diff options
Diffstat (limited to 'nixos')
314 files changed, 7995 insertions, 2311 deletions
diff --git a/nixos/doc/manual/configuration/ipv6-config.xml b/nixos/doc/manual/configuration/ipv6-config.xml index 7b89b4092be7d..45e85dbf3dfdb 100644 --- a/nixos/doc/manual/configuration/ipv6-config.xml +++ b/nixos/doc/manual/configuration/ipv6-config.xml @@ -7,8 +7,12 @@ <para> IPv6 is enabled by default. Stateless address autoconfiguration is used to - automatically assign IPv6 addresses to all interfaces. You can disable IPv6 - support globally by setting: + automatically assign IPv6 addresses to all interfaces, and Privacy + Extensions (RFC 4946) are enabled by default. You can adjust the default + for this by setting <xref linkend="opt-networking.tempAddresses"/>. + This option may be overridden on a per-interface basis by + <xref linkend="opt-networking.interfaces._name_.tempAddress"/>. + You can disable IPv6 support globally by setting: <programlisting> <xref linkend="opt-networking.enableIPv6"/> = false; </programlisting> diff --git a/nixos/doc/manual/configuration/x-windows.xml b/nixos/doc/manual/configuration/x-windows.xml index 757174c526322..e72193897068e 100644 --- a/nixos/doc/manual/configuration/x-windows.xml +++ b/nixos/doc/manual/configuration/x-windows.xml @@ -25,7 +25,7 @@ <programlisting> <xref linkend="opt-services.xserver.desktopManager.plasma5.enable"/> = true; <xref linkend="opt-services.xserver.desktopManager.xfce.enable"/> = true; -<xref linkend="opt-services.xserver.desktopManager.gnome3.enable"/> = true; +<xref linkend="opt-services.xserver.desktopManager.gnome.enable"/> = true; <xref linkend="opt-services.xserver.desktopManager.mate.enable"/> = true; <xref linkend="opt-services.xserver.windowManager.xmonad.enable"/> = true; <xref linkend="opt-services.xserver.windowManager.twm.enable"/> = true; diff --git a/nixos/doc/manual/contributing-to-this-manual.chapter.md b/nixos/doc/manual/contributing-to-this-manual.chapter.md new file mode 100644 index 0000000000000..26813d1042d69 --- /dev/null +++ b/nixos/doc/manual/contributing-to-this-manual.chapter.md @@ -0,0 +1,13 @@ +# Contributing to this manual {#chap-contributing} + +The DocBook and CommonMark sources of NixOS' manual are in the [nixos/doc/manual](https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual) subdirectory of the [Nixpkgs](https://github.com/NixOS/nixpkgs) repository. + +You can quickly check your edits with the following: + +```ShellSession +$ cd /path/to/nixpkgs +$ ./nixos/doc/manual/md-to-db.sh +$ nix-build nixos/release.nix -A manual.x86_64-linux +``` + +If the build succeeds, the manual will be in `./result/share/doc/nixos/index.html`. diff --git a/nixos/doc/manual/contributing-to-this-manual.xml b/nixos/doc/manual/contributing-to-this-manual.xml deleted file mode 100644 index 137e04bb313b3..0000000000000 --- a/nixos/doc/manual/contributing-to-this-manual.xml +++ /dev/null @@ -1,22 +0,0 @@ -<chapter xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xml:id="chap-contributing"> - <title>Contributing to this manual</title> - <para> - The DocBook sources of NixOS' manual are in the <filename -xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual"> -nixos/doc/manual</filename> subdirectory of the <link -xlink:href="https://github.com/NixOS/nixpkgs">Nixpkgs</link> repository. - </para> - <para> - You can quickly check your edits with the following: - </para> -<screen> -<prompt>$ </prompt>cd /path/to/nixpkgs -<prompt>$ </prompt>nix-build nixos/release.nix -A manual.x86_64-linux -</screen> - <para> - If the build succeeds, the manual will be in - <filename>./result/share/doc/nixos/index.html</filename>. - </para> -</chapter> diff --git a/nixos/doc/manual/development/building-nixos.chapter.md b/nixos/doc/manual/development/building-nixos.chapter.md new file mode 100644 index 0000000000000..699a75f411522 --- /dev/null +++ b/nixos/doc/manual/development/building-nixos.chapter.md @@ -0,0 +1,18 @@ +# Building Your Own NixOS CD {#sec-building-cd} +Building a NixOS CD is as easy as configuring your own computer. The idea is to use another module which will replace your `configuration.nix` to configure the system that would be installed on the CD. + +Default CD/DVD configurations are available inside `nixos/modules/installer/cd-dvd` + +```ShellSession +$ git clone https://github.com/NixOS/nixpkgs.git +$ cd nixpkgs/nixos +$ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix default.nix +``` + +Before burning your CD/DVD, you can check the content of the image by mounting anywhere like suggested by the following command: + +```ShellSession +# mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen> +``` + +If you want to customize your NixOS CD in more detail, or generate other kinds of images, you might want to check out [nixos-generators](https://github.com/nix-community/nixos-generators). This can also be a good starting point when you want to use Nix to build a 'minimal' image that doesn't include a NixOS installation. diff --git a/nixos/doc/manual/development/building-nixos.xml b/nixos/doc/manual/development/building-nixos.xml deleted file mode 100644 index d58b6354d1d36..0000000000000 --- a/nixos/doc/manual/development/building-nixos.xml +++ /dev/null @@ -1,33 +0,0 @@ -<chapter xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="sec-building-cd"> - <title>Building Your Own NixOS CD</title> - <para> - Building a NixOS CD is as easy as configuring your own computer. The idea is - to use another module which will replace your - <filename>configuration.nix</filename> to configure the system that would be - installed on the CD. - </para> - <para> - Default CD/DVD configurations are available inside - <filename>nixos/modules/installer/cd-dvd</filename>. -<screen> -<prompt>$ </prompt>git clone https://github.com/NixOS/nixpkgs.git -<prompt>$ </prompt>cd nixpkgs/nixos -<prompt>$ </prompt>nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix default.nix</screen> - </para> - <para> - Before burning your CD/DVD, you can check the content of the image by - mounting anywhere like suggested by the following command: -<screen> -<prompt># </prompt>mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen> - </para> - <para> - If you want to customize your NixOS CD in more detail, or generate other kinds - of images, you might want to check out <link - xlink:href="https://github.com/nix-community/nixos-generators">nixos-generators</link>. This can also be a good starting point when you want to use Nix to build a - 'minimal' image that doesn't include a NixOS installation. - </para> -</chapter> diff --git a/nixos/doc/manual/development/development.xml b/nixos/doc/manual/development/development.xml index 43f511b3e96ba..78763a7350577 100644 --- a/nixos/doc/manual/development/development.xml +++ b/nixos/doc/manual/development/development.xml @@ -13,7 +13,7 @@ <xi:include href="writing-modules.xml" /> <xi:include href="building-parts.xml" /> <xi:include href="writing-documentation.xml" /> - <xi:include href="building-nixos.xml" /> + <xi:include href="../from_md/development/building-nixos.chapter.xml" /> <xi:include href="nixos-tests.xml" /> <xi:include href="testing-installer.xml" /> <xi:include href="releases.xml" /> diff --git a/nixos/doc/manual/development/settings-options.xml b/nixos/doc/manual/development/settings-options.xml index 7795d7c804454..7292cac62b707 100644 --- a/nixos/doc/manual/development/settings-options.xml +++ b/nixos/doc/manual/development/settings-options.xml @@ -50,7 +50,7 @@ </varlistentry> <varlistentry> <term> - <varname>pkgs.formats.ini</varname> { <replaceable>listsAsDuplicateKeys</replaceable> ? false, ... } + <varname>pkgs.formats.ini</varname> { <replaceable>listsAsDuplicateKeys</replaceable> ? false, <replaceable>listToValue</replaceable> ? null, ... } </term> <listitem> <para> @@ -66,6 +66,16 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term> + <varname>listToValue</varname> + </term> + <listitem> + <para> + A function for turning a list of values into a single value. + </para> + </listitem> + </varlistentry> </variablelist> It returns a set with INI-specific attributes <varname>type</varname> and <varname>generate</varname> as specified <link linkend='pkgs-formats-result'>below</link>. </para> diff --git a/nixos/doc/manual/from_md/README.md b/nixos/doc/manual/from_md/README.md new file mode 100644 index 0000000000000..cc6d08ca0a15a --- /dev/null +++ b/nixos/doc/manual/from_md/README.md @@ -0,0 +1,5 @@ +This directory is temporarily needed while we transition the manual to CommonMark. It stores the output of the ../md-to-db.sh script that converts CommonMark files back to DocBook. + +We are choosing to convert the Markdown to DocBook at authoring time instead of manual building time, because we do not want the pandoc toolchain to become part of the NixOS closure. + +Do not edit the DocBook files inside this directory or its subdirectories. Instead, edit the corresponding .md file in the normal manual directories, and run ../md-to-db.sh to update the file here. diff --git a/nixos/doc/manual/from_md/contributing-to-this-manual.chapter.xml b/nixos/doc/manual/from_md/contributing-to-this-manual.chapter.xml new file mode 100644 index 0000000000000..a9b0c6a5eefa1 --- /dev/null +++ b/nixos/doc/manual/from_md/contributing-to-this-manual.chapter.xml @@ -0,0 +1,22 @@ +<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="chap-contributing"> + <title>Contributing to this manual</title> + <para> + The DocBook and CommonMark sources of NixOS’ manual are in the + <link xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual">nixos/doc/manual</link> + subdirectory of the + <link xlink:href="https://github.com/NixOS/nixpkgs">Nixpkgs</link> + repository. + </para> + <para> + You can quickly check your edits with the following: + </para> + <programlisting> +$ cd /path/to/nixpkgs +$ ./nixos/doc/manual/md-to-db.sh +$ nix-build nixos/release.nix -A manual.x86_64-linux +</programlisting> + <para> + If the build succeeds, the manual will be in + <literal>./result/share/doc/nixos/index.html</literal>. + </para> +</chapter> diff --git a/nixos/doc/manual/from_md/development/building-nixos.chapter.xml b/nixos/doc/manual/from_md/development/building-nixos.chapter.xml new file mode 100644 index 0000000000000..ceb744447dab7 --- /dev/null +++ b/nixos/doc/manual/from_md/development/building-nixos.chapter.xml @@ -0,0 +1,33 @@ +<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-building-cd"> + <title>Building Your Own NixOS CD</title> + <para> + Building a NixOS CD is as easy as configuring your own computer. The + idea is to use another module which will replace your + <literal>configuration.nix</literal> to configure the system that + would be installed on the CD. + </para> + <para> + Default CD/DVD configurations are available inside + <literal>nixos/modules/installer/cd-dvd</literal> + </para> + <programlisting> +$ git clone https://github.com/NixOS/nixpkgs.git +$ cd nixpkgs/nixos +$ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix default.nix +</programlisting> + <para> + Before burning your CD/DVD, you can check the content of the image + by mounting anywhere like suggested by the following command: + </para> + <programlisting> +# mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen> +</programlisting> + <para> + If you want to customize your NixOS CD in more detail, or generate + other kinds of images, you might want to check out + <link xlink:href="https://github.com/nix-community/nixos-generators">nixos-generators</link>. + This can also be a good starting point when you want to use Nix to + build a <quote>minimal</quote> image that doesn’t include a NixOS + installation. + </para> +</chapter> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml new file mode 100644 index 0000000000000..abcf3406aa34c --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -0,0 +1,15 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="release-21.11"> + <title>Release 21.11 (<quote>?</quote>, 2021.11/??)</title> + <para> + In addition to numerous new and upgraded packages, this release has + the following highlights: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Support is planned until the end of April 2022, handing over to + 22.05. + </para> + </listitem> + </itemizedlist> +</section> diff --git a/nixos/doc/manual/installation/installing-from-other-distro.xml b/nixos/doc/manual/installation/installing-from-other-distro.xml index 43f69b923d14d..63d1d52b01b2f 100644 --- a/nixos/doc/manual/installation/installing-from-other-distro.xml +++ b/nixos/doc/manual/installation/installing-from-other-distro.xml @@ -84,12 +84,12 @@ nixpkgs https://nixos.org/channels/nixpkgs-unstable</screen> </para> <para> You'll need <literal>nixos-generate-config</literal> and - <literal>nixos-install</literal> and we'll throw in some man pages and - <literal>nixos-enter</literal> just in case you want to chroot into your - NixOS partition. They are installed by default on NixOS, but you don't have + <literal>nixos-install</literal>, but this also makes some man pages + and <literal>nixos-enter</literal> available, just in case you want to chroot into your + NixOS partition. NixOS installs these by default, but you don't have NixOS yet.. </para> -<screen><prompt>$ </prompt>nix-env -f '<nixpkgs/nixos>' --arg configuration {} -iA config.system.build.{nixos-generate-config,nixos-install,nixos-enter,manual.manpages}</screen> + <screen><prompt>$ </prompt>nix-env -f '<nixpkgs>' -iA nixos-install-tools</screen> </listitem> <listitem> <note> diff --git a/nixos/doc/manual/installation/installing.xml b/nixos/doc/manual/installation/installing.xml index 02f6bd6bed4e1..f03b9443d23ba 100644 --- a/nixos/doc/manual/installation/installing.xml +++ b/nixos/doc/manual/installation/installing.xml @@ -46,6 +46,12 @@ to increase the font size. </para> + <para> + To install over a serial port connect with <literal>115200n8</literal> + (e.g. <command>picocom -b 115200 /dev/ttyUSB0</command>). When the + bootloader lists boot entries, select the serial console boot entry. + </para> + <section xml:id="sec-installation-booting-networking"> <title>Networking in the installer</title> diff --git a/nixos/doc/manual/manual.xml b/nixos/doc/manual/manual.xml index db9e7313831da..158b3507a58ea 100644 --- a/nixos/doc/manual/manual.xml +++ b/nixos/doc/manual/manual.xml @@ -19,6 +19,6 @@ <xi:include href="./generated/options-db.xml" xpointer="configuration-variable-list" /> </appendix> - <xi:include href="contributing-to-this-manual.xml" /> + <xi:include href="./from_md/contributing-to-this-manual.chapter.xml" /> <xi:include href="release-notes/release-notes.xml" /> </book> diff --git a/nixos/doc/manual/md-to-db.sh b/nixos/doc/manual/md-to-db.sh new file mode 100755 index 0000000000000..fc4be7da22ba8 --- /dev/null +++ b/nixos/doc/manual/md-to-db.sh @@ -0,0 +1,33 @@ +#! /usr/bin/env nix-shell +#! nix-shell -I nixpkgs=channel:nixpkgs-unstable -i bash -p pandoc + +# This script is temporarily needed while we transition the manual to +# CommonMark. It converts the .md files in the regular manual folder +# into DocBook files in the from_md folder. + +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +pushd $DIR + +OUT="$DIR/from_md" +mapfile -t MD_FILES < <(find . -type f -regex '.*\.md$') + +for mf in ${MD_FILES[*]}; do + if [ "${mf: -11}" == ".section.md" ]; then + mkdir -p $(dirname "$OUT/$mf") + pandoc "$mf" -t docbook \ + --extract-media=media \ + -f markdown+smart \ + | cat > "$OUT/${mf%".section.md"}.section.xml" + fi + + if [ "${mf: -11}" == ".chapter.md" ]; then + mkdir -p $(dirname "$OUT/$mf") + pandoc "$mf" -t docbook \ + --top-level-division=chapter \ + --extract-media=media \ + -f markdown+smart \ + | cat > "$OUT/${mf%".chapter.md"}.chapter.xml" + fi +done + +popd diff --git a/nixos/doc/manual/release-notes/release-notes.xml b/nixos/doc/manual/release-notes/release-notes.xml index e083d51406c76..6d7899f6dcdb6 100644 --- a/nixos/doc/manual/release-notes/release-notes.xml +++ b/nixos/doc/manual/release-notes/release-notes.xml @@ -8,6 +8,7 @@ This section lists the release notes for each stable version of NixOS and current unstable revision. </para> + <xi:include href="../from_md/release-notes/rl-2111.section.xml" /> <xi:include href="rl-2105.xml" /> <xi:include href="rl-2009.xml" /> <xi:include href="rl-2003.xml" /> diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index 4102fe206e19d..0dae49c636f61 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixos/doc/manual/release-notes/rl-1909.xml @@ -83,10 +83,10 @@ like games. <itemizedlist> <para>This can be achieved with the following options which the desktop manager default enables, excluding <literal>games</literal>.</para> - <listitem><para><xref linkend="opt-services.gnome3.core-os-services.enable"/></para></listitem> - <listitem><para><xref linkend="opt-services.gnome3.core-shell.enable"/></para></listitem> - <listitem><para><xref linkend="opt-services.gnome3.core-utilities.enable"/></para></listitem> - <listitem><para><xref linkend="opt-services.gnome3.games.enable"/></para></listitem> + <listitem><para><option>services.gnome3.core-os-services.enable</option></para></listitem> + <listitem><para><option>services.gnome3.core-shell.enable</option></para></listitem> + <listitem><para><option>services.gnome3.core-utilities.enable</option></para></listitem> + <listitem><para><option>services.gnome3.games.enable</option></para></listitem> </itemizedlist> With these options we hope to give users finer grained control over their systems. Prior to this change you'd either have to manually disable options or use <option>environment.gnome3.excludePackages</option> which only excluded the optional applications. diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml index 99e0110fdcbf9..9ce24700686a6 100644 --- a/nixos/doc/manual/release-notes/rl-2105.xml +++ b/nixos/doc/manual/release-notes/rl-2105.xml @@ -27,7 +27,7 @@ <para>The default Linux kernel was updated to the 5.10 LTS series, coming from the 5.4 LTS series.</para> </listitem> <listitem> - <para>GNOME desktop environment was upgraded to 3.38, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">release notes</link>.</para> + <para>GNOME desktop environment was upgraded to 40, see the release notes for <link xlink:href="https://help.gnome.org/misc/release-notes/40.0/">40.0</link> and <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">3.38</link>. The <code>gnome3</code> attribute set has been renamed to <code>gnome</code> and so have been the NixOS options.</para> </listitem> <listitem> <para> @@ -78,7 +78,7 @@ </listitem> <listitem> <para> - <link xlink:href="https://kodi.tv/">Kodi</link> has been updated to version 19.0 "Matrix". See + <link xlink:href="https://kodi.tv/">Kodi</link> has been updated to version 19.1 "Matrix". See the <link xlink:href="https://kodi.tv/article/kodi-190-matrix-release">announcement</link> for further details. </para> @@ -100,6 +100,31 @@ Now nginx uses the zlib-ng library by default. </para> </listitem> + <listitem> + <para> + KDE Gear (formerly KDE Applications) is upgraded to 21.04, see its + <link xlink:href="https://kde.org/announcements/gear/21.04/">release + notes</link> for details. + </para> + <para> + The <code>kdeApplications</code> package set is now <code>kdeGear</code>, + in keeping with the new name. The old name remains for compatibility, but + it is deprecated. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://libreswan.org/">Libreswan</link> has been updated + to version 4.4. The package now includes example configurations and manual + pages by default. The NixOS module has been changed to use the upstream + systemd units and write the configuration in the <literal>/etc/ipsec.d/ + </literal> directory. In addition, two new options have been added to + specify connection policies + (<xref linkend="opt-services.libreswan.policies"/>) + and disable send/receive redirects + (<xref linkend="opt-services.libreswan.disableRedirects"/>). + </para> + </listitem> </itemizedlist> </section> @@ -145,6 +170,11 @@ section of the NixOS manual</link> for more information. </para> </listitem> + <listitem> + <para> + <xref linkend="opt-services.nebula.networks" /> <link xlink:href="https://github.com/slackhq/nebula">Nebula VPN</link> + </para> + </listitem> </itemizedlist> </section> @@ -178,6 +208,12 @@ It was broken since the switch to cgroups-v2. </para> </listitem> + <listitem> + <para> + The <literal>linuxPackages.ati_drivers_x11</literal> kernel modules have been removed. + The drivers only supported kernels prior to 4.2, and thus have become obsolete. + </para> + </listitem> <listitem> <para> The <literal>systemConfig</literal> kernel parameter is no longer added to boot loader entries. It has been unused since September 2010, but if do have a system generation from that era, you will now be unable to boot into them. @@ -330,7 +366,18 @@ </listitem> <listitem> <para> - <literal>vim</literal> switched to Python 3, dropping all Python 2 support. + <literal>vim</literal> and <literal>neovim</literal> switched to Python 3, dropping all Python 2 support. + </para> + </listitem> + <listitem> + <para> + <link linkend="opt-networking.wireguard.interfaces">networking.wireguard.interfaces.<name>.generatePrivateKeyFile</link>, + which is off by default, had a <literal>chmod</literal> race condition + fixed. As an aside, the parent directory's permissions were widened, + and the key files were made owner-writable. + This only affects newly created keys. + However, if the exact permissions are important for your setup, read + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/121294">#121294</link>. </para> </listitem> <listitem> @@ -697,10 +744,46 @@ environment.systemPackages = [ </listitem> <listitem> <para> + The <package>kbdKeymaps</package> package was removed since dvp and neo + are now included in <package>kbd</package>. + + If you want to use the Programmer Dvorak Keyboard Layout, you have to use + <literal>dvorak-programmer</literal> in <option>console.keyMap</option> + now instead of <literal>dvp</literal>. + In <option>services.xserver.xkbVariant</option> it's still <literal>dvp</literal>. + </para> + </listitem> + <listitem> + <para> The <package>babeld</package> service is now being run as an unprivileged user. To achieve that the module configures <literal>skip-kernel-setup true</literal> and takes care of setting forwarding and rp_filter sysctls by itself as well as for each interface in <varname>services.babeld.interfaces</varname>. </para> + </listitem> + <listitem> + <para> + The <option>services.zigbee2mqtt.config</option> option has been renamed to <option>services.zigbee2mqtt.settings</option> and + now follows <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC 0042</link>. + </para> + </listitem> + <listitem> + <para> + The <package>yadm</package> dotfile manager has been updated from 2.x to 3.x, which has new (XDG) default locations for some data/state files. Most yadm commands will fail and print a legacy path warning (which describes how to upgrade/migrate your repository). If you have scripts, daemons, scheduled jobs, shell profiles, etc. that invoke yadm, expect them to fail or misbehave until you perform this migration and prepare accordingly. + </para> + </listitem> + <listitem> + <para> + Instead of determining <option>services.radicale.package</option> + automatically based on <option>system.stateVersion</option>, the latest + version is always used because old versions are not officially supported. + </para> + <para> + Furthermore, Radicale's systemd unit was hardened which might break some + deployments. In particular, a non-default + <literal>filesystem_folder</literal> has to be added to + <option>systemd.services.radicale.serviceConfig.ReadWritePaths</option> if + the deprecated <option>services.radicale.config</option> is used. + </para> </listitem> </itemizedlist> </section> @@ -816,6 +899,23 @@ environment.systemPackages = [ default in the CLI tooling which in turn enables us to use <literal>unbound-control</literal> without passing a custom configuration location. </para> + + <para> + The module has also been reworked to be <link + xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC + 0042</link> compliant. As such, + <option>sevices.unbound.extraConfig</option> has been removed and replaced + by <xref linkend="opt-services.unbound.settings"/>. <option>services.unbound.interfaces</option> + has been renamed to <option>services.unbound.settings.server.interface</option>. + </para> + + <para> + <option>services.unbound.forwardAddresses</option> and + <option>services.unbound.allowedAccess</option> have also been changed to + use the new settings interface. You can follow the instructions when + executing <literal>nixos-rebuild</literal> to upgrade your configuration to + use the new interface. + </para> </listitem> <listitem> <para> @@ -880,8 +980,25 @@ environment.systemPackages = [ </para> </listitem> <listitem> + <para> + The <literal>security.apparmor</literal> module, + for the <link xlink:href="https://gitlab.com/apparmor/apparmor/-/wikis/Documentation">AppArmor</link> + Mandatory Access Control system, + has been substantialy improved along with related tools, + so that module maintainers can now more easily write AppArmor profiles for NixOS. + The most notable change on the user-side is the new option <xref linkend="opt-security.apparmor.policies"/>, + replacing the previous <literal>profiles</literal> option + to provide a way to disable a profile + and to select whether to confine in enforce mode (default) + or in complain mode (see <literal>journalctl -b --grep apparmor</literal>). + Security-minded users may also want to enable <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>, + at the cost of having some of their processes killed + when updating to a NixOS version introducing new AppArmor profiles. + </para> + </listitem> + <listitem> <para> - The GNOME desktop manager once again installs <package>gnome3.epiphany</package> by default. + The GNOME desktop manager once again installs <package>gnome.epiphany</package> by default. </para> </listitem> <listitem> @@ -987,6 +1104,35 @@ environment.systemPackages = [ PostgreSQL 9.5 is scheduled EOL during the 21.05 life cycle and has been removed. </para> </listitem> + <listitem> + <para> + <link xlink:href="https://www.xfce.org/">Xfce4</link> relies on + GIO/GVfs for userspace virtual filesystem access in applications + like <link xlink:href="https://docs.xfce.org/xfce/thunar/">thunar</link> and + <link xlink:href="https://docs.xfce.org/apps/gigolo/">gigolo</link>. + For that to work, the gvfs nixos service is enabled by default, + and it can be configured with the specific package that provides + GVfs. Until now Xfce4 was setting it to use a lighter version of + GVfs (without support for samba). To avoid conflicts with other + desktop environments this setting has been dropped. Users that + still want it should add the following to their system + configuration: + <programlisting> +<xref linkend="opt-services.gvfs.package" /> = pkgs.gvfs.override { samba = null; }; + </programlisting> + </para> + </listitem> + <listitem> + <para> + The newly enabled <literal>systemd-pstore.service</literal> now automatically evacuates crashdumps and panic logs from the persistent storage to <literal>/var/lib/systemd/pstore</literal>. + This prevents NVRAM from filling up, which ensures the latest diagnostic data is always stored and alleviates problems with writing new boot configurations. + </para> + </listitem> + <listitem> + <para> + Nixpkgs now contains <link xlink:href="https://github.com/NixOS/nixpkgs/pull/118232">automatically packaged GNOME Shell extensions</link> from the <link xlink:href="https://extensions.gnome.org/">GNOME Extensions</link> portal. You can find them, filed by their UUID, under <literal>gnome38Extensions</literal> attribute for GNOME 3.38 and under <literal>gnome40Extensions</literal> for GNOME 40. Finally, the <literal>gnomeExtensions</literal> attribute contains extensions for the latest GNOME Shell version in Nixpkgs, listed under a more human-friendly name. The unqualified attribute scope also contains manually packaged extensions. Note that the automatically packaged extensions are provided for convenience and are not checked or guaranteed to work. + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md new file mode 100644 index 0000000000000..1499249148fb1 --- /dev/null +++ b/nixos/doc/manual/release-notes/rl-2111.section.md @@ -0,0 +1,5 @@ +# Release 21.11 (“?”, 2021.11/??) {#release-21.11} + +In addition to numerous new and upgraded packages, this release has the following highlights: + +* Support is planned until the end of April 2022, handing over to 22.05. diff --git a/nixos/doc/manual/shell.nix b/nixos/doc/manual/shell.nix index cc3609d750e03..e5ec9b8f97f7d 100644 --- a/nixos/doc/manual/shell.nix +++ b/nixos/doc/manual/shell.nix @@ -4,5 +4,5 @@ in pkgs.mkShell { name = "nixos-manual"; - buildInputs = with pkgs; [ xmlformat jing xmloscopy ruby ]; + packages = with pkgs; [ xmlformat jing xmloscopy ruby ]; } diff --git a/nixos/lib/build-vms.nix b/nixos/lib/build-vms.nix index ebbb0296bef63..064e44f643b2b 100644 --- a/nixos/lib/build-vms.nix +++ b/nixos/lib/build-vms.nix @@ -36,6 +36,13 @@ rec { [ ../modules/virtualisation/qemu-vm.nix ../modules/testing/test-instrumentation.nix # !!! should only get added for automated test runs { key = "no-manual"; documentation.nixos.enable = false; } + { key = "no-revision"; + # Make the revision metadata constant, in order to avoid needless retesting. + # The human version (e.g. 21.05-pre) is left as is, because it is useful + # for external modules that test with e.g. nixosTest and rely on that + # version number. + config.system.nixos.revision = "constant-nixos-revision"; + } { key = "nodes"; _module.args.nodes = nodes; } ] ++ optional minimal ../modules/testing/minimal-kernel.nix; }; diff --git a/nixos/lib/test-driver/test-driver.py b/nixos/lib/test-driver/test-driver.py index 7800a49e41074..e216e566f2867 100644 --- a/nixos/lib/test-driver/test-driver.py +++ b/nixos/lib/test-driver/test-driver.py @@ -3,6 +3,7 @@ from contextlib import contextmanager, _GeneratorContextManager from queue import Queue, Empty from typing import Tuple, Any, Callable, Dict, Iterator, Optional, List, Iterable from xml.sax.saxutils import XMLGenerator +from colorama import Style import queue import io import _thread @@ -151,6 +152,8 @@ class Logger: self.xml.startDocument() self.xml.startElement("logfile", attrs={}) + self._print_serial_logs = True + def close(self) -> None: self.xml.endElement("logfile") self.xml.endDocument() @@ -174,15 +177,21 @@ class Logger: self.drain_log_queue() self.log_line(message, attributes) - def enqueue(self, message: Dict[str, str]) -> None: - self.queue.put(message) + def log_serial(self, message: str, machine: str) -> None: + self.enqueue({"msg": message, "machine": machine, "type": "serial"}) + if self._print_serial_logs: + eprint(Style.DIM + "{} # {}".format(machine, message) + Style.RESET_ALL) + + def enqueue(self, item: Dict[str, str]) -> None: + self.queue.put(item) def drain_log_queue(self) -> None: try: while True: item = self.queue.get_nowait() - attributes = {"machine": item["machine"], "type": "serial"} - self.log_line(self.sanitise(item["msg"]), attributes) + msg = self.sanitise(item["msg"]) + del item["msg"] + self.log_line(msg, item) except Empty: pass @@ -307,8 +316,9 @@ class Machine: start_command += "-cdrom " + args["cdrom"] + " " if "usb" in args: + # https://github.com/qemu/qemu/blob/master/docs/usb2.txt start_command += ( - "-device piix3-usb-uhci -drive " + "-device usb-ehci -drive " + "id=usbdisk,file=" + args["usb"] + ",if=none,readonly " @@ -327,6 +337,9 @@ class Machine: def log(self, msg: str) -> None: self.logger.log(msg, {"machine": self.name}) + def log_serial(self, msg: str) -> None: + self.logger.log_serial(msg, self.name) + def nested(self, msg: str, attrs: Dict[str, str] = {}) -> _GeneratorContextManager: my_attrs = {"machine": self.name} my_attrs.update(attrs) @@ -735,6 +748,7 @@ class Machine: shell_path = os.path.join(self.state_dir, "shell") self.shell_socket = create_socket(shell_path) + display_available = any(x in os.environ for x in ["DISPLAY", "WAYLAND_DISPLAY"]) qemu_options = ( " ".join( [ @@ -744,7 +758,7 @@ class Machine: "-device virtio-serial", "-device virtconsole,chardev=shell", "-device virtio-rng-pci", - "-serial stdio" if "DISPLAY" in os.environ else "-nographic", + "-serial stdio" if display_available else "-nographic", ] ) + " " @@ -783,8 +797,7 @@ class Machine: # Ignore undecodable bytes that may occur in boot menus line = _line.decode(errors="ignore").replace("\r", "").rstrip() self.last_lines.put(line) - eprint("{} # {}".format(self.name, line)) - self.logger.enqueue({"msg": line, "machine": self.name}) + self.log_serial(line) _thread.start_new_thread(process_serial_output, ()) @@ -926,6 +939,16 @@ def run_tests() -> None: machine.execute("sync") +def serial_stdout_on() -> None: + global log + log._print_serial_logs = True + + +def serial_stdout_off() -> None: + global log + log._print_serial_logs = False + + @contextmanager def subtest(name: str) -> Iterator[None]: with log.nested(name): diff --git a/nixos/lib/testing-python.nix b/nixos/lib/testing-python.nix index c7e45f55ce12a..c9d4f0f0861d8 100644 --- a/nixos/lib/testing-python.nix +++ b/nixos/lib/testing-python.nix @@ -25,13 +25,21 @@ rec { name = "nixos-test-driver"; nativeBuildInputs = [ makeWrapper ]; - buildInputs = [ (python3.withPackages (p: [ p.ptpython ])) ]; + buildInputs = [ (python3.withPackages (p: [ p.ptpython p.colorama ])) ]; checkInputs = with python3Packages; [ pylint black mypy ]; dontUnpack = true; preferLocalBuild = true; + buildPhase = '' + python <<EOF + from pydoc import importfile + with open('driver-exports', 'w') as fp: + fp.write(','.join(dir(importfile('${testDriverScript}')))) + EOF + ''; + doCheck = true; checkPhase = '' mypy --disallow-untyped-defs \ @@ -50,12 +58,19 @@ rec { wrapProgram $out/bin/nixos-test-driver \ --prefix PATH : "${lib.makeBinPath [ qemu_pkg vde2 netpbm coreutils ]}" \ + + install -m 0644 -vD driver-exports $out/nix-support/driver-exports ''; }; # Run an automated test suite in the given virtual network. - # `driver' is the script that runs the network. - runTests = driver: + runTests = { + # the script that runs the network + driver, + # a source position in the format of builtins.unsafeGetAttrPos + # for meta.position + pos, + }: stdenv.mkDerivation { name = "vm-test-run-${driver.testName}"; @@ -68,7 +83,11 @@ rec { LOGFILE=/dev/null tests='exec(os.environ["testScript"])' ${driver}/bin/nixos-test-driver ''; - passthru = driver.passthru; + passthru = driver.passthru // { + inherit driver; + }; + + inherit pos; }; @@ -79,6 +98,11 @@ rec { # Skip linting (mainly intended for faster dev cycles) , skipLint ? false , passthru ? {} + , # For meta.position + pos ? # position used in error messages and for meta.position + (if t.meta.description or null != null + then builtins.unsafeGetAttrPos "description" t.meta + else builtins.unsafeGetAttrPos "testScript" t) , ... } @ t: let @@ -134,7 +158,7 @@ rec { in lib.warnIf skipLint "Linting is disabled" (runCommand testDriverName { - buildInputs = [ makeWrapper ]; + nativeBuildInputs = [ makeWrapper ]; testScript = testScript'; preferLocalBuild = true; testName = name; @@ -147,7 +171,10 @@ rec { echo -n "$testScript" > $out/test-script ${lib.optionalString (!skipLint) '' - ${python3Packages.black}/bin/black --check --diff $out/test-script + PYFLAKES_BUILTINS="$( + echo -n ${lib.escapeShellArg (lib.concatStringsSep "," nodeHostNames)}, + < ${lib.escapeShellArg "${testDriver}/nix-support/driver-exports"} + )" ${python3Packages.pyflakes}/bin/pyflakes $out/test-script ''} ln -s ${testDriver}/bin/nixos-test-driver $out/bin/ @@ -174,13 +201,15 @@ rec { driver = mkDriver null; driverInteractive = mkDriver pkgs.qemu; - test = passMeta (runTests driver); + test = passMeta (runTests { inherit driver pos; }); nodeNames = builtins.attrNames driver.nodes; invalidNodeNames = lib.filter (node: builtins.match "^[A-z_]([A-z0-9_]+)?$" node == null) nodeNames; + nodeHostNames = map (c: c.config.system.name) (lib.attrValues driver.nodes); + in if lib.length invalidNodeNames > 0 then throw '' diff --git a/nixos/maintainers/scripts/ec2/amazon-image.nix b/nixos/maintainers/scripts/ec2/amazon-image.nix index 653744986d138..677aff4421e05 100644 --- a/nixos/maintainers/scripts/ec2/amazon-image.nix +++ b/nixos/maintainers/scripts/ec2/amazon-image.nix @@ -41,7 +41,7 @@ in { sizeMB = mkOption { type = with types; either (enum [ "auto" ]) int; - default = "auto"; + default = if config.ec2.hvm then 2048 else 8192; example = 8192; description = "The size in MB of the image"; }; diff --git a/nixos/modules/config/console.nix b/nixos/modules/config/console.nix index 84ad76246fdb7..5be7f06c05d93 100644 --- a/nixos/modules/config/console.nix +++ b/nixos/modules/config/console.nix @@ -82,8 +82,7 @@ in packages = mkOption { type = types.listOf types.package; - default = with pkgs.kbdKeymaps; [ dvp neo ]; - defaultText = "with pkgs.kbdKeymaps; [ dvp neo ]"; + default = [ ]; description = '' List of additional packages that provide console fonts, keymaps and other resources for virtual consoles use. diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix index 6e7b8c4b88a20..72827c5abaae8 100644 --- a/nixos/modules/config/fonts/fontconfig.nix +++ b/nixos/modules/config/fonts/fontconfig.nix @@ -448,6 +448,40 @@ in (mkIf cfg.enable { environment.systemPackages = [ pkgs.fontconfig ]; environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/"; + security.apparmor.includes."abstractions/fonts" = '' + # fonts.conf + r ${pkg.out}/etc/fonts/fonts.conf, + + # fontconfig default config files + r ${pkg.out}/etc/fonts/conf.d/*.conf, + + # 00-nixos-cache.conf + r ${cacheConf}, + + # 10-nixos-rendering.conf + r ${renderConf}, + + # 50-user.conf + ${optionalString cfg.includeUserConf '' + r ${pkg.out}/etc/fonts/conf.d.bak/50-user.conf, + ''} + + # local.conf (indirect priority 51) + ${optionalString (cfg.localConf != "") '' + r ${localConf}, + ''} + + # 52-nixos-default-fonts.conf + r ${defaultFontsConf}, + + # 53-no-bitmaps.conf + r ${rejectBitmaps}, + + ${optionalString (!cfg.allowType1) '' + # 53-nixos-reject-type1.conf + r ${rejectType1}, + ''} + ''; }) (mkIf cfg.enable { fonts.fontconfig.confPackages = [ confPkg ]; diff --git a/nixos/modules/config/malloc.nix b/nixos/modules/config/malloc.nix index a3eb55d8a42e8..fc35993b5a810 100644 --- a/nixos/modules/config/malloc.nix +++ b/nixos/modules/config/malloc.nix @@ -87,5 +87,12 @@ in environment.etc."ld-nix.so.preload".text = '' ${providerLibPath} ''; + security.apparmor.includes = { + "abstractions/base" = '' + r /etc/ld-nix.so.preload, + r ${config.environment.etc."ld-nix.so.preload".source}, + mr ${providerLibPath}, + ''; + }; }; } diff --git a/nixos/modules/hardware/opengl.nix b/nixos/modules/hardware/opengl.nix index 061528f4b1b53..a50b5d32c3580 100644 --- a/nixos/modules/hardware/opengl.nix +++ b/nixos/modules/hardware/opengl.nix @@ -63,8 +63,7 @@ in description = '' On 64-bit systems, whether to support Direct Rendering for 32-bit applications (such as Wine). This is currently only - supported for the <literal>nvidia</literal> and - <literal>ati_unfree</literal> drivers, as well as + supported for the <literal>nvidia</literal> as well as <literal>Mesa</literal>. ''; }; diff --git a/nixos/modules/hardware/video/ati.nix b/nixos/modules/hardware/video/ati.nix deleted file mode 100644 index 06d3ea324d8d5..0000000000000 --- a/nixos/modules/hardware/video/ati.nix +++ /dev/null @@ -1,40 +0,0 @@ -# This module provides the proprietary ATI X11 / OpenGL drivers. - -{ config, lib, pkgs, ... }: - -with lib; - -let - - drivers = config.services.xserver.videoDrivers; - - enabled = elem "ati_unfree" drivers; - - ati_x11 = config.boot.kernelPackages.ati_drivers_x11; - -in - -{ - - config = mkIf enabled { - - nixpkgs.config.xorg.abiCompat = "1.17"; - - services.xserver.drivers = singleton - { name = "fglrx"; modules = [ ati_x11 ]; display = true; }; - - hardware.opengl.package = ati_x11; - hardware.opengl.package32 = pkgs.pkgsi686Linux.linuxPackages.ati_drivers_x11.override { libsOnly = true; kernel = null; }; - hardware.opengl.setLdLibraryPath = true; - - environment.systemPackages = [ ati_x11 ]; - - boot.extraModulePackages = [ ati_x11 ]; - - boot.blacklistedKernelModules = [ "radeon" ]; - - environment.etc.ati.source = "${ati_x11}/etc/ati"; - - }; - -} diff --git a/nixos/modules/hardware/xpadneo.nix b/nixos/modules/hardware/xpadneo.nix index d504697e61fd9..dbc4ba2125604 100644 --- a/nixos/modules/hardware/xpadneo.nix +++ b/nixos/modules/hardware/xpadneo.nix @@ -24,6 +24,6 @@ in }; meta = { - maintainers = with maintainers; [ metadark ]; + maintainers = with maintainers; [ kira-bruneau ]; }; } diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix index 803bae4212ef7..12ad8a4ae0046 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix @@ -9,7 +9,7 @@ with lib; isoImage.edition = "gnome"; - services.xserver.desktopManager.gnome3 = { + services.xserver.desktopManager.gnome = { # Add firefox to favorite-apps favoriteAppsOverride = '' [org.gnome.shell] diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 1418420afcd98..c2836b5a9a1b7 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -162,12 +162,14 @@ let isolinuxCfg = concatStringsSep "\n" ([ baseIsolinuxCfg ] ++ optional config.boot.loader.grub.memtest86.enable isolinuxMemtest86Entry); + refindBinary = if targetArch == "x64" || targetArch == "aa64" then "refind_${targetArch}.efi" else null; + # Setup instructions for rEFInd. refind = - if targetArch == "x64" then + if refindBinary != null then '' # Adds rEFInd to the ISO. - cp -v ${pkgs.refind}/share/refind/refind_x64.efi $out/EFI/boot/ + cp -v ${pkgs.refind}/share/refind/${refindBinary} $out/EFI/boot/ '' else "# No refind for ${targetArch}" @@ -180,13 +182,32 @@ let # Menu configuration # + # Search using a "marker file" + search --set=root --file /EFI/nixos-installer-image + insmod gfxterm insmod png set gfxpayload=keep + set gfxmode=${concatStringsSep "," [ + # GRUB will use the first valid mode listed here. + # `auto` will sometimes choose the smallest valid mode it detects. + # So instead we'll list a lot of possibly valid modes :/ + #"3840x2160" + #"2560x1440" + "1920x1080" + "1366x768" + "1280x720" + "1024x768" + "800x600" + "auto" + ]} # Fonts can be loaded? # (This font is assumed to always be provided as a fallback by NixOS) - if loadfont (hd0)/EFI/boot/unicode.pf2; then + if loadfont (\$root)/EFI/boot/unicode.pf2; then + set with_fonts=true + fi + if [ "\$textmode" != "true" -a "\$with_fonts" == "true" ]; then # Use graphical term, it can be either with background image or a theme. # input is "console", while output is "gfxterm". # This enables "serial" input and output only when possible. @@ -207,11 +228,11 @@ let ${ # When there is a theme configured, use it, otherwise use the background image. if config.isoImage.grubTheme != null then '' # Sets theme. - set theme=(hd0)/EFI/boot/grub-theme/theme.txt + set theme=(\$root)/EFI/boot/grub-theme/theme.txt # Load theme fonts - $(find ${config.isoImage.grubTheme} -iname '*.pf2' -printf "loadfont (hd0)/EFI/boot/grub-theme/%P\n") + $(find ${config.isoImage.grubTheme} -iname '*.pf2' -printf "loadfont (\$root)/EFI/boot/grub-theme/%P\n") '' else '' - if background_image (hd0)/EFI/boot/efi-background.png; then + if background_image (\$root)/EFI/boot/efi-background.png; then # Black background means transparent background when there # is a background image set... This seems undocumented :( set color_normal=black/black @@ -228,9 +249,15 @@ let # Notes about grub: # * Yes, the grubMenuCfg has to be repeated in all submenus. Otherwise you # will get white-on-black console-like text on sub-menus. *sigh* - efiDir = pkgs.runCommand "efi-directory" {} '' + efiDir = pkgs.runCommand "efi-directory" { + nativeBuildInputs = [ pkgs.buildPackages.grub2_efi ]; + strictDeps = true; + } '' mkdir -p $out/EFI/boot/ + # Add a marker so GRUB can find the filesystem. + touch $out/EFI/nixos-installer-image + # ALWAYS required modules. MODULES="fat iso9660 part_gpt part_msdos \ normal boot linux configfile loopback chain halt \ @@ -258,12 +285,14 @@ let # Make our own efi program, we can't rely on "grub-install" since it seems to # probe for devices, even with --skip-fs-probe. - ${grubPkgs.grub2_efi}/bin/grub-mkimage -o $out/EFI/boot/boot${targetArch}.efi -p /EFI/boot -O ${grubPkgs.grub2_efi.grubTarget} \ + grub-mkimage --directory=${grubPkgs.grub2_efi}/lib/grub/${grubPkgs.grub2_efi.grubTarget} -o $out/EFI/boot/boot${targetArch}.efi -p /EFI/boot -O ${grubPkgs.grub2_efi.grubTarget} \ $MODULES cp ${grubPkgs.grub2_efi}/share/grub/unicode.pf2 $out/EFI/boot/ cat <<EOF > $out/EFI/boot/grub.cfg + set with_fonts=false + set textmode=false # If you want to use serial for "terminal_*" commands, you need to set one up: # Example manual configuration: # → serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1 @@ -273,8 +302,28 @@ let export with_serial clear set timeout=10 + + # This message will only be viewable when "gfxterm" is not used. + echo "" + echo "Loading graphical boot menu..." + echo "" + echo "Press 't' to use the text boot menu on this console..." + echo "" + ${grubMenuCfg} + hiddenentry 'Text mode' --hotkey 't' { + loadfont (\$root)/EFI/boot/unicode.pf2 + set textmode=true + terminal_output gfxterm console + } + hiddenentry 'GUI mode' --hotkey 'g' { + $(find ${config.isoImage.grubTheme} -iname '*.pf2' -printf "loadfont (\$root)/EFI/boot/grub-theme/%P\n") + set textmode=false + terminal_output gfxterm + } + + # If the parameter iso_path is set, append the findiso parameter to the kernel # line. We need this to allow the nixos iso to be booted from grub directly. if [ \''${iso_path} ] ; then @@ -337,11 +386,17 @@ let } } - menuentry 'rEFInd' --class refind { - # UUID is hard-coded in the derivation. + ${lib.optionalString (refindBinary != null) '' + # GRUB apparently cannot do "chainloader" operations on "CD". + if [ "\$root" != "cd0" ]; then + # Force root to be the FAT partition + # Otherwise it breaks rEFInd's boot search --set=root --no-floppy --fs-uuid 1234-5678 - chainloader (\$root)/EFI/boot/refind_x64.efi - } + menuentry 'rEFInd' --class refind { + chainloader (\$root)/EFI/boot/${refindBinary} + } + fi + ''} menuentry 'Firmware Setup' --class settings { fwsetup clear @@ -357,7 +412,10 @@ let ${refind} ''; - efiImg = pkgs.runCommand "efi-image_eltorito" { buildInputs = [ pkgs.mtools pkgs.libfaketime ]; } + efiImg = pkgs.runCommand "efi-image_eltorito" { + nativeBuildInputs = [ pkgs.buildPackages.mtools pkgs.buildPackages.libfaketime pkgs.buildPackages.dosfstools ]; + strictDeps = true; + } # Be careful about determinism: du --apparent-size, # dates (cp -p, touch, mcopy -m, faketime for label), IDs (mkfs.vfat -i) '' @@ -366,7 +424,9 @@ let mkdir ./boot cp -p "${config.boot.kernelPackages.kernel}/${config.system.boot.loader.kernelFile}" \ "${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile}" ./boot/ - touch --date=@0 ./EFI ./boot + + # Rewrite dates for everything in the FS + find . -exec touch --date=2000-01-01 {} + usage_size=$(du -sb --apparent-size . | tr -cd '[:digit:]') # Make the image 110% as big as the files need to make up for FAT overhead @@ -377,10 +437,10 @@ let echo "Usage size: $usage_size" echo "Image size: $image_size" truncate --size=$image_size "$out" - ${pkgs.libfaketime}/bin/faketime "2000-01-01 00:00:00" ${pkgs.dosfstools}/sbin/mkfs.vfat -i 12345678 -n EFIBOOT "$out" + faketime "2000-01-01 00:00:00" mkfs.vfat -i 12345678 -n EFIBOOT "$out" mcopy -psvm -i "$out" ./EFI ./boot :: # Verify the FAT partition. - ${pkgs.dosfstools}/sbin/fsck.vfat -vn "$out" + fsck.vfat -vn "$out" ''; # */ # Name used by UEFI for architectures. @@ -389,6 +449,8 @@ let "ia32" else if pkgs.stdenv.isx86_64 then "x64" + else if pkgs.stdenv.isAarch32 then + "arm" else if pkgs.stdenv.isAarch64 then "aa64" else diff --git a/nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix b/nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix deleted file mode 100644 index 79db1fa29bc43..0000000000000 --- a/nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, ... }: -{ - imports = [ - ../sd-card/sd-image-raspberrypi4-installer.nix - ]; - config = { - warnings = [ - '' - .../cd-dvd/sd-image-raspberrypi4.nix is deprecated and will eventually be removed. - Please switch to .../sd-card/sd-image-raspberrypi4-installer.nix, instead. - '' - ]; - }; -} diff --git a/nixos/modules/installer/sd-card/sd-image-aarch64.nix b/nixos/modules/installer/sd-card/sd-image-aarch64.nix index 96ebb7537da32..165e2aac27b49 100644 --- a/nixos/modules/installer/sd-card/sd-image-aarch64.nix +++ b/nixos/modules/installer/sd-card/sd-image-aarch64.nix @@ -18,13 +18,6 @@ # - ttyAMA0: for QEMU's -machine virt boot.kernelParams = ["console=ttyS0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"]; - boot.initrd.availableKernelModules = [ - # Allows early (earlier) modesetting for the Raspberry Pi - "vc4" "bcm2835_dma" "i2c_bcm2835" - # Allows early (earlier) modesetting for Allwinner SoCs - "sun4i_drm" "sun8i_drm_hdmi" "sun8i_mixer" - ]; - sdImage = { populateFirmwareCommands = let configTxt = pkgs.writeText "config.txt" '' diff --git a/nixos/modules/installer/sd-card/sd-image-raspberrypi4-installer.nix b/nixos/modules/installer/sd-card/sd-image-raspberrypi4-installer.nix deleted file mode 100644 index 59423e40b64c9..0000000000000 --- a/nixos/modules/installer/sd-card/sd-image-raspberrypi4-installer.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ - imports = [ - ../../profiles/installation-device.nix - ./sd-image-raspberrypi4.nix - ]; - - # the installation media is also the installation target, - # so we don't want to provide the installation configuration.nix. - installer.cloneConfig = false; -} diff --git a/nixos/modules/installer/sd-card/sd-image-raspberrypi4.nix b/nixos/modules/installer/sd-card/sd-image-raspberrypi4.nix deleted file mode 100644 index 35a12c5382f7e..0000000000000 --- a/nixos/modules/installer/sd-card/sd-image-raspberrypi4.nix +++ /dev/null @@ -1,8 +0,0 @@ -# To build, use: -# nix-build nixos -I nixos-config=nixos/modules/installer/sd-card/sd-image-raspberrypi4.nix -A config.system.build.sdImage -{ config, lib, pkgs, ... }: - -{ - imports = [ ./sd-image-aarch64.nix ]; - boot.kernelPackages = pkgs.linuxPackages_rpi4; -} diff --git a/nixos/modules/installer/sd-card/sd-image.nix b/nixos/modules/installer/sd-card/sd-image.nix index b811ae07eb033..d0fe79903d345 100644 --- a/nixos/modules/installer/sd-card/sd-image.nix +++ b/nixos/modules/installer/sd-card/sd-image.nix @@ -29,6 +29,7 @@ in imports = [ (mkRemovedOptionModule [ "sdImage" "bootPartitionID" ] "The FAT partition for SD image now only holds the Raspberry Pi firmware files. Use firmwarePartitionID to configure that partition's ID.") (mkRemovedOptionModule [ "sdImage" "bootSize" ] "The boot files for SD image have been moved to the main ext4 partition. The FAT partition now only holds the Raspberry Pi firmware files. Changing its size may not be required.") + ../../profiles/all-hardware.nix ]; options.sdImage = { @@ -126,6 +127,13 @@ in ''; }; + expandOnBoot = mkOption { + type = types.bool; + default = true; + description = '' + Whether to configure the sd image to expand it's partition on boot. + ''; + }; }; config = { @@ -215,7 +223,7 @@ in ''; }) {}; - boot.postBootCommands = '' + boot.postBootCommands = lib.mkIf config.sdImage.expandOnBoot '' # On the first boot do some maintenance tasks if [ -f /nix-path-registration ]; then set -euo pipefail diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix index 6b1f54beee2ea..801e28cec44ae 100644 --- a/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,6 +1,6 @@ { - x86_64-linux = "/nix/store/iwfs2bfcy7lqwhri94p2i6jc87ih55zk-nix-2.3.10"; - i686-linux = "/nix/store/a3ccfvy9i5n418d5v0bir330kbcz3vj8-nix-2.3.10"; - aarch64-linux = "/nix/store/bh5g6cv7bv35iz853d3xv2sphn51ybmb-nix-2.3.10"; - x86_64-darwin = "/nix/store/8c98r6zlwn2d40qm7jnnrr2rdlqviszr-nix-2.3.10"; + x86_64-linux = "/nix/store/d1ppfhjhdwcsb4npfzyifv5z8i00fzsk-nix-2.3.11"; + i686-linux = "/nix/store/c6ikndcrzwpfn2sb5b9xb1f17p9b8iga-nix-2.3.11"; + aarch64-linux = "/nix/store/fb0lfrn0m8s197d264jzd64vhz9c8zbx-nix-2.3.11"; + x86_64-darwin = "/nix/store/qvb86ffv08q3r66qbd6nqifz425lyyhf-nix-2.3.11"; } diff --git a/nixos/modules/installer/virtualbox-demo.nix b/nixos/modules/installer/virtualbox-demo.nix index af3e1aecca713..2768e17590b39 100644 --- a/nixos/modules/installer/virtualbox-demo.nix +++ b/nixos/modules/installer/virtualbox-demo.nix @@ -44,7 +44,7 @@ with lib; # Enable GDM/GNOME by uncommenting above two lines and two lines below. # services.xserver.displayManager.gdm.enable = true; - # services.xserver.desktopManager.gnome3.enable = true; + # services.xserver.desktopManager.gnome.enable = true; # Set your time zone. # time.timeZone = "Europe/Amsterdam"; diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 1fd56adfe103b..05cc5002aaf62 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -315,7 +315,7 @@ in restya-board = 284; mighttpd2 = 285; hass = 286; - monero = 287; + #monero = 287; # dynamically allocated as of 2021-05-08 ceph = 288; duplicati = 289; monetdb = 290; @@ -617,7 +617,7 @@ in restya-board = 284; mighttpd2 = 285; hass = 286; - monero = 287; + # monero = 287; # dynamically allocated as of 2021-05-08 ceph = 288; duplicati = 289; monetdb = 290; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index daa96e64f593e..aa4e2ccc46bce 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -76,7 +76,6 @@ ./hardware/wooting.nix ./hardware/uinput.nix ./hardware/video/amdgpu-pro.nix - ./hardware/video/ati.nix ./hardware/video/capture/mwprocapture.nix ./hardware/video/bumblebee.nix ./hardware/video/displaylink.nix @@ -114,6 +113,9 @@ ./programs/autojump.nix ./programs/bandwhich.nix ./programs/bash/bash.nix + ./programs/bash/bash-completion.nix + ./programs/bash/ls-colors.nix + ./programs/bash/undistract-me.nix ./programs/bash-my-aws.nix ./programs/bcc.nix ./programs/browserpass.nix @@ -130,6 +132,7 @@ ./programs/droidcam.nix ./programs/environment.nix ./programs/evince.nix + ./programs/feedbackd.nix ./programs/file-roller.nix ./programs/firejail.nix ./programs/fish.nix @@ -159,10 +162,12 @@ ./programs/neovim.nix ./programs/nm-applet.nix ./programs/npm.nix + ./programs/noisetorch.nix ./programs/oblogout.nix ./programs/partition-manager.nix ./programs/plotinus.nix ./programs/proxychains.nix + ./programs/phosh.nix ./programs/qt5ct.nix ./programs/screen.nix ./programs/sedutil.nix @@ -206,7 +211,6 @@ ./rename.nix ./security/acme.nix ./security/apparmor.nix - ./security/apparmor-suid.nix ./security/audit.nix ./security/auditd.nix ./security/ca.nix @@ -234,6 +238,7 @@ ./services/amqp/activemq/default.nix ./services/amqp/rabbitmq.nix ./services/audio/alsa.nix + ./services/audio/botamusique.nix ./services/audio/jack.nix ./services/audio/icecast.nix ./services/audio/jmusicbot.nix @@ -334,21 +339,21 @@ ./services/desktops/malcontent.nix ./services/desktops/pipewire/pipewire.nix ./services/desktops/pipewire/pipewire-media-session.nix - ./services/desktops/gnome3/at-spi2-core.nix - ./services/desktops/gnome3/chrome-gnome-shell.nix - ./services/desktops/gnome3/evolution-data-server.nix - ./services/desktops/gnome3/glib-networking.nix - ./services/desktops/gnome3/gnome-initial-setup.nix - ./services/desktops/gnome3/gnome-keyring.nix - ./services/desktops/gnome3/gnome-online-accounts.nix - ./services/desktops/gnome3/gnome-online-miners.nix - ./services/desktops/gnome3/gnome-remote-desktop.nix - ./services/desktops/gnome3/gnome-settings-daemon.nix - ./services/desktops/gnome3/gnome-user-share.nix - ./services/desktops/gnome3/rygel.nix - ./services/desktops/gnome3/sushi.nix - ./services/desktops/gnome3/tracker.nix - ./services/desktops/gnome3/tracker-miners.nix + ./services/desktops/gnome/at-spi2-core.nix + ./services/desktops/gnome/chrome-gnome-shell.nix + ./services/desktops/gnome/evolution-data-server.nix + ./services/desktops/gnome/glib-networking.nix + ./services/desktops/gnome/gnome-initial-setup.nix + ./services/desktops/gnome/gnome-keyring.nix + ./services/desktops/gnome/gnome-online-accounts.nix + ./services/desktops/gnome/gnome-online-miners.nix + ./services/desktops/gnome/gnome-remote-desktop.nix + ./services/desktops/gnome/gnome-settings-daemon.nix + ./services/desktops/gnome/gnome-user-share.nix + ./services/desktops/gnome/rygel.nix + ./services/desktops/gnome/sushi.nix + ./services/desktops/gnome/tracker.nix + ./services/desktops/gnome/tracker-miners.nix ./services/desktops/neard.nix ./services/desktops/profile-sync-daemon.nix ./services/desktops/system-config-printer.nix @@ -467,6 +472,7 @@ ./services/misc/cgminer.nix ./services/misc/confd.nix ./services/misc/couchpotato.nix + ./services/misc/dendrite.nix ./services/misc/devmon.nix ./services/misc/dictd.nix ./services/misc/duckling.nix @@ -632,6 +638,7 @@ ./services/network-filesystems/xtreemfs.nix ./services/network-filesystems/ceph.nix ./services/networking/3proxy.nix + ./services/networking/adguardhome.nix ./services/networking/amuled.nix ./services/networking/aria2.nix ./services/networking/asterisk.nix @@ -683,6 +690,7 @@ ./services/networking/gale.nix ./services/networking/gateone.nix ./services/networking/gdomap.nix + ./services/networking/ghostunnel.nix ./services/networking/git-daemon.nix ./services/networking/gnunet.nix ./services/networking/go-neb.nix @@ -798,6 +806,7 @@ ./services/networking/smartdns.nix ./services/networking/smokeping.nix ./services/networking/softether.nix + ./services/networking/solanum.nix ./services/networking/spacecookie.nix ./services/networking/spiped.nix ./services/networking/squid.nix @@ -889,6 +898,7 @@ ./services/system/kerberos/default.nix ./services/system/nscd.nix ./services/system/saslauthd.nix + ./services/system/self-deploy.nix ./services/system/uptimed.nix ./services/torrent/deluge.nix ./services/torrent/flexget.nix @@ -974,6 +984,7 @@ ./services/web-servers/shellinabox.nix ./services/web-servers/tomcat.nix ./services/web-servers/traefik.nix + ./services/web-servers/trafficserver.nix ./services/web-servers/ttyd.nix ./services/web-servers/uwsgi.nix ./services/web-servers/varnish/default.nix diff --git a/nixos/modules/profiles/all-hardware.nix b/nixos/modules/profiles/all-hardware.nix index d460c52dbefd4..797fcddb8c90b 100644 --- a/nixos/modules/profiles/all-hardware.nix +++ b/nixos/modules/profiles/all-hardware.nix @@ -37,6 +37,9 @@ in # drives. "uas" + # SD cards. + "sdhci_pci" + # Firewire support. Not tested. "ohci1394" "sbp2" @@ -46,11 +49,66 @@ in # VMware support. "mptspi" "vmxnet3" "vsock" ] ++ lib.optional platform.isx86 "vmw_balloon" - ++ lib.optionals (!platform.isAarch64) [ # not sure where else they're missing + ++ lib.optionals (!platform.isAarch64 && !platform.isAarch32) [ # not sure where else they're missing "vmw_vmci" "vmwgfx" "vmw_vsock_vmci_transport" # Hyper-V support. "hv_storvsc" + ] ++ lib.optionals (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [ + # Most of the following falls into two categories: + # - early KMS / early display + # - early storage (e.g. USB) support + + # Allows using framebuffer configured by the initial boot firmware + "simplefb" + + # Allwinner support + + # Required for early KMS + "sun4i-drm" + "sun8i-mixer" # Audio, but required for kms + + # PWM for the backlight + "pwm-sun4i" + + # Broadcom + + "vc4" + ] ++ lib.optionals pkgs.stdenv.isAarch64 [ + # Most of the following falls into two categories: + # - early KMS / early display + # - early storage (e.g. USB) support + + # Broadcom + + "pcie-brcmstb" + + # Rockchip + "dw-hdmi" + "dw-mipi-dsi" + "rockchipdrm" + "rockchip-rga" + "phy-rockchip-pcie" + "pcie-rockchip-host" + + # Misc. uncategorized hardware + + # Used for some platform's integrated displays + "panel-simple" + "pwm-bl" + + # Power supply drivers, some platforms need them for USB + "axp20x-ac-power" + "axp20x-battery" + "pinctrl-axp209" + "mp8859" + + # USB drivers + "xhci-pci-renesas" + + # Misc "weak" dependencies + "analogix-dp" + "analogix-anx6345" # For DP or eDP (e.g. integrated display) ]; # Include lots of firmware. diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 00aafc6831b25..3f8f78f012a70 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -36,6 +36,7 @@ with lib; security.virtualisation.flushL1DataCache = mkDefault "always"; security.apparmor.enable = mkDefault true; + security.apparmor.killUnconfinedConfinables = mkDefault true; boot.kernelParams = [ # Slab/slub sanity checks, redzoning, and poisoning diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index 7dc493fb495da..8e3aa20daa65d 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -99,5 +99,13 @@ with lib; # because we have the firewall enabled. This makes installs from the # console less cumbersome if the machine has a public IP. networking.firewall.logRefusedConnections = mkDefault false; + + # Prevent installation media from evacuating persistent storage, as their + # var directory is not persistent and it would thus result in deletion of + # those entries. + environment.etc."systemd/pstore.conf".text = '' + [PStore] + Unlink=no + ''; }; } diff --git a/nixos/modules/programs/atop.nix b/nixos/modules/programs/atop.nix index 7ef8d687ca17f..b45eb16e3eaf6 100644 --- a/nixos/modules/programs/atop.nix +++ b/nixos/modules/programs/atop.nix @@ -1,6 +1,6 @@ # Global configuration for atop. -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with lib; @@ -12,11 +12,85 @@ in options = { - programs.atop = { + programs.atop = rec { + enable = mkEnableOption "Atop"; + + package = mkOption { + type = types.package; + default = pkgs.atop; + defaultText = "pkgs.atop"; + description = '' + Which package to use for Atop. + ''; + }; + + netatop = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to install and enable the netatop kernel module. + Note: this sets the kernel taint flag "O" for loading out-of-tree modules. + ''; + }; + package = mkOption { + type = types.package; + default = config.boot.kernelPackages.netatop; + defaultText = "config.boot.kernelPackages.netatop"; + description = '' + Which package to use for netatop. + ''; + }; + }; + + atopgpu.enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to install and enable the atopgpud daemon to get information about + NVIDIA gpus. + ''; + }; + + setuidWrapper.enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to install a setuid wrapper for Atop. This is required to use some of + the features as non-root user (e.g.: ipc information, netatop, atopgpu). + Atop tries to drop the root privileges shortly after starting. + ''; + }; + + atopService.enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the atop service responsible for storing statistics for + long-term analysis. + ''; + }; + atopRotateTimer.enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the atop-rotate timer, which restarts the atop service + daily to make sure the data files are rotate. + ''; + }; + atopacctService.enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the atopacct service which manages process accounting. + This allows Atop to gather data about processes that disappeared in between + two refresh intervals. + ''; + }; settings = mkOption { type = types.attrs; - default = {}; + default = { }; example = { flags = "a1f"; interval = 5; @@ -25,12 +99,50 @@ in Parameters to be written to <filename>/etc/atoprc</filename>. ''; }; - }; }; - config = mkIf (cfg.settings != {}) { - environment.etc.atoprc.text = - concatStrings (mapAttrsToList (n: v: "${n} ${toString v}\n") cfg.settings); - }; + config = mkIf cfg.enable ( + let + atop = + if cfg.atopgpu.enable then + (cfg.package.override { withAtopgpu = true; }) + else + cfg.package; + in + { + environment.etc = mkIf (cfg.settings != { }) { + atoprc.text = concatStrings + (mapAttrsToList + (n: v: '' + ${n} ${toString v} + '') + cfg.settings); + }; + environment.systemPackages = [ atop (lib.mkIf cfg.netatop.enable cfg.netatop.package) ]; + boot.extraModulePackages = [ (lib.mkIf cfg.netatop.enable cfg.netatop.package) ]; + systemd = + let + mkSystemd = type: cond: name: restartTriggers: { + ${name} = lib.mkIf cond { + inherit restartTriggers; + wantedBy = [ (if type == "services" then "multi-user.target" else if type == "timers" then "timers.target" else null) ]; + }; + }; + mkService = mkSystemd "services"; + mkTimer = mkSystemd "timers"; + in + { + packages = [ atop (lib.mkIf cfg.netatop.enable cfg.netatop.package) ]; + services = + mkService cfg.atopService.enable "atop" [ atop ] + // mkService cfg.atopacctService.enable "atopacct" [ atop ] + // mkService cfg.netatop.enable "netatop" [ cfg.netatop.package ] + // mkService cfg.atopgpu.enable "atopgpu" [ atop ]; + timers = mkTimer cfg.atopRotateTimer.enable "atop-rotate" [ atop ]; + }; + security.wrappers = + lib.mkIf cfg.setuidWrapper.enable { atop = { source = "${atop}/bin/atop"; }; }; + } + ); } diff --git a/nixos/modules/programs/bash/bash-completion.nix b/nixos/modules/programs/bash/bash-completion.nix new file mode 100644 index 0000000000000..f07b1b636ef92 --- /dev/null +++ b/nixos/modules/programs/bash/bash-completion.nix @@ -0,0 +1,37 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + enable = config.programs.bash.enableCompletion; +in +{ + options = { + programs.bash.enableCompletion = mkEnableOption "Bash completion for all interactive bash shells" // { + default = true; + }; + }; + + config = mkIf enable { + programs.bash.promptPluginInit = '' + # Check whether we're running a version of Bash that has support for + # programmable completion. If we do, enable all modules installed in + # the system and user profile in obsolete /etc/bash_completion.d/ + # directories. Bash loads completions in all + # $XDG_DATA_DIRS/bash-completion/completions/ + # on demand, so they do not need to be sourced here. + if shopt -q progcomp &>/dev/null; then + . "${pkgs.bash-completion}/etc/profile.d/bash_completion.sh" + nullglobStatus=$(shopt -p nullglob) + shopt -s nullglob + for p in $NIX_PROFILES; do + for m in "$p/etc/bash_completion.d/"*; do + . $m + done + done + eval "$nullglobStatus" + unset nullglobStatus p m + fi + ''; + }; +} diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix index 1b3254b54a598..908ab34b08d0b 100644 --- a/nixos/modules/programs/bash/bash.nix +++ b/nixos/modules/programs/bash/bash.nix @@ -11,31 +11,6 @@ let cfg = config.programs.bash; - bashCompletion = optionalString cfg.enableCompletion '' - # Check whether we're running a version of Bash that has support for - # programmable completion. If we do, enable all modules installed in - # the system and user profile in obsolete /etc/bash_completion.d/ - # directories. Bash loads completions in all - # $XDG_DATA_DIRS/bash-completion/completions/ - # on demand, so they do not need to be sourced here. - if shopt -q progcomp &>/dev/null; then - . "${pkgs.bash-completion}/etc/profile.d/bash_completion.sh" - nullglobStatus=$(shopt -p nullglob) - shopt -s nullglob - for p in $NIX_PROFILES; do - for m in "$p/etc/bash_completion.d/"*; do - . $m - done - done - eval "$nullglobStatus" - unset nullglobStatus p m - fi - ''; - - lsColors = optionalString cfg.enableLsColors '' - eval "$(${pkgs.coreutils}/bin/dircolors -b)" - ''; - bashAliases = concatStringsSep "\n" ( mapAttrsFlatten (k: v: "alias ${k}=${escapeShellArg v}") (filterAttrs (k: v: v != null) cfg.shellAliases) @@ -123,20 +98,13 @@ in type = types.lines; }; - enableCompletion = mkOption { - default = true; - description = '' - Enable Bash completion for all interactive bash shells. - ''; - type = types.bool; - }; - - enableLsColors = mkOption { - default = true; + promptPluginInit = mkOption { + default = ""; description = '' - Enable extra colors in directory listings. + Shell script code used to initialise bash prompt plugins. ''; - type = types.bool; + type = types.lines; + internal = true; }; }; @@ -167,8 +135,7 @@ in set +h ${cfg.promptInit} - ${bashCompletion} - ${lsColors} + ${cfg.promptPluginInit} ${bashAliases} ${cfge.interactiveShellInit} diff --git a/nixos/modules/programs/bash/ls-colors.nix b/nixos/modules/programs/bash/ls-colors.nix new file mode 100644 index 0000000000000..254ee14c477d6 --- /dev/null +++ b/nixos/modules/programs/bash/ls-colors.nix @@ -0,0 +1,20 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + enable = config.programs.bash.enableLsColors; +in +{ + options = { + programs.bash.enableLsColors = mkEnableOption "extra colors in directory listings" // { + default = true; + }; + }; + + config = mkIf enable { + programs.bash.promptPluginInit = '' + eval "$(${pkgs.coreutils}/bin/dircolors -b)" + ''; + }; +} diff --git a/nixos/modules/programs/bash/undistract-me.nix b/nixos/modules/programs/bash/undistract-me.nix new file mode 100644 index 0000000000000..0e6465e048a10 --- /dev/null +++ b/nixos/modules/programs/bash/undistract-me.nix @@ -0,0 +1,36 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.programs.bash.undistractMe; +in +{ + options = { + programs.bash.undistractMe = { + enable = mkEnableOption "notifications when long-running terminal commands complete"; + + playSound = mkEnableOption "notification sounds when long-running terminal commands complete"; + + timeout = mkOption { + default = 10; + description = '' + Number of seconds it would take for a command to be considered long-running. + ''; + type = types.int; + }; + }; + }; + + config = mkIf cfg.enable { + programs.bash.promptPluginInit = '' + export LONG_RUNNING_COMMAND_TIMEOUT=${toString cfg.timeout} + export UDM_PLAY_SOUND=${if cfg.playSound then "1" else "0"} + . "${pkgs.undistract-me}/etc/profile.d/undistract-me.sh" + ''; + }; + + meta = { + maintainers = with maintainers; [ kira-bruneau ]; + }; +} diff --git a/nixos/modules/programs/dconf.nix b/nixos/modules/programs/dconf.nix index ec85cb9d18c91..298abac8afa98 100644 --- a/nixos/modules/programs/dconf.nix +++ b/nixos/modules/programs/dconf.nix @@ -54,6 +54,8 @@ in services.dbus.packages = [ pkgs.dconf ]; + systemd.packages = [ pkgs.dconf ]; + # For dconf executable environment.systemPackages = [ pkgs.dconf ]; diff --git a/nixos/modules/programs/feedbackd.nix b/nixos/modules/programs/feedbackd.nix new file mode 100644 index 0000000000000..bb14489a6f4dc --- /dev/null +++ b/nixos/modules/programs/feedbackd.nix @@ -0,0 +1,32 @@ +{ pkgs, lib, config, ... }: + +with lib; + +let + cfg = config.programs.feedbackd; +in { + options = { + programs.feedbackd = { + enable = mkEnableOption '' + Whether to enable the feedbackd D-BUS service and udev rules. + + Your user needs to be in the `feedbackd` group to trigger effects. + ''; + package = mkOption { + description = '' + Which feedbackd package to use. + ''; + type = types.package; + default = pkgs.feedbackd; + }; + }; + }; + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + + services.dbus.packages = [ cfg.package ]; + services.udev.packages = [ cfg.package ]; + + users.groups.feedbackd = {}; + }; +} diff --git a/nixos/modules/programs/file-roller.nix b/nixos/modules/programs/file-roller.nix index 64f6a94e7641b..b939d59909c0d 100644 --- a/nixos/modules/programs/file-roller.nix +++ b/nixos/modules/programs/file-roller.nix @@ -30,9 +30,9 @@ with lib; config = mkIf config.programs.file-roller.enable { - environment.systemPackages = [ pkgs.gnome3.file-roller ]; + environment.systemPackages = [ pkgs.gnome.file-roller ]; - services.dbus.packages = [ pkgs.gnome3.file-roller ]; + services.dbus.packages = [ pkgs.gnome.file-roller ]; }; diff --git a/nixos/modules/programs/geary.nix b/nixos/modules/programs/geary.nix index 5e441a75cb602..407680c30dc3d 100644 --- a/nixos/modules/programs/geary.nix +++ b/nixos/modules/programs/geary.nix @@ -15,10 +15,10 @@ in { }; config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.gnome3.geary ]; + environment.systemPackages = [ pkgs.gnome.geary ]; programs.dconf.enable = true; - services.gnome3.gnome-keyring.enable = true; - services.gnome3.gnome-online-accounts.enable = true; + services.gnome.gnome-keyring.enable = true; + services.gnome.gnome-online-accounts.enable = true; }; } diff --git a/nixos/modules/programs/gnome-disks.nix b/nixos/modules/programs/gnome-disks.nix index 80dc2983ea504..4b128b4712650 100644 --- a/nixos/modules/programs/gnome-disks.nix +++ b/nixos/modules/programs/gnome-disks.nix @@ -41,9 +41,9 @@ with lib; config = mkIf config.programs.gnome-disks.enable { - environment.systemPackages = [ pkgs.gnome3.gnome-disk-utility ]; + environment.systemPackages = [ pkgs.gnome.gnome-disk-utility ]; - services.dbus.packages = [ pkgs.gnome3.gnome-disk-utility ]; + services.dbus.packages = [ pkgs.gnome.gnome-disk-utility ]; }; diff --git a/nixos/modules/programs/gnome-documents.nix b/nixos/modules/programs/gnome-documents.nix index 9dd53483055cd..43ad3163efd85 100644 --- a/nixos/modules/programs/gnome-documents.nix +++ b/nixos/modules/programs/gnome-documents.nix @@ -13,7 +13,7 @@ with lib; # Added 2019-08-09 imports = [ (mkRenamedOptionModule - [ "services" "gnome3" "gnome-documents" "enable" ] + [ "services" "gnome" "gnome-documents" "enable" ] [ "programs" "gnome-documents" "enable" ]) ]; @@ -41,13 +41,13 @@ with lib; config = mkIf config.programs.gnome-documents.enable { - environment.systemPackages = [ pkgs.gnome3.gnome-documents ]; + environment.systemPackages = [ pkgs.gnome.gnome-documents ]; - services.dbus.packages = [ pkgs.gnome3.gnome-documents ]; + services.dbus.packages = [ pkgs.gnome.gnome-documents ]; - services.gnome3.gnome-online-accounts.enable = true; + services.gnome.gnome-online-accounts.enable = true; - services.gnome3.gnome-online-miners.enable = true; + services.gnome.gnome-online-miners.enable = true; }; diff --git a/nixos/modules/programs/gnome-terminal.nix b/nixos/modules/programs/gnome-terminal.nix index f2617e5bc0385..71a6b217880c5 100644 --- a/nixos/modules/programs/gnome-terminal.nix +++ b/nixos/modules/programs/gnome-terminal.nix @@ -28,9 +28,9 @@ in }; config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.gnome3.gnome-terminal ]; - services.dbus.packages = [ pkgs.gnome3.gnome-terminal ]; - systemd.packages = [ pkgs.gnome3.gnome-terminal ]; + environment.systemPackages = [ pkgs.gnome.gnome-terminal ]; + services.dbus.packages = [ pkgs.gnome.gnome-terminal ]; + systemd.packages = [ pkgs.gnome.gnome-terminal ]; programs.bash.vteIntegration = true; programs.zsh.vteIntegration = true; diff --git a/nixos/modules/programs/gpaste.nix b/nixos/modules/programs/gpaste.nix index 8bc52c28d814b..cff2fb8d00348 100644 --- a/nixos/modules/programs/gpaste.nix +++ b/nixos/modules/programs/gpaste.nix @@ -27,10 +27,10 @@ with lib; ###### implementation config = mkIf config.programs.gpaste.enable { - environment.systemPackages = [ pkgs.gnome3.gpaste ]; - services.dbus.packages = [ pkgs.gnome3.gpaste ]; - systemd.packages = [ pkgs.gnome3.gpaste ]; + environment.systemPackages = [ pkgs.gnome.gpaste ]; + services.dbus.packages = [ pkgs.gnome.gpaste ]; + systemd.packages = [ pkgs.gnome.gpaste ]; # gnome-control-center crashes in Keyboard Shortcuts pane without the GSettings schemas. - services.xserver.desktopManager.gnome3.sessionPath = [ pkgs.gnome3.gpaste ]; + services.xserver.desktopManager.gnome.sessionPath = [ pkgs.gnome.gpaste ]; }; } diff --git a/nixos/modules/programs/noisetorch.nix b/nixos/modules/programs/noisetorch.nix new file mode 100644 index 0000000000000..5f3b0c8f5d1ee --- /dev/null +++ b/nixos/modules/programs/noisetorch.nix @@ -0,0 +1,25 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let cfg = config.programs.noisetorch; +in { + options.programs.noisetorch = { + enable = mkEnableOption "noisetorch + setcap wrapper"; + + package = mkOption { + type = types.package; + default = pkgs.noisetorch; + description = '' + The noisetorch package to use. + ''; + }; + }; + + config = mkIf cfg.enable { + security.wrappers.noisetorch = { + source = "${cfg.package}/bin/noisetorch"; + capabilities = "cap_sys_resource=+ep"; + }; + }; +} diff --git a/nixos/modules/programs/phosh.nix b/nixos/modules/programs/phosh.nix new file mode 100644 index 0000000000000..1f50065f78187 --- /dev/null +++ b/nixos/modules/programs/phosh.nix @@ -0,0 +1,159 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.programs.phosh; + + # Based on https://source.puri.sm/Librem5/librem5-base/-/blob/4596c1056dd75ac7f043aede07887990fd46f572/default/sm.puri.OSK0.desktop + oskItem = pkgs.makeDesktopItem { + name = "sm.puri.OSK0"; + type = "Application"; + desktopName = "On-screen keyboard"; + exec = "${pkgs.squeekboard}/bin/squeekboard"; + categories = "GNOME;Core;"; + extraEntries = '' + OnlyShowIn=GNOME; + NoDisplay=true + X-GNOME-Autostart-Phase=Panel + X-GNOME-Provides=inputmethod + X-GNOME-Autostart-Notify=true + X-GNOME-AutoRestart=true + ''; + }; + + phocConfigType = types.submodule { + options = { + xwayland = mkOption { + description = '' + Whether to enable XWayland support. + + To start XWayland immediately, use `immediate`. + ''; + type = types.enum [ "true" "false" "immediate" ]; + default = "false"; + }; + cursorTheme = mkOption { + description = '' + Cursor theme to use in Phosh. + ''; + type = types.str; + default = "default"; + }; + outputs = mkOption { + description = '' + Output configurations. + ''; + type = types.attrsOf phocOutputType; + default = { + DSI-1 = { + scale = 2; + }; + }; + }; + }; + }; + + phocOutputType = types.submodule { + options = { + modeline = mkOption { + description = '' + One or more modelines. + ''; + type = types.either types.str (types.listOf types.str); + default = []; + example = [ + "87.25 720 776 848 976 1440 1443 1453 1493 -hsync +vsync" + "65.13 768 816 896 1024 1024 1025 1028 1060 -HSync +VSync" + ]; + }; + mode = mkOption { + description = '' + Default video mode. + ''; + type = types.nullOr types.str; + default = null; + example = "768x1024"; + }; + scale = mkOption { + description = '' + Display scaling factor. + ''; + type = types.nullOr types.ints.unsigned; + default = null; + example = 2; + }; + rotate = mkOption { + description = '' + Screen transformation. + ''; + type = types.enum [ + "90" "180" "270" "flipped" "flipped-90" "flipped-180" "flipped-270" null + ]; + default = null; + }; + }; + }; + + optionalKV = k: v: if v == null then "" else "${k} = ${builtins.toString v}"; + + renderPhocOutput = name: output: let + modelines = if builtins.isList output.modeline + then output.modeline + else [ output.modeline ]; + renderModeline = l: "modeline = ${l}"; + in '' + [output:${name}] + ${concatStringsSep "\n" (map renderModeline modelines)} + ${optionalKV "mode" output.mode} + ${optionalKV "scale" output.scale} + ${optionalKV "rotate" output.rotate} + ''; + + renderPhocConfig = phoc: let + outputs = mapAttrsToList renderPhocOutput phoc.outputs; + in '' + [core] + xwayland = ${phoc.xwayland} + ${concatStringsSep "\n" outputs} + [cursor] + theme = ${phoc.cursorTheme} + ''; +in { + options = { + programs.phosh = { + enable = mkEnableOption '' + Whether to enable, Phosh, related packages and default configurations. + ''; + phocConfig = mkOption { + description = '' + Configurations for the Phoc compositor. + ''; + type = types.oneOf [ types.lines types.path phocConfigType ]; + default = {}; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ + pkgs.phoc + pkgs.phosh + pkgs.squeekboard + oskItem + ]; + + programs.feedbackd.enable = true; + + security.pam.services.phosh = {}; + + services.gnome.core-shell.enable = true; + services.gnome.core-os-services.enable = true; + services.xserver.displayManager.sessionPackages = [ pkgs.phosh ]; + + environment.etc."phosh/phoc.ini".source = + if builtins.isPath cfg.phocConfig then cfg.phocConfig + else if builtins.isString cfg.phocConfig then pkgs.writeText "phoc.ini" cfg.phocConfig + else pkgs.writeText "phoc.ini" (renderPhocConfig cfg.phocConfig); + }; +} diff --git a/nixos/modules/programs/seahorse.nix b/nixos/modules/programs/seahorse.nix index b229d2a2c0db0..c0a356bff57c1 100644 --- a/nixos/modules/programs/seahorse.nix +++ b/nixos/modules/programs/seahorse.nix @@ -31,14 +31,14 @@ with lib; config = mkIf config.programs.seahorse.enable { - programs.ssh.askPassword = mkDefault "${pkgs.gnome3.seahorse}/libexec/seahorse/ssh-askpass"; + programs.ssh.askPassword = mkDefault "${pkgs.gnome.seahorse}/libexec/seahorse/ssh-askpass"; environment.systemPackages = [ - pkgs.gnome3.seahorse + pkgs.gnome.seahorse ]; services.dbus.packages = [ - pkgs.gnome3.seahorse + pkgs.gnome.seahorse ]; }; diff --git a/nixos/modules/programs/sway.nix b/nixos/modules/programs/sway.nix index 107e783c0c212..3c09d9f00fd5d 100644 --- a/nixos/modules/programs/sway.nix +++ b/nixos/modules/programs/sway.nix @@ -31,6 +31,7 @@ let extraOptions = cfg.extraOptions; withBaseWrapper = cfg.wrapperFeatures.base; withGtkWrapper = cfg.wrapperFeatures.gtk; + isNixOS = true; }; in { options.programs.sway = { @@ -38,9 +39,8 @@ in { Sway, the i3-compatible tiling Wayland compositor. You can manually launch Sway by executing "exec sway" on a TTY. Copy /etc/sway/config to ~/.config/sway/config to modify the default configuration. See - https://github.com/swaywm/sway/wiki and "man 5 sway" for more information. - Please have a look at the "extraSessionCommands" example for running - programs natively under Wayland''; + <link xlink:href="https://github.com/swaywm/sway/wiki" /> and + "man 5 sway" for more information''; wrapperFeatures = mkOption { type = wrapperOptions; @@ -55,16 +55,20 @@ in { type = types.lines; default = ""; example = '' + # SDL: export SDL_VIDEODRIVER=wayland - # needs qt5.qtwayland in systemPackages - export QT_QPA_PLATFORM=wayland + # QT (needs qt5.qtwayland in systemPackages): + export QT_QPA_PLATFORM=wayland-egl export QT_WAYLAND_DISABLE_WINDOWDECORATION="1" # Fix for some Java AWT applications (e.g. Android Studio), # use this if they aren't displayed properly: export _JAVA_AWT_WM_NONREPARENTING=1 ''; description = '' - Shell commands executed just before Sway is started. + Shell commands executed just before Sway is started. See + <link xlink:href="https://github.com/swaywm/sway/wiki/Running-programs-natively-under-wayland" /> + and <link xlink:href="https://github.com/swaywm/wlroots/blob/master/docs/env_vars.md" /> + for some useful environment variables. ''; }; @@ -94,13 +98,15 @@ in { ''; example = literalExample '' with pkgs; [ - xwayland i3status i3status-rust termite rofi light ] ''; description = '' - Extra packages to be installed system wide. + Extra packages to be installed system wide. See + <link xlink:href="https://github.com/swaywm/sway/wiki/Useful-add-ons-for-sway" /> and + <link xlink:href="https://github.com/swaywm/sway/wiki/i3-Migration-Guide#common-x11-apps-used-on-i3-with-wayland-alternatives" /> + for a list of useful software. ''; }; @@ -120,8 +126,11 @@ in { systemPackages = [ swayPackage ] ++ cfg.extraPackages; etc = { "sway/config".source = mkOptionDefault "${swayPackage}/etc/sway/config"; - #"sway/security.d".source = mkOptionDefault "${swayPackage}/etc/sway/security.d/"; - #"sway/config.d".source = mkOptionDefault "${swayPackage}/etc/sway/config.d/"; + "sway/config.d/nixos.conf".source = pkgs.writeText "nixos.conf" '' + # Import the most important environment variables into the D-Bus and systemd + # user environments (e.g. required for screen sharing and Pinentry prompts): + exec dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP + ''; }; }; security.pam.services.swaylock = {}; @@ -131,7 +140,9 @@ in { # To make a Sway session available if a display manager like SDDM is enabled: services.xserver.displayManager.sessionPackages = [ swayPackage ]; programs.xwayland.enable = mkDefault true; + # For screen sharing (this option only has an effect with xdg.portal.enable): + xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-wlr ]; }; - meta.maintainers = with lib.maintainers; [ gnidorah primeos colemickens ]; + meta.maintainers = with lib.maintainers; [ primeos colemickens ]; } diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix deleted file mode 100644 index 6c479e070e2b2..0000000000000 --- a/nixos/modules/security/apparmor-suid.nix +++ /dev/null @@ -1,49 +0,0 @@ -{ config, lib, pkgs, ... }: -let - cfg = config.security.apparmor; -in -with lib; -{ - imports = [ - (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) - ]; - - options.security.apparmor.confineSUIDApplications = mkOption { - type = types.bool; - default = true; - description = '' - Install AppArmor profiles for commonly-used SUID application - to mitigate potential privilege escalation attacks due to bugs - in such applications. - - Currently available profiles: ping - ''; - }; - - config = mkIf (cfg.confineSUIDApplications) { - security.apparmor.profiles = [ (pkgs.writeText "ping" '' - #include <tunables/global> - /run/wrappers/bin/ping { - #include <abstractions/base> - #include <abstractions/consoles> - #include <abstractions/nameservice> - - capability net_raw, - capability setuid, - network inet raw, - - ${pkgs.stdenv.cc.libc.out}/lib/*.so mr, - ${pkgs.libcap.lib}/lib/libcap.so* mr, - ${pkgs.attr.out}/lib/libattr.so* mr, - - ${pkgs.iputils}/bin/ping mixr, - - #/etc/modules.conf r, - - ## Site-specific additions and overrides. See local/README for details. - ##include <local/bin.ping> - } - '') ]; - }; - -} diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index cfc65b347bc69..be1b0362fc131 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -1,59 +1,216 @@ { config, lib, pkgs, ... }: +with lib; + let - inherit (lib) mkIf mkOption types concatMapStrings; + inherit (builtins) attrNames head map match readFile; + inherit (lib) types; + inherit (config.environment) etc; cfg = config.security.apparmor; + mkDisableOption = name: mkEnableOption name // { + default = true; + example = false; + }; + enabledPolicies = filterAttrs (n: p: p.enable) cfg.policies; in { - options = { - security.apparmor = { - enable = mkOption { - type = types.bool; - default = false; - description = "Enable the AppArmor Mandatory Access Control system."; - }; - profiles = mkOption { - type = types.listOf types.path; - default = []; - description = "List of files containing AppArmor profiles."; - }; - packages = mkOption { - type = types.listOf types.package; - default = []; - description = "List of packages to be added to apparmor's include path"; - }; - }; - }; - - config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.apparmor-utils ]; - - boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; - - systemd.services.apparmor = let - paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d") - ([ pkgs.apparmor-profiles ] ++ cfg.packages); - in { - after = [ "local-fs.target" ]; - before = [ "sysinit.target" ]; - wantedBy = [ "multi-user.target" ]; - unitConfig = { - DefaultDependencies = "no"; - }; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - ExecStart = map (p: - ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"'' - ) cfg.profiles; - ExecStop = map (p: - ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"'' - ) cfg.profiles; - ExecReload = map (p: - ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"'' - ) cfg.profiles; - }; - }; - }; + imports = [ + (mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.") + (mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.") + apparmor/includes.nix + apparmor/profiles.nix + ]; + + options = { + security.apparmor = { + enable = mkEnableOption '' + the AppArmor Mandatory Access Control system. + + If you're enabling this module on a running system, + note that a reboot will be required to activate AppArmor in the kernel. + + Also, beware that enabling this module privileges stability over security + by not trying to kill unconfined but newly confinable running processes by default, + though it would be needed because AppArmor can only confine new + or already confined processes of an executable. + This killing would for instance be necessary when upgrading to a NixOS revision + introducing for the first time an AppArmor profile for the executable + of a running process. + + Enable <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/> + if you want this service to do such killing + by sending a <literal>SIGTERM</literal> to those running processes''; + policies = mkOption { + description = '' + AppArmor policies. + ''; + type = types.attrsOf (types.submodule ({ name, config, ... }: { + options = { + enable = mkDisableOption "loading of the profile into the kernel"; + enforce = mkDisableOption "enforcing of the policy or only complain in the logs"; + profile = mkOption { + description = "The policy of the profile."; + type = types.lines; + apply = pkgs.writeText name; + }; + }; + })); + default = {}; + }; + includes = mkOption { + type = types.attrsOf types.lines; + default = {}; + description = '' + List of paths to be added to AppArmor's searched paths + when resolving <literal>include</literal> directives. + ''; + apply = mapAttrs pkgs.writeText; + }; + packages = mkOption { + type = types.listOf types.package; + default = []; + description = "List of packages to be added to AppArmor's include path"; + }; + enableCache = mkEnableOption '' + caching of AppArmor policies + in <literal>/var/cache/apparmor/</literal>. + + Beware that AppArmor policies almost always contain Nix store paths, + and thus produce at each change of these paths + a new cached version accumulating in the cache''; + killUnconfinedConfinables = mkEnableOption '' + killing of processes which have an AppArmor profile enabled + (in <xref linkend="opt-security.apparmor.policies"/>) + but are not confined (because AppArmor can only confine new processes). + + This is only sending a gracious <literal>SIGTERM</literal> signal to the processes, + not a <literal>SIGKILL</literal>. + + Beware that due to a current limitation of AppArmor, + only profiles with exact paths (and no name) can enable such kills''; + }; + }; + + config = mkIf cfg.enable { + assertions = map (policy: + { assertion = match ".*/.*" policy == null; + message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash."; + # Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions + # which does not recurse into sub-directories. + } + ) (attrNames cfg.policies); + + environment.systemPackages = [ + pkgs.apparmor-utils + pkgs.apparmor-bin-utils + ]; + environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" ( + # It's important to put only enabledPolicies here and not all cfg.policies + # because aa-remove-unknown reads profiles from all /etc/apparmor.d/* + mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++ + mapAttrsToList (name: path: { inherit name path; }) cfg.includes + ); + environment.etc."apparmor/parser.conf".text = '' + ${if cfg.enableCache then "write-cache" else "skip-cache"} + cache-loc /var/cache/apparmor + Include /etc/apparmor.d + '' + + concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages; + # For aa-logprof + environment.etc."apparmor/apparmor.conf".text = '' + ''; + # For aa-logprof + environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db"; + environment.etc."apparmor/logprof.conf".source = pkgs.runCommand "logprof.conf" { + header = '' + [settings] + # /etc/apparmor.d/ is read-only on NixOS + profiledir = /var/cache/apparmor/logprof + inactive_profiledir = /etc/apparmor.d/disable + # Use: journalctl -b --since today --grep audit: | aa-logprof + logfiles = /dev/stdin + + parser = ${pkgs.apparmor-parser}/bin/apparmor_parser + ldd = ${pkgs.glibc.bin}/bin/ldd + logger = ${pkgs.util-linux}/bin/logger + + # customize how file ownership permissions are presented + # 0 - off + # 1 - default of what ever mode the log reported + # 2 - force the new permissions to be user + # 3 - force all perms on the rule to be user + default_owner_prompt = 1 + + custom_includes = /etc/apparmor.d ${concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} + + [qualifiers] + ${pkgs.runtimeShell} = icnu + ${pkgs.bashInteractive}/bin/sh = icnu + ${pkgs.bashInteractive}/bin/bash = icnu + ${config.users.defaultUserShell} = icnu + ''; + footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf"; + passAsFile = [ "header" ]; + } '' + cp $headerPath $out + sed '1,/\[qualifiers\]/d' $footer >> $out + ''; + + boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; + + systemd.services.apparmor = { + after = [ + "local-fs.target" + "systemd-journald-audit.socket" + ]; + before = [ "sysinit.target" ]; + wantedBy = [ "multi-user.target" ]; + unitConfig = { + Description="Load AppArmor policies"; + DefaultDependencies = "no"; + ConditionSecurity = "apparmor"; + }; + # Reloading instead of restarting enables to load new AppArmor profiles + # without necessarily restarting all services which have Requires=apparmor.service + reloadIfChanged = true; + restartTriggers = [ + etc."apparmor/parser.conf".source + etc."apparmor.d".source + ]; + serviceConfig = let + killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" '' + set -eu + ${pkgs.apparmor-bin-utils}/bin/aa-status --json | + ${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' | + xargs --verbose --no-run-if-empty --delimiter='\n' \ + kill + ''; + commonOpts = p: "--verbose --show-cache ${optionalString (!p.enforce) "--complain "}${p.profile}"; + in { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown"; + ExecStart = mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies; + ExecStartPost = optional cfg.killUnconfinedConfinables killUnconfinedConfinables; + ExecReload = + # Add or replace into the kernel profiles in enabledPolicies + # (because AppArmor can do that without stopping the processes already confined). + mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++ + # Remove from the kernel any profile whose name is not + # one of the names within the content of the profiles in enabledPolicies + # (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory). + # Note that this does not remove profiles dynamically generated by libvirt. + [ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++ + # Optionaly kill the processes which are unconfined but now have a profile loaded + # (because AppArmor can only start to confine new processes). + optional cfg.killUnconfinedConfinables killUnconfinedConfinables; + ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown"; + CacheDirectory = [ "apparmor" "apparmor/logprof" ]; + CacheDirectoryMode = "0700"; + }; + }; + }; + + meta.maintainers = with maintainers; [ julm ]; } diff --git a/nixos/modules/security/apparmor/includes.nix b/nixos/modules/security/apparmor/includes.nix new file mode 100644 index 0000000000000..e3dd410b3bb57 --- /dev/null +++ b/nixos/modules/security/apparmor/includes.nix @@ -0,0 +1,317 @@ +{ config, lib, pkgs, ... }: +let + inherit (builtins) attrNames hasAttr isAttrs; + inherit (lib) getLib; + inherit (config.environment) etc; + # Utility to generate an AppArmor rule + # only when the given path exists in config.environment.etc + etcRule = arg: + let go = { path ? null, mode ? "r", trail ? "" }: + lib.optionalString (hasAttr path etc) + "${mode} ${config.environment.etc.${path}.source}${trail},"; + in if isAttrs arg + then go arg + else go { path = arg; }; +in +{ +# FIXME: most of the etcRule calls below have been +# written systematically by converting from apparmor-profiles's profiles +# without testing nor deep understanding of their uses, +# and thus may need more rules or can have less rules; +# this remains to be determined case by case, +# some may even be completely useless. +config.security.apparmor.includes = { + # This one is included by <tunables/global> + # which is usualy included before any profile. + "abstractions/tunables/alias" = '' + alias /bin -> /run/current-system/sw/bin, + alias /lib/modules -> /run/current-system/kernel/lib/modules, + alias /sbin -> /run/current-system/sw/sbin, + alias /usr -> /run/current-system/sw, + ''; + "abstractions/audio" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio" + '' + lib.concatMapStringsSep "\n" etcRule [ + "asound.conf" + "esound/esd.conf" + "libao.conf" + { path = "pulse"; trail = "/"; } + { path = "pulse"; trail = "/**"; } + { path = "sound"; trail = "/"; } + { path = "sound"; trail = "/**"; } + { path = "alsa/conf.d"; trail = "/"; } + { path = "alsa/conf.d"; trail = "/*"; } + "openal/alsoft.conf" + "wildmidi/wildmidi.conf" + ]; + "abstractions/authentication" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication" + # Defined in security.pam + include <abstractions/pam> + '' + lib.concatMapStringsSep "\n" etcRule [ + "nologin" + "securetty" + { path = "security"; trail = "/*"; } + "shadow" + "gshadow" + "pwdb.conf" + "default/passwd" + "login.defs" + ]; + "abstractions/base" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base" + r ${pkgs.stdenv.cc.libc}/share/locale/**, + r ${pkgs.stdenv.cc.libc}/share/locale.alias, + ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"} + ${etcRule "localtime"} + r ${pkgs.tzdata}/share/zoneinfo/**, + r ${pkgs.stdenv.cc.libc}/share/i18n/**, + ''; + "abstractions/bash" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash" + + # bash inspects filesystems at startup + # and /etc/mtab is linked to /proc/mounts + @{PROC}/mounts + + # system-wide bash configuration + '' + lib.concatMapStringsSep "\n" etcRule [ + "profile.dos" + "profile" + "profile.d" + { path = "profile.d"; trail = "/*"; } + "bashrc" + "bash.bashrc" + "bash.bashrc.local" + "bash_completion" + "bash_completion.d" + { path = "bash_completion.d"; trail = "/*"; } + # bash relies on system-wide readline configuration + "inputrc" + # run out of /etc/bash.bashrc + "DIR_COLORS" + ]; + "abstractions/consoles" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles" + ''; + "abstractions/cups-client" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client" + ${etcRule "cups/cups-client.conf"} + ''; + "abstractions/dbus-session-strict" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict" + ${etcRule "machine-id"} + ''; + "abstractions/dconf" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf" + ${etcRule { path = "dconf"; trail = "/**"; }} + ''; + "abstractions/dri-common" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common" + ${etcRule "drirc"} + ''; + # The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/ + # by symlinking them but without exporting them outside of its NixOS module, + # those are therefore added there to this "abstractions/fonts". + "abstractions/fonts" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts" + ${etcRule { path = "fonts"; trail = "/**"; }} + ''; + "abstractions/gnome" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome" + include <abstractions/fonts> + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "gnome"; trail = "/gtkrc*"; } + { path = "gtk"; trail = "/*"; } + { path = "gtk-2.0"; trail = "/*"; } + { path = "gtk-3.0"; trail = "/*"; } + "orbitrc" + { path = "pango"; trail = "/*"; } + { path = "/etc/gnome-vfs-2.0"; trail = "/modules/"; } + { path = "/etc/gnome-vfs-2.0"; trail = "/modules/*"; } + "papersize" + { path = "cups"; trail = "/lpoptions"; } + { path = "gnome"; trail = "/defaults.list"; } + { path = "xdg"; trail = "/{,*-}mimeapps.list"; } + "xdg/mimeapps.list" + ]; + "abstractions/kde" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde" + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "qt3"; trail = "/kstylerc"; } + { path = "qt3"; trail = "/qt_plugins_3.3rc"; } + { path = "qt3"; trail = "/qtrc"; } + "kderc" + { path = "kde3"; trail = "/*"; } + "kde4rc" + { path = "xdg"; trail = "/kdeglobals"; } + { path = "xdg"; trail = "/Trolltech.conf"; } + ]; + "abstractions/kerberosclient" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient" + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "krb5.keytab"; mode="rk"; } + "krb5.conf" + "krb5.conf.d" + { path = "krb5.conf.d"; trail = "/*"; } + + # config files found via strings on libs + "krb.conf" + "krb.realms" + "srvtab" + ]; + "abstractions/ldapclient" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient" + '' + lib.concatMapStringsSep "\n" etcRule [ + "ldap.conf" + "ldap.secret" + { path = "openldap"; trail = "/*"; } + { path = "openldap"; trail = "/cacerts/*"; } + { path = "sasl2"; trail = "/*"; } + ]; + "abstractions/likewise" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise" + ''; + "abstractions/mdns" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns" + ${etcRule "nss_mdns.conf"} + ''; + "abstractions/nameservice" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice" + + # Many programs wish to perform nameservice-like operations, such as + # looking up users by name or id, groups by name or id, hosts by name + # or IP, etc. These operations may be performed through files, dns, + # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. + mr ${getLib pkgs.nss}/lib/libnss_*.so*, + mr ${getLib pkgs.nss}/lib64/libnss_*.so*, + '' + lib.concatMapStringsSep "\n" etcRule [ + "group" + "host.conf" + "hosts" + "nsswitch.conf" + "gai.conf" + "passwd" + "protocols" + + # libtirpc (used for NIS/YP login) needs this + "netconfig" + + "resolv.conf" + + { path = "samba"; trail = "/lmhosts"; } + "services" + + "default/nss" + + # libnl-3-200 via libnss-gw-name + { path = "libnl"; trail = "/classid"; } + { path = "libnl-3"; trail = "/classid"; } + ]; + "abstractions/nis" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis" + ''; + "abstractions/nvidia" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia" + ${etcRule "vdpau_wrapper.cfg"} + ''; + "abstractions/opencl-common" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common" + ${etcRule { path = "OpenCL"; trail = "/**"; }} + ''; + "abstractions/opencl-mesa" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa" + ${etcRule "default/drirc"} + ''; + "abstractions/openssl" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl" + ${etcRule { path = "ssl"; trail = "/openssl.cnf"; }} + ''; + "abstractions/p11-kit" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit" + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "pkcs11"; trail = "/"; } + { path = "pkcs11"; trail = "/pkcs11.conf"; } + { path = "pkcs11"; trail = "/modules/"; } + { path = "pkcs11"; trail = "/modules/*"; } + ]; + "abstractions/perl" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl" + ${etcRule { path = "perl"; trail = "/**"; }} + ''; + "abstractions/php" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php" + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "php"; trail = "/**/"; } + { path = "php5"; trail = "/**/"; } + { path = "php7"; trail = "/**/"; } + { path = "php"; trail = "/**.ini"; } + { path = "php5"; trail = "/**.ini"; } + { path = "php7"; trail = "/**.ini"; } + ]; + "abstractions/postfix-common" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common" + '' + lib.concatMapStringsSep "\n" etcRule [ + "mailname" + { path = "postfix"; trail = "/*.cf"; } + "postfix/main.cf" + "postfix/master.cf" + ]; + "abstractions/python" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python" + ''; + "abstractions/qt5" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5" + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "xdg"; trail = "/QtProject/qtlogging.ini"; } + { path = "xdg/QtProject"; trail = "/qtlogging.ini"; } + "xdg/QtProject/qtlogging.ini" + ]; + "abstractions/samba" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba" + ${etcRule { path = "samba"; trail = "/*"; }} + ''; + "abstractions/ssl_certs" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs" + + # For the NixOS module: security.acme + r /var/lib/acme/*/cert.pem, + r /var/lib/acme/*/chain.pem, + r /var/lib/acme/*/fullchain.pem, + + '' + lib.concatMapStringsSep "\n" etcRule [ + "ssl/certs/ca-certificates.crt" + "ssl/certs/ca-bundle.crt" + "pki/tls/certs/ca-bundle.crt" + + { path = "ssl/trust"; trail = "/"; } + { path = "ssl/trust"; trail = "/*"; } + { path = "ssl/trust/anchors"; trail = "/"; } + { path = "ssl/trust/anchors"; trail = "/**"; } + { path = "pki/trust"; trail = "/"; } + { path = "pki/trust"; trail = "/*"; } + { path = "pki/trust/anchors"; trail = "/"; } + { path = "pki/trust/anchors"; trail = "/**"; } + ]; + "abstractions/ssl_keys" = '' + # security.acme NixOS module + r /var/lib/acme/*/full.pem, + r /var/lib/acme/*/key.pem, + ''; + "abstractions/vulkan" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan" + ${etcRule { path = "vulkan/icd.d"; trail = "/"; }} + ${etcRule { path = "vulkan/icd.d"; trail = "/*.json"; }} + ''; + "abstractions/winbind" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind" + ${etcRule { path = "samba"; trail = "/smb.conf"; }} + ${etcRule { path = "samba"; trail = "/dhcp.conf"; }} + ''; + "abstractions/X" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X" + ${etcRule { path = "X11/cursors"; trail = "/"; }} + ${etcRule { path = "X11/cursors"; trail = "/**"; }} + ''; +}; +} diff --git a/nixos/modules/security/apparmor/profiles.nix b/nixos/modules/security/apparmor/profiles.nix new file mode 100644 index 0000000000000..8eb630b5a48a5 --- /dev/null +++ b/nixos/modules/security/apparmor/profiles.nix @@ -0,0 +1,11 @@ +{ config, lib, pkgs, ... }: +let apparmor = config.security.apparmor; in +{ +config.security.apparmor.packages = [ pkgs.apparmor-profiles ]; +config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable '' + include "${pkgs.iputils.apparmor}/bin.ping" + include "${pkgs.inetutils.apparmor}/bin.ping" + # Note that including those two profiles in the same profile + # would not work if the second one were to re-include <tunables/global>. +''; +} diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix index 1c4ee421fc56a..7df86e71423f3 100644 --- a/nixos/modules/security/ca.nix +++ b/nixos/modules/security/ca.nix @@ -10,15 +10,10 @@ let blacklist = cfg.caCertificateBlacklist; }; - caCertificates = pkgs.runCommand "ca-certificates.crt" - { files = - cfg.certificateFiles ++ - [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ]; - preferLocalBuild = true; - } - '' - cat $files > $out - ''; + caCertificates = pkgs.runCommand "ca-certificates.crt" { + files = cfg.certificateFiles ++ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ]; + preferLocalBuild = true; + } "awk 1 $files > $out"; # awk ensures a newline between each pair of consecutive files in diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index d51dbbb77f718..e7abc1e0d597c 100644 --- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix @@ -7,6 +7,10 @@ with lib; maintainers = [ maintainers.joachifm ]; }; + imports = [ + (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) + ]; + options = { security.allowUserNamespaces = mkOption { type = types.bool; diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 103cf20501237..b5bd22f6ba7b8 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -433,7 +433,7 @@ let ("auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" + " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")} ${optionalString cfg.enableGnomeKeyring - "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"} + "auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"} ${optionalString cfg.gnupg.enable "auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" + optionalString cfg.gnupg.storeOnly " store-only" @@ -471,7 +471,7 @@ let ${optionalString config.krb5.enable "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"} ${optionalString cfg.enableGnomeKeyring - "password optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"} + "password optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"} # Session management. ${optionalString cfg.setEnvironment '' @@ -512,7 +512,7 @@ let ("session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" + " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")} ${optionalString (cfg.enableGnomeKeyring) - "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"} + "session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"} ${optionalString cfg.gnupg.enable "session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" + optionalString cfg.gnupg.noAutostart " no-autostart" @@ -895,6 +895,81 @@ in runuser-l = { rootOK = true; unixAuth = false; }; }; + security.apparmor.includes."abstractions/pam" = let + isEnabled = test: fold or false (map test (attrValues config.security.pam.services)); + in + lib.concatMapStringsSep "\n" + (name: "r ${config.environment.etc."pam.d/${name}".source},") + (attrNames config.security.pam.services) + + '' + mr ${getLib pkgs.pam}/lib/security/pam_filter/*, + mr ${getLib pkgs.pam}/lib/security/pam_*.so, + r ${getLib pkgs.pam}/lib/security/, + '' + + optionalString use_ldap '' + mr ${pam_ldap}/lib/security/pam_ldap.so, + '' + + optionalString config.services.sssd.enable '' + mr ${pkgs.sssd}/lib/security/pam_sss.so, + '' + + optionalString config.krb5.enable '' + mr ${pam_krb5}/lib/security/pam_krb5.so, + mr ${pam_ccreds}/lib/security/pam_ccreds.so, + '' + + optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' + mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, + mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so, + '' + + optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) '' + mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, + '' + + optionalString (config.security.pam.enableSSHAgentAuth + && isEnabled (cfg: cfg.sshAgentAuth)) '' + mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so, + '' + + optionalString (isEnabled (cfg: cfg.fprintAuth)) '' + mr ${pkgs.fprintd}/lib/security/pam_fprintd.so, + '' + + optionalString (isEnabled (cfg: cfg.u2fAuth)) '' + mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so, + '' + + optionalString (isEnabled (cfg: cfg.usbAuth)) '' + mr ${pkgs.pam_usb}/lib/security/pam_usb.so, + '' + + optionalString (isEnabled (cfg: cfg.oathAuth)) '' + "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so, + '' + + optionalString (isEnabled (cfg: cfg.yubicoAuth)) '' + mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so, + '' + + optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) '' + mr ${pkgs.duo-unix}/lib/security/pam_duo.so, + '' + + optionalString (isEnabled (cfg: cfg.otpwAuth)) '' + mr ${pkgs.otpw}/lib/security/pam_otpw.so, + '' + + optionalString config.security.pam.enableEcryptfs '' + mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so, + '' + + optionalString (isEnabled (cfg: cfg.pamMount)) '' + mr ${pkgs.pam_mount}/lib/security/pam_mount.so, + '' + + optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) '' + mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so, + '' + + optionalString (isEnabled (cfg: cfg.startSession)) '' + mr ${pkgs.systemd}/lib/security/pam_systemd.so, + '' + + optionalString (isEnabled (cfg: cfg.enableAppArmor) + && config.security.apparmor.enable) '' + mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so, + '' + + optionalString (isEnabled (cfg: cfg.enableKwallet)) '' + mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so, + '' + + optionalString config.virtualisation.lxc.lxcfs.enable '' + mr ${pkgs.lxc}/lib/security/pam_cgfs.so + ''; }; } diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index cc3ff3d11b917..2e73f8f4f311d 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -61,6 +61,17 @@ in ''; }; + security.sudo.execWheelOnly = mkOption { + type = types.bool; + default = false; + description = '' + Only allow members of the <code>wheel</code> group to execute sudo by + setting the executable's permissions accordingly. + This prevents users that are not members of <code>wheel</code> from + exploiting vulnerabilities in sudo such as CVE-2021-3156. + ''; + }; + security.sudo.configFile = mkOption { type = types.lines; # Note: if syntax errors are detected in this file, the NixOS @@ -216,9 +227,20 @@ in ${cfg.extraConfig} ''; - security.wrappers = { - sudo.source = "${cfg.package.out}/bin/sudo"; - sudoedit.source = "${cfg.package.out}/bin/sudoedit"; + security.wrappers = let + owner = "root"; + group = if cfg.execWheelOnly then "wheel" else "root"; + setuid = true; + permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x"; + in { + sudo = { + source = "${cfg.package.out}/bin/sudo"; + inherit owner group setuid permissions; + }; + sudoedit = { + source = "${cfg.package.out}/bin/sudoedit"; + inherit owner group setuid permissions; + }; }; environment.systemPackages = [ sudo ]; diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 3cbf22fea7a96..1e65f45151555 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -171,6 +171,14 @@ in export PATH="${wrapperDir}:$PATH" ''; + security.apparmor.includes."nixos/security.wrappers" = '' + include "${pkgs.apparmorRulesFromClosure { name="security.wrappers"; } [ + securityWrapper + pkgs.stdenv.cc.cc + pkgs.stdenv.cc.libc + ]}" + ''; + ###### setcap activation script system.activationScripts.wrappers = lib.stringAfter [ "specialfs" "users" ] diff --git a/nixos/modules/services/audio/botamusique.nix b/nixos/modules/services/audio/botamusique.nix new file mode 100644 index 0000000000000..14614d2dd1613 --- /dev/null +++ b/nixos/modules/services/audio/botamusique.nix @@ -0,0 +1,114 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.botamusique; + + format = pkgs.formats.ini {}; + configFile = format.generate "botamusique.ini" cfg.settings; +in +{ + meta.maintainers = with lib.maintainers; [ hexa ]; + + options.services.botamusique = { + enable = mkEnableOption "botamusique, a bot to play audio streams on mumble"; + + package = mkOption { + type = types.package; + default = pkgs.botamusique; + description = "The botamusique package to use."; + }; + + settings = mkOption { + type = with types; submodule { + freeformType = format.type; + options = { + server.host = mkOption { + type = types.str; + default = "localhost"; + example = "mumble.example.com"; + description = "Hostname of the mumble server to connect to."; + }; + + server.port = mkOption { + type = types.port; + default = 64738; + description = "Port of the mumble server to connect to."; + }; + + bot.username = mkOption { + type = types.str; + default = "botamusique"; + description = "Name the bot should appear with."; + }; + + bot.comment = mkOption { + type = types.str; + default = "Hi, I'm here to play radio, local music or youtube/soundcloud music. Have fun!"; + description = "Comment displayed for the bot."; + }; + }; + }; + default = {}; + description = '' + Your <filename>configuration.ini</filename> as a Nix attribute set. Look up + possible options in the <link xlink:href="https://github.com/azlux/botamusique/blob/master/configuration.example.ini">configuration.example.ini</link>. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.botamusique = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + unitConfig.Documentation = "https://github.com/azlux/botamusique/wiki"; + + environment.HOME = "/var/lib/botamusique"; + + serviceConfig = { + ExecStart = "${cfg.package}/bin/botamusique --config ${configFile}"; + Restart = "always"; # the bot exits when the server connection is lost + + # Hardening + CapabilityBoundingSet = [ "" ]; + DynamicUser = true; + IPAddressDeny = [ + "link-local" + "multicast" + ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + ProcSubset = "pid"; + PrivateDevices = true; + PrivateUsers = true; + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + StateDirectory = "botamusique"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + UMask = "0077"; + WorkingDirectory = "/var/lib/botamusique"; + }; + }; + }; +} diff --git a/nixos/modules/services/audio/jack.nix b/nixos/modules/services/audio/jack.nix index bee97dbfc6b3d..f341b432f7586 100644 --- a/nixos/modules/services/audio/jack.nix +++ b/nixos/modules/services/audio/jack.nix @@ -290,5 +290,5 @@ in { ]; - meta.maintainers = [ maintainers.gnidorah ]; + meta.maintainers = [ ]; } diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix index eee6c5f423d5d..e33e860d883da 100644 --- a/nixos/modules/services/audio/mpd.nix +++ b/nixos/modules/services/audio/mpd.nix @@ -233,14 +233,15 @@ in { { User = "${cfg.user}"; ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon /run/mpd/mpd.conf"; - ExecStartPre = pkgs.writeShellScript "mpd-start-pre" '' + ExecStartPre = pkgs.writeShellScript "mpd-start-pre" ('' set -euo pipefail install -m 600 ${mpdConf} /run/mpd/mpd.conf - ${optionalString (cfg.credentials != []) - "${pkgs.replace}/bin/replace-literal -fe ${ - concatStringsSep " -a " (imap0 (i: c: "\"{{password-${toString i}}}\" \"$(cat ${c.passwordFile})\"") cfg.credentials) - } /run/mpd/mpd.conf"} - ''; + '' + optionalString (cfg.credentials != []) + (concatStringsSep "\n" + (imap0 + (i: c: ''${pkgs.replace-secret}/bin/replace-secret '{{password-${toString i}}}' '${c.passwordFile}' /run/mpd/mpd.conf'') + cfg.credentials)) + ); RuntimeDirectory = "mpd"; Type = "notify"; LimitRTPRIO = 50; diff --git a/nixos/modules/services/audio/mpdscribble.nix b/nixos/modules/services/audio/mpdscribble.nix index 642d8743935f1..1368543ae1a4a 100644 --- a/nixos/modules/services/audio/mpdscribble.nix +++ b/nixos/modules/services/audio/mpdscribble.nix @@ -59,7 +59,7 @@ let replaceSecret = secretFile: placeholder: targetFile: optionalString (secretFile != null) '' - ${pkgs.replace}/bin/replace-literal -ef ${placeholder} "$(cat ${secretFile})" ${targetFile}''; + ${pkgs.replace-secret}/bin/replace-secret '${placeholder}' '${secretFile}' '${targetFile}' ''; preStart = pkgs.writeShellScript "mpdscribble-pre-start" '' cp -f "${cfgTemplate}" "${cfgFile}" diff --git a/nixos/modules/services/backup/duplicity.nix b/nixos/modules/services/backup/duplicity.nix index a8d5642486235..1f6883ed02b79 100644 --- a/nixos/modules/services/backup/duplicity.nix +++ b/nixos/modules/services/backup/duplicity.nix @@ -1,16 +1,17 @@ -{ config, lib, pkgs, ...}: +{ config, lib, pkgs, ... }: with lib; - let cfg = config.services.duplicity; stateDirectory = "/var/lib/duplicity"; - localTarget = if hasPrefix "file://" cfg.targetUrl + localTarget = + if hasPrefix "file://" cfg.targetUrl then removePrefix "file://" cfg.targetUrl else null; -in { +in +{ options.services.duplicity = { enable = mkEnableOption "backups with duplicity"; @@ -24,7 +25,7 @@ in { include = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "/home" ]; description = '' List of paths to include into the backups. See the FILE SELECTION @@ -35,7 +36,7 @@ in { exclude = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; description = '' List of paths to exclude from backups. See the FILE SELECTION section in <citerefentry><refentrytitle>duplicity</refentrytitle> @@ -82,14 +83,60 @@ in { extraFlags = mkOption { type = types.listOf types.str; - default = []; - example = [ "--full-if-older-than" "1M" ]; + default = [ ]; + example = [ "--backend-retry-delay" "100" ]; description = '' Extra command-line flags passed to duplicity. See <citerefentry><refentrytitle>duplicity</refentrytitle> <manvolnum>1</manvolnum></citerefentry>. ''; }; + + fullIfOlderThan = mkOption { + type = types.str; + default = "never"; + example = "1M"; + description = '' + If <literal>"never"</literal> (the default) always do incremental + backups (the first backup will be a full backup, of course). If + <literal>"always"</literal> always do full backups. Otherwise, this + must be a string representing a duration. Full backups will be made + when the latest full backup is older than this duration. If this is not + the case, an incremental backup is performed. + ''; + }; + + cleanup = { + maxAge = mkOption { + type = types.nullOr types.str; + default = null; + example = "6M"; + description = '' + If non-null, delete all backup sets older than the given time. Old backup sets + will not be deleted if backup sets newer than time depend on them. + ''; + }; + maxFull = mkOption { + type = types.nullOr types.int; + default = null; + example = 2; + description = '' + If non-null, delete all backups sets that are older than the count:th last full + backup (in other words, keep the last count full backups and + associated incremental sets). + ''; + }; + maxIncr = mkOption { + type = types.nullOr types.int; + default = null; + example = 1; + description = '' + If non-null, delete incremental sets of all backups sets that are + older than the count:th last full backup (in other words, keep only + old full backups and not their increments). + ''; + }; + }; }; config = mkIf cfg.enable { @@ -99,18 +146,26 @@ in { environment.HOME = stateDirectory; - serviceConfig = { - ExecStart = '' - ${pkgs.duplicity}/bin/duplicity ${escapeShellArgs ( - [ - cfg.root - cfg.targetUrl - "--archive-dir" stateDirectory - ] + script = + let + target = escapeShellArg cfg.targetUrl; + extra = escapeShellArgs ([ "--archive-dir" stateDirectory ] ++ cfg.extraFlags); + dup = "${pkgs.duplicity}/bin/duplicity"; + in + '' + set -x + ${dup} cleanup ${target} --force ${extra} + ${lib.optionalString (cfg.cleanup.maxAge != null) "${dup} remove-older-than ${lib.escapeShellArg cfg.cleanup.maxAge} ${target} --force ${extra}"} + ${lib.optionalString (cfg.cleanup.maxFull != null) "${dup} remove-all-but-n-full ${toString cfg.cleanup.maxFull} ${target} --force ${extra}"} + ${lib.optionalString (cfg.cleanup.maxIncr != null) "${dup} remove-all-incr-but-n-full ${toString cfg.cleanup.maxIncr} ${target} --force ${extra}"} + exec ${dup} ${if cfg.fullIfOlderThan == "always" then "full" else "incr"} ${lib.escapeShellArgs ( + [ cfg.root cfg.targetUrl ] ++ concatMap (p: [ "--include" p ]) cfg.include ++ concatMap (p: [ "--exclude" p ]) cfg.exclude - ++ cfg.extraFlags)} + ++ (lib.optionals (cfg.fullIfOlderThan != "never" && cfg.fullIfOlderThan != "always") [ "--full-if-older-than" cfg.fullIfOlderThan ]) + )} ${extra} ''; + serviceConfig = { PrivateTmp = true; ProtectSystem = "strict"; ProtectHome = "read-only"; @@ -130,7 +185,7 @@ in { assertions = singleton { # Duplicity will fail if the last file selection option is an include. It # is not always possible to detect but this simple case can be caught. - assertion = cfg.include != [] -> cfg.exclude != [] || cfg.extraFlags != []; + assertion = cfg.include != [ ] -> cfg.exclude != [ ] || cfg.extraFlags != [ ]; message = '' Duplicity will fail if you only specify included paths ("Because the default is to include all files, the expression is redundant. Exiting diff --git a/nixos/modules/services/backup/postgresql-backup.nix b/nixos/modules/services/backup/postgresql-backup.nix index f4bd3aa447e5e..9da2d522a68d6 100644 --- a/nixos/modules/services/backup/postgresql-backup.nix +++ b/nixos/modules/services/backup/postgresql-backup.nix @@ -48,7 +48,7 @@ in { startAt = mkOption { default = "*-*-* 01:15:00"; - type = types.str; + type = with types; either (listOf str) str; description = '' This option defines (see <literal>systemd.time</literal> for format) when the databases should be dumped. diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix index e72e3fa59cf92..b764db1f14e4a 100644 --- a/nixos/modules/services/backup/syncoid.nix +++ b/nixos/modules/services/backup/syncoid.nix @@ -197,14 +197,14 @@ in { ])) (attrValues cfg.commands); after = [ "zfs.target" ]; serviceConfig = { - ExecStartPre = (map (pool: lib.escapeShellArgs [ - "+/run/booted-system/sw/bin/zfs" "allow" - cfg.user "hold,send" pool - ]) (getPools "source")) ++ - (map (pool: lib.escapeShellArgs [ - "+/run/booted-system/sw/bin/zfs" "allow" - cfg.user "create,mount,receive,rollback" pool - ]) (getPools "target")); + ExecStartPre = let + allowCmd = permissions: pool: lib.escapeShellArgs [ + "+/run/booted-system/sw/bin/zfs" "allow" + cfg.user (concatStringsSep "," permissions) pool + ]; + in + (map (allowCmd [ "hold" "send" "snapshot" "destroy" ]) (getPools "source")) ++ + (map (allowCmd [ "create" "mount" "receive" "rollback" ]) (getPools "target")); User = cfg.user; Group = cfg.group; }; diff --git a/nixos/modules/services/cluster/kubernetes/addon-manager.nix b/nixos/modules/services/cluster/kubernetes/addon-manager.nix index f55079300b15e..1378b5ccfb7a4 100644 --- a/nixos/modules/services/cluster/kubernetes/addon-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/addon-manager.nix @@ -62,7 +62,7 @@ in ''; }; - enable = mkEnableOption "Whether to enable Kubernetes addon manager."; + enable = mkEnableOption "Kubernetes addon manager."; }; ###### implementation diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix index a5b1321547668..f1531caa75443 100644 --- a/nixos/modules/services/cluster/kubernetes/apiserver.nix +++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix @@ -145,7 +145,7 @@ in extraOpts = mkOption { description = "Kubernetes apiserver extra command line options."; default = ""; - type = str; + type = separatedString " "; }; extraSANs = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixos/modules/services/cluster/kubernetes/controller-manager.nix index a99ef6640e974..0c81fa9ae492f 100644 --- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix @@ -38,7 +38,7 @@ in extraOpts = mkOption { description = "Kubernetes controller manager extra command line options."; default = ""; - type = str; + type = separatedString " "; }; featureGates = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index 19edc338bba1b..0dc3649237b7f 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -7,12 +7,12 @@ let defaultContainerdConfigFile = pkgs.writeText "containerd.toml" '' version = 2 - root = "/var/lib/containerd/daemon" - state = "/var/run/containerd/daemon" + root = "/var/lib/containerd" + state = "/run/containerd" oom_score = 0 [grpc] - address = "/var/run/containerd/containerd.sock" + address = "/run/containerd/containerd.sock" [plugins."io.containerd.grpc.v1.cri"] sandbox_image = "pause:latest" diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix index b5346b1cd44d8..fcfcc84354772 100644 --- a/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -134,7 +134,7 @@ in containerRuntimeEndpoint = mkOption { description = "Endpoint at which to find the container runtime api interface/socket"; type = str; - default = "unix:///var/run/containerd/containerd.sock"; + default = "unix:///run/containerd/containerd.sock"; }; enable = mkEnableOption "Kubernetes kubelet."; @@ -142,7 +142,7 @@ in extraOpts = mkOption { description = "Kubernetes kubelet extra command line options."; default = ""; - type = str; + type = separatedString " "; }; featureGates = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixos/modules/services/cluster/kubernetes/proxy.nix index 86d1dc2439bd9..7aa449f9aa21a 100644 --- a/nixos/modules/services/cluster/kubernetes/proxy.nix +++ b/nixos/modules/services/cluster/kubernetes/proxy.nix @@ -25,7 +25,7 @@ in extraOpts = mkOption { description = "Kubernetes proxy extra command line options."; default = ""; - type = str; + type = separatedString " "; }; featureGates = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/scheduler.nix b/nixos/modules/services/cluster/kubernetes/scheduler.nix index 5f6113227d9db..454c689759df1 100644 --- a/nixos/modules/services/cluster/kubernetes/scheduler.nix +++ b/nixos/modules/services/cluster/kubernetes/scheduler.nix @@ -21,7 +21,7 @@ in extraOpts = mkOption { description = "Kubernetes scheduler extra command line options."; default = ""; - type = str; + type = separatedString " "; }; featureGates = mkOption { diff --git a/nixos/modules/services/computing/foldingathome/client.nix b/nixos/modules/services/computing/foldingathome/client.nix index 9f99af48c48a6..fbef6a04b16d0 100644 --- a/nixos/modules/services/computing/foldingathome/client.nix +++ b/nixos/modules/services/computing/foldingathome/client.nix @@ -49,6 +49,15 @@ in ''; }; + daemonNiceLevel = mkOption { + type = types.ints.between (-20) 19; + default = 0; + description = '' + Daemon process priority for FAHClient. + 0 is the default Unix process priority, 19 is the lowest. + ''; + }; + extraArgs = mkOption { type = types.listOf types.str; default = []; @@ -70,6 +79,7 @@ in serviceConfig = { DynamicUser = true; StateDirectory = "foldingathome"; + Nice = cfg.daemonNiceLevel; WorkingDirectory = "%S/foldingathome"; }; }; diff --git a/nixos/modules/services/computing/slurm/slurm.nix b/nixos/modules/services/computing/slurm/slurm.nix index 0b52f8afed831..a3dee94e2dc5d 100644 --- a/nixos/modules/services/computing/slurm/slurm.nix +++ b/nixos/modules/services/computing/slurm/slurm.nix @@ -403,9 +403,7 @@ in requires = [ "munged.service" "mysql.service" ]; preStart = '' - cp ${slurmdbdConf} ${configPath} - chmod 600 ${configPath} - chown ${cfg.user} ${configPath} + install -m 600 -o ${cfg.user} -T ${slurmdbdConf} ${configPath} ${optionalString (cfg.dbdserver.storagePassFile != null) '' echo "StoragePass=$(cat ${cfg.dbdserver.storagePassFile})" \ >> ${configPath} diff --git a/nixos/modules/services/continuous-integration/buildbot/master.nix b/nixos/modules/services/continuous-integration/buildbot/master.nix index a49f5f8100dc9..f668e69e5df7b 100644 --- a/nixos/modules/services/continuous-integration/buildbot/master.nix +++ b/nixos/modules/services/continuous-integration/buildbot/master.nix @@ -283,5 +283,5 @@ in { '') ]; - meta.maintainers = with lib.maintainers; [ nand0p mic92 lopsided98 ]; + meta.maintainers = with lib.maintainers; [ mic92 lopsided98 ]; } diff --git a/nixos/modules/services/continuous-integration/buildbot/worker.nix b/nixos/modules/services/continuous-integration/buildbot/worker.nix index 7b8a35f54bfa3..708b3e1cc1825 100644 --- a/nixos/modules/services/continuous-integration/buildbot/worker.nix +++ b/nixos/modules/services/continuous-integration/buildbot/worker.nix @@ -191,6 +191,6 @@ in { }; }; - meta.maintainers = with lib.maintainers; [ nand0p ]; + meta.maintainers = with lib.maintainers; [ ]; } diff --git a/nixos/modules/services/continuous-integration/buildkite-agents.nix b/nixos/modules/services/continuous-integration/buildkite-agents.nix index b0045409ae609..3dd1c40aaa4b2 100644 --- a/nixos/modules/services/continuous-integration/buildkite-agents.nix +++ b/nixos/modules/services/continuous-integration/buildkite-agents.nix @@ -76,7 +76,7 @@ let }; tags = mkOption { - type = types.attrsOf types.str; + type = types.attrsOf (types.either types.str (types.listOf types.str)); default = {}; example = { queue = "default"; docker = "true"; ruby2 ="true"; }; description = '' @@ -230,7 +230,11 @@ in ## don't end up in the Nix store. preStart = let sshDir = "${cfg.dataDir}/.ssh"; - tagStr = lib.concatStringsSep "," (lib.mapAttrsToList (name: value: "${name}=${value}") cfg.tags); + tagStr = name: value: + if lib.isList value + then lib.concatStringsSep "," (builtins.map (v: "${name}=${v}") value) + else "${name}=${value}"; + tagsStr = lib.concatStringsSep "," (lib.mapAttrsToList tagStr cfg.tags); in optionalString (cfg.privateSshKeyPath != null) '' mkdir -m 0700 -p "${sshDir}" @@ -241,7 +245,7 @@ in token="$(cat ${toString