diff options
Diffstat (limited to 'nixos')
42 files changed, 1150 insertions, 244 deletions
diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index a368b16201f8f..5f51bb53ad7fc 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix @@ -105,7 +105,9 @@ in rec { mkdir -p $dst cp ${../../../doc/style.css} $dst/style.css - cp ${../../../doc/overrides.css} $dst/overrides.css + cp ${../../../doc/anchor.min.js} $dst/anchor.min.js + cp ${../../../doc/anchor-use.js} $dst/anchor-use.js + cp -r ${pkgs.documentation-highlighter} $dst/highlightjs ${prepareManualFromMD} @@ -115,10 +117,11 @@ in rec { --revision ${lib.escapeShellArg revision} \ --generator "nixos-render-docs ${lib.version}" \ --stylesheet style.css \ - --stylesheet overrides.css \ --stylesheet highlightjs/mono-blue.css \ --script ./highlightjs/highlight.pack.js \ --script ./highlightjs/loader.js \ + --script ./anchor.min.js \ + --script ./anchor-use.js \ --toc-depth 1 \ --chunk-toc-depth 1 \ ./manual.md \ diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index b4eea551d2703..1a86beaba73f7 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md @@ -103,6 +103,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - [Monado](https://monado.freedesktop.org/), an open source XR runtime. Available as [services.monado](#opt-services.monado.enable). +- [Pretix](https://pretix.eu/about/en/), an open source ticketing software for events. Available as [services.pretix]($opt-services-pretix.enable). + - [Clevis](https://github.com/latchset/clevis), a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as [boot.initrd.clevis.enable](#opt-boot.initrd.clevis.enable). - [armagetronad](https://wiki.armagetronad.org), a mid-2000s 3D lightcycle game widely played at iD Tech Camps. You can define multiple servers using `services.armagetronad.<server>.enable`. @@ -129,6 +131,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - The `power.ups` module now generates `upsd.conf`, `upsd.users` and `upsmon.conf` automatically from a set of new configuration options. This breaks compatibility with existing `power.ups` setups where these files were created manually. Back up these files before upgrading NixOS. +- `pdns` was updated to version [v4.9.x](https://doc.powerdns.com/authoritative/changelog/4.9.html), which introduces breaking changes. Check out the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-4-9-0) for details. + - `unrar` was updated to v7. See [changelog](https://www.rarlab.com/unrar7notes.htm) for more information. - `k9s` was updated to v0.31. There have been various breaking changes in the config file format, @@ -320,7 +324,12 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `addDriverRunpath` has been added to facilitate the deprecation of the old `addOpenGLRunpath` setuphook. This change is motivated by the evolution of the setuphook to include all hardware acceleration. -- Cinnamon has been updated to 6.0. Please beware that the [Wayland session](https://blog.linuxmint.com/?p=4591) is still experimental in this release. +- Cinnamon has been updated to 6.0. Please beware that the [Wayland session](https://blog.linuxmint.com/?p=4591) is still experimental in this release and could potentially [affect Xorg sessions](https://blog.linuxmint.com/?p=4639). We suggest a reboot when switching between sessions. + +- MATE has been updated to 1.28. + - To properly support panel plugins built with Wayland (in-process) support, we are introducing `services.xserver.desktopManager.mate.extraPanelApplets` option, please use that for installing panel applets. + - Similarly, please use `services.xserver.desktopManager.mate.extraCajaExtensions` option for installing Caja extensions. + - To use the Wayland session, enable `services.xserver.desktopManager.mate.enableWaylandSession`. This is opt-in for now as it is in early stage and introduces a new set of Wayfire closure. Due to [known issues with LightDM](https://github.com/canonical/lightdm/issues/63), we suggest using SDDM for display manager. - New `boot.loader.systemd-boot.xbootldrMountPoint` allows setting up a separate [XBOOTLDR partition](https://uapi-group.org/specifications/specs/boot_loader_specification/) to store boot files. Useful on systems with a small EFI System partition that cannot be easily repartitioned. @@ -347,6 +356,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - [Lilypond](https://lilypond.org/index.html) and [Denemo](https://www.denemo.org) are now compiled with Guile 3.0. +- The EC2 image module now enables the [Amazon SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) by default. + - The following options of the Nextcloud module were moved into [`services.nextcloud.settings`](#opt-services.nextcloud.settings) and renamed to match the name from Nextcloud's `config.php`: - `logLevel` -> [`loglevel`](#opt-services.nextcloud.settings.loglevel), - `logType` -> [`log_type`](#opt-services.nextcloud.settings.log_type), diff --git a/nixos/lib/systemd-lib.nix b/nixos/lib/systemd-lib.nix index ef218e674ebf1..c00b2d0f207c6 100644 --- a/nixos/lib/systemd-lib.nix +++ b/nixos/lib/systemd-lib.nix @@ -73,13 +73,26 @@ in rec { optional (attr ? ${name} && (! isMacAddress attr.${name} && attr.${name} != "none")) "Systemd ${group} field `${name}` must be a valid MAC address or the special value `none`."; - + isNumberOrRangeOf = check: v: + if isInt v + then check v + else let + parts = splitString "-" v; + lower = toIntBase10 (head parts); + upper = if tail parts != [] then toIntBase10 (head (tail parts)) else lower; + in + length parts <= 2 && lower <= upper && check lower && check upper; isPort = i: i >= 0 && i <= 65535; + isPortOrPortRange = isNumberOrRangeOf isPort; assertPort = name: group: attr: optional (attr ? ${name} && ! isPort attr.${name}) "Error on the systemd ${group} field `${name}': ${attr.name} is not a valid port number."; + assertPortOrPortRange = name: group: attr: + optional (attr ? ${name} && ! isPortOrPortRange attr.${name}) + "Error on the systemd ${group} field `${name}': ${attr.name} is not a valid port number or range of port numbers."; + assertValueOneOf = name: values: group: attr: optional (attr ? ${name} && !elem attr.${name} values) "Systemd ${group} field `${name}' cannot have value `${toString attr.${name}}'."; diff --git a/nixos/modules/config/nix.nix b/nixos/modules/config/nix.nix index e6a74bbb73fcc..bce6fd5e50288 100644 --- a/nixos/modules/config/nix.nix +++ b/nixos/modules/config/nix.nix @@ -14,8 +14,10 @@ let concatStringsSep boolToString escape + filterAttrs floatToString getVersion + hasPrefix isBool isDerivation isFloat @@ -95,14 +97,19 @@ let mkKeyValuePairs = attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs); + isExtra = key: hasPrefix "extra-" key; + in pkgs.writeTextFile { name = "nix.conf"; + # workaround for https://github.com/NixOS/nix/issues/9487 + # extra-* settings must come after their non-extra counterpart text = '' # WARNING: this file is generated from the nix.* options in # your NixOS configuration, typically # /etc/nixos/configuration.nix. Do not edit it! - ${mkKeyValuePairs cfg.settings} + ${mkKeyValuePairs (filterAttrs (key: value: !