diff options
Diffstat (limited to 'nixos')
426 files changed, 11397 insertions, 3206 deletions
diff --git a/nixos/doc/manual/configuration/ipv6-config.xml b/nixos/doc/manual/configuration/ipv6-config.xml index 7b89b4092be7d..45e85dbf3dfdb 100644 --- a/nixos/doc/manual/configuration/ipv6-config.xml +++ b/nixos/doc/manual/configuration/ipv6-config.xml @@ -7,8 +7,12 @@ <para> IPv6 is enabled by default. Stateless address autoconfiguration is used to - automatically assign IPv6 addresses to all interfaces. You can disable IPv6 - support globally by setting: + automatically assign IPv6 addresses to all interfaces, and Privacy + Extensions (RFC 4946) are enabled by default. You can adjust the default + for this by setting <xref linkend="opt-networking.tempAddresses"/>. + This option may be overridden on a per-interface basis by + <xref linkend="opt-networking.interfaces._name_.tempAddress"/>. + You can disable IPv6 support globally by setting: <programlisting> <xref linkend="opt-networking.enableIPv6"/> = false; </programlisting> diff --git a/nixos/doc/manual/configuration/x-windows.xml b/nixos/doc/manual/configuration/x-windows.xml index a499f0080d705..e72193897068e 100644 --- a/nixos/doc/manual/configuration/x-windows.xml +++ b/nixos/doc/manual/configuration/x-windows.xml @@ -25,7 +25,7 @@ <programlisting> <xref linkend="opt-services.xserver.desktopManager.plasma5.enable"/> = true; <xref linkend="opt-services.xserver.desktopManager.xfce.enable"/> = true; -<xref linkend="opt-services.xserver.desktopManager.gnome3.enable"/> = true; +<xref linkend="opt-services.xserver.desktopManager.gnome.enable"/> = true; <xref linkend="opt-services.xserver.desktopManager.mate.enable"/> = true; <xref linkend="opt-services.xserver.windowManager.xmonad.enable"/> = true; <xref linkend="opt-services.xserver.windowManager.twm.enable"/> = true; @@ -204,18 +204,18 @@ XKB </link> keyboard layouts using the option - <option> - <link linkend="opt-services.xserver.extraLayouts"> - services.xserver.extraLayouts - </link> - </option>. + <option><link linkend="opt-services.xserver.extraLayouts"> + services.xserver.extraLayouts</link></option>. + </para> + <para> As a first example, we are going to create a layout based on the basic US layout, with an additional layer to type some greek symbols by pressing the right-alt key. </para> <para> - To do this we are going to create a <literal>us-greek</literal> file - with a <literal>xkb_symbols</literal> section. + Create a file called <literal>us-greek</literal> with the following + content (under a directory called <literal>symbols</literal>; it's + an XKB peculiarity that will help with testing): </para> <programlisting> xkb_symbols "us-greek" @@ -231,14 +231,13 @@ xkb_symbols "us-greek" }; </programlisting> <para> - To install the layout, the filepath, a description and the list of - languages must be given: + A minimal layout specification must include the following: </para> <programlisting> <xref linkend="opt-services.xserver.extraLayouts"/>.us-greek = { description = "US layout with alt-gr greek"; languages = [ "eng" ]; - symbolsFile = /path/to/us-greek; + symbolsFile = /yourpath/symbols/us-greek; } </programlisting> <note> @@ -248,9 +247,27 @@ xkb_symbols "us-greek" </para> </note> <para> - The layout should now be installed and ready to use: try it by - running <literal>setxkbmap us-greek</literal> and type - <literal><alt>+a</literal>. To change the default the usual + Applying this customization requires rebuilding several packages, + and a broken XKB file can lead to the X session crashing at login. + Therefore, you're strongly advised to <emphasis role="strong">test + your layout before applying it</emphasis>: +<screen> +<prompt>$ </prompt>nix-shell -p xorg.xkbcomp +<prompt>$ </prompt>setxkbmap -I/yourpath us-greek -print | xkbcomp -I/yourpath - $DISPLAY +</screen> + </para> + <para> + You can inspect the predefined XKB files for examples: +<screen> +<prompt>$ </prompt>echo "$(nix-build --no-out-link '<nixpkgs>' -A xorg.xkeyboardconfig)/etc/X11/xkb/" +</screen> + </para> + <para> + Once the configuration is applied, and you did a logout/login + cycle, the layout should be ready to use. You can try it by e.g. + running <literal>setxkbmap us-greek</literal> and then type + <literal><alt>+a</literal> (it may not get applied in your + terminal straight away). To change the default, the usual <option> <link linkend="opt-services.xserver.layout"> services.xserver.layout diff --git a/nixos/doc/manual/contributing-to-this-manual.chapter.md b/nixos/doc/manual/contributing-to-this-manual.chapter.md new file mode 100644 index 0000000000000..26813d1042d69 --- /dev/null +++ b/nixos/doc/manual/contributing-to-this-manual.chapter.md @@ -0,0 +1,13 @@ +# Contributing to this manual {#chap-contributing} + +The DocBook and CommonMark sources of NixOS' manual are in the [nixos/doc/manual](https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual) subdirectory of the [Nixpkgs](https://github.com/NixOS/nixpkgs) repository. + +You can quickly check your edits with the following: + +```ShellSession +$ cd /path/to/nixpkgs +$ ./nixos/doc/manual/md-to-db.sh +$ nix-build nixos/release.nix -A manual.x86_64-linux +``` + +If the build succeeds, the manual will be in `./result/share/doc/nixos/index.html`. diff --git a/nixos/doc/manual/contributing-to-this-manual.xml b/nixos/doc/manual/contributing-to-this-manual.xml deleted file mode 100644 index 137e04bb313b3..0000000000000 --- a/nixos/doc/manual/contributing-to-this-manual.xml +++ /dev/null @@ -1,22 +0,0 @@ -<chapter xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xml:id="chap-contributing"> - <title>Contributing to this manual</title> - <para> - The DocBook sources of NixOS' manual are in the <filename -xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual"> -nixos/doc/manual</filename> subdirectory of the <link -xlink:href="https://github.com/NixOS/nixpkgs">Nixpkgs</link> repository. - </para> - <para> - You can quickly check your edits with the following: - </para> -<screen> -<prompt>$ </prompt>cd /path/to/nixpkgs -<prompt>$ </prompt>nix-build nixos/release.nix -A manual.x86_64-linux -</screen> - <para> - If the build succeeds, the manual will be in - <filename>./result/share/doc/nixos/index.html</filename>. - </para> -</chapter> diff --git a/nixos/doc/manual/development/building-nixos.chapter.md b/nixos/doc/manual/development/building-nixos.chapter.md new file mode 100644 index 0000000000000..699a75f411522 --- /dev/null +++ b/nixos/doc/manual/development/building-nixos.chapter.md @@ -0,0 +1,18 @@ +# Building Your Own NixOS CD {#sec-building-cd} +Building a NixOS CD is as easy as configuring your own computer. The idea is to use another module which will replace your `configuration.nix` to configure the system that would be installed on the CD. + +Default CD/DVD configurations are available inside `nixos/modules/installer/cd-dvd` + +```ShellSession +$ git clone https://github.com/NixOS/nixpkgs.git +$ cd nixpkgs/nixos +$ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix default.nix +``` + +Before burning your CD/DVD, you can check the content of the image by mounting anywhere like suggested by the following command: + +```ShellSession +# mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen> +``` + +If you want to customize your NixOS CD in more detail, or generate other kinds of images, you might want to check out [nixos-generators](https://github.com/nix-community/nixos-generators). This can also be a good starting point when you want to use Nix to build a 'minimal' image that doesn't include a NixOS installation. diff --git a/nixos/doc/manual/development/building-nixos.xml b/nixos/doc/manual/development/building-nixos.xml deleted file mode 100644 index d58b6354d1d36..0000000000000 --- a/nixos/doc/manual/development/building-nixos.xml +++ /dev/null @@ -1,33 +0,0 @@ -<chapter xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="sec-building-cd"> - <title>Building Your Own NixOS CD</title> - <para> - Building a NixOS CD is as easy as configuring your own computer. The idea is - to use another module which will replace your - <filename>configuration.nix</filename> to configure the system that would be - installed on the CD. - </para> - <para> - Default CD/DVD configurations are available inside - <filename>nixos/modules/installer/cd-dvd</filename>. -<screen> -<prompt>$ </prompt>git clone https://github.com/NixOS/nixpkgs.git -<prompt>$ </prompt>cd nixpkgs/nixos -<prompt>$ </prompt>nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix default.nix</screen> - </para> - <para> - Before burning your CD/DVD, you can check the content of the image by - mounting anywhere like suggested by the following command: -<screen> -<prompt># </prompt>mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen> - </para> - <para> - If you want to customize your NixOS CD in more detail, or generate other kinds - of images, you might want to check out <link - xlink:href="https://github.com/nix-community/nixos-generators">nixos-generators</link>. This can also be a good starting point when you want to use Nix to build a - 'minimal' image that doesn't include a NixOS installation. - </para> -</chapter> diff --git a/nixos/doc/manual/development/development.xml b/nixos/doc/manual/development/development.xml index 43f511b3e96ba..78763a7350577 100644 --- a/nixos/doc/manual/development/development.xml +++ b/nixos/doc/manual/development/development.xml @@ -13,7 +13,7 @@ <xi:include href="writing-modules.xml" /> <xi:include href="building-parts.xml" /> <xi:include href="writing-documentation.xml" /> - <xi:include href="building-nixos.xml" /> + <xi:include href="../from_md/development/building-nixos.chapter.xml" /> <xi:include href="nixos-tests.xml" /> <xi:include href="testing-installer.xml" /> <xi:include href="releases.xml" /> diff --git a/nixos/doc/manual/development/settings-options.xml b/nixos/doc/manual/development/settings-options.xml index c99c3af92f894..7292cac62b707 100644 --- a/nixos/doc/manual/development/settings-options.xml +++ b/nixos/doc/manual/development/settings-options.xml @@ -50,7 +50,7 @@ </varlistentry> <varlistentry> <term> - <varname>pkgs.formats.ini</varname> { <replaceable>listsAsDuplicateKeys</replaceable> ? false, ... } + <varname>pkgs.formats.ini</varname> { <replaceable>listsAsDuplicateKeys</replaceable> ? false, <replaceable>listToValue</replaceable> ? null, ... } </term> <listitem> <para> @@ -66,6 +66,16 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term> + <varname>listToValue</varname> + </term> + <listitem> + <para> + A function for turning a list of values into a single value. + </para> + </listitem> + </varlistentry> </variablelist> It returns a set with INI-specific attributes <varname>type</varname> and <varname>generate</varname> as specified <link linkend='pkgs-formats-result'>below</link>. </para> @@ -167,7 +177,7 @@ in { # We know that the `user` attribute exists because we set a default value # for it above, allowing us to use it without worries here - users.users.${cfg.settings.user} = {}; + users.users.${cfg.settings.user} = { isSystemUser = true; }; # ... }; diff --git a/nixos/doc/manual/development/writing-nixos-tests.xml b/nixos/doc/manual/development/writing-nixos-tests.xml index 5f70f74d5d90d..5a95436915fab 100644 --- a/nixos/doc/manual/development/writing-nixos-tests.xml +++ b/nixos/doc/manual/development/writing-nixos-tests.xml @@ -188,6 +188,25 @@ start_all() </varlistentry> <varlistentry> <term> + <methodname>get_screen_text_variants</methodname> + </term> + <listitem> + <para> + Return a list of different interpretations of what is currently visible + on the machine's screen using optical character recognition. The number + and order of the interpretations is not specified and is subject to + change, but if no exception is raised at least one will be returned. + </para> + <note> + <para> + This requires passing <option>enableOCR</option> to the test attribute + set. + </para> + </note> + </listitem> + </varlistentry> + <varlistentry> + <term> <methodname>get_screen_text</methodname> </term> <listitem> @@ -350,7 +369,8 @@ start_all() <para> Wait until the supplied regular expressions matches the textual contents of the screen by using optical character recognition (see - <methodname>get_screen_text</methodname>). + <methodname>get_screen_text</methodname> and + <methodname>get_screen_text_variants</methodname>). </para> <note> <para> diff --git a/nixos/doc/manual/from_md/README.md b/nixos/doc/manual/from_md/README.md new file mode 100644 index 0000000000000..cc6d08ca0a15a --- /dev/null +++ b/nixos/doc/manual/from_md/README.md @@ -0,0 +1,5 @@ +This directory is temporarily needed while we transition the manual to CommonMark. It stores the output of the ../md-to-db.sh script that converts CommonMark files back to DocBook. + +We are choosing to convert the Markdown to DocBook at authoring time instead of manual building time, because we do not want the pandoc toolchain to become part of the NixOS closure. + +Do not edit the DocBook files inside this directory or its subdirectories. Instead, edit the corresponding .md file in the normal manual directories, and run ../md-to-db.sh to update the file here. diff --git a/nixos/doc/manual/from_md/contributing-to-this-manual.chapter.xml b/nixos/doc/manual/from_md/contributing-to-this-manual.chapter.xml new file mode 100644 index 0000000000000..a9b0c6a5eefa1 --- /dev/null +++ b/nixos/doc/manual/from_md/contributing-to-this-manual.chapter.xml @@ -0,0 +1,22 @@ +<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="chap-contributing"> + <title>Contributing to this manual</title> + <para> + The DocBook and CommonMark sources of NixOS’ manual are in the + <link xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual">nixos/doc/manual</link> + subdirectory of the + <link xlink:href="https://github.com/NixOS/nixpkgs">Nixpkgs</link> + repository. + </para> + <para> + You can quickly check your edits with the following: + </para> + <programlisting> +$ cd /path/to/nixpkgs +$ ./nixos/doc/manual/md-to-db.sh +$ nix-build nixos/release.nix -A manual.x86_64-linux +</programlisting> + <para> + If the build succeeds, the manual will be in + <literal>./result/share/doc/nixos/index.html</literal>. + </para> +</chapter> diff --git a/nixos/doc/manual/from_md/development/building-nixos.chapter.xml b/nixos/doc/manual/from_md/development/building-nixos.chapter.xml new file mode 100644 index 0000000000000..ceb744447dab7 --- /dev/null +++ b/nixos/doc/manual/from_md/development/building-nixos.chapter.xml @@ -0,0 +1,33 @@ +<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-building-cd"> + <title>Building Your Own NixOS CD</title> + <para> + Building a NixOS CD is as easy as configuring your own computer. The + idea is to use another module which will replace your + <literal>configuration.nix</literal> to configure the system that + would be installed on the CD. + </para> + <para> + Default CD/DVD configurations are available inside + <literal>nixos/modules/installer/cd-dvd</literal> + </para> + <programlisting> +$ git clone https://github.com/NixOS/nixpkgs.git +$ cd nixpkgs/nixos +$ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix default.nix +</programlisting> + <para> + Before burning your CD/DVD, you can check the content of the image + by mounting anywhere like suggested by the following command: + </para> + <programlisting> +# mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen> +</programlisting> + <para> + If you want to customize your NixOS CD in more detail, or generate + other kinds of images, you might want to check out + <link xlink:href="https://github.com/nix-community/nixos-generators">nixos-generators</link>. + This can also be a good starting point when you want to use Nix to + build a <quote>minimal</quote> image that doesn’t include a NixOS + installation. + </para> +</chapter> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml new file mode 100644 index 0000000000000..abcf3406aa34c --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -0,0 +1,15 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="release-21.11"> + <title>Release 21.11 (<quote>?