cfg.tokenPath})" name="${cfg.name}" shell="${cfg.shell}" - tags="${tagStr}" + tags="${tagsStr}" build-path="${cfg.dataDir}/builds" hooks-path="${cfg.hooksPath}" ${cfg.extraConfig} diff --git a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix index 9f9b86ee61cbb..2f0b573e87210 100644 --- a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix +++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix @@ -37,15 +37,22 @@ let description = '' Number of tasks to perform simultaneously. - A task is a single derivation build or an evaluation. + A task is a single derivation build, an evaluation or an effect run. At minimum, you need 2 concurrent tasks for <literal>x86_64-linux</literal> in your cluster, to allow for import from derivation. <literal>concurrentTasks</literal> can be around the CPU core count or lower if memory is the bottleneck. + + The optimal value depends on the resource consumption characteristics of your workload, + including memory usage and in-task parallelism. This is typically determined empirically. + + When scaling, it is generally better to have a double-size machine than two machines, + because each split of resources causes inefficiencies; particularly with regards + to build latency because of extra downloads. ''; - type = types.int; - default = 4; + type = types.either types.ints.positive (types.enum [ "auto" ]); + default = "auto"; }; workDirectory = mkOption { description = '' @@ -186,7 +193,18 @@ in # even shortly after the previous lookup. This *also* applies to the daemon. narinfo-cache-negative-ttl = 0 ''; - services.hercules-ci-agent.tomlFile = - format.generate "hercules-ci-agent.toml" cfg.settings; + services.hercules-ci-agent = { + tomlFile = + format.generate "hercules-ci-agent.toml" cfg.settings; + + settings.labels = { + agent.source = + if options.services.hercules-ci-agent.package.highestPrio == (lib.modules.mkOptionDefault { }).priority + then "nixpkgs" + else lib.mkOptionDefault "override"; + pkgs.version = pkgs.lib.version; + lib.version = lib.version; + }; + }; }; } diff --git a/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix b/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix index e8a42e59de0d0..06c174e7d376e 100644 --- a/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix +++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix @@ -68,7 +68,23 @@ in # Trusted user allows simplified configuration and better performance # when operating in a cluster. nix.trustedUsers = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ]; - services.hercules-ci-agent.settings.nixUserIsTrusted = true; + services.hercules-ci-agent = { + settings = { + nixUserIsTrusted = true; + labels = + let + mkIfNotNull = x: mkIf (x != null) x; + in + { + nixos.configurationRevision = mkIfNotNull config.system.configurationRevision; + nixos.release = config.system.nixos.release; + nixos.label = mkIfNotNull config.system.nixos.label; + nixos.codeName = config.system.nixos.codeName; + nixos.tags = config.system.nixos.tags; + nixos.systemName = mkIfNotNull config.system.name; + }; + }; + }; users.users.hercules-ci-agent = { home = cfg.settings.baseDirectory; diff --git a/nixos/modules/services/databases/cassandra.nix b/nixos/modules/services/databases/cassandra.nix index d55a7db39150f..820be5085de9f 100644 --- a/nixos/modules/services/databases/cassandra.nix +++ b/nixos/modules/services/databases/cassandra.nix @@ -1,79 +1,108 @@ { config, lib, pkgs, ... }: -with lib; - let + inherit (lib) + concatStringsSep + flip + literalExample + optionalAttrs + optionals + recursiveUpdate + mkEnableOption + mkIf + mkOption + types + versionAtLeast + ; + cfg = config.services.cassandra; + defaultUser = "cassandra"; - cassandraConfig = flip recursiveUpdate cfg.extraConfig - ({ commitlog_sync = "batch"; - commitlog_sync_batch_window_in_ms = 2; - start_native_transport = cfg.allowClients; - cluster_name = cfg.clusterName; - partitioner = "org.apache.cassandra.dht.Murmur3Partitioner"; - endpoint_snitch = "SimpleSnitch"; - data_file_directories = [ "${cfg.homeDir}/data" ]; - commitlog_directory = "${cfg.homeDir}/commitlog"; - saved_caches_directory = "${cfg.homeDir}/saved_caches"; - } // (lib.optionalAttrs (cfg.seedAddresses != []) { - seed_provider = [{ - class_name = "org.apache.cassandra.locator.SimpleSeedProvider"; - parameters = [ { seeds = concatStringsSep "," cfg.seedAddresses; } ]; - }]; - }) // (lib.optionalAttrs (lib.versionAtLeast cfg.package.version "3") { - hints_directory = "${cfg.homeDir}/hints"; - }) - ); - cassandraConfigWithAddresses = cassandraConfig // - ( if cfg.listenAddress == null - then { listen_interface = cfg.listenInterface; } - else { listen_address = cfg.listenAddress; } - ) // ( - if cfg.rpcAddress == null - then { rpc_interface = cfg.rpcInterface; } - else { rpc_address = cfg.rpcAddress; } - ); - cassandraEtc = pkgs.stdenv.mkDerivation - { name = "cassandra-etc"; - cassandraYaml = builtins.toJSON cassandraConfigWithAddresses; - cassandraEnvPkg = "${cfg.package}/conf/cassandra-env.sh"; - cassandraLogbackConfig = pkgs.writeText "logback.xml" cfg.logbackConfig; - passAsFile = [ "extraEnvSh" ]; - inherit (cfg) extraEnvSh; - buildCommand = '' - mkdir -p "$out" - - echo "$cassandraYaml" > "$out/cassandra.yaml" - ln -s "$cassandraLogbackConfig" "$out/logback.xml" - - ( cat "$cassandraEnvPkg" - echo "# lines from services.cassandra.extraEnvSh: " - cat "$extraEnvShPath" - ) > "$out/cassandra-env.sh" - - # Delete default JMX Port, otherwise we can't set it using env variable - sed -i '/JMX_PORT="7199"/d' "$out/cassandra-env.sh" - - # Delete default password file - sed -i '/-Dcom.sun.management.jmxremote.password.file=\/etc\/cassandra\/jmxremote.password/d' "$out/cassandra-env.sh" - ''; - }; - defaultJmxRolesFile = builtins.foldl' - (left: right: left + right) "" - (map (role: "${role.username} ${role.password}") cfg.jmxRoles); - fullJvmOptions = cfg.jvmOpts - ++ lib.optionals (cfg.jmxRoles != []) [ + + cassandraConfig = flip recursiveUpdate cfg.extraConfig ( + { + commitlog_sync = "batch"; + commitlog_sync_batch_window_in_ms = 2; + start_native_transport = cfg.allowClients; + cluster_name = cfg.clusterName; + partitioner = "org.apache.cassandra.dht.Murmur3Partitioner"; + endpoint_snitch = "SimpleSnitch"; + data_file_directories = [ "${cfg.homeDir}/data" ]; + commitlog_directory = "${cfg.homeDir}/commitlog"; + saved_caches_directory = "${cfg.homeDir}/saved_caches"; + } // optionalAttrs (cfg.seedAddresses != [ ]) { + seed_provider = [ + { + class_name = "org.apache.cassandra.locator.SimpleSeedProvider"; + parameters = [{ seeds = concatStringsSep "," cfg.seedAddresses; }]; + } + ]; + } // optionalAttrs (versionAtLeast cfg.package.version "3") { + hints_directory = "${cfg.homeDir}/hints"; + } + ); + + cassandraConfigWithAddresses = cassandraConfig // ( + if cfg.listenAddress == null + then { listen_interface = cfg.listenInterface; } + else { listen_address = cfg.listenAddress; } + ) // ( + if cfg.rpcAddress == null + then { rpc_interface = cfg.rpcInterface; } + else { rpc_address = cfg.rpcAddress; } + ); + + cassandraEtc = pkgs.stdenv.mkDerivation { + name = "cassandra-etc"; + + cassandraYaml = builtins.toJSON cassandraConfigWithAddresses; + cassandraEnvPkg = "${cfg.package}/conf/cassandra-env.sh"; + cassandraLogbackConfig = pkgs.writeText "logback.xml" cfg.logbackConfig; + + passAsFile = [ "extraEnvSh" ]; + inherit (cfg) extraEnvSh; + + buildCommand = '' + mkdir -p "$out" + + echo "$cassandraYaml" > "$out/cassandra.yaml" + ln -s "$cassandraLogbackConfig" "$out/logback.xml" + + ( cat "$cassandraEnvPkg" + echo "# lines from services.cassandra.extraEnvSh: " + cat "$extraEnvShPath" + ) > "$out/cassandra-env.sh" + + # Delete default JMX Port, otherwise we can't set it using env variable + sed -i '/JMX_PORT="7199"/d' "$out/cassandra-env.sh" + + # Delete default password file + sed -i '/-Dcom.sun.management.jmxremote.password.file=\/etc\/cassandra\/jmxremote.password/d' "$out/cassandra-env.sh" + ''; + }; + + defaultJmxRolesFile = + builtins.foldl' + (left: right: left + right) "" + (map (role: "${role.username} ${role.password}") cfg.jmxRoles); + + fullJvmOptions = + cfg.jvmOpts + ++ optionals (cfg.jmxRoles != [ ]) [ "-Dcom.sun.management.jmxremote.authenticate=true" "-Dcom.sun.management.jmxremote.password.file=${cfg.jmxRolesFile}" - ] - ++ lib.optionals cfg.remoteJmx [ + ] ++ optionals cfg.remoteJmx [ "-Djava.rmi.server.hostname=${cfg.rpcAddress}" ]; -in { + +in +{ options.services.cassandra = { + enable = mkEnableOption '' Apache Cassandra – Scalable and highly available database. ''; + clusterName = mkOption { type = types.str; default = "Test Cluster"; @@ -83,16 +112,19 @@ in { another. All nodes in a cluster must have the same value. ''; }; + user = mkOption { type = types.str; default = defaultUser; description = "Run Apache Cassandra under this user."; }; + group = mkOption { type = types.str; default = defaultUser; description = "Run Apache Cassandra under this group."; }; + homeDir = mkOption { type = types.path; default = "/var/lib/cassandra"; @@ -100,6 +132,7 @@ in { Home directory for Apache Cassandra. ''; }; + package = mkOption { type = types.package; default = pkgs.cassandra; @@ -109,17 +142,19 @@ in { The Apache Cassandra package to use. ''; }; + jvmOpts = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; description = '' Populate the JVM_OPT environment variable. ''; }; + listenAddress = mkOption { type = types.nullOr types.str; default = "127.0.0.1"; - example = literalExample "null"; + example = null; description = '' Address or interface to bind to and tell other Cassandra nodes to connect to. You _must_ change this if you want multiple @@ -136,6 +171,7 @@ in { Setting listen_address to 0.0.0.0 is always wrong. ''; }; + listenInterface = mkOption { type = types.nullOr types.str; default = null; @@ -146,10 +182,11 @@ in { supported. ''; }; + rpcAddress = mkOption { type = types.nullOr types.str; default = "127.0.0.1"; - example = literalExample "null"; + example = null; description = '' The address or interface to bind the native transport server to. @@ -167,6 +204,7 @@ in { internet. Firewall it if needed. ''; }; + rpcInterface = mkOption { type = types.nullOr types.str; default = null; @@ -176,6 +214,7 @@ in { correspond to a single address, IP aliasing is not supported. ''; }; + logbackConfig = mkOption { type = types.lines; default = '' @@ -197,6 +236,7 @@ in { XML logback configuration for cassandra ''; }; + seedAddresses = mkOption { type = types.listOf types.str; default = [ "127.0.0.1" ]; @@ -207,6 +247,7 @@ in { Set to 127.0.0.1 for a single node cluster. ''; }; + allowClients = mkOption { type = types.bool; default = true; @@ -219,16 +260,19 @@ in { <literal>extraConfig</literal>. ''; }; + extraConfig = mkOption { type = types.attrs; - default = {}; + default = { }; example = - { commitlog_sync_batch_window_in_ms = 3; + { + commitlog_sync_batch_window_in_ms = 3; }; description = '' Extra options to be merged into cassandra.yaml as nix attribute set. ''; }; + extraEnvSh = mkOption { type = types.lines; default = ""; @@ -237,48 +281,53 @@ in { Extra shell lines to be appended onto cassandra-env.sh. ''; }; + fullRepairInterval = mkOption { type = types.nullOr types.str; default = "3w"; - example = literalExample "null"; + example = null; description = '' - Set the interval how often full repairs are run, i.e. - <literal>nodetool repair --full</literal> is executed. See - https://cassandra.apache.org/doc/latest/operating/repair.html - for more information. + Set the interval how often full repairs are run, i.e. + <literal>nodetool repair --full</literal> is executed. See + https://cassandra.apache.org/doc/latest/operating/repair.html + for more information. - Set to <literal>null</literal> to disable full repairs. - ''; + Set to <literal>null</literal> to disable full repairs. + ''; }; + fullRepairOptions = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "--partitioner-range" ]; description = '' - Options passed through to the full repair command. - ''; + Options passed through to the full repair command. + ''; }; + incrementalRepairInterval = mkOption { type = types.nullOr types.str; default = "3d"; - example = literalExample "null"; + example = null; description = '' - Set the interval how often incremental repairs are run, i.e. - <literal>nodetool repair</literal> is executed. See - https://cassandra.apache.org/doc/latest/operating/repair.html - for more information. + Set the interval how often incremental repairs are run, i.e. + <literal>nodetool repair</literal> is executed. See + https://cassandra.apache.org/doc/latest/operating/repair.html + for more information. - Set to <literal>null</literal> to disable incremental repairs. - ''; + Set to <literal>null</literal> to disable incremental repairs. + ''; }; + incrementalRepairOptions = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "--partitioner-range" ]; description = '' - Options passed through to the incremental repair command. - ''; + Options passed through to the incremental repair command. + ''; }; + maxHeapSize = mkOption { type = types.nullOr types.str; default = null; @@ -299,6 +348,7 @@ in { expensive GC will be (usually). ''; }; + heapNewSize = mkOption { type = types.nullOr types.str; default = null; @@ -322,6 +372,7 @@ in { 100 MB per physical CPU core. ''; }; + mallocArenaMax = mkOption { type = types.nullOr types.int; default = null; @@ -330,6 +381,7 @@ in { Set this to control the amount of arenas per-thread in glibc. ''; }; + remoteJmx = mkOption { type = types.bool; default = false; @@ -341,6 +393,7 @@ in { See: https://wiki.apache.org/cassandra/JmxSecurity ''; }; + jmxPort = mkOption { type = types.int; default = 7199; @@ -351,8 +404,9 @@ in { Firewall it if needed. ''; }; + jmxRoles = mkOption { - default = []; + default = [ ]; description = '' Roles that are allowed to access the JMX (e.g. nodetool) BEWARE: The passwords will be stored world readable in the nix-store. @@ -375,11 +429,13 @@ in { }; }); }; + jmxRolesFile = mkOption { type = types.nullOr types.path; - default = if (lib.versionAtLeast cfg.package.version "3.11") - then pkgs.writeText "jmx-roles-file" defaultJmxRolesFile - else null; + default = + if versionAtLeast cfg.package.version "3.11" + then pkgs.writeText "jmx-roles-file" defaultJmxRolesFile + else null; example = "/var/lib/cassandra/jmx.password"; description = '' Specify your own jmx roles file. @@ -391,102 +447,115 @@ in { }; config = mkIf cfg.enable { - assertions = - [ { assertion = (cfg.listenAddress == null) != (cfg.listenInterface == null); - message = "You have to set either listenAddress or listenInterface"; - } - { assertion = (cfg.rpcAddress == null) != (cfg.rpcInterface == null); - message = "You have to set either rpcAddress or rpcInterface"; - } - { assertion = (cfg.maxHeapSize == null) == (cfg.heapNewSize == null); - message = "If you set either of maxHeapSize or heapNewSize you have to set both"; - } - { assertion = cfg.remoteJmx -> cfg.jmxRolesFile != null; - message = '' - If you want JMX available remotely you need to set a password using - <literal>jmxRoles</literal> or <literal>jmxRolesFile</literal> if - using Cassandra older than v3.11. - ''; - } - ]; + assertions = [ + { + assertion = (cfg.listenAddress == null) != (cfg.listenInterface == null); + message = "You have to set either listenAddress or listenInterface"; + } + { + assertion = (cfg.rpcAddress == null) != (cfg.rpcInterface == null); + message = "You have to set either rpcAddress or rpcInterface"; + } + { + assertion = (cfg.maxHeapSize == null) == (cfg.heapNewSize == null); + message = "If you set either of maxHeapSize or heapNewSize you have to set both"; + } + { + assertion = cfg.remoteJmx -> cfg.jmxRolesFile != null; + message = '' + If you want JMX available remotely you need to set a password using + <literal>jmxRoles</literal> or <literal>jmxRolesFile</literal> if + using Cassandra older than v3.11. + ''; + } + ]; users = mkIf (cfg.user == defaultUser) { - extraUsers.${defaultUser} = - { group = cfg.group; - home = cfg.homeDir; - createHome = true; - uid = config.ids.uids.cassandra; - description = "Cassandra service user"; - }; - extraGroups.${defaultUser}.gid = config.ids.gids.cassandra; + users.${defaultUser} = { + group = cfg.group; + home = cfg.homeDir; + createHome = true; + uid = config.ids.uids.cassandra; + description = "Cassandra service user"; + }; + groups.${defaultUser}.gid = config.ids.gids.cassandra; }; - systemd.services.cassandra = - { description = "Apache Cassandra service"; - after = [ "network.target" ]; - environment = - { CASSANDRA_CONF = "${cassandraEtc}"; - JVM_OPTS = builtins.concatStringsSep " " fullJvmOptions; - MAX_HEAP_SIZE = toString cfg.maxHeapSize; - HEAP_NEWSIZE = toString cfg.heapNewSize; - MALLOC_ARENA_MAX = toString cfg.mallocArenaMax; - LOCAL_JMX = if cfg.remoteJmx then "no" else "yes"; - JMX_PORT = toString cfg.jmxPort; - }; - wantedBy = [ "multi-user.target" ]; - serviceConfig = - { User = cfg.user; - Group = cfg.group; - ExecStart = "${cfg.package}/bin/cassandra -f"; - SuccessExitStatus = 143; - }; + systemd.services.cassandra = { + description = "Apache Cassandra service"; + after = [ "network.target" ]; + environment = { + CASSANDRA_CONF = "${cassandraEtc}"; + JVM_OPTS = builtins.concatStringsSep " " fullJvmOptions; + MAX_HEAP_SIZE = toString cfg.maxHeapSize; + HEAP_NEWSIZE = toString cfg.heapNewSize; + MALLOC_ARENA_MAX = toString cfg.mallocArenaMax; + LOCAL_JMX = if cfg.remoteJmx then "no" else "yes"; + JMX_PORT = toString cfg.jmxPort; + }; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = "${cfg.package}/bin/cassandra -f"; + SuccessExitStatus = 143; }; + }; - systemd.services.cassandra-full-repair = - { description = "Perform a full repair on this Cassandra node"; - after = [ "cassandra.service" ]; - requires = [ "cassandra.service" ]; - serviceConfig = - { User = cfg.user; - Group = cfg.group; - ExecStart = - lib.concatStringsSep " " - ([ "${cfg.package}/bin/nodetool" "repair" "--full" - ] ++ cfg.fullRepairOptions); - }; + systemd.services.cassandra-full-repair = { + description = "Perform a full repair on this Cassandra node"; + after = [ "cassandra.service" ]; + requires = [ "cassandra.service" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = + concatStringsSep " " + ([ + "${cfg.package}/bin/nodetool" + "repair" + "--full" + ] ++ cfg.fullRepairOptions); }; + }; + systemd.timers.cassandra-full-repair = mkIf (cfg.fullRepairInterval != null) { description = "Schedule full repairs on Cassandra"; wantedBy = [ "timers.target" ]; - timerConfig = - { OnBootSec = cfg.fullRepairInterval; - OnUnitActiveSec = cfg.fullRepairInterval; - Persistent = true; - }; + timerConfig = { + OnBootSec = cfg.fullRepairInterval; + OnUnitActiveSec = cfg.fullRepairInterval; + Persistent = true; + }; }; - systemd.services.cassandra-incremental-repair = - { description = "Perform an incremental repair on this cassandra node."; - after = [ "cassandra.service" ]; - requires = [ "cassandra.service" ]; - serviceConfig = - { User = cfg.user; - Group = cfg.group; - ExecStart = - lib.concatStringsSep " " - ([ "${cfg.package}/bin/nodetool" "repair" - ] ++ cfg.incrementalRepairOptions); - }; + systemd.services.cassandra-incremental-repair = { + description = "Perform an incremental repair on this cassandra node."; + after = [ "cassandra.service" ]; + requires = [ "cassandra.service" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = + concatStringsSep " " + ([ + "${cfg.package}/bin/nodetool" + "repair" + ] ++ cfg.incrementalRepairOptions); }; + }; + systemd.timers.cassandra-incremental-repair = mkIf (cfg.incrementalRepairInterval != null) { description = "Schedule incremental repairs on Cassandra"; wantedBy = [ "timers.target" ]; - timerConfig = - { OnBootSec = cfg.incrementalRepairInterval; - OnUnitActiveSec = cfg.incrementalRepairInterval; - Persistent = true; - }; + timerConfig = { + OnBootSec = cfg.incrementalRepairInterval; + OnUnitActiveSec = cfg.incrementalRepairInterval; + Persistent = true; + }; }; }; + + meta.maintainers = with lib.maintainers; [ roberth ]; } diff --git a/nixos/modules/services/databases/clickhouse.nix b/nixos/modules/services/databases/clickhouse.nix index 27440fec4e10b..f2f4e9d25542d 100644 --- a/nixos/modules/services/databases/clickhouse.nix +++ b/nixos/modules/services/databases/clickhouse.nix @@ -42,6 +42,7 @@ with lib; User = "clickhouse"; Group = "clickhouse"; ConfigurationDirectory = "clickhouse-server"; + AmbientCapabilities = "CAP_SYS_NICE"; StateDirectory = "clickhouse"; LogsDirectory = "clickhouse"; ExecStart = "${pkgs.clickhouse}/bin/clickhouse-server --config-file=${pkgs.clickhouse}/etc/clickhouse-server/config.xml"; diff --git a/nixos/modules/services/databases/couchdb.nix b/nixos/modules/services/databases/couchdb.nix index c99a7529213d7..6cc29cd717ecb 100644 --- a/nixos/modules/services/databases/couchdb.nix +++ b/nixos/modules/services/databases/couchdb.nix @@ -4,24 +4,17 @@ with lib; let cfg = config.services.couchdb; - useVersion2 = strings.versionAtLeast (strings.getVersion cfg.package) "2.0"; configFile = pkgs.writeText "couchdb.ini" ( '' [couchdb] database_dir = ${cfg.databaseDir} uri_file = ${cfg.uriFile} view_index_dir = ${cfg.viewIndexDir} - '' + (if cfg.adminPass != null then - '' + '' + (optionalString (cfg.adminPass != null) '' [admins] ${cfg.adminUser} = ${cfg.adminPass} - '' else - "") + (if useVersion2 then - '' + '' + '' [chttpd] - '' else - '' - [httpd] '') + '' port = ${toString cfg.port} @@ -30,8 +23,7 @@ let [log] file = ${cfg.logFile} ''); - executable = if useVersion2 then "${cfg.package}/bin/couchdb" - else ''${cfg.package}/bin/couchdb -a ${configFile} -a ${pkgs.writeText "couchdb-extra.ini" cfg.extraConfig} -a ${cfg.configFile}''; + executable = "${cfg.package}/bin/couchdb"; in { @@ -177,8 +169,7 @@ in { environment.systemPackages = [ cfg.package ]; - services.couchdb.configFile = mkDefault - (if useVersion2 then "/var/lib/couchdb/local.ini" else "/var/lib/couchdb/couchdb.ini"); + services.couchdb.configFile = mkDefault "/var/lib/couchdb/local.ini"; systemd.tmpfiles.rules = [ "d '${dirOf cfg.uriFile}' - ${cfg.user} ${cfg.group} - -" @@ -195,7 +186,7 @@ in { touch ${cfg.configFile} ''; - environment = mkIf useVersion2 { + environment = { # we are actually specifying 4 configuration files: # 1. the preinstalled default.ini # 2. the module configuration diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index fdc05312ece01..effc9182472e2 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -159,7 +159,7 @@ in For more information on how to specify the target and on which privileges exist, see the <link xlink:href="https://www.postgresql.org/docs/current/sql-grant.html">GRANT syntax</link>. - The attributes are used as <code>GRANT ''${attrName} ON ''${attrValue}</code>. + The attributes are used as <code>GRANT ''${attrValue} ON ''${attrName}</code>. ''; example = literalExample '' { diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 7ec10c0eb5ab6..c4d51958e239b 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -331,7 +331,7 @@ in { PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; - SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap"; + SystemCallFilter = "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @privileged @resources @setuid"; }; }; }; diff --git a/nixos/modules/services/desktops/bamf.nix b/nixos/modules/services/desktops/bamf.nix index 4b35146d08449..37121c219a377 100644 --- a/nixos/modules/services/desktops/bamf.nix +++ b/nixos/modules/services/desktops/bamf.nix @@ -6,7 +6,7 @@ with lib; { meta = { - maintainers = with maintainers; [ worldofpeace ]; + maintainers = with maintainers; [ ]; }; ###### interface diff --git a/nixos/modules/services/desktops/flatpak.nix b/nixos/modules/services/desktops/flatpak.nix index d0f6b66328a4c..7da92cc9f2649 100644 --- a/nixos/modules/services/desktops/flatpak.nix +++ b/nixos/modules/services/desktops/flatpak.nix @@ -15,18 +15,6 @@ in { options = { services.flatpak = { enable = mkEnableOption "flatpak"; - - guiPackages = mkOption { - internal = true; - type = types.listOf types.package; - default = []; - example = literalExample "[ pkgs.gnome3.gnome-software ]"; - description = '' - Packages that provide an interface for flatpak - (like gnome-software) that will be automatically available - to all users when flatpak is enabled. - ''; - }; }; }; @@ -40,7 +28,7 @@ in { } ]; - environment.systemPackages = [ pkgs.flatpak ] ++ cfg.guiPackages; + environment.systemPackages = [ pkgs.flatpak ]; services.dbus.packages = [ pkgs.flatpak ]; diff --git a/nixos/modules/services/desktops/geoclue2.nix b/nixos/modules/services/desktops/geoclue2.nix index 0dc0643afbc9c..e9ec787e5adae 100644 --- a/nixos/modules/services/desktops/geoclue2.nix +++ b/nixos/modules/services/desktops/geoclue2.nix @@ -266,5 +266,5 @@ in } // mapAttrs' appConfigToINICompatible cfg.appConfig); }; - meta.maintainers = with lib.maintainers; [ worldofpeace ]; + meta.maintainers = with lib.maintainers; [ ]; } diff --git a/nixos/modules/services/desktops/gnome3/at-spi2-core.nix b/nixos/modules/services/desktops/gnome/at-spi2-core.nix index 492242e3296da..1268a9d49b82d 100644 --- a/nixos/modules/services/desktops/gnome3/at-spi2-core.nix +++ b/nixos/modules/services/desktops/gnome/at-spi2-core.nix @@ -12,9 +12,17 @@ with lib; ###### interface + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "at-spi2-core" "enable" ] + [ "services" "gnome" "at-spi2-core" "enable" ] + ) + ]; + options = { - services.gnome3.at-spi2-core = { + services.gnome.at-spi2-core = { enable = mkOption { type = types.bool; @@ -36,13 +44,13 @@ with lib; ###### implementation config = mkMerge [ - (mkIf config.services.gnome3.at-spi2-core.enable { + (mkIf config.services.gnome.at-spi2-core.enable { environment.systemPackages = [ pkgs.at-spi2-core ]; services.dbus.packages = [ pkgs.at-spi2-core ]; systemd.packages = [ pkgs.at-spi2-core ]; }) - (mkIf (!config.services.gnome3.at-spi2-core.enable) { + (mkIf (!config.services.gnome.at-spi2-core.enable) { environment.variables.NO_AT_BRIDGE = "1"; }) ]; diff --git a/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix b/nixos/modules/services/desktops/gnome/chrome-gnome-shell.nix index 3c7f217b18df0..15c5bfbd82109 100644 --- a/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix +++ b/nixos/modules/services/desktops/gnome/chrome-gnome-shell.nix @@ -8,9 +8,17 @@ with lib; maintainers = teams.gnome.members; }; + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "chrome-gnome-shell" "enable" ] + [ "services" "gnome" "chrome-gnome-shell" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.chrome-gnome-shell.enable = mkEnableOption '' + services.gnome.chrome-gnome-shell.enable = mkEnableOption '' Chrome GNOME Shell native host connector, a DBus service allowing to install GNOME Shell extensions from a web browser. ''; @@ -18,7 +26,7 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.chrome-gnome-shell.enable { + config = mkIf config.services.gnome.chrome-gnome-shell.enable { environment.etc = { "chromium/native-messaging-hosts/org.gnome.chrome_gnome_shell.json".source = "${pkgs.chrome-gnome-shell}/etc/chromium/native-messaging-hosts/org.gnome.chrome_gnome_shell.json"; "opt/chrome/native-messaging-hosts/org.gnome.chrome_gnome_shell.json".source = "${pkgs.chrome-gnome-shell}/etc/opt/chrome/native-messaging-hosts/org.gnome.chrome_gnome_shell.json"; diff --git a/nixos/modules/services/desktops/gnome3/evolution-data-server.nix b/nixos/modules/services/desktops/gnome/evolution-data-server.nix index 749f12b86bc8a..ef5ad797c2781 100644 --- a/nixos/modules/services/desktops/gnome3/evolution-data-server.nix +++ b/nixos/modules/services/desktops/gnome/evolution-data-server.nix @@ -10,11 +10,23 @@ with lib; maintainers = teams.gnome.members; }; + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "evolution-data-server" "enable" ] + [ "services" "gnome" "evolution-data-server" "enable" ] + ) + (mkRenamedOptionModule + [ "services" "gnome3" "evolution-data-server" "plugins" ] + [ "services" "gnome" "evolution-data-server" "plugins" ] + ) + ]; + ###### interface options = { - services.gnome3.evolution-data-server = { + services.gnome.evolution-data-server = { enable = mkEnableOption "Evolution Data Server, a collection of services for storing addressbooks and calendars."; plugins = mkOption { type = types.listOf types.package; @@ -38,10 +50,10 @@ with lib; config = let - bundle = pkgs.evolutionWithPlugins.override { inherit (config.services.gnome3.evolution-data-server) plugins; }; + bundle = pkgs.evolutionWithPlugins.override { inherit (config.services.gnome.evolution-data-server) plugins; }; in mkMerge [ - (mkIf config.services.gnome3.evolution-data-server.enable { + (mkIf config.services.gnome.evolution-data-server.enable { environment.systemPackages = [ bundle ]; services.dbus.packages = [ bundle ]; @@ -49,11 +61,11 @@ with lib; systemd.packages = [ bundle ]; }) (mkIf config.programs.evolution.enable { - services.gnome3.evolution-data-server = { + services.gnome.evolution-data-server = { enable = true; plugins = [ pkgs.evolution ] ++ config.programs.evolution.plugins; }; - services.gnome3.gnome-keyring.enable = true; + services.gnome.gnome-keyring.enable = true; }) ]; } diff --git a/nixos/modules/services/desktops/gnome3/glib-networking.nix b/nixos/modules/services/desktops/gnome/glib-networking.nix index 7e667b6b1f047..4288b6b5de616 100644 --- a/nixos/modules/services/desktops/gnome3/glib-networking.nix +++ b/nixos/modules/services/desktops/gnome/glib-networking.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "glib-networking" "enable" ] + [ "services" "gnome" "glib-networking" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.glib-networking = { + services.gnome.glib-networking = { enable = mkEnableOption "network extensions for GLib"; @@ -24,7 +32,7 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.glib-networking.enable { + config = mkIf config.services.gnome.glib-networking.enable { services.dbus.packages = [ pkgs.glib-networking ]; diff --git a/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix b/nixos/modules/services/desktops/gnome/gnome-initial-setup.nix index c391ad9694c9c..9e9771cf54159 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix +++ b/nixos/modules/services/desktops/gnome/gnome-initial-setup.nix @@ -48,11 +48,19 @@ in maintainers = teams.gnome.members; }; + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "gnome-initial-setup" "enable" ] + [ "services" "gnome" "gnome-initial-setup" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.gnome-initial-setup = { + services.gnome.gnome-initial-setup = { enable = mkEnableOption "GNOME Initial Setup, a Simple, easy, and safe way to prepare a new system"; @@ -63,16 +71,16 @@ in ###### implementation - config = mkIf config.services.gnome3.gnome-initial-setup.enable { + config = mkIf config.services.gnome.gnome-initial-setup.enable { environment.systemPackages = [ - pkgs.gnome3.gnome-initial-setup + pkgs.gnome.gnome-initial-setup ] ++ optional (versionOlder config.system.stateVersion "20.03") createGisStampFilesAutostart ; systemd.packages = [ - pkgs.gnome3.gnome-initial-setup + pkgs.gnome.gnome-initial-setup ]; systemd.user.targets."gnome-session".wants = [ diff --git a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix b/nixos/modules/services/desktops/gnome/gnome-keyring.nix index 2916a3c82b343..cda44bab8bfaa 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix +++ b/nixos/modules/services/desktops/gnome/gnome-keyring.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "gnome-keyring" "enable" ] + [ "services" "gnome" "gnome-keyring" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.gnome-keyring = { + services.gnome.gnome-keyring = { enable = mkOption { type = types.bool; @@ -33,18 +41,18 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.gnome-keyring.enable { + config = mkIf config.services.gnome.gnome-keyring.enable { - environment.systemPackages = [ pkgs.gnome3.gnome-keyring ]; + environment.systemPackages = [ pkgs.gnome.gnome-keyring ]; - services.dbus.packages = [ pkgs.gnome3.gnome-keyring pkgs.gcr ]; + services.dbus.packages = [ pkgs.gnome.gnome-keyring pkgs.gcr ]; - xdg.portal.extraPortals = [ pkgs.gnome3.gnome-keyring ]; + xdg.portal.extraPortals = [ pkgs.gnome.gnome-keyring ]; security.pam.services.login.enableGnomeKeyring = true; security.wrappers.gnome-keyring-daemon = { - source = "${pkgs.gnome3.gnome-keyring}/bin/gnome-keyring-daemon"; + source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon"; capabilities = "cap_ipc_lock=ep"; }; diff --git a/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix b/nixos/modules/services/desktops/gnome/gnome-online-accounts.nix index 3f9ced5e86b18..01f7e3695cf04 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix +++ b/nixos/modules/services/desktops/gnome/gnome-online-accounts.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "gnome-online-accounts" "enable" ] + [ "services" "gnome" "gnome-online-accounts" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.gnome-online-accounts = { + services.gnome.gnome-online-accounts = { enable = mkOption { type = types.bool; @@ -32,7 +40,7 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.gnome-online-accounts.enable { + config = mkIf config.services.gnome.gnome-online-accounts.enable { environment.systemPackages = [ pkgs.gnome-online-accounts ]; diff --git a/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix b/nixos/modules/services/desktops/gnome/gnome-online-miners.nix index 39d669e8b30f6..5f9039f68c4ee 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix +++ b/nixos/modules/services/desktops/gnome/gnome-online-miners.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "gnome-online-miners" "enable" ] + [ "services" "gnome" "gnome-online-miners" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.gnome-online-miners = { + services.gnome.gnome-online-miners = { enable = mkOption { type = types.bool; @@ -32,11 +40,11 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.gnome-online-miners.enable { + config = mkIf config.services.gnome.gnome-online-miners.enable { - environment.systemPackages = [ pkgs.gnome3.gnome-online-miners ]; + environment.systemPackages = [ pkgs.gnome.gnome-online-miners ]; - services.dbus.packages = [ pkgs.gnome3.gnome-online-miners ]; + services.dbus.packages = [ pkgs.gnome.gnome-online-miners ]; }; diff --git a/nixos/modules/services/desktops/gnome/gnome-remote-desktop.nix b/nixos/modules/services/desktops/gnome/gnome-remote-desktop.nix new file mode 100644 index 0000000000000..b5573d2fc21bc --- /dev/null +++ b/nixos/modules/services/desktops/gnome/gnome-remote-desktop.nix @@ -0,0 +1,32 @@ +# Remote desktop daemon using Pipewire. +{ config, lib, pkgs, ... }: + +with lib; + +{ + meta = { + maintainers = teams.gnome.members; + }; + + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "gnome-remote-desktop" "enable" ] + [ "services" "gnome" "gnome-remote-desktop" "enable" ] + ) + ]; + + ###### interface + options = { + services.gnome.gnome-remote-desktop = { + enable = mkEnableOption "Remote Desktop support using Pipewire"; + }; + }; + + ###### implementation + config = mkIf config.services.gnome.gnome-remote-desktop.enable { + services.pipewire.enable = true; + + systemd.packages = [ pkgs.gnome.gnome-remote-desktop ]; + }; +} diff --git a/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix b/nixos/modules/services/desktops/gnome/gnome-settings-daemon.nix index 1c33ed064a19a..05b5c86ddcb39 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix +++ b/nixos/modules/services/desktops/gnome/gnome-settings-daemon.nix @@ -6,7 +6,7 @@ with lib; let - cfg = config.services.gnome3.gnome-settings-daemon; + cfg = config.services.gnome.gnome-settings-daemon; in @@ -20,13 +20,19 @@ in (mkRemovedOptionModule ["services" "gnome3" "gnome-settings-daemon" "package"] "") + + # Added 2021-05-07 + (mkRenamedOptionModule + [ "services" "gnome3" "gnome-settings-daemon" "enable" ] + [ "services" "gnome" "gnome-settings-daemon" "enable" ] + ) ]; ###### interface options = { - services.gnome3.gnome-settings-daemon = { + services.gnome.gnome-settings-daemon = { enable = mkEnableOption "GNOME Settings Daemon"; @@ -40,15 +46,15 @@ in config = mkIf cfg.enable { environment.systemPackages = [ - pkgs.gnome3.gnome-settings-daemon + pkgs.gnome.gnome-settings-daemon ]; services.udev.packages = [ - pkgs.gnome3.gnome-settings-daemon + pkgs.gnome.gnome-settings-daemon ]; systemd.packages = [ - pkgs.gnome3.gnome-settings-daemon + pkgs.gnome.gnome-settings-daemon ]; systemd.user.targets."gnome-session-initialized".wants = [ diff --git a/nixos/modules/services/desktops/gnome3/gnome-user-share.nix b/nixos/modules/services/desktops/gnome/gnome-user-share.nix index f2fe8b41a9e2d..38256af309cc5 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-user-share.nix +++ b/nixos/modules/services/desktops/gnome/gnome-user-share.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + imports = [ + # Added 2021-05-07 + (mkRenamedOptionModule + [ "services" "gnome3" "gnome-user-share" "enable" ] + [ "services" "gnome" "gnome-user-share" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.gnome-user-share = { + services.gnome.gnome-user-share = { enable = mkEnableOption "GNOME User Share, a user-level file sharing service for GNOME"; @@ -25,14 +33,14 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.gnome-user-share.enable { + config = mkIf config.services.gnome.gnome-user-share.enable { environment.systemPackages = [ - pkgs.gnome3.gnome-user-share + pkgs.gnome.gnome-user-share ]; systemd.packages = [ - pkgs.gnome3.gnome-user-share + pkgs.gnome.gnome-user-share ]; }; diff --git a/nixos/modules/services/desktops/gnome3/rygel.nix b/nixos/modules/services/desktops/gnome/rygel.nix index 917a1d6541e06..7ea9778fc408d 100644 --- a/nixos/modules/services/desktops/gnome3/rygel.nix +++ b/nixos/modules/services/desktops/gnome/rygel.nix @@ -8,9 +8,17 @@ with lib; maintainers = teams.gnome.members; }; + imports = [ + # Added 2021-05-07 + (mkRenamedOptionModule + [ "services" "gnome3" "rygel" "enable" ] + [ "services" "gnome" "rygel" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.rygel = { + services.gnome.rygel = { enable = mkOption { default = false; description = '' @@ -24,13 +32,13 @@ with lib; }; ###### implementation - config = mkIf config.services.gnome3.rygel.enable { - environment.systemPackages = [ pkgs.gnome3.rygel ]; + config = mkIf config.services.gnome.rygel.enable { + environment.systemPackages = [ pkgs.gnome.rygel ]; - services.dbus.packages = [ pkgs.gnome3.rygel ]; + services.dbus.packages = [ pkgs.gnome.rygel ]; - systemd.packages = [ pkgs.gnome3.rygel ]; + systemd.packages = [ pkgs.gnome.rygel ]; - environment.etc."rygel.conf".source = "${pkgs.gnome3.rygel}/etc/rygel.conf"; + environment.etc."rygel.conf".source = "${pkgs.gnome.rygel}/etc/rygel.conf"; }; } diff --git a/nixos/modules/services/desktops/gnome3/sushi.nix b/nixos/modules/services/desktops/gnome/sushi.nix index 83b17365d5dd7..3133a3a0d9854 100644 --- a/nixos/modules/services/desktops/gnome3/sushi.nix +++ b/nixos/modules/services/desktops/gnome/sushi.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + imports = [ + # Added 2021-05-07 + (mkRenamedOptionModule + [ "services" "gnome3" "sushi" "enable" ] + [ "services" "gnome" "sushi" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.sushi = { + services.gnome.sushi = { enable = mkOption { type = types.bool; @@ -31,11 +39,11 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.sushi.enable { + config = mkIf config.services.gnome.sushi.enable { - environment.systemPackages = [ pkgs.gnome3.sushi ]; + environment.systemPackages = [ pkgs.gnome.sushi ]; - services.dbus.packages = [ pkgs.gnome3.sushi ]; + services.dbus.packages = [ pkgs.gnome.sushi ]; }; diff --git a/nixos/modules/services/desktops/gnome3/tracker-miners.nix b/nixos/modules/services/desktops/gnome/tracker-miners.nix index f2af402492719..c9101f0caa63d 100644 --- a/nixos/modules/services/desktops/gnome3/tracker-miners.nix +++ b/nixos/modules/services/desktops/gnome/tracker-miners.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + imports = [ + # Added 2021-05-07 + (mkRenamedOptionModule + [ "services" "gnome3" "tracker-miners" "enable" ] + [ "services" "gnome" "tracker-miners" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.tracker-miners = { + services.gnome.tracker-miners = { enable = mkOption { type = types.bool; @@ -31,7 +39,7 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.tracker-miners.enable { + config = mkIf config.services.gnome.tracker-miners.enable { environment.systemPackages = [ pkgs.tracker-miners ]; diff --git a/nixos/modules/services/desktops/gnome3/tracker.nix b/nixos/modules/services/desktops/gnome/tracker.nix index cd196e385539b..29d9662b0b8fe 100644 --- a/nixos/modules/services/desktops/gnome3/tracker.nix +++ b/nixos/modules/services/desktops/gnome/tracker.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + imports = [ + # Added 2021-05-07 + (mkRenamedOptionModule + [ "services" "gnome3" "tracker" "enable" ] + [ "services" "gnome" "tracker" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.tracker = { + services.gnome.tracker = { enable = mkOption { type = types.bool; @@ -32,7 +40,7 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.tracker.enable { + config = mkIf config.services.gnome.tracker.enable { environment.systemPackages = [ pkgs.tracker ]; diff --git a/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix b/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix deleted file mode 100644 index 164a0a44f8c81..0000000000000 --- a/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix +++ /dev/null @@ -1,24 +0,0 @@ -# Remote desktop daemon using Pipewire. -{ config, lib, pkgs, ... }: - -with lib; - -{ - meta = { - maintainers = teams.gnome.members; - }; - - ###### interface - options = { - services.gnome3.gnome-remote-desktop = { - enable = mkEnableOption "Remote Desktop support using Pipewire"; - }; - }; - - ###### implementation - config = mkIf config.services.gnome3.gnome-remote-desktop.enable { - services.pipewire.enable = true; - - systemd.packages = [ pkgs.gnome3.gnome-remote-desktop ]; - }; -} diff --git a/nixos/modules/services/desktops/gvfs.nix b/nixos/modules/services/desktops/gvfs.nix index 250ea6d4575fc..966a4d38662bd 100644 --- a/nixos/modules/services/desktops/gvfs.nix +++ b/nixos/modules/services/desktops/gvfs.nix @@ -34,7 +34,7 @@ in # gvfs can be built with multiple configurations package = mkOption { type = types.package; - default = pkgs.gnome3.gvfs; + default = pkgs.gnome.gvfs; description = "Which GVfs package to use."; }; diff --git a/nixos/modules/services/desktops/telepathy.nix b/nixos/modules/services/desktops/telepathy.nix index 8c50d860e5bb2..b5f6a5fcbcfdd 100644 --- a/nixos/modules/services/desktops/telepathy.nix +++ b/nixos/modules/services/desktops/telepathy.nix @@ -39,7 +39,7 @@ with lib; services.dbus.packages = [ pkgs.telepathy-mission-control ]; # Enable runtime optional telepathy in gnome-shell - services.xserver.desktopManager.gnome3.sessionPath = with pkgs; [ + services.xserver.desktopManager.gnome.sessionPath = with pkgs; [ telepathy-glib telepathy-logger ]; diff --git a/nixos/modules/services/desktops/tumbler.nix b/nixos/modules/services/desktops/tumbler.nix index a09079517f042..8d9248cb98398 100644 --- a/nixos/modules/services/desktops/tumbler.nix +++ b/nixos/modules/services/desktops/tumbler.nix @@ -19,7 +19,7 @@ in ]; meta = { - maintainers = with maintainers; [ worldofpeace ]; + maintainers = with maintainers; [ ]; }; ###### interface diff --git a/nixos/modules/services/desktops/zeitgeist.nix b/nixos/modules/services/desktops/zeitgeist.nix index cf7dd5fe3a13c..fb0218da3045e 100644 --- a/nixos/modules/services/desktops/zeitgeist.nix +++ b/nixos/modules/services/desktops/zeitgeist.nix @@ -7,7 +7,7 @@ with lib; { meta = { - maintainers = with maintainers; [ worldofpeace ]; + maintainers = with maintainers; [ ]; }; ###### interface diff --git a/nixos/modules/services/development/jupyter/default.nix b/nixos/modules/services/development/jupyter/default.nix index 6a5fd6b2940e8..21b84b3bcdaa8 100644 --- a/nixos/modules/services/development/jupyter/default.nix +++ b/nixos/modules/services/development/jupyter/default.nix @@ -131,7 +131,7 @@ in { env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ ipykernel pandas - scikitlearn + scikit-learn ])); in { displayName = "Python 3 for machine learning"; diff --git a/nixos/modules/services/development/jupyterhub/default.nix b/nixos/modules/services/development/jupyterhub/default.nix index f1dcab68b0002..a1df4468cfff6 100644 --- a/nixos/modules/services/development/jupyterhub/default.nix +++ b/nixos/modules/services/development/jupyterhub/default.nix @@ -117,7 +117,7 @@ in { env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ ipykernel pandas - scikitlearn + scikit-learn ])); in { displayName = "Python 3 for machine learning"; diff --git a/nixos/modules/services/games/factorio.nix b/nixos/modules/services/games/factorio.nix index a1aa5739d06b2..3cb1427579273 100644 --- a/nixos/modules/services/games/factorio.nix +++ b/nixos/modules/services/games/factorio.nix @@ -35,10 +35,10 @@ let auto_pause = true; only_admins_can_pause_the_game = true; autosave_only_on_server = true; - admins = []; non_blocking_saving = cfg.nonBlockingSaving; } // cfg.extraSettings; serverSettingsFile = pkgs.writeText "server-settings.json" (builtins.toJSON (filterAttrsRecursive (n: v: v != null) serverSettings)); + serverAdminsFile = pkgs.writeText "server-adminlist.json" (builtins.toJSON cfg.admins); modDir = pkgs.factorio-utils.mkModDirDrv cfg.mods; in { @@ -52,6 +52,16 @@ in The port to which the service should bind. ''; }; + + admins = mkOption { + type = types.listOf types.str; + default = []; + example = [ "username" ]; + description = '' + List of player names which will be admin. + ''; + }; + openFirewall = mkOption { type = types.bool; default = false; @@ -234,6 +244,7 @@ in "--start-server=${mkSavePath cfg.saveName}" "--server-settings=${serverSettingsFile}" (optionalString (cfg.mods != []) "--mod-directory=${modDir}") + (optionalString (cfg.admins != []) "--server-adminlist=${serverAdminsFile}") ]; # Sandboxing diff --git a/nixos/modules/services/games/terraria.nix b/nixos/modules/services/games/terraria.nix index 34c8ff137d6a2..9e8e5ae8759aa 100644 --- a/nixos/modules/services/games/terraria.nix +++ b/nixos/modules/services/games/terraria.nix @@ -111,6 +111,13 @@ in default = false; description = "Disables automatic Universal Plug and Play."; }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = "Wheter to open ports in the firewall"; + }; + dataDir = mkOption { type = types.str; default = "/var/lib/terraria"; @@ -151,5 +158,11 @@ in ${pkgs.coreutils}/bin/chgrp terraria ${cfg.dataDir}/terraria.sock ''; }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + allowedUDPPorts = [ cfg.port ]; + }; + }; } diff --git a/nixos/modules/services/hardware/brltty.nix b/nixos/modules/services/hardware/brltty.nix index 1266e8f81e5b4..730560175327e 100644 --- a/nixos/modules/services/hardware/brltty.nix +++ b/nixos/modules/services/hardware/brltty.nix @@ -5,6 +5,19 @@ with lib; let cfg = config.services.brltty; + targets = [ + "default.target" "multi-user.target" + "rescue.target" "emergency.target" + ]; + + genApiKey = pkgs.writers.writeDash "generate-brlapi-key" '' + if ! test -f /etc/brlapi.key; then + echo -n generating brlapi key... + ${pkgs.brltty}/bin/brltty-genkey -f /etc/brlapi.key + echo done + fi + ''; + in { options = { @@ -18,33 +31,27 @@ in { }; config = mkIf cfg.enable { - - systemd.services.brltty = { - description = "Braille Device Support"; - unitConfig = { - Documentation = "http://mielke.cc/brltty/"; - DefaultDependencies = "no"; - RequiresMountsFor = "${pkgs.brltty}/var/lib/brltty"; - }; - serviceConfig = { - ExecStart = "${pkgs.brltty}/bin/brltty --no-daemon"; - Type = "notify"; - TimeoutStartSec = 5; - TimeoutStopSec = 10; - Restart = "always"; - RestartSec = 30; - Nice = -10; - OOMScoreAdjust = -900; - ProtectHome = "read-only"; - ProtectSystem = "full"; - SystemCallArchitectures = "native"; - }; - wants = [ "systemd-udev-settle.service" ]; - after = [ "local-fs.target" "systemd-udev-settle.service" ]; - before = [ "sysinit.target" ]; - wantedBy = [ "sysinit.target" ]; + users.users.brltty = { + description = "BRLTTY daemon user"; + group = "brltty"; + }; + users.groups = { + brltty = { }; + brlapi = { }; }; + systemd.services."brltty@".serviceConfig = + { ExecStartPre = "!${genApiKey}"; }; + + # Install all upstream-provided files + systemd.packages = [ pkgs.brltty ]; + systemd.tmpfiles.packages = [ pkgs.brltty ]; + services.udev.packages = [ pkgs.brltty ]; + environment.systemPackages = [ pkgs.brltty ]; + + # Add missing WantedBys (see issue #81138) + systemd.paths.brltty.wantedBy = targets; + systemd.paths."brltty@".wantedBy = targets; }; } diff --git a/nixos/modules/services/hardware/fancontrol.nix b/nixos/modules/services/hardware/fancontrol.nix index e1ce11a5aef62..5574c5a132e59 100644 --- a/nixos/modules/services/hardware/fancontrol.nix +++ b/nixos/modules/services/hardware/fancontrol.nix @@ -6,21 +6,21 @@ let cfg = config.hardware.fancontrol; configFile = pkgs.writeText "fancontrol.conf" cfg.config; -in{ +in +{ options.hardware.fancontrol = { enable = mkEnableOption "software fan control (requires fancontrol.config)"; config = mkOption { - default = null; - type = types.nullOr types.lines; - description = "Fancontrol configuration file content. See <citerefentry><refentrytitle>pwmconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry> from the lm_sensors package."; + type = types.lines; + description = "Required fancontrol configuration file content. See <citerefentry><refentrytitle>pwmconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry> from the lm_sensors package."; example = '' # Configuration file generated by pwmconfig INTERVAL=10 DEVPATH=hwmon3=devices/virtual/thermal/thermal_zone2 hwmon4=devices/platform/f71882fg.656 DEVNAME=hwmon3=soc_dts1 hwmon4=f71869a FCTEMPS=hwmon4/device/pwm1=hwmon3/temp1_input - FCFANS= hwmon4/device/pwm1=hwmon4/device/fan1_input + FCFANS=hwmon4/device/pwm1=hwmon4/device/fan1_input MINTEMP=hwmon4/device/pwm1=35 MAXTEMP=hwmon4/device/pwm1=65 MINSTART=hwmon4/device/pwm1=150 @@ -30,16 +30,18 @@ in{ }; config = mkIf cfg.enable { + systemd.services.fancontrol = { - unitConfig.Documentation = "man:fancontrol(8)"; + documentation = [ "man:fancontrol(8)" ]; description = "software fan control"; wantedBy = [ "multi-user.target" ]; after = [ "lm_sensors.service" ]; serviceConfig = { - Type = "simple"; ExecStart = "${pkgs.lm_sensors}/sbin/fancontrol ${configFile}"; }; }; }; + + meta.maintainers = [ maintainers.evils ]; } diff --git a/nixos/modules/services/hardware/pcscd.nix b/nixos/modules/services/hardware/pcscd.nix index 59c12ee12ca59..4fc1e351f5037 100644 --- a/nixos/modules/services/hardware/pcscd.nix +++ b/nixos/modules/services/hardware/pcscd.nix @@ -50,6 +50,7 @@ in environment.etc."reader.conf".source = cfgFile; + environment.systemPackages = [ pkgs.pcsclite ]; systemd.packages = [ (getBin pkgs.pcsclite) ]; systemd.sockets.pcscd.wantedBy = [ "sockets.target" ]; diff --git a/nixos/modules/services/hardware/spacenavd.nix b/nixos/modules/services/hardware/spacenavd.nix index cecc4d6f029bf..74725dd23d25c 100644 --- a/nixos/modules/services/hardware/spacenavd.nix +++ b/nixos/modules/services/hardware/spacenavd.nix @@ -13,13 +13,12 @@ in { }; config = mkIf cfg.enable { - systemd.services.spacenavd = { + systemd.user.services.spacenavd = { description = "Daemon for the Spacenavigator 6DOF mice by 3Dconnexion"; after = [ "syslog.target" ]; wantedBy = [ "graphical.target" ]; serviceConfig = { ExecStart = "${pkgs.spacenavd}/bin/spacenavd -d -l syslog"; - StandardError = "syslog"; }; }; }; diff --git a/nixos/modules/services/mail/mailman.xml b/nixos/modules/services/mail/mailman.xml index 8da491ccbe9f6..27247fb064f20 100644 --- a/nixos/modules/services/mail/mailman.xml +++ b/nixos/modules/services/mail/mailman.xml @@ -31,11 +31,11 @@ <link linkend="opt-services.mailman.enable">enable</link> = true; <link linkend="opt-services.mailman.serve.enable">serve.enable</link> = true; <link linkend="opt-services.mailman.hyperkitty.enable">hyperkitty.enable</link> = true; - <link linkend="opt-services.mailman.hyperkitty.enable">webHosts</link> = ["lists.example.org"]; - <link linkend="opt-services.mailman.hyperkitty.enable">siteOwner</link> = "mailman@example.org"; + <link linkend="opt-services.mailman.webHosts">webHosts</link> = ["lists.example.org"]; + <link linkend="opt-services.mailman.siteOwner">siteOwner</link> = "mailman@example.org"; }; <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">services.nginx.virtualHosts."lists.example.org".enableACME</link> = true; - <link linkend="opt-services.mailman.hyperkitty.enable">networking.firewall.allowedTCPPorts</link> = [ 25 80 443 ]; + <link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 25 80 443 ]; }</programlisting> </para> <para> diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix index 9bf6f338d93ed..beff57613afc5 100644 --- a/nixos/modules/services/mail/opendkim.nix +++ b/nixos/modules/services/mail/opendkim.nix @@ -134,7 +134,7 @@ in { ReadWritePaths = [ cfg.keyPath ]; AmbientCapabilities = []; - CapabilityBoundingSet = []; + CapabilityBoundingSet = ""; DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 8e5bed5fcb876..35639e1bbc837 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -773,7 +773,7 @@ in }; services.postfix.config = (mapAttrs (_: v: mkDefault v) { - compatibility_level = "9999"; + compatibility_level = pkgs.postfix.version; mail_owner = cfg.user; default_privs = "nobody"; diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix index 2f9d28195bd83..473ddd52357dd 100644 --- a/nixos/modules/services/mail/rspamd.nix +++ b/nixos/modules/services/mail/rspamd.nix @@ -410,7 +410,7 @@ in StateDirectoryMode = "0700"; AmbientCapabilities = []; - CapabilityBoundingSet = []; + CapabilityBoundingSet = ""; DevicePolicy = "closed"; LockPersonality = true; NoNewPrivileges = true; diff --git a/nixos/modules/services/misc/airsonic.nix b/nixos/modules/services/misc/airsonic.nix index 5cc2ff7f4bd12..a572f1f6d6f5a 100644 --- a/nixos/modules/services/misc/airsonic.nix +++ b/nixos/modules/services/misc/airsonic.nix @@ -118,7 +118,7 @@ in { ''; serviceConfig = { ExecStart = '' - ${pkgs.jre}/bin/java -Xmx${toString cfg.maxMemory}m \ + ${pkgs.jre8}/bin/java -Xmx${toString cfg.maxMemory}m \ -Dairsonic.home=${cfg.home} \ -Dserver.address=${cfg.listenAddress} \ -Dserver.port=${toString cfg.port} \ diff --git a/nixos/modules/services/misc/autorandr.nix b/nixos/modules/services/misc/autorandr.nix index dfb418af6edeb..95cee5046e819 100644 --- a/nixos/modules/services/misc/autorandr.nix +++ b/nixos/modules/services/misc/autorandr.nix @@ -48,5 +48,5 @@ in { }; - meta.maintainers = with maintainers; [ gnidorah ]; + meta.maintainers = with maintainers; [ ]; } diff --git a/nixos/modules/services/misc/dendrite.nix b/nixos/modules/services/misc/dendrite.nix new file mode 100644 index 0000000000000..c967fc3a362a7 --- /dev/null +++ b/nixos/modules/services/misc/dendrite.nix @@ -0,0 +1,181 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.services.dendrite; + settingsFormat = pkgs.formats.yaml { }; + configurationYaml = settingsFormat.generate "dendrite.yaml" cfg.settings; + workingDir = "/var/lib/dendrite"; +in +{ + options.services.dendrite = { + enable = lib.mkEnableOption "matrix.org dendrite"; + httpPort = lib.mkOption { + type = lib.types.nullOr lib.types.port; + default = 8008; + description = '' + The port to listen for HTTP requests on. + ''; + }; + httpsPort = lib.mkOption { + type = lib.types.nullOr lib.types.port; + default = null; + description = '' + The port to listen for HTTPS requests on. + ''; + }; + tlsCert = lib.mkOption { + type = lib.types.nullOr lib.types.path; + example = "/var/lib/dendrite/server.cert"; + default = null; + description = '' + The path to the TLS certificate. + + <programlisting> + nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key" + </programlisting> + ''; + }; + tlsKey = lib.mkOption { + type = lib.types.nullOr lib.types.path; + example = "/var/lib/dendrite/server.key"; + default = null; + description = '' + The path to the TLS key. + + <programlisting> + nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key" + </programlisting> + ''; + }; + environmentFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + example = "/var/lib/dendrite/registration_secret"; + default = null; + description = '' + Environment file as defined in <citerefentry> + <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>. + Secrets may be passed to the service without adding them to the world-readable + Nix store, by specifying placeholder variables as the option value in Nix and + setting these variables accordingly in the environment file. Currently only used + for the registration secret to allow secure registration when + client_api.registration_disabled is true. + + <programlisting> + # snippet of dendrite-related config + services.dendrite.settings.client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; + </programlisting> + + <programlisting> + # content of the environment file + REGISTRATION_SHARED_SECRET=verysecretpassword + </programlisting> + + Note that this file needs to be available on the host on which + <literal>dendrite</literal> is running. + ''; + }; + settings = lib.mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type; + options.global = { + server_name = lib.mkOption { + type = lib.types.str; + example = "example.com"; + description = '' + The domain name of the server, with optional explicit port. + This is used by remote servers to connect to this server. + This is also the last part of your UserID. + ''; + }; + private_key = lib.mkOption { + type = lib.types.path; + example = "${workingDir}/matrix_key.pem"; + description = '' + The path to the signing private key file, used to sign + requests and events. + + <programlisting> + nix-shell -p dendrite --command "generate-keys --private-key matrix_key.pem" + </programlisting> + ''; + }; + trusted_third_party_id_servers = lib.mkOption { + type = lib.types.listOf lib.types.str; + example = [ "matrix.org" ]; + default = [ "matrix.org" "vector.im" ]; + description = '' + Lists of domains that the server will trust as identity + servers to verify third party identifiers such as phone + numbers and email addresses + ''; + }; + }; + options.client_api = { + registration_disabled = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Whether to disable user registration to the server + without the shared secret. + ''; + }; + }; + }; + default = { }; + description = '' + Configuration for dendrite, see: + <link xlink:href="https://github.com/matrix-org/dendrite/blob/master/dendrite-config.yaml"/> + for available options with which to populate settings. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = [{ + assertion = cfg.httpsPort != null -> (cfg.tlsCert != null && cfg.tlsKey != null); + message = '' + If Dendrite is configured to use https, tlsCert and tlsKey must be provided. + + nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key" + ''; + }]; + + systemd.services.dendrite = { + description = "Dendrite Matrix homeserver"; + after = [ + "network.target" + ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "simple"; + DynamicUser = true; + StateDirectory = "dendrite"; + WorkingDirectory = workingDir; + RuntimeDirectory = "dendrite"; + RuntimeDirectoryMode = "0700"; + EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; + ExecStartPre = + if (cfg.environmentFile != null) then '' + ${pkgs.envsubst}/bin/envsubst \ + -i ${configurationYaml} \ + -o /run/dendrite/dendrite.yaml + '' else '' + ${pkgs.coreutils}/bin/cp ${configurationYaml} /run/dendrite/dendrite.yaml + ''; + ExecStart = lib.strings.concatStringsSep " " ([ + "${pkgs.dendrite}/bin/dendrite-monolith-server" + "--config /run/dendrite/dendrite.yaml" + ] ++ lib.optionals (cfg.httpPort != null) [ + "--http-bind-address :${builtins.toString cfg.httpPort}" + ] ++ lib.optionals (cfg.httpsPort != null) [ + "--https-bind-address :${builtins.toString cfg.httpsPort}" + "--tls-cert ${cfg.tlsCert}" + "--tls-key ${cfg.tlsKey}" + ]); + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "on-failure"; + }; + }; + }; + meta.maintainers = lib.teams.matrix.members; +} diff --git a/nixos/modules/services/misc/disnix.nix b/nixos/modules/services/misc/disnix.nix index 41483d80a2ddb..24a259bb4d2bd 100644 --- a/nixos/modules/services/misc/disnix.nix +++ b/nixos/modules/services/misc/disnix.nix @@ -37,7 +37,7 @@ in enableProfilePath = mkEnableOption "exposing the Disnix profiles in the system's PATH"; profiles = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = [ "default" ]; example = [ "default" ]; description = "Names of the Disnix profiles to expose in the system's PATH"; @@ -53,6 +53,7 @@ in environment.systemPackages = [ pkgs.disnix ] ++ optional cfg.useWebServiceInterface pkgs.DisnixWebService; environment.variables.PATH = lib.optionals cfg.enableProfilePath (map (profileName: "/nix/var/nix/profiles/disnix/${profileName}/bin" ) cfg.profiles); + environment.variables.DISNIX_REMOTE_CLIENT = lib.optionalString (cfg.enableMultiUser) "disnix-client"; services.dbus.enable = true; services.dbus.packages = [ pkgs.disnix ]; diff --git a/nixos/modules/services/misc/fstrim.nix b/nixos/modules/services/misc/fstrim.nix index 5258f5acb410c..a9fc04b46f0ab 100644 --- a/nixos/modules/services/misc/fstrim.nix +++ b/nixos/modules/services/misc/fstrim.nix @@ -42,5 +42,5 @@ in { }; - meta.maintainers = with maintainers; [ gnidorah ]; + meta.maintainers = with maintainers; [ ]; } diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index 434e2d2429b5b..95369ff7ee481 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -477,47 +477,49 @@ in in '' # copy custom configuration and generate a random secret key if needed ${optionalString (cfg.useWizard == false) '' - cp -f ${configFile} ${runConfig} - - if [ ! -e ${secretKey} ]; then - ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey} - fi - - # Migrate LFS_JWT_SECRET filename - if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then - mv ${oldLfsJwtSecret} ${lfsJwtSecret} - fi - - if [ ! -e ${oauth2JwtSecret} ]; then - ${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret} - fi - - if [ ! -e ${lfsJwtSecret} ]; then - ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret} - fi - - if [ ! -e ${internalToken} ]; then - ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken} - fi - - SECRETKEY="$(head -n1 ${secretKey})" - DBPASS="$(head -n1 ${cfg.database.passwordFile})" - OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})" - LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})" - INTERNALTOKEN="$(head -n1 ${internalToken})" - ${if (cfg.mailerPasswordFile == null) then '' - MAILERPASSWORD="#mailerpass#" - '' else '' - MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)" - ''} - sed -e "s,#secretkey#,$SECRETKEY,g" \ - -e "s,#dbpass#,$DBPASS,g" \ - -e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \ - -e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \ - -e "s,#internaltoken#,$INTERNALTOKEN,g" \ - -e "s,#mailerpass#,$MAILERPASSWORD,g" \ - -i ${runConfig} - chmod 640 ${runConfig} ${secretKey} ${oauth2JwtSecret} ${lfsJwtSecret} ${internalToken} + function gitea_setup { + cp -f ${configFile} ${runConfig} + + if [ ! -e ${secretKey} ]; then + ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey} + fi + + # Migrate LFS_JWT_SECRET filename + if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then + mv ${oldLfsJwtSecret} ${lfsJwtSecret} + fi + + if [ ! -e ${oauth2JwtSecret} ]; then + ${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret} + fi + + if [ ! -e ${lfsJwtSecret} ]; then + ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret} + fi + + if [ ! -e ${internalToken} ]; then + ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken} + fi + + SECRETKEY="$(head -n1 ${secretKey})" + DBPASS="$(head -n1 ${cfg.database.passwordFile})" + OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})" + LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})" + INTERNALTOKEN="$(head -n1 ${internalToken})" + ${if (cfg.mailerPasswordFile == null) then '' + MAILERPASSWORD="#mailerpass#" + '' else '' + MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)" + ''} + sed -e "s,#secretkey#,$SECRETKEY,g" \ + -e "s,#dbpass#,$DBPASS,g" \ + -e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \ + -e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \ + -e "s,#internaltoken#,$INTERNALTOKEN,g" \ + -e "s,#mailerpass#,$MAILERPASSWORD,g" \ + -i ${runConfig} + } + (umask 027; gitea_setup) ''} # update all hooks' binary paths diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 8153754af0ff6..253d87537cfe0 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -952,7 +952,7 @@ in { path = with pkgs; [ jq openssl - replace + replace-secret git ]; serviceConfig = { @@ -994,8 +994,7 @@ in { ${optionalString cfg.smtp.enable '' install -m u=rw ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb ${optionalString (cfg.smtp.passwordFile != null) '' - smtp_password=$(<'${cfg.smtp.passwordFile}') - replace-literal -e '@smtpPassword@' "$smtp_password" '${cfg.statePath}/config/initializers/smtp_settings.rb' + replace-secret '@smtpPassword@' '${cfg.smtp.passwordFile}' '${cfg.statePath}/config/initializers/smtp_settings.rb' ''} ''} diff --git a/nixos/modules/services/misc/gitweb.nix b/nixos/modules/services/misc/gitweb.nix index ca21366b7796e..13396bf2eb028 100644 --- a/nixos/modules/services/misc/gitweb.nix +++ b/nixos/modules/services/misc/gitweb.nix @@ -54,6 +54,6 @@ in }; - meta.maintainers = with maintainers; [ gnidorah ]; + meta.maintainers = with maintainers; [ ]; } diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix index 0590f54ae60e8..1e33381de24c5 100644 --- a/nixos/modules/services/misc/home-assistant.nix +++ b/nixos/modules/services/misc/home-assistant.nix @@ -245,22 +245,86 @@ in { rm -f "${cfg.configDir}/ui-lovelace.yaml" ln -s ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml" ''); - serviceConfig = { - ExecStart = "${package}/bin/hass --config '${cfg.configDir}'"; + serviceConfig = let + # List of capabilities to equip home-assistant with, depending on configured components + capabilities = [ + # Empty string first, so we will never accidentally have an empty capability bounding set + # https://github.com/NixOS/nixpkgs/issues/120617#issuecomment-830685115 + "" + ] ++ (unique (optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [ + # Required for interaction with hci devices and bluetooth sockets + # https://www.home-assistant.io/integrations/bluetooth_le_tracker/#rootless-setup-on-core-installs + "CAP_NET_ADMIN" + "CAP_NET_RAW" + ] ++ lib.optionals (useComponent "emulated_hue") [ + # Alexa looks for the service on port 80 + # https://www.home-assistant.io/integrations/emulated_hue + "CAP_NET_BIND_SERVICE" + ] ++ lib.optionals (useComponent "nmap_tracker") [ + # https://www.home-assistant.io/integrations/nmap_tracker#linux-capabilities + "CAP_NET_ADMIN" + "CAP_NET_BIND_SERVICE" + "CAP_NET_RAW" + ])); + in { + ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; User = "hass"; Group = "hass"; Restart = "on-failure"; + RestartForceExitStatus = "100"; + SuccessExitStatus = "100"; + KillSignal = "SIGINT"; + + # Hardening + AmbientCapabilities = capabilities; + CapabilityBoundingSet = capabilities; + DeviceAllow = [ + "char-ttyACM rw" + "char-ttyAMA rw" + "char-ttyUSB rw" + ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateTmp = true; + PrivateUsers = false; # prevents gaining capabilities in the host namespace + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "all"; ProtectSystem = "strict"; + RemoveIPC = true; ReadWritePaths = let + # Allow rw access to explicitly configured paths cfgPath = [ "config" "homeassistant" "allowlist_external_dirs" ]; value = attrByPath cfgPath [] cfg; allowPaths = if isList value then value else singleton value; in [ "${cfg.configDir}" ] ++ allowPaths; - KillSignal = "SIGINT"; - PrivateTmp = true; - RemoveIPC = true; - AmbientCapabilities = "cap_net_raw,cap_net_admin+eip"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + "AF_UNIX" + ] ++ optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [ + "AF_BLUETOOTH" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SupplementaryGroups = [ "dialout" ]; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; }; path = [ "/run/wrappers" # needed for ping @@ -278,7 +342,6 @@ in { home = cfg.configDir; createHome = true; group = "hass"; - extraGroups = [ "dialout" ]; uid = config.ids.uids.hass; }; diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix index c1b45864041b1..6d64acc029101 100644 --- a/nixos/modules/services/misc/jellyfin.nix +++ b/nixos/modules/services/misc/jellyfin.nix @@ -92,9 +92,7 @@ in SystemCallErrorNumber = "EPERM"; SystemCallFilter = [ "@system-service" - - "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@module" - "~@obsolete" "~@privileged" "~@setuid" + "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" ]; }; }; diff --git a/nixos/modules/services/misc/mame.nix b/nixos/modules/services/misc/mame.nix index 34a471ea4fe05..4b9a04be7c297 100644 --- a/nixos/modules/services/misc/mame.nix +++ b/nixos/modules/services/misc/mame.nix @@ -63,5 +63,5 @@ in }; }; - meta.maintainers = with lib.maintainers; [ gnidorah ]; + meta.maintainers = with lib.maintainers; [ ]; } diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix index 8e3fa60206c2d..dff587453042d 100644 --- a/nixos/modules/services/misc/matrix-synapse.nix +++ b/nixos/modules/services/misc/matrix-synapse.nix @@ -86,7 +86,9 @@ account_threepid_delegates: ${optionalString (cfg.account_threepid_delegates.email != null) "email: ${cfg.account_threepid_delegates.email}"} ${optionalString (cfg.account_threepid_delegates.msisdn != null) "msisdn: ${cfg.account_threepid_delegates.msisdn}"} -room_invite_state_types: ${builtins.toJSON cfg.room_invite_state_types} +room_prejoin_state: + disable_default_event_types: ${boolToString cfg.room_prejoin_state.disable_default_event_types} + additional_event_types: ${builtins.toJSON cfg.room_prejoin_state.additional_event_types} ${optionalString (cfg.macaroon_secret_key != null) '' macaroon_secret_key: "${cfg.macaroon_secret_key}" ''} @@ -577,11 +579,28 @@ in { Delegate SMS sending to this local process (https://localhost:8090) ''; }; - room_invite_state_types = mkOption { + room_prejoin_state.additional_event_types = mkOption { + default = []; type = types.listOf types.str; - default = ["m.room.join_rules" "m.room.canonical_alias" "m.room.avatar" "m.room.name"]; description = '' - A list of event types that will be included in the room_invite_state + Additional events to share with users who received an invite. + ''; + }; + room_prejoin_state.disable_default_event_types = mkOption { + default = false; + type = types.bool; + description = '' + Whether to disable the default state-event types for users invited to a room. + These are: + + <itemizedlist> + <listitem><para>m.room.join_rules</para></listitem> + <listitem><para>m.room.canonical_alias</para></listitem> + <listitem><para>m.room.avatar</para></listitem> + <listitem><para>m.room.encryption</para></listitem> + <listitem><para>m.room.name</para></listitem> + <listitem><para>m.room.create</para></listitem> + </itemizedlist> ''; }; macaroon_secret_key = mkOption { @@ -680,12 +699,12 @@ in { ]; users.users.matrix-synapse = { - group = "matrix-synapse"; - home = cfg.dataDir; - createHome = true; - shell = "${pkgs.bash}/bin/bash"; - uid = config.ids.uids.matrix-synapse; - }; + group = "matrix-synapse"; + home = cfg.dataDir; + createHome = true; + shell = "${pkgs.bash}/bin/bash"; + uid = config.ids.uids.matrix-synapse; + }; users.groups.matrix-synapse = { gid = config.ids.gids.matrix-synapse; @@ -707,6 +726,10 @@ in { User = "matrix-synapse"; Group = "matrix-synapse"; WorkingDirectory = cfg.dataDir; + ExecStartPre = [ ("+" + (pkgs.writeShellScript "matrix-synapse-fix-permissions" '' + chown matrix-synapse:matrix-synapse ${cfg.dataDir}/homeserver.signing.key + chmod 0600 ${cfg.dataDir}/homeserver.signing.key + '')) ]; ExecStart = '' ${cfg.package}/bin/homeserver \ ${ concatMapStringsSep "\n " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) } @@ -714,6 +737,7 @@ in { ''; ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; Restart = "on-failure"; + UMask = "0077"; }; }; }; @@ -728,6 +752,12 @@ in { <nixpkgs/nixos/tests/matrix-synapse.nix> '') (mkRemovedOptionModule [ "services" "matrix-synapse" "web_client" ] "") + (mkRemovedOptionModule [ "services" "matrix-synapse" "room_invite_state_types" ] '' + You may add additional event types via + `services.matrix-synapse.room_prejoin_state.additional_event_types` and + disable the default events via + `services.matrix-synapse.room_prejoin_state.disable_default_event_types`. + '') ]; meta.doc = ./matrix-synapse.xml; diff --git a/nixos/modules/services/misc/pinnwand.nix b/nixos/modules/services/misc/pinnwand.nix index aa1ee5cfaa77d..cbc796c9a7c88 100644 --- a/nixos/modules/services/misc/pinnwand.nix +++ b/nixos/modules/services/misc/pinnwand.nix @@ -24,55 +24,80 @@ in Your <filename>pinnwand.toml</filename> as a Nix attribute set. Look up possible options in the <link xlink:href="https://github.com/supakeen/pinnwand/blob/master/pinnwand.toml-example">pinnwand.toml-example</link>. ''; - default = { - # https://github.com/supakeen/pinnwand/blob/master/pinnwand.toml-example - database_uri = "sqlite:///var/lib/pinnwand/pinnwand.db"; - preferred_lexeres = []; - paste_size = 262144; - paste_help = '' - <p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p> - ''; - footer = '' - View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page. - ''; - }; + default = {}; }; }; config = mkIf cfg.enable { - systemd.services.pinnwand = { - description = "Pinnwannd HTTP Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; + services.pinnwand.settings = { + database_uri = mkDefault "sqlite:////var/lib/pinnwand/pinnwand.db"; + paste_size = mkDefault 262144; + paste_help = mkDefault '' + <p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p> + ''; + footer = mkDefault '' + View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page. + ''; + }; + + systemd.services = let + hardeningOptions = { + User = "pinnwand"; + DynamicUser = true; - unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/"; - serviceConfig = { - ExecStart = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile} http --port ${toString(cfg.port)}"; StateDirectory = "pinnwand"; StateDirectoryMode = "0700"; AmbientCapabilities = []; CapabilityBoundingSet = ""; DevicePolicy = "closed"; - DynamicUser = true; LockPersonality = true; MemoryDenyWriteExecute = true; PrivateDevices = true; PrivateUsers = true; + ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; - ProtectKernelLogs = true; ProtectHome = true; ProtectHostname = true; + ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; - RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; RestrictNamespaces = true; RestrictRealtime = true; SystemCallArchitectures = "native"; SystemCallFilter = "@system-service"; UMask = "0077"; }; + + command = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile}"; + in { + pinnwand = { + description = "Pinnwannd HTTP Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/"; + + serviceConfig = { + ExecStart = "${command} http --port ${toString(cfg.port)}"; + } // hardeningOptions; + }; + + pinnwand-reaper = { + description = "Pinnwand Reaper"; + startAt = "daily"; + + serviceConfig = { + ExecStart = "${command} -vvvv reap"; # verbosity increased to show number of deleted pastes + } // hardeningOptions; + }; }; }; } diff --git a/nixos/modules/services/misc/ssm-agent.nix b/nixos/modules/services/misc/ssm-agent.nix index e50b07e0b862a..c29d03d199bf4 100644 --- a/nixos/modules/services/misc/ssm-agent.nix +++ b/nixos/modules/services/misc/ssm-agent.nix @@ -22,8 +22,8 @@ in { package = mkOption { type = types.path; description = "The SSM agent package to use"; - default = pkgs.ssm-agent; - defaultText = "pkgs.ssm-agent"; + default = pkgs.ssm-agent.override { overrideEtc = false; }; + defaultText = "pkgs.ssm-agent.override { overrideEtc = false; }"; }; }; @@ -37,8 +37,10 @@ in { serviceConfig = { ExecStart = "${cfg.package}/bin/amazon-ssm-agent"; KillMode = "process"; - Restart = "on-failure"; - RestartSec = "15min"; + # We want this restating pretty frequently. It could be our only means + # of accessing the instance. + Restart = "always"; + RestartSec = "1min"; }; }; @@ -62,5 +64,10 @@ in { isNormalUser = true; group = "ssm-user"; }; + + environment.etc."amazon/ssm/seelog.xml".source = "${cfg.package}/seelog.xml.template"; + + environment.etc."amazon/ssm/amazon-ssm-agent.json".source = "${cfg.package}/etc/amazon/ssm/amazon-ssm-agent.json.template"; + }; } diff --git a/nixos/modules/services/misc/zigbee2mqtt.nix b/nixos/modules/services/misc/zigbee2mqtt.nix index cd987eb76c76c..4458da1346b7d 100644 --- a/nixos/modules/services/misc/zigbee2mqtt.nix +++ b/nixos/modules/services/misc/zigbee2mqtt.nix @@ -5,29 +5,17 @@ with lib; let cfg = config.services.zigbee2mqtt; - configJSON = pkgs.writeText "configuration.json" - (builtins.toJSON (recursiveUpdate defaultConfig cfg.config)); - configFile = pkgs.runCommand "configuration.yaml" { preferLocalBuild = true; } '' - ${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out - ''; + format = pkgs.formats.yaml { }; + configFile = format.generate "zigbee2mqtt.yaml" cfg.settings; - # the default config contains all required settings, - # so the service starts up without crashing. - defaultConfig = { - homeassistant = false; - permit_join = false; - mqtt = { - base_topic = "zigbee2mqtt"; - server = "mqtt://localhost:1883"; - }; - serial.port = "/dev/ttyACM0"; - # put device configuration into separate file because configuration.yaml - # is copied from the store on startup - devices = "devices.yaml"; - }; in { - meta.maintainers = with maintainers; [ sweber ]; + meta.maintainers = with maintainers; [ sweber hexa ]; + + imports = [ + # Remove warning before the 21.11 release + (mkRenamedOptionModule [ "services" "zigbee2mqtt" "config" ] [ "services" "zigbee2mqtt" "settings" ]) + ]; options.services.zigbee2mqtt = { enable = mkEnableOption "enable zigbee2mqtt service"; @@ -37,7 +25,11 @@ in default = pkgs.zigbee2mqtt.override { dataDir = cfg.dataDir; }; - defaultText = "pkgs.zigbee2mqtt"; + defaultText = literalExample '' + pkgs.zigbee2mqtt { + dataDir = services.zigbee2mqtt.dataDir + } + ''; type = types.package; }; @@ -47,9 +39,9 @@ in type = types.path; }; - config = mkOption { + settings = mkOption { + type = format.type; default = {}; - type = with types; nullOr attrs; example = literalExample '' { homeassistant = config.services.home-assistant.enable; @@ -61,11 +53,28 @@ in ''; description = '' Your <filename>configuration.yaml</filename> as a Nix attribute set. + Check the <link xlink:href="https://www.zigbee2mqtt.io/information/configuration.html">documentation</link> + for possible options. ''; }; }; config = mkIf (cfg.enable) { + + # preset config values + services.zigbee2mqtt.settings = { + homeassistant = mkDefault config.services.home-assistant.enable; + permit_join = mkDefault false; + mqtt = { + base_topic = mkDefault "zigbee2mqtt"; + server = mkDefault "mqtt://localhost:1883"; + }; + serial.port = mkDefault "/dev/ttyACM0"; + # reference device configuration, that is kept in a separate file + # to prevent it being overwritten in the units ExecStartPre script + devices = mkDefault "devices.yaml"; + }; + systemd.services.zigbee2mqtt = { description = "Zigbee2mqtt Service"; wantedBy = [ "multi-user.target" ]; @@ -76,10 +85,48 @@ in User = "zigbee2mqtt"; WorkingDirectory = cfg.dataDir; Restart = "on-failure"; + + # Hardening + CapabilityBoundingSet = ""; + DeviceAllow = [ + config.services.zigbee2mqtt.settings.serial.port + ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = false; + NoNewPrivileges = true; + PrivateDevices = false; # prevents access to /dev/serial, because it is set 0700 root:root + PrivateUsers = true; + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; ProtectSystem = "strict"; ReadWritePaths = cfg.dataDir; - PrivateTmp = true; RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SupplementaryGroups = [ + "dialout" + ]; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + UMask = "0077"; }; preStart = '' cp --no-preserve=mode ${configFile} "${cfg.dataDir}/configuration.yaml" @@ -90,7 +137,6 @@ in home = cfg.dataDir; createHome = true; group = "zigbee2mqtt"; - extraGroups = [ "dialout" ]; uid = config.ids.uids.zigbee2mqtt; }; diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index 86e306ab404a9..4ebde6f9b107b 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -42,6 +42,9 @@ let AUTH_ANONYMOUS_ENABLED = boolToString cfg.auth.anonymous.enable; AUTH_ANONYMOUS_ORG_NAME = cfg.auth.anonymous.org_name; AUTH_ANONYMOUS_ORG_ROLE = cfg.auth.anonymous.org_role; + AUTH_GOOGLE_ENABLED = boolToString cfg.auth.google.enable; + AUTH_GOOGLE_ALLOW_SIGN_UP = boolToString cfg.auth.google.allowSignUp; + AUTH_GOOGLE_CLIENT_ID = cfg.auth.google.clientId; ANALYTICS_REPORTING_ENABLED = boolToString cfg.analytics.reporting.enable; @@ -528,23 +531,46 @@ in { }; }; - auth.anonymous = { - enable = mkOption { - description = "Whether to allow anonymous access."; - default = false; - type = types.bool; - }; - org_name = mkOption { - description = "Which organization to allow anonymous access to."; - default = "Main Org."; - type = types.str; + auth = { + anonymous = { + enable = mkOption { + description = "Whether to allow anonymous access."; + default = false; + type = types.bool; + }; + org_name = mkOption { + description = "Which organization to allow anonymous access to."; + default = "Main Org."; + type = types.str; + }; + org_role = mkOption { + description = "Which role anonymous users have in the organization."; + default = "Viewer"; + type = types.str; + }; }; - org_role = mkOption { - description = "Which role anonymous users have in the organization."; - default = "Viewer"; - type = types.str; + google = { + enable = mkOption { + description = "Whether to allow Google OAuth2."; + default = false; + type = types.bool; + }; + allowSignUp = mkOption { + description = "Whether to allow sign up with Google OAuth2."; + default = false; + type = types.bool; + }; + clientId = mkOption { + description = "Google OAuth2 client ID."; + default = ""; + type = types.str; + }; + clientSecretFile = mkOption { + description = "Google OAuth2 client secret."; + default = null; + type = types.nullOr types.path; + }; }; - }; analytics.reporting = { @@ -609,6 +635,9 @@ in { QT_QPA_PLATFORM = "offscreen"; } // mapAttrs' (n: v: nameValuePair "GF_${n}" (toString v)) envOptions; script = '' + ${optionalString (cfg.auth.google.clientSecretFile != null) '' + export GF_AUTH_GOOGLE_CLIENT_SECRET="$(cat ${escapeShellArg cfg.auth.google.clientSecretFile})" + ''} ${optionalString (cfg.database.passwordFile != null) '' export GF_DATABASE_PASSWORD="$(cat ${escapeShellArg cfg.database.passwordFile})" ''} diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix index 007024c04ce5a..561ce3eec6255 100644 --- a/nixos/modules/services/monitoring/netdata.nix +++ b/nixos/modules/services/monitoring/netdata.nix @@ -8,6 +8,7 @@ let wrappedPlugins = pkgs.runCommand "wrapped-plugins" { preferLocalBuild = true; } '' mkdir -p $out/libexec/netdata/plugins.d ln -s /run/wrappers/bin/apps.plugin $out/libexec/netdata/plugins.d/apps.plugin + ln -s /run/wrappers/bin/cgroup-network $out/libexec/netdata/plugins.d/cgroup-network ln -s /run/wrappers/bin/freeipmi.plugin $out/libexec/netdata/plugins.d/freeipmi.plugin ln -s /run/wrappers/bin/perf.plugin $out/libexec/netdata/plugins.d/perf.plugin ln -s /run/wrappers/bin/slabinfo.plugin $out/libexec/netdata/plugins.d/slabinfo.plugin @@ -26,6 +27,10 @@ let "web files owner" = "root"; "web files group" = "root"; }; + "plugin:cgroups" = { + "script to get cgroup network interfaces" = "${wrappedPlugins}/libexec/netdata/plugins.d/cgroup-network"; + "use unified cgroups" = "yes"; + }; }; mkConfig = generators.toINI {} (recursiveUpdate localConfig cfg.config); configFile = pkgs.writeText "netdata.conf" (if cfg.configText != null then cfg.configText else mkConfig); @@ -149,8 +154,9 @@ in { description = "Real time performance monitoring"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - path = (with pkgs; [ curl gawk which ]) ++ lib.optional cfg.python.enable - (pkgs.python3.withPackages cfg.python.extraPackages); + path = (with pkgs; [ curl gawk iproute2 which ]) + ++ lib.optional cfg.python.enable (pkgs.python3.withPackages cfg.python.extraPackages) + ++ lib.optional config.virtualisation.libvirtd.enable (config.virtualisation.libvirtd.package); environment = { PYTHONPATH = "${cfg.package}/libexec/netdata/python.d/python_modules"; } // lib.optionalAttrs (!cfg.enableAnalyticsReporting) { @@ -191,6 +197,8 @@ in { "CAP_SYS_PTRACE" # is required for apps plugin "CAP_SYS_RESOURCE" # is required for ebpf plugin "CAP_NET_RAW" # is required for fping app + "CAP_SYS_CHROOT" # is required for cgroups plugin + "CAP_SETUID" # is required for cgroups and cgroups-network plugins ]; # Sandboxing ProtectSystem = "full"; @@ -208,7 +216,15 @@ in { capabilities = "cap_dac_read_search,cap_sys_ptrace+ep"; owner = cfg.user; group = cfg.group; - permissions = "u+rx,g+rx,o-rwx"; + permissions = "u+rx,g+x,o-rwx"; + }; + + security.wrappers."cgroup-network" = { + source = "${cfg.package}/libexec/netdata/plugins.d/cgroup-network.org"; + capabilities = "cap_setuid+ep"; + owner = cfg.user; + group = cfg.group; + permissions = "u+rx,g+x,o-rwx"; }; security.wrappers."freeipmi.plugin" = { @@ -216,7 +232,7 @@ in { capabilities = "cap_dac_override,cap_fowner+ep"; owner = cfg.user; group = cfg.group; - permissions = "u+rx,g+rx,o-rwx"; + permissions = "u+rx,g+x,o-rwx"; }; security.wrappers."perf.plugin" = { @@ -224,7 +240,7 @@ in { capabilities = "cap_sys_admin+ep"; owner = cfg.user; group = cfg.group; - permissions = "u+rx,g+rx,o-rx"; + permissions = "u+rx,g+x,o-rwx"; }; security.wrappers."slabinfo.plugin" = { @@ -232,7 +248,7 @@ in { capabilities = "cap_dac_override+ep"; owner = cfg.user; group = cfg.group; - permissions = "u+rx,g+rx,o-rx"; + permissions = "u+rx,g+x,o-rwx"; }; security.pam.loginLimits = [ diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index bd74e1a9cdb54..e08f23d8eb04d 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -112,7 +112,7 @@ let http://tools.ietf.org/html/rfc4366#section-3.1 ''; }; - name = mkOpt types.string '' + name = mkOpt types.str '' Name of the remote read config, which if specified must be unique among remote read configs. The name will be used in metrics and logging in place of a generated value to help users distinguish between remote read configs. @@ -174,7 +174,7 @@ let write_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' List of remote write relabel configurations. ''; - name = mkOpt types.string '' + name = mkOpt types.str '' Name of the remote write config, which if specified must be unique among remote write configs. The name will be used in metrics and logging in place of a generated value to help users distinguish between remote write configs. @@ -386,6 +386,10 @@ let List of relabel configurations. ''; + metric_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' + List of metric relabel configurations. + ''; + sample_limit = mkDefOpt types.int "0" '' Per-scrape limit on number of scraped samples that will be accepted. If more than this number of samples are present after metric relabelling diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index ce7c215fd1491..9fcfe7b52e08a 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -34,6 +34,7 @@ let "fritzbox" "json" "jitsi" + "kea" "keylight" "knot" "lnd" @@ -47,6 +48,7 @@ let "node" "openldap" "openvpn" + "pihole" "postfix" "postgres" "py-air-control" diff --git a/nixos/modules/services/monitoring/prometheus/exporters/bind.nix b/nixos/modules/services/monitoring/prometheus/exporters/bind.nix index 972632b5a24a4..16c2920751d95 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/bind.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/bind.nix @@ -41,12 +41,12 @@ in serviceConfig = { ExecStart = '' ${pkgs.prometheus-bind-exporter}/bin/bind_exporter \ - -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ - -bind.pid-file /var/run/named/named.pid \ - -bind.timeout ${toString cfg.bindTimeout} \ - -bind.stats-url ${cfg.bindURI} \ - -bind.stats-version ${cfg.bindVersion} \ - -bind.stats-groups ${concatStringsSep "," cfg.bindGroups} \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + --bind.pid-file /var/run/named/named.pid \ + --bind.timeout ${toString cfg.bindTimeout} \ + --bind.stats-url ${cfg.bindURI} \ + --bind.stats-version ${cfg.bindVersion} \ + --bind.stats-groups ${concatStringsSep "," cfg.bindGroups} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; }; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix index a3b2b92bc3479..a7f4d3e096fea 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix @@ -41,11 +41,11 @@ in }; logFormat = mkOption { - type = types.str; - default = "logger:stderr"; - example = "logger:syslog?appname=bob&local=7 or logger:stdout?json=true"; + type = types.enum [ "logfmt" "json" ]; + default = "logfmt"; + example = "json"; description = '' - Set the log target and format. + Set the log format. ''; }; @@ -59,16 +59,16 @@ in }; serviceOpts = let collectSettingsArgs = if (cfg.collectdBinary.enable) then '' - -collectd.listen-address ${cfg.collectdBinary.listenAddress}:${toString cfg.collectdBinary.port} \ - -collectd.security-level ${cfg.collectdBinary.securityLevel} \ + --collectd.listen-address ${cfg.collectdBinary.listenAddress}:${toString cfg.collectdBinary.port} \ + --collectd.security-level ${cfg.collectdBinary.securityLevel} \ '' else ""; in { serviceConfig = { ExecStart = '' ${pkgs.prometheus-collectd-exporter}/bin/collectd_exporter \ - -log.format ${escapeShellArg cfg.logFormat} \ - -log.level ${cfg.logLevel} \ - -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + --log.format ${escapeShellArg cfg.logFormat} \ + --log.level ${cfg.logLevel} \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ ${collectSettingsArgs} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix new file mode 100644 index 0000000000000..b6cd89c3866b7 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @@ -0,0 +1,38 @@ +{ config +, lib +, pkgs +, options +}: + +with lib; + +let + cfg = config.services.prometheus.exporters.kea; +in { + port = 9547; + extraOpts = { + controlSocketPaths = mkOption { + type = types.listOf types.str; + example = literalExample '' + [ + "/run/kea/kea-dhcp4.socket" + "/run/kea/kea-dhcp6.socket" + ] + ''; + description = '' + Paths to kea control sockets + ''; + }; + }; + serviceOpts = { + serviceConfig = { + ExecStart = '' + ${pkgs.prometheus-kea-exporter}/bin/kea-exporter \ + --address ${cfg.listenAddress} \ + --port ${toString cfg.port} \ + ${concatStringsSep " \\n" cfg.controlSocketPaths} + ''; + SupplementaryGroups = [ "kea" ]; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/pihole.nix b/nixos/modules/services/monitoring/prometheus/exporters/pihole.nix new file mode 100644 index 0000000000000..21c2e5eab4ca1 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/pihole.nix @@ -0,0 +1,74 @@ +{ config, lib, pkgs, options }: + +with lib; + +let + cfg = config.services.prometheus.exporters.pihole; +in +{ + port = 9617; + extraOpts = { + apiToken = mkOption { + type = types.str; + default = ""; + example = "580a770cb40511eb85290242ac130003580a770cb40511eb85290242ac130003"; + description = '' + pi-hole API token which can be used instead of a password + ''; + }; + interval = mkOption { + type = types.str; + default = "10s"; + example = "30s"; + description = '' + How often to scrape new data + ''; + }; + password = mkOption { + type = types.str; + default = ""; + example = "password"; + description = '' + The password to login into pihole. An api token can be used instead. + ''; + }; + piholeHostname = mkOption { + type = types.str; + default = "pihole"; + example = "127.0.0.1"; + description = '' + Hostname or address where to find the pihole webinterface + ''; + }; + piholePort = mkOption { + type = types.port; + default = "80"; + example = "443"; + description = '' + The port pihole webinterface is reachable on + ''; + }; + protocol = mkOption { + type = types.enum [ "http" "https" ]; + default = "http"; + example = "https"; + description = '' + The protocol which is used to connect to pihole + ''; + }; + }; + serviceOpts = { + serviceConfig = { + ExecStart = '' + ${pkgs.bash}/bin/bash -c "${pkgs.prometheus-pihole-exporter}/bin/pihole-exporter \ + -interval ${cfg.interval} \ + ${optionalString (cfg.apiToken != "") "-pihole_api_token ${cfg.apiToken}"} \ + -pihole_hostname ${cfg.piholeHostname} \ + ${optionalString (cfg.password != "") "-pihole_password ${cfg.password}"} \ + -pihole_port ${toString cfg.piholePort} \ + -pihole_protocol ${cfg.protocol} \ + -port ${toString cfg.port}" + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/rspamd.nix b/nixos/modules/services/monitoring/prometheus/exporters/rspamd.nix index 78fe120e4d932..d95e5ed9e83c1 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/rspamd.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/rspamd.nix @@ -13,7 +13,7 @@ let generateConfig = extraLabels: { metrics = (map (path: { name = "rspamd_${replaceStrings [ "." " " ] [ "_" "_" ] path}"; - path = "$.${path}"; + path = "{ .${path} }"; labels = extraLabels; }) [ "actions.'add header'" diff --git a/nixos/modules/services/monitoring/prometheus/xmpp-alerts.nix b/nixos/modules/services/monitoring/prometheus/xmpp-alerts.nix index 44b15cb2034c2..980c93c9c4788 100644 --- a/nixos/modules/services/monitoring/prometheus/xmpp-alerts.nix +++ b/nixos/modules/services/monitoring/prometheus/xmpp-alerts.nix @@ -4,21 +4,29 @@ with lib; let cfg = config.services.prometheus.xmpp-alerts; - - configFile = pkgs.writeText "prometheus-xmpp-alerts.yml" (builtins.toJSON cfg.configuration); - + settingsFormat = pkgs.formats.yaml {}; + configFile = settingsFormat.generate "prometheus-xmpp-alerts.yml" cfg.settings; in - { - options.services.prometheus.xmpp-alerts = { + imports = [ + (mkRenamedOptionModule + [ "services" "prometheus" "xmpp-alerts" "configuration" ] + [ "services" "prometheus" "xmpp-alerts" "settings" ]) + ]; + options.services.prometheus.xmpp-alerts = { enable = mkEnableOption "XMPP Web hook service for Alertmanager"; - configuration = mkOption { - type = types.attrs; - description = "Configuration as attribute set which will be converted to YAML"; - }; + settings = mkOption { + type = settingsFormat.type; + default = {}; + description = '' + Configuration for prometheus xmpp-alerts, see + <link xlink:href="https://github.com/jelmer/prometheus-xmpp-alerts/blob/master/xmpp-alerts.yml.example"/> + for supported values. + ''; + }; }; config = mkIf cfg.enable { diff --git a/nixos/modules/services/network-filesystems/netatalk.nix b/nixos/modules/services/network-filesystems/netatalk.nix index 33e851210bc6f..06a36eb30c29c 100644 --- a/nixos/modules/services/network-filesystems/netatalk.nix +++ b/nixos/modules/services/network-filesystems/netatalk.nix @@ -3,43 +3,10 @@ with lib; let - cfg = config.services.netatalk; - - extmapFile = pkgs.writeText "extmap.conf" cfg.extmap; - - afpToString = x: if builtins.typeOf x == "bool" - then boolToString x - else toString x; - - volumeConfig = name: - let vol = getAttr name cfg.volumes; in - "[${name}]\n " + (toString ( - map - (key: "${key} = ${afpToString (getAttr key vol)}\n") - (attrNames vol) - )); - - afpConf = ''[Global] - extmap file = ${extmapFile} - afp port = ${toString cfg.port} - - ${cfg.extraConfig} - - ${if cfg.homes.enable then ''[Homes] - ${optionalString (cfg.homes.path != "") "path = ${cfg.homes.path}"} - basedir regex = ${cfg.homes.basedirRegex} - ${cfg.homes.extraConfig} - '' else ""} - - ${toString (map volumeConfig (attrNames cfg.volumes))} - ''; - - afpConfFile = pkgs.writeText "afp.conf" afpConf; - -in - -{ + settingsFormat = pkgs.formats.ini { }; + afpConfFile = settingsFormat.generate "afp.conf" cfg.settings; +in { options = { services.netatalk = { @@ -51,61 +18,24 @@ in description = "TCP port to be used for AFP."; }; - extraConfig = mkOption { - type = types.lines; - default = ""; - example = "uam list = uams_guest.so"; - description = '' - Lines of configuration to add to the <literal>[Global]</literal> section. - See <literal>man apf.conf</literal> for more information. - ''; - }; - - homes = { - enable = mkOption { - type = types.bool; - default = false; - description = "Enable sharing of the UNIX server user home directories."; - }; - - path = mkOption { - type = types.str; - default = ""; - example = "afp-data"; - description = "Share not the whole user home but this subdirectory path."; - }; - - basedirRegex = mkOption { - example = "/home"; - type = types.str; - description = "Regex which matches the parent directory of the user homes."; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Lines of configuration to add to the <literal>[Homes]</literal> section. - See <literal>man apf.conf</literal> for more information. - ''; - }; - }; - - volumes = mkOption { + settings = mkOption { + inherit (settingsFormat) type; default = { }; - type = types.attrsOf (types.attrsOf types.unspecified); - description = - '' - Set of AFP volumes to export. - See <literal>man apf.conf</literal> for more information. - ''; - example = literalExample '' - { srv = - { path = "/srv"; - "read only" = true; - "hosts allow" = "10.1.0.0/16 10.2.1.100 2001:0db8:1234::/48"; - }; - } + example = { + Global = { "uam list" = "uams_guest.so"; }; + Homes = { + path = "afp-data"; + "basedir regex" = "/home"; + }; + example-volume = { + path = "/srv/volume"; + "read only" = true; + }; + }; + description = '' + Configuration for Netatalk. See + <citerefentry><refentrytitle>afp.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry>. ''; }; @@ -114,18 +44,33 @@ in default = ""; description = '' File name extension mappings. - See <literal>man extmap.conf</literal> for more information. + See <citerefentry><refentrytitle>extmap.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry>. for more information. ''; }; }; }; + imports = (map (option: + mkRemovedOptionModule [ "services" "netatalk" option ] + "This option was removed in favor of `services.netatalk.settings`.") [ + "extraConfig" + "homes" + "volumes" + ]); + config = mkIf cfg.enable { + services.netatalk.settings.Global = { + "afp port" = toString cfg.port; + "extmap file" = "${pkgs.writeText "extmap.conf" cfg.extmap}"; + }; + systemd.services.netatalk = { description = "Netatalk AFP fileserver for Macintosh clients"; - unitConfig.Documentation = "man:afp.conf(5) man:netatalk(8) man:afpd(8) man:cnid_metad(8) man:cnid_dbd(8)"; + unitConfig.Documentation = + "man:afp.conf(5) man:netatalk(8) man:afpd(8) man:cnid_metad(8) man:cnid_dbd(8)"; after = [ "network.target" "avahi-daemon.service" ]; wantedBy = [ "multi-user.target" ]; @@ -135,12 +80,12 @@ in Type = "forking"; GuessMainPID = "no"; PIDFile = "/run/lock/netatalk"; - ExecStartPre = "${pkgs.coreutils}/bin/mkdir -m 0755 -p /var/lib/netatalk/CNID"; - ExecStart = "${pkgs.netatalk}/sbin/netatalk -F ${afpConfFile}"; + ExecStart = "${pkgs.netatalk}/sbin/netatalk -F ${afpConfFile}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - ExecStop = "${pkgs.coreutils}/bin/kill -TERM $MAINPID"; + ExecStop = "${pkgs.coreutils}/bin/kill -TERM $MAINPID"; Restart = "always"; RestartSec = 1; + StateDirectory = [ "netatalk/CNID" ]; }; }; diff --git a/nixos/modules/services/network-filesystems/samba-wsdd.nix b/nixos/modules/services/network-filesystems/samba-wsdd.nix index c68039c79e2b7..800ef448d3769 100644 --- a/nixos/modules/services/network-filesystems/samba-wsdd.nix +++ b/nixos/modules/services/network-filesystems/samba-wsdd.nix @@ -117,7 +117,7 @@ in { PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; - SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap"; + SystemCallFilter = "~@cpu-emulation @debug @mount @obsolete @privileged @resources"; }; }; }; diff --git a/nixos/modules/services/networking/adguardhome.nix b/nixos/modules/services/networking/adguardhome.nix new file mode 100644 index 0000000000000..4388ef2b7e576 --- /dev/null +++ b/nixos/modules/services/networking/adguardhome.nix @@ -0,0 +1,78 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.adguardhome; + + args = concatStringsSep " " ([ + "--no-check-update" + "--pidfile /run/AdGuardHome/AdGuardHome.pid" + "--work-dir /var/lib/AdGuardHome/" + "--config /var/lib/AdGuardHome/AdGuardHome.yaml" + "--host ${cfg.host}" + "--port ${toString cfg.port}" + ] ++ cfg.extraArgs); + +in +{ + options.services.adguardhome = with types; { + enable = mkEnableOption "AdGuard Home network-wide ad blocker"; + + host = mkOption { + default = "0.0.0.0"; + type = str; + description = '' + Host address to bind HTTP server to. + ''; + }; + + port = mkOption { + default = 3000; + type = port; + description = '' + Port to serve HTTP pages on. + ''; + }; + + openFirewall = mkOption { + default = false; + type = bool; + description = '' + Open ports in the firewall for the AdGuard Home web interface. Does not + open the port needed to access the DNS resolver. + ''; + }; + + extraArgs = mkOption { + default = [ ]; + type = listOf str; + description = '' + Extra command line parameters to be passed to the adguardhome binary. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.adguardhome = { + description = "AdGuard Home: Network-level blocker"; + after = [ "syslog.target" "network.target" ]; + wantedBy = [ "multi-user.target" ]; + unitConfig = { + StartLimitIntervalSec = 5; + StartLimitBurst = 10; + }; + serviceConfig = { + DynamicUser = true; + ExecStart = "${pkgs.adguardhome}/bin/adguardhome ${args}"; + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + Restart = "always"; + RestartSec = 10; + RuntimeDirectory = "AdGuardHome"; + StateDirectory = "AdGuardHome"; + }; + }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + }; +} diff --git a/nixos/modules/services/networking/babeld.nix b/nixos/modules/services/networking/babeld.nix index 97dca002a007e..5e14283179ac3 100644 --- a/nixos/modules/services/networking/babeld.nix +++ b/nixos/modules/services/networking/babeld.nix @@ -32,6 +32,8 @@ in { + meta.maintainers = with maintainers; [ hexa ]; + ###### interface options = { diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix index e507e8ce9eebc..20eef2c3455b6 100644 --- a/nixos/modules/services/networking/bind.nix +++ b/nixos/modules/services/networking/bind.nix @@ -8,32 +8,37 @@ let bindUser = "named"; - bindZoneOptions = { - name = mkOption { - type = types.str; - description = "Name of the zone."; - }; - master = mkOption { - description = "Master=false means slave server"; - type = types.bool; - }; - file = mkOption { - type = types.either types.str types.path; - description = "Zone file resource records contain columns of data, separated by whitespace, that define the record."; - }; - masters = mkOption { - type = types.listOf types.str; - description = "List of servers for inclusion in stub and secondary zones."; - }; - slaves = mkOption { - type = types.listOf types.str; - description = "Addresses who may request zone transfers."; - default = []; - }; - extraConfig = mkOption { - type = types.str; - description = "Extra zone config to be appended at the end of the zone section."; - default = ""; + bindZoneCoerce = list: builtins.listToAttrs (lib.forEach list (zone: { name = zone.name; value = zone; })); + + bindZoneOptions = { name, config, ... }: { + options = { + name = mkOption { + type = types.str; + default = name; + description = "Name of the zone."; + }; + master = mkOption { + description = "Master=false means slave server"; + type = types.bool; + }; + file = mkOption { + type = types.either types.str types.path; + description = "Zone file resource records contain columns of data, separated by whitespace, that define the record."; + }; + masters = mkOption { + type = types.listOf types.str; + description = "List of servers for inclusion in stub and secondary zones."; + }; + slaves = mkOption { + type = types.listOf types.str; + description = "Addresses who may request zone transfers."; + default = [ ]; + }; + extraConfig = mkOption { + type = types.str; + description = "Extra zone config to be appended at the end of the zone section."; + default = ""; + }; }; }; @@ -84,7 +89,7 @@ let ${extraConfig} }; '') - cfg.zones } + (attrValues cfg.zones) } ''; in @@ -100,7 +105,7 @@ in enable = mkEnableOption "BIND domain name server"; cacheNetworks = mkOption { - default = ["127.0.0.0/24"]; + default = [ "127.0.0.0/24" ]; type = types.listOf types.str; description = " What networks are allowed to use us as a resolver. Note @@ -112,7 +117,7 @@ in }; blockedNetworks = mkOption { - default = []; + default = [ ]; type = types.listOf types.str; description = " What networks are just blocked. @@ -136,7 +141,7 @@ in }; listenOn = mkOption { - default = ["any"]; + default = [ "any" ]; type = types.listOf types.str; description = " Interfaces to listen on. @@ -144,7 +149,7 @@ in }; listenOnIpv6 = mkOption { - default = ["any"]; + default = [ "any" ]; type = types.listOf types.str; description = " Ipv6 interfaces to listen on. @@ -152,19 +157,20 @@ in }; zones = mkOption { - default = []; - type = types.listOf (types.submodule [ { options = bindZoneOptions; } ]); + default = [ ]; + type = with types; coercedTo (listOf attrs) bindZoneCoerce (attrsOf (types.submodule bindZoneOptions)); description = " List of zones we claim authority over. "; - example = [{ - name = "example.com"; - master = false; - file = "/var/dns/example.com"; - masters = ["192.168.0.1"]; - slaves = []; - extraConfig = ""; - }]; + example = { + "example.com" = { + master = false; + file = "/var/dns/example.com"; + masters = [ "192.168.0.1" ]; + slaves = [ ]; + extraConfig = ""; + }; + }; }; extraConfig = mkOption { @@ -206,7 +212,8 @@ in networking.resolvconf.useLocalResolver = mkDefault true; users.users.${bindUser} = - { uid = config.ids.uids.bind; + { + uid = config.ids.uids.bind; description = "BIND daemon user"; }; @@ -226,9 +233,9 @@ in ''; serviceConfig = { - ExecStart = "${pkgs.bind.out}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; + ExecStart = "${pkgs.bind.out}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; ExecReload = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' reload"; - ExecStop = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' stop"; + ExecStop = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' stop"; }; unitConfig.Documentation = "man:named(8)"; diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix index e9a0e5af1a473..f1a504b3e3f42 100644 --- a/nixos/modules/services/networking/cjdns.nix +++ b/nixos/modules/services/networking/cjdns.nix @@ -12,8 +12,18 @@ let { ... }: { options = { password = mkOption { - type = types.str; - description = "Authorized password to the opposite end of the tunnel."; + type = types.str; + description = "Authorized password to the opposite end of the tunnel."; + }; + login = mkOption { + default = ""; + type = types.str; + description = "(optional) name your peer has for you"; + }; + peerName = mkOption { + default = ""; + type = types.str; + description = "(optional) human-readable name for peer"; }; publicKey = mkOption { type = types.str; diff --git a/nixos/modules/services/networking/croc.nix b/nixos/modules/services/networking/croc.nix index b218fab2196d0..9466adf71d8c2 100644 --- a/nixos/modules/services/networking/croc.nix +++ b/nixos/modules/services/networking/croc.nix @@ -72,9 +72,7 @@ in RuntimeDirectoryMode = "700"; SystemCallFilter = [ "@system-service" - "~@aio" "~@chown" "~@keyring" "~@memlock" - "~@privileged" "~@resources" "~@setuid" - "~@sync" "~@timer" + "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@resources" "~@setuid" "~@sync" "~@timer" ]; SystemCallArchitectures = "native"; SystemCallErrorNumber = "EPERM"; diff --git a/nixos/modules/services/networking/ghostunnel.nix b/nixos/modules/services/networking/ghostunnel.nix new file mode 100644 index 0000000000000..58a51df6cca2a --- /dev/null +++ b/nixos/modules/services/networking/ghostunnel.nix @@ -0,0 +1,242 @@ +{ config, lib, pkgs, ... }: +let + inherit (lib) + attrValues + concatMap + concatStringsSep + escapeShellArg + literalExample + mapAttrs' + mkDefault + mkEnableOption + mkIf + mkOption + nameValuePair + optional + types + ; + + mainCfg = config.services.ghostunnel; + + module = { config, name, ... }: + { + options = { + + listen = mkOption { + description = '' + Address and port to listen on (can be HOST:PORT, unix:PATH). + ''; + type = types.str; + }; + + target = mkOption { + description = '' + Address to forward connections to (can be HOST:PORT or unix:PATH). + ''; + type = types.str; + }; + + keystore = mkOption { + description = '' + Path to keystore (combined PEM with cert/key, or PKCS12 keystore). + + NB: storepass is not supported because it would expose credentials via <code>/proc/*/cmdline</code>. + + Specify this or <code>cert</code> and <code>key</code>. + ''; + type = types.nullOr types.str; + default = null; + }; + + cert = mkOption { + description = '' + Path to certificate (PEM with certificate chain). + + Not required if <code>keystore</code> is set. + ''; + type = types.nullOr types.str; + default = null; + }; + + key = mkOption { + description = '' + Path to certificate private key (PEM with private key). + + Not required if <code>keystore</code> is set. + ''; + type = types.nullOr types.str; + default = null; + }; + + cacert = mkOption { + description = '' + Path to CA bundle file (PEM/X509). Uses system trust store if <code>null</code>. + ''; + type = types.nullOr types.str; + }; + + disableAuthentication = mkOption { + description = '' + Disable client authentication, no client certificate will be required. + ''; + type = types.bool; + default = false; + }; + + allowAll = mkOption { + description = '' + If true, allow all clients, do not check client cert subject. + ''; + type = types.bool; + default = false; + }; + + allowCN = mkOption { + description = '' + Allow client if common name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + allowOU = mkOption { + description = '' + Allow client if organizational unit name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + allowDNS = mkOption { + description = '' + Allow client if DNS subject alternative name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + allowURI = mkOption { + description = '' + Allow client if URI subject alternative name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + extraArguments = mkOption { + description = "Extra arguments to pass to <code>ghostunnel server</code>"; + type = types.separatedString " "; + default = ""; + }; + + unsafeTarget = mkOption { + description = '' + If set, does not limit target to localhost, 127.0.0.1, [::1], or UNIX sockets. + + This is meant to protect against accidental unencrypted traffic on + untrusted networks. + ''; + type = types.bool; + default = false; + }; + + # Definitions to apply at the root of the NixOS configuration. + atRoot = mkOption { + internal = true; + }; + }; + + # Clients should not be authenticated with the public root certificates + # (afaict, it doesn't make sense), so we only provide that default when + # client cert auth is disabled. + config.cacert = mkIf config.disableAuthentication (mkDefault null); + + config.atRoot = { + assertions = [ + { message = '' + services.ghostunnel.servers.${name}: At least one access control flag is required. + Set at least one of: + - services.ghostunnel.servers.${name}.disableAuthentication + - services.ghostunnel.servers.${name}.allowAll + - services.ghostunnel.servers.${name}.allowCN + - services.ghostunnel.servers.${name}.allowOU + - services.ghostunnel.servers.${name}.allowDNS + - services.ghostunnel.servers.${name}.allowURI + ''; + assertion = config.disableAuthentication + || config.allowAll + || config.allowCN != [] + || config.allowOU != [] + || config.allowDNS != [] + || config.allowURI != [] + ; + } + ]; + + systemd.services."ghostunnel-server-${name}" = { + after = [ "network.target" ]; + wants = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Restart = "always"; + AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]; + DynamicUser = true; + LoadCredential = optional (config.keystore != null) "keystore:${config.keystore}" + ++ optional (config.cert != null) "cert:${config.cert}" + ++ optional (config.key != null) "key:${config.key}" + ++ optional (config.cacert != null) "cacert:${config.cacert}"; + }; + script = concatStringsSep " " ( + [ "${mainCfg.package}/bin/ghostunnel" ] + ++ optional (config.keystore != null) "--keystore=$CREDENTIALS_DIRECTORY/keystore" + ++ optional (config.cert != null) "--cert=$CREDENTIALS_DIRECTORY/cert" + ++ optional (config.key != null) "--key=$CREDENTIALS_DIRECTORY/key" + ++ optional (config.cacert != null) "--cacert=$CREDENTIALS_DIRECTORY/cacert" + ++ [ + "server" + "--listen ${config.listen}" + "--target ${config.target}" + ] ++ optional config.allowAll "--allow-all" + ++ map (v: "--allow-cn=${escapeShellArg v}") config.allowCN + ++ map (v: "--allow-ou=${escapeShellArg v}") config.allowOU + ++ map (v: "--allow-dns=${escapeShellArg v}") config.allowDNS + ++ map (v: "--allow-uri=${escapeShellArg v}") config.allowURI + ++ optional config.disableAuthentication "--disable-authentication" + ++ optional config.unsafeTarget "--unsafe-target" + ++ [ config.extraArguments ] + ); + }; + }; + }; + +in +{ + + options = { + services.ghostunnel.enable = mkEnableOption "ghostunnel"; + + services.ghostunnel.package = mkOption { + description = "The ghostunnel package to use."; + type = types.package; + default = pkgs.ghostunnel; + defaultText = literalExample ''pkgs.ghostunnel''; + }; + + services.ghostunnel.servers = mkOption { + description = '' + Server mode ghostunnels (TLS listener -> plain TCP/UNIX target) + ''; + type = types.attrsOf (types.submodule module); + default = {}; + }; + }; + + config = mkIf mainCfg.enable { + assertions = lib.mkMerge (map (v: v.atRoot.assertions) (attrValues mainCfg.servers)); + systemd = lib.mkMerge (map (v: v.atRoot.systemd) (attrValues mainCfg.servers)); + }; + + meta.maintainers = with lib.maintainers; [ + roberth + ]; +} diff --git a/nixos/modules/services/networking/hans.nix b/nixos/modules/services/networking/hans.nix index 8334dc68d623f..84147db00f619 100644 --- a/nixos/modules/services/networking/hans.nix +++ b/nixos/modules/services/networking/hans.nix @@ -141,5 +141,5 @@ in }; }; - meta.maintainers = with maintainers; [ gnidorah ]; + meta.maintainers = with maintainers; [ ]; } diff --git a/nixos/modules/services/networking/hylafax/faxq-wait.sh b/nixos/modules/services/networking/hylafax/faxq-wait.sh index 8c39e9d20c182..1826aa30e6275 100755 --- a/nixos/modules/services/networking/hylafax/faxq-wait.sh +++ b/nixos/modules/services/networking/hylafax/faxq-wait.sh @@ -1,4 +1,4 @@ -#! @shell@ -e +#! @runtimeShell@ -e # skip this if there are no modems at all if ! stat -t "@spoolAreaPath@"/etc/config.* >/dev/null 2>&1 diff --git a/nixos/modules/services/networking/hylafax/options.nix b/nixos/modules/services/networking/hylafax/options.nix index 7f18c0d39ab4d..74960e69b9ac2 100644 --- a/nixos/modules/services/networking/hylafax/options.nix +++ b/nixos/modules/services/networking/hylafax/options.nix @@ -3,7 +3,7 @@ let inherit (lib.options) literalExample mkEnableOption mkOption; - inherit (lib.types) bool enum int lines attrsOf nullOr path str submodule; + inherit (lib.types) bool enum ints lines attrsOf nullOr path str submodule; inherit (lib.modules) mkDefault mkIf mkMerge; commonDescr = '' @@ -18,7 +18,6 @@ let ''; str1 = lib.types.addCheck str (s: s!=""); # non-empty string - int1 = lib.types.addCheck int (i: i>0); # positive integer configAttrType = # Options in HylaFAX configuration files can be @@ -27,7 +26,7 @@ let # This type definition resolves all # those types into a list of strings. let - inherit (lib.types) attrsOf coercedTo listOf; + inherit (lib.types) attrsOf coercedTo int listOf; innerType = coercedTo bool (x: if x then "Yes" else "No") (coercedTo int (toString) str); in @@ -290,7 +289,7 @@ in ''; }; faxcron.infoDays = mkOption { - type = int1; + type = ints.positive; default = 30; description = '' Set the expiration time for data in the @@ -298,7 +297,7 @@ in ''; }; faxcron.logDays = mkOption { - type = int1; + type = ints.positive; default = 30; description = '' Set the expiration time for @@ -306,7 +305,7 @@ in ''; }; faxcron.rcvDays = mkOption { - type = int1; + type = ints.positive; default = 7; description = '' Set the expiration time for files in @@ -343,7 +342,7 @@ in ''; }; faxqclean.doneqMinutes = mkOption { - type = int1; + type = ints.positive; default = 15; example = literalExample "24*60"; description = '' @@ -353,7 +352,7 @@ in ''; }; faxqclean.docqMinutes = mkOption { - type = int1; + type = ints.positive; default = 60; example = literalExample "24*60"; description = '' diff --git a/nixos/modules/services/networking/hylafax/spool.sh b/nixos/modules/services/networking/hylafax/spool.sh index 31e930e8c5976..8b723df77df9a 100755 --- a/nixos/modules/services/networking/hylafax/spool.sh +++ b/nixos/modules/services/networking/hylafax/spool.sh @@ -1,4 +1,4 @@ -#! @shell@ -e +#! @runtimeShell@ -e # The following lines create/update the HylaFAX spool directory: # Subdirectories/files with persistent data are kept, @@ -80,7 +80,7 @@ touch clientlog faxcron.lastrun xferfaxlog chown @faxuser@:@faxgroup@ clientlog faxcron.lastrun xferfaxlog # create symlinks for frozen directories/files -lnsym --target-directory=. "@hylafax@"/spool/{COPYRIGHT,bin,config} +lnsym --target-directory=. "@hylafaxplus@"/spool/{COPYRIGHT,bin,config} # create empty temporary directories update --mode=0700 -d client dev status @@ -93,7 +93,7 @@ install -d "@spoolAreaPath@/etc" cd "@spoolAreaPath@/etc" # create symlinks to all files in template's etc -lnsym --target-directory=. "@hylafax@/spool/etc"/* +lnsym --target-directory=. "@hylafaxplus@/spool/etc"/* # set LOCKDIR in setup.cache sed --regexp-extended 's|^(UUCP_LOCKDIR=).*$|\1'"'@lockPath@'|g" --in-place setup.cache diff --git a/nixos/modules/services/networking/hylafax/systemd.nix b/nixos/modules/services/networking/hylafax/systemd.nix index f63f7c97ad1ca..4506bbbc5eb73 100644 --- a/nixos/modules/services/networking/hylafax/systemd.nix +++ b/nixos/modules/services/networking/hylafax/systemd.nix @@ -13,11 +13,10 @@ let # creates hylafax config file, # makes sure "Include" is listed *first* let - mkLines = conf: - (lib.concatLists - (lib.flip lib.mapAttrsToList conf - (k: map (v: "${k}: ${v}") - ))); + mkLines = lib.flip lib.pipe [ + (lib.mapAttrsToList (key: map (val: "${key}: ${val}"))) + lib.concatLists + ]; include = mkLines { Include = conf.Include or []; }; other = mkLines ( conf // { Include = []; } ); in @@ -48,13 +47,12 @@ let name = "hylafax-setup-spool.sh"; src = ./spool.sh; isExecutable = true; - inherit (pkgs.stdenv) shell; - hylafax = pkgs.hylafaxplus; faxuser = "uucp"; faxgroup = "uucp"; lockPath = "/var/lock"; inherit globalConfigPath modemConfigPath; inherit (cfg) sendmailPath spoolAreaPath userAccessFile; + inherit (pkgs) hylafaxplus runtimeShell; }; waitFaxqScript = pkgs.substituteAll { @@ -64,8 +62,8 @@ let src = ./faxq-wait.sh; isExecutable = true; timeoutSec = toString 10; - inherit (pkgs.stdenv) shell; inherit (cfg) spoolAreaPath; + inherit (pkgs) runtimeShell; }; sockets.hylafax-hfaxd = { @@ -108,8 +106,10 @@ let PrivateDevices = true; # breaks /dev/tty... PrivateNetwork = true; PrivateTmp = true; + #ProtectClock = true; # breaks /dev/tty... (why?) ProtectControlGroups = true; #ProtectHome = true; # breaks custom spool dirs + ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; #ProtectSystem = "strict"; # breaks custom spool dirs diff --git a/nixos/modules/services/networking/libreswan.nix b/nixos/modules/services/networking/libreswan.nix index 81bc4e1cf95cc..1f0423ac3d843 100644 --- a/nixos/modules/services/networking/libreswan.nix +++ b/nixos/modules/services/networking/libreswan.nix @@ -9,21 +9,22 @@ let libexec = "${pkgs.libreswan}/libexec/ipsec"; ipsec = "${pkgs.libreswan}/sbin/ipsec"; - trim = chars: str: let - nonchars = filter (x : !(elem x.value chars)) - (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str)); - in - if length nonchars == 0 then "" - else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str; + trim = chars: str: + let + nonchars = filter (x : !(elem x.value chars)) + (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str)); + in + if length nonchars == 0 then "" + else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str; indent = str: concatStrings (concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (splitString "\n" str)); configText = indent (toString cfg.configSetup); connectionText = concatStrings (mapAttrsToList (n: v: '' conn ${n} ${indent v} - '') cfg.connections); - configFile = pkgs.writeText "ipsec.conf" + + configFile = pkgs.writeText "ipsec-nixos.conf" '' config setup ${configText} @@ -31,6 +32,11 @@ let ${connectionText} ''; + policyFiles = mapAttrs' (name: text: + { name = "ipsec.d/policies/${name}"; + value.source = pkgs.writeText "ipsec-policy-${name}" text; + }) cfg.policies; + in { @@ -41,41 +47,71 @@ in services.libreswan = { - enable = mkEnableOption "libreswan ipsec service"; + enable = mkEnableOption "Libreswan IPsec service"; configSetup = mkOption { type = types.lines; default = '' protostack=netkey - nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 ''; example = '' secretsfile=/root/ipsec.secrets protostack=netkey - nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 ''; - description = "Options to go in the 'config setup' section of the libreswan ipsec configuration"; + description = "Options to go in the 'config setup' section of the Libreswan IPsec configuration"; }; connections = mkOption { type = types.attrsOf types.lines; default = {}; - example = { - myconnection = '' - auto=add - left=%defaultroute - leftid=@user - - right=my.vpn.com - - ikev2=no - ikelifetime=8h - ''; - }; - description = "A set of connections to define for the libreswan ipsec service"; + example = literalExample '' + { myconnection = ''' + auto=add + left=%defaultroute + leftid=@user + + right=my.vpn.com + + ikev2=no + ikelifetime=8h + '''; + } + ''; + description = "A set of connections to define for the Libreswan IPsec service"; + }; + + policies = mkOption { + type = types.attrsOf types.lines; + default = {}; + example = literalExample '' + { private-or-clear = ''' + # Attempt opportunistic IPsec for the entire Internet + 0.0.0.0/0 + ::/0 + '''; + } + ''; + description = '' + A set of policies to apply to the IPsec connections. + + <note><para> + The policy name must match the one of connection it needs to apply to. + </para></note> + ''; }; + + disableRedirects = mkOption { + type = types.bool; + default = true; + description = '' + Whether to disable send and accept redirects for all nework interfaces. + See the Libreswan <link xlink:href="https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F"> + FAQ</link> page for why this is recommended. + ''; + }; + }; }; @@ -85,43 +121,38 @@ in config = mkIf cfg.enable { + # Install package, systemd units, etc. environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ]; + systemd.packages = [ pkgs.libreswan ]; + systemd.tmpfiles.packages = [ pkgs.libreswan ]; + + # Install configuration files + environment.etc = { + "ipsec.secrets".source = "${pkgs.libreswan}/etc/ipsec.secrets"; + "ipsec.conf".source = "${pkgs.libreswan}/etc/ipsec.conf"; + "ipsec.d/01-nixos.conf".source = configFile; + } // policyFiles; + + # Create NSS database directory + systemd.tmpfiles.rules = [ "d /var/lib/ipsec/nss 755 root root -" ]; systemd.services.ipsec = { description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec"; - path = [ - "${pkgs.libreswan}" - "${pkgs.iproute2}" - "${pkgs.procps}" - "${pkgs.nssTools}" - "${pkgs.iptables}" - "${pkgs.nettools}" - ]; - - wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - Type = "simple"; - Restart = "always"; - EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto"; - ExecStartPre = [ - "${libexec}/addconn --config ${configFile} --checkconfig" - "${libexec}/_stackmanager start" - "${ipsec} --checknss" - "${ipsec} --checknflog" - ]; - ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS"; - ExecStop = "${libexec}/whack --shutdown"; - ExecStopPost = [ - "${pkgs.iproute2}/bin/ip xfrm policy flush" - "${pkgs.iproute2}/bin/ip xfrm state flush" - "${ipsec} --stopnflog" - ]; - ExecReload = "${libexec}/whack --listen"; - }; - + restartTriggers = [ configFile ] ++ mapAttrsToList (n: v: v.source) policyFiles; + path = with pkgs; [ + libreswan + iproute2 + procps + nssTools + iptables + nettools + ]; + preStart = optionalString cfg.disableRedirects '' + # Disable send/receive redirects + echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects + echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects + ''; }; }; diff --git a/nixos/modules/services/networking/monero.nix b/nixos/modules/services/networking/monero.nix index fde3293fc131f..952d1d47ca672 100644 --- a/nixos/modules/services/networking/monero.nix +++ b/nixos/modules/services/networking/monero.nix @@ -4,7 +4,6 @@ with lib; let cfg = config.services.monero; - dataDir = "/var/lib/monero"; listToConf = option: list: concatMapStrings (value: "${option}=${value}\n") list; @@ -53,11 +52,19 @@ in enable = mkEnableOption "Monero node daemon"; + dataDir = mkOption { + type = types.str; + default = "/var/lib/monero"; + description = '' + The directory where Monero stores its data files. + ''; + }; + mining.enable = mkOption { type = types.bool; default = false; description = '' - Whether to mine moneroj. + Whether to mine monero. ''; }; @@ -198,15 +205,14 @@ in config = mkIf cfg.enable { users.users.monero = { - uid = config.ids.uids.monero; + isSystemUser = true; + group = "monero"; description = "Monero daemon user"; - home = dataDir; + home = cfg.dataDir; createHome = true; }; - users.groups.monero = { - gid = config.ids.gids.monero; - }; + users.groups.monero = { }; systemd.services.monero = { description = "monero daemon"; diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix index 10b49d9b2206e..8e814ffd0b9b0 100644 --- a/nixos/modules/services/networking/mosquitto.nix +++ b/nixos/modules/services/networking/mosquitto.nix @@ -20,8 +20,7 @@ let acl_file ${aclFile} persistence true allow_anonymous ${boolToString cfg.allowAnonymous} - bind_address ${cfg.host} - port ${toString cfg.port} + listener ${toString cfg.port} ${cfg.host} ${passwordConf} ${listenerConf} ${cfg.extraConf} @@ -233,15 +232,50 @@ in ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - ProtectSystem = "strict"; - ProtectHome = true; + # Hardening + CapabilityBoundingSet = ""; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; PrivateDevices = true; PrivateTmp = true; - ReadWritePaths = "${cfg.dataDir}"; + PrivateUsers = true; + ProtectClock = true; ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; - NoNewPrivileges = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "strict"; + ReadWritePaths = [ + cfg.dataDir + "/tmp" # mosquitto_passwd creates files in /tmp before moving them + ]; + ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [ + certfile + keyfile + cafile + ]; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_UNIX" # for sd_notify() call + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + UMask = "0077"; }; preStart = '' rm -f ${cfg.dataDir}/passwd diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix index f33c350a257a9..2ac0a8c7922ed 100644 --- a/nixos/modules/services/networking/nsd.nix +++ b/nixos/modules/services/networking/nsd.nix @@ -20,6 +20,15 @@ let mkZoneFileName = name: if name == "." then "root" else name; + # replaces include: directives for keys with fake keys for nsd-checkconf + injectFakeKeys = keys: concatStrings + (mapAttrsToList + (keyName: keyOptions: '' + fakeKey="$(${pkgs.bind}/bin/tsig-keygen -a ${escapeShellArgs [ keyOptions.algorithm keyName ]} | grep -oP "\s*secret \"\K.*(?