(isExtra key)) cfg.settings)} + ${mkKeyValuePairs (filterAttrs (key: value: isExtra key) cfg.settings)} ${cfg.extraOptions} ''; checkPhase = lib.optionalString cfg.checkConfig ( diff --git a/nixos/modules/config/resolvconf.nix b/nixos/modules/config/resolvconf.nix index e9ae4d651d264..3b8cc0cb8f42e 100644 --- a/nixos/modules/config/resolvconf.nix +++ b/nixos/modules/config/resolvconf.nix @@ -28,6 +28,8 @@ let '' + optionalString cfg.useLocalResolver '' # This hosts runs a full-blown DNS resolver. name_servers='127.0.0.1' + '' + optionalString (cfg.useLocalResolver && config.networking.enableIPv6) '' + name_servers='::1' '' + cfg.extraConfig; in diff --git a/nixos/modules/hardware/video/webcam/ipu6.nix b/nixos/modules/hardware/video/webcam/ipu6.nix index c2dbdc217bd60..a7767e446bd4f 100644 --- a/nixos/modules/hardware/video/webcam/ipu6.nix +++ b/nixos/modules/hardware/video/webcam/ipu6.nix @@ -30,7 +30,10 @@ in ipu6-drivers ]; - hardware.firmware = [ pkgs.ipu6-camera-bins ]; + hardware.firmware = with pkgs; [ + ipu6-camera-bins + ivsc-firmware + ]; services.udev.extraRules = '' SUBSYSTEM=="intel-ipu6-psys", MODE="0660", GROUP="video" diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 41e369ac1c650..2ccaea466c6a7 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1358,6 +1358,7 @@ ./services/web-apps/plausible.nix ./services/web-apps/powerdns-admin.nix ./services/web-apps/pretalx.nix + ./services/web-apps/pretix.nix ./services/web-apps/prosody-filer.nix ./services/web-apps/rimgo.nix ./services/web-apps/sftpgo.nix diff --git a/nixos/modules/programs/steam.nix b/nixos/modules/programs/steam.nix index 31803f061dce2..c93a34f618494 100644 --- a/nixos/modules/programs/steam.nix +++ b/nixos/modules/programs/steam.nix @@ -44,8 +44,8 @@ in { ''; apply = steam: steam.override (prev: { extraEnv = (lib.optionalAttrs (cfg.extraCompatPackages != [ ]) { - STEAM_EXTRA_COMPAT_TOOLS_PATHS = makeBinPath cfg.extraCompatPackages; - }) // (prev.extraEnv or {}); + STEAM_EXTRA_COMPAT_TOOLS_PATHS = makeSearchPathOutput "steamcompattool" "" cfg.extraCompatPackages; + }) // (prev.extraEnv or {}); extraLibraries = pkgs: let prevLibs = if prev ? extraLibraries then prev.extraLibraries pkgs else [ ]; additionalLibs = with config.hardware.opengl; @@ -74,10 +74,17 @@ in { extraCompatPackages = mkOption { type = types.listOf types.package; default = [ ]; + example = literalExpression '' + with pkgs; [ + proton-ge-bin + ] + ''; description = lib.mdDoc '' Extra packages to be used as compatibility tools for Steam on Linux. Packages will be included in the `STEAM_EXTRA_COMPAT_TOOLS_PATHS` environmental variable. For more information see - <https://github.com/ValveSoftware/steam-for-linux/issues/6310">. + https://github.com/ValveSoftware/steam-for-linux/issues/6310. + + These packages must be Steam compatibility tools that have a `steamcompattool` output. ''; }; diff --git a/nixos/modules/services/databases/postgresql.md b/nixos/modules/services/databases/postgresql.md index 7d141f12b5dea..3ff1f00fa9cfb 100644 --- a/nixos/modules/services/databases/postgresql.md +++ b/nixos/modules/services/databases/postgresql.md @@ -277,7 +277,7 @@ self: super: { Here's a recipe on how to override a particular plugin through an overlay: ``` self: super: { - postgresql_15 = super.postgresql_15.override { this = self.postgresql_15; } // { + postgresql_15 = super.postgresql_15// { pkgs = super.postgresql_15.pkgs // { pg_repack = super.postgresql_15.pkgs.pg_repack.overrideAttrs (_: { name = "pg_repack-v20181024"; diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index c4e76c82ba5c7..c3f3b98ae5e75 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -14,7 +14,7 @@ let # package = pkgs.postgresql_<major>; # }; # works. - base = if cfg.enableJIT && !cfg.package.jitSupport then cfg.package.withJIT else cfg.package; + base = if cfg.enableJIT then cfg.package.withJIT else cfg.package; in if cfg.extraPlugins == [] then base diff --git a/nixos/modules/services/desktop-managers/plasma6.nix b/nixos/modules/services/desktop-managers/plasma6.nix index 1710d28954d62..1cb7a7ea778b2 100644 --- a/nixos/modules/services/desktop-managers/plasma6.nix +++ b/nixos/modules/services/desktop-managers/plasma6.nix @@ -215,7 +215,7 @@ in { serif = ["Noto Serif"]; }; - programs.gnupg.agent.pinentryPackage = pkgs.pinentry-qt; + programs.gnupg.agent.pinentryPackage = mkDefault pkgs.pinentry-qt; programs.ssh.askPassword = mkDefault "${kdePackages.ksshaskpass.out}/bin/ksshaskpass"; # Enable helpful DBus services. diff --git a/nixos/modules/services/matrix/synapse.nix b/nixos/modules/services/matrix/synapse.nix index e3f9c7742cc7d..7291c0fcbcdda 100644 --- a/nixos/modules/services/matrix/synapse.nix +++ b/nixos/modules/services/matrix/synapse.nix @@ -1232,7 +1232,8 @@ in { ProtectKernelTunables = true; ProtectProc = "invisible"; ProtectSystem = "strict"; - ReadWritePaths = [ cfg.dataDir cfg.settings.media_store_path ]; + ReadWritePaths = [ cfg.dataDir cfg.settings.media_store_path ] ++ + (map (listener: dirOf listener.path) (filter (listener: listener.path != null) cfg.settings.listeners)); RemoveIPC = true; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictNamespaces = true; diff --git a/nixos/modules/services/misc/etebase-server.nix b/nixos/modules/services/misc/etebase-server.nix index f5a5e8a780d48..546d52b1a3b5f 100644 --- a/nixos/modules/services/misc/etebase-server.nix +++ b/nixos/modules/services/misc/etebase-server.nix @@ -177,6 +177,7 @@ in systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" + "d '${builtins.dirOf cfg.unixSocket}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" ]; systemd.services.etebase-server = { diff --git a/nixos/modules/services/misc/llama-cpp.nix b/nixos/modules/services/misc/llama-cpp.nix index 4d76456fb2fd5..305d4538e89a0 100644 --- a/nixos/modules/services/misc/llama-cpp.nix +++ b/nixos/modules/services/misc/llama-cpp.nix @@ -56,7 +56,7 @@ in { serviceConfig = { Type = "idle"; KillSignal = "SIGINT"; - ExecStart = "${cfg.package}/bin/llama-cpp-server --log-disable --host ${cfg.host} --port ${builtins.toString cfg.port} -m ${cfg.model} ${utils.escapeSystemdExecArgs cfg.extraFlags}"; + ExecStart = "${cfg.package}/bin/llama-server --log-disable --host ${cfg.host} --port ${builtins.toString cfg.port} -m ${cfg.model} ${utils.escapeSystemdExecArgs cfg.extraFlags}"; Restart = "on-failure"; RestartSec = 300; diff --git a/nixos/modules/services/misc/ollama.nix b/nixos/modules/services/misc/ollama.nix index 3ac3beb4de078..7a5661510e251 100644 --- a/nixos/modules/services/misc/ollama.nix +++ b/nixos/modules/services/misc/ollama.nix @@ -13,48 +13,60 @@ in { options = { services.ollama = { - enable = lib.mkEnableOption ( - lib.mdDoc "Server for local large language models" - ); + enable = lib.mkEnableOption "ollama server for local large language models"; + package = lib.mkPackageOption pkgs "ollama" { }; listenAddress = lib.mkOption { type = types.str; default = "127.0.0.1:11434"; - description = lib.mdDoc '' - Specifies the bind address on which the ollama server HTTP interface listens. + example = "0.0.0.0:11111"; + description = '' + The address which the ollama server HTTP interface binds and listens to. ''; }; acceleration = lib.mkOption { type = types.nullOr (types.enum [ "rocm" "cuda" ]); default = null; example = "rocm"; - description = lib.mdDoc '' - Specifies the interface to use for hardware acceleration. + description = '' + What interface to use for hardware acceleration. - `rocm`: supported by modern AMD GPUs - `cuda`: supported by modern NVIDIA GPUs ''; }; - package = lib.mkPackageOption pkgs "ollama" { }; + environmentVariables = lib.mkOption { + type = types.attrsOf types.str; + default = { }; + example = { + HOME = "/tmp"; + OLLAMA_LLM_LIBRARY = "cpu"; + }; + description = '' + Set arbitrary environment variables for the ollama service. + + Be aware that these are only seen by the ollama server (systemd service), + not normal invocations like `ollama run`. + Since `ollama run` is mostly a shell around the ollama server, this is usually sufficient. + ''; + }; }; }; config = lib.mkIf cfg.enable { - systemd = { - services.ollama = { - wantedBy = [ "multi-user.target" ]; - description = "Server for local large language models"; - after = [ "network.target" ]; - environment = { - HOME = "%S/ollama"; - OLLAMA_MODELS = "%S/ollama/models"; - OLLAMA_HOST = cfg.listenAddress; - }; - serviceConfig = { - ExecStart = "${lib.getExe ollamaPackage} serve"; - WorkingDirectory = "/var/lib/ollama"; - StateDirectory = [ "ollama" ]; - DynamicUser = true; - }; + systemd.services.ollama = { + description = "Server for local large language models"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + environment = cfg.environmentVariables // { + HOME = "%S/ollama"; + OLLAMA_MODELS = "%S/ollama/models"; + OLLAMA_HOST = cfg.listenAddress; + }; + serviceConfig = { + ExecStart = "${lib.getExe ollamaPackage} serve"; + WorkingDirectory = "%S/ollama"; + StateDirectory = [ "ollama" ]; + DynamicUser = true; }; }; diff --git a/nixos/modules/services/monitoring/scrutiny.nix b/nixos/modules/services/monitoring/scrutiny.nix index 2862cdd801281..fbe8ab25299e4 100644 --- a/nixos/modules/services/monitoring/scrutiny.nix +++ b/nixos/modules/services/monitoring/scrutiny.nix @@ -2,7 +2,7 @@ let inherit (lib) maintainers; inherit (lib.meta) getExe; - inherit (lib.modules) mkIf; + inherit (lib.modules) mkIf mkMerge; inherit (lib.options) literalExpression mkEnableOption mkOption mkPackageOption; inherit (lib.types) bool enum nullOr port str submodule; @@ -156,42 +156,44 @@ in }; }; - config = mkIf (cfg.enable || cfg.collector.enable) { - services.influxdb2.enable = cfg.influxdb.enable; + config = mkMerge [ + (mkIf cfg.enable { + services.influxdb2.enable = cfg.influxdb.enable; - networking.firewall = mkIf cfg.openFirewall { - allowedTCPPorts = [ cfg.settings.web.listen.port ]; - }; - - services.smartd = mkIf cfg.collector.enable { - enable = true; - extraOptions = [ - "-A /var/log/smartd/" - "--interval=600" - ]; - }; + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.settings.web.listen.port ]; + }; - systemd = { - services = { - scrutiny = mkIf cfg.enable { - description = "Hard Drive S.M.A.R.T Monitoring, Historical Trends & Real World Failure Thresholds"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - environment = { - SCRUTINY_VERSION = "1"; - SCRUTINY_WEB_DATABASE_LOCATION = "/var/lib/scrutiny/scrutiny.db"; - SCRUTINY_WEB_SRC_FRONTEND_PATH = "${cfg.package}/share/scrutiny"; - }; - serviceConfig = { - DynamicUser = true; - ExecStart = "${getExe cfg.package} start --config ${settingsFormat.generate "scrutiny.yaml" cfg.settings}"; - Restart = "always"; - StateDirectory = "scrutiny"; - StateDirectoryMode = "0750"; - }; + systemd.services.scrutiny = { + description = "Hard Drive S.M.A.R.T Monitoring, Historical Trends & Real World Failure Thresholds"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ] ++ lib.optional cfg.influxdb.enable "influxdb2.service"; + wants = lib.optional cfg.influxdb.enable "influxdb2.service"; + environment = { + SCRUTINY_VERSION = "1"; + SCRUTINY_WEB_DATABASE_LOCATION = "/var/lib/scrutiny/scrutiny.db"; + SCRUTINY_WEB_SRC_FRONTEND_PATH = "${cfg.package}/share/scrutiny"; + }; + serviceConfig = { + DynamicUser = true; + ExecStart = "${getExe cfg.package} start --config ${settingsFormat.generate "scrutiny.yaml" cfg.settings}"; + Restart = "always"; + StateDirectory = "scrutiny"; + StateDirectoryMode = "0750"; }; + }; + }) + (mkIf cfg.collector.enable { + services.smartd = { + enable = true; + extraOptions = [ + "-A /var/log/smartd/" + "--interval=600" + ]; + }; - scrutiny-collector = mkIf cfg.collector.enable { + systemd = { + services.scrutiny-collector = { description = "Scrutiny Collector Service"; environment = { COLLECTOR_VERSION = "1"; @@ -203,13 +205,11 @@ in }; startAt = cfg.collector.schedule; }; - }; - timers = mkIf cfg.collector.enable { - scrutiny-collector.timerConfig.Persistent = true; + timers.scrutiny-collector.timerConfig.Persistent = true; }; - }; - }; + }) + ]; meta.maintainers = [ maintainers.jnsgruk ]; } diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 63804a3b1c543..b7f0d93736080 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -584,6 +584,7 @@ in description = "Ensure that NetworkManager declarative profiles are created"; wantedBy = [ "multi-user.target" ]; before = [ "network-online.target" ]; + after = [ "NetworkManager.service" ]; script = let path = id: "/run/NetworkManager/system-connections/${id}.nmconnection"; in '' @@ -593,9 +594,7 @@ in ${pkgs.envsubst}/bin/envsubst -i ${ini.generate (lib.escapeShellArg profile.n) profile.v} > ${path (lib.escapeShellArg profile.n)} '') (lib.mapAttrsToList (n: v: { inherit n v; }) cfg.ensureProfiles.profiles) + '' - if systemctl is-active --quiet NetworkManager; then - ${pkgs.networkmanager}/bin/nmcli connection reload - fi + ${pkgs.networkmanager}/bin/nmcli connection reload ''; serviceConfig = { EnvironmentFile = cfg.ensureProfiles.environmentFiles; diff --git a/nixos/modules/services/networking/tinyproxy.nix b/nixos/modules/services/networking/tinyproxy.nix index 8ff12b52f10ca..2b7509e99ca4d 100644 --- a/nixos/modules/services/networking/tinyproxy.nix +++ b/nixos/modules/services/networking/tinyproxy.nix @@ -7,6 +7,7 @@ let mkValueStringTinyproxy = with lib; v: if true == v then "yes" else if false == v then "no" + else if types.path.check v then ''"${v}"'' else generators.mkValueStringDefault {} v; mkKeyValueTinyproxy = { mkValueString ? mkValueStringDefault {} diff --git a/nixos/modules/services/web-apps/engelsystem.nix b/nixos/modules/services/web-apps/engelsystem.nix index 669620debce55..7fb9124156439 100644 --- a/nixos/modules/services/web-apps/engelsystem.nix +++ b/nixos/modules/services/web-apps/engelsystem.nix @@ -3,6 +3,8 @@ let inherit (lib) mkDefault mkEnableOption mkIf mkOption types mkPackageOption; cfg = config.services.engelsystem; + phpExt = pkgs.php.withExtensions + ({ enabled, all }: with all; [ filter mysqlnd mysqli pdo pdo_mysql mbstring ] ++ enabled); in { options = { services.engelsystem = { @@ -99,7 +101,7 @@ in { ''; services.phpfpm.pools.engelsystem = { - phpPackage = pkgs.php81; + phpPackage = phpExt; user = "engelsystem"; settings = { "listen.owner" = config.services.nginx.user; diff --git a/nixos/modules/services/web-apps/komga.nix b/nixos/modules/services/web-apps/komga.nix index 31f475fc7b048..d7ab2a9e612ef 100644 --- a/nixos/modules/services/web-apps/komga.nix +++ b/nixos/modules/services/web-apps/komga.nix @@ -1,99 +1,122 @@ -{ config, pkgs, lib, ... }: - -with lib; +{ + config, + pkgs, + lib, + ... +}: let cfg = config.services.komga; - -in { + inherit (lib) mkOption mkEnableOption maintainers; + inherit (lib.types) port str bool; +in +{ options = { services.komga = { - enable = mkEnableOption (lib.mdDoc "Komga, a free and open source comics/mangas media server"); + enable = mkEnableOption "Komga, a free and open source comics/mangas media server"; port = mkOption { - type = types.port; + type = port; default = 8080; - description = lib.mdDoc '' - The port that Komga will listen on. - ''; + description = "The port that Komga will listen on."; }; user = mkOption { - type = types.str; + type = str; default = "komga"; - description = lib.mdDoc '' - User account under which Komga runs. - ''; + description = "User account under which Komga runs."; }; group = mkOption { - type = types.str; + type = str; default = "komga"; - description = lib.mdDoc '' - Group under which Komga runs. - ''; + description = "Group under which Komga runs."; }; stateDir = mkOption { - type = types.str; + type = str; default = "/var/lib/komga"; - description = lib.mdDoc '' - State and configuration directory Komga will use. - ''; + description = "State and configuration directory Komga will use."; }; openFirewall = mkOption { - type = types.bool; + type = bool; default = false; - description = lib.mdDoc '' - Whether to open the firewall for the port in {option}`services.komga.port`. - ''; + description = "Whether to open the firewall for the port in {option}`services.komga.port`."; }; }; }; - config = mkIf cfg.enable { - - networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + config = + let + inherit (lib) mkIf getExe; + in + mkIf cfg.enable { - users.groups = mkIf (cfg.group == "komga") { - komga = {}; - }; + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; - users.users = mkIf (cfg.user == "komga") { - komga = { - group = cfg.group; - home = cfg.stateDir; - description = "Komga Daemon user"; - isSystemUser = true; - }; - }; + users.groups = mkIf (cfg.group == "komga") { komga = { }; }; - systemd.services.komga = { - environment = { - SERVER_PORT = builtins.toString cfg.port; - KOMGA_CONFIGDIR = cfg.stateDir; + users.users = mkIf (cfg.user == "komga") { + komga = { + group = cfg.group; + home = cfg.stateDir; + description = "Komga Daemon user"; + isSystemUser = true; + }; }; - description = "Komga is a free and open source comics/mangas media server"; - - wantedBy = [ "multi-user.target" ]; - wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; - - serviceConfig = { - User = cfg.user; - Group = cfg.group; - - Type = "simple"; - Restart = "on-failure"; - ExecStart = "${pkgs.komga}/bin/komga"; - - StateDirectory = mkIf (cfg.stateDir == "/var/lib/komga") "komga"; + systemd.services.komga = { + environment = { + SERVER_PORT = builtins.toString cfg.port; + KOMGA_CONFIGDIR = cfg.stateDir; + }; + + description = "Komga is a free and open source comics/mangas media server"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + serviceConfig = { + User = cfg.user; + Group = cfg.group; + + Type = "simple"; + Restart = "on-failure"; + ExecStart = getExe pkgs.komga; + + StateDirectory = mkIf (cfg.stateDir == "/var/lib/komga") "komga"; + + RemoveIPC = true; + NoNewPrivileges = true; + CapabilityBoundingSet = ""; + SystemCallFilter = [ "@system-service" ]; + ProtectSystem = "full"; + PrivateTmp = true; + ProtectProc = "invisible"; + ProtectClock = true; + ProcSubset = "pid"; + PrivateUsers = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + ]; + LockPersonality = true; + RestrictNamespaces = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + SystemCallArchitectures = "native"; + RestrictSUIDSGID = true; + RestrictRealtime = true; + }; }; - }; - }; meta.maintainers = with maintainers; [ govanify ]; } diff --git a/nixos/modules/services/web-apps/pretix.nix b/nixos/modules/services/web-apps/pretix.nix new file mode 100644 index 0000000000000..500b2eb5416b0 --- /dev/null +++ b/nixos/modules/services/web-apps/pretix.nix @@ -0,0 +1,580 @@ +{ config +, lib +, pkgs +, utils +, ... +}: + +let + inherit (lib) + concatMapStringsSep + escapeShellArgs + filter + filterAttrs + getExe + getExe' + isAttrs + isList + literalExpression + mapAttrs + mkDefault + mkEnableOption + mkIf + mkOption + mkPackageOption + optionals + optionalString + recursiveUpdate + types + ; + + filterRecursiveNull = o: + if isAttrs o then + mapAttrs (_: v: filterRecursiveNull v) (filterAttrs (_: v: v != null) o) + else if isList o then + map filterRecursiveNull (filter (v: v != null) o) + else + o; + + cfg = config.services.pretix; + format = pkgs.formats.ini { }; + + configFile = format.generate "pretix.cfg" (filterRecursiveNull cfg.settings); + + finalPackage = cfg.package.override { + inherit (cfg) plugins; + }; + + pythonEnv = cfg.package.python.buildEnv.override { + extraLibs = with cfg.package.python.pkgs; [ + (toPythonModule finalPackage) + gunicorn + ] + ++ lib.optionals (cfg.settings.memcached.location != null) + cfg.package.optional-dependencies.memcached + ; + }; + + withRedis = cfg.settings.redis.location != null; +in +{ + meta = with lib; { + maintainers = with maintainers; [ hexa ]; + }; + + options.services.pretix = { + enable = mkEnableOption "pretix"; + + package = mkPackageOption pkgs "pretix" { }; + + group = mkOption { + type = types.str; + default = "pretix"; + description = '' + Group under which pretix should run. + ''; + }; + + user = mkOption { + type = types.str; + default = "pretix"; + description = '' + User under which pretix should run. + ''; + }; + + environmentFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/pretix-secrets.env"; + description = '' + Environment file to pass secret configuration values. + + Each line must follow the `PRETIX_SECTION_KEY=value` pattern. + ''; + }; + + plugins = mkOption { + type = types.listOf types.package; + default = []; + example = literalExpression '' + with config.services.pretix.package.plugins; [ + passbook + pages + ]; + ''; + description = '' + Pretix plugins to install into the Python environment. + ''; + }; + + gunicorn.extraArgs = mkOption { + type = with types; listOf str; + default = [ + "--name=pretix" + ]; + example = [ + "--name=pretix" + "--workers=4" + "--max-requests=1200" + "--max-requests-jitter=50" + "--log-level=info" + ]; + description = '' + Extra arguments to pass to gunicorn. + See <https://docs.pretix.eu/en/latest/admin/installation/manual_smallscale.html#start-pretix-as-a-service> for details. + ''; + apply = escapeShellArgs; + }; + + celery = { + extraArgs = mkOption { + type = with types; listOf str; + default = [ ]; + description = '' + Extra arguments to pass to celery. + + See <https://docs.celeryq.dev/en/stable/reference/cli.html#celery-worker> for more info. + ''; + apply = utils.escapeSystemdExecArgs; + }; + }; + + nginx = { + enable = mkOption { + type = types.bool; + default = true; + example = false; + description = '' + Whether to set up an nginx virtual host. + ''; + }; + + domain = mkOption { + type = types.str; + example = "talks.example.com"; + description = '' + The domain name under which to set up the virtual host. + ''; + }; + }; + + database.createLocally = mkOption { + type = types.bool; + default = true; + example = false; + description = '' + Whether to automatically set up the database on the local DBMS instance. + + Only supported for PostgreSQL. Not required for sqlite. + ''; + }; + + settings = mkOption { + type = types.submodule { + freeformType = format.type; + options = { + pretix = { + instance_name = mkOption { + type = types.str; + example = "tickets.example.com"; + description = '' + The name of this installation. + ''; + }; + + url = mkOption { + type = types.str; + example = "https://tickets.example.com"; + description = '' + The installation’s full URL, without a trailing slash. + ''; + }; + + cachedir = mkOption { + type = types.path; + default = "/var/cache/pretix"; + description = '' + Directory for storing temporary files. + ''; + }; + + datadir = mkOption { + type = types.path; + default = "/var/lib/pretix"; + description = '' + Directory for storing user uploads and similar data. + ''; + }; + + logdir = mkOption { + type = types.path; + default = "/var/log/pretix"; + description = '' + Directory for storing log files. + ''; + }; + + currency = mkOption { + type = types.str; + default = "EUR"; + example = "USD"; + description = '' + Default currency for events in its ISO 4217 three-letter code. + ''; + }; + + registration = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + Whether to allow registration of new admin users. + ''; + }; + }; + + database = { + backend = mkOption { + type = types.enum [ + "sqlite3" + "postgresql" + ]; + default = "postgresql"; + description = '' + Database backend to use. + + Only postgresql is recommended for production setups. + ''; + }; + + host = mkOption { + type = with types; nullOr types.path; + default = if cfg.settings.database.backend == "postgresql" then "/run/postgresql" else null; + defaultText = literalExpression '' + if config.services.pretix.settings..database.backend == "postgresql" then "/run/postgresql" + else null + ''; + description = '' + Database host or socket path. + ''; + }; + + name = mkOption { + type = types.str; + default = "pretix"; + description = '' + Database