</quote>, 2021.11/??)</title> + <para> + In addition to numerous new and upgraded packages, this release has + the following highlights: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Support is planned until the end of April 2022, handing over to + 22.05. + </para> + </listitem> + </itemizedlist> +</section> diff --git a/nixos/doc/manual/installation/installing-from-other-distro.xml b/nixos/doc/manual/installation/installing-from-other-distro.xml index 43f69b923d14d..63d1d52b01b2f 100644 --- a/nixos/doc/manual/installation/installing-from-other-distro.xml +++ b/nixos/doc/manual/installation/installing-from-other-distro.xml @@ -84,12 +84,12 @@ nixpkgs https://nixos.org/channels/nixpkgs-unstable</screen> </para> <para> You'll need <literal>nixos-generate-config</literal> and - <literal>nixos-install</literal> and we'll throw in some man pages and - <literal>nixos-enter</literal> just in case you want to chroot into your - NixOS partition. They are installed by default on NixOS, but you don't have + <literal>nixos-install</literal>, but this also makes some man pages + and <literal>nixos-enter</literal> available, just in case you want to chroot into your + NixOS partition. NixOS installs these by default, but you don't have NixOS yet.. </para> -<screen><prompt>$ </prompt>nix-env -f '<nixpkgs/nixos>' --arg configuration {} -iA config.system.build.{nixos-generate-config,nixos-install,nixos-enter,manual.manpages}</screen> + <screen><prompt>$ </prompt>nix-env -f '<nixpkgs>' -iA nixos-install-tools</screen> </listitem> <listitem> <note> diff --git a/nixos/doc/manual/manual.xml b/nixos/doc/manual/manual.xml index db9e7313831da..158b3507a58ea 100644 --- a/nixos/doc/manual/manual.xml +++ b/nixos/doc/manual/manual.xml @@ -19,6 +19,6 @@ <xi:include href="./generated/options-db.xml" xpointer="configuration-variable-list" /> </appendix> - <xi:include href="contributing-to-this-manual.xml" /> + <xi:include href="./from_md/contributing-to-this-manual.chapter.xml" /> <xi:include href="release-notes/release-notes.xml" /> </book> diff --git a/nixos/doc/manual/md-to-db.sh b/nixos/doc/manual/md-to-db.sh new file mode 100755 index 0000000000000..fc4be7da22ba8 --- /dev/null +++ b/nixos/doc/manual/md-to-db.sh @@ -0,0 +1,33 @@ +#! /usr/bin/env nix-shell +#! nix-shell -I nixpkgs=channel:nixpkgs-unstable -i bash -p pandoc + +# This script is temporarily needed while we transition the manual to +# CommonMark. It converts the .md files in the regular manual folder +# into DocBook files in the from_md folder. + +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +pushd $DIR + +OUT="$DIR/from_md" +mapfile -t MD_FILES < <(find . -type f -regex '.*\.md$') + +for mf in ${MD_FILES[*]}; do + if [ "${mf: -11}" == ".section.md" ]; then + mkdir -p $(dirname "$OUT/$mf") + pandoc "$mf" -t docbook \ + --extract-media=media \ + -f markdown+smart \ + | cat > "$OUT/${mf%".section.md"}.section.xml" + fi + + if [ "${mf: -11}" == ".chapter.md" ]; then + mkdir -p $(dirname "$OUT/$mf") + pandoc "$mf" -t docbook \ + --top-level-division=chapter \ + --extract-media=media \ + -f markdown+smart \ + | cat > "$OUT/${mf%".chapter.md"}.chapter.xml" + fi +done + +popd diff --git a/nixos/doc/manual/release-notes/release-notes.xml b/nixos/doc/manual/release-notes/release-notes.xml index e083d51406c76..6d7899f6dcdb6 100644 --- a/nixos/doc/manual/release-notes/release-notes.xml +++ b/nixos/doc/manual/release-notes/release-notes.xml @@ -8,6 +8,7 @@ This section lists the release notes for each stable version of NixOS and current unstable revision. </para> + <xi:include href="../from_md/release-notes/rl-2111.section.xml" /> <xi:include href="rl-2105.xml" /> <xi:include href="rl-2009.xml" /> <xi:include href="rl-2003.xml" /> diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index 4102fe206e19d..0dae49c636f61 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixos/doc/manual/release-notes/rl-1909.xml @@ -83,10 +83,10 @@ like games. <itemizedlist> <para>This can be achieved with the following options which the desktop manager default enables, excluding <literal>games</literal>.</para> - <listitem><para><xref linkend="opt-services.gnome3.core-os-services.enable"/></para></listitem> - <listitem><para><xref linkend="opt-services.gnome3.core-shell.enable"/></para></listitem> - <listitem><para><xref linkend="opt-services.gnome3.core-utilities.enable"/></para></listitem> - <listitem><para><xref linkend="opt-services.gnome3.games.enable"/></para></listitem> + <listitem><para><option>services.gnome3.core-os-services.enable</option></para></listitem> + <listitem><para><option>services.gnome3.core-shell.enable</option></para></listitem> + <listitem><para><option>services.gnome3.core-utilities.enable</option></para></listitem> + <listitem><para><option>services.gnome3.games.enable</option></para></listitem> </itemizedlist> With these options we hope to give users finer grained control over their systems. Prior to this change you'd either have to manually disable options or use <option>environment.gnome3.excludePackages</option> which only excluded the optional applications. diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml index b5290b374f9db..a5501533be7fd 100644 --- a/nixos/doc/manual/release-notes/rl-2105.xml +++ b/nixos/doc/manual/release-notes/rl-2105.xml @@ -27,7 +27,7 @@ <para>The default Linux kernel was updated to the 5.10 LTS series, coming from the 5.4 LTS series.</para> </listitem> <listitem> - <para>GNOME desktop environment was upgraded to 3.38, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">release notes</link>.</para> + <para>GNOME desktop environment was upgraded to 40, see the release notes for <link xlink:href="https://help.gnome.org/misc/release-notes/40.0/">40.0</link> and <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">3.38</link>. The <code>gnome3</code> attribute set has been renamed to <code>gnome</code> and so have been the NixOS options.</para> </listitem> <listitem> <para> @@ -78,11 +78,53 @@ </listitem> <listitem> <para> - <link xlink:href="https://kodi.tv/">Kodi</link> has been updated to version 19.0 "Matrix". See + <link xlink:href="https://kodi.tv/">Kodi</link> has been updated to version 19.1 "Matrix". See the <link xlink:href="https://kodi.tv/article/kodi-190-matrix-release">announcement</link> for further details. </para> </listitem> + <listitem> + <para> + The <option>services.packagekit.backend</option> option has been removed as + it only supported a single setting which would always be the default. + Instead new <link + xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC + 0042</link> compliant <xref linkend="opt-services.packagekit.settings"/> + and <xref linkend="opt-services.packagekit.vendorSettings"/> options have + been introduced. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://nginx.org">Nginx</link> has been updated to stable version 1.20.0. + Now nginx uses the zlib-ng library by default. + </para> + </listitem> + <listitem> + <para> + KDE Gear (formerly KDE Applications) is upgraded to 21.04, see its + <link xlink:href="https://kde.org/announcements/gear/21.04/">release + notes</link> for details. + </para> + <para> + The <code>kdeApplications</code> package set is now <code>kdeGear</code>, + in keeping with the new name. The old name remains for compatibility, but + it is deprecated. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://libreswan.org/">Libreswan</link> has been updated + to version 4.4. The package now includes example configurations and manual + pages by default. The NixOS module has been changed to use the upstream + systemd units and write the configuration in the <literal>/etc/ipsec.d/ + </literal> directory. In addition, two new options have been added to + specify connection policies + (<xref linkend="opt-services.libreswan.policies"/>) + and disable send/receive redirects + (<xref linkend="opt-services.libreswan.disableRedirects"/>). + </para> + </listitem> </itemizedlist> </section> @@ -128,6 +170,11 @@ section of the NixOS manual</link> for more information. </para> </listitem> + <listitem> + <para> + <xref linkend="opt-services.nebula.networks" /> <link xlink:href="https://github.com/slackhq/nebula">Nebula VPN</link> + </para> + </listitem> </itemizedlist> </section> @@ -161,6 +208,12 @@ It was broken since the switch to cgroups-v2. </para> </listitem> + <listitem> + <para> + The <literal>linuxPackages.ati_drivers_x11</literal> kernel modules have been removed. + The drivers only supported kernels prior to 4.2, and thus have become obsolete. + </para> + </listitem> <listitem> <para> The <literal>systemConfig</literal> kernel parameter is no longer added to boot loader entries. It has been unused since September 2010, but if do have a system generation from that era, you will now be unable to boot into them. @@ -313,7 +366,18 @@ </listitem> <listitem> <para> - <literal>vim</literal> switched to Python 3, dropping all Python 2 support. + <literal>vim</literal> and <literal>neovim</literal> switched to Python 3, dropping all Python 2 support. + </para> + </listitem> + <listitem> + <para> + <link linkend="opt-networking.wireguard.interfaces">networking.wireguard.interfaces.<name>.generatePrivateKeyFile</link>, + which is off by default, had a <literal>chmod</literal> race condition + fixed. As an aside, the parent directory's permissions were widened, + and the key files were made owner-writable. + This only affects newly created keys. + However, if the exact permissions are important for your setup, read + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/121294">#121294</link>. </para> </listitem> <listitem> @@ -658,6 +722,60 @@ environment.systemPackages = [ Environment variables can be set using <option>environment.variables</option>. </para> </listitem> + <listitem> + <para> + <option>services.minio.dataDir</option> changed type to a list of paths, required for specifiyng multiple data directories for using with erasure coding. + Currently, the service doesn't enforce nor checks the correct number of paths to correspond to minio requirements. + </para> + </listitem> + <listitem> + <para> + All CUDA toolkit versions prior to CUDA 10 have been removed. + </para> + </listitem> + <listitem> + <para> + The <package>kbdKeymaps</package> package was removed since dvp and neo + are now included in <package>kbd</package>. + + If you want to use the Programmer Dvorak Keyboard Layout, you have to use + <literal>dvorak-programmer</literal> in <option>console.keyMap</option> + now instead of <literal>dvp</literal>. + In <option>services.xserver.xkbVariant</option> it's still <literal>dvp</literal>. + </para> + </listitem> + <listitem> + <para> + The <package>babeld</package> service is now being run as an unprivileged user. To achieve that the module configures + <literal>skip-kernel-setup true</literal> and takes care of setting forwarding and rp_filter sysctls by itself as well + as for each interface in <varname>services.babeld.interfaces</varname>. + </para> + </listitem> + <listitem> + <para> + The <option>services.zigbee2mqtt.config</option> option has been renamed to <option>services.zigbee2mqtt.settings</option> and + now follows <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC 0042</link>. + </para> + </listitem> + <listitem> + <para> + The <package>yadm</package> dotfile manager has been updated from 2.x to 3.x, which has new (XDG) default locations for some data/state files. Most yadm commands will fail and print a legacy path warning (which describes how to upgrade/migrate your repository). If you have scripts, daemons, scheduled jobs, shell profiles, etc. that invoke yadm, expect them to fail or misbehave until you perform this migration and prepare accordingly. + </para> + </listitem> + <listitem> + <para> + Instead of determining <option>services.radicale.package</option> + automatically based on <option>system.stateVersion</option>, the latest + version is always used because old versions are not officially supported. + </para> + <para> + Furthermore, Radicale's systemd unit was hardened which might break some + deployments. In particular, a non-default + <literal>filesystem_folder</literal> has to be added to + <option>systemd.services.radicale.serviceConfig.ReadWritePaths</option> if + the deprecated <option>services.radicale.config</option> is used. + </para> + </listitem> </itemizedlist> </section> @@ -772,6 +890,23 @@ environment.systemPackages = [ default in the CLI tooling which in turn enables us to use <literal>unbound-control</literal> without passing a custom configuration location. </para> + + <para> + The module has also been reworked to be <link + xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC + 0042</link> compliant. As such, + <option>sevices.unbound.extraConfig</option> has been removed and replaced + by <xref linkend="opt-services.unbound.settings"/>. <option>services.unbound.interfaces</option> + has been renamed to <option>services.unbound.settings.server.interface</option>. + </para> + + <para> + <option>services.unbound.forwardAddresses</option> and + <option>services.unbound.allowedAccess</option> have also been changed to + use the new settings interface. You can follow the instructions when + executing <literal>nixos-rebuild</literal> to upgrade your configuration to + use the new interface. + </para> </listitem> <listitem> <para> @@ -829,8 +964,32 @@ environment.systemPackages = [ </para> </listitem> <listitem> + <para> + When defining a new user, one of <xref linkend="opt-users.users._name_.isNormalUser" /> and <xref linkend="opt-users.users._name_.isSystemUser" /> is now required. + This is to prevent accidentally giving a UID above 1000 to system users, which could have unexpected consequences, like running user activation scripts for system users. + Note that users defined with an explicit UID below 500 are exempted from this check, as <xref linkend="opt-users.users._name_.isSystemUser" /> has no effect for those. + </para> + </listitem> + <listitem> + <para> + The <literal>security.apparmor</literal> module, + for the <link xlink:href="https://gitlab.com/apparmor/apparmor/-/wikis/Documentation">AppArmor</link> + Mandatory Access Control system, + has been substantialy improved along with related tools, + so that module maintainers can now more easily write AppArmor profiles for NixOS. + The most notable change on the user-side is the new option <xref linkend="opt-security.apparmor.policies"/>, + replacing the previous <literal>profiles</literal> option + to provide a way to disable a profile + and to select whether to confine in enforce mode (default) + or in complain mode (see <literal>journalctl -b --grep apparmor</literal>). + Security-minded users may also want to enable <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>, + at the cost of having some of their processes killed + when updating to a NixOS version introducing new AppArmor profiles. + </para> + </listitem> + <listitem> <para> - The GNOME desktop manager once again installs <package>gnome3.epiphany</package> by default. + The GNOME desktop manager once again installs <package>gnome.epiphany</package> by default. </para> </listitem> <listitem> @@ -924,6 +1083,47 @@ environment.systemPackages = [ option. </para> </listitem> + <listitem> + <para> + Prior to this release, systemd would also read system units from an undocumented <literal>/etc/systemd-mutable/system</literal> path. + This path has been dropped from the defaults. That path (or others) can be re-enabled by adding it to the + <link linkend="opt-boot.extraSystemdUnitPaths">boot.extraSystemdUnitPaths</link> list. + </para> + </listitem> + <listitem> + <para> + PostgreSQL 9.5 is scheduled EOL during the 21.05 life cycle and has been removed. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.xfce.org/">Xfce4</link> relies on + GIO/GVfs for userspace virtual filesystem access in applications + like <link xlink:href="https://docs.xfce.org/xfce/thunar/">thunar</link> and + <link xlink:href="https://docs.xfce.org/apps/gigolo/">gigolo</link>. + For that to work, the gvfs nixos service is enabled by default, + and it can be configured with the specific package that provides + GVfs. Until now Xfce4 was setting it to use a lighter version of + GVfs (without support for samba). To avoid conflicts with other + desktop environments this setting has been dropped. Users that + still want it should add the following to their system + configuration: + <programlisting> +<xref linkend="opt-services.gvfs.package" /> = pkgs.gvfs.override { samba = null; }; + </programlisting> + </para> + </listitem> + <listitem> + <para> + The newly enabled <literal>systemd-pstore.service</literal> now automatically evacuates crashdumps and panic logs from the persistent storage to <literal>/var/lib/systemd/pstore</literal>. + This prevents NVRAM from filling up, which ensures the latest diagnostic data is always stored and alleviates problems with writing new boot configurations. + </para> + </listitem> + <listitem> + <para> + Nixpkgs now contains <link xlink:href="https://github.com/NixOS/nixpkgs/pull/118232">automatically packaged GNOME Shell extensions</link> from the <link xlink:href="https://extensions.gnome.org/">GNOME Extensions</link> portal. You can find them, filed by their UUID, under <literal>gnome38Extensions</literal> attribute for GNOME 3.38 and under <literal>gnome40Extensions</literal> for GNOME 40. Finally, the <literal>gnomeExtensions</literal> attribute contains extensions for the latest GNOME Shell version in Nixpkgs, listed under a more human-friendly name. The unqualified attribute scope also contains manually packaged extensions. Note that the automatically packaged extensions are provided for convenience and are not checked or guaranteed to work. + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md new file mode 100644 index 0000000000000..1499249148fb1 --- /dev/null +++ b/nixos/doc/manual/release-notes/rl-2111.section.md @@ -0,0 +1,5 @@ +# Release 21.11 (“?”, 2021.11/??) {#release-21.11} + +In addition to numerous new and upgraded packages, this release has the following highlights: + +* Support is planned until the end of April 2022, handing over to 22.05. diff --git a/nixos/doc/manual/shell.nix b/nixos/doc/manual/shell.nix index cc3609d750e03..e5ec9b8f97f7d 100644 --- a/nixos/doc/manual/shell.nix +++ b/nixos/doc/manual/shell.nix @@ -4,5 +4,5 @@ in pkgs.mkShell { name = "nixos-manual"; - buildInputs = with pkgs; [ xmlformat jing xmloscopy ruby ]; + packages = with pkgs; [ xmlformat jing xmloscopy ruby ]; } diff --git a/nixos/lib/build-vms.nix b/nixos/lib/build-vms.nix index ebbb0296bef63..064e44f643b2b 100644 --- a/nixos/lib/build-vms.nix +++ b/nixos/lib/build-vms.nix @@ -36,6 +36,13 @@ rec { [ ../modules/virtualisation/qemu-vm.nix ../modules/testing/test-instrumentation.nix # !!! should only get added for automated test runs { key = "no-manual"; documentation.nixos.enable = false; } + { key = "no-revision"; + # Make the revision metadata constant, in order to avoid needless retesting. + # The human version (e.g. 21.05-pre) is left as is, because it is useful + # for external modules that test with e.g. nixosTest and rely on that + # version number. + config.system.nixos.revision = "constant-nixos-revision"; + } { key = "nodes"; _module.args.nodes = nodes; } ] ++ optional minimal ../modules/testing/minimal-kernel.nix; }; diff --git a/nixos/lib/make-disk-image.nix b/nixos/lib/make-disk-image.nix index 023d0791a5c7d..7d40d3b5548e9 100644 --- a/nixos/lib/make-disk-image.nix +++ b/nixos/lib/make-disk-image.nix @@ -15,6 +15,8 @@ , # size of the boot partition, is only used if partitionTableType is # either "efi" or "hybrid" + # This will be undersized slightly, as this is actually the offset of + # the end of the partition. Generally it will be 1MiB smaller. bootSize ? "256M" , # The files and directories to be placed in the target file system. @@ -163,6 +165,8 @@ let format' = format; in let closureInfo = pkgs.closureInfo { rootPaths = [ config.system.build.toplevel channelSources ]; }; + blockSize = toString (4 * 1024); # ext4fs block size (not block device sector size) + prepareImage = '' export PATH=${binPath} @@ -175,6 +179,24 @@ let format' = format; in let echo $(( "$1" * 512 )) } + # Given lines of numbers, adds them together + sum_lines() { + local acc=0 + while read -r number; do + acc=$((acc+number)) + done + echo "$acc" + } + + mebibyte=$(( 1024 * 1024 )) + + # Approximative percentage of reserved space in an ext4 fs over 512MiB. + # 0.05208587646484375 + # × 1000, integer part: 52 + compute_fudge() { + echo $(( $1 * 52 / 1000 )) + } + mkdir $out root="$PWD/root" @@ -235,12 +257,53 @@ let format' = format; in let ${if diskSize == "auto" then '' ${if partitionTableType == "efi" || partitionTableType == "hybrid" then '' - additionalSpace=$(( ($(numfmt --from=iec '${additionalSpace}') + $(numfmt --from=iec '${bootSize}')) / 1000 )) + # Add the GPT at the end + gptSpace=$(( 512 * 34 * 1 )) + # Normally we'd need to account for alignment and things, if bootSize + # represented the actual size of the boot partition. But it instead + # represents the offset at which it ends. + # So we know bootSize is the reserved space in front of the partition. + reservedSpace=$(( gptSpace + $(numfmt --from=iec '${bootSize}') )) + '' else if partitionTableType == "legacy+gpt" then '' + # Add the GPT at the end + gptSpace=$(( 512 * 34 * 1 )) + # And include the bios_grub partition; the ext4 partition starts at 2MB exactly. + reservedSpace=$(( gptSpace + 2 * mebibyte )) + '' else if partitionTableType == "legacy" then '' + # Add the 1MiB aligned reserved space (includes MBR) + reservedSpace=$(( mebibyte )) '' else '' - additionalSpace=$(( $(numfmt --from=iec '${additionalSpace}') / 1000 )) + reservedSpace=0 ''} - diskSize=$(( $(set -- $(du -d0 $root); echo "$1") + $additionalSpace )) - truncate -s "$diskSize"K $diskImage + additionalSpace=$(( $(numfmt --from=iec '${additionalSpace}') + reservedSpace )) + + # Compute required space in filesystem blocks + diskUsage=$(find . ! -type d -exec 'du' '--apparent-size' '--block-size' "${blockSize}" '{}' ';' | cut -f1 | sum_lines) + # Each inode takes space! + numInodes=$(find . | wc -l) + # Convert to bytes, inodes take two blocks each! + diskUsage=$(( (diskUsage + 2 * numInodes) * ${blockSize} )) + # Then increase the required space to account for the reserved blocks. + fudge=$(compute_fudge $diskUsage) + requiredFilesystemSpace=$(( diskUsage + fudge )) + + diskSize=$(( requiredFilesystemSpace + additionalSpace )) + + # Round up to the nearest mebibyte. + # This ensures whole 512 bytes sector sizes in the disk image + # and helps towards aligning partitions optimally. + if (( diskSize % mebibyte )); then + diskSize=$(( ( diskSize / mebibyte + 1) * mebibyte )) + fi + + truncate -s "$diskSize" $diskImage + + printf "Automatic disk size...\n" + printf " Closure space use: %d bytes\n" $diskUsage + printf " fudge: %d bytes\n" $fudge + printf " Filesystem size needed: %d bytes\n" $requiredFilesystemSpace + printf " Additional space: %d bytes\n" $additionalSpace + printf " Disk image size: %d bytes\n" $diskSize '' else '' truncate -s ${toString diskSize}M $diskImage ''} @@ -251,9 +314,9 @@ let format' = format; in let # Get start & length of the root partition in sectors to $START and $SECTORS. eval $(partx $diskImage -o START,SECTORS --nr ${rootPartition} --pairs) - mkfs.${fsType} -F -L ${label} $diskImage -E offset=$(sectorsToBytes $START) $(sectorsToKilobytes $SECTORS)K + mkfs.${fsType} -b ${blockSize} -F -L ${label} $diskImage -E offset=$(sectorsToBytes $START) $(sectorsToKilobytes $SECTORS)K '' else '' - mkfs.${fsType} -F -L ${label} $diskImage + mkfs.${fsType} -b ${blockSize} -F -L ${label} $diskImage ''} echo "copying staging root to image..." @@ -283,6 +346,9 @@ in pkgs.vmTools.runInLinuxVM ( # Some tools assume these exist ln -s vda /dev/xvda ln -s vda /dev/sda + # make systemd-boot find ESP without udev + mkdir /dev/block + ln -s /dev/vda1 /dev/block/254:1 mountPoint=/mnt mkdir $mountPoint diff --git a/nixos/lib/make-options-doc/default.nix b/nixos/lib/make-options-doc/default.nix index a1161621f0d49..14015ab64abb7 100644 --- a/nixos/lib/make-options-doc/default.nix +++ b/nixos/lib/make-options-doc/default.nix @@ -126,11 +126,37 @@ let } ''; + singleMDDoc = name: value: '' + ## ${lib.escape [ "<" ">" ] name} + ${value.description} + + ${lib.optionalString (value ? type) '' + *_Type_*: + ${value.type} + ''} + + ${lib.optionalString (value ? default) '' + *_Default_* + ``` + ${builtins.toJSON value.default} + ``` + ''} + + ${lib.optionalString (value ? example) '' + *_Example_* + ``` + ${builtins.toJSON value.example} + ``` + ''} + ''; + in { inherit optionsNix; optionsAsciiDoc = lib.concatStringsSep "\n" (lib.mapAttrsToList singleAsciiDoc optionsNix); + optionsMDDoc = lib.concatStringsSep "\n" (lib.mapAttrsToList singleMDDoc optionsNix); + optionsJSON = pkgs.runCommand "options.json" { meta.description = "List of NixOS options in JSON format"; buildInputs = [ pkgs.brotli ]; diff --git a/nixos/lib/test-driver/test-driver.py b/nixos/lib/test-driver/test-driver.py index 96b75a49928f0..e216e566f2867 100644 --- a/nixos/lib/test-driver/test-driver.py +++ b/nixos/lib/test-driver/test-driver.py @@ -1,8 +1,9 @@ #! /somewhere/python3 from contextlib import contextmanager, _GeneratorContextManager from queue import Queue, Empty -from typing import Tuple, Any, Callable, Dict, Iterator, Optional, List +from typing import Tuple, Any, Callable, Dict, Iterator, Optional, List, Iterable from xml.sax.saxutils import XMLGenerator +from colorama import Style import queue import io import _thread @@ -151,6 +152,8 @@ class Logger: self.xml.startDocument() self.xml.startElement("logfile", attrs={}) + self._print_serial_logs = True + def close(self) -> None: self.xml.endElement("logfile") self.xml.endDocument() @@ -174,15 +177,21 @@ class Logger: self.drain_log_queue() self.log_line(message, attributes) - def enqueue(self, message: Dict[str, str]) -> None: - self.queue.put(message) + def log_serial(self, message: str, machine: str) -> None: + self.enqueue({"msg": message, "machine": machine, "type": "serial"}) + if self._print_serial_logs: + eprint(Style.DIM + "{} # {}".format(machine, message) + Style.RESET_ALL) + + def enqueue(self, item: Dict[str, str]) -> None: + self.queue.put(item) def drain_log_queue(self) -> None: try: while True: item = self.queue.get_nowait() - attributes = {"machine": item["machine"], "type": "serial"} - self.log_line(self.sanitise(item["msg"]), attributes) + msg = self.sanitise(item["msg"]) + del item["msg"] + self.log_line(msg, item) except Empty: pass @@ -205,6 +214,37 @@ class Logger: self.xml.endElement("nest") +def _perform_ocr_on_screenshot( + screenshot_path: str, model_ids: Iterable[int] +) -> List[str]: + if shutil.which("tesseract") is None: + raise Exception("OCR requested but enableOCR is false") + + magick_args = ( + "-filter Catrom -density 72 -resample 300 " + + "-contrast -normalize -despeckle -type grayscale " + + "-sharpen 1 -posterize 3 -negate -gamma 100 " + + "-blur 1x65535" + ) + + tess_args = f"-c debug_file=/dev/null --psm 11" + + cmd = f"convert {magick_args} {screenshot_path} tiff:{screenshot_path}.tiff" + ret = subprocess.run(cmd, shell=True, capture_output=True) + if ret.returncode != 0: + raise Exception(f"TIFF conversion failed with exit code {ret.returncode}") + + model_results = [] + for model_id in model_ids: + cmd = f"tesseract {screenshot_path}.tiff - {tess_args} --oem {model_id}" + ret = subprocess.run(cmd, shell=True, capture_output=True) + if ret.returncode != 0: + raise Exception(f"OCR failed with exit code {ret.returncode}") + model_results.append(ret.stdout.decode("utf-8")) + + return model_results + + class Machine: def __init__(self, args: Dict[str, Any]) -> None: if "name" in args: @@ -276,8 +316,9 @@ class Machine: start_command += "-cdrom " + args["cdrom"] + " " if "usb" in args: + # https://github.com/qemu/qemu/blob/master/docs/usb2.txt start_command += ( - "-device piix3-usb-uhci -drive " + "-device usb-ehci -drive " + "id=usbdisk,file=" + args["usb"] + ",if=none,readonly " @@ -296,6 +337,9 @@ class Machine: def log(self, msg: str) -> None: self.logger.log(msg, {"machine": self.name}) + def log_serial(self, msg: str) -> None: + self.logger.log_serial(msg, self.name) + def nested(self, msg: str, attrs: Dict[str, str] = {}) -> _GeneratorContextManager: my_attrs = {"machine": self.name} my_attrs.update(attrs) @@ -637,43 +681,29 @@ class Machine: """Debugging: Dump the contents of the TTY<n>""" self.execute("fold -w 80 /dev/vcs{} | systemd-cat".format(tty)) - def get_screen_text(self) -> str: - if shutil.which("tesseract") is None: - raise Exception("get_screen_text used but enableOCR is false") - - magick_args = ( - "-filter Catrom -density 72 -resample 300 " - + "-contrast -normalize -despeckle -type grayscale " - + "-sharpen 1 -posterize 3 -negate -gamma 100 " - + "-blur 1x65535" - ) - - tess_args = "-c debug_file=/dev/null --psm 11 --oem 2" + def _get_screen_text_variants(self, model_ids: Iterable[int]) -> List[str]: + with tempfile.TemporaryDirectory() as tmpdir: + screenshot_path = os.path.join(tmpdir, "ppm") + self.send_monitor_command(f"screendump {screenshot_path}") + return _perform_ocr_on_screenshot(screenshot_path, model_ids) - with self.nested("performing optical character recognition"): - with tempfile.NamedTemporaryFile() as tmpin: - self.send_monitor_command("screendump {}".format(tmpin.name)) + def get_screen_text_variants(self) -> List[str]: + return self._get_screen_text_variants([0, 1, 2]) - cmd = "convert {} {} tiff:- | tesseract - - {}".format( - magick_args, tmpin.name, tess_args - ) - ret = subprocess.run(cmd, shell=True, capture_output=True) - if ret.returncode != 0: - raise Exception( - "OCR failed with exit code {}".format(ret.returncode) - ) - - return ret.stdout.decode("utf-8") + def get_screen_text(self) -> str: + return self._get_screen_text_variants([2])[0] def wait_for_text(self, regex: str) -> None: def screen_matches(last: bool) -> bool: - text = self.get_screen_text() - matches = re.search(regex, text) is not None + variants = self.get_screen_text_variants() + for text in variants: + if re.search(regex, text) is not None: + return True - if last and not matches: - self.log("Last OCR attempt failed. Text was: {}".format(text)) + if last: + self.log("Last OCR attempt failed. Text was: {}".format(variants)) - return matches + return False with self.nested("waiting for {} to appear on screen".format(regex)): retry(screen_matches) @@ -718,6 +748,7 @@ class Machine: shell_path = os.path.join(self.state_dir, "shell") self.shell_socket = create_socket(shell_path) + display_available = any(x in os.environ for x in ["DISPLAY", "WAYLAND_DISPLAY"]) qemu_options = ( " ".join( [ @@ -727,7 +758,7 @@ class Machine: "-device virtio-serial", "-device virtconsole,chardev=shell", "-device virtio-rng-pci", - "-serial stdio" if "DISPLAY" in os.environ else "-nographic", + "-serial stdio" if display_available else "-nographic", ] ) + " " @@ -766,8 +797,7 @@ class Machine: # Ignore undecodable bytes that may occur in boot menus line = _line.decode(errors="ignore").replace("\r", "").rstrip() self.last_lines.put(line) - eprint("{} # {}".format(self.name, line)) - self.logger.enqueue({"msg": line, "machine": self.name}) + self.log_serial(line) _thread.start_new_thread(process_serial_output, ()) @@ -909,6 +939,16 @@ def run_tests() -> None: machine.execute("sync") +def serial_stdout_on() -> None: + global log + log._print_serial_logs = True + + +def serial_stdout_off() -> None: + global log + log._print_serial_logs = False + + @contextmanager def subtest(name: str) -> Iterator[None]: with log.nested(name): diff --git a/nixos/lib/testing-python.nix b/nixos/lib/testing-python.nix index 6192be1cd0532..c9d4f0f0861d8 100644 --- a/nixos/lib/testing-python.nix +++ b/nixos/lib/testing-python.nix @@ -25,13 +25,21 @@ rec { name = "nixos-test-driver"; nativeBuildInputs = [ makeWrapper ]; - buildInputs = [ (python3.withPackages (p: [ p.ptpython ])) ]; + buildInputs = [ (python3.withPackages (p: [ p.ptpython p.colorama ])) ]; checkInputs = with python3Packages; [ pylint black mypy ]; dontUnpack = true; preferLocalBuild = true; + buildPhase = '' + python <<EOF + from pydoc import importfile + with open('driver-exports', 'w') as fp: + fp.write(','.join(dir(importfile('${testDriverScript}')))) + EOF + ''; + doCheck = true; checkPhase = '' mypy --disallow-untyped-defs \ @@ -50,12 +58,19 @@ rec { wrapProgram $out/bin/nixos-test-driver \ --prefix PATH : "${lib.makeBinPath [ qemu_pkg vde2 netpbm coreutils ]}" \ + + install -m 0644 -vD driver-exports $out/nix-support/driver-exports ''; }; # Run an automated test suite in the given virtual network. - # `driver' is the script that runs the network. - runTests = driver: + runTests = { + # the script that runs the network + driver, + # a source position in the format of builtins.unsafeGetAttrPos + # for meta.position + pos, + }: stdenv.mkDerivation { name = "vm-test-run-${driver.testName}"; @@ -68,7 +83,11 @@ rec { LOGFILE=/dev/null tests='exec(os.environ["testScript"])' ${driver}/bin/nixos-test-driver ''; - passthru = driver.passthru; + passthru = driver.passthru // { + inherit driver; + }; + + inherit pos; }; @@ -79,6 +98,11 @@ rec { # Skip linting (mainly intended for faster dev cycles) , skipLint ? false , passthru ? {} + , # For meta.position + pos ? # position used in error messages and for meta.position + (if t.meta.description or null != null + then builtins.unsafeGetAttrPos "description" t.meta + else builtins.unsafeGetAttrPos "testScript" t) , ... } @ t: let @@ -131,12 +155,10 @@ rec { "it's currently ${toString testNameLen} characters long.") else "nixos-test-driver-${name}"; - - warn = if skipLint then lib.warn "Linting is disabled!" else lib.id; in - warn (runCommand testDriverName + lib.warnIf skipLint "Linting is disabled" (runCommand testDriverName { - buildInputs = [ makeWrapper ]; + nativeBuildInputs = [ makeWrapper ]; testScript = testScript'; preferLocalBuild = true; testName = name; @@ -149,7 +171,10 @@ rec { echo -n "$testScript" > $out/test-script ${lib.optionalString (!skipLint) '' - ${python3Packages.black}/bin/black --check --diff $out/test-script + PYFLAKES_BUILTINS="$( + echo -n ${lib.escapeShellArg (lib.concatStringsSep "," nodeHostNames)}, + < ${lib.escapeShellArg "${testDriver}/nix-support/driver-exports"} + )" ${python3Packages.pyflakes}/bin/pyflakes $out/test-script ''} ln -s ${testDriver}/bin/nixos-test-driver $out/bin/ @@ -176,13 +201,15 @@ rec { driver = mkDriver null; driverInteractive = mkDriver pkgs.qemu; - test = passMeta (runTests driver); + test = passMeta (runTests { inherit driver pos; }); nodeNames = builtins.attrNames driver.nodes; invalidNodeNames = lib.filter (node: builtins.match "^[A-z_]([A-z0-9_]+)?$" node == null) nodeNames; + nodeHostNames = map (c: c.config.system.name) (lib.attrValues driver.nodes); + in if lib.length invalidNodeNames > 0 then throw '' diff --git a/nixos/maintainers/scripts/cloudstack/cloudstack-image.nix b/nixos/maintainers/scripts/cloudstack/cloudstack-image.nix index 37b46db059c06..005f75476e9a6 100644 --- a/nixos/maintainers/scripts/cloudstack/cloudstack-image.nix +++ b/nixos/maintainers/scripts/cloudstack/cloudstack-image.nix @@ -10,7 +10,6 @@ with lib; system.build.cloudstackImage = import ../../../lib/make-disk-image.nix { inherit lib config pkgs; - diskSize = 8192; format = "qcow2"; configFile = pkgs.writeText "configuration.nix" '' diff --git a/nixos/maintainers/scripts/ec2/amazon-image.nix b/nixos/maintainers/scripts/ec2/amazon-image.nix index 0ecf07669a119..677aff4421e05 100644 --- a/nixos/maintainers/scripts/ec2/amazon-image.nix +++ b/nixos/maintainers/scripts/ec2/amazon-image.nix @@ -40,8 +40,9 @@ in { }; sizeMB = mkOption { - type = types.int; + type = with types; either (enum [ "auto" ]) int; default = if config.ec2.hvm then 2048 else 8192; + example = 8192; description = "The size in MB of the image"; }; diff --git a/nixos/maintainers/scripts/openstack/openstack-image.nix b/nixos/maintainers/scripts/openstack/openstack-image.nix index 4c464f43f61d8..3255e7f3d44d6 100644 --- a/nixos/maintainers/scripts/openstack/openstack-image.nix +++ b/nixos/maintainers/scripts/openstack/openstack-image.nix @@ -12,8 +12,8 @@ with lib; system.build.openstackImage = import ../../../lib/make-disk-image.nix { inherit lib config; + additionalSpace = "1024M"; pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package - diskSize = 8192; format = "qcow2"; configFile = pkgs.writeText "configuration.nix" '' diff --git a/nixos/modules/config/console.nix b/nixos/modules/config/console.nix index 84ad76246fdb7..5be7f06c05d93 100644 --- a/nixos/modules/config/console.nix +++ b/nixos/modules/config/console.nix @@ -82,8 +82,7 @@ in packages = mkOption { type = types.listOf types.package; - default = with pkgs.kbdKeymaps; [ dvp neo ]; - defaultText = "with pkgs.kbdKeymaps; [ dvp neo ]"; + default = [ ]; description = '' List of additional packages that provide console fonts, keymaps and other resources for virtual consoles use. diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix index 6e7b8c4b88a20..72827c5abaae8 100644 --- a/nixos/modules/config/fonts/fontconfig.nix +++ b/nixos/modules/config/fonts/fontconfig.nix @@ -448,6 +448,40 @@ in (mkIf cfg.enable { environment.systemPackages = [ pkgs.fontconfig ]; environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/"; + security.apparmor.includes."abstractions/fonts" = '' + # fonts.conf + r ${pkg.out}/etc/fonts/fonts.conf, + + # fontconfig default config files + r ${pkg.out}/etc/fonts/conf.d/*.conf, + + # 00-nixos-cache.conf + r ${cacheConf}, + + # 10-nixos-rendering.conf + r ${renderConf}, + + # 50-user.conf + ${optionalString cfg.includeUserConf '' + r ${pkg.out}/etc/fonts/conf.d.bak/50-user.conf, + ''} + + # local.conf (indirect priority 51) + ${optionalString (cfg.localConf != "") '' + r ${localConf}, + ''} + + # 52-nixos-default-fonts.conf + r ${defaultFontsConf}, + + # 53-no-bitmaps.conf + r ${rejectBitmaps}, + + ${optionalString (!cfg.allowType1) '' + # 53-nixos-reject-type1.conf + r ${rejectType1}, + ''} + ''; }) (mkIf cfg.enable { fonts.fontconfig.confPackages = [ confPkg ]; diff --git a/nixos/modules/config/iproute2.nix b/nixos/modules/config/iproute2.nix index a1d9ebcec66bf..5f41f3d21e453 100644 --- a/nixos/modules/config/iproute2.nix +++ b/nixos/modules/config/iproute2.nix @@ -18,15 +18,15 @@ in }; config = mkIf cfg.enable { - environment.etc."iproute2/bpf_pinning" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/bpf_pinning"; }; - environment.etc."iproute2/ematch_map" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/ematch_map"; }; - environment.etc."iproute2/group" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/group"; }; - environment.etc."iproute2/nl_protos" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/nl_protos"; }; - environment.etc."iproute2/rt_dsfield" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/rt_dsfield"; }; - environment.etc."iproute2/rt_protos" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/rt_protos"; }; - environment.etc."iproute2/rt_realms" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/rt_realms"; }; - environment.etc."iproute2/rt_scopes" = { mode = "0644"; text = fileContents "${pkgs.iproute}/etc/iproute2/rt_scopes"; }; - environment.etc."iproute2/rt_tables" = { mode = "0644"; text = (fileContents "${pkgs.iproute}/etc/iproute2/rt_tables") + environment.etc."iproute2/bpf_pinning" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/bpf_pinning"; }; + environment.etc."iproute2/ematch_map" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/ematch_map"; }; + environment.etc."iproute2/group" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/group"; }; + environment.etc."iproute2/nl_protos" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/nl_protos"; }; + environment.etc."iproute2/rt_dsfield" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/rt_dsfield"; }; + environment.etc."iproute2/rt_protos" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/rt_protos"; }; + environment.etc."iproute2/rt_realms" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/rt_realms"; }; + environment.etc."iproute2/rt_scopes" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/rt_scopes"; }; + environment.etc."iproute2/rt_tables" = { mode = "0644"; text = (fileContents "${pkgs.iproute2}/etc/iproute2/rt_tables") + (optionalString (cfg.rttablesExtraConfig != "") "\n\n${cfg.rttablesExtraConfig}"); }; }; } diff --git a/nixos/modules/config/malloc.nix b/nixos/modules/config/malloc.nix index a3eb55d8a42e8..fc35993b5a810 100644 --- a/nixos/modules/config/malloc.nix +++ b/nixos/modules/config/malloc.nix @@ -87,5 +87,12 @@ in environment.etc."ld-nix.so.preload".text = '' ${providerLibPath} ''; + security.apparmor.includes = { + "abstractions/base" = '' + r /etc/ld-nix.so.preload, + r ${config.environment.etc."ld-nix.so.preload".source}, + mr ${providerLibPath}, + ''; + }; }; } diff --git a/nixos/modules/config/pulseaudio.nix b/nixos/modules/config/pulseaudio.nix index c0e90a8c26e6c..0266bbfb121db 100644 --- a/nixos/modules/config/pulseaudio.nix +++ b/nixos/modules/config/pulseaudio.nix @@ -306,6 +306,7 @@ in { description = "PulseAudio system service user"; home = stateDir; createHome = true; + isSystemUser = true; }; users.groups.pulse.gid = gid; diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 4a2647339c593..567a8b6f3b97e 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -6,6 +6,12 @@ let ids = config.ids; cfg = config.users; + isPasswdCompatible = str: !(hasInfix ":" str || hasInfix "\n" str); + passwdEntry = type: lib.types.addCheck type isPasswdCompatible // { + name = "passwdEntry ${type.name}"; + description = "${type.description}, not containing newlines or colons"; + }; + # Check whether a password hash will allow login. allowsLogin = hash: hash == "" # login without password @@ -54,7 +60,7 @@ let options = { name = mkOption { - type = types.str; + type = passwdEntry types.str; apply = x: assert (builtins.stringLength x < 32 || abort "Username '${x}' is longer than 31 characters which is not allowed!"); x; description = '' The name of the user account. If undefined, the name of the @@ -63,7 +69,7 @@ let }; description = mkOption { - type = types.str; + type = passwdEntry types.str; default = ""; example = "Alice Q. User"; description = '' @@ -92,6 +98,8 @@ let the user's UID is allocated in the range for system users (below 500) or in the range for normal users (starting at 1000). + Exactly one of <literal>isNormalUser</literal> and + <literal>isSystemUser</literal> must be true. ''; }; @@ -107,6 +115,8 @@ let <option>useDefaultShell</option> to <literal>true</literal>, and <option>isSystemUser</option> to <literal>false</literal>. + Exactly one of <literal>isNormalUser</literal> and + <literal>isSystemUser</literal> must be true. ''; }; @@ -124,7 +134,7 @@ let }; home = mkOption { - type = types.path; + type = passwdEntry types.path; default = "/var/empty"; description = "The user's home directory."; }; @@ -153,7 +163,7 @@ let }; shell = mkOption { - type = types.nullOr (types.either types.shellPackage types.path); + type = types.nullOr (types.either types.shellPackage (passwdEntry types.path)); default = pkgs.shadow; defaultText = "pkgs.shadow"; example = literalExample "pkgs.bashInteractive"; @@ -213,7 +223,7 @@ let }; hashedPassword = mkOption { - type = with types; nullOr str; + type = with types; nullOr (passwdEntry str); default = null; description = '' Specifies the hashed password for the user. @@ -247,7 +257,7 @@ let }; initialHashedPassword = mkOption { - type = with types; nullOr str; + type = with types; nullOr (passwdEntry str); default = null; description = '' Specifies the initial hashed password for the user, i.e. the @@ -319,7 +329,7 @@ let options = { name = mkOption { - type = types.str; + type = passwdEntry types.str; description = '' The name of the group. If undefined, the name of the attribute set will be used. @@ -336,7 +346,7 @@ let }; members = mkOption { - type = with types; listOf str; + type = with types; listOf (passwdEntry str); default = []; description = '' The user names of the group members, added to the @@ -521,6 +531,7 @@ in { }; nobody = { uid = ids.uids.nobody; + isSystemUser = true; description = "Unprivileged account (don't use!)"; group = "nogroup"; }; @@ -608,17 +619,28 @@ in { Neither the root account nor any wheel user has a password or SSH authorized key. You must set one to prevent being locked out of your system.''; } - ] ++ flip mapAttrsToList cfg.users (name: user: - { + ] ++ flatten (flip mapAttrsToList cfg.users (name: user: + [ + { assertion = (user.hashedPassword != null) - -> (builtins.match ".*:.*" user.hashedPassword == null); + -> (builtins.match ".*:.*" user.hashedPassword == null); message = '' - The password hash of user "${user.name}" contains a ":" character. - This is invalid and would break the login system because the fields - of /etc/shadow (file where hashes are stored) are colon-separated. - Please check the value of option `users.users."${user.name}".hashedPassword`.''; - } - ); + The password hash of user "${user.name}" contains a ":" character. + This is invalid and would break the login system because the fields + of /etc/shadow (file where hashes are stored) are colon-separated. + Please check the value of option `users.users."${user.name}".hashedPassword`.''; + } + { + assertion = let + xor = a: b: a && !b || b && !a; + isEffectivelySystemUser = user.isSystemUser || (user.uid != null && user.uid < 500); + in xor isEffectivelySystemUser user.isNormalUser; + message = '' + Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set. + ''; + } + ] + )); warnings = builtins.filter (x: x != null) ( diff --git a/nixos/modules/hardware/keyboard/teck.nix b/nixos/modules/hardware/keyboard/teck.nix new file mode 100644 index 0000000000000..091ddb81962e6 --- /dev/null +++ b/nixos/modules/hardware/keyboard/teck.nix @@ -0,0 +1,16 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.hardware.keyboard.teck; +in +{ + options.hardware.keyboard.teck = { + enable = mkEnableOption "non-root access to the firmware of TECK keyboards"; + }; + + config = mkIf cfg.enable { + services.udev.packages = [ pkgs.teck-udev-rules ]; + }; +} + diff --git a/nixos/modules/hardware/opengl.nix b/nixos/modules/hardware/opengl.nix index 061528f4b1b53..a50b5d32c3580 100644 --- a/nixos/modules/hardware/opengl.nix +++ b/nixos/modules/hardware/opengl.nix @@ -63,8 +63,7 @@ in description = '' On 64-bit systems, whether to support Direct Rendering for 32-bit applications (such as Wine). This is currently only - supported for the <literal>nvidia</literal> and - <literal>ati_unfree</literal> drivers, as well as + supported for the <literal>nvidia</literal> as well as <literal>Mesa</literal>. ''; }; diff --git a/nixos/modules/hardware/printers.nix b/nixos/modules/hardware/printers.nix index 752de41f26dec..c587076dcd18e 100644 --- a/nixos/modules/hardware/printers.nix +++ b/nixos/modules/hardware/printers.nix @@ -15,7 +15,7 @@ let ${ppdOptionsString p.ppdOptions} ''; ensureDefaultPrinter = name: '' - ${pkgs.cups}/bin/lpoptions -d '${name}' + ${pkgs.cups}/bin/lpadmin -d '${name}' ''; # "graph but not # or /" can't be implemented as regex alone due to missing lookahead support diff --git a/nixos/modules/hardware/rtl-sdr.nix b/nixos/modules/hardware/rtl-sdr.nix index 77c8cb59a3d58..9605c7967f61d 100644 --- a/nixos/modules/hardware/rtl-sdr.nix +++ b/nixos/modules/hardware/rtl-sdr.nix @@ -6,14 +6,13 @@ let in { options.hardware.rtl-sdr = { enable = lib.mkEnableOption '' - Enables rtl-sdr udev rules and ensures 'plugdev' group exists. - This is a prerequisite to using devices supported by rtl-sdr without - being root, since rtl-sdr USB descriptors will be owned by plugdev - through udev. + Enables rtl-sdr udev rules, ensures 'plugdev' group exists, and blacklists DVB kernel modules. + This is a prerequisite to using devices supported by rtl-sdr without being root, since rtl-sdr