=\";)")" + sed "s@^\s*include:\s*\"${stateDir}/private/${keyName}\"\$@secret: $fakeKey@" -i $out/nsd.conf + '') + keys); + nsdEnv = pkgs.buildEnv { name = "nsd-env"; @@ -34,9 +43,9 @@ let echo "|- checking zone '$out/zones/$zoneFile'" ${nsdPkg}/sbin/nsd-checkzone "$zoneFile" "$zoneFile" || { if grep -q \\\\\\$ "$zoneFile"; then - echo zone "$zoneFile" contains escaped dollar signes \\\$ - echo Escaping them is not needed any more. Please make shure \ - to unescape them where they prefix a variable name + echo zone "$zoneFile" contains escaped dollar signs \\\$ + echo Escaping them is not needed any more. Please make sure \ + to unescape them where they prefix a variable name. fi exit 1 @@ -44,7 +53,14 @@ let done echo "checking configuration file" + # Save original config file including key references... + cp $out/nsd.conf{,.orig} + # ...inject mock keys into config + ${injectFakeKeys cfg.keys} + # ...do the checkconf ${nsdPkg}/sbin/nsd-checkconf $out/nsd.conf + # ... and restore original config file. + mv $out/nsd.conf{.orig,} ''; }; diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix index 5af035fd59e05..8c632c319d3c0 100644 --- a/nixos/modules/services/networking/radicale.nix +++ b/nixos/modules/services/networking/radicale.nix @@ -3,56 +3,103 @@ with lib; let - cfg = config.services.radicale; - confFile = pkgs.writeText "radicale.conf" cfg.config; - - defaultPackage = if versionAtLeast config.system.stateVersion "20.09" then { - pkg = pkgs.radicale3; - text = "pkgs.radicale3"; - } else if versionAtLeast config.system.stateVersion "17.09" then { - pkg = pkgs.radicale2; - text = "pkgs.radicale2"; - } else { - pkg = pkgs.radicale1; - text = "pkgs.radicale1"; + format = pkgs.formats.ini { + listToValue = concatMapStringsSep ", " (generators.mkValueStringDefault { }); }; -in -{ + pkg = if isNull cfg.package then + pkgs.radicale + else + cfg.package; + + confFile = if cfg.settings == { } then + pkgs.writeText "radicale.conf" cfg.config + else + format.generate "radicale.conf" cfg.settings; + + rightsFile = format.generate "radicale.rights" cfg.rights; - options = { - services.radicale.enable = mkOption { - type = types.bool; - default = false; + bindLocalhost = cfg.settings != { } && !hasAttrByPath [ "server" "hosts" ] cfg.settings; + +in { + options.services.radicale = { + enable = mkEnableOption "Radicale CalDAV and CardDAV server"; + + package = mkOption { + description = "Radicale package to use."; + # Default cannot be pkgs.radicale because non-null values suppress + # warnings about incompatible configuration and storage formats. + type = with types; nullOr package // { inherit (package) description; }; + default = null; + defaultText = "pkgs.radicale"; + }; + + config = mkOption { + type = types.str; + default = ""; description = '' - Enable Radicale CalDAV and CardDAV server. + Radicale configuration, this will set the service + configuration file. + This option is mutually exclusive with <option>settings</option>. + This option is deprecated. Use <option>settings</option> instead. ''; }; - services.radicale.package = mkOption { - type = types.package; - default = defaultPackage.pkg; - defaultText = defaultPackage.text; + settings = mkOption { + type = format.type; + default = { }; description = '' - Radicale package to use. This defaults to version 1.x if - <literal>system.stateVersion < 17.09</literal>, version 2.x if - <literal>17.09 ≤ system.stateVersion < 20.09</literal>, and - version 3.x otherwise. + Configuration for Radicale. See + <link xlink:href="https://radicale.org/3.0.html#documentation/configuration" />. + This option is mutually exclusive with <option>config</option>. + ''; + example = literalExample '' + server = { + hosts = [ "0.0.0.0:5232" "[::]:5232" ]; + }; + auth = { + type = "htpasswd"; + htpasswd_filename = "/etc/radicale/users"; + htpasswd_encryption = "bcrypt"; + }; + storage = { + filesystem_folder = "/var/lib/radicale/collections"; + }; ''; }; - services.radicale.config = mkOption { - type = types.str; - default = ""; + rights = mkOption { + type = format.type; description = '' - Radicale configuration, this will set the service - configuration file. + Configuration for Radicale's rights file. See + <link xlink:href="https://radicale.org/3.0.html#documentation/authentication-and-rights" />. + This option only works in conjunction with <option>settings</option>. + Setting this will also set <option>settings.rights.type</option> and + <option>settings.rights.file</option> to approriate values. + ''; + default = { }; + example = literalExample '' + root = { + user = ".+"; + collection = ""; + permissions = "R"; + }; + principal = { + user = ".+"; + collection = "{user}"; + permissions = "RW"; + }; + calendars = { + user = ".+"; + collection = "{user}/[^/]+"; + permissions = "rw"; + }; ''; }; - services.radicale.extraArgs = mkOption { + extraArgs = mkOption { type = types.listOf types.str; default = []; description = "Extra arguments passed to the Radicale daemon."; @@ -60,33 +107,94 @@ in }; config = mkIf cfg.enable { - environment.systemPackages = [ cfg.package ]; + assertions = [ + { + assertion = cfg.settings == { } || cfg.config == ""; + message = '' + The options services.radicale.config and services.radicale.settings + are mutually exclusive. + ''; + } + ]; - users.users.radicale = - { uid = config.ids.uids.radicale; - description = "radicale user"; - home = "/var/lib/radicale"; - createHome = true; - }; + warnings = optional (isNull cfg.package && versionOlder config.system.stateVersion "17.09") '' + The configuration and storage formats of your existing Radicale + installation might be incompatible with the newest version. + For upgrade instructions see + https://radicale.org/2.1.html#documentation/migration-from-1xx-to-2xx. + Set services.radicale.package to suppress this warning. + '' ++ optional (isNull cfg.package && versionOlder config.system.stateVersion "20.09") '' + The configuration format of your existing Radicale installation might be + incompatible with the newest version. For upgrade instructions see + https://github.com/Kozea/Radicale/blob/3.0.6/NEWS.md#upgrade-checklist. + Set services.radicale.package to suppress this warning. + '' ++ optional (cfg.config != "") '' + The option services.radicale.config is deprecated. + Use services.radicale.settings instead. + ''; + + services.radicale.settings.rights = mkIf (cfg.rights != { }) { + type = "from_file"; + file = toString rightsFile; + }; + + environment.systemPackages = [ pkg ]; + + users.users.radicale.uid = config.ids.uids.radicale; - users.groups.radicale = - { gid = config.ids.gids.radicale; }; + users.groups.radicale.gid = config.ids.gids.radicale; systemd.services.radicale = { description = "A Simple Calendar and Contact Server"; after = [ "network.target" ]; + requires = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = concatStringsSep " " ([ - "${cfg.package}/bin/radicale" "-C" confFile + "${pkg}/bin/radicale" "-C" confFile ] ++ ( map escapeShellArg cfg.extraArgs )); User = "radicale"; Group = "radicale"; + StateDirectory = "radicale/collections"; + StateDirectoryMode = "0750"; + # Hardening + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "/dev/stdin" ]; + DevicePolicy = "strict"; + IPAddressAllow = mkIf bindLocalhost "localhost"; + IPAddressDeny = mkIf bindLocalhost "any"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadWritePaths = lib.optional + (hasAttrByPath [ "storage" "filesystem_folder" ] cfg.settings) + cfg.settings.storage.filesystem_folder; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0027"; }; }; }; - meta.maintainers = with lib.maintainers; [ aneeshusa infinisil ]; + meta.maintainers = with lib.maintainers; [ aneeshusa infinisil dotlambda ]; } diff --git a/nixos/modules/services/networking/searx.nix b/nixos/modules/services/networking/searx.nix index a515e4a3dc3ba..04f7d7e31f467 100644 --- a/nixos/modules/services/networking/searx.nix +++ b/nixos/modules/services/networking/searx.nix @@ -4,23 +4,25 @@ with lib; let runDir = "/run/searx"; + cfg = config.services.searx; + settingsFile = pkgs.writeText "settings.yml" + (builtins.toJSON cfg.settings); + generateConfig = '' cd ${runDir} # write NixOS settings as JSON - cat <<'EOF' > settings.yml - ${builtins.toJSON cfg.settings} - EOF + ( + umask 077 + cp --no-preserve=mode ${settingsFile} settings.yml + ) # substitute environment variables env -0 | while IFS='=' read -r -d ''' n v; do sed "s#@$n@#$v#g" -i settings.yml done - - # set strict permissions - chmod 400 settings.yml ''; settingType = with types; (oneOf diff --git a/nixos/modules/services/networking/solanum.nix b/nixos/modules/services/networking/solanum.nix new file mode 100644 index 0000000000000..989621b204ce6 --- /dev/null +++ b/nixos/modules/services/networking/solanum.nix @@ -0,0 +1,104 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkEnableOption mkIf mkOption types; + inherit (pkgs) solanum; + cfg = config.services.solanum; + + configFile = pkgs.writeText "solanum.conf" cfg.config; +in + +{ + + ###### interface + + options = { + + services.solanum = { + + enable = mkEnableOption "Solanum IRC daemon"; + + config = mkOption { + type = types.str; + default = '' + serverinfo { + name = "irc.example.com"; + sid = "1ix"; + description = "irc!"; + + vhost = "0.0.0.0"; + vhost6 = "::"; + }; + + listen { + host = "0.0.0.0"; + port = 6667; + }; + + auth { + user = "*@*"; + class = "users"; + flags = exceed_limit; + }; + channel { + default_split_user_count = 0; + }; + ''; + description = '' + Solanum IRC daemon configuration file. + check <link xlink:href="https://github.com/solanum-ircd/solanum/blob/main/doc/reference.conf"/> for all options. + ''; + }; + + openFilesLimit = mkOption { + type = types.int; + default = 1024; + description = '' + Maximum number of open files. Limits the clients and server connections. + ''; + }; + + motd = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Solanum MOTD text. + + Solanum will read its MOTD from <literal>/etc/solanum/ircd.motd</literal>. + If set, the value of this option will be written to this path. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable (lib.mkMerge [ + { + systemd.services.solanum = { + description = "Solanum IRC daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = { + BANDB_DBPATH = "/var/lib/solanum/ban.db"; + }; + serviceConfig = { + ExecStart = "${solanum}/bin/solanum -foreground -logfile /dev/stdout -configfile ${configFile} -pidfile /run/solanum/ircd.pid"; + DynamicUser = true; + User = "solanum"; + StateDirectory = "solanum"; + RuntimeDirectory = "solanum"; + LimitNOFILE = "${toString cfg.openFilesLimit}"; + }; + }; + + } + + (mkIf (cfg.motd != null) { + environment.etc."solanum/ircd.motd".text = cfg.motd; + }) + ]); +} diff --git a/nixos/modules/services/networking/supplicant.nix b/nixos/modules/services/networking/supplicant.nix index 20704be9b36fe..4f4b5cef37413 100644 --- a/nixos/modules/services/networking/supplicant.nix +++ b/nixos/modules/services/networking/supplicant.nix @@ -44,19 +44,10 @@ let preStart = '' ${optionalString (suppl.configFile.path!=null) '' - touch -a ${suppl.configFile.path} - chmod 600 ${suppl.configFile.path} + (umask 077 && touch -a "${suppl.configFile.path}") ''} ${optionalString suppl.userControlled.enable '' - if ! test -e ${suppl.userControlled.socketDir}; then - mkdir -m 0770 -p ${suppl.userControlled.socketDir} - chgrp ${suppl.userControlled.group} ${suppl.userControlled.socketDir} - fi - - if test "$(stat --printf '%G' ${suppl.userControlled.socketDir})" != "${suppl.userControlled.group}"; then - echo "ERROR: bad ownership on ${suppl.userControlled.socketDir}" >&2 - exit 1 - fi + install -dm770 -g "${suppl.userControlled.group}" "${suppl.userControlled.socketDir}" ''} ''; diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index 622c3d8ea434f..09aef9a1dcf12 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -4,51 +4,28 @@ with lib; let cfg = config.services.unbound; - stateDir = "/var/lib/unbound"; - - access = concatMapStringsSep "\n " (x: "access-control: ${x} allow") cfg.allowedAccess; - - interfaces = concatMapStringsSep "\n " (x: "interface: ${x}") cfg.interfaces; - - isLocalAddress = x: substring 0 3 x == "::1" || substring 0 9 x == "127.0.0.1"; - - forward = - optionalString (any isLocalAddress cfg.forwardAddresses) '' - do-not-query-localhost: no - '' - + optionalString (cfg.forwardAddresses != []) '' - forward-zone: - name: . - '' - + concatMapStringsSep "\n" (x: " forward-addr: ${x}") cfg.forwardAddresses; - - rootTrustAnchorFile = "${stateDir}/root.key"; - - trustAnchor = optionalString cfg.enableRootTrustAnchor - "auto-trust-anchor-file: ${rootTrustAnchorFile}"; - - confFile = pkgs.writeText "unbound.conf" '' - server: - ip-freebind: yes - directory: "${stateDir}" - username: unbound - chroot: "" - pidfile: "" - # when running under systemd there is no need to daemonize - do-daemonize: no - ${interfaces} - ${access} - ${trustAnchor} - ${lib.optionalString (cfg.localControlSocketPath != null) '' - remote-control: - control-enable: yes - control-interface: ${cfg.localControlSocketPath} - ''} - ${cfg.extraConfig} - ${forward} - ''; -in -{ + yesOrNo = v: if v then "yes" else "no"; + + toOption = indent: n: v: "${indent}${toString n}: ${v}"; + + toConf = indent: n: v: + if builtins.isFloat v then (toOption indent n (builtins.toJSON v)) + else if isInt v then (toOption indent n (toString v)) + else if isBool v then (toOption indent n (yesOrNo v)) + else if isString v then (toOption indent n v) + else if isList v then (concatMapStringsSep "\n" (toConf indent n) v) + else if isAttrs v then (concatStringsSep "\n" ( + ["${indent}${n}:"] ++ ( + mapAttrsToList (toConf "${indent} ") v + ) + )) + else throw (traceSeq v "services.unbound.settings: unexpected type"); + + confFile = pkgs.writeText "unbound.conf" (concatStringsSep "\n" ((mapAttrsToList (toConf "") cfg.settings) ++ [""])); + + rootTrustAnchorFile = "${cfg.stateDir}/root.key"; + +in { ###### interface @@ -64,25 +41,30 @@ in description = "The unbound package to use"; }; - allowedAccess = mkOption { - default = [ "127.0.0.0/24" ]; - type = types.listOf types.str; - description = "What networks are allowed to use unbound as a resolver."; + user = mkOption { + type = types.str; + default = "unbound"; + description = "User account under which unbound runs."; }; - interfaces = mkOption { - default = [ "127.0.0.1" ] ++ optional config.networking.enableIPv6 "::1"; - type = types.listOf types.str; - description = '' - What addresses the server should listen on. This supports the interface syntax documented in - <citerefentry><refentrytitle>unbound.conf</refentrytitle><manvolnum>8</manvolnum></citerefentry>. - ''; + group = mkOption { + type = types.str; + default = "unbound"; + description = "Group under which unbound runs."; }; - forwardAddresses = mkOption { - default = []; - type = types.listOf types.str; - description = "What servers to forward queries to."; + stateDir = mkOption { + default = "/var/lib/unbound"; + description = "Directory holding all state for unbound to run."; + }; + + resolveLocalQueries = mkOption { + type = types.bool; + default = true; + description = '' + Whether unbound should resolve local queries (i.e. add 127.0.0.1 to + /etc/resolv.conf). + ''; }; enableRootTrustAnchor = mkOption { @@ -106,23 +88,66 @@ in and group will be <literal>nogroup</literal>. Users that should be permitted to access the socket must be in the - <literal>unbound</literal> group. + <literal>config.services.unbound.group</literal> group. If this option is <literal>null</literal> remote control will not be - configured at all. Unbounds default values apply. + enabled. Unbounds default values apply. ''; }; - extraConfig = mkOption { - default = ""; - type = types.lines; + settings = mkOption { + default = {}; + type = with types; submodule { + + freeformType = let + validSettingsPrimitiveTypes = oneOf [ int str bool float ]; + validSettingsTypes = oneOf [ validSettingsPrimitiveTypes (listOf validSettingsPrimitiveTypes) ]; + settingsType = oneOf [ str (attrsOf validSettingsTypes) ]; + in attrsOf (oneOf [ settingsType (listOf settingsType) ]) + // { description = '' + unbound.conf configuration type. The format consist of an attribute + set of settings. Each settings can be either one value, a list of + values or an attribute set. The allowed values are integers, + strings, booleans or floats. + ''; + }; + + options = { + remote-control.control-enable = mkOption { + type = bool; + default = false; + internal = true; + }; + }; + }; + example = literalExample '' + { + server = { + interface = [ "127.0.0.1" ]; + }; + forward-zone = [ + { + name = "."; + forward-addr = "1.1.1.1@853#cloudflare-dns.com"; + } + { + name = "example.org."; + forward-addr = [ + "1.1.1.1@853#cloudflare-dns.com" + "1.0.0.1@853#cloudflare-dns.com" + ]; + } + ]; + remote-control.control-enable = true; + }; + ''; description = '' - Extra unbound config. See - <citerefentry><refentrytitle>unbound.conf</refentrytitle><manvolnum>8 - </manvolnum></citerefentry>. + Declarative Unbound configuration + See the <citerefentry><refentrytitle>unbound.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> manpage for a list of + available options. ''; }; - }; }; @@ -130,23 +155,56 @@ in config = mkIf cfg.enable { + services.unbound.settings = { + server = { + directory = mkDefault cfg.stateDir; + username = cfg.user; + chroot = ''""''; + pidfile = ''""''; + # when running under systemd there is no need to daemonize + do-daemonize = false; + interface = mkDefault ([ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1")); + access-control = mkDefault ([ "127.0.0.0/8 allow" ] ++ (optional config.networking.enableIPv6 "::1/128 allow")); + auto-trust-anchor-file = mkIf cfg.enableRootTrustAnchor rootTrustAnchorFile; + tls-cert-bundle = mkDefault "/etc/ssl/certs/ca-certificates.crt"; + # prevent race conditions on system startup when interfaces are not yet + # configured + ip-freebind = mkDefault true; + }; + remote-control = { + control-enable = mkDefault false; + control-interface = mkDefault ([ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1")); + server-key-file = mkDefault "${cfg.stateDir}/unbound_server.key"; + server-cert-file = mkDefault "${cfg.stateDir}/unbound_server.pem"; + control-key-file = mkDefault "${cfg.stateDir}/unbound_control.key"; + control-cert-file = mkDefault "${cfg.stateDir}/unbound_control.pem"; + } // optionalAttrs (cfg.localControlSocketPath != null) { + control-enable = true; + control-interface = cfg.localControlSocketPath; + }; + }; + environment.systemPackages = [ cfg.package ]; - users.users.unbound = { - description = "unbound daemon user"; - isSystemUser = true; - group = lib.mkIf (cfg.localControlSocketPath != null) (lib.mkDefault "unbound"); + users.users = mkIf (cfg.user == "unbound") { + unbound = { + description = "unbound daemon user"; + isSystemUser = true; + group = cfg.group; + }; }; - # We need a group so that we can give users access to the configured - # control socket. Unbound allows access to the socket only to the unbound - # user and the primary group. - users.groups = lib.mkIf (cfg.localControlSocketPath != null) { + users.groups = mkIf (cfg.group == "unbound") { unbound = {}; }; - networking.resolvconf.useLocalResolver = mkDefault true; + networking = mkIf cfg.resolveLocalQueries { + resolvconf = { + useLocalResolver = mkDefault true; + }; + networkmanager.dns = "unbound"; + }; environment.etc."unbound/unbound.conf".source = confFile; @@ -156,8 +214,15 @@ in before = [ "nss-lookup.target" ]; wantedBy = [ "multi-user.target" "nss-lookup.target" ]; - preStart = lib.mkIf cfg.enableRootTrustAnchor '' - ${cfg.package}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" + path = mkIf cfg.settings.remote-control.control-enable [ pkgs.openssl ]; + + preStart = '' + ${optionalString cfg.enableRootTrustAnchor '' + ${cfg.package}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" + ''} + ${optionalString cfg.settings.remote-control.control-enable '' + ${cfg.package}/bin/unbound-control-setup -d ${cfg.stateDir} + ''} ''; restartTriggers = [ @@ -181,8 +246,8 @@ in "CAP_SYS_RESOURCE" ]; - User = "unbound"; - Group = lib.mkIf (cfg.localControlSocketPath != null) (lib.mkDefault "unbound"); + User = cfg.user; + Group = cfg.group; MemoryDenyWriteExecute = true; NoNewPrivileges = true; @@ -211,9 +276,29 @@ in RestrictNamespaces = true; LockPersonality = true; RestrictSUIDSGID = true; + + Restart = "on-failure"; + RestartSec = "5s"; }; }; - # If networkmanager is enabled, ask it to interface with unbound. - networking.networkmanager.dns = "unbound"; }; + + imports = [ + (mkRenamedOptionModule [ "services" "unbound" "interfaces" ] [ "services" "unbound" "settings" "server" "interface" ]) + (mkChangedOptionModule [ "services" "unbound" "allowedAccess" ] [ "services" "unbound" "settings" "server" "access-control" ] ( + config: map (value: "${value} allow") (getAttrFromPath [ "services" "unbound" "allowedAccess" ] config) + )) + (mkRemovedOptionModule [ "services" "unbound" "forwardAddresses" ] '' + Add a new setting: + services.unbound.settings.forward-zone = [{ + name = "."; + forward-addr = [ # Your current services.unbound.forwardAddresses ]; + }]; + If any of those addresses are local addresses (127.0.0.1 or ::1), you must + also set services.unbound.settings.server.do-not-query-localhost to false. + '') + (mkRemovedOptionModule [ "services" "unbound" "extraConfig" ] '' + You can use services.unbound.settings to add any configuration you want. + '') + ]; } diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix index 6d4d8d617d252..471f4bf8b33ff 100644 --- a/nixos/modules/services/networking/wireguard.nix +++ b/nixos/modules/services/networking/wireguard.nix @@ -271,12 +271,15 @@ let }; script = '' - mkdir --mode 0644 -p "${dirOf values.privateKeyFile}" + set -e + + # If the parent dir does not already exist, create it. + # Otherwise, does nothing, keeping existing permisions intact. + mkdir -p --mode 0755 "${dirOf values.privateKeyFile}" + if [ ! -f "${values.privateKeyFile}" ]; then - touch "${values.privateKeyFile}" - chmod 0600 "${values.privateKeyFile}" - wg genkey > "${values.privateKeyFile}" - chmod 0400 "${values.privateKeyFile}" + # Write private key file with atomically-correct permissions. + (set -e; umask 077; wg genkey > "${values.privateKeyFile}") fi ''; }; diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index 61482596763a6..8a0685c3d96b2 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -3,6 +3,10 @@ with lib; let + package = if cfg.allowAuxiliaryImperativeNetworks + then pkgs.wpa_supplicant_ro_ssids + else pkgs.wpa_supplicant; + cfg = config.networking.wireless; configFile = if cfg.networks != {} || cfg.extraConfig != "" || cfg.userControlled.enable then pkgs.writeText "wpa_supplicant.conf" '' ${optionalString cfg.userControlled.enable '' @@ -47,6 +51,16 @@ in { description = "Force a specific wpa_supplicant driver."; }; + allowAuxiliaryImperativeNetworks = mkEnableOption "support for imperative & declarative networks" // { + description = '' + Whether to allow configuring networks "imperatively" (e.g. via + <package>wpa_supplicant_gui</package>) and declaratively via + <xref linkend="opt-networking.wireless.networks" />. + + Please note that this adds a custom patch to <package>wpa_supplicant</package>. + ''; + }; + networks = mkOption { type = types.attrsOf (types.submodule { options = { @@ -211,9 +225,9 @@ in { message = ''options networking.wireless."${name}".{psk,pskRaw,auth} are mutually exclusive''; }); - environment.systemPackages = [ pkgs.wpa_supplicant ]; + environment.systemPackages = [ package ]; - services.dbus.packages = [ pkgs.wpa_supplicant ]; + services.dbus.packages = [ package ]; services.udev.packages = [ pkgs.crda ]; # FIXME: start a separate wpa_supplicant instance per interface. @@ -230,13 +244,17 @@ in { wantedBy = [ "multi-user.target" ]; stopIfChanged = false; - path = [ pkgs.wpa_supplicant ]; + path = [ package ]; - script = '' + script = let + configStr = if cfg.allowAuxiliaryImperativeNetworks + then "-c /etc/wpa_supplicant.conf -I ${configFile}" + else "-c ${configFile}"; + in '' if [ -f /etc/wpa_supplicant.conf -a "/etc/wpa_supplicant.conf" != "${configFile}" ] then echo >&2 "<3>/etc/wpa_supplicant.conf present but ignored. Generated ${configFile} is used instead." fi - iface_args="-s -u -D${cfg.driver} -c ${configFile}" + iface_args="-s -u -D${cfg.driver} ${configStr}" ${if ifaces == [] then '' for i in $(cd /sys/class/net && echo *); do DEVTYPE= diff --git a/nixos/modules/services/networking/yggdrasil.nix b/nixos/modules/services/networking/yggdrasil.nix index a71c635c9f6ef..47a7152f6fe6e 100644 --- a/nixos/modules/services/networking/yggdrasil.nix +++ b/nixos/modules/services/networking/yggdrasil.nix @@ -64,7 +64,7 @@ in { type = types.str; default = "root"; example = "wheel"; - description = "Group to grant acces to the Yggdrasil control socket."; + description = "Group to grant access to the Yggdrasil control socket."; }; openMulticastPort = mkOption { @@ -122,12 +122,11 @@ in { system.activationScripts.yggdrasil = mkIf cfg.persistentKeys '' if [ ! -e ${keysPath} ] then - mkdir -p ${builtins.dirOf keysPath} + mkdir --mode=700 -p ${builtins.dirOf keysPath} ${binYggdrasil} -genconf -json \ | ${pkgs.jq}/bin/jq \ 'to_entries|map(select(.key|endswith("Key")))|from_entries' \ > ${keysPath} - chmod 600 ${keysPath} fi ''; diff --git a/nixos/modules/services/networking/znc/default.nix b/nixos/modules/services/networking/znc/default.nix index a7315896c5063..aa79ed27dcef7 100644 --- a/nixos/modules/services/networking/znc/default.nix +++ b/nixos/modules/services/networking/znc/default.nix @@ -103,8 +103,8 @@ in }; dataDir = mkOption { - default = "/var/lib/znc/"; - example = "/home/john/.znc/"; + default = "/var/lib/znc"; + example = "/home/john/.znc"; type = types.path; description = '' The state directory for ZNC. The config and the modules will be linked @@ -258,6 +258,34 @@ in ExecStart = "${pkgs.znc}/bin/znc --foreground --datadir ${cfg.dataDir} ${escapeShellArgs cfg.extraFlags}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID"; + # Hardening + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadWritePaths = [ cfg.dataDir ]; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0027"; }; preStart = '' mkdir -p ${cfg.dataDir}/configs @@ -271,9 +299,8 @@ in # Ensure essential files exist. if [[ ! -f ${cfg.dataDir}/configs/znc.conf ]]; then echo "No znc.conf file found in ${cfg.dataDir}. Creating one now." - cp --no-clobber ${cfg.configFile} ${cfg.dataDir}/configs/znc.conf + cp --no-preserve=ownership --no-clobber ${cfg.configFile} ${cfg.dataDir}/configs/znc.conf chmod u+rw ${cfg.dataDir}/configs/znc.conf - chown ${cfg.user} ${cfg.dataDir}/configs/znc.conf fi if [[ ! -f ${cfg.dataDir}/znc.pem ]]; then diff --git a/nixos/modules/services/networking/znc/options.nix b/nixos/modules/services/networking/znc/options.nix index 048dbd7386300..7a43b45fabba6 100644 --- a/nixos/modules/services/networking/znc/options.nix +++ b/nixos/modules/services/networking/znc/options.nix @@ -44,7 +44,7 @@ let modules = mkOption { type = types.listOf types.str; default = [ "simple_away" ]; - example = literalExample "[ simple_away sasl ]"; + example = literalExample ''[ "simple_away" "sasl" ]''; description = '' ZNC network modules to load. ''; diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix index cefe72b0e999c..37f6651ec4cf2 100644 --- a/nixos/modules/services/scheduling/atd.nix +++ b/nixos/modules/services/scheduling/atd.nix @@ -81,14 +81,9 @@ in jobdir=/var/spool/atjobs etcdir=/etc/at - for dir in "$spooldir" "$jobdir" "$etcdir"; do - if [ ! -d "$dir" ]; then - mkdir -p "$dir" - chown atd:atd "$dir" - fi - done - chmod 1770 "$spooldir" "$jobdir" - ${if cfg.allowEveryone then ''chmod a+rwxt "$spooldir" "$jobdir" '' else ""} + install -dm755 -o atd -g atd "$etcdir" + spool_and_job_dir_perms=${if cfg.allowEveryone then "1777" else "1770"} + install -dm"$spool_and_job_dir_perms" -o atd -g atd "$spooldir" "$jobdir" if [ ! -f "$etcdir"/at.deny ]; then touch "$etcdir"/at.deny chown root:atd "$etcdir"/at.deny diff --git a/nixos/modules/services/security/bitwarden_rs/default.nix b/nixos/modules/services/security/bitwarden_rs/default.nix index a04bc883bf0f7..bed59dbf821f4 100644 --- a/nixos/modules/services/security/bitwarden_rs/default.nix +++ b/nixos/modules/services/security/bitwarden_rs/default.nix @@ -121,7 +121,6 @@ in { EnvironmentFile = [ configFile ] ++ optional (cfg.environmentFile != null) cfg.environmentFile; ExecStart = "${bitwarden_rs}/bin/bitwarden_rs"; LimitNOFILE = "1048576"; - LimitNPROC = "64"; PrivateTmp = "true"; PrivateDevices = "true"; ProtectHome = "true"; diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index b901b19cf3187..0c24972823dd4 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -62,6 +62,22 @@ in description = "The firewall package used by fail2ban service."; }; + extraPackages = mkOption { + default = []; + type = types.listOf types.package; + example = lib.literalExample "[ pkgs.ipset ]"; + description = '' + Extra packages to be made available to the fail2ban service. The example contains + the packages needed by the `iptables-ipset-proto6` action. + ''; + }; + + maxretry = mkOption { + default = 3; + type = types.ints.unsigned; + description = "Number of failures before a host gets banned."; + }; + banaction = mkOption { default = "iptables-multiport"; type = types.str; @@ -243,7 +259,7 @@ in restartTriggers = [ fail2banConf jailConf pathsConf ]; reloadIfChanged = true; - path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ]; + path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ] ++ cfg.extraPackages; unitConfig.Documentation = "man:fail2ban(1)"; @@ -291,7 +307,7 @@ in ''} # Miscellaneous options ignoreip = 127.0.0.1/8 ${optionalString config.networking.enableIPv6 "::1"} ${concatStringsSep " " cfg.ignoreIP} - maxretry = 3 + maxretry = ${toString cfg.maxretry} backend = systemd # Actions banaction = ${cfg.banaction} diff --git a/nixos/modules/services/security/hologram-agent.nix b/nixos/modules/services/security/hologram-agent.nix index e37334b3cf5e3..e29267e50003b 100644 --- a/nixos/modules/services/security/hologram-agent.nix +++ b/nixos/modules/services/security/hologram-agent.nix @@ -54,5 +54,5 @@ in { }; - meta.maintainers = with lib.maintainers; [ nand0p ]; + meta.maintainers = with lib.maintainers; [ ]; } diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix index 553638ad49658..d82ddb894ea55 100644 --- a/nixos/modules/services/security/oauth2_proxy_nginx.nix +++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix @@ -23,7 +23,8 @@ in config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) { enable = true; }; - config.services.nginx = mkMerge ((optional (cfg.virtualHosts != []) { + config.services.nginx = mkIf config.services.oauth2_proxy.enable (mkMerge + ((optional (cfg.virtualHosts != []) { recommendedProxySettings = true; # needed because duplicate headers }) ++ (map (vhost: { virtualHosts.${vhost} = { @@ -60,5 +61,5 @@ in ''; }; - }) cfg.virtualHosts)); + }) cfg.virtualHosts))); } diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index 54c2c2dea23af..9e8f18e93c85b 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -170,7 +170,7 @@ let else if k == "ServerTransportPlugin" then optionalString (v.transports != []) "${concatStringsSep "," v.transports} exec ${v.exec}" else if k == "HidServAuth" then - concatMapStringsSep "\n${k} " (settings: settings.onion + " " settings.auth) v + v.onion + " " + v.auth else generators.mkValueStringDefault {} v; genTorrc = settings: generators.toKeyValue { @@ -715,7 +715,7 @@ in (submodule { options = { onion = mkOption { - type = strMatching "[a-z2-7]{16}(\\.onion)?"; + type = strMatching "[a-z2-7]{16}\\.onion"; description = "Onion address."; example = "xxxxxxxxxxxxxxxx.onion"; }; @@ -726,6 +726,12 @@ in }; }) ]); + example = [ + { + onion = "xxxxxxxxxxxxxxxx.onion"; + auth = "xxxxxxxxxxxxxxxxxxxxxx"; + } + ]; }; options.HiddenServiceNonAnonymousMode = optionBool "HiddenServiceNonAnonymousMode"; options.HiddenServiceStatistics = optionBool "HiddenServiceStatistics"; diff --git a/nixos/modules/services/system/self-deploy.nix b/nixos/modules/services/system/self-deploy.nix new file mode 100644 index 0000000000000..3c82ed4fc593f --- /dev/null +++ b/nixos/modules/services/system/self-deploy.nix @@ -0,0 +1,170 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.self-deploy; + + workingDirectory = "/var/lib/nixos-self-deploy"; + repositoryDirectory = "${workingDirectory}/repo"; + outPath = "${workingDirectory}/system"; + + gitWithRepo = "git -C ${repositoryDirectory}"; + + renderNixArgs = args: + let + toArg = key: value: + if builtins.isString value + then " --argstr ${lib.escapeShellArg key} ${lib.escapeShellArg value}" + else " --arg ${lib.escapeShellArg key} ${lib.escapeShellArg (toString value)}"; + in + lib.concatStrings (lib.mapAttrsToList toArg args); + + isPathType = x: lib.strings.isCoercibleToString x && builtins.substring 0 1 (toString x) == "/"; + +in +{ + options.services.self-deploy = { + enable = lib.mkEnableOption "self-deploy"; + + nixFile = lib.mkOption { + type = lib.types.path; + + default = "/default.nix"; + + description = '' + Path to nix file in repository. Leading '/' refers to root of + git repository. + ''; + }; + + nixAttribute = lib.mkOption { + type = lib.types.str; + + description = '' + Attribute of `nixFile` that builds the current system. + ''; + }; + + nixArgs = lib.mkOption { + type = lib.types.attrs; + + default = { }; + + description = '' + Arguments to `nix-build` passed as `--argstr` or `--arg` depending on + the type. + ''; + }; + + switchCommand = lib.mkOption { + type = lib.types.enum [ "boot" "switch" "dry-activate" "test" ]; + + default = "switch"; + + description = '' + The `switch-to-configuration` subcommand used. + ''; + }; + + repository = lib.mkOption { + type = with lib.types; oneOf [ path str ]; + + description = '' + The repository to fetch from. Must be properly formatted for git. + + If this value is set to a path (must begin with `/`) then it's + assumed that the repository is local and the resulting service + won't wait for the network to be up. + + If the repository will be fetched over SSH, you must add an + entry to `programs.ssh.knownHosts` for the SSH host for the fetch + to be successful. + ''; + }; + + sshKeyFile = lib.mkOption { + type = with lib.types; nullOr path; + + default = null; + + description = '' + Path to SSH private key used to fetch private repositories over + SSH. + ''; + }; + + branch = lib.mkOption { + type = lib.types.str; + + default = "master"; + + description = '' + Branch to track + + Technically speaking any ref can be specified here, as this is + passed directly to a `git fetch`, but for the use-case of + continuous deployment you're likely to want to specify a branch. + ''; + }; + + startAt = lib.mkOption { + type = with lib.types; either str (listOf str); + + default = "hourly"; + + description = '' + The schedule on which to run the `self-deploy` service. Format + specified by `systemd.time 7`. + + This value can also be a list of `systemd.time 7` formatted + strings, in which case the service will be started on multiple + schedules. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.self-deploy = { + wantedBy = [ "multi-user.target" ]; + + requires = lib.mkIf (!(isPathType cfg.repository)) [ "network-online.target" ]; + + environment.GIT_SSH_COMMAND = lib.mkIf (!(isNull cfg.sshKeyFile)) + "${pkgs.openssh}/bin/ssh -i ${lib.escapeShellArg cfg.sshKeyFile}"; + + restartIfChanged = false; + + path = with pkgs; [ + git + nix + systemd + ]; + + script = '' + if [ ! -e ${repositoryDirectory} ]; then + mkdir --parents ${repositoryDirectory} + git init ${repositoryDirectory} + fi + + ${gitWithRepo} fetch ${lib.escapeShellArg cfg.repository} ${lib.escapeShellArg cfg.branch} + + ${gitWithRepo} checkout FETCH_HEAD + + nix-build${renderNixArgs cfg.nixArgs} ${lib.cli.toGNUCommandLineShell { } { + attr = cfg.nixAttribute; + out-link = outPath; + }} ${lib.escapeShellArg "${repositoryDirectory}${cfg.nixFile}"} + + ${lib.optionalString (cfg.switchCommand != "test") + "nix-env --profile /nix/var/nix/profiles/system --set ${outPath}"} + + ${outPath}/bin/switch-to-configuration ${cfg.switchCommand} + + rm ${outPath} + + ${gitWithRepo} gc --prune=all + + ${lib.optionalString (cfg.switchCommand == "boot") "systemctl reboot"} + ''; + }; + }; +} diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index 7bec073e26f71..34a5219c95947 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -5,7 +5,7 @@ with lib; let cfg = config.services.transmission; inherit (config.environment) etc; - apparmor = config.security.apparmor.enable; + apparmor = config.security.apparmor; rootDir = "/run/transmission"; homeDir = "/var/lib/transmission"; settingsDir = ".config/transmission-daemon"; @@ -184,8 +184,8 @@ in systemd.services.transmission = { description = "Transmission BitTorrent Service"; - after = [ "network.target" ] ++ optional apparmor "apparmor.service"; - requires = optional apparmor "apparmor.service"; + after = [ "network.target" ] ++ optional apparmor.enable "apparmor.service"; + requires = optional apparmor.enable "apparmor.service"; wantedBy = [ "multi-user.target" ]; environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source; @@ -358,95 +358,39 @@ in }) ]; - security.apparmor.profiles = mkIf apparmor [ - (pkgs.writeText "apparmor-transmission-daemon" '' - include <tunables/global> - - ${pkgs.transmission}/bin/transmission-daemon { - include <abstractions/base> - include <abstractions/nameservice> - - # NOTE: https://github.com/NixOS/nixpkgs/pull/93457 - # will remove the need for these by fixing <abstractions/base> - r ${etc."hosts".source}, - r /etc/ld-nix.so.preload, - ${lib.optionalString (builtins.hasAttr "ld-nix.so.preload" etc) '' - r ${etc."ld-nix.so.preload".source}, - ${concatMapStrings (p: optionalString (p != "") ("mr ${p},\n")) - (splitString "\n" config.environment.etc."ld-nix.so.preload".text)} - ''} - r ${etc."ssl/certs/ca-certificates.crt".source}, - r ${pkgs.tzdata}/share/zoneinfo/**, - r ${pkgs.stdenv.cc.libc}/share/i18n/**, - r ${pkgs.stdenv.cc.libc}/share/locale/**, - - mr ${getLib pkgs.stdenv.cc.cc}/lib/*.so*, - mr ${getLib pkgs.stdenv.cc.libc}/lib/*.so*, - mr ${getLib pkgs.attr}/lib/libattr*.so*, - mr ${getLib pkgs.c-ares}/lib/libcares*.so*, - mr ${getLib pkgs.curl}/lib/libcurl*.so*, - mr ${getLib pkgs.keyutils}/lib/libkeyutils*.so*, - mr ${getLib pkgs.libcap}/lib/libcap*.so*, - mr ${getLib pkgs.libevent}/lib/libevent*.so*, - mr ${getLib pkgs.libgcrypt}/lib/libgcrypt*.so*, - mr ${getLib pkgs.libgpgerror}/lib/libgpg-error*.so*, - mr ${getLib pkgs.libkrb5}/lib/lib*.so*, - mr ${getLib pkgs.libssh2}/lib/libssh2*.so*, - mr ${getLib pkgs.lz4}/lib/liblz4*.so*, - mr ${getLib pkgs.nghttp2}/lib/libnghttp2*.so*, - mr ${getLib pkgs.openssl}/lib/libcrypto*.so*, - mr ${getLib pkgs.openssl}/lib/libssl*.so*, - mr ${getLib pkgs.systemd}/lib/libsystemd*.so*, - mr ${getLib pkgs.util-linuxMinimal.out}/lib/libblkid.so*, - mr ${getLib pkgs.util-linuxMinimal.out}/lib/libmount.so*, - mr ${getLib pkgs.util-linuxMinimal.out}/lib/libuuid.so*, - mr ${getLib pkgs.xz}/lib/liblzma*.so*, - mr ${getLib pkgs.zlib}/lib/libz*.so*, - - r @{PROC}/sys/kernel/random/uuid, - r @{PROC}/sys/vm/overcommit_memory, - # @{pid} is not a kernel variable yet but a regexp - #r @{PROC}/@{pid}/environ, - r @{PROC}/@{pid}/mounts, - rwk /tmp/tr_session_id_*, - r /run/systemd/resolve/stub-resolv.conf, - - r ${pkgs.openssl.out}/etc/**, - r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE}, - r ${pkgs.transmission}/share/transmission/**, - - owner rw ${cfg.home}/${settingsDir}/**, - rw ${cfg.settings.download-dir}/**, - ${optionalString cfg.settings.incomplete-dir-enabled '' - rw ${cfg.settings.incomplete-dir}/**, - ''} - ${optionalString cfg.settings.watch-dir-enabled '' - rw ${cfg.settings.watch-dir}/**, - ''} - profile dirs { - rw ${cfg.settings.download-dir}/**, - ${optionalString cfg.settings.incomplete-dir-enabled '' - rw ${cfg.settings.incomplete-dir}/**, - ''} - ${optionalString cfg.settings.watch-dir-enabled '' - rw ${cfg.settings.watch-dir}/**, - ''} - } - - ${optionalString (cfg.settings.script-torrent-done-enabled && - cfg.settings.script-torrent-done-filename != "") '' - # Stack transmission_directories profile on top of - # any existing profile for script-torrent-done-filename - # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges= - # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs - px ${cfg.settings.script-torrent-done-filename} -> &@{dirs}, - ''} + security.apparmor.policies."bin.transmission-daemon".profile = '' + include "${pkgs.transmission.apparmor}/bin.transmission-daemon" + ''; + security.apparmor.includes."local/bin.transmission-daemon" = '' + r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE}, + + owner rw ${cfg.home}/${settingsDir}/**, + rw ${cfg.settings.download-dir}/**, + ${optionalString cfg.settings.incomplete-dir-enabled '' + rw ${cfg.settings.incomplete-dir}/**, + ''} + ${optionalString cfg.settings.watch-dir-enabled '' + rw ${cfg.settings.watch-dir}/**, + ''} + profile dirs { + rw ${cfg.settings.download-dir}/**, + ${optionalString cfg.settings.incomplete-dir-enabled '' + rw ${cfg.settings.incomplete-dir}/**, + ''} + ${optionalString cfg.settings.watch-dir-enabled '' + rw ${cfg.settings.watch-dir}/**, + ''} + } - # FIXME: enable customizing using https://github.com/NixOS/nixpkgs/pull/93457 - # include <local/transmission-daemon> - } - '') - ]; + ${optionalString (cfg.settings.script-torrent-done-enabled && + cfg.settings.script-torrent-done-filename != "") '' + # Stack transmission_directories profile on top of + # any existing profile for script-torrent-done-filename + # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges= + # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs + px ${cfg.settings.script-torrent-done-filename} -> &@{dirs}, + ''} + ''; }; meta.maintainers = with lib.maintainers; [ julm ]; diff --git a/nixos/modules/services/video/mirakurun.nix b/nixos/modules/services/video/mirakurun.nix index ce1dabe6bfa1e..6ea73fa5c679c 100644 --- a/nixos/modules/services/video/mirakurun.nix +++ b/nixos/modules/services/video/mirakurun.nix @@ -8,6 +8,18 @@ let username = config.users.users.mirakurun.name; groupname = config.users.users.mirakurun.group; settingsFmt = pkgs.formats.yaml {}; + + polkitRule = pkgs.writeTextDir "share/polkit-1/rules.d/10-mirakurun.rules" '' + polkit.addRule(function (action, subject) { + if ( + (action.id == "org.debian.pcsc-lite.access_pcsc" || + action.id == "org.debian.pcsc-lite.access_card") && + subject.user == "${username}" + ) { + return polkit.Result.YES; + } + }); + ''; in { options = { @@ -48,6 +60,15 @@ in ''; }; + allowSmartCardAccess = mkOption { + type = types.bool; + default = true; + description = '' + Install polkit rules to allow Mirakurun to access smart card readers + which is commonly used along with tuner devices. + ''; + }; + serverSettings = mkOption { type = settingsFmt.type; default = {}; @@ -110,7 +131,7 @@ in }; config = mkIf cfg.enable { - environment.systemPackages = [ mirakurun ]; + environment.systemPackages = [ mirakurun ] ++ optional cfg.allowSmartCardAccess polkitRule; environment.etc = { "mirakurun/server.yml".source = settingsFmt.generate "server.yml" cfg.serverSettings; "mirakurun/tuners.yml" = mkIf (cfg.tunerSettings != null) { diff --git a/nixos/modules/services/web-apps/bookstack.nix b/nixos/modules/services/web-apps/bookstack.nix index 83d05ffbad9a0..34a31af9c9da1 100644 --- a/nixos/modules/services/web-apps/bookstack.nix +++ b/nixos/modules/services/web-apps/bookstack.nix @@ -292,6 +292,8 @@ in { WorkingDirectory = "${bookstack}"; }; script = '' + # set permissions + umask 077 # create .env file echo " APP_KEY=base64:$(head -n1 ${cfg.appKeyFile}) @@ -317,13 +319,14 @@ in { ${optionalString (cfg.nginx.addSSL || cfg.nginx.forceSSL || cfg.nginx.onlySSL || cfg.nginx.enableACME) "SESSION_SECURE_COOKIE=true"} ${toString cfg.extraConfig} " > "${cfg.dataDir}/.env" - # set permissions - chmod 700 "${cfg.dataDir}/.env" # migrate db ${pkgs.php}/bin/php artisan migrate --force - # create caches + # clear & create caches (needed in case of update) + ${pkgs.php}/bin/php artisan cache:clear + ${pkgs.php}/bin/php artisan config:clear + ${pkgs.php}/bin/php artisan view:clear ${pkgs.php}/bin/php artisan config:cache ${pkgs.php}/bin/php artisan route:cache ${pkgs.php}/bin/php artisan view:cache diff --git a/nixos/modules/services/web-apps/discourse.nix b/nixos/modules/services/web-apps/discourse.nix index 00b58d5025742..0e2e182ffe93e 100644 --- a/nixos/modules/services/web-apps/discourse.nix +++ b/nixos/modules/services/web-apps/discourse.nix @@ -661,7 +661,7 @@ in ]; path = cfg.package.runtimeDeps ++ [ postgresqlPackage - pkgs.replace + pkgs.replace-secret cfg.package.rake ]; environment = cfg.package.runtimeEnv // { @@ -688,10 +688,7 @@ in mkSecretReplacement = file: lib.optionalString (file != null) '' - ( - password=$(<'${file}') - replace-literal -fe '${file}' "$password" /run/discourse/config/discourse.conf - ) + replace-secret '${file}' '${file}' /run/discourse/config/discourse.conf ''; in '' set -o errexit -o pipefail -o nounset -o errtrace @@ -713,11 +710,12 @@ in cfg.siteSettings "/run/discourse/config/nixos_site_settings.json" } - install -T -m 0400 -o discourse ${discourseConf} /run/discourse/config/discourse.conf + install -T -m 0600 -o discourse ${discourseConf} /run/discourse/config/discourse.conf ${mkSecretReplacement cfg.database.passwordFile} ${mkSecretReplacement cfg.mail.outgoing.passwordFile} ${mkSecretReplacement cfg.redis.passwordFile} ${mkSecretReplacement cfg.secretKeyBaseFile} + chmod 0400 /run/discourse/config/discourse.conf ) discourse-rake db:migrate >>/var/log/discourse/db_migration.log diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix index b6e87c89e0aa1..f0b9e60116dd9 100644 --- a/nixos/modules/services/web-apps/keycloak.nix +++ b/nixos/modules/services/web-apps/keycloak.nix @@ -54,6 +54,7 @@ in frontendUrl = lib.mkOption { type = lib.types.str; + apply = x: if lib.hasSuffix "/" x then x else x + "/"; example = "keycloak.example.com/auth"; description = '' The public URL used as base for all frontend requests. Should @@ -84,106 +85,126 @@ in ''; }; - certificatePrivateKeyBundle = lib.mkOption { + sslCertificate = lib.mkOption { type = lib.types.nullOr lib.types.path; default = null; example = "/run/keys/ssl_cert"; description = '' - The path to a PEM formatted bundle of the private key and - certificate to use for TLS connections. + The path to a PEM formatted certificate to use for TLS/SSL + connections. This should be a string, not a Nix path, since Nix paths are copied into the world-readable Nix store. ''; }; - databaseType = lib.mkOption { - type = lib.types.enum [ "mysql" "postgresql" ]; - default = "postgresql"; - example = "mysql"; + sslCertificateKey = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/run/keys/ssl_key"; description = '' - The type of database Keycloak should connect to. - ''; - }; + The path to a PEM formatted private key to use for TLS/SSL + connections. - databaseHost = lib.mkOption { - type = lib.types.str; - default = "localhost"; - description = '' - Hostname of the database to connect to. + This should be a string, not a Nix path, since Nix paths are + copied into the world-readable Nix store. ''; }; - databasePort = - let - dbPorts = { - postgresql = 5432; - mysql = 3306; - }; - in - lib.mkOption { - type = lib.types.port; - default = dbPorts.${cfg.databaseType}; - description = '' - Port of the database to connect to. - ''; - }; + database = { + type = lib.mkOption { + type = lib.types.enum [ "mysql" "postgresql" ]; + default = "postgresql"; + example = "mysql"; + description = '' + The type of database Keycloak should connect to. + ''; + }; - databaseUseSSL = lib.mkOption { - type = lib.types.bool; - default = cfg.databaseHost != "localhost"; - description = '' - Whether the database connection should be secured by SSL / - TLS. - ''; - }; + host = lib.mkOption { + type = lib.types.str; + default = "localhost"; + description = '' + Hostname of the database to connect to. + ''; + }; - databaseCaCert = lib.mkOption { - type = lib.types.nullOr lib.types.path; - default = null; - description = '' - The SSL / TLS CA certificate that verifies the identity of the - database server. + port = + let + dbPorts = { + postgresql = 5432; + mysql = 3306; + }; + in + lib.mkOption { + type = lib.types.port; + default = dbPorts.${cfg.database.type}; + description = '' + Port of the database to connect to. + ''; + }; - Required when PostgreSQL is used and SSL is turned on. + useSSL = lib.mkOption { + type = lib.types.bool; + default = cfg.database.host != "localhost"; + description = '' + Whether the database connection should be secured by SSL / + TLS. + ''; + }; - For MySQL, if left at <literal>null</literal>, the default - Java keystore is used, which should suffice if the server - certificate is issued by an official CA. - ''; - }; + caCert = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = '' + The SSL / TLS CA certificate that verifies the identity of the + database server. - databaseCreateLocally = lib.mkOption { - type = lib.types.bool; - default = true; - description = '' - Whether a database should be automatically created on the - local host. Set this to false if you plan on provisioning a - local database yourself. This has no effect if - services.keycloak.databaseHost is customized. - ''; - }; + Required when PostgreSQL is used and SSL is turned on. - databaseUsername = lib.mkOption { - type = lib.types.str; - default = "keycloak"; - description = '' - Username to use when connecting to the database. - This is also used for automatic provisioning of the database. - Changing this after the initial installation doesn't delete the - old user and can cause further problems. - ''; - }; + For MySQL, if left at <literal>null</literal>, the default + Java keystore is used, which should suffice if the server + certificate is issued by an official CA. + ''; + }; - databasePasswordFile = lib.mkOption { - type = lib.types.path; - example = "/run/keys/db_password"; - description = '' - File containing the database password. + createLocally = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Whether a database should be automatically created on the + local host. Set this to false if you plan on provisioning a + local database yourself. This has no effect if + services.keycloak.database.host is customized. + ''; + }; - This should be a string, not a Nix path, since Nix paths are - copied into the world-readable Nix store. - ''; + username = lib.mkOption { + type = lib.types.str; + default = "keycloak"; + description = '' + Username to use when connecting to an external or manually + provisioned database; has no effect when a local database is + automatically provisioned. + + To use this with a local database, set <xref + linkend="opt-services.keycloak.database.createLocally" /> to + <literal>false</literal> and create the database and user + manually. The database should be called + <literal>keycloak</literal>. + ''; + }; + + passwordFile = lib.mkOption { + type = lib.types.path; + example = "/run/keys/db_password"; + description = '' + File containing the database password. + + This should be a string, not a Nix path, since Nix paths are + copied into the world-readable Nix store. + ''; + }; }; package = lib.mkOption { @@ -256,12 +277,12 @@ in config = let # We only want to create a database if we're actually going to connect to it. - databaseActuallyCreateLocally = cfg.databaseCreateLocally && cfg.databaseHost == "localhost"; - createLocalPostgreSQL = databaseActuallyCreateLocally && cfg.databaseType == "postgresql"; - createLocalMySQL = databaseActuallyCreateLocally && cfg.databaseType == "mysql"; + databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == "localhost"; + createLocalPostgreSQL = databaseActuallyCreateLocally && cfg.database.type == "postgresql"; + createLocalMySQL = databaseActuallyCreateLocally && cfg.database.type == "mysql"; mySqlCaKeystore = pkgs.runCommandNoCC "mysql-ca-keystore" {} '' - ${pkgs.jre}/bin/keytool -importcert -trustcacerts -alias MySQLCACert -file ${cfg.databaseCaCert} -keystore $out -storepass notsosecretpassword -noprompt + ${pkgs.jre}/bin/keytool -importcert -trustcacerts -alias MySQLCACert -file ${cfg.database.caCert} -keystore $out -storepass notsosecretpassword -noprompt ''; keycloakConfig' = builtins.foldl' lib.recursiveUpdate { @@ -277,11 +298,11 @@ in }; "subsystem=datasources"."data-source=KeycloakDS" = { max-pool-size = "20"; - user-name = if databaseActuallyCreateLocally then "keycloak" else cfg.databaseUsername; + user-name = if databaseActuallyCreateLocally then "keycloak" else cfg.database.username; password = "@db-password@"; }; } [ - (lib.optionalAttrs (cfg.databaseType == "postgresql") { + (lib.optionalAttrs (cfg.database.type == "postgresql") { "subsystem=datasources" = { "jdbc-driver=postgresql" = { driver-module-name = "org.postgresql"; @@ -289,16 +310,16 @@ in driver-xa-datasource-class-name = "org.postgresql.xa.PGXADataSource"; }; "data-source=KeycloakDS" = { - connection-url = "jdbc:postgresql://${cfg.databaseHost}:${builtins.toString cfg.databasePort}/keycloak"; + connection-url = "jdbc:postgresql://${cfg.database.host}:${builtins.toString cfg.database.port}/keycloak"; driver-name = "postgresql"; - "connection-properties=ssl".value = lib.boolToString cfg.databaseUseSSL; - } // (lib.optionalAttrs (cfg.databaseCaCert != null) { - "connection-properties=sslrootcert".value = cfg.databaseCaCert; + "connection-properties=ssl".value = lib.boolToString cfg.database.useSSL; + } // (lib.optionalAttrs (cfg.database.caCert != null) { + "connection-properties=sslrootcert".value = cfg.database.caCert; "connection-properties=sslmode".value = "verify-ca"; }); }; }) - (lib.optionalAttrs (cfg.databaseType == "mysql") { + (lib.optionalAttrs (cfg.database.type == "mysql") { "subsystem=datasources" = { "jdbc-driver=mysql" = { driver-module-name = "com.mysql"; @@ -306,22 +327,22 @@ in driver-class-name = "com.mysql.jdbc.Driver"; }; "data-source=KeycloakDS" = { - connection-url = "jdbc:mysql://${cfg.databaseHost}:${builtins.toString cfg.databasePort}/keycloak"; + connection-url = "jdbc:mysql://${cfg.database.host}:${builtins.toString cfg.database.port}/keycloak"; driver-name = "mysql"; - "connection-properties=useSSL".value = lib.boolToString cfg.databaseUseSSL; - "connection-properties=requireSSL".value = lib.boolToString cfg.databaseUseSSL; - "connection-properties=verifyServerCertificate".value = lib.boolToString cfg.databaseUseSSL; + "connection-properties=useSSL".value = lib.boolToString cfg.database.useSSL; + "connection-properties=requireSSL".value = lib.boolToString cfg.database.useSSL; + "connection-properties=verifyServerCertificate".value = lib.boolToString cfg.database.useSSL; "connection-properties=characterEncoding".value = "UTF-8"; valid-connection-checker-class-name = "org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"; validate-on-match = true; exception-sorter-class-name = "org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"; - } // (lib.optionalAttrs (cfg.databaseCaCert != null) { + } // (lib.optionalAttrs (cfg.database.caCert != null) { "connection-properties=trustCertificateKeyStoreUrl".value = "file:${mySqlCaKeystore}"; "connection-properties=trustCertificateKeyStorePassword".value = "notsosecretpassword"; }); }; }) - (lib.optionalAttrs (cfg.certificatePrivateKeyBundle != null) { + (lib.optionalAttrs (cfg.sslCertificate != null && cfg.sslCertificateKey != null) { "socket-binding-group=standard-sockets"."socket-binding=https".port = cfg.httpsPort; "core-service=management"."security-realm=UndertowRealm"."server-identity=ssl" = { keystore-path = "/run/keycloak/ssl/certificate_private_key_bundle.p12"; @@ -532,7 +553,9 @@ in jbossCliScript = pkgs.writeText "jboss-cli-script" (mkJbossScript keycloakConfig'); - keycloakConfig = pkgs.runCommandNoCC "keycloak-config" {} '' + keycloakConfig = pkgs.runCommandNoCC "keycloak-config" { + nativeBuildInputs = [ cfg.package ]; + } '' export JBOSS_BASE_DIR="$(pwd -P)"; export JBOSS_MODULEPATH="${cfg.package}/modules"; export JBOSS_LOG_DIR="$JBOSS_BASE_DIR/log"; @@ -542,11 +565,11 @@ in mkdir -p {deployments,ssl} - "${cfg.package}/bin/standalone.sh"& + standalone.sh& attempt=1 max_attempts=30 - while ! ${cfg.package}/bin/jboss-cli.sh --connect ':read-attribute(name=server-state)'; do + while ! jboss-cli.sh --connect ':read-attribute(name=server-state)'; do if [[ "$attempt" == "$max_attempts" ]]; then echo "ERROR: Could not connect to Keycloak after $attempt attempts! Failing.." >&2 exit 1 @@ -556,7 +579,7 @@ in (( attempt++ )) done - ${cfg.package}/bin/jboss-cli.sh --connect --file=${jbossCliScript} --echo-command + jboss-cli.sh --connect --file=${jbossCliScript} --echo-command cp configuration/standalone.xml $out ''; @@ -565,8 +588,8 @@ in assertions = [ { - assertion = (cfg.databaseUseSSL && cfg.databaseType == "postgresql") -> (cfg.databaseCaCert != null); - message = "A CA certificate must be specified (in 'services.keycloak.databaseCaCert') when PostgreSQL is used with SSL"; + assertion = (cfg.database.useSSL && cfg.database.type == "postgresql") -> (cfg.database.caCert != null); + message = "A CA certificate must be specified (in 'services.keycloak.database.caCert') when PostgreSQL is used with SSL"; } ]; @@ -576,6 +599,7 @@ in after = [ "postgresql.service" ]; before = [ "keycloak.service" ]; bindsTo = [ "postgresql.service" ]; + path = [ config.services.postgresql.package ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; @@ -583,13 +607,15 @@ in Group = "postgres"; }; script = '' - set -eu + set -o errexit -o pipefail -o nounset -o errtrace + shopt -s inherit_errexit - PSQL=${config.services.postgresql.package}/bin/psql + create_role="$(mktemp)" + trap 'rm -f "$create_role"' ERR EXIT - db_password="$(<'${cfg.databasePasswordFile}')" - $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${cfg.databaseUsername}'" | grep -q 1 || $PSQL -tAc "CREATE ROLE ${cfg.databaseUsername} WITH LOGIN PASSWORD '$db_password' CREATEDB" - $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "keycloak" OWNER "${cfg.databaseUsername}"' + echo "CREATE ROLE keycloak WITH LOGIN PASSWORD '$(<'${cfg.database.passwordFile}')' CREATEDB" > "$create_role" + psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || psql -tA --file="$create_role" + psql -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || psql -tAc 'CREATE DATABASE "keycloak" OWNER "keycloak"' ''; }; @@ -597,6 +623,7 @@ in after = [ "mysql.service" ]; before = [ "keycloak.service" ]; bindsTo = [ "mysql.service" ]; + path = [ config.services.mysql.package ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; @@ -604,13 +631,14 @@ in Group = config.services.mysql.group; }; script = '' - set -eu + set -o errexit -o pipefail -o nounset -o errtrace + shopt -s inherit_errexit - db_password="$(<'${cfg.databasePasswordFile}')" - ( echo "CREATE USER IF NOT EXISTS '${cfg.databaseUsername}'@'localhost' IDENTIFIED BY '$db_password';" + db_password="$(<'${cfg.database.passwordFile}')" + ( echo "CREATE USER IF NOT EXISTS 'keycloak'@'localhost' IDENTIFIED BY '$db_password';" echo "CREATE DATABASE keycloak CHARACTER SET utf8 COLLATE utf8_unicode_ci;" - echo "GRANT ALL PRIVILEGES ON keycloak.* TO '${cfg.databaseUsername}'@'localhost';" - ) | ${config.services.mysql.package}/bin/mysql -N + echo "GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'localhost';" + ) | mysql -N ''; }; @@ -628,6 +656,11 @@ in after = databaseServices; bindsTo = databaseServices; wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ + cfg.package + openssl + replace-secret + ]; environment = { JBOSS_LOG_DIR = "/var/log/keycloak"; JBOSS_BASE_DIR = "/run/keycloak"; @@ -636,29 +669,38 @@ in serviceConfig = { ExecStartPre = let startPreFullPrivileges = '' - set -eu + set -o errexit -o pipefail -o nounset -o errtrace + shopt -s inherit_errexit - install -T -m 0400 -o keycloak -g keycloak '${cfg.databasePasswordFile}' /run/keycloak/secrets/db_password - '' + lib.optionalString (cfg.certificatePrivateKeyBundle != null) '' - install -T -m 0400 -o keycloak -g keycloak '${cfg.certificatePrivateKeyBundle}' /run/keycloak/secrets/ssl_cert_pk_bundle + umask u=rwx,g=,o= + + install -T -m 0400 -o keycloak -g keycloak '${cfg.database.passwordFile}' /run/keycloak/secrets/db_password + '' + lib.optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) '' + install -T -m 0400 -o keycloak -g keycloak '${cfg.sslCertificate}' /run/keycloak/secrets/ssl_cert + install -T -m 0400 -o keycloak -g keycloak '${cfg.sslCertificateKey}' /run/keycloak/secrets/ssl_key ''; startPre = '' - set -eu + set -o errexit -o pipefail -o nounset -o errtrace + shopt -s inherit_errexit + + umask u=rwx,g=,o= install -m 0600 ${cfg.package}/standalone/configuration/*.properties /run/keycloak/configuration install -T -m 0600 ${keycloakConfig} /run/keycloak/configuration/standalone.xml - db_password="$(</run/keycloak/secrets/db_password)" - ${pkgs.replace}/bin/replace-literal -fe '@db-password@' "$db_password" /run/keycloak/configuration/standalone.xml + replace-secret '@db-password@' '/run/keycloak/secrets/db_password' /run/keycloak/configuration/standalone.xml export JAVA_OPTS=-Djboss.server.config.user.dir=/run/keycloak/configuration - ${cfg.package}/bin/add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}' - '' + lib.optionalString (cfg.certificatePrivateKeyBundle != null) '' + add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}' + '' + lib.optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) '' pushd /run/keycloak/ssl/ - cat /run/keycloak/secrets/ssl_cert_pk_bundle <(echo) /etc/ssl/certs/ca-certificates.crt > allcerts.pem - ${pkgs.openssl}/bin/openssl pkcs12 -export -in /run/keycloak/secrets/ssl_cert_pk_bundle -chain \ - -name "${cfg.frontendUrl}" -out certificate_private_key_bundle.p12 \ - -CAfile allcerts.pem -passout pass:notsosecretpassword + cat /run/keycloak/secrets/ssl_cert <(echo) \ + /run/keycloak/secrets/ssl_key <(echo) \ + /etc/ssl/certs/ca-certificates.crt \ + > allcerts.pem + openssl pkcs12 -export -in /run/keycloak/secrets/ssl_cert -inkey /run/keycloak/secrets/ssl_key -chain \ + -name "${cfg.frontendUrl}" -out certificate_private_key_bundle.p12 \ + -CAfile allcerts.pem -passout pass:notsosecretpassword popd ''; in [ @@ -690,4 +732,5 @@ in }; meta.doc = ./keycloak.xml; + meta.maintainers = [ lib.maintainers.talyz ]; } diff --git a/nixos/modules/services/web-apps/keycloak.xml b/nixos/modules/services/web-apps/keycloak.xml index ca5e223eee467..7ba656c20f166 100644 --- a/nixos/modules/services/web-apps/keycloak.xml +++ b/nixos/modules/services/web-apps/keycloak.xml @@ -41,31 +41,31 @@ <productname>PostgreSQL</productname> or <productname>MySQL</productname>. Which one is used can be configured in <xref - linkend="opt-services.keycloak.databaseType" />. The selected + linkend="opt-services.keycloak.database.type" />. The selected database will automatically be enabled and a database and role created unless <xref - linkend="opt-services.keycloak.databaseHost" /> is changed from + linkend="opt-services.keycloak.database.host" /> is changed from its default of <literal>localhost</literal> or <xref - linkend="opt-services.keycloak.databaseCreateLocally" /> is set + linkend="opt-services.keycloak.database.createLocally" /> is set to <literal>false</literal>. </para> <para> External database access can also be configured by setting - <xref linkend="opt-services.keycloak.databaseHost" />, <xref - linkend="opt-services.keycloak.databaseUsername" />, <xref - linkend="opt-services.keycloak.databaseUseSSL" /> and <xref - linkend="opt-services.keycloak.databaseCaCert" /> as + <xref linkend="opt-services.keycloak.database.host" />, <xref + linkend="opt-services.keycloak.database.username" />, <xref + linkend="opt-services.keycloak.database.useSSL" /> and <xref + linkend="opt-services.keycloak.database.caCert" /> as appropriate. Note that you need to manually create a database called <literal>keycloak</literal> and allow the configured database user full access to it. </para> <para> - <xref linkend="opt-services.keycloak.databasePasswordFile" /> + <xref linkend="opt-services.keycloak.database.passwordFile" /> must be set to the path to a file containing the password used - to log in to the database. If <xref linkend="opt-services.keycloak.databaseHost" /> - and <xref linkend="opt-services.keycloak.databaseCreateLocally" /> + to log in to the database. If <xref linkend="opt-services.keycloak.database.host" /> + and <xref linkend="opt-services.keycloak.database.createLocally" /> are kept at their defaults, the database role <literal>keycloak</literal> with that password is provisioned on the local database instance. @@ -115,17 +115,17 @@ </para> <para> - For HTTPS support, a TLS certificate and private key is - required. They should be <link + HTTPS support requires a TLS/SSL certificate and a private key, + both <link xlink:href="https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail">PEM - formatted</link> and concatenated into a single file. The path - to this file should be configured in - <xref linkend="opt-services.keycloak.certificatePrivateKeyBundle" />. + formatted</link>. Their paths should be set through <xref + linkend="opt-services.keycloak.sslCertificate" /> and <xref + linkend="opt-services.keycloak.sslCertificateKey" />. </para> <warning> <para> - The path should be provided as a string, not a Nix path, + The paths should be provided as a strings, not a Nix paths, since Nix paths are copied into the world readable Nix store. </para> </warning> @@ -195,8 +195,9 @@ services.keycloak = { <link linkend="opt-services.keycloak.initialAdminPassword">initialAdminPassword</link> = "e6Wcm0RrtegMEHl"; # change on first login <link linkend="opt-services.keycloak.frontendUrl">frontendUrl</link> = "https://keycloak.example.com/auth"; <link linkend="opt-services.keycloak.forceBackendUrlToFrontendUrl">forceBackendUrlToFrontendUrl</link> = true; - <link linkend="opt-services.keycloak.certificatePrivateKeyBundle">certificatePrivateKeyBundle</link> = "/run/keys/ssl_cert"; - <link linkend="opt-services.keycloak.databasePasswordFile">databasePasswordFile</link> = "/run/keys/db_password"; + <link linkend="opt-services.keycloak.sslCertificate">sslCertificate</link> = "/run/keys/ssl_cert"; + <link linkend="opt-services.keycloak.sslCertificateKey">sslCertificateKey</link> = "/run/keys/ssl_key"; + <link linkend="opt-services.keycloak.database.passwordFile">database.passwordFile</link> = "/run/keys/db_password"; }; </programlisting> </para> diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix index af46f4e1927f2..5e24bd06ffdbe 100644 --- a/nixos/modules/services/web-apps/mastodon.nix +++ b/nixos/modules/services/web-apps/mastodon.nix @@ -448,10 +448,10 @@ in { join pg_namespace s on s.oid = c.relnamespace \ where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \ and s.nspname not like 'pg_temp%';" | sed -n 3p` -eq 0 ]; then - SAFETY_ASSURED=1 rake db:schema:load - rake db:seed + SAFETY_ASSURED=1 rails db:schema:load + rails db:seed else - rake db:migrate + rails db:migrate fi ''; path = [ cfg.package pkgs.postgresql ]; diff --git a/nixos/modules/services/web-apps/shiori.nix b/nixos/modules/services/web-apps/shiori.nix index 8f96dd9b5dd7a..a15bb9744a9c5 100644 --- a/nixos/modules/services/web-apps/shiori.nix +++ b/nixos/modules/services/web-apps/shiori.nix @@ -86,10 +86,7 @@ in { SystemCallErrorNumber = "EPERM"; SystemCallFilter = [ "@system-service" - - "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" - "~@module" "~@obsolete" "~@privileged" "~@raw-io" - "~@resources" "~@setuid" + "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@resources" "~@setuid" ]; }; }; diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index b2bb5055cd4c4..a7b93c9c45984 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -15,11 +15,9 @@ let apachectl = pkgs.runCommand "apachectl" { meta.priority = -1; } '' mkdir -p $out/bin cp ${pkg}/bin/apachectl $out/bin/apachectl - sed -i $out/bin/apachectl -e 's|$HTTPD -t|$HTTPD -t -f ${httpdConf}|' + sed -i $out/bin/apachectl -e 's|$HTTPD -t|$HTTPD -t -f /etc/httpd/httpd.conf|' ''; - httpdConf = cfg.configFile; - php = cfg.phpPackage.override { apacheHttpd = pkg; }; phpModuleName = let @@ -682,6 +680,8 @@ in }) (filter (hostOpts: hostOpts.useACMEHost == null) acmeEnabledVhosts); in listToAttrs acmePairs; + # httpd requires a stable path to the configuration file for reloads + environment.etc."httpd/httpd.conf".source = cfg.configFile; environment.systemPackages = [ apachectl pkg @@ -753,6 +753,7 @@ in wants = concatLists (map (certName: [ "acme-finished-${certName}.target" ]) dependentCertNames); after = [ "network.target" ] ++ map (certName: "acme-selfsigned-${certName}.service") dependentCertNames; before = map (certName: "acme-${certName}.service") dependentCertNames; + restartTriggers = [ cfg.configFile ]; path = [ pkg pkgs.coreutils pkgs.gnugrep ]; @@ -771,9 +772,9 @@ in ''; serviceConfig = { - ExecStart = "@${pkg}/bin/httpd httpd -f ${httpdConf}"; - ExecStop = "${pkg}/bin/httpd -f ${httpdConf} -k graceful-stop"; - ExecReload = "${pkg}/bin/httpd -f ${httpdConf} -k graceful"; + ExecStart = "@${pkg}/bin/httpd httpd -f /etc/httpd/httpd.conf"; + ExecStop = "${pkg}/bin/httpd -f /etc/httpd/httpd.conf -k graceful-stop"; + ExecReload = "${pkg}/bin/httpd -f /etc/httpd/httpd.conf -k graceful"; User = cfg.user; Group = cfg.group; Type = "forking"; @@ -800,6 +801,7 @@ in # certs are updated _after_ config has been reloaded. before = sslTargets; after = sslServices; + restartTriggers = [ cfg.configFile ]; # Block reloading if not all certs exist yet. # Happens when config changes add new vhosts/certs. unitConfig.ConditionPathExists = map (certName: certs.