name. + ''; + }; + + user = mkOption { + type = types.str; + default = "pretix"; + description = '' + Database username. + ''; + }; + }; + + mail = { + from = mkOption { + type = types.str; + example = "tickets@example.com"; + description = '' + E-Mail address used in the `FROM` header of outgoing mails. + ''; + }; + + host = mkOption { + type = types.str; + default = "localhost"; + example = "mail.example.com"; + description = '' + Hostname of the SMTP server use for mail delivery. + ''; + }; + + port = mkOption { + type = types.port; + default = 25; + example = 587; + description = '' + Port of the SMTP server to use for mail delivery. + ''; + }; + }; + + celery = { + backend = mkOption { + type = types.str; + default = "redis+socket://${config.services.redis.servers.pretix.unixSocket}?virtual_host=1"; + defaultText = literalExpression '' + optionalString config.services.pretix.celery.enable "redis+socket://''${config.services.redis.servers.pretix.unixSocket}?virtual_host=1" + ''; + description = '' + URI to the celery backend used for the asynchronous job queue. + ''; + }; + + broker = mkOption { + type = types.str; + default = "redis+socket://${config.services.redis.servers.pretix.unixSocket}?virtual_host=2"; + defaultText = literalExpression '' + optionalString config.services.pretix.celery.enable "redis+socket://''${config.services.redis.servers.pretix.unixSocket}?virtual_host=2" + ''; + description = '' + URI to the celery broker used for the asynchronous job queue. + ''; + }; + }; + + redis = { + location = mkOption { + type = with types; nullOr str; + default = "unix://${config.services.redis.servers.pretix.unixSocket}?db=0"; + defaultText = literalExpression '' + "unix://''${config.services.redis.servers.pretix.unixSocket}?db=0" + ''; + description = '' + URI to the redis server, used to speed up locking, caching and session storage. + ''; + }; + + sessions = mkOption { + type = types.bool; + default = true; + example = false; + description = '' + Whether to use redis as the session storage. + ''; + }; + }; + + memcached = { + location = mkOption { + type = with types; nullOr str; + default = null; + example = "127.0.0.1:11211"; + description = '' + The `host:port` combination or the path to the UNIX socket of a memcached instance. + + Can be used instead of Redis for caching. + ''; + }; + }; + + tools = { + pdftk = mkOption { + type = types.path; + default = getExe pkgs.pdftk; + defaultText = literalExpression '' + lib.getExe pkgs.pdftk + ''; + description = '' + Path to the pdftk executable. + ''; + }; + }; + }; + }; + default = { }; + description = '' + pretix configuration as a Nix attribute set. All settings can also be passed + from the environment. + + See <https://docs.pretix.eu/en/latest/admin/config.html> for possible options. + ''; + }; + }; + + config = mkIf cfg.enable { + # https://docs.pretix.eu/en/latest/admin/installation/index.html + + environment.systemPackages = [ + (pkgs.writeScriptBin "pretix-manage" '' + cd ${cfg.settings.pretix.datadir} + sudo=exec + if [[ "$USER" != ${cfg.user} ]]; then + sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} ${optionalString withRedis "-g redis-pretix"} --preserve-env=PRETIX_CONFIG_FILE' + fi + export PRETIX_CONFIG_FILE=${configFile} + $sudo ${getExe' pythonEnv "pretix-manage"} "$@" + '') + ]; + + services = { + nginx = mkIf cfg.nginx.enable { + enable = true; + recommendedGzipSettings = mkDefault true; + recommendedOptimisation = mkDefault true; + recommendedProxySettings = mkDefault true; + recommendedTlsSettings = mkDefault true; + upstreams.pretix.servers."unix:/run/pretix/pretix.sock" = { }; + virtualHosts.${cfg.nginx.domain} = { + # https://docs.pretix.eu/en/latest/admin/installation/manual_smallscale.html#ssl + extraConfig = '' + more_set_headers Referrer-Policy same-origin; + more_set_headers X-Content-Type-Options nosniff; + ''; + locations = { + "/".proxyPass = "http://pretix"; + "/media/" = { + alias = "${cfg.settings.pretix.datadir}/media/"; + extraConfig = '' + access_log off; + expires 7d; + ''; + }; + "^~ /media/(cachedfiles|invoices)" = { + extraConfig = '' + deny all; + return 404; + ''; + }; + "/static/" = { + alias = "${finalPackage}/${cfg.package.python.sitePackages}/pretix/static.dist/"; + extraConfig = '' + access_log off; + more_set_headers Cache-Control "public"; + expires 365d; + ''; + }; + }; + }; + }; + + postgresql = mkIf (cfg.database.createLocally && cfg.settings.database.backend == "postgresql") { + enable = true; + ensureUsers = [ { + name = cfg.settings.database.user; + ensureDBOwnership = true; + } ]; + ensureDatabases = [ cfg.settings.database.name ]; + }; + + redis.servers.pretix.enable = withRedis; + }; + + systemd.services = let + commonUnitConfig = { + environment.PRETIX_CONFIG_FILE = configFile; + serviceConfig = { + User = "pretix"; + Group = "pretix"; + EnvironmentFile = optionals (cfg.environmentFile != null) [ + cfg.environmentFile + ]; + StateDirectory = [ + "pretix" + ]; + StateDirectoryMode = "0755"; + CacheDirectory = "pretix"; + LogsDirectory = "pretix"; + WorkingDirectory = cfg.settings.pretix.datadir; + SupplementaryGroups = optionals withRedis [ + "redis-pretix" + ]; + AmbientCapabilities = ""; + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + ProcSubset = "pid"; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "@chown" + ]; + UMask = "0022"; + }; + }; + in { + pretix-web = recursiveUpdate commonUnitConfig { + description = "pretix web service"; + after = [ + "network.target" + "redis-pretix.service" + "postgresql.service" + ]; + wantedBy = [ "multi-user.target" ]; + preStart = '' + versionFile="${cfg.settings.pretix.datadir}/.version" + version=$(cat "$versionFile" 2>/dev/null || echo 0) + + pluginsFile="${cfg.settings.pretix.datadir}/.plugins" + plugins=$(cat "$pluginsFile" 2>/dev/null || echo "") + configuredPlugins="${concatMapStringsSep "|" (package: package.name) cfg.plugins}" + + if [[ $version != ${cfg.package.version} || $plugins != $configuredPlugins ]]; then + ${getExe' pythonEnv "pretix-manage"} migrate + + echo "${cfg.package.version}" > "$versionFile" + echo "$configuredPlugins" > "$pluginsFile" + fi + ''; + serviceConfig = { + ExecStart = "${getExe' pythonEnv "gunicorn"} --bind unix:/run/pretix/pretix.sock ${cfg.gunicorn.extraArgs} pretix.wsgi"; + RuntimeDirectory = "pretix"; + }; + }; + + pretix-periodic = recursiveUpdate commonUnitConfig { + description = "pretix periodic task runner"; + # every 15 minutes + startAt = [ "*:3,18,33,48" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${getExe' pythonEnv "pretix-manage"} runperiodic"; + }; + }; + + pretix-worker = recursiveUpdate commonUnitConfig { + description = "pretix asynchronous job runner"; + after = [ + "network.target" + "redis-pretix.service" + "postgresql.service" + ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}"; + }; + }; + + systemd.sockets.pretix-web.socketConfig = { + ListenStream = "/run/pretix/pretix.sock"; + SocketUser = "nginx"; + }; + + users = { + groups."${cfg.group}" = {}; + users."