USB descriptors will be owned by plugdev through udev. ''; }; config = lib.mkIf cfg.enable { + boot.blacklistedKernelModules = [ "dvb_usb_rtl28xxu" "e4000" "rtl2832" ]; services.udev.packages = [ pkgs.rtl-sdr ]; users.groups.plugdev = {}; }; diff --git a/nixos/modules/hardware/system-76.nix b/nixos/modules/hardware/system-76.nix index 48eb63f4f22de..ed661fd3303bb 100644 --- a/nixos/modules/hardware/system-76.nix +++ b/nixos/modules/hardware/system-76.nix @@ -17,6 +17,9 @@ let firmware-pkg = pkgs.system76-firmware; firmwareConfig = mkIf cfg.firmware-daemon.enable { + # Make system76-firmware-cli usable by root from the command line. + environment.systemPackages = [ firmware-pkg ]; + services.dbus.packages = [ firmware-pkg ]; systemd.services.system76-firmware-daemon = { diff --git a/nixos/modules/hardware/video/ati.nix b/nixos/modules/hardware/video/ati.nix deleted file mode 100644 index 06d3ea324d8d5..0000000000000 --- a/nixos/modules/hardware/video/ati.nix +++ /dev/null @@ -1,40 +0,0 @@ -# This module provides the proprietary ATI X11 / OpenGL drivers. - -{ config, lib, pkgs, ... }: - -with lib; - -let - - drivers = config.services.xserver.videoDrivers; - - enabled = elem "ati_unfree" drivers; - - ati_x11 = config.boot.kernelPackages.ati_drivers_x11; - -in - -{ - - config = mkIf enabled { - - nixpkgs.config.xorg.abiCompat = "1.17"; - - services.xserver.drivers = singleton - { name = "fglrx"; modules = [ ati_x11 ]; display = true; }; - - hardware.opengl.package = ati_x11; - hardware.opengl.package32 = pkgs.pkgsi686Linux.linuxPackages.ati_drivers_x11.override { libsOnly = true; kernel = null; }; - hardware.opengl.setLdLibraryPath = true; - - environment.systemPackages = [ ati_x11 ]; - - boot.extraModulePackages = [ ati_x11 ]; - - boot.blacklistedKernelModules = [ "radeon" ]; - - environment.etc.ati.source = "${ati_x11}/etc/ati"; - - }; - -} diff --git a/nixos/modules/hardware/xpadneo.nix b/nixos/modules/hardware/xpadneo.nix index d504697e61fd9..dbc4ba2125604 100644 --- a/nixos/modules/hardware/xpadneo.nix +++ b/nixos/modules/hardware/xpadneo.nix @@ -24,6 +24,6 @@ in }; meta = { - maintainers = with maintainers; [ metadark ]; + maintainers = with maintainers; [ kira-bruneau ]; }; } diff --git a/nixos/modules/i18n/input-method/default.nix b/nixos/modules/i18n/input-method/default.nix index 4649f9b862a5a..bbc5783565a3b 100644 --- a/nixos/modules/i18n/input-method/default.nix +++ b/nixos/modules/i18n/input-method/default.nix @@ -29,7 +29,7 @@ in options.i18n = { inputMethod = { enabled = mkOption { - type = types.nullOr (types.enum [ "ibus" "fcitx" "fcitx5" "nabi" "uim" "hime" ]); + type = types.nullOr (types.enum [ "ibus" "fcitx" "fcitx5" "nabi" "uim" "hime" "kime" ]); default = null; example = "fcitx"; description = '' @@ -46,6 +46,7 @@ in <listitem><para>nabi: A Korean input method based on XIM. Nabi doesn't support Qt 5.</para></listitem> <listitem><para>uim: The universal input method, is a library with a XIM bridge. uim mainly support Chinese, Japanese and Korean.</para></listitem> <listitem><para>hime: An extremely easy-to-use input method framework.</para></listitem> + <listitem><para>kime: Koream IME.</para></listitem> </itemizedlist> ''; }; diff --git a/nixos/modules/i18n/input-method/default.xml b/nixos/modules/i18n/input-method/default.xml index 73911059f8a61..dd66316c73080 100644 --- a/nixos/modules/i18n/input-method/default.xml +++ b/nixos/modules/i18n/input-method/default.xml @@ -40,6 +40,11 @@ Hime: An extremely easy-to-use input method framework. </para> </listitem> + <listitem> + <para> + Kime: Korean IME + </para> + </listitem> </itemizedlist> <section xml:id="module-services-input-methods-ibus"> <title>IBus</title> @@ -266,4 +271,21 @@ i18n.inputMethod = { }; </programlisting> </section> + <section xml:id="module-services-input-methods-kime"> + <title>Kime</title> + + <para> + Kime is Korean IME. it's built with Rust language and let you get simple, safe, fast Korean typing + </para> + + <para> + The following snippet can be used to configure Kime: + </para> + +<programlisting> +i18n.inputMethod = { + <link linkend="opt-i18n.inputMethod.enabled">enabled</link> = "kime"; +}; +</programlisting> + </section> </chapter> diff --git a/nixos/modules/i18n/input-method/kime.nix b/nixos/modules/i18n/input-method/kime.nix new file mode 100644 index 0000000000000..2a73cb3f46059 --- /dev/null +++ b/nixos/modules/i18n/input-method/kime.nix @@ -0,0 +1,49 @@ +{ config, pkgs, lib, generators, ... }: +with lib; +let + cfg = config.i18n.inputMethod.kime; + yamlFormat = pkgs.formats.yaml { }; +in +{ + options = { + i18n.inputMethod.kime = { + config = mkOption { + type = yamlFormat.type; + default = { }; + example = literalExample '' + { + daemon = { + modules = ["Xim" "Indicator"]; + }; + + indicator = { + icon_color = "White"; + }; + + engine = { + hangul = { + layout = "dubeolsik"; + }; + }; + } + ''; + description = '' + kime configuration. Refer to <link xlink:href="https://github.com/Riey/kime/blob/v${pkgs.kime.version}/docs/CONFIGURATION.md"/> for details on supported values. + ''; + }; + }; + }; + + config = mkIf (config.i18n.inputMethod.enabled == "kime") { + i18n.inputMethod.package = pkgs.kime; + + environment.variables = { + GTK_IM_MODULE = "kime"; + QT_IM_MODULE = "kime"; + XMODIFIERS = "@im=kime"; + }; + + environment.etc."xdg/kime/config.yaml".text = replaceStrings [ "\\\\" ] [ "\\" ] (builtins.toJSON cfg.config); + }; +} + diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix index 803bae4212ef7..12ad8a4ae0046 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix @@ -9,7 +9,7 @@ with lib; isoImage.edition = "gnome"; - services.xserver.desktopManager.gnome3 = { + services.xserver.desktopManager.gnome = { # Add firefox to favorite-apps favoriteAppsOverride = '' [org.gnome.shell] diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 1418420afcd98..c2836b5a9a1b7 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -162,12 +162,14 @@ let isolinuxCfg = concatStringsSep "\n" ([ baseIsolinuxCfg ] ++ optional config.boot.loader.grub.memtest86.enable isolinuxMemtest86Entry); + refindBinary = if targetArch == "x64" || targetArch == "aa64" then "refind_${targetArch}.efi" else null; + # Setup instructions for rEFInd. refind = - if targetArch == "x64" then + if refindBinary != null then '' # Adds rEFInd to the ISO. - cp -v ${pkgs.refind}/share/refind/refind_x64.efi $out/EFI/boot/ + cp -v ${pkgs.refind}/share/refind/${refindBinary} $out/EFI/boot/ '' else "# No refind for ${targetArch}" @@ -180,13 +182,32 @@ let # Menu configuration # + # Search using a "marker file" + search --set=root --file /EFI/nixos-installer-image + insmod gfxterm insmod png set gfxpayload=keep + set gfxmode=${concatStringsSep "," [ + # GRUB will use the first valid mode listed here. + # `auto` will sometimes choose the smallest valid mode it detects. + # So instead we'll list a lot of possibly valid modes :/ + #"3840x2160" + #"2560x1440" + "1920x1080" + "1366x768" + "1280x720" + "1024x768" + "800x600" + "auto" + ]} # Fonts can be loaded? # (This font is assumed to always be provided as a fallback by NixOS) - if loadfont (hd0)/EFI/boot/unicode.pf2; then + if loadfont (\$root)/EFI/boot/unicode.pf2; then + set with_fonts=true + fi + if [ "\$textmode" != "true" -a "\$with_fonts" == "true" ]; then # Use graphical term, it can be either with background image or a theme. # input is "console", while output is "gfxterm". # This enables "serial" input and output only when possible. @@ -207,11 +228,11 @@ let ${ # When there is a theme configured, use it, otherwise use the background image. if config.isoImage.grubTheme != null then '' # Sets theme. - set theme=(hd0)/EFI/boot/grub-theme/theme.txt + set theme=(\$root)/EFI/boot/grub-theme/theme.txt # Load theme fonts - $(find ${config.isoImage.grubTheme} -iname '*.pf2' -printf "loadfont (hd0)/EFI/boot/grub-theme/%P\n") + $(find ${config.isoImage.grubTheme} -iname '*.pf2' -printf "loadfont (\$root)/EFI/boot/grub-theme/%P\n") '' else '' - if background_image (hd0)/EFI/boot/efi-background.png; then + if background_image (\$root)/EFI/boot/efi-background.png; then # Black background means transparent background when there # is a background image set... This seems undocumented :( set color_normal=black/black @@ -228,9 +249,15 @@ let # Notes about grub: # * Yes, the grubMenuCfg has to be repeated in all submenus. Otherwise you # will get white-on-black console-like text on sub-menus. *sigh* - efiDir = pkgs.runCommand "efi-directory" {} '' + efiDir = pkgs.runCommand "efi-directory" { + nativeBuildInputs = [ pkgs.buildPackages.grub2_efi ]; + strictDeps = true; + } '' mkdir -p $out/EFI/boot/ + # Add a marker so GRUB can find the filesystem. + touch $out/EFI/nixos-installer-image + # ALWAYS required modules. MODULES="fat iso9660 part_gpt part_msdos \ normal boot linux configfile loopback chain halt \ @@ -258,12 +285,14 @@ let # Make our own efi program, we can't rely on "grub-install" since it seems to # probe for devices, even with --skip-fs-probe. - ${grubPkgs.grub2_efi}/bin/grub-mkimage -o $out/EFI/boot/boot${targetArch}.efi -p /EFI/boot -O ${grubPkgs.grub2_efi.grubTarget} \ + grub-mkimage --directory=${grubPkgs.grub2_efi}/lib/grub/${grubPkgs.grub2_efi.grubTarget} -o $out/EFI/boot/boot${targetArch}.efi -p /EFI/boot -O ${grubPkgs.grub2_efi.grubTarget} \ $MODULES cp ${grubPkgs.grub2_efi}/share/grub/unicode.pf2 $out/EFI/boot/ cat <<EOF > $out/EFI/boot/grub.cfg + set with_fonts=false + set textmode=false # If you want to use serial for "terminal_*" commands, you need to set one up: # Example manual configuration: # → serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1 @@ -273,8 +302,28 @@ let export with_serial clear set timeout=10 + + # This message will only be viewable when "gfxterm" is not used. + echo "" + echo "Loading graphical boot menu..." + echo "" + echo "Press 't' to use the text boot menu on this console..." + echo "" + ${grubMenuCfg} + hiddenentry 'Text mode' --hotkey 't' { + loadfont (\$root)/EFI/boot/unicode.pf2 + set textmode=true + terminal_output gfxterm console + } + hiddenentry 'GUI mode' --hotkey 'g' { + $(find ${config.isoImage.grubTheme} -iname '*.pf2' -printf "loadfont (\$root)/EFI/boot/grub-theme/%P\n") + set textmode=false + terminal_output gfxterm + } + + # If the parameter iso_path is set, append the findiso parameter to the kernel # line. We need this to allow the nixos iso to be booted from grub directly. if [ \''${iso_path} ] ; then @@ -337,11 +386,17 @@ let } } - menuentry 'rEFInd' --class refind { - # UUID is hard-coded in the derivation. + ${lib.optionalString (refindBinary != null) '' + # GRUB apparently cannot do "chainloader" operations on "CD". + if [ "\$root" != "cd0" ]; then + # Force root to be the FAT partition + # Otherwise it breaks rEFInd's boot search --set=root --no-floppy --fs-uuid 1234-5678 - chainloader (\$root)/EFI/boot/refind_x64.efi - } + menuentry 'rEFInd' --class refind { + chainloader (\$root)/EFI/boot/${refindBinary} + } + fi + ''} menuentry 'Firmware Setup' --class settings { fwsetup clear @@ -357,7 +412,10 @@ let ${refind} ''; - efiImg = pkgs.runCommand "efi-image_eltorito" { buildInputs = [ pkgs.mtools pkgs.libfaketime ]; } + efiImg = pkgs.runCommand "efi-image_eltorito" { + nativeBuildInputs = [ pkgs.buildPackages.mtools pkgs.buildPackages.libfaketime pkgs.buildPackages.dosfstools ]; + strictDeps = true; + } # Be careful about determinism: du --apparent-size, # dates (cp -p, touch, mcopy -m, faketime for label), IDs (mkfs.vfat -i) '' @@ -366,7 +424,9 @@ let mkdir ./boot cp -p "${config.boot.kernelPackages.kernel}/${config.system.boot.loader.kernelFile}" \ "${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile}" ./boot/ - touch --date=@0 ./EFI ./boot + + # Rewrite dates for everything in the FS + find . -exec touch --date=2000-01-01 {} + usage_size=$(du -sb --apparent-size . | tr -cd '[:digit:]') # Make the image 110% as big as the files need to make up for FAT overhead @@ -377,10 +437,10 @@ let echo "Usage size: $usage_size" echo "Image size: $image_size" truncate --size=$image_size "$out" - ${pkgs.libfaketime}/bin/faketime "2000-01-01 00:00:00" ${pkgs.dosfstools}/sbin/mkfs.vfat -i 12345678 -n EFIBOOT "$out" + faketime "2000-01-01 00:00:00" mkfs.vfat -i 12345678 -n EFIBOOT "$out" mcopy -psvm -i "$out" ./EFI ./boot :: # Verify the FAT partition. - ${pkgs.dosfstools}/sbin/fsck.vfat -vn "$out" + fsck.vfat -vn "$out" ''; # */ # Name used by UEFI for architectures. @@ -389,6 +449,8 @@ let "ia32" else if pkgs.stdenv.isx86_64 then "x64" + else if pkgs.stdenv.isAarch32 then + "arm" else if pkgs.stdenv.isAarch64 then "aa64" else diff --git a/nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix b/nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix deleted file mode 100644 index 79db1fa29bc43..0000000000000 --- a/nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, ... }: -{ - imports = [ - ../sd-card/sd-image-raspberrypi4-installer.nix - ]; - config = { - warnings = [ - '' - .../cd-dvd/sd-image-raspberrypi4.nix is deprecated and will eventually be removed. - Please switch to .../sd-card/sd-image-raspberrypi4-installer.nix, instead. - '' - ]; - }; -} diff --git a/nixos/modules/installer/sd-card/sd-image-aarch64.nix b/nixos/modules/installer/sd-card/sd-image-aarch64.nix index 96ebb7537da32..165e2aac27b49 100644 --- a/nixos/modules/installer/sd-card/sd-image-aarch64.nix +++ b/nixos/modules/installer/sd-card/sd-image-aarch64.nix @@ -18,13 +18,6 @@ # - ttyAMA0: for QEMU's -machine virt boot.kernelParams = ["console=ttyS0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"]; - boot.initrd.availableKernelModules = [ - # Allows early (earlier) modesetting for the Raspberry Pi - "vc4" "bcm2835_dma" "i2c_bcm2835" - # Allows early (earlier) modesetting for Allwinner SoCs - "sun4i_drm" "sun8i_drm_hdmi" "sun8i_mixer" - ]; - sdImage = { populateFirmwareCommands = let configTxt = pkgs.writeText "config.txt" '' diff --git a/nixos/modules/installer/sd-card/sd-image-raspberrypi4-installer.nix b/nixos/modules/installer/sd-card/sd-image-raspberrypi4-installer.nix deleted file mode 100644 index 59423e40b64c9..0000000000000 --- a/nixos/modules/installer/sd-card/sd-image-raspberrypi4-installer.