${certName}.directory + "/fullchain.pem") dependentCertNames; @@ -807,7 +809,7 @@ in Type = "oneshot"; TimeoutSec = 60; ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active httpd.service"; - ExecStartPre = "${pkg}/bin/httpd -f ${httpdConf} -t"; + ExecStartPre = "${pkg}/bin/httpd -f /etc/httpd/httpd.conf -t"; ExecStart = "/run/current-system/systemd/bin/systemctl reload httpd.service"; }; }; diff --git a/nixos/modules/services/web-servers/caddy.nix b/nixos/modules/services/web-servers/caddy.nix index 6ecfc113ca26b..955b9756406d5 100644 --- a/nixos/modules/services/web-servers/caddy.nix +++ b/nixos/modules/services/web-servers/caddy.nix @@ -63,6 +63,18 @@ in { ''; }; + user = mkOption { + default = "caddy"; + type = types.str; + description = "User account under which caddy runs."; + }; + + group = mkOption { + default = "caddy"; + type = types.str; + description = "Group account under which caddy runs."; + }; + adapter = mkOption { default = "caddyfile"; example = "nginx"; @@ -123,8 +135,8 @@ in { ExecStart = "${cfg.package}/bin/caddy run --config ${configJSON}"; ExecReload = "${cfg.package}/bin/caddy reload --config ${configJSON}"; Type = "simple"; - User = "caddy"; - Group = "caddy"; + User = cfg.user; + Group = cfg.group; Restart = "on-abnormal"; AmbientCapabilities = "cap_net_bind_service"; CapabilityBoundingSet = "cap_net_bind_service"; @@ -142,13 +154,18 @@ in { }; }; - users.users.caddy = { - group = "caddy"; - uid = config.ids.uids.caddy; - home = cfg.dataDir; - createHome = true; + users.users = optionalAttrs (cfg.user == "caddy") { + caddy = { + group = cfg.group; + uid = config.ids.uids.caddy; + home = cfg.dataDir; + createHome = true; + }; + }; + + users.groups = optionalAttrs (cfg.group == "caddy") { + caddy.gid = config.ids.gids.caddy; }; - users.groups.caddy.gid = config.ids.uids.caddy; }; } diff --git a/nixos/modules/services/web-servers/molly-brown.nix b/nixos/modules/services/web-servers/molly-brown.nix index e0587f3b47163..58db9b9beda06 100644 --- a/nixos/modules/services/web-servers/molly-brown.nix +++ b/nixos/modules/services/web-servers/molly-brown.nix @@ -41,7 +41,6 @@ in { As an example: <programlisting> - security.acme.certs."example.com".allowKeysForGroup = true; systemd.services.molly-brown.serviceConfig.SupplementaryGroups = [ config.security.acme.certs."example.com".group ]; </programlisting> diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 18e1263fef5e9..ebb3c38d6c25b 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -154,9 +154,9 @@ let ${optionalString (cfg.recommendedProxySettings) '' proxy_redirect off; - proxy_connect_timeout 60; - proxy_send_timeout 60; - proxy_read_timeout 60; + proxy_connect_timeout ${cfg.proxyTimeout}; + proxy_send_timeout ${cfg.proxyTimeout}; + proxy_read_timeout ${cfg.proxyTimeout}; proxy_http_version 1.1; include ${recommendedProxyConfig}; ''} @@ -230,13 +230,13 @@ let defaultListen = if vhost.listen != [] then vhost.listen - else ((optionals hasSSL ( - singleton { addr = "0.0.0.0"; port = 443; ssl = true; } - ++ optional enableIPv6 { addr = "[::]"; port = 443; ssl = true; } - )) ++ optionals (!onlySSL) ( - singleton { addr = "0.0.0.0"; port = 80; ssl = false; } - ++ optional enableIPv6 { addr = "[::]"; port = 80; ssl = false; } - )); + else optionals (hasSSL || vhost.rejectSSL) ( + singleton { addr = "0.0.0.0"; port = 443; ssl = true; } + ++ optional enableIPv6 { addr = "[::]"; port = 443; ssl = true; } + ) ++ optionals (!onlySSL) ( + singleton { addr = "0.0.0.0"; port = 80; ssl = false; } + ++ optional enableIPv6 { addr = "[::]"; port = 80; ssl = false; } + ); hostListen = if vhost.forceSSL @@ -303,6 +303,9 @@ let ${optionalString (hasSSL && vhost.sslTrustedCertificate != null) '' ssl_trusted_certificate ${vhost.sslTrustedCertificate}; ''} + ${optionalString vhost.rejectSSL '' + ssl_reject_handshake on; + ''} ${mkBasicAuth vhostName vhost} @@ -401,6 +404,15 @@ in "; }; + proxyTimeout = mkOption { + type = types.str; + default = "60s"; + example = "20s"; + description = " + Change the proxy related timeouts in recommendedProxySettings. + "; + }; + package = mkOption { default = pkgs.nginxStable; defaultText = "pkgs.nginxStable"; @@ -762,20 +774,27 @@ in } { - assertion = all (conf: with conf; - !(addSSL && (onlySSL || enableSSL)) && - !(forceSSL && (onlySSL || enableSSL)) && - !(addSSL && forceSSL) + assertion = all (host: with host; + count id [ addSSL (onlySSL || enableSSL) forceSSL rejectSSL ] <= 1 ) (attrValues virtualHosts); message = '' Options services.nginx.service.virtualHosts.<name>.addSSL, - services.nginx.virtualHosts.<name>.onlySSL and services.nginx.virtualHosts.<name>.forceSSL - are mutually exclusive. + services.nginx.virtualHosts.<name>.onlySSL, + services.nginx.virtualHosts.<name>.forceSSL and + services.nginx.virtualHosts.<name>.rejectSSL are mutually exclusive. + ''; + } + + { + assertion = any (host: host.rejectSSL) (attrValues virtualHosts) -> versionAtLeast cfg.package.version "1.19.4"; + message = '' + services.nginx.virtualHosts.<name>.rejectSSL requires nginx version + 1.19.4 or above; see the documentation for services.nginx.package. ''; } { - assertion = all (conf: !(conf.enableACME && conf.useACMEHost != null)) (attrValues virtualHosts); + assertion = all (host: !(host.enableACME && host.useACMEHost != null)) (attrValues virtualHosts); message = '' Options services.nginx.service.virtualHosts.<name>.enableACME and services.nginx.virtualHosts.<name>.useACMEHost are mutually exclusive. @@ -819,28 +838,38 @@ in # Logs directory and mode LogsDirectory = "nginx"; LogsDirectoryMode = "0750"; + # Proc filesystem + ProcSubset = "pid"; + ProtectProc = "invisible"; + # New file permissions + UMask = "0027"; # 0640 / 0750 # Capabilities AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; # Security NoNewPrivileges = true; - # Sandboxing + # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html) ProtectSystem = "strict"; ProtectHome = mkDefault true; PrivateTmp = true; PrivateDevices = true; ProtectHostname = true; + ProtectClock = true; ProtectKernelTunables = true; ProtectKernelModules = true; + ProtectKernelLogs = true; ProtectControlGroups = true; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; LockPersonality = true; MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules); RestrictRealtime = true; RestrictSUIDSGID = true; + RemoveIPC = true; PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; + SystemCallFilter = "~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid"; }; }; @@ -848,8 +877,9 @@ in source = configFile; }; - # postRun hooks on cert renew can't be used to restart Nginx since renewal - # runs as the unprivileged acme user. sslTargets are added to wantedBy + before + # This service waits for all certificates to be available + # before reloading nginx configuration. + # sslTargets are added to wantedBy + before # which allows the acme-finished-$cert.target to signify the successful updating # of certs end-to-end. systemd.services.nginx-config-reload = let diff --git a/nixos/modules/services/web-servers/nginx/gitweb.nix b/nixos/modules/services/web-servers/nginx/gitweb.nix index f7fb07bb79755..11bf2a309ea81 100644 --- a/nixos/modules/services/web-servers/nginx/gitweb.nix +++ b/nixos/modules/services/web-servers/nginx/gitweb.nix @@ -89,6 +89,6 @@ in }; - meta.maintainers = with maintainers; [ gnidorah ]; + meta.maintainers = with maintainers; [ ]; } diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index 1f5fe6a368c1e..1c7d402447974 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -118,6 +118,18 @@ with lib; ''; }; + rejectSSL = mkOption { + type = types.bool; + default = false; + description = '' + Whether to listen for and reject all HTTPS connections to this vhost. Useful in + <link linkend="opt-services.nginx.virtualHosts._name_.default">default</link> + server blocks to avoid serving the certificate for another vhost. Uses the + <literal>ssl_reject_handshake</literal> directive available in nginx versions + 1.19.4 and above. + ''; + }; + sslCertificate = mkOption { type = types.path; example = "/var/host.cert"; diff --git a/nixos/modules/services/web-servers/trafficserver.nix b/nixos/modules/services/web-servers/trafficserver.nix new file mode 100644 index 0000000000000..db0e2ac0bd05a --- /dev/null +++ b/nixos/modules/services/web-servers/trafficserver.nix @@ -0,0 +1,318 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.trafficserver; + user = config.users.users.trafficserver.name; + group = config.users.groups.trafficserver.name; + + getManualUrl = name: "https://docs.trafficserver.apache.org/en/latest/admin-guide/files/${name}.en.html"; + getConfPath = name: "${pkgs.trafficserver}/etc/trafficserver/${name}"; + + yaml = pkgs.formats.yaml { }; + + fromYAML = f: + let + jsonFile = pkgs.runCommand "in.json" + { + nativeBuildInputs = [ pkgs.remarshal ]; + } '' + yaml2json < "${f}" > "$out" + ''; + in + builtins.fromJSON (builtins.readFile jsonFile); + + mkYamlConf = name: cfg: + if cfg != null then { + "trafficserver/${name}.yaml".source = yaml.generate "${name}.yaml" cfg; + } else { + "trafficserver/${name}.yaml".text = ""; + }; + + mkRecordLines = path: value: + if isAttrs value then + lib.mapAttrsToList (n: v: mkRecordLines (path ++ [ n ]) v) value + else if isInt value then + "CONFIG ${concatStringsSep "." path} INT ${toString value}" + else if isFloat value then + "CONFIG ${concatStringsSep "." path} FLOAT ${toString value}" + else + "CONFIG ${concatStringsSep "." path} STRING ${toString value}"; + + mkRecordsConfig = cfg: concatStringsSep "\n" (flatten (mkRecordLines [ ] cfg)); + mkPluginConfig = cfg: concatStringsSep "\n" (map (p: "${p.path} ${p.arg}") cfg); +in +{ + options.services.trafficserver = { + enable = mkEnableOption "Apache Traffic Server"; + + cache = mkOption { + type = types.lines; + default = ""; + example = "dest_domain=example.com suffix=js action=never-cache"; + description = '' + Caching rules that overrule the origin's caching policy. + + Consult the <link xlink:href="${getManualUrl "cache.config"}">upstream + documentation</link> for more details. + ''; + }; + + hosting = mkOption { + type = types.lines; + default = ""; + example = "domain=example.com volume=1"; + description = '' + Partition the cache according to origin server or domain + + Consult the <link xlink:href="${getManualUrl "hosting.config"}"> + upstream documentation</link> for more details. + ''; + }; + + ipAllow = mkOption { + type = types.nullOr yaml.type; + default = fromYAML (getConfPath "ip_allow.yaml"); + defaultText = "upstream defaults"; + example = literalExample { + ip_allow = [{ + apply = "in"; + ip_addrs = "127.0.0.1"; + action = "allow"; + methods = "ALL"; + }]; + }; + description = '' + Control client access to Traffic Server and Traffic Server connections + to upstream servers. + + Consult the <link xlink:href="${getManualUrl "ip_allow.yaml"}">upstream + documentation</link> for more details. + ''; + }; + + logging = mkOption { + type = types.nullOr yaml.type; + default = fromYAML (getConfPath "logging.yaml"); + defaultText = "upstream defaults"; + example = literalExample { }; + description = '' + Configure logs. + + Consult the <link xlink:href="${getManualUrl "logging.yaml"}">upstream + documentation</link> for more details. + ''; + }; + + parent = mkOption { + type = types.lines; + default = ""; + example = '' + dest_domain=. method=get parent="p1.example:8080; p2.example:8080" round_robin=true + ''; + description = '' + Identify the parent proxies used in an cache hierarchy. + + Consult the <link xlink:href="${getManualUrl "parent.config"}">upstream + documentation</link> for more details. + ''; + }; + + plugins = mkOption { + default = [ ]; + + description = '' + Controls run-time loadable plugins available to Traffic Server, as + well as their configuration. + + Consult the <link xlink:href="${getManualUrl "plugin.config"}">upstream + documentation</link> for more details. + ''; + + type = with types; + listOf (submodule { + options.path = mkOption { + type = str; + example = "xdebug.so"; + description = '' + Path to plugin. The path can either be absolute, or relative to + the plugin directory. + ''; + }; + options.arg = mkOption { + type = str; + default = ""; + example = "--header=ATS-My-Debug"; + description = "arguments to pass to the plugin"; + }; + }); + }; + + records = mkOption { + type = with types; + let valueType = (attrsOf (oneOf [ int float str valueType ])) // { + description = "Traffic Server records value"; + }; + in + valueType; + default = { }; + example = literalExample { proxy.config.proxy_name = "my_server"; }; + description = '' + List of configurable variables used by Traffic Server. + + Consult the <link xlink:href="${getManualUrl "records.config"}"> + upstream documentation</link> for more details. + ''; + }; + + remap = mkOption { + type = types.lines; + default = ""; + example = "map http://from.example http://origin.example"; + description = '' + URL remapping rules used by Traffic Server. + + Consult the <link xlink:href="${getManualUrl "remap.config"}"> + upstream documentation</link> for more details. + ''; + }; + + splitDns = mkOption { + type = types.lines; + default = ""; + example = '' + dest_domain=internal.corp.example named="255.255.255.255:212 255.255.255.254" def_domain=corp.example search_list="corp.example corp1.example" + dest_domain=!internal.corp.example named=255.255.255.253 + ''; + description = '' + Specify the DNS server that Traffic Server should use under specific + conditions. + + Consult the <link xlink:href="${getManualUrl "splitdns.config"}"> + upstream documentation</link> for more details. + ''; + }; + + sslMulticert = mkOption { + type = types.lines; + default = ""; + example = "dest_ip=* ssl_cert_name=default.pem"; + description = '' + Configure SSL server certificates to terminate the SSL sessions. + + Consult the <link xlink:href="${getManualUrl "ssl_multicert.config"}"> + upstream documentation</link> for more details. + ''; + }; + + sni = mkOption { + type = types.nullOr yaml.type; + default = null; + example = literalExample { + sni = [{ + fqdn = "no-http2.example.com"; + https = "off"; + }]; + }; + description = '' + Configure aspects of TLS connection handling for both inbound and + outbound connections. + + Consult the <link xlink:href="${getManualUrl "sni.yaml"}">upstream + documentation</link> for more details. + ''; + }; + + storage = mkOption { + type = types.lines; + default = "/var/cache/trafficserver 256M"; + example = "/dev/disk/by-id/XXXXX volume=1"; + description = '' + List all the storage that make up the Traffic Server cache. + + Consult the <link xlink:href="${getManualUrl "storage.config"}"> + upstream documentation</link> for more details. + ''; + }; + + strategies = mkOption { + type = types.nullOr yaml.type; + default = null; + description = '' + Specify the next hop proxies used in an cache hierarchy and the + algorithms used to select the next proxy. + + Consult the <link xlink:href="${getManualUrl "strategies.yaml"}"> + upstream documentation</link> for more details. + ''; + }; + + volume = mkOption { + type = types.nullOr yaml.type; + default = ""; + example = "volume=1 scheme=http size=20%"; + description = '' + Manage cache space more efficiently and restrict disk usage by + creating cache volumes of different sizes. + + Consult the <link xlink:href="${getManualUrl "volume.config"}"> + upstream documentation</link> for more details. + ''; + }; + }; + + config = mkIf cfg.enable { + environment.etc = { + "trafficserver/cache.config".text = cfg.cache; + "trafficserver/hosting.config".text = cfg.hosting; + "trafficserver/parent.config".text = cfg.parent; + "trafficserver/plugin.config".text = mkPluginConfig cfg.plugins; + "trafficserver/records.config".text = mkRecordsConfig cfg.records; + "trafficserver/remap.config".text = cfg.remap; + "trafficserver/splitdns.config".text = cfg.splitDns; + "trafficserver/ssl_multicert.config".text = cfg.sslMulticert; + "trafficserver/storage.config".text = cfg.storage; + "trafficserver/volume.config".text = cfg.volume; + } // (mkYamlConf "ip_allow" cfg.ipAllow) + // (mkYamlConf "logging" cfg.logging) + // (mkYamlConf "sni" cfg.sni) + // (mkYamlConf "strategies" cfg.strategies); + + environment.systemPackages = [ pkgs.trafficserver ]; + systemd.packages = [ pkgs.trafficserver ]; + + # Traffic Server does privilege handling independently of systemd, and + # therefore should be started as root + systemd.services.trafficserver = { + enable = true; + wantedBy = [ "multi-user.target" ]; + }; + + # These directories can't be created by systemd because: + # + # 1. Traffic Servers starts as root and switches to an unprivileged user + # afterwards. The runtime directories defined below are assumed to be + # owned by that user. + # 2. The bin/trafficserver script assumes these directories exist. + systemd.tmpfiles.rules = [ + "d '/run/trafficserver' - ${user} ${group} - -" + "d '/var/cache/trafficserver' - ${user} ${group} - -" + "d '/var/lib/trafficserver' - ${user} ${group} - -" + "d '/var/log/trafficserver' - ${user} ${group} - -" + ]; + + services.trafficserver = { + records.proxy.config.admin.user_id = user; + records.proxy.config.body_factory.template_sets_dir = + "${pkgs.trafficserver}/etc/trafficserver/body_factory"; + }; + + users.users.trafficserver = { + description = "Apache Traffic Server"; + isSystemUser = true; + inherit group; + }; + users.groups.trafficserver = { }; + }; +} diff --git a/nixos/modules/services/x11/desktop-managers/cde.nix b/nixos/modules/services/x11/desktop-managers/cde.nix index 2d9504fb5f1ef..3f1575a0ca637 100644 --- a/nixos/modules/services/x11/desktop-managers/cde.nix +++ b/nixos/modules/services/x11/desktop-managers/cde.nix @@ -68,5 +68,5 @@ in { }]; }; - meta.maintainers = [ maintainers.gnidorah ]; + meta.maintainers = [ ]; } diff --git a/nixos/modules/services/x11/desktop-managers/cinnamon.nix b/nixos/modules/services/x11/desktop-managers/cinnamon.nix index 14dcf009a7d13..101c64c7b3edf 100644 --- a/nixos/modules/services/x11/desktop-managers/cinnamon.nix +++ b/nixos/modules/services/x11/desktop-managers/cinnamon.nix @@ -26,7 +26,7 @@ in sessionPath = mkOption { default = []; type = types.listOf types.package; - example = literalExample "[ pkgs.gnome3.gpaste ]"; + example = literalExample "[ pkgs.gnome.gpaste ]"; description = '' Additional list of packages to be added to the session search path. Useful for GSettings-conditional autostart. @@ -94,8 +94,8 @@ in xapps ]; services.cinnamon.apps.enable = mkDefault true; - services.gnome3.glib-networking.enable = true; - services.gnome3.gnome-keyring.enable = true; + services.gnome.glib-networking.enable = true; + services.gnome.gnome-keyring.enable = true; services.gvfs.enable = true; services.udisks2.enable = true; services.upower.enable = mkDefault config.powerManagement.enable; @@ -110,7 +110,7 @@ in programs.dconf.enable = true; # Enable org.a11y.Bus - services.gnome3.at-spi2-core.enable = true; + services.gnome.at-spi2-core.enable = true; # Fix lockscreen security.pam.services = { @@ -128,6 +128,7 @@ in cinnamon-session cinnamon-desktop cinnamon-menus + cinnamon-translations # utils needed by some scripts killall @@ -135,19 +136,22 @@ in # session requirements cinnamon-screensaver # cinnamon-killer-daemon: provided by cinnamon-common - gnome3.networkmanagerapplet # session requirement - also nm-applet not needed + gnome.networkmanagerapplet # session requirement - also nm-applet not needed + + # For a polkit authentication agent + polkit_gnome # packages nemo cinnamon-control-center cinnamon-settings-daemon - gnome3.libgnomekbd + gnome.libgnomekbd orca # theme - gnome3.adwaita-icon-theme + gnome.adwaita-icon-theme hicolor-icon-theme - gnome3.gnome-themes-extra + gnome.gnome-themes-extra gtk3.out mint-artwork mint-themes @@ -192,7 +196,7 @@ in programs.evince.enable = mkDefault true; programs.file-roller.enable = mkDefault true; - environment.systemPackages = (with pkgs // pkgs.gnome3 // pkgs.cinnamon; pkgs.gnome3.removePackagesByName [ + environment.systemPackages = (with pkgs // pkgs.gnome // pkgs.cinnamon; pkgs.gnome.removePackagesByName [ # cinnamon team apps blueberry warpinator diff --git a/nixos/modules/services/x11/desktop-managers/default.nix b/nixos/modules/services/x11/desktop-managers/default.nix index f5559eb535419..6ee5b0fc54f7b 100644 --- a/nixos/modules/services/x11/desktop-managers/default.nix +++ b/nixos/modules/services/x11/desktop-managers/default.nix @@ -19,7 +19,7 @@ in # E.g., if Plasma 5 is enabled, it supersedes xterm. imports = [ ./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix - ./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix + ./lxqt.nix ./enlightenment.nix ./gnome.nix ./kodi.nix ./mate.nix ./pantheon.nix ./surf-display.nix ./cde.nix ./cinnamon.nix ]; diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome.nix index 99e6edfba26e2..bacada9cbe74c 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome.nix @@ -4,8 +4,8 @@ with lib; let - cfg = config.services.xserver.desktopManager.gnome3; - serviceCfg = config.services.gnome3; + cfg = config.services.xserver.desktopManager.gnome; + serviceCfg = config.services.gnome; # Prioritize nautilus by default when opening directories mimeAppsList = pkgs.writeTextFile { @@ -23,7 +23,7 @@ let ''; nixos-gsettings-desktop-schemas = let - defaultPackages = with pkgs; [ gsettings-desktop-schemas gnome3.gnome-shell ]; + defaultPackages = with pkgs; [ gsettings-desktop-schemas gnome.gnome-shell ]; in pkgs.runCommand "nixos-gsettings-desktop-schemas" { preferLocalBuild = true; } '' @@ -33,10 +33,10 @@ let (pkg: "cp -rf ${pkg}/share/gsettings-schemas/*/glib-2.0/schemas/*.xml $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas\n") (defaultPackages ++ cfg.extraGSettingsOverridePackages)} - cp -f ${pkgs.gnome3.gnome-shell}/share/gsettings-schemas/*/glib-2.0/schemas/*.gschema.override $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas + cp -f ${pkgs.gnome.gnome-shell}/share/gsettings-schemas/*/glib-2.0/schemas/*.gschema.override $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas ${optionalString flashbackEnabled '' - cp -f ${pkgs.gnome3.gnome-flashback}/share/gsettings-schemas/*/glib-2.0/schemas/*.gschema.override $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas + cp -f ${pkgs.gnome.gnome-flashback}/share/gsettings-schemas/*/glib-2.0/schemas/*.gschema.override $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas ''} chmod -R a+w $out/share/gsettings-schemas/nixos-gsettings-overrides @@ -57,19 +57,80 @@ let flashbackEnabled = cfg.flashback.enableMetacity || length cfg.flashback.customSessions > 0; - notExcluded = pkg: mkDefault (!(lib.elem pkg config.environment.gnome3.excludePackages)); + notExcluded = pkg: mkDefault (!(lib.elem pkg config.environment.gnome.excludePackages)); in { meta = { + doc = ./gnome.xml; maintainers = teams.gnome.members; }; + imports = [ + # Added 2021-05-07 + (mkRenamedOptionModule + [ "services" "gnome3" "core-os-services" "enable" ] + [ "services" "gnome" "core-os-services" "enable" ] + ) + (mkRenamedOptionModule + [ "services" "gnome3" "core-shell" "enable" ] + [ "services" "gnome" "core-shell" "enable" ] + ) + (mkRenamedOptionModule + [ "services" "gnome3" "core-utilities" "enable" ] + [ "services" "gnome" "core-utilities" "enable" ] + ) + (mkRenamedOptionModule + [ "services" "gnome3" "core-developer-tools" "enable" ] + [ "services" "gnome" "core-developer-tools" "enable" ] + ) + (mkRenamedOptionModule + [ "services" "gnome3" "games" "enable" ] + [ "services" "gnome" "games" "enable" ] + ) + (mkRenamedOptionModule + [ "services" "gnome3" "experimental-features" "realtime-scheduling" ] + [ "services" "gnome" "experimental-features" "realtime-scheduling" ] + ) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "gnome3" "enable" ] + [ "services" "xserver" "desktopManager" "gnome" "enable" ] + ) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "gnome3" "sessionPath" ] + [ "services" "xserver" "desktopManager" "gnome" "sessionPath" ] + ) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "gnome3" "favoriteAppsOverride" ] + [ "services" "xserver" "desktopManager" "gnome" "favoriteAppsOverride" ] + ) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "gnome3" "extraGSettingsOverrides" ] + [ "services" "xserver" "desktopManager" "gnome" "extraGSettingsOverrides" ] + ) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "gnome3" "extraGSettingsOverridePackages" ] + [ "services" "xserver" "desktopManager" "gnome" "extraGSettingsOverridePackages" ] + ) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "gnome3" "debug" ] + [ "services" "xserver" "desktopManager" "gnome" "debug" ] + ) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "gnome3" "flashback" ] + [ "services" "xserver" "desktopManager" "gnome" "flashback" ] + ) + (mkRenamedOptionModule + [ "environment" "gnome3" "excludePackages" ] + [ "environment" "gnome" "excludePackages" ] + ) + ]; + options = { - services.gnome3 = { + services.gnome = { core-os-services.enable = mkEnableOption "essential services for GNOME3"; core-shell.enable = mkEnableOption "GNOME Shell services"; core-utilities.enable = mkEnableOption "GNOME core utilities"; @@ -109,7 +170,7 @@ in }; }; - services.xserver.desktopManager.gnome3 = { + services.xserver.desktopManager.gnome = { enable = mkOption { type = types.bool; default = false; @@ -119,14 +180,14 @@ in sessionPath = mkOption { default = []; type = types.listOf types.package; - example = literalExample "[ pkgs.gnome3.gpaste ]"; + example = literalExample "[ pkgs.gnome.gpaste ]"; description = '' Additional list of packages to be added to the session search path. Useful for GNOME Shell extensions or GSettings-conditional autostart. Note that this should be a last resort; patching the package is preferred (see GPaste). ''; - apply = list: list ++ [ pkgs.gnome3.gnome-shell pkgs.gnome3.gnome-shell-extensions ]; + apply = list: list ++ [ pkgs.gnome.gnome-shell pkgs.gnome.gnome-shell-extensions ]; }; favoriteAppsOverride = mkOption { @@ -185,9 +246,9 @@ in }; }; - environment.gnome3.excludePackages = mkOption { + environment.gnome.excludePackages = mkOption { default = []; - example = literalExample "[ pkgs.gnome3.totem ]"; + example = literalExample "[ pkgs.gnome.totem ]"; type = types.listOf types.package; description = "Which packages gnome should exclude from the default environment"; }; @@ -200,14 +261,14 @@ in system.nixos-generate-config.desktopConfiguration = ['' # Enable the GNOME 3 Desktop Environment. services.xserver.displayManager.gdm.enable = true; - services.xserver.desktopManager.gnome3.enable = true; + services.xserver.desktopManager.gnome.enable = true; '']; - services.gnome3.core-os-services.enable = true; - services.gnome3.core-shell.enable = true; - services.gnome3.core-utilities.enable = mkDefault true; + services.gnome.core-os-services.enable = true; + services.gnome.core-shell.enable = true; + services.gnome.core-utilities.enable = mkDefault true; - services.xserver.displayManager.sessionPackages = [ pkgs.gnome3.gnome-session.sessions ]; + services.xserver.displayManager.sessionPackages = [ pkgs.gnome.gnome-session.sessions ]; environment.extraInit = '' ${concatMapStrings (p: '' @@ -229,30 +290,25 @@ in # Override GSettings schemas environment.sessionVariables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-desktop-schemas}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas"; - # If gnome3 is installed, build vim for gtk3 too. + # If gnome is installed, build vim for gtk3 too. nixpkgs.config.vim.gui = "gtk3"; - - # Install gnome-software if flatpak is enabled - services.flatpak.guiPackages = [ - pkgs.gnome3.gnome-software - ]; }) (mkIf flashbackEnabled { services.xserver.displayManager.sessionPackages = map - (wm: pkgs.gnome3.gnome-flashback.mkSessionForWm { + (wm: pkgs.gnome.gnome-flashback.mkSessionForWm { inherit (wm) wmName wmLabel wmCommand; }) (optional cfg.flashback.enableMetacity { wmName = "metacity"; wmLabel = "Metacity"; - wmCommand = "${pkgs.gnome3.metacity}/bin/metacity"; + wmCommand = "${pkgs.gnome.metacity}/bin/metacity"; } ++ cfg.flashback.customSessions); security.pam.services.gnome-flashback = { enableGnomeKeyring = true; }; - systemd.packages = with pkgs.gnome3; [ + systemd.packages = with pkgs.gnome; [ gnome-flashback ] ++ (map (wm: gnome-flashback.mkSystemdTargetForWm { @@ -260,9 +316,9 @@ in }) cfg.flashback.customSessions); # gnome-panel needs these for menu applet - environment.sessionVariables.XDG_DATA_DIRS = [ "${pkgs.gnome3.gnome-flashback}/share" ]; + environment.sessionVariables.XDG_DATA_DIRS = [ "${pkgs.gnome.gnome-flashback}/share" ]; # TODO: switch to sessionVariables (resolve conflict) - environment.variables.XDG_CONFIG_DIRS = [ "${pkgs.gnome3.gnome-flashback}/etc/xdg" ]; + environment.variables.XDG_CONFIG_DIRS = [ "${pkgs.gnome.gnome-flashback}/etc/xdg" ]; }) (mkIf serviceCfg.core-os-services.enable { @@ -273,13 +329,14 @@ in services.accounts-daemon.enable = true; services.dleyna-renderer.enable = mkDefault true; services.dleyna-server.enable = mkDefault true; - services.gnome3.at-spi2-core.enable = true; - services.gnome3.evolution-data-server.enable = true; - services.gnome3.gnome-keyring.enable = true; - services.gnome3.gnome-online-accounts.enable = mkDefault true; - services.gnome3.gnome-online-miners.enable = true; - services.gnome3.tracker-miners.enable = mkDefault true; - services.gnome3.tracker.enable = mkDefault true; + services.power-profiles-daemon.enable = mkDefault true; + services.gnome.at-spi2-core.enable = true; + services.gnome.evolution-data-server.enable = true; + services.gnome.gnome-keyring.enable = true; + services.gnome.gnome-online-accounts.enable = mkDefault true; + services.gnome.gnome-online-miners.enable = true; + services.gnome.tracker-miners.enable = mkDefault true; + services.gnome.tracker.enable = mkDefault true; services.hardware.bolt.enable = mkDefault true; services.packagekit.enable = mkDefault true; services.udisks2.enable = true; @@ -307,23 +364,23 @@ in (mkIf serviceCfg.core-shell.enable { services.colord.enable = mkDefault true; - services.gnome3.chrome-gnome-shell.enable = mkDefault true; - services.gnome3.glib-networking.enable = true; - services.gnome3.gnome-initial-setup.enable = mkDefault true; - services.gnome3.gnome-remote-desktop.enable = mkDefault true; - services.gnome3.gnome-settings-daemon.enable = true; - services.gnome3.gnome-user-share.enable = mkDefault true; - services.gnome3.rygel.enable = mkDefault true; + services.gnome.chrome-gnome-shell.enable = mkDefault true; + services.gnome.glib-networking.enable = true; + services.gnome.gnome-initial-setup.enable = mkDefault true; + services.gnome.gnome-remote-desktop.enable = mkDefault true; + services.gnome.gnome-settings-daemon.enable = true; + services.gnome.gnome-user-share.enable = mkDefault true; + services.gnome.rygel.enable = mkDefault true; services.gvfs.enable = true; services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); services.telepathy.enable = mkDefault true; - systemd.packages = with pkgs.gnome3; [ + systemd.packages = with pkgs.gnome; [ gnome-session gnome-shell ]; - services.udev.packages = with pkgs.gnome3; [ + services.udev.packages = with pkgs.gnome; [ # Force enable KMS modifiers for devices that require them. # https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1443 mutter @@ -332,7 +389,7 @@ in services.avahi.enable = mkDefault true; xdg.portal.extraPortals = [ - pkgs.gnome3.gnome-shell + pkgs.gnome.gnome-shell ]; services.geoclue2.enable = mkDefault true; @@ -359,16 +416,16 @@ in ]; # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-38/elements/core/meta-gnome-core-shell.bst - environment.systemPackages = with pkgs.gnome3; [ + environment.systemPackages = with pkgs.gnome; [ adwaita-icon-theme gnome-backgrounds gnome-bluetooth gnome-color-manager gnome-control-center - gnome-getting-started-docs gnome-shell gnome-shell-extensions gnome-themes-extra + pkgs.gnome-tour # GNOME Shell detects the .desktop file on first log-in. pkgs.nixos-artwork.wallpapers.simple-dark-gray pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom pkgs.gnome-user-docs @@ -385,12 +442,12 @@ in # Enable soft realtime scheduling, only supported on wayland (mkIf serviceCfg.experimental-features.realtime-scheduling { security.wrappers.".gnome-shell-wrapped" = { - source = "${pkgs.gnome3.gnome-shell}/bin/.gnome-shell-wrapped"; + source = "${pkgs.gnome.gnome-shell}/bin/.gnome-shell-wrapped"; capabilities = "cap_sys_nice=ep"; }; systemd.user.services.gnome-shell-wayland = let - gnomeShellRT = with pkgs.gnome3; pkgs.runCommand "gnome-shell-rt" {} '' + gnomeShellRT = with pkgs.gnome; pkgs.runCommand "gnome-shell-rt" {} '' mkdir -p $out/bin/ cp ${gnome-shell}/bin/gnome-shell $out/bin sed -i "s@${gnome-shell}/bin/@${config.security.wrapperDir}/@" $out/bin/gnome-shell @@ -405,43 +462,51 @@ in # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-38/elements/core/meta-gnome-core-utilities.bst (mkIf serviceCfg.core-utilities.enable { - environment.systemPackages = (with pkgs.gnome3; removePackagesByName [ - baobab - cheese - eog - epiphany - gedit - gnome-calculator - gnome-calendar - gnome-characters - gnome-clocks - gnome-contacts - gnome-font-viewer - gnome-logs - gnome-maps - gnome-music - pkgs.gnome-photos - gnome-screenshot - gnome-system-monitor - gnome-weather - nautilus - pkgs.gnome-connections - simple-scan - totem - yelp - ] config.environment.gnome3.excludePackages); + environment.systemPackages = + with pkgs.gnome; + removePackagesByName + ([ + baobab + cheese + eog + epiphany + gedit + gnome-calculator + gnome-calendar + gnome-characters + gnome-clocks + gnome-contacts + gnome-font-viewer + gnome-logs + gnome-maps + gnome-music + pkgs.gnome-photos + gnome-screenshot + gnome-system-monitor + gnome-weather + nautilus + pkgs.gnome-connections + simple-scan + totem + yelp + ] ++ lib.optionals config.services.flatpak.enable [ + # Since PackageKit Nix support is not there yet, + # only install gnome-software if flatpak is enabled. + gnome-software + ]) + config.environment.gnome.excludePackages; # Enable default program modules # Since some of these have a corresponding package, we only # enable that program module if the package hasn't been excluded - # through `environment.gnome3.excludePackages` - programs.evince.enable = notExcluded pkgs.gnome3.evince; - programs.file-roller.enable = notExcluded pkgs.gnome3.file-roller; - programs.geary.enable = notExcluded pkgs.gnome3.geary; - programs.gnome-disks.enable = notExcluded pkgs.gnome3.gnome-disk-utility; - programs.gnome-terminal.enable = notExcluded pkgs.gnome3.gnome-terminal; - programs.seahorse.enable = notExcluded pkgs.gnome3.seahorse; - services.gnome3.sushi.enable = notExcluded pkgs.gnome3.sushi; + # through `environment.gnome.excludePackages` + programs.evince.enable = notExcluded pkgs.gnome.evince; + programs.file-roller.enable = notExcluded pkgs.gnome.file-roller; + programs.geary.enable = notExcluded pkgs.gnome.geary; + programs.gnome-disks.enable = notExcluded pkgs.gnome.gnome-disk-utility; + programs.gnome-terminal.enable = notExcluded pkgs.gnome.gnome-terminal; + programs.seahorse.enable = notExcluded pkgs.gnome.seahorse; + services.gnome.sushi.enable = notExcluded pkgs.gnome.sushi; # Let nautilus find extensions # TODO: Create nautilus-with-extensions package @@ -456,7 +521,7 @@ in }) (mkIf serviceCfg.games.enable { - environment.systemPackages = (with pkgs.gnome3; removePackagesByName [ + environment.systemPackages = (with pkgs.gnome; removePackagesByName [ aisleriot atomix five-or-more @@ -476,12 +541,12 @@ in quadrapassel swell-foop tali - ] config.environment.gnome3.excludePackages); + ] config.environment.gnome.excludePackages); }) # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/-/blob/3.38.0/elements/core/meta-gnome-core-developer-tools.bst (mkIf serviceCfg.core-developer-tools.enable { - environment.systemPackages = (with pkgs.gnome3; removePackagesByName [ + environment.systemPackages = (with pkgs.gnome; removePackagesByName [ dconf-editor devhelp pkgs.gnome-builder @@ -490,9 +555,9 @@ in # in default configurations. # https://github.com/NixOS/nixpkgs/issues/60908 /* gnome-boxes */ - ] config.environment.gnome3.excludePackages); + ] config.environment.gnome.excludePackages); - services.sysprof.enable = true; + services.sysprof.enable = notExcluded pkgs.sysprof; }) ]; diff --git a/nixos/modules/services/x11/desktop-managers/gnome.xml b/nixos/modules/services/x11/desktop-managers/gnome.xml new file mode 100644 index 0000000000000..624d5c894e74c --- /dev/null +++ b/nixos/modules/services/x11/desktop-managers/gnome.xml @@ -0,0 +1,276 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xml:id="chap-gnome"> + <title>GNOME Desktop</title> + <para> + GNOME provides a simple, yet full-featured desktop environment with a focus on productivity. Its Mutter compositor supports both Wayland and X server, and the GNOME Shell user interface is fully customizable by extensions. + </para> + + <section xml:id="sec-gnome-enable"> + <title>Enabling GNOME</title> + + <para> + All of the core apps, optional apps, games, and core developer tools from GNOME are available. + </para> + + <para> + To enable the GNOME desktop use: + </para> + +<programlisting> +<xref linkend="opt-services.xserver.desktopManager.gnome.enable"/> = true; +<xref linkend="opt-services.xserver.displayManager.gdm.enable"/> = true; +</programlisting> + + <note> + <para> + While it is not strictly necessary to use GDM as the display manager with GNOME, it is recommended, as some features such as screen lock <link xlink:href="#sec-gnome-faq-can-i-use-lightdm-with-gnome">might not work</link> without it. + </para> + </note> + + <para> + The default applications used in NixOS are very minimal, inspired by the defaults used in <link xlink:href="https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/40.0/elements/core/meta-gnome-core-utilities.bst">gnome-build-meta</link>. + </para> + + <section xml:id="sec-gnome-without-the-apps"> + <title>GNOME without the apps</title> + + <para> + If you’d like to only use the GNOME desktop and not the apps, you can disable them with: + </para> + +<programlisting> +<xref linkend="opt-services.gnome.core-utilities.enable"/> = false; +</programlisting> + + <para> + and none of them will be installed. + </para> + + <para> + If you’d only like to omit a subset of the core utilities, you can use <xref linkend="opt-environment.gnome.excludePackages"/>. + Note that this mechanism can only exclude core utilities, games and core developer tools. + </para> + </section> + + <section xml:id="sec-gnome-disabling-services"> + <title>Disabling GNOME services</title> + + <para> + It is also possible to disable many of the <link xlink:href="https://github.com/NixOS/nixpkgs/blob/b8ec4fd2a4edc4e30d02ba7b1a2cc1358f3db1d5/nixos/modules/services/x11/desktop-managers/gnome.nix#L329-L348">core services</link>. For example, if you do not need indexing files, you can disable Tracker with: + </para> + +<programlisting> +<xref linkend="opt-services.gnome.tracker-miners.enable"/> = false; +<xref linkend="opt-services.gnome.tracker.enable"/> = false; +</programlisting> + + <para> + Note, however, that doing so is not supported and might break some applications. Notably, GNOME Music cannot work without Tracker. + </para> + </section> + + <section xml:id="sec-gnome-games"> + <title>GNOME games</title> + + <para> + You can install all of the GNOME games with: + </para> + +<programlisting> +<xref linkend="opt-services.gnome.games.enable"/> = true; +</programlisting> + </section> + + <section xml:id="sec-gnome-core-developer-tools"> + <title>GNOME core developer tools</title> + + <para> + You can install GNOME core developer tools with: + </para> + +<programlisting> +<xref linkend="opt-services.gnome.core-developer-tools.enable"/> = true; +</programlisting> + </section> + </section> + + <section xml:id="sec-gnome-enable-flashback"> + <title>Enabling GNOME Flashback</title> + + <para> + GNOME Flashback provides a desktop environment based on the classic GNOME 2 architecture. You can enable the default GNOME Flashback session, which uses the Metacity window manager, with: + </para> + +<programlisting> +<xref linkend="opt-services.xserver.desktopManager.gnome.flashback.enableMetacity"/> = true; +</programlisting> + + <para> + It is also possible to create custom sessions that replace Metacity with a different window manager using <xref linkend="opt-services.xserver.desktopManager.gnome.flashback.customSessions"/>. + </para> + + <para> + The following example uses <literal>xmonad</literal> window manager: + </para> + +<programlisting> +<xref linkend="opt-services.xserver.desktopManager.gnome.flashback.customSessions"/> = [ + { + wmName = "xmonad"; + wmLabel = "XMonad"; + wmCommand = "${pkgs.haskellPackages.xmonad}/bin/xmonad"; + } +]; +</programlisting> + + </section> + <section xml:id="sec-gnome-gdm"> + <title>GDM</title> + + <para> + If you want to use GNOME Wayland session on Nvidia hardware, you need to enable: + </para> + +<programlisting> +<xref linkend="opt-services.xserver.displayManager.gdm.nvidiaWayland"/> = true; +</programlisting> + + <para> + as the default configuration will forbid this. + </para> + </section> + + <section xml:id="sec-gnome-icons-and-gtk-themes"> + <title>Icons and GTK Themes</title> + + <para> + Icon themes and GTK themes don’t require any special option to install in NixOS. + </para> + + <para> + You can add them to <xref linkend="opt-environment.systemPackages"/> and switch to them with GNOME Tweaks. + If you’d like to do this manually in dconf, change the values of the following keys: + </para> + +<programlisting> +/org/gnome/desktop/interface/gtk-theme +/org/gnome/desktop/interface/icon-theme +</programlisting> + + <para> + in <literal>dconf-editor</literal> + </para> + </section> + + <section xml:id="sec-gnome-shell-extensions"> + <title>Shell Extensions</title> + + <para> + Most Shell extensions are packaged under the <literal>gnomeExtensions</literal> attribute. + Some packages that include Shell extensions, like <literal>gnome.gpaste</literal>, don’t have their extension decoupled under this attribute. + </para> + + <para> + You can install them like any other package: + </para> + +<programlisting> +<xref linkend="opt-environment.systemPackages"/> = [ + gnomeExtensions.dash-to-dock + gnomeExtensions.gsconnect + gnomeExtensions.mpris-indicator-button +]; +</programlisting> + + <para> + Unfortunately, we lack a way for these to be managed in a completely declarative way. + So you have to enable them manually with an Extensions application. + It is possible to use a <link xlink:href="#sec-gnome-gsettings-overrides">GSettings override</link> for this on <literal>org.gnome.shell.enabled-extensions</literal>, but that will only influence the default value. + </para> + </section> + + <section xml:id="sec-gnome-gsettings-overrides"> + <title>GSettings Overrides</title> + + <para> + Majority of software building on the GNOME platform use GLib’s <link xlink:href="https://developer.gnome.org/gio/unstable/GSettings.html">GSettings</link> system to manage runtime configuration. For our purposes, the system consists of XML schemas describing the individual configuration options, stored in the package, and a settings backend, where the values of the settings are stored. On NixOS, like on most Linux distributions, dconf database is used as the backend. + </para> + + <para> + <link xlink:href="https://developer.gnome.org/gio/unstable/GSettings.html#id-1.4.19.2.9.25">GSettings vendor overrides</link> can be used to adjust the default values for settings of the GNOME desktop and apps by replacing the default values specified in the XML schemas. Using overrides will allow you to pre-seed user settings before you even start the session. + </para> + + <warning> + <para> + Overrides really only change the default values for GSettings keys so if you or an application changes the setting value, the value set by the override will be ignored. Until <link xlink:href="https://github.com/NixOS/nixpkgs/issues/54150">NixOS’s dconf module implements changing values</link>, you will either need to keep that in mind and clear the setting from the backend using <literal>dconf reset</literal> command when that happens, or use the <link xlink:href="https://nix-community.github.io/home-manager/options.html#opt-dconf.settings">module from home-manager</link>. + </para> + </warning> + + <para> + You can override the default GSettings values using the <xref linkend="opt-services.xserver.desktopManager.gnome.extraGSettingsOverrides"/> option. + </para> + + <para> + Take note that whatever packages you want to override GSettings for, you need to add them to + <xref linkend="opt-services.xserver.desktopManager.gnome.extraGSettingsOverridePackages"/>. + </para> + + <para> + You can use <literal>dconf-editor</literal> tool to explore which GSettings you can set. + </para> + + <section xml:id="sec-gnome-gsettings-overrides-example"> + <title>Example</title> + +<programlisting> +services.xserver.desktopManager.gnome = { + <link xlink:href="#opt-services.xserver.desktopManager.gnome.extraGSettingsOverrides">extraGSettingsOverrides</link> = '' + # Change default background + [org.gnome.desktop.background] + picture-uri='file://${pkgs.nixos-artwork.wallpapers.mosaic-blue.gnomeFilePath}' + + # Favorite apps in gnome-shell + [org.gnome.shell] + favorite-apps=['org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop'] + ''; + + <link xlink:href="#opt-services.xserver.desktopManager.gnome.extraGSettingsOverridePackages">extraGSettingsOverridePackages</link> = [ + pkgs.gsettings-desktop-schemas # for org.gnome.desktop + pkgs.gnome.gnome-shell # for org.gnome.shell + ]; +}; +</programlisting> + </section> + </section> + + <section xml:id="sec-gnome-faq"> + <title>Frequently Asked Questions</title> + + <section xml:id="sec-gnome-faq-can-i-use-lightdm-with-gnome"> + <title>Can I use LightDM with GNOME?</title> + + <para> + Yes you can, and any other display-manager in NixOS. + </para> + + <para> + However, it doesn’t work correctly for the Wayland session of GNOME Shell yet, and + won’t be able to lock your screen. + </para> + + <para> + See <link xlink:href="https://github.com/NixOS/nixpkgs/issues/56342">this issue.</link> + </para> + </section> + + <section xml:id="sec-gnome-faq-nixos-rebuild-switch-kills-session"> + <title>Why does <literal>nixos-rebuild switch</literal> sometimes kill my session?</title> + + <para> + This is a known <link xlink:href="https://github.com/NixOS/nixpkgs/issues/44344">issue</link> without any workarounds. + If you are doing a fairly large upgrade, it is probably safer to use <literal>nixos-rebuild boot</literal>. + </para> + </section> + </section> +</chapter> diff --git a/nixos/modules/services/x11/desktop-managers/lxqt.nix b/nixos/modules/services/x11/desktop-managers/lxqt.nix index bf53082b267d1..71dfad5c7ca02 100644 --- a/nixos/modules/services/x11/desktop-managers/lxqt.nix +++ b/nixos/modules/services/x11/desktop-managers/lxqt.nix @@ -51,15 +51,15 @@ in environment.systemPackages = pkgs.lxqt.preRequisitePackages ++ pkgs.lxqt.corePackages ++ - (pkgs.gnome3.removePackagesByName + (pkgs.gnome.removePackagesByName pkgs.lxqt.optionalPackages config.environment.lxqt.excludePackages); # Link some extra directories in /run/current-system/software/share environment.pathsToLink = [ "/share" ]; + # virtual file systems support for PCManFM-QT services.gvfs.enable = true; - services.gvfs.package = pkgs.gvfs; services.upower.enable = config.powerManagement.enable; }; diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix index f236c14fcf3e9..19ab9edb7324f 100644 --- a/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixos/modules/services/x11/desktop-managers/mate.nix @@ -76,7 +76,7 @@ in environment.systemPackages = pkgs.mate.basePackages ++ - (pkgs.gnome3.removePackagesByName + (pkgs.gnome.removePackagesByName pkgs.mate.extraPackages config.environment.mate.excludePackages) ++ [ @@ -97,8 +97,8 @@ in # Mate uses this for printing programs.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); - services.gnome3.at-spi2-core.enable = true; - services.gnome3.gnome-keyring.enable = true; + services.gnome.at-spi2-core.enable = true; + services.gnome.gnome-keyring.enable = true; services.udev.packages = [ pkgs.mate.mate-settings-daemon ]; services.gvfs.enable = true; services.upower.enable = config.powerManagement.enable; diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix index 195da75e74437..e492073b80ffd 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -43,7 +43,7 @@ in sessionPath = mkOption { default = []; type = types.listOf types.package; - example = literalExample "[ pkgs.gnome3.gpaste ]"; + example = literalExample "[ pkgs.gnome.gpaste ]"; description = '' Additional list of packages to be added to the session search path. Useful for GSettings-conditional autostart. @@ -142,12 +142,12 @@ in ]; services.pantheon.apps.enable = mkDefault true; services.pantheon.contractor.enable = mkDefault true; - services.gnome3.at-spi2-core.enable = true; - services.gnome3.evolution-data-server.enable = true; - services.gnome3.glib-networking.enable = true; - services.gnome3.gnome-keyring.enable = true; + services.gnome.at-spi2-core.enable = true; + services.gnome.evolution-data-server.enable = true; + services.gnome.glib-networking.enable = true; + services.gnome.gnome-keyring.enable = true; services.gvfs.enable = true; - services.gnome3.rygel.enable = mkDefault true; + services.gnome.rygel.enable = mkDefault true; services.gsignond.enable = mkDefault true; services.gsignond.plugins = with pkgs.gsignondPlugins; [ lastfm mail oauth ]; services.udisks2.enable = true; @@ -177,7 +177,7 @@ in desktop-file-utils glib gnome-menus - gnome3.adwaita-icon-theme + gnome.adwaita-icon-theme gtk3.out hicolor-icon-theme lightlocker @@ -213,10 +213,10 @@ in elementary-settings-daemon pantheon-agent-geoclue2 pantheon-agent-polkit - ]) ++ (gnome3.removePackagesByName [ - gnome3.geary - gnome3.epiphany - gnome3.gnome-font-viewer + ]) ++ (gnome.removePackagesByName [ + gnome.geary + gnome.epiphany + gnome.gnome-font-viewer ] config.environment.pantheon.excludePackages); programs.evince.enable = mkDefault true; @@ -265,7 +265,7 @@ in }) (mkIf serviceCfg.apps.enable { - environment.systemPackages = (with pkgs.pantheon; pkgs.gnome3.removePackagesByName [ + environment.systemPackages = (with pkgs.pantheon; pkgs.gnome.removePackagesByName [ elementary-calculator elementary-calendar elementary-camera diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index 44ee079b81737..b6be524aea663 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -8,7 +8,7 @@ let cfg = xcfg.desktopManager.plasma5; libsForQt5 = pkgs.plasma5Packages; - inherit (libsForQt5) kdeApplications kdeFrameworks plasma5; + inherit (libsForQt5) kdeGear kdeFrameworks plasma5; inherit (pkgs) writeText; pulseaudio = config.hardware.pulseaudio; @@ -213,7 +213,7 @@ in environment.systemPackages = with libsForQt5; - with plasma5; with kdeApplications; with kdeFrameworks; + with plasma5; with kdeGear; with kdeFrameworks; [ frameworkintegration kactivities @@ -316,6 +316,7 @@ in ++ lib.optionals config.hardware.bluetooth.enable [ bluedevil bluez-qt pkgs.openobex pkgs.obexftp ] ++ lib.optional config.networking.networkmanager.enable plasma-nm ++ lib.optional config.hardware.pulseaudio.enable plasma-pa + ++ lib.optional config.services.pipewire.pulse.enable plasma-pa ++ lib.optional config.powerManagement.enable powerdevil ++ lib.optional config.services.colord.enable pkgs.colord-kde ++ lib.optionals config.services.samba.enable [ kdenetwork-filesharing pkgs.samba ] diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index fc7f7bea4e444..bbfdea2225b58 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -9,7 +9,7 @@ in { meta = { - maintainers = with maintainers; [ worldofpeace ]; + maintainers = with maintainers; [ ]; }; imports = [ @@ -74,8 +74,8 @@ in glib # for gsettings gtk3.out # gtk-update-icon-cache - gnome3.gnome-themes-extra - gnome3.adwaita-icon-theme + gnome.gnome-themes-extra + gnome.adwaita-icon-theme hicolor-icon-theme tango-icon-theme xfce4-icon-theme @@ -149,9 +149,8 @@ in security.polkit.enable = true; services.accounts-daemon.enable = true; services.upower.enable = config.powerManagement.enable; - services.gnome3.glib-networking.enable = true; + services.gnome.glib-networking.enable = true; services.gvfs.enable = true; - services.gvfs.package = pkgs.xfce.gvfs; services.tumbler.enable = true; services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager diff --git a/nixos/modules/services/x11/display-managers/account-service-util.nix b/nixos/modules/services/x11/display-managers/account-service-util.nix index 2b08c62d0ad13..dec5c06cb3ca0 100644 --- a/nixos/modules/services/x11/display-managers/account-service-util.nix +++ b/nixos/modules/services/x11/display-managers/account-service-util.nix @@ -39,6 +39,6 @@ python3.pkgs.buildPythonApplication { ''; meta = with lib; { - maintainers = with maintainers; [ worldofpeace ]; + maintainers = with maintainers; [ ]; }; } diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix index f79eb64b5a6a2..e1b9a21eb9f0b 100644 --- a/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixos/modules/services/x11/display-managers/gdm.nix @@ -5,7 +5,7 @@ with lib; let cfg = config.services.xserver.displayManager; - gdm = pkgs.gnome3.gdm; + gdm = pkgs.gnome.gdm; xSessionWrapper = if (cfg.setupCommands == "") then null else pkgs.writeScript "gdm-x-session-wrapper" '' @@ -154,14 +154,14 @@ in ] ++ optionals config.hardware.pulseaudio.enable [ "d /run/gdm/.config/pulse 0711 gdm gdm" "L+ /run/gdm/.config/pulse/${pulseConfig.name} - - - - ${pulseConfig}" - ] ++ optionals config.services.gnome3.gnome-initial-setup.enable [ + ] ++ optionals config.services.gnome.gnome-initial-setup.enable [ # Create stamp file for gnome-initial-setup to prevent it starting in GDM. "f /run/gdm/.config/gnome-initial-setup-done 0711 gdm gdm - yes" ]; # Otherwise GDM will not be able to start correctly and display Wayland sessions - systemd.packages = with pkgs.gnome3; [ gdm gnome-session gnome-shell ]; - environment.systemPackages = [ pkgs.gnome3.adwaita-icon-theme ]; + systemd.packages = with pkgs.gnome; [ gdm gnome-session gnome-shell ]; + environment.systemPackages = [ pkgs.gnome.adwaita-icon-theme ]; systemd.services.display-manager.wants = [ # Because sd_login_monitor_new requires /run/systemd/machines @@ -208,7 +208,7 @@ in EnvironmentFile = "-/etc/locale.conf"; }; - systemd.services.display-manager.path = [ pkgs.gnome3.gnome-session ]; + systemd.services.display-manager.path = [ pkgs.gnome.gnome-session ]; # Allow choosing an user account services.accounts-daemon.enable = true; @@ -218,14 +218,14 @@ in # We duplicate upstream's udev rules manually to make wayland with nvidia configurable services.udev.extraRules = '' # disable Wayland on Cirrus chipsets - ATTR{vendor}=="0x1013", ATTR{device}=="0x00b8", ATTR{subsystem_vendor}=="0x1af4", ATTR{subsystem_device}=="0x1100", RUN+="${gdm}/libexec/gdm-disable-wayland" + ATTR{vendor}=="0x1013", ATTR{device}=="0x00b8", ATTR{subsystem_vendor}=="0x1af4", ATTR{subsystem_device}=="0x1100", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" # disable Wayland on Hi1710 chipsets - ATTR{vendor}=="0x19e5", ATTR{device}=="0x1711", RUN+="${gdm}/libexec/gdm-disable-wayland" + ATTR{vendor}=="0x19e5", ATTR{device}=="0x1711", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" ${optionalString (!cfg.gdm.nvidiaWayland) '' - DRIVER=="nvidia", RUN+="${gdm}/libexec/gdm-disable-wayland" + DRIVER=="nvidia", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" ''} # disable Wayland when modesetting is disabled - IMPORT{cmdline}="nomodeset", RUN+="${gdm}/libexec/gdm-disable-wayland" + IMPORT{cmdline}="nomodeset", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" ''; systemd.user.services.dbus.wantedBy = [ "default.target" ]; diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix index 129df139c61ab..ecd46a9ee6d25 100644 --- a/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix @@ -34,8 +34,8 @@ in { theme = { package = mkOption { type = types.package; - default = pkgs.gnome3.gnome-themes-extra; - defaultText = "pkgs.gnome3.gnome-themes-extra"; + default = pkgs.gnome.gnome-themes-extra; + defaultText = "pkgs.gnome.gnome-themes-extra"; description = '' The package path that contains the theme given in the name option. ''; diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix index 9c1dc1d1c12d9..fe5a16bc60f15 100644 --- a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix @@ -47,8 +47,8 @@ in package = mkOption { type = types.package; - default = pkgs.gnome3.gnome-themes-extra; - defaultText = "pkgs.gnome3.gnome-themes-extra"; + default = pkgs.gnome.gnome-themes-extra; + defaultText = "pkgs.gnome.gnome-themes-extra"; description = '' The package path that contains the theme given in the name option. ''; @@ -68,8 +68,8 @@ in package = mkOption { type = types.package; - default = pkgs.gnome3.adwaita-icon-theme; - defaultText = "pkgs.gnome3.adwaita-icon-theme"; + default = pkgs.gnome.adwaita-icon-theme; + defaultText = "pkgs.gnome.adwaita-icon-theme"; description = '' The package path that contains the icon theme given in the name option. ''; @@ -89,8 +89,8 @@ in package = mkOption { type = types.package; - default = pkgs.gnome3.adwaita-icon-theme; - defaultText = "pkgs.gnome3.adwaita-icon-theme"; + default = pkgs.gnome.adwaita-icon-theme; + defaultText = "pkgs.gnome.adwaita-icon-theme"; description = '' The package path that contains the cursor theme given in the name option. ''; diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix index 9bc9e2bf6162c..76f16646cf5e8 100644 --- a/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix @@ -11,7 +11,7 @@ let in { meta = { - maintainers = with maintainers; [ worldofpeace ]; + maintainers = with maintainers; [ ]; }; options = { diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix index 2dafee9e36e3d..3d497c9f25eed 100644 --- a/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixos/modules/services/x11/display-managers/lightdm.nix @@ -70,7 +70,7 @@ let in { meta = { - maintainers = with maintainers; [ worldofpeace ]; + maintainers = with maintainers; [ ]; }; # Note: the order in which lightdm greeter modules are imported diff --git a/nixos/modules/services/x11/window-managers/metacity.nix b/nixos/modules/services/x11/window-managers/metacity.nix index 5175fd7f3b1f8..600afe759b2c9 100644 --- a/nixos/modules/services/x11/window-managers/metacity.nix +++ b/nixos/modules/services/x11/window-managers/metacity.nix @@ -5,7 +5,7 @@ with lib; let cfg = config.services.xserver.windowManager.metacity; - inherit (pkgs) gnome3; + inherit (pkgs) gnome; in { @@ -18,12 +18,12 @@ in services.xserver.windowManager.session = singleton { name = "metacity"; start = '' - ${gnome3.metacity}/bin/metacity & + ${gnome.metacity}/bin/metacity & waitPID=$! ''; }; - environment.systemPackages = [ gnome3.metacity ]; + environment.systemPackages = [ gnome.metacity ]; }; diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 35bd4dabb6738..4dde4476d2c49 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -666,6 +666,7 @@ in # The default max inotify watches is 8192. # Nowadays most apps require a good number of inotify watches, # the value below is used by default on several other distros. + boot.kernel.sysctl."fs.inotify.max_user_instances" = mkDefault 524288; boot.kernel.sysctl."fs.inotify.max_user_watches" = mkDefault 524288; systemd.defaultUnit = mkIf cfg.autorun "graphical.target"; diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix index 9dbca4e33f383..6751ca3f2ee72 100644 --- a/nixos/modules/system/activation/top-level.nix +++ b/nixos/modules/system/activation/top-level.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, modules, baseModules, ... }: +{ config, lib, pkgs, modules, baseModules, specialArgs, ... }: with lib; @@ -13,7 +13,7 @@ let # !!! fix this children = mapAttrs (childName: childConfig: (import ../../../lib/eval-config.nix { - inherit baseModules; + inherit baseModules specialArgs; system = config.nixpkgs.initialSystem; modules = (optionals childConfig.inheritParentConfig modules) diff --git a/nixos/modules/system/boot/kexec.nix b/nixos/modules/system/boot/kexec.nix index 27a8e0217c558..03312aa26edc3 100644 --- a/nixos/modules/system/boot/kexec.nix +++ b/nixos/modules/system/boot/kexec.nix @@ -1,7 +1,7 @@ { pkgs, lib, ... }: { - config = lib.mkIf (lib.any (lib.meta.platformMatch pkgs.stdenv.hostPlatform) pkgs.kexectools.meta.platforms) { + config = lib.mkIf (lib.meta.availableOn pkgs.stdenv.hostPlatform pkgs.kexectools) { environment.systemPackages = [ pkgs.kexectools ]; systemd.services.prepare-kexec = diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index bbdd5a4070600..1de58b3d2c4a8 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -716,10 +716,17 @@ let "NTP" "EmitSIP" "SIP" + "EmitPOP3" + "POP3" + "EmitSMTP" + "SMTP" + "EmitLPR" + "LPR" "EmitRouter" "EmitTimezone" "Timezone" "SendOption" + "SendVendorOption" ]) (assertInt "PoolOffset") (assertMinimum "PoolOffset" 0) @@ -728,6 +735,9 @@ let (assertValueOneOf "EmitDNS" boolValues) (assertValueOneOf "EmitNTP" boolValues) (assertValueOneOf "EmitSIP" boolValues) + (assertValueOneOf "EmitPOP3" boolValues) + (assertValueOneOf "EmitSMTP" boolValues) + (assertValueOneOf "EmitLPR" boolValues) (assertValueOneOf "EmitRouter" boolValues) (assertValueOneOf "EmitTimezone" boolValues) ]; diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index d4ae4c93468f4..6be7b7e6846cd 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -90,6 +90,7 @@ let "systemd-fsck@.service" "systemd-fsck-root.service" "systemd-remount-fs.service" + "systemd-pstore.service" "local-fs.target" "local-fs-pre.target" "remote-fs.target" @@ -1183,6 +1184,7 @@ in systemd.targets.remote-fs.unitConfig.X-StopOnReconfiguration = true; systemd.targets.network-online.wantedBy = [ "multi-user.target" ]; systemd.services.systemd-importd.environment = proxy_env; + systemd.services.systemd-pstore.wantedBy = [ "sysinit.target" ]; # see #81138 # Don't bother with certain units in containers. systemd.services.systemd-remount-fs.unitConfig.ConditionVirtualization = "!container"; diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index e468cb880039c..065d6cc95d18b 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -272,10 +272,10 @@ in wants = [ "local-fs.target" "remote-fs.target" ]; }; - # Emit systemd services to format requested filesystems. systemd.services = - let + # Emit systemd services to format requested filesystems. + let formatDevice = fs: let mountPoint' = "${escapeSystemdPath fs.mountPoint}.mount"; @@ -302,8 +302,35 @@ in unitConfig.DefaultDependencies = false; # needed to prevent a cycle serviceConfig.Type = "oneshot"; }; - - in listToAttrs (map formatDevice (filter (fs: fs.autoFormat) fileSystems)); + in listToAttrs (map formatDevice (filter (fs: fs.autoFormat) fileSystems)) // { + # Mount /sys/fs/pstore for evacuating panic logs and crashdumps from persistent storage onto the disk using systemd-pstore. + # This cannot be done with the other special filesystems because the pstore module (which creates the mount point) is not loaded then. + # Since the pstore filesystem is usually empty right after mounting because the backend isn't registered yet, and a path unit cannot detect files inside of it, the same service waits for that to happen. systemd's restart mechanism can't be used here because the first failure also fails all dependent units. + "mount-pstore" = { + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.util-linux}/bin/mount -t pstore -o nosuid,noexec,nodev pstore /sys/fs/pstore"; + ExecStartPost = pkgs.writeShellScript "wait-for-pstore.sh" '' + set -eu + TRIES=0 + while [ $TRIES -lt 20 ] && [ "$(cat /sys/module/pstore/parameters/backend)" = "(null)" ]; do + sleep 0.1 + TRIES=$((TRIES+1)) + done + ''; + RemainAfterExit = true; + }; + unitConfig = { + ConditionPathIsMountPoint = "!