${cfg.user}" = { + isSystemUser = true; + createHome = true; + home = cfg.settings.pretix.datadir; + inherit (cfg) group; + }; + }; + }; +} diff --git a/nixos/modules/services/x11/desktop-managers/deepin.nix b/nixos/modules/services/x11/desktop-managers/deepin.nix index e6f221201013e..902e3a9317dd1 100644 --- a/nixos/modules/services/x11/desktop-managers/deepin.nix +++ b/nixos/modules/services/x11/desktop-managers/deepin.nix @@ -66,7 +66,7 @@ in services.upower.enable = mkDefault config.powerManagement.enable; networking.networkmanager.enable = mkDefault true; programs.dconf.enable = mkDefault true; - programs.gnupg.agent.pinentryPackage = pkgs.pinentry-qt; + programs.gnupg.agent.pinentryPackage = mkDefault pkgs.pinentry-qt; fonts.packages = with pkgs; [ noto-fonts ]; xdg.mime.enable = true; diff --git a/nixos/modules/services/x11/desktop-managers/lxqt.nix b/nixos/modules/services/x11/desktop-managers/lxqt.nix index d3bdc4326a908..3d02deba6fc79 100644 --- a/nixos/modules/services/x11/desktop-managers/lxqt.nix +++ b/nixos/modules/services/x11/desktop-managers/lxqt.nix @@ -62,7 +62,7 @@ in # Link some extra directories in /run/current-system/software/share environment.pathsToLink = [ "/share" ]; - programs.gnupg.agent.pinentryPackage = pkgs.pinentry-qt; + programs.gnupg.agent.pinentryPackage = mkDefault pkgs.pinentry-qt; # virtual file systems support for PCManFM-QT services.gvfs.enable = true; diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix index f535a1d298b9f..957eac7848e7f 100644 --- a/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixos/modules/services/x11/desktop-managers/mate.nix @@ -20,6 +20,22 @@ in }; debug = mkEnableOption (lib.mdDoc "mate-session debug messages"); + + extraPanelApplets = mkOption { + default = [ ]; + example = literalExpression "with pkgs.mate; [ mate-applets ]"; + type = types.listOf types.package; + description = lib.mdDoc "Extra applets to add to mate-panel."; + }; + + extraCajaExtensions = mkOption { + default = [ ]; + example = lib.literalExpression "with pkgs.mate; [ caja-extensions ]"; + type = types.listOf types.package; + description = lib.mdDoc "Extra extensions to add to caja."; + }; + + enableWaylandSession = mkEnableOption (lib.mdDoc "MATE Wayland session"); }; environment.mate.excludePackages = mkOption { @@ -31,55 +47,63 @@ in }; - config = mkIf cfg.enable { - - services.xserver.displayManager.sessionPackages = [ - pkgs.mate.mate-session-manager - ]; - - # Let caja find extensions - environment.sessionVariables.CAJA_EXTENSION_DIRS = [ "${config.system.path}/lib/caja/extensions-2.0" ]; - - # Let mate-panel find applets - environment.sessionVariables."MATE_PANEL_APPLETS_DIR" = "${config.system.path}/share/mate-panel/applets"; - environment.sessionVariables."MATE_PANEL_EXTRA_MODULES" = "${config.system.path}/lib/mate-panel/applets"; - - # Debugging - environment.sessionVariables.MATE_SESSION_DEBUG = mkIf cfg.debug "1"; - - environment.systemPackages = utils.removePackagesByName - (pkgs.mate.basePackages ++ - pkgs.mate.extraPackages ++ - [ - pkgs.desktop-file-utils - pkgs.glib - pkgs.gtk3.out - pkgs.shared-mime-info - pkgs.xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/ - pkgs.yelp # for 'Contents' in 'Help' menus - ]) - config.environment.mate.excludePackages; - - programs.dconf.enable = true; - # Shell integration for VTE terminals - programs.bash.vteIntegration = mkDefault true; - programs.zsh.vteIntegration = mkDefault true; - - # Mate uses this for printing - programs.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); - - services.gnome.at-spi2-core.enable = true; - services.gnome.gnome-keyring.enable = true; - services.udev.packages = [ pkgs.mate.mate-settings-daemon ]; - services.gvfs.enable = true; - services.upower.enable = config.powerManagement.enable; - services.xserver.libinput.enable = mkDefault true; - - security.pam.services.mate-screensaver.unixAuth = true; - - xdg.portal.configPackages = mkDefault [ pkgs.mate.mate-desktop ]; - - environment.pathsToLink = [ "/share" ]; - }; - + config = mkMerge [ + (mkIf (cfg.enable || cfg.enableWaylandSession) { + services.xserver.displayManager.sessionPackages = [ + pkgs.mate.mate-session-manager + ]; + + # Debugging + environment.sessionVariables.MATE_SESSION_DEBUG = mkIf cfg.debug "1"; + + environment.systemPackages = utils.removePackagesByName + (pkgs.mate.basePackages ++ + pkgs.mate.extraPackages ++ + [ + (pkgs.mate.caja-with-extensions.override { + extensions = cfg.extraCajaExtensions; + }) + (pkgs.mate.mate-panel-with-applets.override { + applets = cfg.extraPanelApplets; + }) + pkgs.desktop-file-utils + pkgs.glib + pkgs.gtk3.out + pkgs.shared-mime-info + pkgs.xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/ + pkgs.yelp # for 'Contents' in 'Help' menus + ]) + config.environment.mate.excludePackages; + + programs.dconf.enable = true; + # Shell integration for VTE terminals + programs.bash.vteIntegration = mkDefault true; + programs.zsh.vteIntegration = mkDefault true; + + # Mate uses this for printing + programs.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); + + services.gnome.at-spi2-core.enable = true; + services.gnome.gnome-keyring.enable = true; + services.udev.packages = [ pkgs.mate.mate-settings-daemon ]; + services.gvfs.enable = true; + services.upower.enable = config.powerManagement.enable; + services.xserver.libinput.enable = mkDefault true; + + security.pam.services.mate-screensaver.unixAuth = true; + + xdg.portal.configPackages = mkDefault [ pkgs.mate.mate-desktop ]; + + environment.pathsToLink = [ "/share" ]; + }) + (mkIf cfg.enableWaylandSession { + programs.wayfire.enable = true; + programs.wayfire.plugins = [ pkgs.wayfirePlugins.firedecor ]; + + environment.sessionVariables.NIX_GSETTINGS_OVERRIDES_DIR = "${pkgs.mate.mate-gsettings-overrides}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas"; + + environment.systemPackages = [ pkgs.mate.mate-wayland-session ]; + services.xserver.displayManager.sessionPackages = [ pkgs.mate.mate-wayland-session ]; + }) + ]; } diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index c884b4487e240..f516a29fb5db3 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -336,7 +336,7 @@ in serif = [ "Noto Serif" ]; }; - programs.gnupg.agent.pinentryPackage = pkgs.pinentry-qt; + programs.gnupg.agent.pinentryPackage = mkDefault pkgs.pinentry-qt; programs.ssh.askPassword = mkDefault "${pkgs.plasma5Packages.ksshaskpass.out}/bin/ksshaskpass"; # Enable helpful DBus services. diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index 6bc964f4c6ed7..3ba27b2015075 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -131,7 +131,7 @@ in xfdesktop ] ++ optional cfg.enableScreensaver xfce4-screensaver) excludePackages; - programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gtk2; + programs.gnupg.agent.pinentryPackage = mkDefault pkgs.pinentry-gtk2; programs.xfconf.enable = true; programs.thunar.enable = true; diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index b6b0f64b94c81..9b0d750d12ce2 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -729,8 +729,8 @@ let (assertInt "FirewallMark") (assertRange "FirewallMark" 1 4294967295) (assertInt "Priority") - (assertPort "SourcePort") - (assertPort "DestinationPort") + (assertPortOrPortRange "SourcePort") + (assertPortOrPortRange "DestinationPort") (assertValueOneOf "InvertRule" boolValues) (assertValueOneOf "Family" ["ipv4" "ipv6" "both"]) (assertInt "SuppressPrefixLength") diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix index c7fe1bed51592..77730178422c3 100644 --- a/nixos/modules/virtualisation/amazon-image.nix +++ b/nixos/modules/virtualisation/amazon-image.nix @@ -79,6 +79,10 @@ in serviceConfig.StandardOutput = "journal+console"; }; + # Amazon-issued AMIs include the SSM Agent by default, so we do the same. + # https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html + services.amazon-ssm-agent.enable = true; + # Allow root logins only using the SSH key that the user specified # at instance creation time. services.openssh.enable = true; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index b2e8246420920..dd6c744a79cea 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -464,7 +464,7 @@ in { keymap = handleTest ./keymap.nix {}; knot = handleTest ./knot.nix {}; komga = handleTest ./komga.nix {}; - krb5 = discoverTests (import ./krb5 {}); + krb5 = discoverTests (import ./krb5); ksm = handleTest ./ksm.nix {}; kthxbye = handleTest ./kthxbye.nix {}; kubernetes = handleTestOn ["x86_64-linux"] ./kubernetes {}; @@ -513,6 +513,7 @@ in { mastodon = discoverTests (import ./web-apps/mastodon { inherit handleTestOn; }); pixelfed = discoverTests (import ./web-apps/pixelfed { inherit handleTestOn; }); mate = handleTest ./mate.nix {}; + mate-wayland = handleTest ./mate-wayland.nix {}; matter-server = handleTest ./matter-server.nix {}; matomo = handleTest ./matomo.nix {}; matrix-appservice-irc = handleTest ./matrix/appservice-irc.nix {}; @@ -613,6 +614,7 @@ in { nginx-variants = handleTest ./nginx-variants.nix {}; nifi = handleTestOn ["x86_64-linux"] ./web-apps/nifi.nix {}; nitter = handleTest ./nitter.nix {}; + nix-config = handleTest ./nix-config.nix {}; nix-ld = handleTest ./nix-ld.nix {}; nix-serve = handleTest ./nix-serve.nix {}; nix-serve-ssh = handleTest ./nix-serve-ssh.nix {}; @@ -728,6 +730,7 @@ in { pppd = handleTest ./pppd.nix {}; predictable-interface-names = handleTest ./predictable-interface-names.nix {}; pretalx = runTest ./web-apps/pretalx.nix; + pretix = runTest ./web-apps/pretix.nix; printing-socket = handleTest ./printing.nix { socket = true; }; printing-service = handleTest ./printing.nix { socket = false; }; privoxy = handleTest ./privoxy.nix {}; diff --git a/nixos/tests/budgie.nix b/nixos/tests/budgie.nix index ca898bba1bc4a..99804303e3977 100644 --- a/nixos/tests/budgie.nix +++ b/nixos/tests/budgie.nix @@ -29,6 +29,8 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { testScript = { nodes, ... }: let user = nodes.machine.users.users.alice; + env = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/${toString user.uid}/bus DISPLAY=:0"; + su = command: "su - ${user.name} -c '${env} ${command}'"; in '' with subtest("Wait for login"): @@ -47,21 +49,45 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.succeed("getfacl -p /dev/snd/timer | grep -q ${user.name}") with subtest("Check if Budgie session components actually start"): - machine.wait_until_succeeds("pgrep budgie-daemon") + for i in ["budgie-daemon", "budgie-panel", "budgie-wm", "budgie-desktop-view", "gsd-media-keys"]: + machine.wait_until_succeeds(f"pgrep -f {i}") + # We don't check xwininfo for budgie-wm. + # See https://github.com/NixOS/nixpkgs/pull/216737#discussion_r1155312754 machine.wait_for_window("budgie-daemon") - machine.wait_until_succeeds("pgrep budgie-panel") machine.wait_for_window("budgie-panel") - # We don't check xwininfo for this one. - # See https://github.com/NixOS/nixpkgs/pull/216737#discussion_r1155312754 - machine.wait_until_succeeds("pgrep budgie-wm") + + with subtest("Check if various environment variables are set"): + cmd = "xargs --null --max-args=1 echo < /proc/$(pgrep -xf /run/current-system/sw/bin/budgie-wm)/environ" + machine.succeed(f"{cmd} | grep 'XDG_CURRENT_DESKTOP' | grep 'Budgie:GNOME'") + machine.succeed(f"{cmd} | grep 'BUDGIE_PLUGIN_DATADIR' | grep '${pkgs.budgie.budgie-desktop-with-plugins.pname}'") + + with subtest("Open Budgie Control Center"): + machine.send_key("alt-f2") + machine.wait_until_succeeds("pgrep -f budgie-run-dialog") + machine.wait_for_window("budgie-run-dialog") + machine.sleep(3) + machine.send_chars("Budgie Control Center", delay=0.5) + machine.screenshot("quick_search") + machine.send_chars("\n") + machine.wait_for_window("Budgie Control Center") + + with subtest("Lock the screen"): + machine.succeed("${su "budgie-screensaver-command -l >&2 &"}") + machine.wait_until_succeeds("${su "budgie-screensaver-command -q"} | grep 'The screensaver is active'") + machine.sleep(2) + machine.send_chars("${user.password}", delay=0.5) + machine.screenshot("budgie_screensaver") + machine.send_chars("\n") + machine.wait_until_succeeds("${su "budgie-screensaver-command -q"} | grep 'The screensaver is inactive'") + machine.sleep(2) with subtest("Open MATE terminal"): - machine.succeed("su - ${user.name} -c 'DISPLAY=:0 mate-terminal >&2 &'") + machine.succeed("${su "mate-terminal >&2 &"}") machine.wait_for_window("Terminal") - with subtest("Check if budgie-wm has ever coredumped"): - machine.fail("coredumpctl --json=short | grep budgie-wm") - machine.sleep(20) + with subtest("Check if Budgie has ever coredumped"): + machine.fail("coredumpctl --json=short | grep budgie") + machine.sleep(10) machine.screenshot("screen") ''; }) diff --git a/nixos/tests/freetube.nix b/nixos/tests/freetube.nix index faa5349382270..10f0773cb884c 100644 --- a/nixos/tests/freetube.nix +++ b/nixos/tests/freetube.nix @@ -40,4 +40,4 @@ let ''; }); in -builtins.mapAttrs (k: v: mkTest k v { }) tests +builtins.mapAttrs (k: v: mkTest k v) tests diff --git a/nixos/tests/incus/default.nix b/nixos/tests/incus/default.nix index 474a621c5ce91..32bc5396a1647 100644 --- a/nixos/tests/incus/default.nix +++ b/nixos/tests/incus/default.nix @@ -14,6 +14,7 @@ openvswitch = import ./openvswitch.nix { inherit system pkgs; }; preseed = import ./preseed.nix { inherit system pkgs; }; socket-activated = import ./socket-activated.nix { inherit system pkgs; }; + storage = import ./storage.nix { inherit system pkgs; }; ui = import ./ui.nix {inherit system pkgs;}; virtual-machine = handleTestOn [ "x86_64-linux" ] ./virtual-machine.nix { inherit system pkgs; }; } diff --git a/nixos/tests/incus/storage.nix b/nixos/tests/incus/storage.nix new file mode 100644 index 0000000000000..190f4f7451c20 --- /dev/null +++ b/nixos/tests/incus/storage.nix @@ -0,0 +1,46 @@ +import ../make-test-python.nix ( + { pkgs, lib, ... }: + + { + name = "incus-storage"; + + meta = { + maintainers = lib.teams.lxc.members; + }; + + nodes.machine = + { lib, ... }: + { + boot.supportedFilesystems = [ "zfs" ]; + boot.zfs.forceImportRoot = false; + environment.systemPackages = [ pkgs.parted ]; + networking.hostId = "01234567"; + networking.nftables.enable = true; + + virtualisation = { + emptyDiskImages = [ 2048 ]; + incus.enable = true; + }; + }; + + testScript = '' + machine.wait_for_unit("incus.service") + + with subtest("Verify zfs pool created and usable"): + machine.succeed( + "zpool status", + "parted --script /dev/vdb mklabel gpt", + "zpool create zfs_pool /dev/vdb", + ) + + machine.succeed("incus storage create zfs_pool zfs source=zfs_pool/incus") + machine.succeed("zfs list zfs_pool/incus") + machine.succeed("incus storage volume create zfs_pool test_fs --type filesystem") + machine.succeed("incus storage volume create zfs_pool test_vol --type block") + machine.succeed("incus storage show zfs_pool") + machine.succeed("incus storage volume list zfs_pool") + machine.succeed("incus storage volume show zfs_pool test_fs") + machine.succeed("incus storage volume show zfs_pool test_vol") + ''; + } +) diff --git a/nixos/tests/keycloak.nix b/nixos/tests/keycloak.nix index 228e57d1cdd6f..67b412c80961d 100644 --- a/nixos/tests/keycloak.nix +++ b/nixos/tests/keycloak.nix @@ -6,8 +6,8 @@ let certs = import ./common/acme/server/snakeoil-certs.nix; frontendUrl = "https://${certs.domain}"; - keycloakTest = import ./make-test-python.nix ( - { pkgs, databaseType, ... }: + keycloakTest = databaseType: import ./make-test-python.nix ( + { pkgs, ... }: let initialAdminPassword = "h4Iho\"JFn't2>iQIR9"; adminPasswordFile = pkgs.writeText "admin-password" "${initialAdminPassword}"; @@ -76,16 +76,18 @@ let enabled = true; realm = "test-realm"; clients = [ client ]; - users = [( - user // { - enabled = true; - credentials = [{ - type = "password"; - temporary = false; - value = password; - }]; - } - )]; + users = [ + ( + user // { + enabled = true; + credentials = [{ + type = "password"; + temporary = false; + value = password; + }]; + } + ) + ]; }; realmDataJson = pkgs.writeText "realm-data.json" (builtins.toJSON realm); @@ -177,7 +179,7 @@ let ); in { - postgres = keycloakTest { databaseType = "postgresql"; }; - mariadb = keycloakTest { databaseType = "mariadb"; }; - mysql = keycloakTest { databaseType = "mysql"; }; + postgres = keycloakTest "postgresql"; + mariadb = keycloakTest "mariadb"; + mysql = keycloakTest "mysql"; } diff --git a/nixos/tests/krb5/default.nix b/nixos/tests/krb5/default.nix index ede085632c634..274ad580cebc9 100644 --- a/nixos/tests/krb5/default.nix +++ b/nixos/tests/krb5/default.nix @@ -1,4 +1,3 @@ -{ system ? builtins.currentSystem }: { - example-config = import ./example-config.nix { inherit system; }; + example-config = import ./example-config.nix; } diff --git a/nixos/tests/make-test-python.nix b/nixos/tests/make-test-python.nix index 28569f1d2955a..32531fffd2bf3 100644 --- a/nixos/tests/make-test-python.nix +++ b/nixos/tests/make-test-python.nix @@ -1,5 +1,5 @@ f: { - system ? builtins.currentSystem, + system, pkgs ? import ../.. { inherit system; config = {}; overlays = []; }, ... } @ args: diff --git a/nixos/tests/mate-wayland.nix b/nixos/tests/mate-wayland.nix new file mode 100644 index 0000000000000..df39ead286e15 --- /dev/null +++ b/nixos/tests/mate-wayland.nix @@ -0,0 +1,63 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "mate-wayland"; + + meta.maintainers = lib.teams.mate.members; + + nodes.machine = { ... }: { + imports = [ + ./common/user-account.nix + ]; + + services.xserver.enable = true; + services.xserver.displayManager = { + sddm.enable = true; # https://github.com/canonical/lightdm/issues/63 + sddm.wayland.enable = true; + defaultSession = "MATE"; + autoLogin = { + enable = true; + user = "alice"; + }; + }; + services.xserver.desktopManager.mate.enableWaylandSession = true; + + hardware.pulseaudio.enable = true; + + # Need to switch to a different GPU driver than the default one (-vga std) so that wayfire can launch: + virtualisation.qemu.options = [ "-vga none -device virtio-gpu-pci" ]; + }; + + enableOCR = true; + + testScript = { nodes, ... }: + let + user = nodes.machine.users.users.alice; + in + '' + machine.wait_for_unit("display-manager.service") + + with subtest("Wait for Wayland server"): + machine.wait_for_file("/run/user/${toString user.uid}/wayland-1") + + with subtest("Check if MATE session components actually start"): + for i in ["wayfire", "mate-panel", "mate-wayland.sh", "mate-wayland-components.sh"]: + machine.wait_until_succeeds(f"pgrep -f {i}") + machine.wait_for_text('(Applications|Places|System)') + # It is expected that this applet doesn't work in Wayland + machine.wait_for_text('WorkspaceSwitcherApplet') + + with subtest("Check if various environment variables are set"): + cmd = "xargs --null --max-args=1 echo < /proc/$(pgrep -xf mate-panel)/environ" + machine.succeed(f"{cmd} | grep 'XDG_SESSION_TYPE' | grep 'wayland'") + machine.succeed(f"{cmd} | grep 'XDG_SESSION_DESKTOP' | grep 'MATE'") + machine.succeed(f"{cmd} | grep 'MATE_PANEL_APPLETS_DIR' | grep '${pkgs.mate.mate-panel-with-applets.pname}'") + + with subtest("Check if Wayfire config is properly configured"): + for i in ["button_style = mate", "firedecor", "mate-wayland-components.sh"]: + machine.wait_until_succeeds(f"cat /home/${user.name}/.config/mate/wayfire.ini | grep '{i}'") + + with subtest("Check if Wayfire has ever coredumped"): + machine.fail("coredumpctl --json=short | grep wayfire") + machine.sleep(10) + machine.screenshot("screen") + ''; +}) diff --git a/nixos/tests/mate.nix b/nixos/tests/mate.nix index 48582e18d520c..1252ec43cf3d5 100644 --- a/nixos/tests/mate.nix +++ b/nixos/tests/mate.nix @@ -54,6 +54,15 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.wait_for_text('(Applications|Places|System)') machine.wait_for_text('(Computer|Home|Trash)') + with subtest("Check if various environment variables are set"): + machine.succeed("xargs --null --max-args=1 echo < /proc/$(pgrep -xf marco)/environ | grep 'XDG_CURRENT_DESKTOP' | grep 'MATE'") + # From mate-panel-with-applets packaging + machine.succeed("xargs --null --max-args=1 echo < /proc/$(pgrep -xf mate-panel)/environ | grep 'MATE_PANEL_APPLETS_DIR' | grep '${pkgs.mate.mate-panel-with-applets.pname}'") + + with subtest("Check if applets are built with in-process support"): + # This is needed for Wayland support + machine.fail("pgrep -fa clock-applet") + with subtest("Lock the screen"): machine.wait_until_succeeds("su - ${user.name} -c '${env} mate-screensaver-command -q' | grep 'The screensaver is inactive'") machine.succeed("su - ${user.name} -c '${env} mate-screensaver-command -l >&2 &'") diff --git a/nixos/tests/nix-config.nix b/nixos/tests/nix-config.nix new file mode 100644 index 0000000000000..907e886def351 --- /dev/null +++ b/nixos/tests/nix-config.nix @@ -0,0 +1,18 @@ +import ./make-test-python.nix ({ pkgs, ... }: +{ + name = "nix-config"; + nodes.machine = { pkgs, ... }: { + nix.settings = { + nix-path = [ "nonextra=/etc/value.nix" ]; + extra-nix-path = [ "extra=/etc/value.nix" ]; + }; + environment.etc."value.nix".text = "42"; + }; + testScript = '' + start_all() + machine.wait_for_unit("nix-daemon.socket") + # regression test for the workaround for https://github.com/NixOS/nix/issues/9487 + print(machine.succeed("nix-instantiate --find-file extra")) + print(machine.succeed("nix-instantiate --find-file nonextra")) + ''; +}) diff --git a/nixos/tests/opensearch.nix b/nixos/tests/opensearch.nix index 2887ac9677656..7d37583464cb0 100644 --- a/nixos/tests/opensearch.nix +++ b/nixos/tests/opensearch.nix @@ -1,7 +1,7 @@ let - opensearchTest = + opensearchTest = extraSettings: import ./make-test-python.nix ( - { pkgs, lib, extraSettings ? {} }: { + { pkgs, lib, ... }: { name = "opensearch"; meta.maintainers = with pkgs.lib.maintainers; [ shyim ]; @@ -27,20 +27,18 @@ in { opensearch = opensearchTest {}; opensearchCustomPathAndUser = opensearchTest { - extraSettings = { - services.opensearch.dataDir = "/var/opensearch_test"; - services.opensearch.user = "open_search"; - services.opensearch.group = "open_search"; - systemd.tmpfiles.rules = [ - "d /var/opensearch_test 0700 open_search open_search -" - ]; - users = { - groups.open_search = {}; - users.open_search = { - description = "OpenSearch daemon user"; - group = "open_search"; - isSystemUser = true; - }; + services.opensearch.dataDir = "/var/opensearch_test"; + services.opensearch.user = "open_search"; + services.opensearch.group = "open_search"; + systemd.tmpfiles.rules = [ + "d /var/opensearch_test 0700 open_search open_search -" + ]; + users = { + groups.open_search = { }; + users.open_search = { + description = "OpenSearch daemon user"; + group = "open_search"; + isSystemUser = true; }; }; }; diff --git a/nixos/tests/vscodium.nix b/nixos/tests/vscodium.nix index d817ce927ff8d..76d5244b3ee34 100644 --- a/nixos/tests/vscodium.nix +++ b/nixos/tests/vscodium.nix @@ -76,4 +76,4 @@ let }); in -builtins.mapAttrs (k: v: mkTest k v { }) tests +builtins.mapAttrs (k: v: mkTest k v) tests diff --git a/nixos/tests/web-apps/pretix.nix b/nixos/tests/web-apps/pretix.nix new file mode 100644 index 0000000000000..559316f9b85cb --- /dev/null +++ b/nixos/tests/web-apps/pretix.nix @@ -0,0 +1,47 @@ +{ + lib, + pkgs, + ... +}: + +{ + name = "pretix"; + meta.maintainers = with lib.maintainers; [ hexa ]; + + nodes = { + pretix = { + networking.extraHosts = '' + 127.0.0.1 tickets.local + ''; + + services.pretix = { + enable = true; + nginx.domain = "tickets.local"; + plugins = with pkgs.pretix.plugins; [ + passbook + pages + ]; + settings = { + pretix = { + instance_name = "NixOS Test"; + url = "http://tickets.local"; + }; + mail.from = "hello@tickets.local"; + }; + }; + }; + }; + + testScript = '' + start_all() + + pretix.wait_for_unit("pretix-web.service") + pretix.wait_for_unit("pretix-worker.service") + + pretix.wait_until_succeeds("curl -q --fail http://tickets.local") + + pretix.succeed("pretix-manage --help") + + pretix.log(pretix.succeed("systemd-analyze security pretix-web.service")) + ''; +} |