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ - imports = [ - ../../profiles/installation-device.nix - ./sd-image-raspberrypi4.nix - ]; - - # the installation media is also the installation target, - # so we don't want to provide the installation configuration.nix. - installer.cloneConfig = false; -} diff --git a/nixos/modules/installer/sd-card/sd-image-raspberrypi4.nix b/nixos/modules/installer/sd-card/sd-image-raspberrypi4.nix deleted file mode 100644 index 35a12c5382f7e..0000000000000 --- a/nixos/modules/installer/sd-card/sd-image-raspberrypi4.nix +++ /dev/null @@ -1,8 +0,0 @@ -# To build, use: -# nix-build nixos -I nixos-config=nixos/modules/installer/sd-card/sd-image-raspberrypi4.nix -A config.system.build.sdImage -{ config, lib, pkgs, ... }: - -{ - imports = [ ./sd-image-aarch64.nix ]; - boot.kernelPackages = pkgs.linuxPackages_rpi4; -} diff --git a/nixos/modules/installer/sd-card/sd-image.nix b/nixos/modules/installer/sd-card/sd-image.nix index b811ae07eb033..d0fe79903d345 100644 --- a/nixos/modules/installer/sd-card/sd-image.nix +++ b/nixos/modules/installer/sd-card/sd-image.nix @@ -29,6 +29,7 @@ in imports = [ (mkRemovedOptionModule [ "sdImage" "bootPartitionID" ] "The FAT partition for SD image now only holds the Raspberry Pi firmware files. Use firmwarePartitionID to configure that partition's ID.") (mkRemovedOptionModule [ "sdImage" "bootSize" ] "The boot files for SD image have been moved to the main ext4 partition. The FAT partition now only holds the Raspberry Pi firmware files. Changing its size may not be required.") + ../../profiles/all-hardware.nix ]; options.sdImage = { @@ -126,6 +127,13 @@ in ''; }; + expandOnBoot = mkOption { + type = types.bool; + default = true; + description = '' + Whether to configure the sd image to expand it's partition on boot. + ''; + }; }; config = { @@ -215,7 +223,7 @@ in ''; }) {}; - boot.postBootCommands = '' + boot.postBootCommands = lib.mkIf config.sdImage.expandOnBoot '' # On the first boot do some maintenance tasks if [ -f /nix-path-registration ]; then set -euo pipefail diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix index 6b1f54beee2ea..801e28cec44ae 100644 --- a/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,6 +1,6 @@ { - x86_64-linux = "/nix/store/iwfs2bfcy7lqwhri94p2i6jc87ih55zk-nix-2.3.10"; - i686-linux = "/nix/store/a3ccfvy9i5n418d5v0bir330kbcz3vj8-nix-2.3.10"; - aarch64-linux = "/nix/store/bh5g6cv7bv35iz853d3xv2sphn51ybmb-nix-2.3.10"; - x86_64-darwin = "/nix/store/8c98r6zlwn2d40qm7jnnrr2rdlqviszr-nix-2.3.10"; + x86_64-linux = "/nix/store/d1ppfhjhdwcsb4npfzyifv5z8i00fzsk-nix-2.3.11"; + i686-linux = "/nix/store/c6ikndcrzwpfn2sb5b9xb1f17p9b8iga-nix-2.3.11"; + aarch64-linux = "/nix/store/fb0lfrn0m8s197d264jzd64vhz9c8zbx-nix-2.3.11"; + x86_64-darwin = "/nix/store/qvb86ffv08q3r66qbd6nqifz425lyyhf-nix-2.3.11"; } diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 9d49d4055e431..ea9667995e13f 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -125,7 +125,7 @@ fi # Resolve the flake. if [[ -n $flake ]]; then - flake=$(nix "${flakeFlags[@]}" flake info --json "${extraBuildFlags[@]}" "${lockFlags[@]}" -- "$flake" | jq -r .url) + flake=$(nix "${flakeFlags[@]}" flake metadata --json "${extraBuildFlags[@]}" "${lockFlags[@]}" -- "$flake" | jq -r .url) fi if [[ ! -e $NIXOS_CONFIG && -z $system && -z $flake ]]; then diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index 77c974fc22c0a..cb2dbf6c85919 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -163,7 +163,8 @@ in # List packages installed in system profile. To search, run: # \$ nix search wget # environment.systemPackages = with pkgs; [ - # wget vim + # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + # wget # firefox # ]; diff --git a/nixos/modules/installer/virtualbox-demo.nix b/nixos/modules/installer/virtualbox-demo.nix index af3e1aecca713..2768e17590b39 100644 --- a/nixos/modules/installer/virtualbox-demo.nix +++ b/nixos/modules/installer/virtualbox-demo.nix @@ -44,7 +44,7 @@ with lib; # Enable GDM/GNOME by uncommenting above two lines and two lines below. # services.xserver.displayManager.gdm.enable = true; - # services.xserver.desktopManager.gnome3.enable = true; + # services.xserver.desktopManager.gnome.enable = true; # Set your time zone. # time.timeZone = "Europe/Amsterdam"; diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 1fd56adfe103b..05cc5002aaf62 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -315,7 +315,7 @@ in restya-board = 284; mighttpd2 = 285; hass = 286; - monero = 287; + #monero = 287; # dynamically allocated as of 2021-05-08 ceph = 288; duplicati = 289; monetdb = 290; @@ -617,7 +617,7 @@ in restya-board = 284; mighttpd2 = 285; hass = 286; - monero = 287; + # monero = 287; # dynamically allocated as of 2021-05-08 ceph = 288; duplicati = 289; monetdb = 290; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index b0359eb43af92..aa4e2ccc46bce 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -49,6 +49,7 @@ ./hardware/i2c.nix ./hardware/sensor/hddtemp.nix ./hardware/sensor/iio.nix + ./hardware/keyboard/teck.nix ./hardware/keyboard/zsa.nix ./hardware/ksm.nix ./hardware/ledger.nix @@ -75,7 +76,6 @@ ./hardware/wooting.nix ./hardware/uinput.nix ./hardware/video/amdgpu-pro.nix - ./hardware/video/ati.nix ./hardware/video/capture/mwprocapture.nix ./hardware/video/bumblebee.nix ./hardware/video/displaylink.nix @@ -92,6 +92,7 @@ ./i18n/input-method/ibus.nix ./i18n/input-method/nabi.nix ./i18n/input-method/uim.nix + ./i18n/input-method/kime.nix ./installer/tools/tools.nix ./misc/assertions.nix ./misc/crashdump.nix @@ -112,6 +113,9 @@ ./programs/autojump.nix ./programs/bandwhich.nix ./programs/bash/bash.nix + ./programs/bash/bash-completion.nix + ./programs/bash/ls-colors.nix + ./programs/bash/undistract-me.nix ./programs/bash-my-aws.nix ./programs/bcc.nix ./programs/browserpass.nix @@ -128,9 +132,11 @@ ./programs/droidcam.nix ./programs/environment.nix ./programs/evince.nix + ./programs/feedbackd.nix ./programs/file-roller.nix ./programs/firejail.nix ./programs/fish.nix + ./programs/flexoptix-app.nix ./programs/freetds.nix ./programs/fuse.nix ./programs/geary.nix @@ -156,10 +162,12 @@ ./programs/neovim.nix ./programs/nm-applet.nix ./programs/npm.nix + ./programs/noisetorch.nix ./programs/oblogout.nix ./programs/partition-manager.nix ./programs/plotinus.nix ./programs/proxychains.nix + ./programs/phosh.nix ./programs/qt5ct.nix ./programs/screen.nix ./programs/sedutil.nix @@ -203,7 +211,6 @@ ./rename.nix ./security/acme.nix ./security/apparmor.nix - ./security/apparmor-suid.nix ./security/audit.nix ./security/auditd.nix ./security/ca.nix @@ -231,6 +238,7 @@ ./services/amqp/activemq/default.nix ./services/amqp/rabbitmq.nix ./services/audio/alsa.nix + ./services/audio/botamusique.nix ./services/audio/jack.nix ./services/audio/icecast.nix ./services/audio/jmusicbot.nix @@ -288,6 +296,7 @@ ./services/continuous-integration/hail.nix ./services/continuous-integration/hercules-ci-agent/default.nix ./services/continuous-integration/hydra/default.nix + ./services/continuous-integration/github-runner.nix ./services/continuous-integration/gitlab-runner.nix ./services/continuous-integration/gocd-agent/default.nix ./services/continuous-integration/gocd-server/default.nix @@ -330,21 +339,21 @@ ./services/desktops/malcontent.nix ./services/desktops/pipewire/pipewire.nix ./services/desktops/pipewire/pipewire-media-session.nix - ./services/desktops/gnome3/at-spi2-core.nix - ./services/desktops/gnome3/chrome-gnome-shell.nix - ./services/desktops/gnome3/evolution-data-server.nix - ./services/desktops/gnome3/glib-networking.nix - ./services/desktops/gnome3/gnome-initial-setup.nix - ./services/desktops/gnome3/gnome-keyring.nix - ./services/desktops/gnome3/gnome-online-accounts.nix - ./services/desktops/gnome3/gnome-online-miners.nix - ./services/desktops/gnome3/gnome-remote-desktop.nix - ./services/desktops/gnome3/gnome-settings-daemon.nix - ./services/desktops/gnome3/gnome-user-share.nix - ./services/desktops/gnome3/rygel.nix - ./services/desktops/gnome3/sushi.nix - ./services/desktops/gnome3/tracker.nix - ./services/desktops/gnome3/tracker-miners.nix + ./services/desktops/gnome/at-spi2-core.nix + ./services/desktops/gnome/chrome-gnome-shell.nix + ./services/desktops/gnome/evolution-data-server.nix + ./services/desktops/gnome/glib-networking.nix + ./services/desktops/gnome/gnome-initial-setup.nix + ./services/desktops/gnome/gnome-keyring.nix + ./services/desktops/gnome/gnome-online-accounts.nix + ./services/desktops/gnome/gnome-online-miners.nix + ./services/desktops/gnome/gnome-remote-desktop.nix + ./services/desktops/gnome/gnome-settings-daemon.nix + ./services/desktops/gnome/gnome-user-share.nix + ./services/desktops/gnome/rygel.nix + ./services/desktops/gnome/sushi.nix + ./services/desktops/gnome/tracker.nix + ./services/desktops/gnome/tracker-miners.nix ./services/desktops/neard.nix ./services/desktops/profile-sync-daemon.nix ./services/desktops/system-config-printer.nix @@ -365,6 +374,7 @@ ./services/games/minecraft-server.nix ./services/games/minetest-server.nix ./services/games/openarena.nix + ./services/games/quake3-server.nix ./services/games/teeworlds.nix ./services/games/terraria.nix ./services/hardware/acpid.nix @@ -462,8 +472,10 @@ ./services/misc/cgminer.nix ./services/misc/confd.nix ./services/misc/couchpotato.nix + ./services/misc/dendrite.nix ./services/misc/devmon.nix ./services/misc/dictd.nix + ./services/misc/duckling.nix ./services/misc/dwm-status.nix ./services/misc/dysnomia.nix ./services/misc/disnix.nix @@ -525,6 +537,7 @@ ./services/misc/parsoid.nix ./services/misc/plex.nix ./services/misc/plikd.nix + ./services/misc/podgrab.nix ./services/misc/tautulli.nix ./services/misc/pinnwand.nix ./services/misc/pykms.nix @@ -625,6 +638,7 @@ ./services/network-filesystems/xtreemfs.nix ./services/network-filesystems/ceph.nix ./services/networking/3proxy.nix + ./services/networking/adguardhome.nix ./services/networking/amuled.nix ./services/networking/aria2.nix ./services/networking/asterisk.nix @@ -676,6 +690,7 @@ ./services/networking/gale.nix ./services/networking/gateone.nix ./services/networking/gdomap.nix + ./services/networking/ghostunnel.nix ./services/networking/git-daemon.nix ./services/networking/gnunet.nix ./services/networking/go-neb.nix @@ -696,6 +711,9 @@ ./services/networking/iodine.nix ./services/networking/iperf3.nix ./services/networking/ircd-hybrid/default.nix + ./services/networking/iscsi/initiator.nix + ./services/networking/iscsi/root-initiator.nix + ./services/networking/iscsi/target.nix ./services/networking/iwd.nix ./services/networking/jicofo.nix ./services/networking/jitsi-videobridge.nix @@ -727,6 +745,7 @@ ./services/networking/nar-serve.nix ./services/networking/nat.nix ./services/networking/ndppd.nix + ./services/networking/nebula.nix ./services/networking/networkmanager.nix ./services/networking/nextdns.nix ./services/networking/nftables.nix @@ -762,7 +781,6 @@ ./services/networking/prayer.nix ./services/networking/privoxy.nix ./services/networking/prosody.nix - ./services/networking/quagga.nix ./services/networking/quassel.nix ./services/networking/quorum.nix ./services/networking/quicktun.nix @@ -788,6 +806,7 @@ ./services/networking/smartdns.nix ./services/networking/smokeping.nix ./services/networking/softether.nix + ./services/networking/solanum.nix ./services/networking/spacecookie.nix ./services/networking/spiped.nix ./services/networking/squid.nix @@ -865,6 +884,7 @@ ./services/security/shibboleth-sp.nix ./services/security/sks.nix ./services/security/sshguard.nix + ./services/security/step-ca.nix ./services/security/tor.nix ./services/security/torify.nix ./services/security/torsocks.nix @@ -878,6 +898,7 @@ ./services/system/kerberos/default.nix ./services/system/nscd.nix ./services/system/saslauthd.nix + ./services/system/self-deploy.nix ./services/system/uptimed.nix ./services/torrent/deluge.nix ./services/torrent/flexget.nix @@ -963,6 +984,7 @@ ./services/web-servers/shellinabox.nix ./services/web-servers/tomcat.nix ./services/web-servers/traefik.nix + ./services/web-servers/trafficserver.nix ./services/web-servers/ttyd.nix ./services/web-servers/uwsgi.nix ./services/web-servers/varnish/default.nix diff --git a/nixos/modules/profiles/all-hardware.nix b/nixos/modules/profiles/all-hardware.nix index d460c52dbefd4..797fcddb8c90b 100644 --- a/nixos/modules/profiles/all-hardware.nix +++ b/nixos/modules/profiles/all-hardware.nix @@ -37,6 +37,9 @@ in # drives. "uas" + # SD cards. + "sdhci_pci" + # Firewire support. Not tested. "ohci1394" "sbp2" @@ -46,11 +49,66 @@ in # VMware support. "mptspi" "vmxnet3" "vsock" ] ++ lib.optional platform.isx86 "vmw_balloon" - ++ lib.optionals (!platform.isAarch64) [ # not sure where else they're missing + ++ lib.optionals (!platform.isAarch64 && !platform.isAarch32) [ # not sure where else they're missing "vmw_vmci" "vmwgfx" "vmw_vsock_vmci_transport" # Hyper-V support. "hv_storvsc" + ] ++ lib.optionals (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [ + # Most of the following falls into two categories: + # - early KMS / early display + # - early storage (e.g. USB) support + + # Allows using framebuffer configured by the initial boot firmware + "simplefb" + + # Allwinner support + + # Required for early KMS + "sun4i-drm" + "sun8i-mixer" # Audio, but required for kms + + # PWM for the backlight + "pwm-sun4i" + + # Broadcom + + "vc4" + ] ++ lib.optionals pkgs.stdenv.isAarch64 [ + # Most of the following falls into two categories: + # - early KMS / early display + # - early storage (e.g. USB) support + + # Broadcom + + "pcie-brcmstb" + + # Rockchip + "dw-hdmi" + "dw-mipi-dsi" + "rockchipdrm" + "rockchip-rga" + "phy-rockchip-pcie" + "pcie-rockchip-host" + + # Misc. uncategorized hardware + + # Used for some platform's integrated displays + "panel-simple" + "pwm-bl" + + # Power supply drivers, some platforms need them for USB + "axp20x-ac-power" + "axp20x-battery" + "pinctrl-axp209" + "mp8859" + + # USB drivers + "xhci-pci-renesas" + + # Misc "weak" dependencies + "analogix-dp" + "analogix-anx6345" # For DP or eDP (e.g. integrated display) ]; # Include lots of firmware. diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 00aafc6831b25..3f8f78f012a70 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -36,6 +36,7 @@ with lib; security.virtualisation.flushL1DataCache = mkDefault "always"; security.apparmor.enable = mkDefault true; + security.apparmor.killUnconfinedConfinables = mkDefault true; boot.kernelParams = [ # Slab/slub sanity checks, redzoning, and poisoning diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index 7dc493fb495da..8e3aa20daa65d 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -99,5 +99,13 @@ with lib; # because we have the firewall enabled. This makes installs from the # console less cumbersome if the machine has a public IP. networking.firewall.logRefusedConnections = mkDefault false; + + # Prevent installation media from evacuating persistent storage, as their + # var directory is not persistent and it would thus result in deletion of + # those entries. + environment.etc."systemd/pstore.conf".text = '' + [PStore] + Unlink=no + ''; }; } diff --git a/nixos/modules/programs/atop.nix b/nixos/modules/programs/atop.nix index 7ef8d687ca17f..b45eb16e3eaf6 100644 --- a/nixos/modules/programs/atop.nix +++ b/nixos/modules/programs/atop.nix @@ -1,6 +1,6 @@ # Global configuration for atop. -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with lib; @@ -12,11 +12,85 @@ in options = { - programs.atop = { + programs.atop = rec { + enable = mkEnableOption "Atop"; + + package = mkOption { + type = types.package; + default = pkgs.atop; + defaultText = "pkgs.atop"; + description = '' + Which package to use for Atop. + ''; + }; + + netatop = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to install and enable the netatop kernel module. + Note: this sets the kernel taint flag "O" for loading out-of-tree modules. + ''; + }; + package = mkOption { + type = types.package; + default = config.boot.kernelPackages.netatop; + defaultText = "config.boot.kernelPackages.netatop"; + description = '' + Which package to use for netatop. + ''; + }; + }; + + atopgpu.enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to install and enable the atopgpud daemon to get information about + NVIDIA gpus. + ''; + }; + + setuidWrapper.enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to install a setuid wrapper for Atop. This is required to use some of + the features as non-root user (e.g.: ipc information, netatop, atopgpu). + Atop tries to drop the root privileges shortly after starting. + ''; + }; + + atopService.enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the atop service responsible for storing statistics for + long-term analysis. + ''; + }; + atopRotateTimer.enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the atop-rotate timer, which restarts the atop service + daily to make sure the data files are rotate. + ''; + }; + atopacctService.enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the atopacct service which manages process accounting. + This allows Atop to gather data about processes that disappeared in between + two refresh intervals. + ''; + }; settings = mkOption { type = types.attrs; - default = {}; + default = { }; example = { flags = "a1f"; interval = 5; @@ -25,12 +99,50 @@ in Parameters to be written to <filename>/etc/atoprc</filename>. ''; }; - }; }; - config = mkIf (cfg.settings != {}) { - environment.etc.atoprc.text = - concatStrings (mapAttrsToList (n: v: "${n} ${toString v}\n") cfg.settings); - }; + config = mkIf cfg.enable ( + let + atop = + if cfg.atopgpu.enable then + (cfg.package.override { withAtopgpu = true; }) + else + cfg.package; + in + { + environment.etc = mkIf (cfg.settings != { }) { + atoprc.text = concatStrings + (mapAttrsToList + (n: v: '' + ${n} ${toString v} + '') + cfg.settings); + }; + environment.systemPackages = [ atop (lib.mkIf cfg.netatop.enable