/sys/fs/pstore"; + ConditionVirtualization = "!container"; + DefaultDependencies = false; # needed to prevent a cycle + }; + after = [ "modprobe@pstore.service" ]; + requires = [ "modprobe@pstore.service" ]; + before = [ "systemd-pstore.service" ]; + wantedBy = [ "systemd-pstore.service" ]; + }; + }; systemd.tmpfiles.rules = [ "d /run/keys 0750 root ${toString config.ids.gids.keys}" diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 21c30305188b6..376d6530f363d 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -103,6 +103,7 @@ in readOnly = true; type = types.package; default = if config.boot.zfs.enableUnstable then pkgs.zfsUnstable else pkgs.zfs; + defaultText = "if config.boot.zfs.enableUnstable then pkgs.zfsUnstable else pkgs.zfs"; description = "Configured ZFS userland tools package."; }; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index f501f85b2a92c..879f077332e38 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -144,33 +144,20 @@ let }; tempAddress = mkOption { - type = types.enum [ "default" "enabled" "disabled" ]; - default = if cfg.enableIPv6 then "default" else "disabled"; - defaultText = literalExample ''if cfg.enableIPv6 then "default" else "disabled"''; + type = types.enum (lib.attrNames tempaddrValues); + default = cfg.tempAddresses; + defaultText = literalExample ''config.networking.tempAddresses''; description = '' When IPv6 is enabled with SLAAC, this option controls the use of - temporary address (aka privacy extensions). This is used to reduce tracking. - The three possible values are: - - <itemizedlist> - <listitem> - <para> - <literal>"default"</literal> to generate temporary addresses and use - them by default; - </para> - </listitem> - <listitem> - <para> - <literal>"enabled"</literal> to generate temporary addresses but keep - using the standard EUI-64 ones by default; - </para> - </listitem> - <listitem> - <para> - <literal>"disabled"</literal> to completely disable temporary addresses. - </para> - </listitem> - </itemizedlist> + temporary address (aka privacy extensions) on this + interface. This is used to reduce tracking. + + See also the global option + <xref linkend="opt-networking.tempAddresses"/>, which + applies to all interfaces where this is not set. + + Possible values are: + ${tempaddrDoc} ''; }; @@ -366,6 +353,32 @@ let isHexString = s: all (c: elem c hexChars) (stringToCharacters (toLower s)); + tempaddrValues = { + disabled = { + sysctl = "0"; + description = "completely disable IPv6 temporary addresses"; + }; + enabled = { + sysctl = "1"; + description = "generate IPv6 temporary addresses but still use EUI-64 addresses as source addresses"; + }; + default = { + sysctl = "2"; + description = "generate IPv6 temporary addresses and use these as source addresses in routing"; + }; + }; + tempaddrDoc = '' + <itemizedlist> + ${concatStringsSep "\n" (mapAttrsToList (name: { description, ... }: '' + <listitem> + <para> + <literal>"${name}"</literal> to ${description}; + </para> + </listitem> + '') tempaddrValues)} + </itemizedlist> + ''; + in { @@ -1039,6 +1052,21 @@ in ''; }; + networking.tempAddresses = mkOption { + default = if cfg.enableIPv6 then "default" else "disabled"; + type = types.enum (lib.attrNames tempaddrValues); + description = '' + Whether to enable IPv6 Privacy Extensions for interfaces not + configured explicitly in + <xref linkend="opt-networking.interfaces._name_.tempAddress" />. + + This sets the ipv6.conf.*.use_tempaddr sysctl for all + interfaces. Possible values are: + + ${tempaddrDoc} + ''; + }; + }; @@ -1098,7 +1126,7 @@ in // listToAttrs (forEach interfaces (i: let opt = i.tempAddress; - val = { disabled = 0; enabled = 1; default = 2; }.${opt}; + val = tempaddrValues.${opt}.sysctl; in nameValuePair "net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr" val)); # Capabilities won't work unless we have at-least a 4.3 Linux @@ -1111,6 +1139,21 @@ in } else { ping.source = "${pkgs.iputils.out}/bin/ping"; }; + security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter '' + /run/wrappers/bin/ping { + include <abstractions/base> + include <nixos/security.wrappers> + rpx /run/wrappers/wrappers.*/ping, + } + /run/wrappers/wrappers.*/ping { + include <abstractions/base> + include <nixos/security.wrappers> + r /run/wrappers/wrappers.*/ping.real, + mrpx ${config.security.wrappers.ping.source}, + capability net_raw, + capability setpcap, + } + ''); # Set the host and domain names in the activation script. Don't # clear it if it's not configured in the NixOS configuration, @@ -1188,9 +1231,11 @@ in (pkgs.writeTextFile rec { name = "ipv6-privacy-extensions.rules"; destination = "/etc/udev/rules.d/98-${name}"; - text = '' + text = let + sysctl-value = tempaddrValues.${cfg.tempAddresses}.sysctl; + in '' # enable and prefer IPv6 privacy addresses by default - ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.bash}/bin/sh -c 'echo 2 > /proc/sys/net/ipv6/conf/%k/use_tempaddr'" + ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.bash}/bin/sh -c 'echo ${sysctl-value} > /proc/sys/net/ipv6/conf/%k/use_tempaddr'" ''; }) (pkgs.writeTextFile rec { @@ -1199,15 +1244,13 @@ in text = concatMapStrings (i: let opt = i.tempAddress; - val = if opt == "disabled" then 0 else 1; - msg = if opt == "disabled" - then "completely disable IPv6 privacy addresses" - else "enable IPv6 privacy addresses but prefer EUI-64 addresses"; + val = tempaddrValues.${opt}.sysctl; + msg = tempaddrValues.${opt}.description; in '' # override to ${msg} for ${i.name} - ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr=${toString val}" - '') (filter (i: i.tempAddress != "default") interfaces); + ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr=${val}" + '') (filter (i: i.tempAddress != cfg.tempAddresses) interfaces); }) ] ++ lib.optional (cfg.wlanInterfaces != {}) (pkgs.writeTextFile { diff --git a/nixos/modules/virtualisation/amazon-init.nix b/nixos/modules/virtualisation/amazon-init.nix index be83607c0af72..4f2f8df90eb8a 100644 --- a/nixos/modules/virtualisation/amazon-init.nix +++ b/nixos/modules/virtualisation/amazon-init.nix @@ -16,6 +16,16 @@ let userData=/etc/ec2-metadata/user-data + # Check if user-data looks like a shell script and execute it with the + # runtime shell if it does. Otherwise treat it as a nixos configuration + # expression + if IFS= LC_ALL=C read -rN2 shebang < $userData && [ "$shebang" = '#!' ]; then + # NB: we cannot chmod the $userData file, this is why we execute it via + # `pkgs.runtimeShell`. This means we have only limited support for shell + # scripts compatible with the `pkgs.runtimeShell`. + exec ${pkgs.runtimeShell} $userData + fi + if [ -s "$userData" ]; then # If the user-data looks like it could be a nix expression, # copy it over. Also, look for a magic three-hash comment and set diff --git a/nixos/modules/virtualisation/containerd.nix b/nixos/modules/virtualisation/containerd.nix index 194276d169588..b554bc6ea245f 100644 --- a/nixos/modules/virtualisation/containerd.nix +++ b/nixos/modules/virtualisation/containerd.nix @@ -44,9 +44,7 @@ in KillMode = "process"; Type = "notify"; Restart = "always"; - RestartSec = "5"; - StartLimitBurst = "8"; - StartLimitIntervalSec = "120s"; + RestartSec = "10"; # "limits" defined below are adopted from upstream: https://github.com/containerd/containerd/blob/master/containerd.service LimitNPROC = "infinity"; @@ -54,6 +52,13 @@ in LimitNOFILE = "infinity"; TasksMax = "infinity"; OOMScoreAdjust = "-999"; + + StateDirectory = "containerd"; + RuntimeDirectory = "containerd"; + }; + unitConfig = { + StartLimitBurst = "16"; + StartLimitIntervalSec = "120s"; }; }; }; diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix index 3eb0de3a85599..29f133786d8dd 100644 --- a/nixos/modules/virtualisation/docker.nix +++ b/nixos/modules/virtualisation/docker.nix @@ -150,6 +150,10 @@ in config = mkIf cfg.enable (mkMerge [{ boot.kernelModules = [ "bridge" "veth" ]; + boot.kernel.sysctl = { + "net.ipv4.conf.all.forwarding" = mkOverride 98 true; + "net.ipv4.conf.default.forwarding" = mkOverride 98 true; + }; environment.systemPackages = [ cfg.package ] ++ optional cfg.enableNvidia pkgs.nvidia-docker; users.groups.docker.gid = config.ids.gids.docker; diff --git a/nixos/modules/virtualisation/ec2-metadata-fetcher.nix b/nixos/modules/virtualisation/ec2-metadata-fetcher.nix index dca5c2abd4e0c..760f024f33fbd 100644 --- a/nixos/modules/virtualisation/ec2-metadata-fetcher.nix +++ b/nixos/modules/virtualisation/ec2-metadata-fetcher.nix @@ -71,7 +71,7 @@ } wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path - wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data" + (umask 077 && wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data) wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key '' diff --git a/nixos/modules/virtualisation/kvmgt.nix b/nixos/modules/virtualisation/kvmgt.nix index e08ad3446281a..72bd2c24e5664 100644 --- a/nixos/modules/virtualisation/kvmgt.nix +++ b/nixos/modules/virtualisation/kvmgt.nix @@ -82,5 +82,5 @@ in { }; }; - meta.maintainers = with maintainers; [ gnidorah ]; + meta.maintainers = with maintainers; [ ]; } diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index f43c44f5dcaba..d12169787c5ad 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -11,9 +11,10 @@ let auth_unix_rw = "polkit" ${cfg.extraConfig} ''; + ovmfFilePrefix = if pkgs.stdenv.isAarch64 then "AAVMF" else "OVMF"; qemuConfigFile = pkgs.writeText "qemu.conf" '' ${optionalString cfg.qemuOvmf '' - nvram = ["/run/libvirt/nix-ovmf/OVMF_CODE.fd:/run/libvirt/nix-ovmf/OVMF_VARS.fd"] + nvram = [ "/run/libvirt/nix-ovmf/${ovmfFilePrefix}_CODE.fd:/run/libvirt/nix-ovmf/${ovmfFilePrefix}_VARS.fd" ] ''} ${optionalString (!cfg.qemuRunAsRoot) '' user = "qemu-libvirtd" @@ -206,8 +207,8 @@ in { done ${optionalString cfg.qemuOvmf '' - ln -s --force ${pkgs.OVMF.fd}/FV/OVMF_CODE.fd /run/${dirName}/nix-ovmf/ - ln -s --force ${pkgs.OVMF.fd}/FV/OVMF_VARS.fd /run/${dirName}/nix-ovmf/ + ln -s --force ${pkgs.OVMF.fd}/FV/${ovmfFilePrefix}_CODE.fd /run/${dirName}/nix-ovmf/ + ln -s --force ${pkgs.OVMF.fd}/FV/${ovmfFilePrefix}_VARS.fd /run/${dirName}/nix-ovmf/ ''} ''; diff --git a/nixos/modules/virtualisation/lxc.nix b/nixos/modules/virtualisation/lxc.nix index f484d5ee59a88..0f8b22a45df0c 100644 --- a/nixos/modules/virtualisation/lxc.nix +++ b/nixos/modules/virtualisation/lxc.nix @@ -74,9 +74,13 @@ in systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ]; security.apparmor.packages = [ pkgs.lxc ]; - security.apparmor.profiles = [ - "${pkgs.lxc}/etc/apparmor.d/lxc-containers" - "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start" - ]; + security.apparmor.policies = { + "bin.lxc-start".profile = '' + include ${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start + ''; + "lxc-containers".profile = '' + include ${pkgs.lxc}/etc/apparmor.d/lxc-containers + ''; + }; }; } diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix index 96e8d68ae50e9..6b6f4b6e65247 100644 --- a/nixos/modules/virtualisation/lxd.nix +++ b/nixos/modules/virtualisation/lxd.nix @@ -97,11 +97,17 @@ in { # does a bunch of unrelated things. systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ]; - security.apparmor.packages = [ cfg.lxcPackage ]; - security.apparmor.profiles = [ - "${cfg.lxcPackage}/etc/apparmor.d/lxc-containers" - "${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start" - ]; + security.apparmor = { + packages = [ cfg.lxcPackage ]; + policies = { + "bin.lxc-start".profile = '' + include ${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start + ''; + "lxc-containers".profile = '' + include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers + ''; + }; + }; # TODO: remove once LXD gets proper support for cgroupsv2 # (currently most of the e.g. CPU accounting stuff doesn't work) diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix index 7a1f11ce40d60..f3f318412df1b 100644 --- a/nixos/modules/virtualisation/nixos-containers.nix +++ b/nixos/modules/virtualisation/nixos-containers.nix @@ -35,6 +35,9 @@ let '' #! ${pkgs.runtimeShell} -e + # Exit early if we're asked to shut down. + trap "exit 0" SIGRTMIN+3 + # Initialise the container side of the veth pair. if [ -n "$HOST_ADDRESS" ] || [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS" ] || [ -n "$LOCAL_ADDRESS6" ] || @@ -60,8 +63,12 @@ let ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)} - # Start the regular stage 1 script. - exec "$1" + # Start the regular stage 2 script. + # We source instead of exec to not lose an early stop signal, which is + # also the only _reliable_ shutdown signal we have since early stop + # does not execute ExecStop* commands. + set +e + . "$1" '' ); @@ -127,12 +134,16 @@ let ''} # Run systemd-nspawn without startup notification (we'll - # wait for the container systemd to signal readiness). + # wait for the container systemd to signal readiness) + # Kill signal handling means systemd-nspawn will pass a system-halt signal + # to the container systemd when it receives SIGTERM for container shutdown; + # containerInit and stage2 have to handle this as well. exec ${config.systemd.package}/bin/systemd-nspawn \ --keep-unit \ -M "$INSTANCE" -D "$root" $extraFlags \ $EXTRA_NSPAWN_FLAGS \ --notify-ready=yes \ + --kill-signal=SIGRTMIN+3 \ --bind-ro=/nix/store \ --bind-ro=/nix/var/nix/db \ --bind-ro=/nix/var/nix/daemon-socket \ @@ -259,13 +270,10 @@ let Slice = "machine.slice"; Delegate = true; - # Hack: we don't want to kill systemd-nspawn, since we call - # "machinectl poweroff" in preStop to shut down the - # container cleanly. But systemd requires sending a signal - # (at least if we want remaining processes to be killed - # after the timeout). So send an ignored signal. + # We rely on systemd-nspawn turning a SIGTERM to itself into a shutdown + # signal (SIGRTMIN+3) for the inner container. KillMode = "mixed"; - KillSignal = "WINCH"; + KillSignal = "TERM"; DevicePolicy = "closed"; DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices; @@ -420,7 +428,7 @@ let extraVeths = {}; additionalCapabilities = []; ephemeral = false; - timeoutStartSec = "15s"; + timeoutStartSec = "1min"; allowedDevices = []; hostAddress = null; hostAddress6 = null; @@ -747,8 +755,6 @@ in postStart = postStartScript dummyConfig; - preStop = "machinectl poweroff $INSTANCE"; - restartIfChanged = false; serviceConfig = serviceDirectives dummyConfig; diff --git a/nixos/modules/virtualisation/openstack-metadata-fetcher.nix b/nixos/modules/virtualisation/openstack-metadata-fetcher.nix index 8c191397cf9a5..133cd4c0e9f91 100644 --- a/nixos/modules/virtualisation/openstack-metadata-fetcher.nix +++ b/nixos/modules/virtualisation/openstack-metadata-fetcher.nix @@ -15,7 +15,7 @@ } wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path - wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data" + (umask 077 && wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data) wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key '' diff --git a/nixos/modules/virtualisation/qemu-guest-agent.nix b/nixos/modules/virtualisation/qemu-guest-agent.nix index 6a735f451a7e3..3824d0c168f78 100644 --- a/nixos/modules/virtualisation/qemu-guest-agent.nix +++ b/nixos/modules/virtualisation/qemu-guest-agent.nix @@ -30,9 +30,12 @@ in { systemd.services.qemu-guest-agent = { description = "Run the QEMU Guest Agent"; serviceConfig = { - ExecStart = "${cfg.package}/bin/qemu-ga"; + ExecStart = "${cfg.package}/bin/qemu-ga --statedir /run/qemu-ga"; Restart = "always"; RestartSec = 0; + # Runtime directory and mode + RuntimeDirectory = "qemu-ga"; + RuntimeDirectoryMode = "0755"; }; }; } diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index ea82adf09ad1d..34183c0ba9ff9 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -70,8 +70,8 @@ in rec { (onFullSupported "nixos.tests.firefox") (onFullSupported "nixos.tests.firewall") (onFullSupported "nixos.tests.fontconfig-default-fonts") - (onFullSupported "nixos.tests.gnome3") - (onFullSupported "nixos.tests.gnome3-xorg") + (onFullSupported "nixos.tests.gnome") + (onFullSupported "nixos.tests.gnome-xorg") (onSystems ["x86_64-linux"] "nixos.tests.hibernate") (onFullSupported "nixos.tests.i3wm") (onSystems ["x86_64-linux"] "nixos.tests.installer.btrfsSimple") @@ -90,7 +90,7 @@ in rec { (onFullSupported "nixos.tests.keymap.azerty") (onFullSupported "nixos.tests.keymap.colemak") (onFullSupported "nixos.tests.keymap.dvorak") - (onFullSupported "nixos.tests.keymap.dvp") + (onFullSupported "nixos.tests.keymap.dvorak-programmer") (onFullSupported "nixos.tests.keymap.neo") (onFullSupported "nixos.tests.keymap.qwertz") (onFullSupported "nixos.tests.latestKernel.login") diff --git a/nixos/release.nix b/nixos/release.nix index 87382f42f5022..2367e79e4ad07 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -186,11 +186,6 @@ in rec { inherit system; }); - sd_image_raspberrypi4 = forMatchingSystems [ "aarch64-linux" ] (system: makeSdImage { - module = ./modules/installer/sd-card/sd-image-raspberrypi4-installer.nix; - inherit system; - }); - # A bootable VirtualBox virtual appliance as an OVA file (i.e. packaged OVF). ova = forMatchingSystems [ "x86_64-linux" ] (system: @@ -224,6 +219,25 @@ in rec { ); + # Test job for https://github.com/NixOS/nixpkgs/issues/121354 to test + # automatic sizing without blocking the channel. + amazonImageAutomaticSize = forMatchingSystems [ "x86_64-linux" "aarch64-linux" ] (system: + + with import ./.. { inherit system; }; + + hydraJob ((import lib/eval-config.nix { + inherit system; + modules = + [ configuration + versionModule + ./maintainers/scripts/ec2/amazon-image.nix + ({ ... }: { amazonImage.sizeMB = "auto"; }) + ]; + }).config.system.build.amazonImage) + + ); + + # Ensure that all packages used by the minimal NixOS config end up in the channel. dummy = forAllSystems (system: pkgs.runCommand "dummy" { toplevel = (import lib/eval-config.nix { @@ -304,10 +318,10 @@ in rec { services.xserver.desktopManager.xfce.enable = true; }); - gnome3 = makeClosure ({ ... }: + gnome = makeClosure ({ ... }: { services.xserver.enable = true; services.xserver.displayManager.gdm.enable = true; - services.xserver.desktopManager.gnome3.enable = true; + services.xserver.desktopManager.gnome.enable = true; }); pantheon = makeClosure ({ ... }: diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix index 99dd8ec6fd3c1..6f98b0da37805 100644 --- a/nixos/tests/acme.nix +++ b/nixos/tests/acme.nix @@ -245,7 +245,7 @@ in import ./make-test-python.nix ({ lib, ... }: { ) for line in subject_data.lower().split("\n"): if "subject" in line: - print(f"First subject in fullchain.pem: ", line) + print(f"First subject in fullchain.pem: {line}") assert cert_name.lower() in line return diff --git a/nixos/tests/airsonic.nix b/nixos/tests/airsonic.nix new file mode 100644 index 0000000000000..59bd84877c61c --- /dev/null +++ b/nixos/tests/airsonic.nix @@ -0,0 +1,32 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "airsonic"; + meta = with pkgs.lib.maintainers; { + maintainers = [ sumnerevans ]; + }; + + machine = + { pkgs, ... }: + { + services.airsonic = { + enable = true; + maxMemory = 800; + }; + + # Airsonic is a Java application, and unfortunately requires a significant + # amount of memory. + virtualisation.memorySize = 1024; + }; + + testScript = '' + def airsonic_is_up(_) -> bool: + return machine.succeed("curl --fail http://localhost:4040/login") + + + machine.start() + machine.wait_for_unit("airsonic.service") + machine.wait_for_open_port(4040) + + with machine.nested("Waiting for UI to work"): + retry(airsonic_is_up) + ''; +}) diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 2347673cef1be..99393e5b18421 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -24,8 +24,12 @@ in _3proxy = handleTest ./3proxy.nix {}; acme = handleTest ./acme.nix {}; agda = handleTest ./agda.nix {}; + airsonic = handleTest ./airsonic.nix {}; + amazon-init-shell = handleTest ./amazon-init-shell.nix {}; ammonite = handleTest ./ammonite.nix {}; + apparmor = handleTest ./apparmor.nix {}; atd = handleTest ./atd.nix {}; + atop = handleTest ./atop.nix {}; avahi = handleTest ./avahi.nix {}; avahi-with-resolved = handleTest ./avahi.nix { networkd = true; }; awscli = handleTest ./awscli.nix { }; @@ -43,6 +47,7 @@ in boot = handleTestOn ["x86_64-linux"] ./boot.nix {}; # syslinux is unsupported on aarch64 boot-stage1 = handleTest ./boot-stage1.nix {}; borgbackup = handleTest ./borgbackup.nix {}; + botamusique = handleTest ./botamusique.nix {}; buildbot = handleTest ./buildbot.nix {}; buildkite-agents = handleTest ./buildkite-agents.nix {}; caddy = handleTest ./caddy.nix {}; @@ -88,6 +93,7 @@ in custom-ca = handleTest ./custom-ca.nix {}; croc = handleTest ./croc.nix {}; deluge = handleTest ./deluge.nix {}; + dendrite = handleTest ./dendrite.nix {}; dhparams = handleTest ./dhparams.nix {}; discourse = handleTest ./discourse.nix {}; dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {}; @@ -130,14 +136,15 @@ in fsck = handleTest ./fsck.nix {}; ft2-clone = handleTest ./ft2-clone.nix {}; gerrit = handleTest ./gerrit.nix {}; + ghostunnel = handleTest ./ghostunnel.nix {}; gitdaemon = handleTest ./gitdaemon.nix {}; gitea = handleTest ./gitea.nix {}; gitlab = handleTest ./gitlab.nix {}; gitolite = handleTest ./gitolite.nix {}; gitolite-fcgiwrap = handleTest ./gitolite-fcgiwrap.nix {}; glusterfs = handleTest ./glusterfs.nix {}; - gnome3 = handleTest ./gnome3.nix {}; - gnome3-xorg = handleTest ./gnome3-xorg.nix {}; + gnome = handleTest ./gnome.nix {}; + gnome-xorg = handleTest ./gnome-xorg.nix {}; go-neb = handleTest ./go-neb.nix {}; gobgpd = handleTest ./gobgpd.nix {}; gocd-agent = handleTest ./gocd-agent.nix {}; @@ -212,6 +219,7 @@ in latestKernel.login = handleTest ./login.nix { latestKernel = true; }; leaps = handleTest ./leaps.nix {}; lidarr = handleTest ./lidarr.nix {}; + libreswan = handleTest ./libreswan.nix {}; lightdm = handleTest ./lightdm.nix {}; limesurvey = handleTest ./limesurvey.nix {}; locate = handleTest ./locate.nix {}; @@ -297,6 +305,7 @@ in openarena = handleTest ./openarena.nix {}; openldap = handleTest ./openldap.nix {}; opensmtpd = handleTest ./opensmtpd.nix {}; + opensmtpd-rspamd = handleTest ./opensmtpd-rspamd.nix {}; openssh = handleTest ./openssh.nix {}; openstack-image-metadata = (handleTestOn ["x86_64-linux"] ./openstack-image.nix {}).metadata or {}; openstack-image-userdata = (handleTestOn ["x86_64-linux"] ./openstack-image.nix {}).userdata or {}; @@ -376,6 +385,7 @@ in snapcast = handleTest ./snapcast.nix {}; snapper = handleTest ./snapper.nix {}; sogo = handleTest ./sogo.nix {}; + solanum = handleTest ./solanum.nix {}; solr = handleTest ./solr.nix {}; sonarr = handleTest ./sonarr.nix {}; spacecookie = handleTest ./spacecookie.nix {}; @@ -385,6 +395,7 @@ in sssd-ldap = handleTestOn ["x86_64-linux"] ./sssd-ldap.nix {}; strongswan-swanctl = handleTest ./strongswan-swanctl.nix {}; sudo = handleTest ./sudo.nix {}; + sway = handleTest ./sway.nix {}; switchTest = handleTest ./switch-test.nix {}; sympa = handleTest ./sympa.nix {}; syncthing = handleTest ./syncthing.nix {}; @@ -413,6 +424,7 @@ in # traefik test relies on docker-containers trac = handleTest ./trac.nix {}; traefik = handleTestOn ["x86_64-linux"] ./traefik.nix {}; + trafficserver = handleTest ./trafficserver.nix {}; transmission = handleTest ./transmission.nix {}; trezord = handleTest ./trezord.nix {}; trickster = handleTest ./trickster.nix {}; diff --git a/nixos/tests/amazon-init-shell.nix b/nixos/tests/amazon-init-shell.nix new file mode 100644 index 0000000000000..f9268b2f3a009 --- /dev/null +++ b/nixos/tests/amazon-init-shell.nix @@ -0,0 +1,40 @@ +# This test verifies that the amazon-init service can treat the `user-data` ec2 +# metadata file as a shell script. If amazon-init detects that `user-data` is a +# script (based on the presence of the shebang #! line) it executes it and +# exits. +# Note that other tests verify that amazon-init can treat user-data as a nixos +# configuration expression. + +{ system ? builtins.currentSystem, + config ? {}, + pkgs ? import ../.. { inherit system config; } +}: + +with import ../lib/testing-python.nix { inherit system pkgs; }; +with pkgs.lib; + +makeTest { + name = "amazon-init"; + meta = with maintainers; { + maintainers = [ urbas ]; + }; + machine = { ... }: + { + imports = [ ../modules/profiles/headless.nix ../modules/virtualisation/amazon-init.nix ]; + services.openssh.enable = true; + networking.hostName = ""; + environment.etc."ec2-metadata/user-data" = { + text = '' + #!/usr/bin/bash + + echo successful > /tmp/evidence + ''; + }; + }; + testScript = '' + # To wait until amazon-init terminates its run + unnamed.wait_for_unit("amazon-init.service") + + unnamed.succeed("grep -q successful /tmp/evidence") + ''; +} diff --git a/nixos/tests/apparmor.nix b/nixos/tests/apparmor.nix new file mode 100644 index 0000000000000..c6daa8e67de3f --- /dev/null +++ b/nixos/tests/apparmor.nix @@ -0,0 +1,82 @@ +import ./make-test-python.nix ({ pkgs, ... } : { + name = "apparmor"; + meta = with pkgs.lib.maintainers; { + maintainers = [ julm ]; + }; + + machine = + { lib, pkgs, config, ... }: + with lib; + { + security.apparmor.enable = mkDefault true; + }; + + testScript = + '' + machine.wait_for_unit("multi-user.target") + + with subtest("AppArmor profiles are loaded"): + machine.succeed("systemctl status apparmor.service") + + # AppArmor securityfs + with subtest("AppArmor securityfs is mounted"): + machine.succeed("mountpoint -q /sys/kernel/security") + machine.succeed("cat /sys/kernel/security/apparmor/profiles") + + # Test apparmorRulesFromClosure by: + # 1. Prepending a string of the relevant packages' name and version on each line. + # 2. Sorting according to those strings. + # 3. Removing those prepended strings. + # 4. Using `diff` against the expected output. + with subtest("apparmorRulesFromClosure"): + machine.succeed( + "${pkgs.diffutils}/bin/diff ${pkgs.writeText "expected.rules" '' + mr ${pkgs.bash}/lib/**.so*, + r ${pkgs.bash}, + r ${pkgs.bash}/etc/**, + r ${pkgs.bash}/lib/**, + r ${pkgs.bash}/share/**, + x ${pkgs.bash}/foo/**, + mr ${pkgs.glibc}/lib/**.so*, + r ${pkgs.glibc}, + r ${pkgs.glibc}/etc/**, + r ${pkgs.glibc}/lib/**, + r ${pkgs.glibc}/share/**, + x ${pkgs.glibc}/foo/**, + mr ${pkgs.libcap}/lib/**.so*, + r ${pkgs.libcap}, + r ${pkgs.libcap}/etc/**, + r ${pkgs.libcap}/lib/**, + r ${pkgs.libcap}/share/**, + x ${pkgs.libcap}/foo/**, + mr ${pkgs.libcap.lib}/lib/**.so*, + r ${pkgs.libcap.lib}, + r ${pkgs.libcap.lib}/etc/**, + r ${pkgs.libcap.lib}/lib/**, + r ${pkgs.libcap.lib}/share/**, + x ${pkgs.libcap.lib}/foo/**, + mr ${pkgs.libidn2.out}/lib/**.so*, + r ${pkgs.libidn2.out}, + r ${pkgs.libidn2.out}/etc/**, + r ${pkgs.libidn2.out}/lib/**, + r ${pkgs.libidn2.out}/share/**, + x ${pkgs.libidn2.out}/foo/**, + mr ${pkgs.libunistring}/lib/**.so*, + r ${pkgs.libunistring}, + r ${pkgs.libunistring}/etc/**, + r ${pkgs.libunistring}/lib/**, + r ${pkgs.libunistring}/share/**, + x ${pkgs.libunistring}/foo/**, + ''} ${pkgs.runCommand "actual.rules" { preferLocalBuild = true; } '' + ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${ + pkgs.apparmorRulesFromClosure { + name = "ping"; + additionalRules = ["x $path/foo/**"]; + } [ pkgs.libcap ] + } | + ${pkgs.coreutils}/bin/sort -n -k1 | + ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ::' >$out + ''}" + ) + ''; +}) diff --git a/nixos/tests/atop.nix b/nixos/tests/atop.nix new file mode 100644 index 0000000000000..1f8b005041f0b --- /dev/null +++ b/nixos/tests/atop.nix @@ -0,0 +1,236 @@ +{ system ? builtins.currentSystem +, config ? { } +, pkgs ? import ../.. { inherit system config; } +}: + +with import ../lib/testing-python.nix { inherit system pkgs; }; +with pkgs.lib; + +let assertions = rec { + path = program: path: '' + with subtest("The path of ${program} should be ${path}"): + p = machine.succeed("type -p \"${program}\" | head -c -1") + assert p == "${path}", f"${program} is {p}, expected ${path}" + ''; + unit = name: state: '' + with subtest("Unit ${name} should be ${state}"): + if "${state}" == "active": + machine.wait_for_unit("${name}") + else: + machine.require_unit_state("${name}", "${state}") + ''; + version = '' + import re + + with subtest("binary should report the correct version"): + pkgver = "${pkgs.atop.version}" + ver = re.sub(r'(?s)^Version: (\d\.\d\.\d).*', r'\1', machine.succeed("atop -V")) + assert ver == pkgver, f"Version is `{ver}`, expected `{pkgver}`" + ''; + atoprc = contents: + if builtins.stringLength contents > 0 then '' + with subtest("/etc/atoprc should have the correct contents"): + f = machine.succeed("cat /etc/atoprc") + assert f == "${contents}", f"/etc/atoprc contents: '{f}', expected '${contents}'" + '' else '' + with subtest("/etc/atoprc should not be present"): + machine.succeed("test ! -e /etc/atoprc") + ''; + wrapper = present: + if present then path "atop" "/run/wrappers/bin/atop" + '' + with subtest("Wrapper should be setuid root"): + stat = machine.succeed("stat --printf '%a %u' /run/wrappers/bin/atop") + assert stat == "4511 0", f"Wrapper stat is {stat}, expected '4511 0'" + '' + else path "atop" "/run/current-system/sw/bin/atop"; + atopService = present: + if present then + unit "atop.service" "active" + + '' + with subtest("atop.service should write some data to /var/log/atop"): + + def has_data_files(last: bool) -> bool: + files = int(machine.succeed("ls -1 /var/log/atop | wc -l")) + if files == 0: + machine.log("Did not find at least one 1 data file") + if not last: + machine.log("Will retry...") + return False + return True + + with machine.nested("Waiting for data files"): + retry(has_data_files) + '' else unit "atop.service" "inactive"; + atopRotateTimer = present: + unit "atop-rotate.timer" (if present then "active" else "inactive"); + atopacctService = present: + if present then + unit "atopacct.service" "active" + + '' + with subtest("atopacct.service should enable process accounting"): + machine.wait_until_succeeds("test -f /run/pacct_source") + + with subtest("atopacct.service should write data to /run/pacct_shadow.d"): + + def has_data_files(last: bool) -> bool: + files = int(machine.succeed("ls -1 /run/pacct_shadow.d | wc -l")) + if files == 0: + machine.log("Did not find at least one 1 data file") + if not last: + machine.log("Will retry...") + return False + return True + + with machine.nested("Waiting for data files"): + retry(has_data_files) + '' else unit "atopacct.service" "inactive"; + netatop = present: + if present then + unit "netatop.service" "active" + + '' + with subtest("The netatop kernel module should be loaded"): + out = machine.succeed("modprobe -n -v netatop") + assert out == "", f"Module should be loaded already, but modprobe would have done {out}." + '' else '' + with subtest("The netatop kernel module should be absent"): + machine.fail("modprobe -n -v netatop") + ''; + atopgpu = present: + if present then + (unit "atopgpu.service" "active") + (path "atopgpud" "/run/current-system/sw/bin/atopgpud") + else (unit "atopgpu.service" "inactive") + '' + with subtest("atopgpud should not be present"): + machine.fail("type -p atopgpud") + ''; +}; +in +{ + name = "atop"; + + justThePackage = makeTest { + name = "atop-justThePackage"; + machine = { + environment.systemPackages = [ pkgs.atop ]; + }; + testScript = with assertions; builtins.concatStringsSep "\n" [ + version + (atoprc "") + (wrapper false) + (atopService false) + (atopRotateTimer false) + (atopacctService false) + (netatop false) + (atopgpu false) + ]; + }; + defaults = makeTest { + name = "atop-defaults"; + machine = { + programs.atop = { + enable = true; + }; + }; + testScript = with assertions; builtins.concatStringsSep "\n" [ + version + (atoprc "") + (wrapper false) + (atopService true) + (atopRotateTimer true) + (atopacctService true) + (netatop false) + (atopgpu false) + ]; + }; + minimal = makeTest { + name = "atop-minimal"; + machine = { + programs.atop = { + enable = true; + atopService.enable = false; + atopRotateTimer.enable = false; + atopacctService.enable = false; + }; + }; + testScript = with assertions; builtins.concatStringsSep "\n" [ + version + (atoprc "") + (wrapper false) + (atopService false) + (atopRotateTimer false) + (atopacctService false) + (netatop false) + (atopgpu false) + ]; + }; + netatop = makeTest { + name = "atop-netatop"; + machine = { + programs.atop = { + enable = true; + netatop.enable = true; + }; + }; + testScript = with assertions; builtins.concatStringsSep "\n" [ + version + (atoprc "") + (wrapper false) + (atopService true) + (atopRotateTimer true) + (atopacctService true) + (netatop true) + (atopgpu false) + ]; + }; + atopgpu = makeTest { + name = "atop-atopgpu"; + machine = { + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (getName pkg) [ + "cudatoolkit" + ]; + + programs.atop = { + enable = true; + atopgpu.enable = true; + }; + }; + testScript = with assertions; builtins.concatStringsSep "\n" [ + version + (atoprc "") + (wrapper false) + (atopService true) + (atopRotateTimer true) + (atopacctService true) + (netatop false) + (atopgpu true) + ]; + }; + everything = makeTest { + name = "atop-everthing"; + machine = { + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (getName pkg) [ + "cudatoolkit" + ]; + + programs.atop = { + enable = true; + settings = { + flags = "faf1"; + interval = 2; + }; + setuidWrapper.enable = true; + netatop.enable = true; + atopgpu.enable = true; + }; + }; + testScript = with assertions; builtins.concatStringsSep "\n" [ + version + (atoprc "flags faf1\\ninterval 2\\n") + (wrapper true) + (atopService true) + (atopRotateTimer true) + (atopacctService true) + (netatop true) + (atopgpu true) + ]; + }; +} diff --git a/nixos/tests/botamusique.nix b/nixos/tests/botamusique.nix new file mode 100644 index 0000000000000..ccb105dc142f2 --- /dev/null +++ b/nixos/tests/botamusique.nix @@ -0,0 +1,47 @@ +import ./make-test-python.nix ({ pkgs, lib, ...} : + +{ + name = "botamusique"; + meta.maintainers = with lib.maintainers; [ hexa ]; + + nodes = { + machine = { config, ... }: { + services.murmur = { + enable = true; + registerName = "NixOS tests"; + }; + + services.botamusique = { + enable = true; + settings = { + server = { + channel = "NixOS tests"; + }; + bot = { + version = false; + auto_check_update = false; + }; + }; + }; + }; + }; + + testScript = '' + start_all() + + machine.wait_for_unit("murmur.service") + machine.wait_for_unit("botamusique.service") + + machine.sleep(10) + + machine.wait_until_succeeds( + "journalctl -u murmur.service -e | grep -q '<1:botamusique(-1)> Authenticated'" + ) + + with subtest("Check systemd hardening"): + output = machine.execute("systemctl show botamusique.service")[1] + machine.log(output) + output = machine.execute("systemd-analyze security botamusique.service")[1] + machine.log(output) + ''; +}) diff --git a/nixos/tests/buildbot.nix b/nixos/tests/buildbot.nix index 11f9fbef635ed..977c728835f03 100644 --- a/nixos/tests/buildbot.nix +++ b/nixos/tests/buildbot.nix @@ -109,5 +109,5 @@ import ./make-test-python.nix { bbworker.fail("nc -z bbmaster 8011") ''; - meta.maintainers = with pkgs.lib.maintainers; [ nand0p ]; + meta.maintainers = with pkgs.lib.maintainers; [ ]; } {} diff --git a/nixos/tests/cage.nix b/nixos/tests/cage.nix index 53476c2fbe82f..80ce1e0d8b3a7 100644 --- a/nixos/tests/cage.nix +++ b/nixos/tests/cage.nix @@ -18,6 +18,10 @@ import ./make-test-python.nix ({ pkgs, ...} : }; virtualisation.memorySize = 1024; + # Need to switch to a different VGA card / GPU driver because Cage segfaults with the default one (std): + # machine # [ 14.355893] .cage-wrapped[736]: segfault at 20 ip 00007f035fa0d8c7 sp 00007ffce9e4a2f0 error 4 in libwlroots.so.8[7f035fa07000+5a000] + # machine # [ 14.358108] Code: 4f a8 ff ff eb aa 0f 1f 44 00 00 c3 0f 1f 80 00 00 00 00 41 54 49 89 f4 55 31 ed 53 48 89 fb 48 8d 7f 18 48 8d 83 b8 00 00 00 <80> 7f 08 00 75 0d 48 83 3f 00 0f 85 91 00 00 00 48 89 fd 48 83 c7 + virtualisation.qemu.options = [ "-vga virtio" ]; }; enableOCR = true; @@ -25,11 +29,6 @@ import ./make-test-python.nix ({ pkgs, ...} : testScript = { nodes, ... }: let user = nodes.machine.config.users.users.alice; in '' - # Need to switch to a different VGA card / GPU driver because Cage segfaults with the default one (std): - # machine # [ 14.355893] .cage-wrapped[736]: segfault at 20 ip 00007f035fa0d8c7 sp 00007ffce9e4a2f0 error 4 in libwlroots.so.8[7f035fa07000+5a000] - # machine # [ 14.358108] Code: 4f a8 ff ff eb aa 0f 1f 44 00 00 c3 0f 1f 80 00 00 00 00 41 54 49 89 f4 55 31 ed 53 48 89 fb 48 8d 7f 18 48 8d 83 b8 00 00 00 <80> 7f 08 00 75 0d 48 83 3f 00 0f 85 91 00 00 00 48 89 fd 48 83 c7 - os.environ["QEMU_OPTS"] = "-vga virtio" - with subtest("Wait for cage to boot up"): start_all() machine.wait_for_file("/run/user/${toString user.uid}/wayland-0.lock") diff --git a/nixos/tests/cagebreak.nix b/nixos/tests/cagebreak.nix index 87f43cc3c3216..e343cd88e7f57 100644 --- a/nixos/tests/cagebreak.nix +++ b/nixos/tests/cagebreak.nix @@ -17,56 +17,27 @@ in let alice = config.users.users.alice; in { + # Automatically login on tty1 as a normal user: imports = [ ./common/user-account.nix ]; + services.getty.autologinUser = "alice"; + programs.bash.loginShellInit = '' + if [ "$(tty)" = "/dev/tty1" ]; then + set -e - environment.systemPackages = [ pkgs.cagebreak pkgs.wallutils ]; - services.xserver = { - enable = true; - displayManager.autoLogin = { - enable = true; - user = alice.name; - }; - }; - services.xserver.windowManager.session = lib.singleton { - manage = "desktop"; - name = "cagebreak"; - start = '' - export XDG_RUNTIME_DIR="/run/user/${toString alice.uid}" - ${pkgs.cagebreak}/bin/cagebreak & - waitPID=$! - ''; - }; + mkdir -p ~/.config/cagebreak + cp -f ${cagebreakConfigfile} ~/.config/cagebreak/config - systemd.services.setupCagebreakConfig = { - wantedBy = [ "multi-user.target" ]; - before = [ "multi-user.target" ]; - environment = { - HOME = alice.home; - }; - unitConfig = { - type = "oneshot"; - RemainAfterExit = true; - user = alice.name; - }; - script = '' - cd $HOME - CONFFILE=$HOME/.config/cagebreak/config - mkdir -p $(dirname $CONFFILE) - cp ${cagebreakConfigfile} $CONFFILE - ''; - }; + cagebreak + fi + ''; - # Copied from cage: - # this needs a fairly recent kernel, otherwise: - # [backend/drm/util.c:215] Unable to add DRM framebuffer: No such file or directory - # [backend/drm/legacy.c:15] Virtual-1: Failed to set CRTC: No such file or directory - # [backend/drm/util.c:215] Unable to add DRM framebuffer: No such file or directory - # [backend/drm/legacy.c:15] Virtual-1: Failed to set CRTC: No such file or directory - # [backend/drm/drm.c:618] Failed to initialize renderer on connector 'Virtual-1': initial page-flip failed - # [backend/drm/drm.c:701] Failed to initialize renderer for plane - boot.kernelPackages = pkgs.linuxPackages_latest; + hardware.opengl.enable = true; + programs.xwayland.enable = true; + environment.systemPackages = [ pkgs.cagebreak pkgs.wayland-utils ]; virtualisation.memorySize = 1024; + # Need to switch to a different VGA card / GPU driver than the default one (std) so that Cagebreak can launch: + virtualisation.qemu.options = [ "-vga virtio" ]; }; enableOCR = true; @@ -80,14 +51,15 @@ in machine.wait_for_file("${XDG_RUNTIME_DIR}/wayland-0") with subtest("ensure wayland works with wayinfo from wallutils"): - machine.succeed("env XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR} wayinfo") + print(machine.succeed("env XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR} wayland-info")) - with subtest("ensure xwayland works with xterm"): - machine.send_key("ctrl-t") - machine.send_key("t") - machine.wait_until_succeeds("pgrep xterm") - machine.wait_for_text("${user.name}@machine") - machine.screenshot("screen") - machine.send_key("ctrl-d") + # TODO: Fix the XWayland test (log the cagebreak output to debug): + # with subtest("ensure xwayland works with xterm"): + # machine.send_key("ctrl-t") + # machine.send_key("t") + # machine.wait_until_succeeds("pgrep xterm") + # machine.wait_for_text("${user.name}@machine") + # machine.screenshot("screen") + # machine.send_key("ctrl-d") ''; }) diff --git a/nixos/tests/chromium.nix b/nixos/tests/chromium.nix index 8429d932ae694..60ecf986d6eed 100644 --- a/nixos/tests/chromium.nix +++ b/nixos/tests/chromium.nix @@ -54,7 +54,8 @@ mapAttrs (channel: chromiumPkg: makeTest rec { in "${pkgs.xdotool}/bin/xdotool ${xdoScript}"; in '' import shlex - from contextlib import contextmanager, _GeneratorContextManager + import re + from contextlib import contextmanager # Run as user alice diff --git a/nixos/tests/clickhouse.nix b/nixos/tests/clickhouse.nix index 98d8b4b465257..017f2ee35dab0 100644 --- a/nixos/tests/clickhouse.nix +++ b/nixos/tests/clickhouse.nix @@ -4,6 +4,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine = { services.clickhouse.enable = true; + virtualisation.memorySize = 4096; }; testScript = diff --git a/nixos/tests/containers-custom-pkgs.nix b/nixos/tests/containers-custom-pkgs.nix index c050e49bc29d2..1627a2c70c3ca 100644 --- a/nixos/tests/containers-custom-pkgs.nix +++ b/nixos/tests/containers-custom-pkgs.nix @@ -30,5 +30,5 @@ in { }; # This test only consists of evaluating the test machine - testScript = ""; + testScript = "pass"; }) diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix index 0ff0d3f954528..1dcccfc306a35 100644 --- a/nixos/tests/containers-imperative.nix +++ b/nixos/tests/containers-imperative.nix @@ -111,6 +111,26 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.succeed(f"nixos-container stop {id1}") machine.succeed(f"nixos-container start {id1}") + # clear serial backlog for next tests + machine.succeed("logger eat console backlog 3ea46eb2-7f82-4f70-b810-3f00e3dd4c4d") + machine.wait_for_console_text( + "eat console backlog 3ea46eb2-7f82-4f70-b810-3f00e3dd4c4d" + ) + + with subtest("Stop a container early"): + machine.succeed(f"nixos-container stop {id1}") + machine.succeed(f"nixos-container start {id1} &") + machine.wait_for_console_text("Stage 2") + machine.succeed(f"nixos-container stop {id1}") + machine.wait_for_console_text(f"Container {id1} exited successfully") + machine.succeed(f"nixos-container start {id1}") + + with subtest("Stop a container without machined (regression test for #109695)"): + machine.systemctl("stop systemd-machined") + machine.succeed(f"nixos-container stop {id1}") + machine.wait_for_console_text(f"Container {id1} has been shut down") + machine.succeed(f"nixos-container start {id1}") + with subtest("tmpfiles are present"): machine.log("creating container tmpfiles") machine.succeed( @@ -142,6 +162,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.fail( "nixos-container create b0rk --config-file ${brokenCfg}" ) - machine.succeed(f"test ! -e /var/lib/containers/b0rk") + machine.succeed("test ! -e /var/lib/containers/b0rk") ''; }) diff --git a/nixos/tests/couchdb.nix b/nixos/tests/couchdb.nix index d038ee7d890dc..049532481b15f 100644 --- a/nixos/tests/couchdb.nix +++ b/nixos/tests/couchdb.nix @@ -24,8 +24,6 @@ with lib; }; nodes = { - couchdb1 = makeNode pkgs.couchdb testuser testpass; - couchdb2 = makeNode pkgs.couchdb2 testuser testpass; couchdb3 = makeNode pkgs.couchdb3 testuser testpass; }; @@ -41,42 +39,6 @@ with lib; in '' start_all() - couchdb1.wait_for_unit("couchdb.service") - couchdb1.wait_until_succeeds( - "${curlJqCheck "" "GET" "" ".couchdb" "Welcome"}" - ) - couchdb1.wait_until_succeeds( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "2"}" - ) - couchdb1.succeed("${curlJqCheck testlogin "PUT" "foo" ".ok" "true"}") - couchdb1.succeed( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "3"}" - ) - couchdb1.succeed( - "${curlJqCheck testlogin "DELETE" "foo" ".ok" "true"}" - ) - couchdb1.succeed( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "2"}" - ) - - couchdb2.wait_for_unit("couchdb.service") - couchdb2.wait_until_succeeds( - "${curlJqCheck "" "GET" "" ".couchdb" "Welcome"}" - ) - couchdb2.wait_until_succeeds( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "0"}" - ) - couchdb2.succeed("${curlJqCheck testlogin "PUT" "foo" ".ok" "true"}") - couchdb2.succeed( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "1"}" - ) - couchdb2.succeed( - "${curlJqCheck testlogin "DELETE" "foo" ".ok" "true"}" - ) - couchdb2.succeed( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "0"}" - ) - couchdb3.wait_for_unit("couchdb.service") couchdb3.wait_until_succeeds( "${curlJqCheck testlogin "GET" "" ".couchdb" "Welcome"}" diff --git a/nixos/tests/custom-ca.nix b/nixos/tests/custom-ca.nix index 67f7b3ff1f161..7ce1101911db0 100644 --- a/nixos/tests/custom-ca.nix +++ b/nixos/tests/custom-ca.nix @@ -92,13 +92,19 @@ in { onlySSL = true; sslCertificate = "${example-good-cert}/server.crt"; sslCertificateKey = "${example-good-cert}/server.key"; - locations."/".extraConfig = "return 200 'It works!';"; + locations."/".extraConfig = '' + add_header Content-Type text/plain; + return 200 'It works!'; + ''; }; services.nginx.virtualHosts."bad.example.com" = { onlySSL = true; sslCertificate = "${example-bad-cert}/server.crt"; sslCertificateKey = "${example-bad-cert}/server.key"; - locations."/".extraConfig = "return 200 'It does not work!';"; + locations."/".extraConfig = '' + add_header Content-Type text/plain; + return 200 'It does not work!'; + ''; }; environment.systemPackages = with pkgs; @@ -106,6 +112,7 @@ in }; testScript = '' + from typing import Tuple def execute_as(user: str, cmd: str) -> Tuple[int, str]: """ Run a shell command as a specific user. diff --git a/nixos/tests/dendrite.nix b/nixos/tests/dendrite.nix new file mode 100644 index 0000000000000..a444c9b200189 --- /dev/null +++ b/nixos/tests/dendrite.nix @@ -0,0 +1,99 @@ +import ./make-test-python.nix ( + { pkgs, ... }: + let + homeserverUrl = "http://homeserver:8008"; + + private_key = pkgs.runCommand "matrix_key.pem" { + buildInputs = [ pkgs.dendrite ]; + } "generate-keys --private-key $out"; + in + { + name = "dendrite"; + meta = with pkgs.lib; { + maintainers = teams.matrix.members; + }; + + nodes = { + homeserver = { pkgs, ... }: { + services.dendrite = { + enable = true; + settings = { + global.server_name = "test-dendrite-server.com"; + global.private_key = private_key; + client_api.registration_disabled = false; + }; + }; + + networking.firewall.allowedTCPPorts = [ 8008 ]; + }; + + client = { pkgs, ... }: { + environment.systemPackages = [ + ( + pkgs.writers.writePython3Bin "do_test" + { libraries = [ pkgs.python3Packages.matrix-nio ]; } '' + import asyncio + + from nio import AsyncClient + + + async def main() -> None: + # Connect to dendrite + client = AsyncClient("http://homeserver:8008", "alice") + + # Register as user alice + response = await client.register("alice", "my-secret-password") + + # Log in as user alice + response = await client.login("my-secret-password") + + # Create a new room + response = await client.room_create(federate=False) + room_id = response.room_id + + # Join the room + response = await client.join(room_id) + + # Send a message to the room + response = await client.room_send( + room_id=room_id, + message_type="m.room.message", + content={ + "msgtype": "m.text", + "body": "Hello world!" + } + ) + + # Sync responses + response = await client.sync(timeout=30000) + + # Check the message was received by dendrite + last_message = response.rooms.join[room_id].timeline.events[-1].body + assert last_message == "Hello world!" + + # Leave the room + response = await client.room_leave(room_id) + + # Close the client + await client.close() + + asyncio.get_event_loop().run_until_complete(main()) + '' + ) + ]; + }; + }; + + testScript = '' + start_all() + + with subtest("start the homeserver"): + homeserver.wait_for_unit("dendrite.service") + homeserver.wait_for_open_port(8008) + + with subtest("ensure messages can be exchanged"): + client.succeed("do_test") + ''; + + } +) diff --git a/nixos/tests/docker-tools-overlay.nix b/nixos/tests/docker-tools-overlay.nix index 98eb728661565..6781388e639b6 100644 --- a/nixos/tests/docker-tools-overlay.nix +++ b/nixos/tests/docker-tools-overlay.nix @@ -4,7 +4,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { name = "docker-tools-overlay"; meta = with pkgs.lib.maintainers; { - maintainers = [ lnl7 ]; + maintainers = [ lnl7 roberth ]; }; nodes = { diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index 96662b4540cc6..39b97b4cb997f 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix @@ -3,7 +3,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { name = "docker-tools"; meta = with pkgs.lib.maintainers; { - maintainers = [ lnl7 ]; + maintainers = [ lnl7 roberth ]; }; nodes = { diff --git a/nixos/tests/docker.nix b/nixos/tests/docker.nix index 58e33535ed31e..dee7480eb4a96 100644 --- a/nixos/tests/docker.nix +++ b/nixos/tests/docker.nix @@ -45,5 +45,8 @@ import ./make-test-python.nix ({ pkgs, ...} : { # Must match version 4 times to ensure client and server git commits and versions are correct docker.succeed('[ $(docker version | grep ${pkgs.docker.version} | wc -l) = "4" ]') + docker.succeed("systemctl restart systemd-sysctl") + docker.succeed("grep 1 /proc/sys/net/ipv4/conf/all/forwarding") + docker.succeed("grep 1 /proc/sys/net/ipv4/conf/default/forwarding") ''; }) diff --git a/nixos/tests/fancontrol.nix b/nixos/tests/fancontrol.nix index 356cd57ffa1a3..296c680264150 100644 --- a/nixos/tests/fancontrol.nix +++ b/nixos/tests/fancontrol.nix @@ -1,28 +1,34 @@ import ./make-test-python.nix ({ pkgs, ... } : { name = "fancontrol"; + meta = with pkgs.lib.maintainers; { + maintainers = [ evils ]; + }; - machine = - { ... }: - { hardware.fancontrol.enable = true; - hardware.fancontrol.config = '' - INTERVAL=42 - DEVPATH=hwmon1=devices/platform/dummy - DEVNAME=hwmon1=dummy - FCTEMPS=hwmon1/device/pwm1=hwmon1/device/temp1_input - FCFANS=hwmon1/device/pwm1=hwmon1/device/fan1_input - MINTEMP=hwmon1/device/pwm1=25 - MAXTEMP=hwmon1/device/pwm1=65 - MINSTART=hwmon1/device/pwm1=150 - MINSTOP=hwmon1/device/pwm1=0 - ''; + machine = { ... }: { + imports = [ ../modules/profiles/minimal.nix ]; + hardware.fancontrol.enable = true; + hardware.fancontrol.config = '' + INTERVAL=42 + DEVPATH=hwmon1=devices/platform/dummy + DEVNAME=hwmon1=dummy + FCTEMPS=hwmon1/device/pwm1=hwmon1/device/temp1_input + FCFANS=hwmon1/device/pwm1=hwmon1/device/fan1_input + MINTEMP=hwmon1/device/pwm1=25 + MAXTEMP=hwmon1/device/pwm1=65 + MINSTART=hwmon1/device/pwm1=150 + MINSTOP=hwmon1/device/pwm1=0 + ''; }; # This configuration cannot be valid for the test VM, so it's expected to get an 'outdated' error. testScript = '' start_all() - machine.wait_for_unit("fancontrol.service") - machine.wait_until_succeeds( - "journalctl -eu fancontrol | grep 'Configuration appears to be outdated'" + # can't wait for unit fancontrol.service because it doesn't become active due to invalid config + # fancontrol.service is WantedBy multi-user.target + machine.wait_for_unit("multi-user.target") + machine.succeed( + "journalctl -eu fancontrol | tee /dev/stderr | grep 'Configuration appears to be outdated'" ) + machine.shutdown() ''; }) diff --git a/nixos/tests/fontconfig-default-fonts.nix b/nixos/tests/fontconfig-default-fonts.nix index 68c6ac9e9c833..58d0f6227cc7b 100644 --- a/nixos/tests/fontconfig-default-fonts.nix +++ b/nixos/tests/fontconfig-default-fonts.nix @@ -4,7 +4,6 @@ import ./make-test-python.nix ({ lib, ... }: meta.maintainers = with lib.maintainers; [ jtojnar - worldofpeace ]; machine = { config, pkgs, ... }: { diff --git a/nixos/tests/ghostunnel.nix b/nixos/tests/ghostunnel.nix new file mode 100644 index 0000000000000..a82cff8082b75 --- /dev/null +++ b/nixos/tests/ghostunnel.nix @@ -0,0 +1,104 @@ +{ pkgs, ... }: import ./make-test-python.nix { + + nodes = { + backend = { pkgs, ... }: { + services.nginx.enable = true; + services.nginx.virtualHosts."backend".root = pkgs.runCommand "webroot" {} '' + mkdir $out + echo hi >$out/hi.txt + ''; + networking.firewall.allowedTCPPorts = [ 80 ]; + }; + service = { ... }: { + services.ghostunnel.enable = true; + services.ghostunnel.servers."plain-old" = { + listen = "0.0.0.0:443"; + cert = "/root/service-cert.pem"; + key = "/root/service-key.pem"; + disableAuthentication = true; + target = "backend:80"; + unsafeTarget = true; + }; + services.ghostunnel.servers."client-cert" = { + listen = "0.0.0.0:1443"; + cert = "/root/service-cert.pem"; + key = "/root/service-key.pem"; + cacert = "/root/ca.pem"; + target = "backend:80"; + allowCN = ["client"]; + unsafeTarget = true; + }; + networking.firewall.allowedTCPPorts = [ 443 1443 ]; + }; + client = { pkgs, ... }: { + environment.systemPackages = [ + pkgs.curl + ]; + }; + }; + + testScript = '' + + # prepare certificates + + def cmd(command): + print(f"+{command}") + r = os.system(command) + if r != 0: + raise Exception(f"Command {command} failed with exit code {r}") + + # Create CA + cmd("${pkgs.openssl}/bin/openssl genrsa -out ca-key.pem 4096") + cmd("${pkgs.openssl}/bin/openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca.pem") + + # Create service + cmd("${pkgs.openssl}/bin/openssl genrsa -out service-key.pem 4096") + cmd("${pkgs.openssl}/bin/openssl req -subj '/CN=service' -sha256 -new -key service-key.pem -out service.csr") + cmd("echo subjectAltName = DNS:service,IP:127.0.0.1 >> extfile.cnf") + cmd("echo extendedKeyUsage = serverAuth >> extfile.cnf") + cmd("${pkgs.openssl}/bin/openssl x509 -req -days 365 -sha256 -in service.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out service-cert.pem -extfile extfile.cnf") + + # Create client + cmd("${pkgs.openssl}/bin/openssl genrsa -out client-key.pem 4096") + cmd("${pkgs.openssl}/bin/openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr") + cmd("echo extendedKeyUsage = clientAuth > extfile-client.cnf") + cmd("${pkgs.openssl}/bin/openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf") + + cmd("ls -al") + + start_all() + + # Configuration + service.copy_from_host("ca.pem", "/root/ca.pem") + service.copy_from_host("service-cert.pem", "/root/service-cert.pem") + service.copy_from_host("service-key.pem", "/root/service-key.pem") + client.copy_from_host("ca.pem", "/root/ca.pem") + client.copy_from_host("service-cert.pem", "/root/service-cert.pem") + client.copy_from_host("client-cert.pem", "/root/client-cert.pem") + client.copy_from_host("client-key.pem", "/root/client-key.pem") + + backend.wait_for_unit("nginx.service") + service.wait_for_unit("multi-user.target") + service.wait_for_unit("multi-user.target") + client.wait_for_unit("multi-user.target") + + # Check assumptions before the real test + client.succeed("bash -c 'diff <(curl -v --no-progress-meter http://backend/hi.txt) <(echo hi)'") + + # Plain old simple TLS can connect, ignoring cert + client.succeed("bash -c 'diff <(curl -v --no-progress-meter --insecure https://service/hi.txt) <(echo hi)'") + + # Plain old simple TLS provides correct signature with its cert + client.succeed("bash -c 'diff <(curl -v --no-progress-meter --cacert /root/ca.pem https://service/hi.txt) <(echo hi)'") + + # Client can authenticate with certificate + client.succeed("bash -c 'diff <(curl -v --no-progress-meter --cert /root/client-cert.pem --key /root/client-key.pem --cacert /root/ca.pem https://service:1443/hi.txt) <(echo hi)'") + + # Client must authenticate with certificate + client.fail("bash -c 'diff <(curl -v --no-progress-meter --cacert /root/ca.pem https://service:1443/hi.txt) <(echo hi)'") + ''; + + meta.maintainers = with pkgs.lib.maintainers; [ + roberth + ]; +} diff --git a/nixos/tests/gitdaemon.nix b/nixos/tests/gitdaemon.nix index d0156fb9a49fb..bb07b6e97b7fb 100644 --- a/nixos/tests/gitdaemon.nix +++ b/nixos/tests/gitdaemon.nix @@ -18,6 +18,11 @@ in { environment.systemPackages = [ pkgs.git ]; + systemd.tmpfiles.rules = [ + # type path mode user group age arg + " d /git 0755 root root - -" + ]; + services.gitDaemon = { enable = true; basePath = "/git"; @@ -35,7 +40,6 @@ in { with subtest("create project.git"): server.succeed( - "mkdir /git", "git init --bare /git/project.git", "touch /git/project.git/git-daemon-export-ok", ) diff --git a/nixos/tests/gnome3-xorg.nix b/nixos/tests/gnome-xorg.nix index 0d05c12384f32..55f9c90c20a08 100644 --- a/nixos/tests/gnome3-xorg.nix +++ b/nixos/tests/gnome-xorg.nix @@ -1,5 +1,5 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { - name = "gnome3-xorg"; + name = "gnome-xorg"; meta = with lib; { maintainers = teams.gnome.members; }; @@ -21,8 +21,8 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { }; }; - services.xserver.desktopManager.gnome3.enable = true; - services.xserver.desktopManager.gnome3.debug = true; + services.xserver.desktopManager.gnome.enable = true; + services.xserver.desktopManager.gnome.debug = true; services.xserver.displayManager.defaultSession = "gnome-xorg"; virtualisation.memorySize = 1024; diff --git a/nixos/tests/gnome3.nix b/nixos/tests/gnome.nix index 7e301be49d109..e8d18a41bd064 100644 --- a/nixos/tests/gnome3.nix +++ b/nixos/tests/gnome.nix @@ -1,5 +1,5 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { - name = "gnome3"; + name = "gnome"; meta = with lib; { maintainers = teams.gnome.members; }; @@ -20,13 +20,13 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { }; }; - services.xserver.desktopManager.gnome3.enable = true; - services.xserver.desktopManager.gnome3.debug = true; + services.xserver.desktopManager.gnome.enable = true; + services.xserver.desktopManager.gnome.debug = true; environment.systemPackages = [ (pkgs.makeAutostartItem { name = "org.gnome.Terminal"; - package = pkgs.gnome3.gnome-terminal; + package = pkgs.gnome.gnome-terminal; }) ]; diff --git a/nixos/tests/home-assistant.nix b/nixos/tests/home-assistant.nix index 3b7295324a186..c75dd248ecb32 100644 --- a/nixos/tests/home-assistant.nix +++ b/nixos/tests/home-assistant.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: let configDir = "/var/lib/foobar"; @@ -6,9 +6,7 @@ let mqttPassword = "secret"; in { name = "home-assistant"; - meta = with pkgs.lib; { - maintainers = with maintainers; [ dotlambda ]; - }; + meta.maintainers = lib.teams.home-assistant.members; nodes.hass = { pkgs, ... }: { environment.systemPackages = with pkgs; [ mosquitto ]; @@ -47,6 +45,10 @@ in { payload_on = "let_there_be_light"; payload_off = "off"; }]; + emulated_hue = { + host_ip = "127.0.0.1"; + listen_port = 80; + }; logger = { default = "info"; logs."homeassistant.components.mqtt" = "debug"; @@ -82,6 +84,9 @@ in { hass.succeed( "mosquitto_pub -V mqttv5 -t home-assistant/test -u ${mqttUsername} -P '${mqttPassword}' -m let_there_be_light" ) + with subtest("Check that capabilities are passed for emulated_hue to bind to port 80"): + hass.wait_for_open_port(80) + hass.succeed("curl --fail http://localhost:80/description.xml") with subtest("Print log to ease debugging"): output_log = hass.succeed("cat ${configDir}/home-assistant.log") print("\n### home-assistant.log ###\n") @@ -93,5 +98,8 @@ in { # example line: 2020-06-20 10:01:32 DEBUG (MainThread) [homeassistant.components.mqtt] Received message on home-assistant/test: b'let_there_be_light' with subtest("Check we received the mosquitto message"): assert "let_there_be_light" in output_log + + with subtest("Check systemd unit hardening"): + hass.log(hass.succeed("systemd-analyze security home-assistant.service")) ''; }) diff --git a/nixos/tests/installed-tests/default.nix b/nixos/tests/installed-tests/default.nix index e5d7009bb7b9a..6c2846a1636bd 100644 --- a/nixos/tests/installed-tests/default.nix +++ b/nixos/tests/installed-tests/default.nix @@ -97,6 +97,7 @@ in gsconnect = callInstalledTest ./gsconnect.nix {}; ibus = callInstalledTest ./ibus.nix {}; libgdata = callInstalledTest ./libgdata.nix {}; + librsvg = callInstalledTest ./librsvg.nix {}; glib-testing = callInstalledTest ./glib-testing.nix {}; libjcat = callInstalledTest ./libjcat.nix {}; libxmlb = callInstalledTest ./libxmlb.nix {}; diff --git a/nixos/tests/installed-tests/gnome-photos.nix b/nixos/tests/installed-tests/gnome-photos.nix index 05e7ccb65ad52..bcb6479ee89c6 100644 --- a/nixos/tests/installed-tests/gnome-photos.nix +++ b/nixos/tests/installed-tests/gnome-photos.nix @@ -7,7 +7,7 @@ makeInstalledTest { testConfig = { programs.dconf.enable = true; - services.gnome3.at-spi2-core.enable = true; # needed for dogtail + services.gnome.at-spi2-core.enable = true; # needed for dogtail environment.systemPackages = with pkgs; [ # gsettings tool with access to gsettings-desktop-schemas (stdenv.mkDerivation { diff --git a/nixos/tests/installed-tests/libgdata.nix b/nixos/tests/installed-tests/libgdata.nix index f11a7bc1bc511..b0d39c042be4e 100644 --- a/nixos/tests/installed-tests/libgdata.nix +++ b/nixos/tests/installed-tests/libgdata.nix @@ -6,6 +6,6 @@ makeInstalledTest { testConfig = { # # GLib-GIO-DEBUG: _g_io_module_get_default: Found default implementation dummy (GDummyTlsBackend) for ‘gio-tls-backend’ # Bail out! libgdata:ERROR:../gdata/tests/common.c:134:gdata_test_init: assertion failed (child_error == NULL): TLS support is not available (g-tls-error-quark, 0) - services.gnome3.glib-networking.enable = true; + services.gnome.glib-networking.enable = true; }; } diff --git a/nixos/tests/installed-tests/librsvg.nix b/nixos/tests/installed-tests/librsvg.nix new file mode 100644 index 0000000000000..378e7cce3ff4c --- /dev/null +++ b/nixos/tests/installed-tests/librsvg.nix @@ -0,0 +1,9 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.librsvg; + + testConfig = { + virtualisation.memorySize = 2047; + }; +} diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index 24c55081f9a43..48f0f59342557 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -75,7 +75,7 @@ let else '' def assemble_qemu_flags(): flags = "-cpu max" - ${if system == "x86_64-linux" + ${if (system == "x86_64-linux" || system == "i686-linux") then ''flags += " -m 1024"'' else ''flags += " -m 768 -enable-kvm -machine virt,gic-version=host"'' } diff --git a/nixos/tests/ipv6.nix b/nixos/tests/ipv6.nix index f9d6d82b54acf..75faa6f602010 100644 --- a/nixos/tests/ipv6.nix +++ b/nixos/tests/ipv6.nix @@ -8,12 +8,34 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { }; nodes = - # Remove the interface configuration provided by makeTest so that the - # interfaces are all configured implicitly - { client = { ... }: { networking.interfaces = lib.mkForce {}; }; + { + # We use lib.mkForce here to remove the interface configuration + # provided by makeTest, so that the interfaces are all configured + # implicitly. + + # This client should use privacy extensions fully, having a + # completely-default network configuration. + client_defaults.networking.interfaces = lib.mkForce {}; + + # Both of these clients should obtain temporary addresses, but + # not use them as the default source IP. We thus run the same + # checks against them — but the configuration resulting in this + # behaviour is different. + + # Here, by using an altered default value for the global setting... + client_global_setting = { + networking.interfaces = lib.mkForce {}; + networking.tempAddresses = "enabled"; + }; + # and here, by setting this on the interface explicitly. + client_interface_setting = { + networking.tempAddresses = "disabled"; + networking.interfaces = lib.mkForce { + eth1.tempAddress = "enabled"; + }; + }; server = - { ... }: { services.httpd.enable = true; services.httpd.adminAddr = "foo@example.org"; networking.firewall.allowedTCPPorts = [ 80 ]; @@ -40,9 +62,12 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { # Start the router first so that it respond to router solicitations. router.wait_for_unit("radvd") + clients = [client_defaults, client_global_setting, client_interface_setting] + start_all() - client.wait_for_unit("network.target") + for client in clients: + client.wait_for_unit("network.target") server.wait_for_unit("network.target") server.wait_for_unit("httpd.service") @@ -64,28 +89,42 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { with subtest("Loopback address can be pinged"): - client.succeed("ping -c 1 ::1 >&2") - client.fail("ping -c 1 ::2 >&2") + client_defaults.succeed("ping -c 1 ::1 >&2") + client_defaults.fail("ping -c 1 2001:db8:: >&2") with subtest("Local link addresses can be obtained and pinged"): - client_ip = wait_for_address(client, "eth1", "link") - server_ip = wait_for_address(server, "eth1", "link") - client.succeed(f"ping -c 1 {client_ip}%eth1 >&2") - client.succeed(f"ping -c 1 {server_ip}%eth1 >&2") + for client in clients: + client_ip = wait_for_address(client, "eth1", "link") + server_ip = wait_for_address(server, "eth1", "link") + client.succeed(f"ping -c 1 {client_ip}%eth1 >&2") + client.succeed(f"ping -c 1 {server_ip}%eth1 >&2") with subtest("Global addresses can be obtained, pinged, and reached via http"): - client_ip = wait_for_address(client, "eth1", "global") - server_ip = wait_for_address(server, "eth1", "global") - client.succeed(f"ping -c 1 {client_ip} >&2") - client.succeed(f"ping -c 1 {server_ip} >&2") - client.succeed(f"curl --fail -g http://[{server_ip}]") - client.fail(f"curl --fail -g http://[{client_ip}]") - - with subtest("Privacy extensions: Global temporary address can be obtained and pinged"): - ip = wait_for_address(client, "eth1", "global", temporary=True) + for client in clients: + client_ip = wait_for_address(client, "eth1", "global") + server_ip = wait_for_address(server, "eth1", "global") + client.succeed(f"ping -c 1 {client_ip} >&2") + client.succeed(f"ping -c 1 {server_ip} >&2") + client.succeed(f"curl --fail -g http://[{server_ip}]") + client.fail(f"curl --fail -g http://[{client_ip}]") + + with subtest( + "Privacy extensions: Global temporary address is used as default source address" + ): + ip = wait_for_address(client_defaults, "eth1", "global", temporary=True) # Default route should have "src <temporary address>" in it - client.succeed(f"ip r g ::2 | grep {ip}") - - # TODO: test reachability of a machine on another network. + client_defaults.succeed(f"ip route get 2001:db8:: | grep 'src {ip}'") + + for client, setting_desc in ( + (client_global_setting, "global"), + (client_interface_setting, "interface"), + ): + with subtest(f'Privacy extensions: "enabled" through {setting_desc} setting)'): + # We should be obtaining both a temporary address and an EUI-64 address... + ip = wait_for_address(client, "eth1", "global") + assert "ff:fe" in ip + ip_temp = wait_for_address(client, "eth1", "global", temporary=True) + # But using the EUI-64 one. + client.succeed(f"ip route get 2001:db8:: | grep 'src {ip}'") ''; }) diff --git a/nixos/tests/jellyfin.nix b/nixos/tests/jellyfin.nix index 65360624d4875..cae31a7192582 100644 --- a/nixos/tests/jellyfin.nix +++ b/nixos/tests/jellyfin.nix @@ -1,16 +1,155 @@ -import ./make-test-python.nix ({ lib, ...