Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/installation/installing.chapter.md | 4 | ||||
-rw-r--r-- | nixos/modules/installer/tools/nixos-generate-config.pl | 11 | ||||
-rw-r--r-- | nixos/modules/services/misc/autorandr.nix | 9 | ||||
-rw-r--r-- | nixos/modules/services/misc/ollama.nix | 76 | ||||
-rw-r--r-- | nixos/modules/tasks/filesystems/envfs.nix | 4 | ||||
-rw-r--r-- | nixos/modules/tasks/filesystems/zfs.nix | 39 | ||||
-rw-r--r-- | nixos/tests/docker-tools.nix | 22 | ||||
-rw-r--r-- | nixos/tests/forgejo.nix | 6 |
8 files changed, 110 insertions, 61 deletions
diff --git a/nixos/doc/manual/installation/installing.chapter.md b/nixos/doc/manual/installation/installing.chapter.md
index c7deb07352f1c..b6db40878ba76 100644
--- a/nixos/doc/manual/installation/installing.chapter.md
+++ b/nixos/doc/manual/installation/installing.chapter.md
@@ -376,7 +376,7 @@ Use the following commands:
 ```ShellSession
 # mkdir -p /mnt/boot
- # mount /dev/disk/by-label/boot /mnt/boot
+ # mount -o umask=077 /dev/disk/by-label/boot /mnt/boot
 ```
 3. If your machine has a limited amount of memory, you may want to
@@ -572,7 +572,7 @@ With a partitioned disk.
 # mkfs.fat -F 32 -n boot /dev/sda3 # (for UEFI systems only)
 # mount /dev/disk/by-label/nixos /mnt
 # mkdir -p /mnt/boot # (for UEFI systems only)
-# mount /dev/disk/by-label/boot /mnt/boot # (for UEFI systems only)
+# mount -o umask=077 /dev/disk/by-label/boot /mnt/boot # (for UEFI systems only)
 # nixos-generate-config --root /mnt
 # nano /mnt/etc/nixos/configuration.nix
 # nixos-install
diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl
index 2f9edba4f0c9c..317b5e677d17e 100644
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -453,6 +453,17 @@ EOF
 }
 }
+ # Preserve umask (fmask, dmask) settings for vfat filesystems.
+ # (The default is to mount these world-readable, but that's a security risk
+ # for the EFI System Partition.)
+ if ($fsType eq "vfat") {
+ for (@superOptions) {
+ if ($_ =~ /fmask|dmask/) {
+ push @extraOptions, $_;
+ }
+ }
+ }
+
 # is this a stratis fs?
 my $stableDevPath = findStableDevPath $device;
 my $stratisPool;
diff --git a/nixos/modules/services/misc/autorandr.nix b/nixos/modules/services/misc/autorandr.nix
index aa96acb613067..22d1fb727477c 100644
--- a/nixos/modules/services/misc/autorandr.nix
+++ b/nixos/modules/services/misc/autorandr.nix
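Review bot: The filter on `if ($_ =~ /fmask|dmask/)` is an unanchored substring match over `@superOptions`, so any option whose text merely contains `fmask` or `dmask` would be copied into `@extraOptions`; anchoring to the option name is cheap and reads more clearly, e.g. replacing the inner `for` with `push @extraOptions, grep { /^(?:fmask|dmask)=/ } @superOptions;`, which also avoids carrying `$_` across two nested blocks. The new block only preserves masks already in effect when nixos-generate-config ran, so an ESP mounted without `umask=077` (as the manual used to instruct) still ends up with a world-readable `/boot` in the generated config; a comment such as `# Only masks already applied to the live mount are preserved; nothing is tightened here.` would make that limit explicit. The enclosing loop that provides `$fsType`, `@superOptions` and `@extraOptions` starts outside the hunk.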
@@ -260,6 +260,12 @@ in {
 description = lib.mdDoc "Treat outputs as connected even if their lids are closed";
 };
+ matchEdid = mkOption {
+ default = false;
+ type = types.bool;
+ description = lib.mdDoc "Match displays based on edid instead of name";
+ };
+
 hooks = mkOption {
 type = hooksModule;
 description = lib.mdDoc "Global hook scripts";
@@ -351,7 +357,8 @@ in {
 --batch \
 --change \
 --default ${cfg.defaultTarget} \
- ${optionalString cfg.ignoreLid "--ignore-lid"}
+ ${optionalString cfg.ignoreLid "--ignore-lid"} \
+ ${optionalString cfg.matchEdid "--match-edid"}
 '';
 Type = "oneshot";
 RemainAfterExit = false;
diff --git a/nixos/modules/services/misc/ollama.nix b/nixos/modules/services/misc/ollama.nix
index 3ac3beb4de078..30c2b26d8322e 100644
--- a/nixos/modules/services/misc/ollama.nix
+++ b/nixos/modules/services/misc/ollama.nix
@@ -13,48 +13,76 @@ in { options = { services.ollama = { - enable = lib.mkEnableOption ( - lib.mdDoc "Server for local large language models" - ); + enable = lib.mkEnableOption "ollama server for local large language models"; + package = lib.mkPackageOption pkgs "ollama" { }; + home = lib.mkOption { + type = types.str; + default = "%S/ollama"; + example = "/home/foo"; + description = '' + The home directory that the ollama service is started in. + ''; + }; + models = lib.mkOption { + type = types.str; + default = "%S/ollama/models"; + example = "/path/to/ollama/models"; + description = '' + The directory that the ollama service will read models from and download new models to. + ''; + }; listenAddress = lib.mkOption { type = types.str; default = "127.0.0.1:11434"; - description = lib.mdDoc '' - Specifies the bind address on which the ollama server HTTP interface listens. + example = "0.0.0.0:11111"; + description = '' + The address which the ollama server HTTP interface binds and listens to. ''; }; acceleration = lib.mkOption { type = types.nullOr (types.enum [ "rocm" "cuda" ]); default = null; example = "rocm"; - description = lib.mdDoc '' - Specifies the interface to use for hardware acceleration. + description = '' + What interface to use for hardware acceleration. - `rocm`: supported by modern AMD GPUs - `cuda`: supported by modern NVIDIA GPUs ''; }; - package = lib.mkPackageOption pkgs "ollama" { }; + environmentVariables = lib.mkOption { + type = types.attrsOf types.str; + default = { }; + example = { + HOME = "/tmp"; + OLLAMA_LLM_LIBRARY = "cpu"; + }; + description = '' + Set arbitrary environment variables for the ollama service. + + Be aware that these are only seen by the ollama server (systemd service), + not normal invocations like `ollama run`. + Since `ollama run` is mostly a shell around the ollama server, this is usually sufficient. 
+ '';
+ };
 };
 };
 config = lib.mkIf cfg.enable {
- systemd = {
- services.ollama = {
- wantedBy = [ "multi-user.target" ];
- description = "Server for local large language models";
- after = [ "network.target" ];
- environment = {
- HOME = "%S/ollama";
- OLLAMA_MODELS = "%S/ollama/models";
- OLLAMA_HOST = cfg.listenAddress;
- };
- serviceConfig = {
- ExecStart = "${lib.getExe ollamaPackage} serve";
- WorkingDirectory = "/var/lib/ollama";
- StateDirectory = [ "ollama" ];
- DynamicUser = true;
- };
+ systemd.services.ollama = {
+ description = "Server for local large language models";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ environment = cfg.environmentVariables // {
+ HOME = cfg.home;
+ OLLAMA_MODELS = cfg.models;
+ OLLAMA_HOST = cfg.listenAddress;
+ };
+ serviceConfig = {
+ ExecStart = "${lib.getExe ollamaPackage} serve";
+ WorkingDirectory = "%S/ollama";
+ StateDirectory = [ "ollama" ];
+ DynamicUser = true;
 };
 };
diff --git a/nixos/modules/tasks/filesystems/envfs.nix b/nixos/modules/tasks/filesystems/envfs.nix
index 365cb46ff2fe3..6719a03610d10 100644
--- a/nixos/modules/tasks/filesystems/envfs.nix
+++ b/nixos/modules/tasks/filesystems/envfs.nix
@@ -7,6 +7,7 @@ let
 device = "none";
 fsType = "envfs";
 options = [
+ "bind-mount=/bin"
 "fallback-path=${pkgs.runCommand "fallback-path" {} (''
 mkdir -p $out
 ln -s ${config.environment.usrbinenv} $out/env
@@ -15,6 +16,9 @@ let
 "nofail"
 ];
 };
+ # We need to bind-mount /bin to /usr/bin, because otherwise upgrading
+ # from envfs < 1.0.5 will cause having the old envs with no /bin bind mount.
+ # Systemd is smart enough to not mount /bin if it's already mounted.
 "/bin" = {
 device = "/usr/bin";
 fsType = "none";
diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix
index 72bc79f31b68a..a9aaf84877117 100644
--- a/nixos/modules/tasks/filesystems/zfs.nix
+++ b/nixos/modules/tasks/filesystems/zfs.nix
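Review bot: The `environmentVariables` example sets `HOME = "/tmp"`, but `environment = cfg.environmentVariables // { HOME = cfg.home; ... }` applies the module's attributes last, so `HOME`, `OLLAMA_MODELS` and `OLLAMA_HOST` given through this option are silently discarded in favour of `home`, `models` and `listenAddress`. Either drop `HOME` from the example and state the precedence in the description (`HOME, OLLAMA_MODELS and OLLAMA_HOST are taken from the home, models and listenAddress options and cannot be overridden here.`), or add an assertion that rejects those keys. The `listenAddress` example `0.0.0.0:11111` also deserves a caveat in its description: the ollama server does not appear to authenticate API clients on its own, so binding to a non-loopback address exposes model pulls, deletes and inference to anyone who can reach the port unless a firewall or authenticating reverse proxy fronts it. The `home`/`models` defaults rely on the `StateDirectory` created for the `DynamicUser`; presumably a custom path such as the `/home/foo` example needs its ownership arranged separately, which the descriptions could mention.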
@@ -340,24 +340,12 @@ in
 removeLinuxDRM = lib.mkOption {
 type = types.bool;
 default = false;
- description = lib.mdDoc ''
- Linux 6.2 dropped some kernel symbols required on aarch64 required by zfs.
- Enabling this option will bring them back to allow this kernel version.
- Note that in some jurisdictions this may be illegal as it might be considered
- removing copyright protection from the code.
- See https://www.ifross.org/?q=en/artikel/ongoing-dispute-over-value-exportsymbolgpl-function for further information.
-
- If configure your kernel package with `zfs.latestCompatibleLinuxPackages`, you will need to also pass removeLinuxDRM to that package like this:
+ description = ''
+ Patch the kernel to change symbols needed by ZFS from
+ EXPORT_SYMBOL_GPL to EXPORT_SYMBOL.
- ```
- { pkgs, ... }: {
- boot.kernelPackages = (pkgs.zfs.override {
- removeLinuxDRM = pkgs.hostPlatform.isAarch64;
- }).latestCompatibleLinuxPackages;
-
- boot.zfs.removeLinuxDRM = true;
- }
- ```
+
+ Currently has no effect, but may again in future if a kernel
+ update breaks ZFS due to symbols being newly changed to GPL.
 '';
 };
 };
@@ -583,7 +571,7 @@ in
 kernelParams = lib.optionals (!config.boot.zfs.allowHibernation) [ "nohibernate" ];
 extraModulePackages = [
- (cfgZfs.modulePackage.override { inherit (cfgZfs) removeLinuxDRM; })
+ cfgZfs.modulePackage
 ];
 };
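Review bot: `removeLinuxDRM = true` becomes a silent no-op here: the option stays declared, `extraModulePackages` no longer forwards it to `modulePackage`, and nothing tells a user who still sets it that it does nothing. A `warnings = lib.optional cfgZfs.removeLinuxDRM "boot.zfs.removeLinuxDRM currently has no effect";` next to the option would surface that at evaluation time. The new description could also name the kernel/ZFS combination that last needed the patch so the "may again in future" sentence is actionable, and presumably users who followed the old description and override `pkgs.zfs` with `removeLinuxDRM` still have a package override this hunk does not touch, which is worth one sentence there.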
@@ -710,21 +698,6 @@ in
 services.udev.packages = [ cfgZfs.package ]; # to hook zvol naming, etc.
 systemd.packages = [ cfgZfs.package ];
- # Export kernel_neon_* symbols again.
- # This change is necessary until ZFS figures out a solution
- # with upstream or in their build system to fill the gap for
- # this symbol.
- # In the meantime, we restore what was once a working piece of code
- # in the kernel.
- boot.kernelPatches = lib.optional (cfgZfs.removeLinuxDRM && pkgs.stdenv.hostPlatform.system == "aarch64-linux") {
- name = "export-neon-symbols-as-gpl";
- patch = pkgs.fetchpatch {
- url = "https://github.com/torvalds/linux/commit/aaeca98456431a8d9382ecf48ac4843e252c07b3.patch";
- hash = "sha256-L2g4G1tlWPIi/QRckMuHDcdWBcKpObSWSRTvbHRIwIk=";
- revert = true;
- };
- };
-
 systemd.services = let
 createImportService' = pool: createImportService {
 inherit pool;
diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix
index 5b2759c84ff07..dcf91cb9ce4dc 100644
--- a/nixos/tests/docker-tools.nix
+++ b/nixos/tests/docker-tools.nix
@@ -58,6 +58,20 @@ let
 '';
 config.Cmd = [ "${pkgs.coreutils}/bin/stat" "-c" "%u:%g" "/testfile" ];
 };
+
+ nonRootTestImage =
+ pkgs.dockerTools.streamLayeredImage rec {
+ name = "non-root-test";
+ tag = "latest";
+ uid = 1000;
+ gid = 1000;
+ uname = "user";
+ gname = "user";
+ config = {
+ User = "user";
+ Cmd = [ "${pkgs.coreutils}/bin/stat" "-c" "%u:%g" "${pkgs.coreutils}/bin/stat" ];
+ };
+ };
 in {
 name = "docker-tools";
 meta = with pkgs.lib.maintainers; {
@@ -172,7 +186,7 @@ in {
 ):
 docker.succeed(
 "docker load --input='${examples.bashLayeredWithUser}'",
- "docker run -u somebody --rm ${examples.bashLayeredWithUser.imageName} ${pkgs.bash}/bin/bash -c 'test 555 == $(stat --format=%a /nix) && test 555 == $(stat --format=%a /nix/store)'",
+ "docker run -u somebody --rm ${examples.bashLayeredWithUser.imageName} ${pkgs.bash}/bin/bash -c 'test 755 == $(stat --format=%a /nix) && test 755 == $(stat --format=%a /nix/store)'",
 "docker rmi ${examples.bashLayeredWithUser.imageName}",
 )
@@ -583,5 +597,11 @@ in {
 "${chownTestImage} | docker load",
 "docker run --rm ${chownTestImage.imageName} | diff /dev/stdin <(echo 12345:12345)"
 )
+
+ with subtest("streamLayeredImage: with non-root user"):
+ docker.succeed(
+ "${nonRootTestImage} | docker load",
+ "docker run --rm ${chownTestImage.imageName} | diff /dev/stdin <(echo 12345:12345)"
+ )
 '';
 })
diff --git a/nixos/tests/forgejo.nix b/nixos/tests/forgejo.nix
index 6acd6acb50fa9..b14df0a2c74f9 100644
--- a/nixos/tests/forgejo.nix
+++ b/nixos/tests/forgejo.nix
@@ -108,6 +108,12 @@ let
 assert "BEGIN PGP PUBLIC KEY BLOCK" in server.succeed("curl http://localhost:3000/api/v1/signing-key.gpg")
+ api_version = json.loads(server.succeed("curl http://localhost:3000/api/forgejo/v1/version")).get("version")
+ assert "development" != api_version and "-gitea-" in api_version, (
+ "/api/forgejo/v1/version should not return 'development' " +
+ f"but should contain a gitea compatibility version string. Got '{api_version}' instead."
+ )
+
 server.succeed(
 "curl --fail http://localhost:3000/user/sign_up | grep 'Registration is disabled. " +
 "Please contact your site administrator.'" |
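Review bot: The new subtest `streamLayeredImage: with non-root user` loads `nonRootTestImage` but then runs `${chownTestImage.imageName}` and compares against `12345:12345`, which repeats the previous subtest verbatim and never executes the image it just loaded, so the non-root path is not actually tested. The run line should be `"docker run --rm ${nonRootTestImage.imageName} | diff /dev/stdin <(echo 1000:1000)"`, presumably with `1000:1000` given the `uid = 1000; gid = 1000;` passed to the image in the earlier hunk of this file, whose definition lies outside this hunk. The test script that encloses these subtests also starts outside the hunk.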
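Review bot: `curl http://localhost:3000/api/forgejo/v1/version` is run without `--fail`, so an HTTP error page would reach `json.loads` and surface as a JSON decode error rather than the intended message; the neighbouring call already uses `curl --fail`, so `curl --fail http://localhost:3000/api/forgejo/v1/version` keeps the file consistent. `.get("version")` can also return `None`, in which case `"-gitea-" in api_version` raises `TypeError` before the assertion message is shown; checking `api_version is not None` first, or `isinstance(api_version, str)`, preserves the diagnostic. The enclosing test script starts outside the hunk.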