cfg.netatop.package) ]; + boot.extraModulePackages = [ (lib.mkIf cfg.netatop.enable cfg.netatop.package) ]; + systemd = + let + mkSystemd = type: cond: name: restartTriggers: { + ${name} = lib.mkIf cond { + inherit restartTriggers; + wantedBy = [ (if type == "services" then "multi-user.target" else if type == "timers" then "timers.target" else null) ]; + }; + }; + mkService = mkSystemd "services"; + mkTimer = mkSystemd "timers"; + in + { + packages = [ atop (lib.mkIf cfg.netatop.enable cfg.netatop.package) ]; + services = + mkService cfg.atopService.enable "atop" [ atop ] + // mkService cfg.atopacctService.enable "atopacct" [ atop ] + // mkService cfg.netatop.enable "netatop" [ cfg.netatop.package ] + // mkService cfg.atopgpu.enable "atopgpu" [ atop ]; + timers = mkTimer cfg.atopRotateTimer.enable "atop-rotate" [ atop ]; + }; + security.wrappers = + lib.mkIf cfg.setuidWrapper.enable { atop = { source = "${atop}/bin/atop"; }; }; + } + ); } diff --git a/nixos/modules/programs/bash/bash-completion.nix b/nixos/modules/programs/bash/bash-completion.nix new file mode 100644 index 0000000000000..f07b1b636ef92 --- /dev/null +++ b/nixos/modules/programs/bash/bash-completion.nix @@ -0,0 +1,37 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + enable = config.programs.bash.enableCompletion; +in +{ + options = { + programs.bash.enableCompletion = mkEnableOption "Bash completion for all interactive bash shells" // { + default = true; + }; + }; + + config = mkIf enable { + programs.bash.promptPluginInit = '' + # Check whether we're running a version of Bash that has support for + # programmable completion. If we do, enable all modules installed in + # the system and user profile in obsolete /etc/bash_completion.d/ + # directories. Bash loads completions in all + # $XDG_DATA_DIRS/bash-completion/completions/ + # on demand, so they do not need to be sourced here. + if shopt -q progcomp &>/dev/null; then + . "${pkgs.bash-completion}/etc/profile.d/bash_completion.sh" + nullglobStatus=$(shopt -p nullglob) + shopt -s nullglob + for p in $NIX_PROFILES; do + for m in "$p/etc/bash_completion.d/"*; do + . $m + done + done + eval "$nullglobStatus" + unset nullglobStatus p m + fi + ''; + }; +} diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix index 1b3254b54a598..908ab34b08d0b 100644 --- a/nixos/modules/programs/bash/bash.nix +++ b/nixos/modules/programs/bash/bash.nix @@ -11,31 +11,6 @@ let cfg = config.programs.bash; - bashCompletion = optionalString cfg.enableCompletion '' - # Check whether we're running a version of Bash that has support for - # programmable completion. If we do, enable all modules installed in - # the system and user profile in obsolete /etc/bash_completion.d/ - # directories. Bash loads completions in all - # $XDG_DATA_DIRS/bash-completion/completions/ - # on demand, so they do not need to be sourced here. - if shopt -q progcomp &>/dev/null; then - . "${pkgs.bash-completion}/etc/profile.d/bash_completion.sh" - nullglobStatus=$(shopt -p nullglob) - shopt -s nullglob - for p in $NIX_PROFILES; do - for m in "$p/etc/bash_completion.d/"*; do - . $m - done - done - eval "$nullglobStatus" - unset nullglobStatus p m - fi - ''; - - lsColors = optionalString cfg.enableLsColors '' - eval "$(${pkgs.coreutils}/bin/dircolors -b)" - ''; - bashAliases = concatStringsSep "\n" ( mapAttrsFlatten (k: v: "alias ${k}=${escapeShellArg v}") (filterAttrs (k: v: v != null) cfg.shellAliases) @@ -123,20 +98,13 @@ in type = types.lines; }; - enableCompletion = mkOption { - default = true; - description = '' - Enable Bash completion for all interactive bash shells. - ''; - type = types.bool; - }; - - enableLsColors = mkOption { - default = true; + promptPluginInit = mkOption { + default = ""; description = '' - Enable extra colors in directory listings. + Shell script code used to initialise bash prompt plugins. ''; - type = types.bool; + type = types.lines; + internal = true; }; }; @@ -167,8 +135,7 @@ in set +h ${cfg.promptInit} - ${bashCompletion} - ${lsColors} + ${cfg.promptPluginInit} ${bashAliases} ${cfge.interactiveShellInit} diff --git a/nixos/modules/programs/bash/ls-colors.nix b/nixos/modules/programs/bash/ls-colors.nix new file mode 100644 index 0000000000000..254ee14c477d6 --- /dev/null +++ b/nixos/modules/programs/bash/ls-colors.nix @@ -0,0 +1,20 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + enable = config.programs.bash.enableLsColors; +in +{ + options = { + programs.bash.enableLsColors = mkEnableOption "extra colors in directory listings" // { + default = true; + }; + }; + + config = mkIf enable { + programs.bash.promptPluginInit = '' + eval "$(${pkgs.coreutils}/bin/dircolors -b)" + ''; + }; +} diff --git a/nixos/modules/programs/bash/undistract-me.nix b/nixos/modules/programs/bash/undistract-me.nix new file mode 100644 index 0000000000000..0e6465e048a10 --- /dev/null +++ b/nixos/modules/programs/bash/undistract-me.nix @@ -0,0 +1,36 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.programs.bash.undistractMe; +in +{ + options = { + programs.bash.undistractMe = { + enable = mkEnableOption "notifications when long-running terminal commands complete"; + + playSound = mkEnableOption "notification sounds when long-running terminal commands complete"; + + timeout = mkOption { + default = 10; + description = '' + Number of seconds it would take for a command to be considered long-running. + ''; + type = types.int; + }; + }; + }; + + config = mkIf cfg.enable { + programs.bash.promptPluginInit = '' + export LONG_RUNNING_COMMAND_TIMEOUT=${toString cfg.timeout} + export UDM_PLAY_SOUND=${if cfg.playSound then "1" else "0"} + . "${pkgs.undistract-me}/etc/profile.d/undistract-me.sh" + ''; + }; + + meta = { + maintainers = with maintainers; [ kira-bruneau ]; + }; +} diff --git a/nixos/modules/programs/ccache.nix b/nixos/modules/programs/ccache.nix index 3c9e64932f16e..d672e1da017a8 100644 --- a/nixos/modules/programs/ccache.nix +++ b/nixos/modules/programs/ccache.nix @@ -17,7 +17,7 @@ in { type = types.listOf types.str; description = "Nix top-level packages to be compiled using CCache"; default = []; - example = [ "wxGTK30" "qt48" "ffmpeg_3_3" "libav_all" ]; + example = [ "wxGTK30" "ffmpeg" "libav_all" ]; }; }; diff --git a/nixos/modules/programs/dconf.nix b/nixos/modules/programs/dconf.nix index ec85cb9d18c91..298abac8afa98 100644 --- a/nixos/modules/programs/dconf.nix +++ b/nixos/modules/programs/dconf.nix @@ -54,6 +54,8 @@ in services.dbus.packages = [ pkgs.dconf ]; + systemd.packages = [ pkgs.dconf ]; + # For dconf executable environment.systemPackages = [ pkgs.dconf ]; diff --git a/nixos/modules/programs/feedbackd.nix b/nixos/modules/programs/feedbackd.nix new file mode 100644 index 0000000000000..bb14489a6f4dc --- /dev/null +++ b/nixos/modules/programs/feedbackd.nix @@ -0,0 +1,32 @@ +{ pkgs, lib, config, ... }: + +with lib; + +let + cfg = config.programs.feedbackd; +in { + options = { + programs.feedbackd = { + enable = mkEnableOption '' + Whether to enable the feedbackd D-BUS service and udev rules. + + Your user needs to be in the `feedbackd` group to trigger effects. + ''; + package = mkOption { + description = '' + Which feedbackd package to use. + ''; + type = types.package; + default = pkgs.feedbackd; + }; + }; + }; + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + + services.dbus.packages = [ cfg.package ]; + services.udev.packages = [ cfg.package ]; + + users.groups.feedbackd = {}; + }; +} diff --git a/nixos/modules/programs/file-roller.nix b/nixos/modules/programs/file-roller.nix index 64f6a94e7641b..b939d59909c0d 100644 --- a/nixos/modules/programs/file-roller.nix +++ b/nixos/modules/programs/file-roller.nix @@ -30,9 +30,9 @@ with lib; config = mkIf config.programs.file-roller.enable { - environment.systemPackages = [ pkgs.gnome3.file-roller ]; + environment.systemPackages = [ pkgs.gnome.file-roller ]; - services.dbus.packages = [ pkgs.gnome3.file-roller ]; + services.dbus.packages = [ pkgs.gnome.file-roller ]; }; diff --git a/nixos/modules/programs/fish.nix b/nixos/modules/programs/fish.nix index 392f06eb93326..8dd7101947fae 100644 --- a/nixos/modules/programs/fish.nix +++ b/nixos/modules/programs/fish.nix @@ -8,6 +8,11 @@ let cfg = config.programs.fish; + fishAbbrs = concatStringsSep "\n" ( + mapAttrsFlatten (k: v: "abbr -ag ${k} ${escapeShellArg v}") + cfg.shellAbbrs + ); + fishAliases = concatStringsSep "\n" ( mapAttrsFlatten (k: v: "alias ${k} ${escapeShellArg v}") (filterAttrs (k: v: v != null) cfg.shellAliases) @@ -83,6 +88,18 @@ in ''; }; + shellAbbrs = mkOption { + default = {}; + example = { + gco = "git checkout"; + npu = "nix-prefetch-url"; + }; + description = '' + Set of fish abbreviations. + ''; + type = with types; attrsOf str; + }; + shellAliases = mkOption { default = {}; description = '' @@ -205,6 +222,7 @@ in # if we haven't sourced the interactive config, do it status --is-interactive; and not set -q __fish_nixos_interactive_config_sourced and begin + ${fishAbbrs} ${fishAliases} ${sourceEnv "interactiveShellInit"} diff --git a/nixos/modules/programs/flexoptix-app.nix b/nixos/modules/programs/flexoptix-app.nix new file mode 100644 index 0000000000000..93dcdfeb51473 --- /dev/null +++ b/nixos/modules/programs/flexoptix-app.nix @@ -0,0 +1,25 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.programs.flexoptix-app; +in { + options = { + programs.flexoptix-app = { + enable = mkEnableOption "FLEXOPTIX app + udev rules"; + + package = mkOption { + description = "FLEXOPTIX app package to use"; + type = types.package; + default = pkgs.flexoptix-app; + defaultText = "\${pkgs.flexoptix-app}"; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + services.udev.packages = [ cfg.package ]; + }; +} diff --git a/nixos/modules/programs/geary.nix b/nixos/modules/programs/geary.nix index 5e441a75cb602..407680c30dc3d 100644 --- a/nixos/modules/programs/geary.nix +++ b/nixos/modules/programs/geary.nix @@ -15,10 +15,10 @@ in { }; config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.gnome3.geary ]; + environment.systemPackages = [ pkgs.gnome.geary ]; programs.dconf.enable = true; - services.gnome3.gnome-keyring.enable = true; - services.gnome3.gnome-online-accounts.enable = true; + services.gnome.gnome-keyring.enable = true; + services.gnome.gnome-online-accounts.enable = true; }; } diff --git a/nixos/modules/programs/gnome-disks.nix b/nixos/modules/programs/gnome-disks.nix index 80dc2983ea504..4b128b4712650 100644 --- a/nixos/modules/programs/gnome-disks.nix +++ b/nixos/modules/programs/gnome-disks.nix @@ -41,9 +41,9 @@ with lib; config = mkIf config.programs.gnome-disks.enable { - environment.systemPackages = [ pkgs.gnome3.gnome-disk-utility ]; + environment.systemPackages = [ pkgs.gnome.gnome-disk-utility ]; - services.dbus.packages = [ pkgs.gnome3.gnome-disk-utility ]; + services.dbus.packages = [ pkgs.gnome.gnome-disk-utility ]; }; diff --git a/nixos/modules/programs/gnome-documents.nix b/nixos/modules/programs/gnome-documents.nix index 9dd53483055cd..43ad3163efd85 100644 --- a/nixos/modules/programs/gnome-documents.nix +++ b/nixos/modules/programs/gnome-documents.nix @@ -13,7 +13,7 @@ with lib; # Added 2019-08-09 imports = [ (mkRenamedOptionModule - [ "services" "gnome3" "gnome-documents" "enable" ] + [ "services" "gnome" "gnome-documents" "enable" ] [ "programs" "gnome-documents" "enable" ]) ]; @@ -41,13 +41,13 @@ with lib; config = mkIf config.programs.gnome-documents.enable { - environment.systemPackages = [ pkgs.gnome3.gnome-documents ]; + environment.systemPackages = [ pkgs.gnome.gnome-documents ]; - services.dbus.packages = [ pkgs.gnome3.gnome-documents ]; + services.dbus.packages = [ pkgs.gnome.gnome-documents ]; - services.gnome3.gnome-online-accounts.enable = true; + services.gnome.gnome-online-accounts.enable = true; - services.gnome3.gnome-online-miners.enable = true; + services.gnome.gnome-online-miners.enable = true; }; diff --git a/nixos/modules/programs/gnome-terminal.nix b/nixos/modules/programs/gnome-terminal.nix index f2617e5bc0385..71a6b217880c5 100644 --- a/nixos/modules/programs/gnome-terminal.nix +++ b/nixos/modules/programs/gnome-terminal.nix @@ -28,9 +28,9 @@ in }; config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.gnome3.gnome-terminal ]; - services.dbus.packages = [ pkgs.gnome3.gnome-terminal ]; - systemd.packages = [ pkgs.gnome3.gnome-terminal ]; + environment.systemPackages = [ pkgs.gnome.gnome-terminal ]; + services.dbus.packages = [ pkgs.gnome.gnome-terminal ]; + systemd.packages = [ pkgs.gnome.gnome-terminal ]; programs.bash.vteIntegration = true; programs.zsh.vteIntegration = true; diff --git a/nixos/modules/programs/gpaste.nix b/nixos/modules/programs/gpaste.nix index 8bc52c28d814b..cff2fb8d00348 100644 --- a/nixos/modules/programs/gpaste.nix +++ b/nixos/modules/programs/gpaste.nix @@ -27,10 +27,10 @@ with lib; ###### implementation config = mkIf config.programs.gpaste.enable { - environment.systemPackages = [ pkgs.gnome3.gpaste ]; - services.dbus.packages = [ pkgs.gnome3.gpaste ]; - systemd.packages = [ pkgs.gnome3.gpaste ]; + environment.systemPackages = [ pkgs.gnome.gpaste ]; + services.dbus.packages = [ pkgs.gnome.gpaste ]; + systemd.packages = [ pkgs.gnome.gpaste ]; # gnome-control-center crashes in Keyboard Shortcuts pane without the GSettings schemas. - services.xserver.desktopManager.gnome3.sessionPath = [ pkgs.gnome3.gpaste ]; + services.xserver.desktopManager.gnome.sessionPath = [ pkgs.gnome.gpaste ]; }; } diff --git a/nixos/modules/programs/noisetorch.nix b/nixos/modules/programs/noisetorch.nix new file mode 100644 index 0000000000000..5f3b0c8f5d1ee --- /dev/null +++ b/nixos/modules/programs/noisetorch.nix @@ -0,0 +1,25 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let cfg = config.programs.noisetorch; +in { + options.programs.noisetorch = { + enable = mkEnableOption "noisetorch + setcap wrapper"; + + package = mkOption { + type = types.package; + default = pkgs.noisetorch; + description = '' + The noisetorch package to use. + ''; + }; + }; + + config = mkIf cfg.enable { + security.wrappers.noisetorch = { + source = "${cfg.package}/bin/noisetorch"; + capabilities = "cap_sys_resource=+ep"; + }; + }; +} diff --git a/nixos/modules/programs/phosh.nix b/nixos/modules/programs/phosh.nix new file mode 100644 index 0000000000000..1f50065f78187 --- /dev/null +++ b/nixos/modules/programs/phosh.nix @@ -0,0 +1,159 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.programs.phosh; + + # Based on https://source.puri.sm/Librem5/librem5-base/-/blob/4596c1056dd75ac7f043aede07887990fd46f572/default/sm.puri.OSK0.desktop + oskItem = pkgs.makeDesktopItem { + name = "sm.puri.OSK0"; + type = "Application"; + desktopName = "On-screen keyboard"; + exec = "${pkgs.squeekboard}/bin/squeekboard"; + categories = "GNOME;Core;"; + extraEntries = '' + OnlyShowIn=GNOME; + NoDisplay=true + X-GNOME-Autostart-Phase=Panel + X-GNOME-Provides=inputmethod + X-GNOME-Autostart-Notify=true + X-GNOME-AutoRestart=true + ''; + }; + + phocConfigType = types.submodule { + options = { + xwayland = mkOption { + description = '' + Whether to enable XWayland support. + + To start XWayland immediately, use `immediate`. + ''; + type = types.enum [ "true" "false" "immediate" ]; + default = "false"; + }; + cursorTheme = mkOption { + description = '' + Cursor theme to use in Phosh. + ''; + type = types.str; + default = "default"; + }; + outputs = mkOption { + description = '' + Output configurations. + ''; + type = types.attrsOf phocOutputType; + default = { + DSI-1 = { + scale = 2; + }; + }; + }; + }; + }; + + phocOutputType = types.submodule { + options = { + modeline = mkOption { + description = '' + One or more modelines. + ''; + type = types.either types.str (types.listOf types.str); + default = []; + example = [ + "87.25 720 776 848 976 1440 1443 1453 1493 -hsync +vsync" + "65.13 768 816 896 1024 1024 1025 1028 1060 -HSync +VSync" + ]; + }; + mode = mkOption { + description = '' + Default video mode. + ''; + type = types.nullOr types.str; + default = null; + example = "768x1024"; + }; + scale = mkOption { + description = '' + Display scaling factor. + ''; + type = types.nullOr