/tests/gnome-extensions.nix
index 51ccabd7e6a65..332cf44b0ed4f 100644
--- a/nixos/tests/gnome-extensions.nix
+++ b/nixos/tests/gnome-extensions.nix
@@ -84,7 +84,6 @@ import ./make-test-python.nix (
       "dash-to-dock"
       "dash-to-panel"
       "ddterm"
-      "emoji-selector"
       "gsconnect"
       "system-monitor-next"
       "desktop-icons-ng-ding"
@@ -138,11 +137,11 @@ import ./make-test-python.nix (
             # Enable and optionally disable
 
             machine.succeed(f"${run "gnome-extensions enable {extension}"}")
-            checkState("ENABLED", extension)
+            checkState("ACTIVE", extension)
 
             if disable:
                 machine.succeed(f"${run "gnome-extensions disable {extension}"}")
-                checkState("DISABLED", extension)
+                checkState("INACTIVE", extension)
     ''
     + lib.concatLines (map (e: ''checkExtension("${e}", False)'') alwaysOnExtensions)
     + lib.concatLines (map (e: ''checkExtension("${e}", True)'') testExtensions)
diff --git a/nixos/tests/grafana/provision/default.nix b/nixos/tests/grafana/provision/default.nix
index d33d16ce12099..f9dd8b2961ac7 100644
--- a/nixos/tests/grafana/provision/default.nix
+++ b/nixos/tests/grafana/provision/default.nix
@@ -1,7 +1,7 @@
 import ../../make-test-python.nix ({ lib, pkgs, ... }:
 
 let
-  inherit (lib) mkMerge nameValuePair maintainers;
+  inherit (lib) mkMerge maintainers;
 
   baseGrafanaConf = {
     services.grafana = {
@@ -33,35 +33,6 @@ let
   };
 
   extraNodeConfs = {
-    provisionLegacyNotifiers = {
-      services.grafana.provision = {
-        datasources.settings = {
-          apiVersion = 1;
-          datasources = [{
-            name = "Test Datasource";
-            type = "testdata";
-            access = "proxy";
-            uid = "test_datasource";
-          }];
-        };
-        dashboards.settings = {
-          apiVersion = 1;
-          providers = [{
-            name = "default";
-            options.path = "/var/lib/grafana/dashboards";
-          }];
-        };
-        notifiers = [{
-          uid = "test_notifiers";
-          name = "Test Notifiers";
-          type = "email";
-          settings = {
-            singleEmail = true;
-            addresses = "test@test.com";
-          };
-        }];
-      };
-    };
     provisionNix = {
       services.grafana.provision = {
         datasources.settings = {
@@ -242,15 +213,5 @@ in {
             machine.succeed(
                 "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/mute-timings | grep Test\ Mute\ Timing"
             )
-
-    with subtest("Successful notifiers provision"):
-        provisionLegacyNotifiers.wait_for_unit("grafana.service")
-        provisionLegacyNotifiers.wait_for_open_port(3000)
-        print(provisionLegacyNotifiers.succeed(
-            "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/alert-notifications/uid/test_notifiers"
-        ))
-        provisionLegacyNotifiers.succeed(
-            "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/alert-notifications/uid/test_notifiers | grep Test\ Notifiers"
-        )
   '';
 })
diff --git a/nixos/tests/kea.nix b/nixos/tests/kea.nix
index 98a8e93a07609..653e280ec8b7e 100644
--- a/nixos/tests/kea.nix
+++ b/nixos/tests/kea.nix
@@ -57,6 +57,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: {
           };
 
           subnet4 = [ {
+            id = 1;
             subnet = "10.0.0.0/29";
             pools = [ {
               pool = "10.0.0.3 - 10.0.0.3";
diff --git a/nixos/tests/keepalived.nix b/nixos/tests/keepalived.nix
index 16564511d85dc..052b36266d037 100644
--- a/nixos/tests/keepalived.nix
+++ b/nixos/tests/keepalived.nix
@@ -4,8 +4,8 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
 
   nodes = {
     node1 = { pkgs, ... }: {
-      networking.firewall.extraCommands = "iptables -A INPUT -p vrrp -j ACCEPT";
       services.keepalived.enable = true;
+      services.keepalived.openFirewall = true;
       services.keepalived.vrrpInstances.test = {
         interface = "eth1";
         state = "MASTER";
@@ -16,8 +16,8 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
       environment.systemPackages = [ pkgs.tcpdump ];
     };
     node2 = { pkgs, ... }: {
-      networking.firewall.extraCommands = "iptables -A INPUT -p vrrp -j ACCEPT";
       services.keepalived.enable = true;
+      services.keepalived.openFirewall = true;
       services.keepalived.vrrpInstances.test = {
         interface = "eth1";
         state = "MASTER";
diff --git a/nixos/tests/kernel-generic.nix b/nixos/tests/kernel-generic.nix
index 07e15a380b6d5..6a8633808702f 100644
--- a/nixos/tests/kernel-generic.nix
+++ b/nixos/tests/kernel-generic.nix
@@ -32,10 +32,12 @@ let
       linux_6_1_hardened
       linux_6_6_hardened
       linux_6_8_hardened
+      linux_6_9_hardened
       linux_rt_5_4
       linux_rt_5_10
       linux_rt_5_15
       linux_rt_6_1
+      linux_rt_6_6
       linux_libre
 
       linux_testing;
diff --git a/nixos/tests/lomiri.nix b/nixos/tests/lomiri.nix
index c5889d27133f4..99f04a303be31 100644
--- a/nixos/tests/lomiri.nix
+++ b/nixos/tests/lomiri.nix
@@ -290,20 +290,38 @@ in {
     # There's a test app we could use that also displays their contents, but it's abit inconsistent.
     with subtest("ayatana indicators work"):
         mouse_click(735, 0) # the cog in the top-right, for the session indicator
-        machine.wait_for_text(r"(Notifications|Time|Date|System)")
+        machine.wait_for_text(r"(Notifications|Rotation|Battery|Sound|Time|Date|System)")
         machine.screenshot("indicators_open")
 
         # Indicator order within the menus *should* be fixed based on per-indicator order setting
         # Session is the one we clicked, but the last we should test (logout). Go as far left as we can test.
         machine.send_key("left")
         machine.send_key("left")
+        machine.send_key("left")
+        machine.send_key("left")
+        machine.send_key("left")
         # Notifications are usually empty, nothing to check there
 
-        with subtest("lomiri indicator network works"):
+        with subtest("ayatana indicator display works"):
             # We start on this, don't go right
+            machine.wait_for_text("Lock")
+            machine.screenshot("indicators_display")
+
+        with subtest("lomiri indicator network works"):
+            machine.send_key("right")
             machine.wait_for_text(r"(Flight|Wi-Fi)")
             machine.screenshot("indicators_network")
 
+        with subtest("ayatana indicator sound works"):
+            machine.send_key("right")
+            machine.wait_for_text(r"(Silent|Volume)")
+            machine.screenshot("indicators_sound")
+
+        with subtest("ayatana indicator power works"):
+            machine.send_key("right")
+            machine.wait_for_text(r"(Charge|Battery settings)")
+            machine.screenshot("indicators_power")
+
         with subtest("ayatana indicator datetime works"):
             machine.send_key("right")
             machine.wait_for_text("Time and Date Settings")
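Review bot: Five consecutive `machine.send_key("left")` calls now precede the indicator subtests with no indication of where they are meant to land; a loop, `for _ in range(5): machine.send_key("left")`, with a comment naming the indicator expected to be reached (display, judging by the subtest that follows) would make the count's purpose clear and easy to adjust when another indicator is added. The enclosing `with subtest("ayatana indicators work")` block continues past the hunk.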
diff --git a/nixos/tests/mealie.nix b/nixos/tests/mealie.nix
index 88f749c712948..810d47ecd2ec4 100644
--- a/nixos/tests/mealie.nix
+++ b/nixos/tests/mealie.nix
@@ -3,7 +3,7 @@ import ./make-test-python.nix ({ pkgs, ...} :
 {
   name = "mealie";
   meta = with pkgs.lib.maintainers; {
-    maintainers = [ litchipi ];
+    maintainers = [ litchipi anoa ];
   };
 
   nodes = {
diff --git a/nixos/tests/misc.nix b/nixos/tests/misc.nix
index 83e0f46be3ecf..451bd8d4e3197 100644
--- a/nixos/tests/misc.nix
+++ b/nixos/tests/misc.nix
@@ -73,16 +73,19 @@ let
 
 
         with subtest("nix-db"):
-            info = get_path_info("${foo}")
+            out = "${foo}"
+            info = get_path_info(out)
             print(info)
 
+            pathinfo = info[0] if isinstance(info, list) else info[out]
+
             if (
-                info[0]["narHash"]
+                pathinfo["narHash"]
                 != "sha256-BdMdnb/0eWy3EddjE83rdgzWWpQjfWPAj3zDIFMD3Ck="
             ):
                 raise Exception("narHash not set")
 
-            if info[0]["narSize"] != 128:
+            if pathinfo["narSize"] != 128:
                 raise Exception("narSize not set")
 
         with subtest("nixos-version"):
diff --git a/nixos/tests/ollama.nix b/nixos/tests/ollama.nix
index 4b21f445cdbd3..30e475553eb1a 100644
--- a/nixos/tests/ollama.nix
+++ b/nixos/tests/ollama.nix
@@ -1,10 +1,10 @@
 import ./make-test-python.nix ({ pkgs, lib, ... }:
 let
-  mainPort = "11434";
-  altPort = "11435";
+  mainPort = 11434;
+  altPort = 11435;
 
   curlRequest = port: request:
-    "curl http://127.0.0.1:${port}/api/generate -d '${builtins.toJSON request}'";
+    "curl http://127.0.0.1:${toString port}/api/generate -d '${builtins.toJSON request}'";
 
   prompt = {
     model = "tinydolphin";
@@ -38,7 +38,7 @@ in
 
     altAddress = { ... }: {
       services.ollama.enable = true;
-      services.ollama.listenAddress = "127.0.0.1:${altPort}";
+      services.ollama.port = altPort;
     };
   };
 
diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index 140723a2df810..3929522a39e73 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -111,11 +111,11 @@ in {
     server-no-openssl =
       { ... }:
       {
-        programs.ssh.package = pkgs.opensshPackages.openssh.override {
-          linkOpenssl = false;
-        };
         services.openssh = {
           enable = true;
+          package = pkgs.opensshPackages.openssh.override {
+            linkOpenssl = false;
+          };
           hostKeys = [
             { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
           ];
@@ -136,11 +136,11 @@ in {
     server-no-pam =
       { pkgs, ... }:
       {
-        programs.ssh.package = pkgs.opensshPackages.openssh.override {
-          withPAM = false;
-        };
         services.openssh = {
           enable = true;
+          package = pkgs.opensshPackages.openssh.override {
+            withPAM = false;
+          };
           settings = {
             UsePAM = false;
           };
diff --git a/nixos/tests/phosh.nix b/nixos/tests/phosh.nix
index d505f0ffc5245..64d6889aaf741 100644
--- a/nixos/tests/phosh.nix
+++ b/nixos/tests/phosh.nix
@@ -3,7 +3,7 @@ import ./make-test-python.nix ({ pkgs, ...}: let
 in {
   name = "phosh";
   meta = with pkgs.lib.maintainers; {
-    maintainers = [ tomfitzhenry zhaofengli ];
+    maintainers = [ zhaofengli ];
   };
 
   nodes = {
diff --git a/nixos/tests/rke2/default.nix b/nixos/tests/rke2/default.nix
new file mode 100644
index 0000000000000..e8a5f382b735f
--- /dev/null
+++ b/nixos/tests/rke2/default.nix
@@ -0,0 +1,13 @@
+{ system ? builtins.currentSystem
+, pkgs ? import ../../.. { inherit system; }
+, lib ? pkgs.lib
+}:
+let
+  allRKE2 = lib.filterAttrs (n: _: lib.strings.hasPrefix "rke2" n) pkgs;
+in
+{
+  # Run a single node rke2 cluster and verify a pod can run
+  singleNode = lib.mapAttrs (_: rke2: import ./single-node.nix { inherit system pkgs rke2; }) allRKE2;
+  # Run a multi-node rke2 cluster and verify pod networking works across nodes
+  multiNode = lib.mapAttrs (_: rke2: import ./multi-node.nix { inherit system pkgs rke2; }) allRKE2;
+}
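Review bot: `lib.filterAttrs (n: _: lib.strings.hasPrefix "rke2" n) pkgs` selects every top-level attribute whose name starts with `rke2`, not only the rke2 packages, so any future alias or helper with that prefix would be handed to `import ./single-node.nix` as if it were a package. Restricting the predicate to derivations, `lib.filterAttrs (n: v: lib.strings.hasPrefix "rke2" n && lib.isDerivation v) pkgs`, keeps the test matrix to actual packages; the matched values are evaluated by the import anyway, so this adds no cost.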
diff --git a/nixos/tests/rke2/multi-node.nix b/nixos/tests/rke2/multi-node.nix
new file mode 100644
index 0000000000000..ddf0b60f6fba4
--- /dev/null
+++ b/nixos/tests/rke2/multi-node.nix
@@ -0,0 +1,176 @@
+import ../make-test-python.nix ({ pkgs, lib, rke2, ... }:
+  let
+    pauseImage = pkgs.dockerTools.streamLayeredImage {
+      name = "test.local/pause";
+      tag = "local";
+      contents = pkgs.buildEnv {
+        name = "rke2-pause-image-env";
+        paths = with pkgs; [ tini bashInteractive coreutils socat ];
+      };
+      config.Entrypoint = [ "/bin/tini" "--" "/bin/sleep" "inf" ];
+    };
+    # A daemonset that responds 'server' on port 8000
+    networkTestDaemonset = pkgs.writeText "test.yml" ''
+      apiVersion: apps/v1
+      kind: DaemonSet
+      metadata:
+        name: test
+        labels:
+          name: test
+      spec:
+        selector:
+          matchLabels:
+            name: test
+        template:
+          metadata:
+            labels:
+              name: test
+          spec:
+            containers:
+            - name: test
+              image: test.local/pause:local
+              imagePullPolicy: Never
+              resources:
+                limits:
+                  memory: 20Mi
+              command: ["socat", "TCP4-LISTEN:8000,fork", "EXEC:echo server"]
+    '';
+    tokenFile = pkgs.writeText "token" "p@s$w0rd";
+    agentTokenFile = pkgs.writeText "agent-token" "p@s$w0rd";
+  in
+  {
+    name = "${rke2.name}-multi-node";
+    meta.maintainers = rke2.meta.maintainers;
+
+    nodes = {
+      server1 = { pkgs, ... }: {
+        networking.firewall.enable = false;
+        networking.useDHCP = false;
+        networking.defaultGateway = "192.168.1.1";
+        networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [
+          { address = "192.168.1.1"; prefixLength = 24; }
+        ];
+
+        virtualisation.memorySize = 1536;
+        virtualisation.diskSize = 4096;
+
+        services.rke2 = {
+          enable = true;
+          role = "server";
+          inherit tokenFile;
+          inherit agentTokenFile;
+          nodeName = "${rke2.name}-server1";
+          package = rke2;
+          nodeIP = "192.168.1.1";
+          disable = [
+            "rke2-coredns"
+            "rke2-metrics-server"
+            "rke2-ingress-nginx"
+          ];
+          extraFlags = [
+            "--cluster-reset"
+          ];
+        };
+      };
+
+      server2 = { pkgs, ... }: {
+        networking.firewall.enable = false;
+        networking.useDHCP = false;
+        networking.defaultGateway = "192.168.1.2";
+        networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [
+          { address = "192.168.1.2"; prefixLength = 24; }
+        ];
+
+        virtualisation.memorySize = 1536;
+        virtualisation.diskSize = 4096;
+
+        services.rke2 = {
+          enable = true;
+          role = "server";
+          serverAddr = "https://192.168.1.1:6443";
+          inherit tokenFile;
+          inherit agentTokenFile;
+          nodeName = "${rke2.name}-server2";
+          package = rke2;
+          nodeIP = "192.168.1.2";
+          disable = [
+            "rke2-coredns"
+            "rke2-metrics-server"
+            "rke2-ingress-nginx"
+          ];
+        };
+      };
+
+      agent1 = { pkgs, ... }: {
+        networking.firewall.enable = false;
+        networking.useDHCP = false;
+        networking.defaultGateway = "192.168.1.3";
+        networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [
+          { address = "192.168.1.3"; prefixLength = 24; }
+        ];
+
+        virtualisation.memorySize = 1536;
+        virtualisation.diskSize = 4096;
+
+        services.rke2 = {
+          enable = true;
+          role = "agent";
+          tokenFile = agentTokenFile;
+          serverAddr = "https://192.168.1.2:6443";
+          nodeName = "${rke2.name}-agent1";
+          package = rke2;
+          nodeIP = "192.168.1.3";
+        };
+      };
+    };
+
+    testScript = let
+      kubectl = "${pkgs.kubectl}/bin/kubectl --kubeconfig=/etc/rancher/rke2/rke2.yaml";
+      ctr = "${pkgs.containerd}/bin/ctr -a /run/k3s/containerd/containerd.sock";
+      jq = "${pkgs.jq}/bin/jq";
+      ping = "${pkgs.iputils}/bin/ping";
+    in ''
+      machines = [server1, server2, agent1]
+
+      for machine in machines:
+          machine.start()
+          machine.wait_for_unit("rke2")
+
+      # wait for the agent to show up
+      server1.succeed("${kubectl} get node ${rke2.name}-agent1")
+
+      for machine in machines:
+          machine.succeed("${pauseImage} | ${ctr} image import -")
+
+      server1.succeed("${kubectl} cluster-info")
+      server1.wait_until_succeeds("${kubectl} get serviceaccount default")
+
+      # Now create a pod on each node via a daemonset and verify they can talk to each other.
+      server1.succeed("${kubectl} apply -f ${networkTestDaemonset}")
+      server1.wait_until_succeeds(
+          f'[ "$(${kubectl} get ds test -o json | ${jq} .status.numberReady)" -eq {len(machines)} ]'
+      )
+
+      # Get pod IPs
+      pods = server1.succeed("${kubectl} get po -o json | ${jq} '.items[].metadata.name' -r").splitlines()
+      pod_ips = [
+          server1.succeed(f"${kubectl} get po {n} -o json | ${jq} '.status.podIP' -cr").strip() for n in pods
+      ]
+
+      # Verify each server can ping each pod ip
+      for pod_ip in pod_ips:
+          server1.succeed(f"${ping} -c 1 {pod_ip}")
+          agent1.succeed(f"${ping} -c 1 {pod_ip}")
+
+      # Verify the pods can talk to each other
+      resp = server1.wait_until_succeeds(f"${kubectl} exec {pods[0]} -- socat TCP:{pod_ips[1]}:8000 -")
+      assert resp.strip() == "server"
+      resp = server1.wait_until_succeeds(f"${kubectl} exec {pods[1]} -- socat TCP:{pod_ips[0]}:8000 -")
+      assert resp.strip() == "server"
+
+      # Cleanup
+      server1.succeed("${kubectl} delete -f ${networkTestDaemonset}")
+      for machine in machines:
+          machine.shutdown()
+    '';
+  })
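Review bot: The pause image is imported with `${ctr} image import -` and no namespace, whereas single-node.nix in the same commit passes `-n k8s.io`; unless containerd's default namespace is configured as `k8s.io` on these nodes, the image lands in the `default` namespace where the kubelet does not look, and with `imagePullPolicy: Never` the daemonset pods could not start — confirm which applies and align the two tests, e.g. `machine.succeed("${pauseImage} | ${ctr} -n k8s.io image import -")`. Separately, `tokenFile` and `agentTokenFile` are `pkgs.writeText` outputs, so the cluster join tokens are world-readable store paths; that is fine for a throwaway VM, but a comment such as `# test-only tokens; writeText places them in the world-readable Nix store` next to the bindings would stop the pattern from being copied into real configurations. `networking.firewall.enable = false` on all three nodes likewise deserves a one-line comment stating why it is acceptable in this test.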
diff --git a/nixos/tests/rke2/single-node.nix b/nixos/tests/rke2/single-node.nix
new file mode 100644
index 0000000000000..5a512eacca0f1
--- /dev/null
+++ b/nixos/tests/rke2/single-node.nix
@@ -0,0 +1,75 @@
+import ../make-test-python.nix ({ pkgs, lib, rke2, ... }:
+  let
+    pauseImage = pkgs.dockerTools.streamLayeredImage {
+      name = "test.local/pause";
+      tag = "local";
+      contents = pkgs.buildEnv {
+        name = "rke2-pause-image-env";
+        paths = with pkgs; [ tini (hiPrio coreutils) busybox ];
+      };
+      config.Entrypoint = [ "/bin/tini" "--" "/bin/sleep" "inf" ];
+    };
+    testPodYaml = pkgs.writeText "test.yaml" ''
+      apiVersion: v1
+      kind: Pod
+      metadata:
+        name: test
+      spec:
+        containers:
+        - name: test
+          image: test.local/pause:local
+          imagePullPolicy: Never
+          command: ["sh", "-c", "sleep inf"]
+    '';
+  in
+  {
+    name = "${rke2.name}-single-node";
+    meta.maintainers = rke2.meta.maintainers;
+
+    nodes.machine = { pkgs, ... }: {
+      networking.firewall.enable = false;
+      networking.useDHCP = false;
+      networking.defaultGateway = "192.168.1.1";
+      networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [
+        { address = "192.168.1.1"; prefixLength = 24; }
+      ];
+
+      virtualisation.memorySize = 1536;
+      virtualisation.diskSize = 4096;
+
+      services.rke2 = {
+        enable = true;
+        role = "server";
+        package = rke2;
+        nodeIP = "192.168.1.1";
+        disable = [
+          "rke2-coredns"
+          "rke2-metrics-server"
+          "rke2-ingress-nginx"
+        ];
+        extraFlags = [
+          "--cluster-reset"
+        ];
+      };
+    };
+
+    testScript = let
+      kubectl = "${pkgs.kubectl}/bin/kubectl --kubeconfig=/etc/rancher/rke2/rke2.yaml";
+      ctr = "${pkgs.containerd}/bin/ctr -a /run/k3s/containerd/containerd.sock";
+    in ''
+      start_all()
+
+      machine.wait_for_unit("rke2")
+      machine.succeed("${kubectl} cluster-info")
+      machine.wait_until_succeeds(
+        "${pauseImage} | ${ctr} -n k8s.io image import -"
+      )
+
+      machine.wait_until_succeeds("${kubectl} get serviceaccount default")
+      machine.succeed("${kubectl} apply -f ${testPodYaml}")
+      machine.succeed("${kubectl} wait --for 'condition=Ready' pod/test")
+      machine.succeed("${kubectl} delete -f ${testPodYaml}")
+
+      machine.shutdown()
+    '';
+  })
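Review bot: `machine.succeed("${kubectl} wait --for 'condition=Ready' pod/test")` runs `kubectl wait` with its built-in default timeout of 30 seconds, so on a slow builder the test fails before the pod is ready instead of waiting the way the surrounding `wait_until_succeeds` calls do; wrapping the same command in `machine.wait_until_succeeds(...)` or passing an explicit `--timeout` to `kubectl wait` makes the wait bounded by the test driver instead. `extraFlags = [ "--cluster-reset" ]` is passed to the server unconditionally; a comment explaining why a fresh single-node cluster needs a reset on each start, and that the flag discards existing cluster membership if copied into a real deployment, would help the next reader.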
diff --git a/nixos/tests/rosenpass.nix b/nixos/tests/rosenpass.nix
index ec4046c8c035b..8765fd201c0e5 100644
--- a/nixos/tests/rosenpass.nix
+++ b/nixos/tests/rosenpass.nix
@@ -74,10 +74,8 @@ in
           wireguardConfig.ListenPort = server.wg.listen;
           wireguardPeers = [
             {
-              wireguardPeerConfig = {
-                AllowedIPs = [ "::/0" ];
-                PublicKey = client.wg.public;
-              };
+              AllowedIPs = [ "::/0" ];
+              PublicKey = client.wg.public;
             }
           ];
         };
@@ -97,11 +95,9 @@ in
 
         systemd.network.netdevs."10-${deviceName}".wireguardPeers = [
           {
-            wireguardPeerConfig = {
-              AllowedIPs = [ "::/0" ];
-              PublicKey = server.wg.public;
-              Endpoint = "server:${builtins.toString server.wg.listen}";
-            };
+            AllowedIPs = [ "::/0" ];
+            PublicKey = server.wg.public;
+            Endpoint = "server:${builtins.toString server.wg.listen}";
           }
         ];
 
diff --git a/nixos/tests/stalwart-mail.nix b/nixos/tests/stalwart-mail.nix
index 581090cd70f48..173b4fce4ad5d 100644
--- a/nixos/tests/stalwart-mail.nix
+++ b/nixos/tests/stalwart-mail.nix
@@ -18,8 +18,8 @@ in import ./make-test-python.nix ({ lib, ... }: {
         server.hostname = domain;
 
         certificate."snakeoil" = {
-          cert = "file://${certs.${domain}.cert}";
-          private-key = "file://${certs.${domain}.key}";
+          cert = "%{file:${certs.${domain}.cert}}%";
+          private-key = "%{file:${certs.${domain}.key}}%";
         };
 
         server.tls = {
@@ -40,8 +40,6 @@ in import ./make-test-python.nix ({ lib, ... }: {
           };
         };
 
-        resolver.public-suffix = [ ];  # do not fetch from web in sandbox
-
         session.auth.mechanisms = "[plain]";
         session.auth.directory = "'in-memory'";
         storage.directory = "in-memory";
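Review bot: The removed `resolver.public-suffix = [ ];` line carried the comment `# do not fetch from web in sandbox`, and nothing in the hunk replaces it, so the configuration now presumably relies either on the download failing harmlessly in the sandbox or on the option having been renamed in the new stalwart release. If the setting has a new name, set it here with the same comment; if the default is now acceptable offline, a one-line comment saying so would keep the next reader from re-adding it. The enclosing settings attribute set continues outside the hunk.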
@@ -53,13 +51,13 @@ in import ./make-test-python.nix ({ lib, ... }: {
           type = "memory";
           principals = [
             {
-              type = "individual";
+              class = "individual";
               name = "alice";
               secret = "foobar";
               email = [ "alice@${domain}" ];
             }
             {
-              type = "individual";
+              class = "individual";
               name = "bob";
               secret = "foobar";
               email = [ "bob@${domain}" ];
@@ -117,6 +115,6 @@ in import ./make-test-python.nix ({ lib, ... }: {
   '';
 
   meta = {
-    maintainers = with lib.maintainers; [ happysalada pacien ];
+    maintainers = with lib.maintainers; [ happysalada pacien onny ];
   };
 })
diff --git a/nixos/tests/step-ca.nix b/nixos/tests/step-ca.nix
index c4d8168e5c515..184c35f6b85cc 100644
--- a/nixos/tests/step-ca.nix
+++ b/nixos/tests/step-ca.nix
@@ -89,7 +89,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
       ''
         catester.start()
         caserver.wait_for_unit("step-ca.service")
-        caserver.succeed("journalctl -o cat -u step-ca.service | grep '${pkgs.step-ca.version}'")
+        caserver.wait_until_succeeds("journalctl -o cat -u step-ca.service | grep '${pkgs.step-ca.version}'")
 
         caclient.wait_for_unit("acme-finished-caclient.target")
         catester.succeed("curl https://caclient/ | grep \"Welcome to nginx!\"")
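Review bot: `grep '${pkgs.step-ca.version}'` in the changed line treats the version as a regular expression, so its dots match any character and the check is looser than intended; `grep -F '${pkgs.step-ca.version}'` matches the literal string. The surrounding test script continues outside the hunk.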
diff --git a/nixos/tests/systemd-initrd-luks-fido2.nix b/nixos/tests/systemd-initrd-luks-fido2.nix
index f9f75ab7f301c..207f51f4dd9b4 100644
--- a/nixos/tests/systemd-initrd-luks-fido2.nix
+++ b/nixos/tests/systemd-initrd-luks-fido2.nix
@@ -9,7 +9,6 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
       # Booting off the encrypted disk requires having a Nix store available for the init script
       mountHostNixStore = true;
       useEFIBoot = true;
-      qemu.package = lib.mkForce (pkgs.qemu_test.override { canokeySupport = true; });
       qemu.options = [ "-device canokey,file=/tmp/canokey-file" ];
     };
     boot.loader.systemd-boot.enable = true;
diff --git a/nixos/tests/systemd-networkd-dhcpserver-static-leases.nix b/nixos/tests/systemd-networkd-dhcpserver-static-leases.nix
index f6d5411aa5cad..fda9f35cbe104 100644
--- a/nixos/tests/systemd-networkd-dhcpserver-static-leases.nix
+++ b/nixos/tests/systemd-networkd-dhcpserver-static-leases.nix
@@ -24,14 +24,14 @@ import ./make-test-python.nix ({ lib, ... }: {
           "01-eth1" = {
             name = "eth1";
             networkConfig = {
+              # IPForward prevents dynamic address configuration
+              IPForward = true;
               DHCPServer = true;
               Address = "10.0.0.1/24";
             };
             dhcpServerStaticLeases = [{
-              dhcpServerStaticLeaseConfig = {
-                MACAddress = "02:de:ad:be:ef:01";
-                Address = "10.0.0.10";
-              };
+              MACAddress = "02:de:ad:be:ef:01";
+              Address = "10.0.0.10";
             }];
           };
         };
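Review bot: The comment on the new `IPForward = true;` line, `# IPForward prevents dynamic address configuration`, does not say what is being prevented or why a DHCP server for a single subnet needs forwarding enabled; what the next reader needs is the effect observed without it, e.g. `# IPForward is required here because <effect seen in this test without it>` with the reason filled in. Newer systemd releases deprecate `IPForward=` in .network files in favour of `IPv4Forwarding=`/`IPv6Forwarding=`, so it is worth confirming against the systemd version this revision ships before the test depends on the old key.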
@@ -41,20 +41,30 @@ import ./make-test-python.nix ({ lib, ... }: {
     client = {
       virtualisation.vlans = [ 1 ];
       systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
+      systemd.network = {
+        enable = true;
+        links."10-eth1" = {
+          matchConfig.OriginalName = "eth1";
+          linkConfig.MACAddress = "02:de:ad:be:ef:01";
+        };
+        networks."40-eth1" = {
+          matchConfig.Name = "eth1";
+          networkConfig = {
+            DHCP = "ipv4";
+            IPv6AcceptRA = false;
+          };
+          # This setting is important to have the router assign the
+          # configured lease based on the client's MAC address. Also see:
+          # https://github.com/systemd/systemd/issues/21368#issuecomment-982193546
+          dhcpV4Config.ClientIdentifier = "mac";
+          linkConfig.RequiredForOnline = "routable";
+        };
+      };
       networking = {
-        useNetworkd = true;
         useDHCP = false;
         firewall.enable = false;
-        interfaces.eth1 = {
-          useDHCP = true;
-          macAddress = "02:de:ad:be:ef:01";
-        };
+        interfaces.eth1 = lib.mkForce {};
       };
-
-      # This setting is important to have the router assign the
-      # configured lease based on the client's MAC address. Also see:
-      # https://github.com/systemd/systemd/issues/21368#issuecomment-982193546
-      systemd.network.networks."40-eth1".dhcpV4Config.ClientIdentifier = "mac";
     };
   };
   testScript = ''
diff --git a/nixos/tests/systemd-networkd-dhcpserver.nix b/nixos/tests/systemd-networkd-dhcpserver.nix
index 665d8b5a05291..fda0c9d641938 100644
--- a/nixos/tests/systemd-networkd-dhcpserver.nix
+++ b/nixos/tests/systemd-networkd-dhcpserver.nix
@@ -54,7 +54,7 @@ import ./make-test-python.nix ({pkgs, ...}: {
             name = "eth1";
             networkConfig.Bridge = "br0";
             bridgeVLANs = [
-              { bridgeVLANConfig = { PVID = 2; EgressUntagged = 2; }; }
+              { PVID = 2; EgressUntagged = 2; }
             ];
           };
           "02-br0" = {
@@ -69,8 +69,8 @@ import ./make-test-python.nix ({pkgs, ...}: {
               PoolSize = 1;
             };
             bridgeVLANs = [
-              { bridgeVLANConfig = { PVID = 1; EgressUntagged = 1; }; }
-              { bridgeVLANConfig = { VLAN = 2; }; }
+              { PVID = 1; EgressUntagged = 1; }
+              { VLAN = 2; }
             ];
           };
           "02-vlan2" = {
diff --git a/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix b/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix
index 1e55341657bdb..6c056d9a10183 100644
--- a/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix
+++ b/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix
@@ -66,6 +66,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
           settings = {
             interfaces-config.interfaces = [ "eth1" ];
             subnet6 = [ {
+              id = 1;
               interface = "eth1";
               subnet = "2001:DB8::/32";
               pd-pools = [ {
@@ -258,7 +259,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
           "01-lo" = {
             name = "lo";
             addresses = [
-              { addressConfig.Address = "FD42::1/128"; }
+              { Address = "FD42::1/128"; }
             ];
           };
         };
diff --git a/nixos/tests/systemd-networkd-vrf.nix b/nixos/tests/systemd-networkd-vrf.nix
index d4227526a30d4..4f2a45577c169 100644
--- a/nixos/tests/systemd-networkd-vrf.nix
+++ b/nixos/tests/systemd-networkd-vrf.nix
@@ -59,14 +59,14 @@ in {
           matchConfig.Name = "vrf1";
           networkConfig.IPForward = "yes";
           routes = [
-            { routeConfig = { Destination = "192.168.1.2"; Metric = 100; }; }
+            { Destination = "192.168.1.2"; Metric = 100; }
           ];
         };
         networks."10-vrf2" = {
           matchConfig.Name = "vrf2";
           networkConfig.IPForward = "yes";
           routes = [
-            { routeConfig = { Destination = "192.168.2.3"; Metric = 100; }; }
+            { Destination = "192.168.2.3"; Metric = 100; }
           ];
         };
 
diff --git a/nixos/tests/systemd-networkd.nix b/nixos/tests/systemd-networkd.nix
index 6b241b93d5118..44ad713cd6dfc 100644
--- a/nixos/tests/systemd-networkd.nix
+++ b/nixos/tests/systemd-networkd.nix
@@ -23,13 +23,13 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
               ListenPort = 51820;
               FirewallMark = 42;
             };
-            wireguardPeers = [ {wireguardPeerConfig={
+            wireguardPeers = [ {
               Endpoint = "192.168.1.${peerId}:51820";
               PublicKey = pubk;
               PresharedKeyFile = pkgs.writeText "psk.key" "yTL3sCOL33Wzi6yCnf9uZQl/Z8laSE+zwpqOHC4HhFU=";
               AllowedIPs = [ "10.0.0.${peerId}/32" ];
               PersistentKeepalive = 15;
-            };}];
+            } ];
           };
         };
         networks = {
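Review bot: The peer's `PresharedKeyFile` on the new side is a `pkgs.writeText` output, so the PSK lands world-readable in `/nix/store`; that is acceptable for a throwaway test key, but nothing in the block says so and the flattened peer attrset now reads like a snippet to copy. Add `# Test-only PSK: writeText stores it world-readable in the Nix store; never do this for a real key` above the `PresharedKeyFile` line. The enclosing `generateNodeConf` function starts before this hunk and continues past it.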
@@ -41,8 +41,8 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
             matchConfig = { Name = "wg0"; };
             address = [ "10.0.0.${nodeId}/32" ];
             routes = [
-              { routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }; }
-              { routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; Table = "custom"; }; }
+              { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }
+              { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; Table = "custom"; }
             ];
           };
           "30-eth1" = {
@@ -52,11 +52,11 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
               "fe80::${nodeId}/64"
             ];
             routingPolicyRules = [
-              { routingPolicyRuleConfig = { Table = 10; IncomingInterface = "eth1"; Family = "both"; };}
-              { routingPolicyRuleConfig = { Table = 20; OutgoingInterface = "eth1"; };}
-              { routingPolicyRuleConfig = { Table = 30; From = "192.168.1.1"; To = "192.168.1.2"; SourcePort = 666 ; DestinationPort = 667; };}
-              { routingPolicyRuleConfig = { Table = 40; IPProtocol = "tcp"; InvertRule = true; };}
-              { routingPolicyRuleConfig = { Table = 50; IncomingInterface = "eth1"; Family = "ipv4"; };}
+              { Table = 10; IncomingInterface = "eth1"; Family = "both"; }
+              { Table = 20; OutgoingInterface = "eth1"; }
+              { Table = 30; From = "192.168.1.1"; To = "192.168.1.2"; SourcePort = 666 ; DestinationPort = 667; }
+              { Table = 40; IPProtocol = "tcp"; InvertRule = true; }
+              { Table = 50; IncomingInterface = "eth1"; Family = "ipv4"; }
             ];
           };
         };
diff --git a/nixos/tests/systemd-resolved.nix b/nixos/tests/systemd-resolved.nix
new file mode 100644
index 0000000000000..3eedc17f4b34f
--- /dev/null
+++ b/nixos/tests/systemd-resolved.nix
@@ -0,0 +1,75 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }: {
+  name = "systemd-resolved";
+  meta.maintainers = [ lib.maintainers.elvishjerricco ];
+
+  nodes.server = { lib, config, ... }: let
+    exampleZone = pkgs.writeTextDir "example.com.zone" ''
+      @ SOA ns.example.com. noc.example.com. 2019031301 86400 7200 3600000 172800
+      @       A       ${(lib.head config.networking.interfaces.eth1.ipv4.addresses).address}
+      @       AAAA    ${(lib.head config.networking.interfaces.eth1.ipv6.addresses).address}
+    '';
+  in {
+    networking.firewall.enable = false;
+    networking.useDHCP = false;
+
+    networking.interfaces.eth1.ipv6.addresses = lib.mkForce [
+      { address = "fd00::1"; prefixLength = 64; }
+    ];
+
+    services.knot = {
+      enable = true;
+      settings = {
+        server.listen = [
+          "0.0.0.0@53"
+          "::@53"
+        ];
+        template.default.storage = exampleZone;
+        zone."example.com".file = "example.com.zone";
+      };
+    };
+  };
+
+  nodes.client = { nodes, ... }: let
+    inherit (lib.head nodes.server.networking.interfaces.eth1.ipv4.addresses) address;
+  in {
+    networking.nameservers = [ address ];
+    networking.interfaces.eth1.ipv6.addresses = lib.mkForce [
+      { address = "fd00::2"; prefixLength = 64; }
+    ];
+    services.resolved.enable = true;
+    services.resolved.fallbackDns = [ ];
+    networking.useNetworkd = true;
+    networking.useDHCP = false;
+    systemd.network.networks."40-eth0".enable = false;
+
+    testing.initrdBackdoor = true;
+    boot.initrd = {
+      systemd.enable = true;
+      systemd.initrdBin = [ pkgs.iputils ];
+      network.enable = true;
+      services.resolved.enable = true;
+    };
+  };
+
+  testScript = { nodes, ... }: let
+    address4 = (lib.head nodes.server.networking.interfaces.eth1.ipv4.addresses).address;
+    address6 = (lib.head nodes.server.networking.interfaces.eth1.ipv6.addresses).address;
+  in ''
+    start_all()
+    server.wait_for_unit("multi-user.target")
+
+    def test_client():
+        query = client.succeed("resolvectl query example.com")
+        assert "${address4}" in query
+        assert "${address6}" in query
+        client.succeed("ping -4 -c 1 example.com")
+        client.succeed("ping -6 -c 1 example.com")
+
+    client.wait_for_unit("initrd.target")
+    test_client()
+    client.switch_root()
+
+    client.wait_for_unit("multi-user.target")
+    test_client()
+  '';
+})
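Review bot: `services.resolved.fallbackDns = [ ]` is the setting that makes this test meaningful, yet it carries no explanation; without it, a failure to reach the knot node would be masked by resolved's compiled-in public fallback servers instead of surfacing as a failed query. I'd add `# No fallback servers: a failure to reach our knot instance must fail the test rather than fall back silently.` above it. Separately, `assert "${address4}" in query` is a substring check, so a server address such as `192.168.1.1` would also match `192.168.1.10` in the output; matching the answer line exactly (e.g. `assert f"example.com: ${address4}" in query`, or checking `resolvectl query -t A` output per line) makes the assertion precise. Knot's `0.0.0.0@53`/`::@53` listeners together with the disabled firewall are fine for an isolated VM but deserve a one-line comment so the fixture isn't copied as-is.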
diff --git a/nixos/tests/tayga.nix b/nixos/tests/tayga.nix
index 204391d1312f2..e3c57b7d58feb 100644
--- a/nixos/tests/tayga.nix
+++ b/nixos/tests/tayga.nix
@@ -55,7 +55,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
             "100.64.0.2/24"
           ];
           routes = [
-            { routeConfig = { Destination = "192.0.2.0/24"; Gateway = "100.64.0.1"; }; }
+            { Destination = "192.0.2.0/24"; Gateway = "100.64.0.1"; }
           ];
         };
       };
@@ -202,7 +202,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
             "2001:db8::2/64"
           ];
           routes = [
-            { routeConfig = { Destination = "64:ff9b::/96"; Gateway = "2001:db8::1"; }; }
+            { Destination = "64:ff9b::/96"; Gateway = "2001:db8::1"; }
           ];
         };
       };
diff --git a/nixos/tests/teleport.nix b/nixos/tests/teleport.nix
index 2fb347155759a..3621cce0599e1 100644
--- a/nixos/tests/teleport.nix
+++ b/nixos/tests/teleport.nix
@@ -9,7 +9,6 @@ with import ../lib/testing-python.nix { inherit system pkgs; };
 let
   packages = with pkgs; {
     "default" = teleport;
-    "13" = teleport_13;
     "14" = teleport_14;
   };
 
diff --git a/nixos/tests/tigervnc.nix b/nixos/tests/tigervnc.nix
index ed575682d9338..b80cb49519c45 100644
--- a/nixos/tests/tigervnc.nix
+++ b/nixos/tests/tigervnc.nix
@@ -38,16 +38,18 @@ makeTest {
     server.succeed("Xvnc -geometry 720x576 :1 -PasswordFile vncpasswd >&2 &")
     server.wait_until_succeeds("nc -z localhost 5901", timeout=10)
     server.succeed("DISPLAY=:1 xwininfo -root | grep 720x576")
-    server.execute("DISPLAY=:1 display -size 360x200 -font sans -gravity south label:'HELLO VNC WORLD' >&2 &")
+    server.execute("DISPLAY=:1 display -size 360x200 -font sans -gravity south label:'HELLO VNC' >&2 &")
 
     client.wait_for_x()
     client.execute("vncviewer server:1 -PasswordFile vncpasswd >&2 &")
     client.wait_for_window(r"VNC")
     client.screenshot("screenshot")
     text = client.get_screen_text()
+
     # Displayed text
-    assert 'HELLO VNC WORLD' in text
+    assert 'HELLO VNC' in text
     # Client window title
-    assert 'TigerVNC' in text
+    # get_screen_text can't get correct string from screenshot
+    # assert 'TigerVNC' in text
   '';
 }
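Review bot: Commenting out `assert 'TigerVNC' in text` parks dead code and silently drops the only check that the viewer window came up with its title; if OCR cannot read the title bar, replace the check rather than disable it. The `client.wait_for_window(r"VNC")` call above already matches window names rather than screenshot text, so tightening it to `client.wait_for_window(r"TigerVNC")` keeps the title check without relying on `get_screen_text`. If that is done, delete the commented-out assertion and keep only the explanatory comment.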
diff --git a/nixos/tests/turbovnc-headless-server.nix b/nixos/tests/turbovnc-headless-server.nix
index a155f9f907b25..e4eff4f078447 100644
--- a/nixos/tests/turbovnc-headless-server.nix
+++ b/nixos/tests/turbovnc-headless-server.nix
@@ -24,11 +24,14 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
     };
 
     # So that we can ssh into the VM, see e.g.
-    # http://blog.patapon.info/nixos-local-vm/#accessing-the-vm-with-ssh
+    # https://nixos.org/manual/nixos/stable/#sec-nixos-test-port-forwarding
     services.openssh.enable = true;
-    services.openssh.settings.PermitRootLogin = "yes";
-    users.extraUsers.root.password = "";
     users.mutableUsers = false;
+    # `test-instrumentation.nix` already sets an empty root password.
+    # The following have to all be set to allow an empty SSH login password.
+    services.openssh.settings.PermitRootLogin = "yes";
+    services.openssh.settings.PermitEmptyPasswords = "yes";
+    security.pam.services.sshd.allowNullPassword = true; # the default `UsePam yes` makes this necessary
   };
 
   testScript = ''
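Review bot: The new block enables root SSH login with an empty password (`PermitRootLogin = "yes"`, `PermitEmptyPasswords = "yes"`, `allowNullPassword = true`) and the only justification is a link about port forwarding; anyone skimming for a working sshd snippet will copy it. Put an explicit warning above the three lines, e.g. `# TEST-ONLY: unauthenticated root SSH. Tolerable here only because the NixOS test VM's network is isolated; never copy into a real configuration.` If the goal is just developer access during debugging, `PermitRootLogin = "prohibit-password"` plus an `users.users.root.openssh.authorizedKeys.keys` entry would avoid the empty-password path entirely, though whether that fits the interactive workflow is not visible in this hunk.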
@@ -124,7 +127,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
         machine.wait_until_succeeds("test -f /tmp/glxgears-should-fail.stderr")
         wait_until_terminated_or_succeeds(
             termination_check_shell_command="pidof glxgears",
-            success_check_shell_command="grep 'libGL error: failed to load driver: swrast' /tmp/glxgears-should-fail.stderr",
+            success_check_shell_command="grep 'MESA-LOADER: failed to open swrast' /tmp/glxgears-should-fail.stderr",
             get_detail_message_fn=lambda: "Contents of /tmp/glxgears-should-fail.stderr:\n"
             + machine.succeed("cat /tmp/glxgears-should-fail.stderr"),
         )
diff --git a/nixos/tests/vector.nix b/nixos/tests/vector.nix
deleted file mode 100644
index 9c0d7e84fab33..0000000000000
--- a/nixos/tests/vector.nix
+++ /dev/null
@@ -1,53 +0,0 @@
-{ system ? builtins.currentSystem, config ? { }
-, pkgs ? import ../.. { inherit system config; } }:
-
-with import ../lib/testing-python.nix { inherit system pkgs; };
-with pkgs.lib;
-
-{
-  test1 = makeTest {
-    name = "vector-test1";
-    meta.maintainers = [ pkgs.lib.maintainers.happysalada ];
-
-    nodes.machine = { config, pkgs, ... }: {
-      services.vector = {
-        enable = true;
-        journaldAccess = true;
-        settings = {
-          sources = {
-            journald.type = "journald";
-
-            vector_metrics.type = "internal_metrics";
-
-            vector_logs.type = "internal_logs";
-          };
-
-          sinks = {
-            file = {
-              type = "file";
-              inputs = [ "journald" "vector_logs" ];
-              path = "/var/lib/vector/logs.log";
-              encoding = { codec = "json"; };
-            };
-
-            prometheus_exporter = {
-              type = "prometheus_exporter";
-              inputs = [ "vector_metrics" ];
-              address = "[::]:9598";
-            };
-          };
-        };
-      };
-    };
-
-    # ensure vector is forwarding the messages appropriately
-    testScript = ''
-      machine.wait_for_unit("vector.service")
-      machine.wait_for_open_port(9598)
-      machine.wait_until_succeeds("curl -sSf http://localhost:9598/metrics | grep vector_build_info")
-      machine.wait_until_succeeds("curl -sSf http://localhost:9598/metrics | grep vector_component_received_bytes_total | grep journald")
-      machine.wait_until_succeeds("curl -sSf http://localhost:9598/metrics | grep vector_utilization | grep prometheus_exporter")
-      machine.wait_for_file("/var/lib/vector/logs.log")
-    '';
-  };
-}
diff --git a/nixos/tests/vector/api.nix b/nixos/tests/vector/api.nix
new file mode 100644
index 0000000000000..8aa3a0c1b771f
--- /dev/null
+++ b/nixos/tests/vector/api.nix
@@ -0,0 +1,39 @@
+import ../make-test-python.nix ({ lib, pkgs, ... }:
+
+{
+  name = "vector-api";
+  meta.maintainers = [ pkgs.lib.maintainers.happysalada ];
+
+  nodes.machineapi = { config, pkgs, ... }: {
+    services.vector = {
+      enable = true;
+      journaldAccess = false;
+      settings = {
+        api.enabled = true;
+
+        sources = {
+          demo_logs = {
+            type = "demo_logs";
+            format = "json";
+          };
+        };
+
+        sinks = {
+          file = {
+            type = "file";
+            inputs = [ "demo_logs" ];
+            path = "/var/lib/vector/logs.log";
+            encoding = { codec = "json"; };
+          };
+        };
+      };
+    };
+  };
+
+  testScript = ''
+    machineapi.wait_for_unit("vector")
+    machineapi.wait_for_open_port(8686)
+    machineapi.succeed("journalctl -o cat -u vector.service | grep 'API server running'")
+    machineapi.wait_until_succeeds("curl -sSf http://localhost:8686/health")
+  '';
+})
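Review bot: `api.enabled = true` is set without `api.address`, so the bind address is whatever Vector's default happens to be (loopback `127.0.0.1:8686`, as far as I recall) and the test would keep passing even if that default changed to a wildcard bind. Pin it with `api.address = "127.0.0.1:8686";` so the test both documents and enforces that the unauthenticated GraphQL/health API stays on loopback. Also, `machineapi.succeed("journalctl -o cat -u vector.service | grep 'API server running'")` is a one-shot check while the health probe on the next line uses `wait_until_succeeds`; using `wait_until_succeeds` for the journal grep too avoids a log-flush race.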
diff --git a/nixos/tests/vector/default.nix b/nixos/tests/vector/default.nix
new file mode 100644
index 0000000000000..990b067e81774
--- /dev/null
+++ b/nixos/tests/vector/default.nix
@@ -0,0 +1,11 @@
+{ system ? builtins.currentSystem
+, config ? { }
+, pkgs ? import ../../.. { inherit system config; }
+}:
+
+{
+  file-sink = import ./file-sink.nix { inherit system pkgs; };
+  api = import ./api.nix { inherit system pkgs; };
+  dnstap = import ./dnstap.nix { inherit system pkgs; };
+  nginx-clickhouse = import ./nginx-clickhouse.nix { inherit system pkgs; };
+}
diff --git a/nixos/tests/vector/dnstap.nix b/nixos/tests/vector/dnstap.nix
new file mode 100644
index 0000000000000..15d643311b604
--- /dev/null
+++ b/nixos/tests/vector/dnstap.nix
@@ -0,0 +1,118 @@
+import ../make-test-python.nix ({ lib, pkgs, ... }:
+
+let
+  dnstapSocket = "/var/run/vector/dnstap.sock";
+in
+{
+  name = "vector-dnstap";
+  meta.maintainers = [ pkgs.lib.maintainers.happysalada ];
+
+  nodes = {
+    unbound = { config, pkgs, ... }: {
+      networking.firewall.allowedUDPPorts = [ 53 ];
+
+      services.vector = {
+        enable = true;
+
+        settings = {
+          sources = {
+            dnstap = {
+              type = "dnstap";
+              multithreaded = true;
+              mode = "unix";
+              lowercase_hostnames = true;
+              socket_file_mode = 504;
+              socket_path = "${dnstapSocket}";
+            };
+          };
+
+          sinks = {
+            file = {
+              type = "file";
+              inputs = [ "dnstap" ];
+              path = "/var/lib/vector/logs.log";
+              encoding = { codec = "json"; };
+            };
+          };
+        };
+      };
+
+      systemd.services.vector.serviceConfig = {
+        RuntimeDirectory = "vector";
+        RuntimeDirectoryMode = "0770";
+      };
+
+      services.unbound = {
+        enable = true;
+        enableRootTrustAnchor = false;
+        package = pkgs.unbound-full;
+        settings = {
+          server = {
+            interface = [ "0.0.0.0" "::" ];
+            access-control = [ "192.168.1.0/24 allow" ];
+
+            domain-insecure = "local";
+            private-domain = "local";
+
+            local-zone = "local. static";
+            local-data = [
+              ''"test.local. 10800 IN A 192.168.123.5"''
+            ];
+          };
+
+          dnstap = {
+            dnstap-enable = "yes";
+            dnstap-socket-path = "${dnstapSocket}";
+            dnstap-send-identity = "yes";
+            dnstap-send-version = "yes";
+            dnstap-log-client-query-messages = "yes";
+            dnstap-log-client-response-messages = "yes";
+          };
+        };
+      };
+
+      systemd.services.unbound = {
+        after = [ "vector.service" ];
+        wants = [ "vector.service" ];
+        serviceConfig = {
+          # DNSTAP access
+          ReadWritePaths = [ "/var/run/vector" ];
+          SupplementaryGroups = [ "vector" ];
+        };
+      };
+    };
+
+    dnsclient = { config, pkgs, ... }: {
+      environment.systemPackages = [ pkgs.dig ];
+    };
+  };
+
+  testScript = ''
+    unbound.wait_for_unit("unbound")
+    unbound.wait_for_unit("vector")
+
+    unbound.wait_until_succeeds(
+      "journalctl -o cat -u vector.service | grep 'Socket permissions updated to 0o770'"
+    )
+    unbound.wait_until_succeeds(
+      "journalctl -o cat -u vector.service | grep 'component_type=dnstap' | grep 'Listening... path=\"${dnstapSocket}\"'"
+    )
+
+    unbound.wait_for_file("${dnstapSocket}")
+    unbound.succeed("test 770 -eq $(stat -c '%a' ${dnstapSocket})")
+
+    dnsclient.wait_for_unit("network-online.target")
+    dnsclient.succeed(
+      "dig @unbound test.local"
+    )
+
+    unbound.wait_for_file("/var/lib/vector/logs.log")
+
+    unbound.wait_until_succeeds(
+      "grep ClientQuery /var/lib/vector/logs.log | grep '\"domainName\":\"test.local.\"' | grep '\"rcodeName\":\"NoError\"'"
+    )
+    unbound.wait_until_succeeds(
+      "grep ClientResponse /var/lib/vector/logs.log | grep '\"domainName\":\"test.local.\"' | grep '\"rData\":\"192.168.123.5\"'"
+    )
+  '';
+})
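Review bot: `socket_file_mode = 504` is decimal for `0o770`, which is why the script later greps for `Socket permissions updated to 0o770` and stats `770`, but without a comment the number looks arbitrary. Add `# 504 == 0o770: group-writable so unbound (SupplementaryGroups = [ "vector" ]) can connect; no access for others` beside it. `enableRootTrustAnchor = false` also deserves a one-liner (presumably `# sandbox has no network, so the root trust anchor cannot be fetched/maintained`), since turning off root DNSSEC validation is not something a reader should copy unexplained. `ReadWritePaths = [ "/var/run/vector" ]` and `dnstapSocket` rely on `/var/run` being a symlink to `/run`, where `RuntimeDirectory = "vector"` actually lives; using `/run/vector` in both places removes that dependency.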
diff --git a/nixos/tests/vector/file-sink.nix b/nixos/tests/vector/file-sink.nix
new file mode 100644
index 0000000000000..2220d20ac55c3
--- /dev/null
+++ b/nixos/tests/vector/file-sink.nix
@@ -0,0 +1,49 @@
+import ../make-test-python.nix ({ lib, pkgs, ... }:
+
+{
+  name = "vector-test1";
+  meta.maintainers = [ pkgs.lib.maintainers.happysalada ];
+
+  nodes.machine = { config, pkgs, ... }: {
+    services.vector = {
+      enable = true;
+      journaldAccess = true;
+      settings = {
+        sources = {
+          journald.type = "journald";
+
+          vector_metrics.type = "internal_metrics";
+
+          vector_logs.type = "internal_logs";
+        };
+
+        sinks = {
+          file = {
+            type = "file";
+            inputs = [ "journald" "vector_logs" ];
+            path = "/var/lib/vector/logs.log";
+            encoding = { codec = "json"; };
+          };
+
+          prometheus_exporter = {
+            type = "prometheus_exporter";
+            inputs = [ "vector_metrics" ];
+            address = "[::]:9598";
+          };
+        };
+      };
+    };
+  };
+
+  # ensure vector is forwarding the messages appropriately
+  testScript = ''
+    machine.wait_for_unit("vector.service")
+    machine.wait_for_open_port(9598)
+    machine.wait_until_succeeds("journalctl -o cat -u vector.service | grep 'version=\"${pkgs.vector.version}\"'")
+    machine.wait_until_succeeds("journalctl -o cat -u vector.service | grep 'API is disabled'")
+    machine.wait_until_succeeds("curl -sSf http://localhost:9598/metrics | grep vector_build_info")
+    machine.wait_until_succeeds("curl -sSf http://localhost:9598/metrics | grep vector_component_received_bytes_total | grep journald")
+    machine.wait_until_succeeds("curl -sSf http://localhost:9598/metrics | grep vector_utilization | grep prometheus_exporter")
+    machine.wait_for_file("/var/lib/vector/logs.log")
+  '';
+})
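Review bot: The `prometheus_exporter` sink binds `[::]:9598`, i.e. every interface, while the script only ever scrapes `http://localhost:9598/metrics`; `address = "[::1]:9598";` would exercise the same code path without advertising the metrics endpoint on the test VLAN and would make the fixture safer to copy. If the wildcard bind is deliberate (to exercise the default users will hit), say so in a comment. The test is also still called `vector-test1` in `name =` although it now lives at `vector/file-sink.nix`; `name = "vector-file-sink";` would match the naming of the other new tests.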
diff --git a/nixos/tests/vector/nginx-clickhouse.nix b/nixos/tests/vector/nginx-clickhouse.nix
new file mode 100644
index 0000000000000..3d99bac6ac161
--- /dev/null
+++ b/nixos/tests/vector/nginx-clickhouse.nix
@@ -0,0 +1,168 @@
+import ../make-test-python.nix ({ lib, pkgs, ... }:
+
+{
+  name = "vector-nginx-clickhouse";
+  meta.maintainers = [ pkgs.lib.maintainers.happysalada ];
+
+  nodes = {
+    clickhouse = { config, pkgs, ... }: {
+      virtualisation.memorySize = 4096;
+
+      # Clickhouse module can't listen on a non-loopback IP.
+      networking.firewall.allowedTCPPorts = [ 6000 ];
+      services.clickhouse.enable = true;
+
+      # Exercise Vector sink->source for now.
+      services.vector = {
+        enable = true;
+
+        settings = {
+          sources = {
+            vector_source = {
+              type = "vector";
+              address = "[::]:6000";
+            };
+          };
+
+          sinks = {
+            clickhouse = {
+              type = "clickhouse";
+              inputs = [ "vector_source" ];
+              endpoint = "http://localhost:8123";
+              database = "nginxdb";
+              table = "access_logs";
+              skip_unknown_fields = true;
+            };
+          };
+        };
+      };
+    };
+
+    nginx = { config, pkgs, ... }: {
+      services.nginx = {
+        enable = true;
+        virtualHosts.localhost = {};
+      };
+
+      services.vector = {
+        enable = true;
+
+        settings = {
+          sources = {
+            nginx_logs = {
+              type = "file";
+              include = [ "/var/log/nginx/access.log" ];
+              read_from = "end";
+            };
+          };
+
+          sinks = {
+            vector_sink = {
+              type = "vector";
+              inputs = [ "nginx_logs" ];
+              address = "clickhouse:6000";
+            };
+          };
+        };
+      };
+
+      systemd.services.vector.serviceConfig = {
+        SupplementaryGroups = [ "nginx" ];
+      };
+    };
+  };
+
+  testScript =
+  let
+    # work around quote/substitution complexity by Nix, Perl, bash and SQL.
+    databaseDDL = pkgs.writeText "database.sql" "CREATE DATABASE IF NOT EXISTS nginxdb";
+
+    tableDDL = pkgs.writeText "table.sql" ''
+      CREATE TABLE IF NOT EXISTS  nginxdb.access_logs (
+        message String
+      )
+      ENGINE = MergeTree()
+      ORDER BY tuple()
+    '';
+
+    # Graciously taken from https://clickhouse.com/docs/en/integrations/vector
+    tableView = pkgs.writeText "table-view.sql" ''
+      CREATE MATERIALIZED VIEW nginxdb.access_logs_view
+      (
+        RemoteAddr String,
+        Client String,
+        RemoteUser String,
+        TimeLocal DateTime,
+        RequestMethod String,
+        Request String,
+        HttpVersion String,
+        Status Int32,
+        BytesSent Int64,
+        UserAgent String
+      )
+      ENGINE = MergeTree()
+      ORDER BY RemoteAddr
+      POPULATE AS
+      WITH
+       splitByWhitespace(message) as split,
+       splitByRegexp('\S \d+ "([^"]*)"', message) as referer
+      SELECT
+        split[1] AS RemoteAddr,
+        split[2] AS Client,
+        split[3] AS RemoteUser,
+        parseDateTimeBestEffort(replaceOne(trim(LEADING '[' FROM split[4]), ':', ' ')) AS TimeLocal,
+        trim(LEADING '"' FROM split[6]) AS RequestMethod,
+        split[7] AS Request,
+        trim(TRAILING '"' FROM split[8]) AS HttpVersion,
+        split[9] AS Status,
+        split[10] AS BytesSent,
+        trim(BOTH '"' from referer[2]) AS UserAgent
+      FROM
+        (SELECT message FROM nginxdb.access_logs)
+    '';
+
+    selectQuery = pkgs.writeText "select.sql" "SELECT * from nginxdb.access_logs_view";
+  in
+  ''
+    clickhouse.wait_for_unit("clickhouse")
+    clickhouse.wait_for_open_port(8123)
+
+    clickhouse.wait_until_succeeds(
+      "journalctl -o cat -u clickhouse.service | grep 'Started ClickHouse server'"
+    )
+
+    clickhouse.wait_for_unit("vector")
+    clickhouse.wait_for_open_port(6000)
+
+    clickhouse.succeed(
+      "cat ${databaseDDL} | clickhouse-client"
+    )
+
+    clickhouse.succeed(
+      "cat ${tableDDL} | clickhouse-client"
+    )
+
+    clickhouse.succeed(
+      "cat ${tableView} | clickhouse-client"
+    )
+
+    nginx.wait_for_unit("nginx")
+    nginx.wait_for_open_port(80)
+    nginx.wait_for_unit("vector")
+    nginx.wait_until_succeeds(
+      "journalctl -o cat -u vector.service | grep 'Starting file server'"
+    )
+
+    nginx.succeed("curl http://localhost/")
+    nginx.succeed("curl http://localhost/")
+
+    nginx.wait_for_file("/var/log/nginx/access.log")
+    nginx.wait_until_succeeds(
+      "journalctl -o cat -u vector.service | grep 'Found new file to watch. file=/var/log/nginx/access.log'"
+    )
+
+    clickhouse.wait_until_succeeds(
+      "cat ${selectQuery} | clickhouse-client | grep 'curl'"
+    )
+  '';
+})
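Review bot: The `vector_source` listener on `[::]:6000`, with TCP 6000 opened in the firewall, accepts unauthenticated plaintext events from any host on the VLAN, and the clickhouse sink posts to `http://localhost:8123` with no credentials; that is fine in an isolated test, but the comment `# Exercise Vector sink->source for now.` should say so, e.g. `# Plaintext, unauthenticated vector->vector transport: acceptable only on the isolated test network.` Also, `nginx.succeed("curl http://localhost/")` runs without `--fail`, so a 404 would still be logged with a `curl` user agent and the final `grep 'curl'` would pass; `nginx.succeed("curl --fail http://localhost/")` pins the expected status.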
diff --git a/nixos/tests/web-apps/nextjs-ollama-llm-ui.nix b/nixos/tests/web-apps/nextjs-ollama-llm-ui.nix
new file mode 100644
index 0000000000000..3bb9d1e62aefe
--- /dev/null
+++ b/nixos/tests/web-apps/nextjs-ollama-llm-ui.nix
@@ -0,0 +1,22 @@
+{ lib, ... }:
+
+{
+  name = "nextjs-ollama-llm-ui";
+  meta.maintainers = with lib.maintainers; [ malteneuss ];
+
+  nodes.machine =
+    { pkgs, ... }:
+    {
+      services.nextjs-ollama-llm-ui = {
+        enable = true;
+        port = 8080;
+      };
+    };
+
+  testScript = ''
+    # Ensure the service is started and reachable
+    machine.wait_for_unit("nextjs-ollama-llm-ui.service")
+    machine.wait_for_open_port(8080)
+    machine.succeed("curl --fail http://127.0.0.1:8080")
+  '';
+}
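Review bot: The test never checks where the service listens: `curl --fail http://127.0.0.1:8080` passes whether the UI is bound to loopback or to all interfaces, so the exposure of an unauthenticated LLM front end is not pinned. If the module's default is a loopback bind, add a check such as `machine.succeed("ss -ltn | grep -q '127.0.0.1:8080'")`; if it is not, a comment stating the intended exposure would help readers. The node function also binds `{ pkgs, ... }` without using `pkgs`; `nodes.machine = { services.nextjs-ollama-llm-ui = { enable = true; port = 8080; }; };` is enough.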
diff --git a/nixos/tests/web-servers/stargazer.nix b/nixos/tests/web-servers/stargazer.nix
index f56d1b8c94545..52bc93af17194 100644
--- a/nixos/tests/web-servers/stargazer.nix
+++ b/nixos/tests/web-servers/stargazer.nix
@@ -1,9 +1,9 @@
 { pkgs, lib, ... }:
 let
-  test_script = pkgs.stdenv.mkDerivation rec {
+  test_script = pkgs.stdenv.mkDerivation {
     pname = "stargazer-test-script";
     inherit (pkgs.stargazer) version src;
-    buildInputs = with pkgs; [ (python3.withPackages (ps: with ps; [ cryptography ])) ];
+    buildInputs = with pkgs; [ (python3.withPackages (ps: with ps; [ cryptography urllib3 ])) ];
     dontBuild = true;
     doCheck = false;
     installPhase = ''
@@ -11,7 +11,7 @@ let
       cp scripts/gemini-diagnostics $out/bin/test
     '';
   };
-  test_env = pkgs.stdenv.mkDerivation rec {
+  test_env = pkgs.stdenv.mkDerivation {
     pname = "stargazer-test-env";
     inherit (pkgs.stargazer) version src;
     buildPhase = ''
@@ -23,7 +23,7 @@ let
       cp -r * $out/
     '';
   };
-  scgi_server = pkgs.stdenv.mkDerivation rec {
+  scgi_server = pkgs.stdenv.mkDerivation {
     pname = "stargazer-test-scgi-server";
     inherit (pkgs.stargazer) version src;
     buildInputs = with pkgs; [ python3 ];
@@ -100,7 +100,12 @@ in
           }
           {
             route = "localhost:/no-exist";
-            root = "./does_not_exist";
+            root = "${test_env}/does_not_exist";
+          }
+          {
+            route = "localhost=/rss.xml";
+            root = "${test_env}/test_data/test_site";
+            mime-override = "application/atom+xml";
           }
         ];
       };