}: - -{ - name = "jellyfin"; - meta.maintainers = with lib.maintainers; [ minijackson ]; - - machine = - { ... }: - { services.jellyfin.enable = true; }; - - testScript = '' - machine.wait_for_unit("jellyfin.service") - machine.wait_for_open_port(8096) - machine.succeed("curl --fail http://localhost:8096/") - ''; -}) +import ./make-test-python.nix ({ lib, pkgs, ... }: + + { + name = "jellyfin"; + meta.maintainers = with lib.maintainers; [ minijackson ]; + + machine = + { ... }: + { + services.jellyfin.enable = true; + environment.systemPackages = with pkgs; [ ffmpeg ]; + }; + + # Documentation of the Jellyfin API: https://api.jellyfin.org/ + # Beware, this link can be resource intensive + testScript = + let + payloads = { + auth = pkgs.writeText "auth.json" (builtins.toJSON { + Username = "jellyfin"; + }); + empty = pkgs.writeText "empty.json" (builtins.toJSON { }); + }; + in + '' + import json + from urllib.parse import urlencode + + machine.wait_for_unit("jellyfin.service") + machine.wait_for_open_port(8096) + machine.succeed("curl --fail http://localhost:8096/") + + machine.wait_until_succeeds("curl --fail http://localhost:8096/health | grep Healthy") + + auth_header = 'MediaBrowser Client="NixOS Integration Tests", DeviceId="1337", Device="Apple II", Version="20.09"' + + + def api_get(path): + return f"curl --fail 'http://localhost:8096{path}' -H 'X-Emby-Authorization:{auth_header}'" + + + def api_post(path, json_file=None): + if json_file: + return f"curl --fail -X post 'http://localhost:8096{path}' -d '@{json_file}' -H Content-Type:application/json -H 'X-Emby-Authorization:{auth_header}'" + else: + return f"curl --fail -X post 'http://localhost:8096{path}' -H 'X-Emby-Authorization:{auth_header}'" + + + with machine.nested("Wizard completes"): + machine.wait_until_succeeds(api_get("/Startup/Configuration")) + machine.succeed(api_get("/Startup/FirstUser")) + machine.succeed(api_post("/Startup/Complete")) + + with machine.nested("Can login"): + auth_result = machine.succeed( + api_post( + "/Users/AuthenticateByName", + "${payloads.auth}", + ) + ) + auth_result = json.loads(auth_result) + auth_token = auth_result["AccessToken"] + auth_header += f", Token={auth_token}" + + sessions_result = machine.succeed(api_get("/Sessions")) + sessions_result = json.loads(sessions_result) + + this_session = [ + session for session in sessions_result if session["DeviceId"] == "1337" + ] + if len(this_session) != 1: + raise Exception("Session not created") + + me = machine.succeed(api_get("/Users/Me")) + me = json.loads(me)["Id"] + + with machine.nested("Can add library"): + tempdir = machine.succeed("mktemp -d -p /var/lib/jellyfin").strip() + machine.succeed(f"chmod 755 '{tempdir}'") + + # Generate a dummy video that we can test later + videofile = f"{tempdir}/Big Buck Bunny (2008) [1080p].mkv" + machine.succeed(f"ffmpeg -f lavfi -i testsrc2=duration=5 '{videofile}'") + + add_folder_query = urlencode( + { + "name": "My Library", + "collectionType": "Movies", + "paths": tempdir, + "refreshLibrary": "true", + } + ) + + machine.succeed( + api_post( + f"/Library/VirtualFolders?{add_folder_query}", + "${payloads.empty}", + ) + ) + + + def is_refreshed(_): + folders = machine.succeed(api_get("/Library/VirtualFolders")) + folders = json.loads(folders) + print(folders) + return all(folder["RefreshStatus"] == "Idle" for folder in folders) + + + retry(is_refreshed) + + with machine.nested("Can identify videos"): + items = [] + + # For some reason, having the folder refreshed doesn't mean the + # movie was scanned + def has_movie(_): + global items + + items = machine.succeed( + api_get(f"/Users/{me}/Items?IncludeItemTypes=Movie&Recursive=true") + ) + items = json.loads(items)["Items"] + + return len(items) == 1 + + retry(has_movie) + + video = items[0]["Id"] + + item_info = machine.succeed(api_get(f"/Users/{me}/Items/{video}")) + item_info = json.loads(item_info) + + if item_info["Name"] != "Big Buck Bunny": + raise Exception("Jellyfin failed to properly identify file") + + with machine.nested("Can read videos"): + media_source_id = item_info["MediaSources"][0]["Id"] + + machine.succeed( + "ffmpeg" + + f" -headers 'X-Emby-Authorization:{auth_header}'" + + f" -i http://localhost:8096/Videos/{video}/master.m3u8?mediaSourceId={media_source_id}" + + " /tmp/test.mkv" + ) + + duration = machine.succeed( + "ffprobe /tmp/test.mkv" + + " -show_entries format=duration" + + " -of compact=print_section=0:nokey=1" + ) + + if duration.strip() != "5.000000": + raise Exception("Downloaded video has wrong duration") + ''; + }) diff --git a/nixos/tests/kernel-generic.nix b/nixos/tests/kernel-generic.nix index 17089141e9e43..a300609cf2bfc 100644 --- a/nixos/tests/kernel-generic.nix +++ b/nixos/tests/kernel-generic.nix @@ -32,6 +32,7 @@ with pkgs; { linux_5_4 = makeKernelTest "5.4" linuxPackages_5_4; linux_5_10 = makeKernelTest "5.10" linuxPackages_5_10; linux_5_11 = makeKernelTest "5.11" linuxPackages_5_11; + linux_5_12 = makeKernelTest "5.12" linuxPackages_5_12; linux_testing = makeKernelTest "testing" linuxPackages_testing; } diff --git a/nixos/tests/keycloak.nix b/nixos/tests/keycloak.nix index 45d8677af5675..fc321b8902f1d 100644 --- a/nixos/tests/keycloak.nix +++ b/nixos/tests/keycloak.nix @@ -3,7 +3,8 @@ # client using their Keycloak login. let - frontendUrl = "http://keycloak/auth"; + certs = import ./common/acme/server/snakeoil-certs.nix; + frontendUrl = "https://${certs.domain}/auth"; initialAdminPassword = "h4IhoJFnt2iQIR9"; keycloakTest = import ./make-test-python.nix ( @@ -17,11 +18,27 @@ let nodes = { keycloak = { ... }: { virtualisation.memorySize = 1024; + + security.pki.certificateFiles = [ + certs.ca.cert + ]; + + networking.extraHosts = '' + 127.0.0.1 ${certs.domain} + ''; + services.keycloak = { enable = true; - inherit frontendUrl databaseType initialAdminPassword; - databasePasswordFile = pkgs.writeText "dbPassword" "wzf6vOCbPp6cqTH"; + inherit frontendUrl initialAdminPassword; + sslCertificate = certs.${certs.domain}.cert; + sslCertificateKey = certs.${certs.domain}.key; + database = { + type = databaseType; + username = "bogus"; + passwordFile = pkgs.writeText "dbPassword" "wzf6vOCbPp6cqTH"; + }; }; + environment.systemPackages = with pkgs; [ xmlstarlet libtidy diff --git a/nixos/tests/keymap.nix b/nixos/tests/keymap.nix index 09d5d2a6c9e14..a18a05f90c6d3 100644 --- a/nixos/tests/keymap.nix +++ b/nixos/tests/keymap.nix @@ -107,17 +107,32 @@ in pkgs.lib.mapAttrs mkKeyboardTest { altgr.expect = [ "~" "#" "{" "[" "|" ]; }; - extraConfig.console.keyMap = "azerty/fr"; + extraConfig.console.keyMap = "fr"; extraConfig.services.xserver.layout = "fr"; }; + bone = { + tests = { + layer1.qwerty = [ "f" "j" ]; + layer1.expect = [ "e" "n" ]; + layer2.qwerty = [ "shift-f" "shift-j" "shift-6" ]; + layer2.expect = [ "E" "N" "$" ]; + layer3.qwerty = [ "caps_lock-d" "caps_lock-f" ]; + layer3.expect = [ "{" "}" ]; + }; + + extraConfig.console.keyMap = "bone"; + extraConfig.services.xserver.layout = "de"; + extraConfig.services.xserver.xkbVariant = "bone"; + }; + colemak = { tests = { homerow.qwerty = [ "a" "s" "d" "f" "j" "k" "l" "semicolon" ]; homerow.expect = [ "a" "r" "s" "t" "n" "e" "i" "o" ]; }; - extraConfig.console.keyMap = "colemak/colemak"; + extraConfig.console.keyMap = "colemak"; extraConfig.services.xserver.layout = "us"; extraConfig.services.xserver.xkbVariant = "colemak"; }; @@ -129,9 +144,13 @@ in pkgs.lib.mapAttrs mkKeyboardTest { symbols.qwerty = [ "q" "w" "e" "minus" "equal" ]; symbols.expect = [ "'" "," "." "[" "]" ]; }; + + extraConfig.console.keyMap = "dvorak"; + extraConfig.services.xserver.layout = "us"; + extraConfig.services.xserver.xkbVariant = "dvorak"; }; - dvp = { + dvorak-programmer = { tests = { homerow.qwerty = [ "a" "s" "d" "f" "j" "k" "l" "semicolon" ]; homerow.expect = [ "a" "o" "e" "u" "h" "t" "n" "s" ]; @@ -142,6 +161,7 @@ in pkgs.lib.mapAttrs mkKeyboardTest { symbols.expect = [ "&" "[" "{" "}" "(" "=" "*" ")" "+" "]" "!" ]; }; + extraConfig.console.keyMap = "dvorak-programmer"; extraConfig.services.xserver.layout = "us"; extraConfig.services.xserver.xkbVariant = "dvp"; }; @@ -156,6 +176,7 @@ in pkgs.lib.mapAttrs mkKeyboardTest { layer3.expect = [ "{" "}" ]; }; + extraConfig.console.keyMap = "neo"; extraConfig.services.xserver.layout = "de"; extraConfig.services.xserver.xkbVariant = "neo"; }; diff --git a/nixos/tests/libreswan.nix b/nixos/tests/libreswan.nix new file mode 100644 index 0000000000000..17ae60af8eed4 --- /dev/null +++ b/nixos/tests/libreswan.nix @@ -0,0 +1,134 @@ +# This test sets up a host-to-host IPsec VPN between Alice and Bob, each on its +# own network and with Eve as the only route between each other. We check that +# Eve can eavesdrop the plaintext traffic between Alice and Bob, but once they +# enable the secure tunnel Eve's spying becomes ineffective. + +import ./make-test-python.nix ({ lib, pkgs, ... }: + +let + + # IPsec tunnel between Alice and Bob + tunnelConfig = { + services.libreswan.enable = true; + services.libreswan.connections.tunnel = + '' + leftid=@alice + left=fd::a + rightid=@bob + right=fd::b + authby=secret + auto=add + ''; + environment.etc."ipsec.d/tunnel.secrets" = + { text = ''@alice @bob : PSK "j1JbIi9WY07rxwcNQ6nbyThKCf9DGxWOyokXIQcAQUnafsNTUJxfsxwk9WYK8fHj"''; + mode = "600"; + }; + }; + + # Common network setup + baseNetwork = { + # shared hosts file + extraHosts = lib.mkVMOverride '' + fd::a alice + fd::b bob + fd::e eve + ''; + # remove all automatic addresses + useDHCP = false; + interfaces.eth1.ipv4.addresses = lib.mkVMOverride []; + interfaces.eth2.ipv4.addresses = lib.mkVMOverride []; + # open a port for testing + firewall.allowedUDPPorts = [ 1234 ]; + }; + + # Adds an address and route from a to b via Eve + addRoute = a: b: { + interfaces.eth1.ipv6.addresses = + [ { address = a; prefixLength = 64; } ]; + interfaces.eth1.ipv6.routes = + [ { address = b; prefixLength = 128; via = "fd::e"; } ]; + }; + +in + +{ + name = "libreswan"; + meta = with lib.maintainers; { + maintainers = [ rnhmjoj ]; + }; + + # Our protagonist + nodes.alice = { ... }: { + virtualisation.vlans = [ 1 ]; + networking = baseNetwork // addRoute "fd::a" "fd::b"; + } // tunnelConfig; + + # Her best friend + nodes.bob = { ... }: { + virtualisation.vlans = [ 2 ]; + networking = baseNetwork // addRoute "fd::b" "fd::a"; + } // tunnelConfig; + + # The malicious network operator + nodes.eve = { ... }: { + virtualisation.vlans = [ 1 2 ]; + networking = lib.mkMerge + [ baseNetwork + { interfaces.br0.ipv6.addresses = + [ { address = "fd::e"; prefixLength = 64; } ]; + bridges.br0.interfaces = [ "eth1" "eth2" ]; + } + ]; + environment.systemPackages = [ pkgs.tcpdump ]; + boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = true; + }; + + testScript = + '' + def alice_to_bob(msg: str): + """ + Sends a message as Alice to Bob + """ + bob.execute("nc -lu ::0 1234 >/tmp/msg &") + alice.sleep(1) + alice.succeed(f"echo '{msg}' | nc -uw 0 bob 1234") + bob.succeed(f"grep '{msg}' /tmp/msg") + + + def eavesdrop(): + """ + Starts eavesdropping on Alice and Bob + """ + match = "src host alice and dst host bob" + eve.execute(f"tcpdump -i br0 -c 1 -Avv {match} >/tmp/log &") + + + start_all() + + with subtest("Network is up"): + alice.wait_until_succeeds("ping -c1 bob") + + with subtest("Eve can eavesdrop cleartext traffic"): + eavesdrop() + alice_to_bob("I secretly love turnip") + eve.sleep(1) + eve.succeed("grep turnip /tmp/log") + + with subtest("Libreswan is ready"): + alice.wait_for_unit("ipsec") + bob.wait_for_unit("ipsec") + alice.succeed("ipsec verify 1>&2") + + with subtest("Alice and Bob can start the tunnel"): + alice.execute("ipsec auto --start tunnel &") + bob.succeed("ipsec auto --start tunnel") + # apparently this is needed to "wake" the tunnel + bob.execute("ping -c1 alice") + + with subtest("Eve no longer can eavesdrop"): + eavesdrop() + alice_to_bob("Just kidding, I actually like rhubarb") + eve.sleep(1) + eve.fail("grep rhubarb /tmp/log") + ''; +}) diff --git a/nixos/tests/lightdm.nix b/nixos/tests/lightdm.nix index 9611bdbdafec3..e98230ecb1794 100644 --- a/nixos/tests/lightdm.nix +++ b/nixos/tests/lightdm.nix @@ -1,7 +1,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { name = "lightdm"; meta = with pkgs.lib.maintainers; { - maintainers = [ aszlig worldofpeace ]; + maintainers = [ aszlig ]; }; machine = { ... }: { diff --git a/nixos/tests/minecraft-server.nix b/nixos/tests/minecraft-server.nix index e6e0bca972a97..dbe2cd6d56fe1 100644 --- a/nixos/tests/minecraft-server.nix +++ b/nixos/tests/minecraft-server.nix @@ -24,7 +24,7 @@ in import ./make-test-python.nix ({ pkgs, ... }: { }; }; - virtualisation.memorySize = 2048; + virtualisation.memorySize = 2047; }; testScript = '' diff --git a/nixos/tests/mosquitto.nix b/nixos/tests/mosquitto.nix index 308c1396013d6..e29bd559ed9bb 100644 --- a/nixos/tests/mosquitto.nix +++ b/nixos/tests/mosquitto.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: let port = 1888; @@ -30,6 +30,9 @@ in { ]; }; }; + + # disable private /tmp for this test + systemd.services.mosquitto.serviceConfig.PrivateTmp = lib.mkForce false; }; client1 = client; diff --git a/nixos/tests/networking.nix b/nixos/tests/networking.nix index 1ea61f99a9513..c8756207f27b6 100644 --- a/nixos/tests/networking.nix +++ b/nixos/tests/networking.nix @@ -511,7 +511,7 @@ let machine.sleep(10) residue = machine.succeed("ip tuntap list") assert ( - residue is "" + residue == "" ), "Some virtual interface has not been properly cleaned:\n{}".format(residue) ''; }; @@ -665,10 +665,10 @@ let ipv4Residue = machine.succeed("ip -4 route list dev eth0 | head -n-3").strip() ipv6Residue = machine.succeed("ip -6 route list dev eth0 | head -n-3").strip() assert ( - ipv4Residue is "" + ipv4Residue == "" ), "The IPv4 routing table has not been properly cleaned:\n{}".format(ipv4Residue) assert ( - ipv6Residue is "" + ipv6Residue == "" ), "The IPv6 routing table has not been properly cleaned:\n{}".format(ipv6Residue) ''; }; diff --git a/nixos/tests/nfs/kerberos.nix b/nixos/tests/nfs/kerberos.nix index 75d1210496b00..5684131f671b1 100644 --- a/nixos/tests/nfs/kerberos.nix +++ b/nixos/tests/nfs/kerberos.nix @@ -88,8 +88,8 @@ in "kdb5_util create -s -r NFS.TEST -P master_key", "systemctl restart kadmind.service kdc.service", ) - server.wait_for_unit(f"kadmind.service") - server.wait_for_unit(f"kdc.service") + server.wait_for_unit("kadmind.service") + server.wait_for_unit("kdc.service") # create principals server.succeed( @@ -102,8 +102,8 @@ in # add principals to server keytab server.succeed("kadmin.local ktadd nfs/server.nfs.test") server.succeed("systemctl start rpc-gssd.service rpc-svcgssd.service") - server.wait_for_unit(f"rpc-gssd.service") - server.wait_for_unit(f"rpc-svcgssd.service") + server.wait_for_unit("rpc-gssd.service") + server.wait_for_unit("rpc-svcgssd.service") client.wait_for_unit("network-online.target") diff --git a/nixos/tests/nixos-generate-config.nix b/nixos/tests/nixos-generate-config.nix index 7bf8d4da7b6d4..1dadf4992ed00 100644 --- a/nixos/tests/nixos-generate-config.nix +++ b/nixos/tests/nixos-generate-config.nix @@ -14,7 +14,7 @@ import ./make-test-python.nix ({ lib, ... } : { system.nixos-generate-config.desktopConfiguration = ['' # DESKTOP services.xserver.displayManager.gdm.enable = true; - services.xserver.desktopManager.gnome3.enable = true; + services.xserver.desktopManager.gnome.enable = true; '']; }; testScript = '' @@ -35,7 +35,7 @@ import ./make-test-python.nix ({ lib, ... } : { # Test if the Perl variable $desktopConfiguration is spliced correctly machine.succeed( - "grep 'services\\.xserver\\.desktopManager\\.gnome3\\.enable = true;' /etc/nixos/configuration.nix" + "grep 'services\\.xserver\\.desktopManager\\.gnome\\.enable = true;' /etc/nixos/configuration.nix" ) ''; }) diff --git a/nixos/tests/nsd.nix b/nixos/tests/nsd.nix index a558ee0a42542..7387f4f1dfa10 100644 --- a/nixos/tests/nsd.nix +++ b/nixos/tests/nsd.nix @@ -43,6 +43,10 @@ in import ./make-test-python.nix ({ pkgs, ...} : { services.nsd.enable = true; services.nsd.rootServer = true; services.nsd.interfaces = lib.mkForce []; + services.nsd.keys."tsig.example.com." = { + algorithm = "hmac-sha256"; + keyFile = pkgs.writeTextFile { name = "tsig.example.com."; text = "aR3FJA92+bxRSyosadsJ8Aeeav5TngQW/H/EF9veXbc="; }; + }; services.nsd.zones."example.com.".data = '' @ SOA ns.example.com noc.example.com 666 7200 3600 1209600 3600 ipv4 A 1.2.3.4 @@ -51,6 +55,7 @@ in import ./make-test-python.nix ({ pkgs, ...} : { ns A 192.168.0.1 ns AAAA dead:beef::1 ''; + services.nsd.zones."example.com.".provideXFR = [ "0.0.0.0 tsig.example.com." ]; services.nsd.zones."deleg.example.com.".data = '' @ SOA ns.example.com noc.example.com 666 7200 3600 1209600 3600 @ A 9.8.7.6 @@ -71,6 +76,10 @@ in import ./make-test-python.nix ({ pkgs, ...} : { clientv6.wait_for_unit("network.target") server.wait_for_unit("nsd.service") + with subtest("server tsig.example.com."): + expected_tsig = " secret: \"aR3FJA92+bxRSyosadsJ8Aeeav5TngQW/H/EF9veXbc=\"\n" + tsig=server.succeed("cat /var/lib/nsd/private/tsig.example.com.") + assert expected_tsig == tsig, f"Expected /var/lib/nsd/private/tsig.example.com. to contain '{expected_tsig}', but found '{tsig}'" def assert_host(type, rr, query, expected): self = clientv4 if type == 4 else clientv6 diff --git a/nixos/tests/oci-containers.nix b/nixos/tests/oci-containers.nix index 0dfc7ffb276be..68077e3540a5e 100644 --- a/nixos/tests/oci-containers.nix +++ b/nixos/tests/oci-containers.nix @@ -12,7 +12,7 @@ let name = "oci-containers-${backend}"; meta = { - maintainers = with lib.maintainers; [ adisbladis benley mkaito ]; + maintainers = with lib.maintainers; [ adisbladis benley ] ++ lib.teams.serokell.members; }; nodes = { diff --git a/nixos/tests/opensmtpd-rspamd.nix b/nixos/tests/opensmtpd-rspamd.nix new file mode 100644 index 0000000000000..9cb2624e6c4e9 --- /dev/null +++ b/nixos/tests/opensmtpd-rspamd.nix @@ -0,0 +1,142 @@ +import ./make-test-python.nix { + name = "opensmtpd-rspamd"; + + nodes = { + smtp1 = { pkgs, ... }: { + imports = [ common/user-account.nix ]; + networking = { + firewall.allowedTCPPorts = [ 25 143 ]; + useDHCP = false; + interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ + { address = "192.168.1.1"; prefixLength = 24; } + ]; + }; + environment.systemPackages = [ pkgs.opensmtpd ]; + services.opensmtpd = { + enable = true; + extraServerArgs = [ "-v" ]; + serverConfiguration = '' + listen on 0.0.0.0 + action dovecot_deliver mda \ + "${pkgs.dovecot}/libexec/dovecot/deliver -d %{user.username}" + match from any for local action dovecot_deliver + + action do_relay relay + # DO NOT DO THIS IN PRODUCTION! + # Setting up authentication requires a certificate which is painful in + # a test environment, but THIS WOULD BE DANGEROUS OUTSIDE OF A + # WELL-CONTROLLED ENVIRONMENT! + match from any for any action do_relay + ''; + }; + services.dovecot2 = { + enable = true; + enableImap = true; + mailLocation = "maildir:~/mail"; + protocols = [ "imap" ]; + }; + }; + + smtp2 = { pkgs, ... }: { + imports = [ common/user-account.nix ]; + virtualisation.memorySize = 512; + networking = { + firewall.allowedTCPPorts = [ 25 143 ]; + useDHCP = false; + interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ + { address = "192.168.1.2"; prefixLength = 24; } + ]; + }; + environment.systemPackages = [ pkgs.opensmtpd ]; + services.rspamd = { + enable = true; + locals."worker-normal.inc".text = '' + bind_socket = "127.0.0.1:11333"; + ''; + }; + services.opensmtpd = { + enable = true; + extraServerArgs = [ "-v" ]; + serverConfiguration = '' + filter rspamd proc-exec "${pkgs.opensmtpd-filter-rspamd}/bin/filter-rspamd" + listen on 0.0.0.0 filter rspamd + action dovecot_deliver mda \ + "${pkgs.dovecot}/libexec/dovecot/deliver -d %{user.username}" + match from any for local action dovecot_deliver + ''; + }; + services.dovecot2 = { + enable = true; + enableImap = true; + mailLocation = "maildir:~/mail"; + protocols = [ "imap" ]; + }; + }; + + client = { pkgs, ... }: { + networking = { + useDHCP = false; + interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ + { address = "192.168.1.3"; prefixLength = 24; } + ]; + }; + environment.systemPackages = let + sendTestMail = pkgs.writeScriptBin "send-a-test-mail" '' + #!${pkgs.python3.interpreter} + import smtplib, sys + + with smtplib.SMTP('192.168.1.1') as smtp: + smtp.sendmail('alice@[192.168.1.1]', 'bob@[192.168.1.2]', """ + From: alice@smtp1 + To: bob@smtp2 + Subject: Test + + Hello World + Here goes the spam test + XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X + """) + ''; + + checkMailBounced = pkgs.writeScriptBin "check-mail-bounced" '' + #!${pkgs.python3.interpreter} + import imaplib + + with imaplib.IMAP4('192.168.1.1', 143) as imap: + imap.login('alice', 'foobar') + imap.select() + status, refs = imap.search(None, 'ALL') + assert status == 'OK' + assert len(refs) == 1 + status, msg = imap.fetch(refs[0], 'BODY[TEXT]') + assert status == 'OK' + content = msg[0][1] + print("===> content:", content) + assert b"An error has occurred while attempting to deliver a message" in content + ''; + in [ sendTestMail checkMailBounced ]; + }; + }; + + testScript = '' + start_all() + + client.wait_for_unit("network-online.target") + smtp1.wait_for_unit("opensmtpd") + smtp2.wait_for_unit("opensmtpd") + smtp2.wait_for_unit("rspamd") + smtp2.wait_for_unit("dovecot2") + + # To prevent sporadic failures during daemon startup, make sure + # services are listening on their ports before sending requests + smtp1.wait_for_open_port(25) + smtp2.wait_for_open_port(25) + smtp2.wait_for_open_port(143) + smtp2.wait_for_open_port(11333) + + client.succeed("send-a-test-mail") + smtp1.wait_until_fails("smtpctl show queue | egrep .") + client.succeed("check-mail-bounced >&2") + ''; + + meta.timeout = 1800; +} diff --git a/nixos/tests/os-prober.nix b/nixos/tests/os-prober.nix index f778d30bdc06c..3cc38ebe34716 100644 --- a/nixos/tests/os-prober.nix +++ b/nixos/tests/os-prober.nix @@ -69,6 +69,9 @@ in { imports = [ ../modules/profiles/installation-device.nix ../modules/profiles/base.nix ]; virtualisation.memorySize = 1300; + # To add the secondary disk: + virtualisation.qemu.options = [ "-drive index=2,file=${debianImage}/disk-image.qcow2,read-only,if=virtio" ]; + # The test cannot access the network, so any packages # nixos-rebuild needs must be included in the VM. system.extraDependencies = with pkgs; @@ -95,11 +98,6 @@ in { }); testScript = '' - # hack to add the secondary disk - os.environ[ - "QEMU_OPTS" - ] = "-drive index=2,file=${debianImage}/disk-image.qcow2,read-only,if=virtio" - machine.start() machine.succeed("udevadm settle") machine.wait_for_unit("multi-user.target") diff --git a/nixos/tests/pinnwand.nix b/nixos/tests/pinnwand.nix index 0c583e1104dec..0391c4133111b 100644 --- a/nixos/tests/pinnwand.nix +++ b/nixos/tests/pinnwand.nix @@ -61,7 +61,7 @@ in client.wait_until_succeeds("ping -c1 server") # make sure pinnwand is listening - server.wait_until_succeeds("ss -lnp | grep ${toString port}") + server.wait_for_open_port(${toString port}) # send the contents of /etc/machine-id response = client.succeed("steck paste /etc/machine-id") @@ -75,6 +75,12 @@ in if line.startswith("Removal link:"): removal_link = line.split(":", 1)[1] + + # start the reaper, it shouldn't do anything meaningful here + server.systemctl("start pinnwand-reaper.service") + server.wait_until_fails("systemctl is-active -q pinnwand-reaper.service") + server.log(server.execute("journalctl -u pinnwand-reaper -e --no-pager")[1]) + # check whether paste matches what we sent client.succeed(f"curl {raw_url} > /tmp/machine-id") client.succeed("diff /tmp/machine-id /etc/machine-id") @@ -82,5 +88,7 @@ in # remove paste and check that it's not available any more client.succeed(f"curl {removal_link}") client.fail(f"curl --fail {raw_url}") + + server.log(server.succeed("systemd-analyze security pinnwand")) ''; }) diff --git a/nixos/tests/plotinus.nix b/nixos/tests/plotinus.nix index 39a4234dbf73a..ddd6a4c119461 100644 --- a/nixos/tests/plotinus.nix +++ b/nixos/tests/plotinus.nix @@ -9,7 +9,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { { imports = [ ./common/x11.nix ]; programs.plotinus.enable = true; - environment.systemPackages = [ pkgs.gnome3.gnome-calculator pkgs.xdotool ]; + environment.systemPackages = [ pkgs.gnome.gnome-calculator pkgs.xdotool ]; }; testScript = '' diff --git a/nixos/tests/printing.nix b/nixos/tests/printing.nix index 6a1801fb28840..b2f2540fb7a13 100644 --- a/nixos/tests/printing.nix +++ b/nixos/tests/printing.nix @@ -50,7 +50,6 @@ in { testScript = '' import os import re - import sys start_all() diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index 21419c0d081a3..e3bfff218adb0 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -302,7 +302,7 @@ let url = "http://localhost"; configFile = pkgs.writeText "json-exporter-conf.json" (builtins.toJSON { metrics = [ - { name = "json_test_metric"; path = "$.test"; } + { name = "json_test_metric"; path = "{ .test }"; } ]; }); }; @@ -326,6 +326,57 @@ let ''; }; + kea = { + exporterConfig = { + enable = true; + controlSocketPaths = [ + "/run/kea/kea-dhcp6.sock" + ]; + }; + metricProvider = { + users.users.kea = { + isSystemUser = true; + }; + users.groups.kea = {}; + + systemd.services.prometheus-kea-exporter.after = [ "kea-dhcp6.service" ]; + + systemd.services.kea-dhcp6 = let + configFile = pkgs.writeText "kea-dhcp6.conf" (builtins.toJSON { + Dhcp6 = { + "control-socket" = { + "socket-type" = "unix"; + "socket-name" = "/run/kea/kea-dhcp6.sock"; + }; + }; + }); + in + { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + DynamicUser = false; + User = "kea"; + Group = "kea"; + ExecStart = "${pkgs.kea}/bin/kea-dhcp6 -c ${configFile}"; + StateDirectory = "kea"; + RuntimeDirectory = "kea"; + UMask = "0007"; + }; + }; + }; + exporterTest = '' + wait_for_unit("kea-dhcp6.service") + wait_for_file("/run/kea/kea-dhcp6.sock") + wait_for_unit("prometheus-kea-exporter.service") + wait_for_open_port(9547) + succeed( + "curl --fail localhost:9547/metrics | grep 'packets_received_total'" + ) + ''; + }; + knot = { exporterConfig = { enable = true; @@ -334,13 +385,48 @@ let services.knot = { enable = true; extraArgs = [ "-v" ]; + extraConfig = '' + server: + listen: 127.0.0.1@53 + + template: + - id: default + global-module: mod-stats + dnssec-signing: off + zonefile-sync: -1 + journal-db: /var/lib/knot/journal + kasp-db: /var/lib/knot/kasp + timer-db: /var/lib/knot/timer + zonefile-load: difference + storage: ${pkgs.buildEnv { + name = "foo"; + paths = [ + (pkgs.writeTextDir "test.zone" '' + @ SOA ns.example.com. noc.example.com. 2019031301 86400 7200 3600000 172800 + @ NS ns1 + @ NS ns2 + ns1 A 192.168.0.1 + '') + ]; + }} + + mod-stats: + - id: custom + edns-presence: on + query-type: on + + zone: + - domain: test + file: test.zone + module: mod-stats/custom + ''; }; }; exporterTest = '' wait_for_unit("knot.service") wait_for_unit("prometheus-knot-exporter.service") wait_for_open_port(9433) - succeed("curl -sSf 'localhost:9433' | grep -q 'knot_server_zone_count 0.0'") + succeed("curl -sSf 'localhost:9433' | grep -q 'knot_server_zone_count 1.0'") ''; }; @@ -371,8 +457,8 @@ let }; metricProvider = { systemd.services.prometheus-lnd-exporter.serviceConfig.DynamicUser = false; - services.bitcoind.enable = true; - services.bitcoind.extraConfig = '' + services.bitcoind.main.enable = true; + services.bitcoind.main.extraConfig = '' rpcauth=bitcoinrpc:e8fe33f797e698ac258c16c8d7aadfbe$872bdb8f4d787367c26bcfd75e6c23c4f19d44a69f5d1ad329e5adf3f82710f7 bitcoind.zmqpubrawblock=tcp://127.0.0.1:28332 bitcoind.zmqpubrawtx=tcp://127.0.0.1:28333 @@ -986,7 +1072,7 @@ let # Note: this does not connect the test environment to the Tor network. # Client, relay, bridge or exit connectivity are disabled by default. services.tor.enable = true; - services.tor.controlPort = 9051; + services.tor.settings.ControlPort = 9051; }; exporterTest = '' wait_for_unit("tor.service") diff --git a/nixos/tests/radicale.nix b/nixos/tests/radicale.nix index 1d3679c82a20c..5101628a682c6 100644 --- a/nixos/tests/radicale.nix +++ b/nixos/tests/radicale.nix @@ -1,140 +1,95 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: + let user = "someuser"; password = "some_password"; - port = builtins.toString 5232; + port = "5232"; + filesystem_folder = "/data/radicale"; + + cli = "${pkgs.calendar-cli}/bin/calendar-cli --caldav-user ${user} --caldav-pass ${password}"; +in { + name = "radicale3"; + meta.maintainers = with lib.maintainers; [ dotlambda ]; - common = { pkgs, ... }: { + machine = { pkgs, ... }: { services.radicale = { enable = true; - config = '' - [auth] - type = htpasswd - htpasswd_filename = /etc/radicale/htpasswd - htpasswd_encryption = bcrypt - - [storage] - filesystem_folder = /tmp/collections - ''; + settings = { + auth = { + type = "htpasswd"; + htpasswd_filename = "/etc/radicale/users"; + htpasswd_encryption = "bcrypt"; + }; + storage = { + inherit filesystem_folder; + hook = "git add -A && (git diff --cached --quiet || git commit -m 'Changes by '%(user)s)"; + }; + logging.level = "info"; + }; + rights = { + principal = { + user = ".+"; + collection = "{user}"; + permissions = "RW"; + }; + calendars = { + user = ".+"; + collection = "{user}/[^/]+"; + permissions = "rw"; + }; + }; }; + systemd.services.radicale.path = [ pkgs.git ]; + environment.systemPackages = [ pkgs.git ]; + systemd.tmpfiles.rules = [ "d ${filesystem_folder} 0750 radicale radicale -" ]; # WARNING: DON'T DO THIS IN PRODUCTION! # This puts unhashed secrets directly into the Nix store for ease of testing. - environment.etc."radicale/htpasswd".source = pkgs.runCommand "htpasswd" {} '' + environment.etc."radicale/users".source = pkgs.runCommand "htpasswd" {} '' ${pkgs.apacheHttpd}/bin/htpasswd -bcB "$out" ${user} ${password} ''; }; - -in - - import ./make-test-python.nix ({ lib, ... }@args: { - name = "radicale"; - meta.maintainers = with lib.maintainers; [ aneeshusa infinisil ]; - - nodes = rec { - radicale = radicale1; # Make the test script read more nicely - radicale1 = lib.recursiveUpdate (common args) { - nixpkgs.overlays = [ - (self: super: { - radicale1 = super.radicale1.overrideAttrs (oldAttrs: { - propagatedBuildInputs = with self.pythonPackages; - (oldAttrs.propagatedBuildInputs or []) ++ [ passlib ]; - }); - }) - ]; - system.stateVersion = "17.03"; - }; - radicale1_export = lib.recursiveUpdate radicale1 { - services.radicale.extraArgs = [ - "--export-storage" "/tmp/collections-new" - ]; - system.stateVersion = "17.03"; - }; - radicale2_verify = lib.recursiveUpdate radicale2 { - services.radicale.extraArgs = [ "--debug" "--verify-storage" ]; - system.stateVersion = "17.09"; - }; - radicale2 = lib.recursiveUpdate (common args) { - system.stateVersion = "17.09"; - }; - radicale3 = lib.recursiveUpdate (common args) { - system.stateVersion = "20.09"; - }; - }; - - # This tests whether the web interface is accessible to an authenticated user - testScript = { nodes }: let - switchToConfig = nodeName: let - newSystem = nodes.${nodeName}.config.system.build.toplevel; - in "${newSystem}/bin/switch-to-configuration test"; - in '' - with subtest("Check Radicale 1 functionality"): - radicale.succeed( - "${switchToConfig "radicale1"} >&2" - ) - radicale.wait_for_unit("radicale.service") - radicale.wait_for_open_port(${port}) - radicale.succeed( - "curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/" - ) - - with subtest("Export data in Radicale 2 format"): - radicale.succeed("systemctl stop radicale") - radicale.succeed("ls -al /tmp/collections") - radicale.fail("ls -al /tmp/collections-new") - - with subtest("Radicale exits immediately after exporting storage"): - radicale.succeed( - "${switchToConfig "radicale1_export"} >&2" - ) - radicale.wait_until_fails("systemctl status radicale") - radicale.succeed("ls -al /tmp/collections") - radicale.succeed("ls -al /tmp/collections-new") - - with subtest("Verify data in Radicale 2 format"): - radicale.succeed("rm -r /tmp/collections/${user}") - radicale.succeed("mv /tmp/collections-new/collection-root /tmp/collections") - radicale.succeed( - "${switchToConfig "radicale2_verify"} >&2" - ) - radicale.wait_until_fails("systemctl status radicale") - - (retcode, logs) = radicale.execute("journalctl -u radicale -n 10") - assert ( - retcode == 0 and "Verifying storage" in logs - ), "Radicale 2 didn't verify storage" - assert ( - "failed" not in logs and "exception" not in logs - ), "storage verification failed" - - with subtest("Check Radicale 2 functionality"): - radicale.succeed( - "${switchToConfig "radicale2"} >&2" - ) - radicale.wait_for_unit("radicale.service") - radicale.wait_for_open_port(${port}) - - (retcode, output) = radicale.execute( - "curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/" - ) - assert ( - retcode == 0 and "VCALENDAR" in output - ), "Could not read calendar from Radicale 2" - - radicale.succeed("curl --fail http://${user}:${password}@localhost:${port}/.web/") - - with subtest("Check Radicale 3 functionality"): - radicale.succeed( - "${switchToConfig "radicale3"} >&2" - ) - radicale.wait_for_unit("radicale.service") - radicale.wait_for_open_port(${port}) - - (retcode, output) = radicale.execute( - "curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/" - ) - assert ( - retcode == 0 and "VCALENDAR" in output - ), "Could not read calendar from Radicale 3" - - radicale.succeed("curl --fail http://${user}:${password}@localhost:${port}/.web/") - ''; + testScript = '' + machine.wait_for_unit("radicale.service") + machine.wait_for_open_port(${port}) + + machine.succeed("sudo -u radicale git -C ${filesystem_folder} init") + machine.succeed( + "sudo -u radicale git -C ${filesystem_folder} config --local user.email radicale@example.com" + ) + machine.succeed( + "sudo -u radicale git -C ${filesystem_folder} config --local user.name radicale" + ) + + with subtest("Test calendar and event creation"): + machine.succeed( + "${cli} --caldav-url http://localhost:${port}/${user} calendar create cal" + ) + machine.succeed("test -d ${filesystem_folder}/collection-root/${user}/cal") + machine.succeed('test -z "$(ls ${filesystem_folder}/collection-root/${user}/cal)"') + machine.succeed( + "${cli} --caldav-url http://localhost:${port}/${user}/cal calendar add 2021-04-23 testevent" + ) + machine.succeed('test -n "$(ls ${filesystem_folder}/collection-root/${user}/cal)"') + (status, stdout) = machine.execute( + "sudo -u radicale git -C ${filesystem_folder} log --format=oneline | wc -l" + ) + assert status == 0, "git log failed" + assert stdout == "3\n", "there should be exactly 3 commits" + + with subtest("Test rights file"): + machine.fail( + "${cli} --caldav-url http://localhost:${port}/${user} calendar create sub/cal" + ) + machine.fail( + "${cli} --caldav-url http://localhost:${port}/otheruser calendar create cal" + ) + + with subtest("Test web interface"): + machine.succeed("curl --fail http://${user}:${password}@localhost:${port}/.web/") + + with subtest("Test security"): + output = machine.succeed("systemd-analyze security radicale.service") + machine.log(output) + assert output[-9:-1] == "SAFE :-}" + ''; }) diff --git a/nixos/tests/rspamd.nix b/nixos/tests/rspamd.nix index f0ccfe7ea0e6a..3fd55444fd8a5 100644 --- a/nixos/tests/rspamd.nix +++ b/nixos/tests/rspamd.nix @@ -25,6 +25,7 @@ let machine = { services.rspamd.enable = true; networking.enableIPv6 = enableIPv6; + virtualisation.memorySize = 1024; }; testScript = '' start_all() @@ -68,6 +69,7 @@ in group = "rspamd"; }]; }; + virtualisation.memorySize = 1024; }; testScript = '' @@ -116,6 +118,7 @@ in ''; }; }; + virtualisation.memorySize = 1024; }; testScript = '' @@ -221,6 +224,7 @@ in rspamd_logger.infox(rspamd_config, 'Work dammit!!!') ''; }; + virtualisation.memorySize = 1024; }; testScript = '' ${initMachine} @@ -287,6 +291,7 @@ in postfix.enable = true; workers.rspamd_proxy.type = "rspamd_proxy"; }; + virtualisation.memorySize = 1024; }; testScript = '' ${initMachine} diff --git a/nixos/tests/sanoid.nix b/nixos/tests/sanoid.nix index da6d4c9ffe828..c691bfc08ef72 100644 --- a/nixos/tests/sanoid.nix +++ b/nixos/tests/sanoid.nix @@ -33,14 +33,22 @@ in { autosnap = true; }; - datasets."pool/test".useTemplate = [ "test" ]; + datasets."pool/sanoid".useTemplate = [ "test" ]; + extraArgs = [ "--verbose" ]; }; services.syncoid = { enable = true; sshKey = "/var/lib/syncoid/id_ecdsa"; - commonArgs = [ "--no-sync-snap" ]; - commands."pool/test".target = "root@target:pool/test"; + commands = { + # Sync snapshot taken by sanoid + "pool/sanoid" = { + target = "root@target:pool/sanoid"; + extraArgs = [ "--no-sync-snap" ]; + }; + # Take snapshot and sync + "pool/syncoid".target = "root@target:pool/syncoid"; + }; }; }; target = { ... }: { @@ -54,18 +62,19 @@ in { testScript = '' source.succeed( - "mkdir /tmp/mnt", + "mkdir /mnt", "parted --script /dev/vdb -- mklabel msdos mkpart primary 1024M -1s", "udevadm settle", - "zpool create pool /dev/vdb1", - "zfs create -o mountpoint=legacy pool/test", - "mount -t zfs pool/test /tmp/mnt", + "zpool create pool -R /mnt /dev/vdb1", + "zfs create pool/sanoid", + "zfs create pool/syncoid", "udevadm settle", ) target.succeed( + "mkdir /mnt", "parted --script /dev/vdb -- mklabel msdos mkpart primary 1024M -1s", "udevadm settle", - "zpool create pool /dev/vdb1", + "zpool create pool -R /mnt /dev/vdb1", "udevadm settle", ) @@ -76,16 +85,15 @@ in { "chown -R syncoid:syncoid /var/lib/syncoid/", ) - source.succeed("touch /tmp/mnt/test.txt") + # Take snapshot with sanoid + source.succeed("touch /mnt/pool/sanoid/test.txt") source.systemctl("start --wait sanoid.service") + # Sync snapshots target.wait_for_open_port(22) + source.succeed("touch /mnt/pool/syncoid/test.txt") source.systemctl("start --wait syncoid.service") - target.succeed( - "mkdir /tmp/mnt", - "zfs set mountpoint=legacy pool/test", - "mount -t zfs pool/test /tmp/mnt", - ) - target.succeed("cat /tmp/mnt/test.txt") + target.succeed("cat /mnt/pool/sanoid/test.txt") + target.succeed("cat /mnt/pool/syncoid/test.txt") ''; }) diff --git a/nixos/tests/shadow.nix b/nixos/tests/shadow.nix index c51961e1fc68b..dd2a575b1935a 100644 --- a/nixos/tests/shadow.nix +++ b/nixos/tests/shadow.nix @@ -36,9 +36,9 @@ in import ./make-test-python.nix ({ pkgs, ... }: { with subtest("Normal login"): shadow.send_key("alt-f2") - shadow.wait_until_succeeds(f"[ $(fgconsole) = 2 ]") - shadow.wait_for_unit(f"getty@tty2.service") - shadow.wait_until_succeeds(f"pgrep -f 'agetty.*tty2'") + shadow.wait_until_succeeds("[ $(fgconsole) = 2 ]") + shadow.wait_for_unit("getty@tty2.service") + shadow.wait_until_succeeds("pgrep -f 'agetty.*tty2'") shadow.wait_until_tty_matches(2, "login: ") shadow.send_chars("emma\n") shadow.wait_until_tty_matches(2, "login: emma") @@ -60,9 +60,9 @@ in import ./make-test-python.nix ({ pkgs, ... }: { with subtest("Change password"): shadow.send_key("alt-f3") - shadow.wait_until_succeeds(f"[ $(fgconsole) = 3 ]") - shadow.wait_for_unit(f"getty@tty3.service") - shadow.wait_until_succeeds(f"pgrep -f 'agetty.*tty3'") + shadow.wait_until_succeeds("[ $(fgconsole) = 3 ]") + shadow.wait_for_unit("getty@tty3.service") + shadow.wait_until_succeeds("pgrep -f 'agetty.*tty3'") shadow.wait_until_tty_matches(3, "login: ") shadow.send_chars("emma\n") shadow.wait_until_tty_matches(3, "login: emma") @@ -78,9 +78,9 @@ in import ./make-test-python.nix ({ pkgs, ... }: { shadow.send_chars("${password3}\n") shadow.sleep(2) shadow.send_key("alt-f4") - shadow.wait_until_succeeds(f"[ $(fgconsole) = 4 ]") - shadow.wait_for_unit(f"getty@tty4.service") - shadow.wait_until_succeeds(f"pgrep -f 'agetty.*tty4'") + shadow.wait_until_succeeds("[ $(fgconsole) = 4 ]") + shadow.wait_for_unit("getty@tty4.service") + shadow.wait_until_succeeds("pgrep -f 'agetty.*tty4'") shadow.wait_until_tty_matches(4, "login: ") shadow.send_chars("emma\n") shadow.wait_until_tty_matches(4, "login: emma") @@ -106,9 +106,9 @@ in import ./make-test-python.nix ({ pkgs, ... }: { with subtest("nologin shell"): shadow.send_key("alt-f5") - shadow.wait_until_succeeds(f"[ $(fgconsole) = 5 ]") - shadow.wait_for_unit(f"getty@tty5.service") - shadow.wait_until_succeeds(f"pgrep -f 'agetty.*tty5'") + shadow.wait_until_succeeds("[ $(fgconsole) = 5 ]") + shadow.wait_for_unit("getty@tty5.service") + shadow.wait_until_succeeds("pgrep -f 'agetty.*tty5'") shadow.wait_until_tty_matches(5, "login: ") shadow.send_chars("layla\n") shadow.wait_until_tty_matches(5, "login: layla") diff --git a/nixos/tests/signal-desktop.nix b/nixos/tests/signal-desktop.nix index c424288e00a90..42485cd0da7ed 100644 --- a/nixos/tests/signal-desktop.nix +++ b/nixos/tests/signal-desktop.nix @@ -3,7 +3,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { name = "signal-desktop"; meta = with pkgs.lib.maintainers; { - maintainers = [ flokli ]; + maintainers = [ flokli primeos ]; }; machine = { ... }: @@ -16,7 +16,7 @@ import ./make-test-python.nix ({ pkgs, ...} : services.xserver.enable = true; test-support.displayManager.auto.user = "alice"; - environment.systemPackages = [ pkgs.signal-desktop ]; + environment.systemPackages = with pkgs; [ signal-desktop file ]; virtualisation.memorySize = 1024; }; @@ -39,5 +39,16 @@ import ./make-test-python.nix ({ pkgs, ...} : machine.wait_for_text("Signal") machine.wait_for_text("File Edit View Window Help") machine.screenshot("signal_desktop") + + # Test if the database is encrypted to prevent these issues: + # - https://github.com/NixOS/nixpkgs/issues/108772 + # - https://github.com/NixOS/nixpkgs/pull/117555 + print(machine.succeed("su - alice -c 'file ~/.config/Signal/sql/db.sqlite'")) + machine.succeed( + "su - alice -c 'file ~/.config/Signal/sql/db.sqlite' | grep 'db.sqlite: data'" + ) + machine.fail( + "su - alice -c 'file ~/.config/Signal/sql/db.sqlite' | grep -e SQLite -e database" + ) ''; }) diff --git a/nixos/tests/solanum.nix b/nixos/tests/solanum.nix new file mode 100644 index 0000000000000..aabfb906aa818 --- /dev/null +++ b/nixos/tests/solanum.nix @@ -0,0 +1,89 @@ +let + clients = [ + "ircclient1" + "ircclient2" + ]; + server = "solanum"; + ircPort = 6667; + channel = "nixos-cat"; + iiDir = "/tmp/irc"; +in + +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "solanum"; + nodes = { + "${server}" = { + networking.firewall.allowedTCPPorts = [ ircPort ]; + services.solanum = { + enable = true; + }; + }; + } // lib.listToAttrs (builtins.map (client: lib.nameValuePair client { + imports = [ + ./common/user-account.nix + ]; + + systemd.services.ii = { + requires = [ "network.target" ]; + wantedBy = [ "default.target" ]; + + serviceConfig = { + Type = "simple"; + ExecPreStartPre = "mkdir -p ${iiDir}"; + ExecStart = '' + ${lib.getBin pkgs.ii}/bin/ii -n ${client} -s ${server} -i ${iiDir} + ''; + User = "alice"; + }; + }; + }) clients); + + testScript = + let + msg = client: "Hello, my name is ${client}"; + clientScript = client: [ + '' + ${client}.wait_for_unit("network.target") + ${client}.systemctl("start ii") + ${client}.wait_for_unit("ii") + ${client}.wait_for_file("${iiDir}/${server}/out") + '' + # wait until first PING from server arrives before joining, + # so we don't try it too early + '' + ${client}.wait_until_succeeds("grep 'PING' ${iiDir}/${server}/out") + '' + # join ${channel} + '' + ${client}.succeed("echo '/j #${channel}' > ${iiDir}/${server}/in") + ${client}.wait_for_file("${iiDir}/${server}/#${channel}/in") + '' + # send a greeting + '' + ${client}.succeed( + "echo '${msg client}' > ${iiDir}/${server}/#${channel}/in" + ) + '' + # check that all greetings arrived on all clients + ] ++ builtins.map (other: '' + ${client}.succeed( + "grep '${msg other}$' ${iiDir}/${server}/#${channel}/out" + ) + '') clients; + + # foldl', but requires a non-empty list instead of a start value + reduce = f: list: + builtins.foldl' f (builtins.head list) (builtins.tail list); + in '' + start_all() + ${server}.systemctl("status solanum") + ${server}.wait_for_open_port(${toString ircPort}) + + # run clientScript for all clients so that every list + # entry is executed by every client before advancing + # to the next one. + '' + lib.concatStrings + (reduce + (lib.zipListsWith (cs: c: cs + c)) + (builtins.map clientScript clients)); +}) diff --git a/nixos/tests/sudo.nix b/nixos/tests/sudo.nix index 2a85c490665a9..4885d6e17b829 100644 --- a/nixos/tests/sudo.nix +++ b/nixos/tests/sudo.nix @@ -10,7 +10,7 @@ in maintainers = [ lschuermann ]; }; - machine = + nodes.machine = { lib, ... }: with lib; { @@ -48,6 +48,19 @@ in }; }; + nodes.strict = { ... }: { + users.users = { + admin = { isNormalUser = true; extraGroups = [ "wheel" ]; }; + noadmin = { isNormalUser = true; }; + }; + + security.sudo = { + enable = true; + wheelNeedsPassword = false; + execWheelOnly = true; + }; + }; + testScript = '' with subtest("users in wheel group should have passwordless sudo"): @@ -79,5 +92,11 @@ in with subtest("users in group 'barfoo' should not be able to keep their environment"): machine.fail("sudo -u test3 sudo -n -E -u root true") + + with subtest("users in wheel should be able to run sudo despite execWheelOnly"): + strict.succeed('su - admin -c "sudo -u root true"') + + with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"): + strict.fail('su - noadmin -c "sudo --help"') ''; }) diff --git a/nixos/tests/sway.nix b/nixos/tests/sway.nix new file mode 100644 index 0000000000000..1d23b0e94313e --- /dev/null +++ b/nixos/tests/sway.nix @@ -0,0 +1,106 @@ +import ./make-test-python.nix ({ pkgs, lib, ...} : + +{ + name = "sway"; + meta = { + maintainers = with lib.maintainers; [ primeos synthetica ]; + }; + + machine = { config, ... }: { + # Automatically login on tty1 as a normal user: + imports = [ ./common/user-account.nix ]; + services.getty.autologinUser = "alice"; + + environment = { + # For glinfo and wayland-info: + systemPackages = with pkgs; [ mesa-demos wayland-utils ]; + # Use a fixed SWAYSOCK path (for swaymsg): + variables."SWAYSOCK" = "/tmp/sway-ipc.sock"; + # For convenience: + shellAliases = { + test-x11 = "glinfo | head -n 3 | tee /tmp/test-x11.out && touch /tmp/test-x11-exit-ok"; + test-wayland = "wayland-info | tee /tmp/test-wayland.out && touch /tmp/test-wayland-exit-ok"; + }; + }; + + # Automatically configure and start Sway when logging in on tty1: + programs.bash.loginShellInit = '' + if [ "$(tty)" = "/dev/tty1" ]; then + set -e + + mkdir -p ~/.config/sway + sed s/Mod4/Mod1/ /etc/sway/config > ~/.config/sway/config + + sway --validate + sway && touch /tmp/sway-exit-ok + fi + ''; + + programs.sway.enable = true; + + # To test pinentry via gpg-agent: + programs.gnupg.agent.enable = true; + + virtualisation.memorySize = 1024; + # Need to switch to a different VGA card / GPU driver than the default one (std) so that Sway can launch: + virtualisation.qemu.options = [ "-vga virtio" ]; + }; + + enableOCR = true; + + testScript = { nodes, ... }: '' + start_all() + machine.wait_for_unit("multi-user.target") + + # To check the version: + print(machine.succeed("sway --version")) + + # Wait for Sway to complete startup: + machine.wait_for_file("/run/user/1000/wayland-1") + machine.wait_for_file("/tmp/sway-ipc.sock") + + # Test XWayland: + machine.succeed( + "su - alice -c 'swaymsg exec WINIT_UNIX_BACKEND=x11 WAYLAND_DISPLAY=invalid alacritty'" + ) + machine.wait_for_text("alice@machine") + machine.send_chars("test-x11\n") + machine.wait_for_file("/tmp/test-x11-exit-ok") + print(machine.succeed("cat /tmp/test-x11.out")) + machine.screenshot("alacritty_glinfo") + machine.succeed("pkill alacritty") + + # Start a terminal (Alacritty) on workspace 3: + machine.send_key("alt-3") + machine.succeed( + "su - alice -c 'swaymsg exec WINIT_UNIX_BACKEND=wayland DISPLAY=invalid alacritty'" + ) + machine.wait_for_text("alice@machine") + machine.send_chars("test-wayland\n") + machine.wait_for_file("/tmp/test-wayland-exit-ok") + print(machine.succeed("cat /tmp/test-wayland.out")) + machine.screenshot("alacritty_wayland_info") + machine.send_key("alt-shift-q") + machine.wait_until_fails("pgrep alacritty") + + # Test gpg-agent starting pinentry-gnome3 via D-Bus (tests if + # $WAYLAND_DISPLAY is correctly imported into the D-Bus user env): + machine.succeed( + "su - alice -c 'swaymsg -- exec gpg --no-tty --yes --quick-generate-key test'" + ) + machine.wait_until_succeeds("pgrep --exact gpg") + machine.wait_for_text("Passphrase") + machine.screenshot("gpg_pinentry") + machine.send_key("alt-shift-q") + machine.wait_until_fails("pgrep --exact gpg") + + # Test swaynag: + machine.send_key("alt-shift-e") + machine.wait_for_text("You pressed the exit shortcut.") + machine.screenshot("sway_exit") + + # Exit Sway and verify process exit status 0: + machine.succeed("su - alice -c 'swaymsg exit || true'") + machine.wait_for_file("/tmp/sway-exit-ok") + ''; +}) diff --git a/nixos/tests/systemd-confinement.nix b/nixos/tests/systemd-confinement.nix index d04e4a3f867cd..e6a308f46d27d 100644 --- a/nixos/tests/systemd-confinement.nix +++ b/nixos/tests/systemd-confinement.nix @@ -59,7 +59,8 @@ import ./make-test-python.nix { "chroot-exec chown 65534 /bin", ) machine.succeed( - 'test "$(chroot-exec id -u)" = 0', "chroot-exec chown 0 /bin", + 'test "$(chroot-exec id -u)" = 0', + "chroot-exec chown 0 /bin", ) ''; } diff --git a/nixos/tests/systemd-networkd.nix b/nixos/tests/systemd-networkd.nix index 4f2cb75f5a0cb..7faeae3704eca 100644 --- a/nixos/tests/systemd-networkd.nix +++ b/nixos/tests/systemd-networkd.nix @@ -6,7 +6,6 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: { networking.firewall.enable = false; virtualisation.vlans = [ 1 ]; environment.systemPackages = with pkgs; [ wireguard-tools ]; - boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ]; systemd.network = { enable = true; netdevs = { diff --git a/nixos/tests/trafficserver.nix b/nixos/tests/trafficserver.nix new file mode 100644 index 0000000000000..3979a1b4a4825 --- /dev/null +++ b/nixos/tests/trafficserver.nix @@ -0,0 +1,176 @@ +# verifies: +# 1. Traffic Server is able to start +# 2. Traffic Server spawns traffic_crashlog upon startup +# 3. Traffic Server proxies HTTP requests according to URL remapping rules +# in 'services.trafficserver.remap' +# 4. Traffic Server applies per-map settings specified with the conf_remap +# plugin +# 5. Traffic Server caches HTTP responses +# 6. Traffic Server processes HTTP PUSH requests +# 7. Traffic Server can load the healthchecks plugin +# 8. Traffic Server logs HTTP traffic as configured +# +# uses: +# - bin/traffic_manager +# - bin/traffic_server +# - bin/traffic_crashlog +# - bin/traffic_cache_tool +# - bin/traffic_ctl +# - bin/traffic_logcat +# - bin/traffic_logstats +# - bin/tspush +import ./make-test-python.nix ({ pkgs, ... }: { + name = "trafficserver"; + meta = with pkgs.lib.maintainers; { + maintainers = [ midchildan ]; + }; + + nodes = { + ats = { pkgs, lib, config, ... }: let + user = config.users.users.trafficserver.name; + group = config.users.groups.trafficserver.name; + healthchecks = pkgs.writeText "healthchecks.conf" '' + /status /tmp/ats.status text/plain 200 500 + ''; + in { + services.trafficserver.enable = true; + + services.trafficserver.records = { + proxy.config.http.server_ports = "80 80:ipv6"; + proxy.config.hostdb.host_file.path = "/etc/hosts"; + proxy.config.log.max_space_mb_headroom = 0; + proxy.config.http.push_method_enabled = 1; + + # check that cache storage is usable before accepting traffic + proxy.config.http.wait_for_cache = 2; + }; + + services.trafficserver.plugins = [ + { path = "healthchecks.so"; arg = toString healthchecks; } + { path = "xdebug.so"; } + ]; + + services.trafficserver.remap = '' + map http://httpbin.test http://httpbin + map http://pristine-host-hdr.test http://httpbin \ + @plugin=conf_remap.so \ + @pparam=proxy.config.url_remap.pristine_host_hdr=1 + map http://ats/tspush http://httpbin/cache \ + @plugin=conf_remap.so \ + @pparam=proxy.config.http.cache.required_headers=0 + ''; + + services.trafficserver.storage = '' + /dev/vdb volume=1 + ''; + + networking.firewall.allowedTCPPorts = [ 80 ]; + virtualisation.emptyDiskImages = [ 256 ]; + services.udev.extraRules = '' + KERNEL=="vdb", OWNER="${user}", GROUP="${group}" + ''; + }; + + httpbin = { pkgs, lib, ... }: let + python = pkgs.python3.withPackages + (ps: with ps; [ httpbin gunicorn gevent ]); + in { + systemd.services.httpbin = { + enable = true; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${python}/bin/gunicorn -b 0.0.0.0:80 httpbin:app -k gevent"; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 ]; + }; + + client = { pkgs, lib, ... }: { + environment.systemPackages = with pkgs; [ curl ]; + }; + }; + + testScript = { nodes, ... }: let + sampleFile = pkgs.writeText "sample.txt" '' + It's the season of White Album. + ''; + in '' + import json + import re + + ats.wait_for_unit("trafficserver") + ats.wait_for_open_port(80) + httpbin.wait_for_unit("httpbin") + httpbin.wait_for_open_port(80) + + with subtest("Traffic Server is running"): + out = ats.succeed("traffic_ctl server status") + assert out.strip() == "Proxy -- on" + + with subtest("traffic_crashlog is running"): + ats.succeed("pgrep -f traffic_crashlog") + + with subtest("basic remapping works"): + out = client.succeed("curl -vv -H 'Host: httpbin.test' http://ats/headers") + assert json.loads(out)["headers"]["Host"] == "httpbin" + + with subtest("conf_remap plugin works"): + out = client.succeed( + "curl -vv -H 'Host: pristine-host-hdr.test' http://ats/headers" + ) + assert json.loads(out)["headers"]["Host"] == "pristine-host-hdr.test" + + with subtest("caching works"): + out = client.succeed( + "curl -vv -D - -H 'Host: httpbin.test' -H 'X-Debug: X-Cache' http://ats/cache/60 -o /dev/null" + ) + assert "X-Cache: miss" in out + + out = client.succeed( + "curl -vv -D - -H 'Host: httpbin.test' -H 'X-Debug: X-Cache' http://ats/cache/60 -o /dev/null" + ) + assert "X-Cache: hit-fresh" in out + + with subtest("pushing to cache works"): + url = "http://ats/tspush" + + ats.succeed(f"echo {url} > /tmp/urls.txt") + out = ats.succeed( + f"tspush -f '${sampleFile}' -u {url}" + ) + assert "HTTP/1.0 201 Created" in out, "cache push failed" + + out = ats.succeed( + "traffic_cache_tool --spans /etc/trafficserver/storage.config find --input /tmp/urls.txt" + ) + assert "Span: /dev/vdb" in out, "cache not stored on disk" + + out = client.succeed(f"curl {url}").strip() + expected = ( + open("${sampleFile}").read().strip() + ) + assert out == expected, "cache content mismatch" + + with subtest("healthcheck plugin works"): + out = client.succeed("curl -vv http://ats/status -o /dev/null -w '%{http_code}'") + assert out.strip() == "500" + + ats.succeed("touch /tmp/ats.status") + + out = client.succeed("curl -vv http://ats/status -o /dev/null -w '%{http_code}'") + assert out.strip() == "200" + + with subtest("logging works"): + access_log_path = "/var/log/trafficserver/squid.blog" + ats.wait_for_file(access_log_path) + + out = ats.succeed(f"traffic_logcat {access_log_path}").split("\n")[0] + expected = "^\S+ \S+ \S+ TCP_MISS/200 \S+ GET http://httpbin/headers - DIRECT/httpbin application/json$" + assert re.fullmatch(expected, out) is not None, "no matching logs" + + out = json.loads(ats.succeed(f"traffic_logstats -jf {access_log_path}")) + assert out["total"]["error.total"]["req"] == "0", "unexpected log stat" + ''; +}) diff --git a/nixos/tests/unbound.nix b/nixos/tests/unbound.nix index ca9718ac633eb..fcfa222299c88 100644 --- a/nixos/tests/unbound.nix +++ b/nixos/tests/unbound.nix @@ -61,13 +61,16 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: services.unbound = { enable = true; - interfaces = [ "192.168.0.1" "fd21::1" "::1" "127.0.0.1" ]; - allowedAccess = [ "192.168.0.0/24" "fd21::/64" "::1" "127.0.0.0/8" ]; - extraConfig = '' - server: - local-data: "example.local. IN A 1.2.3.4" - local-data: "example.local. IN AAAA abcd::eeff" - ''; + settings = { + server = { + interface = [ "192.168.0.1" "fd21::1" "::1" "127.0.0.1" ]; + access-control = [ "192.168.0.0/24 allow" "fd21::/64 allow" "::1 allow" "127.0.0.0/8 allow" ]; + local-data = [ + ''"example.local. IN A 1.2.3.4"'' + ''"example.local. IN AAAA abcd::eeff"'' + ]; + }; + }; }; }; @@ -90,19 +93,25 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: services.unbound = { enable = true; - allowedAccess = [ "192.168.0.0/24" "fd21::/64" "::1" "127.0.0.0/8" ]; - interfaces = [ "::1" "127.0.0.1" "192.168.0.2" "fd21::2" - "192.168.0.2@853" "fd21::2@853" "::1@853" "127.0.0.1@853" - "192.168.0.2@443" "fd21::2@443" "::1@443" "127.0.0.1@443" ]; - forwardAddresses = [ - (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv6.addresses).address - (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv4.addresses).address - ]; - extraConfig = '' - server: - tls-service-pem: ${cert}/cert.pem - tls-service-key: ${cert}/key.pem - ''; + settings = { + server = { + interface = [ "::1" "127.0.0.1" "192.168.0.2" "fd21::2" + "192.168.0.2@853" "fd21::2@853" "::1@853" "127.0.0.1@853" + "192.168.0.2@443" "fd21::2@443" "::1@443" "127.0.0.1@443" ]; + access-control = [ "192.168.0.0/24 allow" "fd21::/64 allow" "::1 allow" "127.0.0.0/8 allow" ]; + tls-service-pem = "${cert}/cert.pem"; + tls-service-key = "${cert}/key.pem"; + }; + forward-zone = [ + { + name = "."; + forward-addr = [ + (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv6.addresses).address + (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv4.addresses).address + ]; + } + ]; + }; }; }; @@ -122,12 +131,14 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: services.unbound = { enable = true; - allowedAccess = [ "::1" "127.0.0.0/8" ]; - interfaces = [ "::1" "127.0.0.1" ]; + settings = { + server = { + interface = [ "::1" "127.0.0.1" ]; + access-control = [ "::1 allow" "127.0.0.0/8 allow" ]; + }; + include = "/etc/unbound/extra*.conf"; + }; localControlSocketPath = "/run/unbound/unbound.ctl"; - extraConfig = '' - include: "/etc/unbound/extra*.conf" - ''; }; users.users = { @@ -143,12 +154,13 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: unauthorizeduser = { isSystemUser = true; }; }; + # Used for testing configuration reloading environment.etc = { "unbound-extra1.conf".text = '' forward-zone: - name: "example.local." - forward-addr: ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv6.addresses).address} - forward-addr: ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv4.addresses).address} + name: "example.local." + forward-addr: ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv6.addresses).address} + forward-addr: ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv4.addresses).address} ''; "unbound-extra2.conf".text = '' auth-zone: @@ -180,7 +192,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: testScript = { nodes, ... }: '' import typing - import json zone = "example.local." records = [("AAAA", "abcd::eeff"), ("A", "1.2.3.4")] diff --git a/nixos/tests/v2ray.nix b/nixos/tests/v2ray.nix index f1b2570cc8604..4808e149d31ed 100644 --- a/nixos/tests/v2ray.nix +++ b/nixos/tests/v2ray.nix @@ -3,7 +3,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: let v2rayUser = { # A random UUID. id = "a6a46834-2150-45f8-8364-0f6f6ab32384"; - alterId = 4; + alterId = 0; # Non-zero support will be disabled in the future. }; # 1080 [http proxy] -> 1081 [vmess] -> direct diff --git a/nixos/tests/virtualbox.nix b/nixos/tests/virtualbox.nix index 0a7369b0fa2aa..09314d93b7d04 100644 --- a/nixos/tests/virtualbox.nix +++ b/nixos/tests/virtualbox.nix @@ -226,18 +226,16 @@ let def create_vm_${name}(): - # fmt: off - vbm(f"createvm --name ${name} ${createFlags}") - vbm(f"modifyvm ${name} ${vmFlags}") - vbm(f"setextradata ${name} VBoxInternal/PDM/HaltOnReset 1") - vbm(f"storagectl ${name} ${controllerFlags}") - vbm(f"storageattach ${name} ${diskFlags}") - vbm(f"sharedfolder add ${name} ${sharedFlags}") - vbm(f"sharedfolder add ${name} ${nixstoreFlags}") + vbm("createvm --name ${name} ${createFlags}") + vbm("modifyvm ${name} ${vmFlags}") + vbm("setextradata ${name} VBoxInternal/PDM/HaltOnReset 1") + vbm("storagectl ${name} ${controllerFlags}") + vbm("storageattach ${name} ${diskFlags}") + vbm("sharedfolder add ${name} ${sharedFlags}") + vbm("sharedfolder add ${name} ${nixstoreFlags}") cleanup_${name}() ${mkLog "$HOME/VirtualBox VMs/${name}/Logs/VBox.log" "HOST-${name}"} - # fmt: on def destroy_vm_${name}(): @@ -259,9 +257,7 @@ let def wait_for_ip_${name}(interface): property = f"/VirtualBox/GuestInfo/Net/{interface}/V4/IP" - # fmt: off getip = f"VBoxManage guestproperty get ${name} {property} | sed -n -e 's/^Value: //p'" - # fmt: on ip = machine.succeed( ru( @@ -394,9 +390,7 @@ let machine.wait_for_x() - # fmt: off ${mkLog "$HOME/.config/VirtualBox/VBoxSVC.log" "HOST-SVC"} - # fmt: on ${testScript} # (keep black happy) diff --git a/nixos/tests/web-servers/unit-php.nix b/nixos/tests/web-servers/unit-php.nix index 24d6f5f16a72c..c4e89f069f16d 100644 --- a/nixos/tests/web-servers/unit-php.nix +++ b/nixos/tests/web-servers/unit-php.nix @@ -34,7 +34,7 @@ in { }; users = { users.testuser = { - isNormalUser = false; + isSystemUser = true; uid = 1074; group = "testgroup"; }; diff --git a/nixos/tests/wmderland.nix b/nixos/tests/wmderland.nix index d121ed98b7ac7..6de0cd9212eea 100644 --- a/nixos/tests/wmderland.nix +++ b/nixos/tests/wmderland.nix @@ -1,6 +1,6 @@ import ./make-test-python.nix ({ pkgs, ...} : { name = "wmderland"; - meta = with pkgs.stdenv.lib.maintainers; { + meta = with pkgs.lib.maintainers; { maintainers = [ takagiy ]; }; diff --git a/nixos/tests/yggdrasil.nix b/nixos/tests/yggdrasil.nix index 0b58ad29aa2b1..0e75ed54db281 100644 --- a/nixos/tests/yggdrasil.nix +++ b/nixos/tests/yggdrasil.nix @@ -147,7 +147,7 @@ in import ./make-test-python.nix ({ pkgs, ...} : { # If Alice can talk to Carol, then Bob's outbound peering and Carol's # local peering have succeeded and everybody is connected. alice.wait_until_succeeds(f"ping -c 1 {carol_ip6}") - alice.succeed(f"ping -c 1 ${bobIp6}") + alice.succeed("ping -c 1 ${bobIp6}") bob.succeed("ping -c 1 ${aliceIp6}") bob.succeed(f"ping -c 1 {carol_ip6}") diff --git a/nixos/tests/zigbee2mqtt.nix b/nixos/tests/zigbee2mqtt.nix index b7bb21f9227af..98aadbb699bdf 100644 --- a/nixos/tests/zigbee2mqtt.nix +++ b/nixos/tests/zigbee2mqtt.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: { machine = { pkgs, ... }: @@ -6,6 +6,8 @@ import ./make-test-python.nix ({ pkgs, ... }: services.zigbee2mqtt = { enable = true; }; + + systemd.services.zigbee2mqtt.serviceConfig.DevicePolicy = lib.mkForce "auto"; }; testScript = '' @@ -14,6 +16,8 @@ import ./make-test-python.nix ({ pkgs, ... }: machine.succeed( "journalctl -eu zigbee2mqtt | grep \"Error: Error while opening serialport 'Error: Error: No such file or directory, cannot open /dev/ttyACM0'\"" ) + + machine.log(machine.succeed("systemd-analyze security zigbee2mqtt.service")) ''; } ) |