types.ints.unsigned; + default = null; + example = 2; + }; + rotate = mkOption { + description = '' + Screen transformation. + ''; + type = types.enum [ + "90" "180" "270" "flipped" "flipped-90" "flipped-180" "flipped-270" null + ]; + default = null; + }; + }; + }; + + optionalKV = k: v: if v == null then "" else "${k} = ${builtins.toString v}"; + + renderPhocOutput = name: output: let + modelines = if builtins.isList output.modeline + then output.modeline + else [ output.modeline ]; + renderModeline = l: "modeline = ${l}"; + in '' + [output:${name}] + ${concatStringsSep "\n" (map renderModeline modelines)} + ${optionalKV "mode" output.mode} + ${optionalKV "scale" output.scale} + ${optionalKV "rotate" output.rotate} + ''; + + renderPhocConfig = phoc: let + outputs = mapAttrsToList renderPhocOutput phoc.outputs; + in '' + [core] + xwayland = ${phoc.xwayland} + ${concatStringsSep "\n" outputs} + [cursor] + theme = ${phoc.cursorTheme} + ''; +in { + options = { + programs.phosh = { + enable = mkEnableOption '' + Whether to enable, Phosh, related packages and default configurations. + ''; + phocConfig = mkOption { + description = '' + Configurations for the Phoc compositor. + ''; + type = types.oneOf [ types.lines types.path phocConfigType ]; + default = {}; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ + pkgs.phoc + pkgs.phosh + pkgs.squeekboard + oskItem + ]; + + programs.feedbackd.enable = true; + + security.pam.services.phosh = {}; + + services.gnome.core-shell.enable = true; + services.gnome.core-os-services.enable = true; + services.xserver.displayManager.sessionPackages = [ pkgs.phosh ]; + + environment.etc."phosh/phoc.ini".source = + if builtins.isPath cfg.phocConfig then cfg.phocConfig + else if builtins.isString cfg.phocConfig then pkgs.writeText "phoc.ini" cfg.phocConfig + else pkgs.writeText "phoc.ini" (renderPhocConfig cfg.phocConfig); + }; +} diff --git a/nixos/modules/programs/seahorse.nix b/nixos/modules/programs/seahorse.nix index b229d2a2c0db0..c0a356bff57c1 100644 --- a/nixos/modules/programs/seahorse.nix +++ b/nixos/modules/programs/seahorse.nix @@ -31,14 +31,14 @@ with lib; config = mkIf config.programs.seahorse.enable { - programs.ssh.askPassword = mkDefault "${pkgs.gnome3.seahorse}/libexec/seahorse/ssh-askpass"; + programs.ssh.askPassword = mkDefault "${pkgs.gnome.seahorse}/libexec/seahorse/ssh-askpass"; environment.systemPackages = [ - pkgs.gnome3.seahorse + pkgs.gnome.seahorse ]; services.dbus.packages = [ - pkgs.gnome3.seahorse + pkgs.gnome.seahorse ]; }; diff --git a/nixos/modules/programs/sway.nix b/nixos/modules/programs/sway.nix index 107e783c0c212..3c09d9f00fd5d 100644 --- a/nixos/modules/programs/sway.nix +++ b/nixos/modules/programs/sway.nix @@ -31,6 +31,7 @@ let extraOptions = cfg.extraOptions; withBaseWrapper = cfg.wrapperFeatures.base; withGtkWrapper = cfg.wrapperFeatures.gtk; + isNixOS = true; }; in { options.programs.sway = { @@ -38,9 +39,8 @@ in { Sway, the i3-compatible tiling Wayland compositor. You can manually launch Sway by executing "exec sway" on a TTY. Copy /etc/sway/config to ~/.config/sway/config to modify the default configuration. See - https://github.com/swaywm/sway/wiki and "man 5 sway" for more information. - Please have a look at the "extraSessionCommands" example for running - programs natively under Wayland''; + <link xlink:href="https://github.com/swaywm/sway/wiki" /> and + "man 5 sway" for more information''; wrapperFeatures = mkOption { type = wrapperOptions; @@ -55,16 +55,20 @@ in { type = types.lines; default = ""; example = '' + # SDL: export SDL_VIDEODRIVER=wayland - # needs qt5.qtwayland in systemPackages - export QT_QPA_PLATFORM=wayland + # QT (needs qt5.qtwayland in systemPackages): + export QT_QPA_PLATFORM=wayland-egl export QT_WAYLAND_DISABLE_WINDOWDECORATION="1" # Fix for some Java AWT applications (e.g. Android Studio), # use this if they aren't displayed properly: export _JAVA_AWT_WM_NONREPARENTING=1 ''; description = '' - Shell commands executed just before Sway is started. + Shell commands executed just before Sway is started. See + <link xlink:href="https://github.com/swaywm/sway/wiki/Running-programs-natively-under-wayland" /> + and <link xlink:href="https://github.com/swaywm/wlroots/blob/master/docs/env_vars.md" /> + for some useful environment variables. ''; }; @@ -94,13 +98,15 @@ in { ''; example = literalExample '' with pkgs; [ - xwayland i3status i3status-rust termite rofi light ] ''; description = '' - Extra packages to be installed system wide. + Extra packages to be installed system wide. See + <link xlink:href="https://github.com/swaywm/sway/wiki/Useful-add-ons-for-sway" /> and + <link xlink:href="https://github.com/swaywm/sway/wiki/i3-Migration-Guide#common-x11-apps-used-on-i3-with-wayland-alternatives" /> + for a list of useful software. ''; }; @@ -120,8 +126,11 @@ in { systemPackages = [ swayPackage ] ++ cfg.extraPackages; etc = { "sway/config".source = mkOptionDefault "${swayPackage}/etc/sway/config"; - #"sway/security.d".source = mkOptionDefault "${swayPackage}/etc/sway/security.d/"; - #"sway/config.d".source = mkOptionDefault "${swayPackage}/etc/sway/config.d/"; + "sway/config.d/nixos.conf".source = pkgs.writeText "nixos.conf" '' + # Import the most important environment variables into the D-Bus and systemd + # user environments (e.g. required for screen sharing and Pinentry prompts): + exec dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP + ''; }; }; security.pam.services.swaylock = {}; @@ -131,7 +140,9 @@ in { # To make a Sway session available if a display manager like SDDM is enabled: services.xserver.displayManager.sessionPackages = [ swayPackage ]; programs.xwayland.enable = mkDefault true; + # For screen sharing (this option only has an effect with xdg.portal.enable): + xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-wlr ]; }; - meta.maintainers = with lib.maintainers; [ gnidorah primeos colemickens ]; + meta.maintainers = with lib.maintainers; [ primeos colemickens ]; } diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 9f1efc4627984..233e3ee848be8 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -18,6 +18,7 @@ with lib; # Completely removed modules (mkRemovedOptionModule [ "fonts" "fontconfig" "penultimate" ] "The corresponding package has removed from nixpkgs.") + (mkRemovedOptionModule [ "services" "quagga" ] "the corresponding package has been removed from nixpkgs") (mkRemovedOptionModule [ "services" "chronos" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "deepin" ] "The corresponding packages were removed from nixpkgs.") (mkRemovedOptionModule [ "services" "firefox" "syncserver" "user" ] "") diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix deleted file mode 100644 index 6c479e070e2b2..0000000000000 --- a/nixos/modules/security/apparmor-suid.nix +++ /dev/null @@ -1,49 +0,0 @@ -{ config, lib, pkgs, ... }: -let - cfg = config.security.apparmor; -in -with lib; -{ - imports = [ - (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) - ]; - - options.security.apparmor.confineSUIDApplications = mkOption { - type = types.bool; - default = true; - description = '' - Install AppArmor profiles for commonly-used SUID application - to mitigate potential privilege escalation attacks due to bugs - in such applications. - - Currently available profiles: ping - ''; - }; - - config = mkIf (cfg.confineSUIDApplications) { - security.apparmor.profiles = [ (pkgs.writeText "ping" '' - #include <tunables/global> - /run/wrappers/bin/ping { - #include <abstractions/base> - #include <abstractions/consoles> - #include <abstractions/nameservice> - - capability net_raw, - capability setuid, - network inet raw, - - ${pkgs.stdenv.cc.libc.out}/lib/*.so mr, - ${pkgs.libcap.lib}/lib/libcap.so* mr, - ${pkgs.attr.out}/lib/libattr.so* mr, - - ${pkgs.iputils}/bin/ping mixr, - - #/etc/modules.conf r, - - ## Site-specific additions and overrides. See local/README for details. - ##include <local/bin.ping> - } - '') ]; - }; - -} diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index cfc65b347bc69..be1b0362fc131 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -1,59 +1,216 @@ { config, lib, pkgs, ... }: +with lib; + let - inherit (lib) mkIf mkOption types concatMapStrings; + inherit (builtins) attrNames head map match readFile; + inherit (lib) types; + inherit (config.environment) etc; cfg = config.security.apparmor; + mkDisableOption = name: mkEnableOption name // { + default = true; + example = false; + }; + enabledPolicies = filterAttrs (n: p: p.enable) cfg.policies; in { - options = { - security.apparmor = { - enable = mkOption { - type = types.bool; - default = false; - description = "Enable the AppArmor Mandatory Access Control system."; - }; - profiles = mkOption { - type = types.listOf types.path; - default = []; - description = "List of files containing AppArmor profiles."; - }; - packages = mkOption { - type = types.listOf types.package; - default = []; - description = "List of packages to be added to apparmor's include path"; - }; - }; - }; - - config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.apparmor-utils ]; - - boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; - - systemd.services.apparmor = let - paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d") - ([ pkgs.apparmor-profiles ] ++ cfg.packages); - in { - after = [ "local-fs.target" ]; - before = [ "sysinit.target" ]; - wantedBy = [ "multi-user.target" ]; - unitConfig = { - DefaultDependencies = "no"; - }; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - ExecStart = map (p: - ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"'' - ) cfg.profiles; - ExecStop = map (p: - ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"'' - ) cfg.profiles; - ExecReload = map (p: - ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"'' - ) cfg.profiles; - }; - }; - }; + imports = [ + (mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.") + (mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.") + apparmor/includes.nix + apparmor/profiles.nix + ]; + + options = { + security.apparmor = { + enable = mkEnableOption '' + the AppArmor Mandatory Access Control system. + + If you're enabling this module on a running system, + note that a reboot will be required to activate AppArmor in the kernel. + + Also, beware that enabling this module privileges stability over security + by not trying to kill unconfined but newly confinable running processes by default, + though it would be needed because AppArmor can only confine new + or already confined processes of an executable. + This killing would for instance be necessary when upgrading to a NixOS revision + introducing for the first time an AppArmor profile for the executable + of a running process. + + Enable <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/> + if you want this service to do such killing + by sending a <literal>SIGTERM</literal> to those running processes''; + policies = mkOption { + description = '' + AppArmor policies. + ''; + type = types.attrsOf (types.submodule ({ name, config, ... }: { + options = { + enable = mkDisableOption "loading of the profile into the kernel"; + enforce = mkDisableOption "enforcing of the policy or only complain in the logs"; + profile = mkOption { + description = "The policy of the profile."; + type = types.lines; + apply = pkgs.writeText name; + }; + }; + })); + default = {}; + }; + includes = mkOption { + type = types.attrsOf types.lines; + default = {}; + description = '' + List of paths to be added to AppArmor's searched paths + when resolving <literal>include</literal> directives. + ''; + apply = mapAttrs pkgs.writeText; + }; + packages = mkOption { + type = types.listOf types.package; + default = []; + description = "List of packages to be added to AppArmor's include path"; + }; + enableCache = mkEnableOption '' + caching of AppArmor policies + in <literal>/var/cache/apparmor/</literal>. + + Beware that AppArmor policies almost always contain Nix store paths, + and thus produce at each change of these paths + a new cached version accumulating in the cache''; + killUnconfinedConfinables = mkEnableOption '' + killing of processes which have an AppArmor profile enabled + (in <xref linkend="opt-security.apparmor.policies"/>) + but are not confined (because AppArmor can only confine new processes). + + This is only sending a gracious <literal>SIGTERM</literal> signal to the processes, + not a <literal>SIGKILL</literal>. + + Beware that due to a current limitation of AppArmor, + only profiles with exact paths (and no name) can enable such kills''; + }; + }; + + config = mkIf cfg.enable { + assertions = map (policy: + { assertion = match ".*/.*" policy == null; + message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash."; + # Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions + # which does not recurse into sub-directories. + } + ) (attrNames cfg.policies); + + environment.systemPackages = [ + pkgs.apparmor-utils + pkgs.apparmor-bin-utils + ]; + environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" ( + # It's important to put only enabledPolicies here and not all cfg.policies + # because aa-remove-unknown reads profiles from all /etc/apparmor.d/* + mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++ + mapAttrsToList (name: path: { inherit name path; }) cfg.includes + ); + environment.etc."apparmor/parser.conf".text = '' + ${if cfg.enableCache then "write-cache" else "skip-cache"} + cache-loc /var/cache/apparmor + Include /etc/apparmor.d + '' + + concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages; + # For aa-logprof + environment.etc."apparmor/apparmor.conf".text = '' + ''; + # For aa-logprof + environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db"; + environment.etc."apparmor/logprof.conf".source = pkgs.runCommand "logprof.conf" { + header = '' + [settings] + # /etc/apparmor.d/ is read-only on NixOS + profiledir = /var/cache/apparmor/logprof + inactive_profiledir = /etc/apparmor.d/disable + # Use: journalctl -b --since today --grep audit: | aa-logprof + logfiles = /dev/stdin + + parser = ${pkgs.apparmor-parser}/bin/apparmor_parser + ldd = ${pkgs.glibc.bin}/bin/ldd + logger = ${pkgs.util-linux}/bin/logger + + # customize how file ownership permissions are presented + # 0 - off + # 1 - default of what ever mode the log reported + # 2 - force the new permissions to be user + # 3 - force all perms on the rule to be user + default_owner_prompt = 1 + + custom_includes = /etc/apparmor.d ${concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} + + [qualifiers] + ${pkgs.runtimeShell} = icnu + ${pkgs.bashInteractive}/bin/sh = icnu + ${pkgs.bashInteractive}/bin/bash = icnu + ${config.users.defaultUserShell} = icnu + ''; + footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf"; + passAsFile = [ "header" ]; + } '' + cp $headerPath $out + sed '1,/\[qualifiers\]/d' $footer >> $out + ''; + + boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; + + systemd.services.apparmor = { + after = [ + "local-fs.target" + "systemd-journald-audit.socket" + ]; + before = [ "sysinit.target" ]; + wantedBy = [ "multi-user.target" ]; + unitConfig = { + Description="Load AppArmor policies"; + DefaultDependencies = "no"; + ConditionSecurity = "apparmor"; + }; + # Reloading instead of restarting enables to load new AppArmor profiles + # without necessarily restarting all services which have Requires=apparmor.service + reloadIfChanged = true; + restartTriggers = [ + etc."apparmor/parser.conf".source + etc."apparmor.d".source + ]; + serviceConfig = let + killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" '' + set -eu + ${pkgs.apparmor-bin-utils}/bin/aa-status --json | + ${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' | + xargs --verbose --no-run-if-empty --delimiter='\n' \ + kill + ''; + commonOpts = p: "--verbose --show-cache ${optionalString (!p.enforce) "--complain "}${p.profile}"; + in { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown"; + ExecStart = mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies; + ExecStartPost = optional cfg.killUnconfinedConfinables killUnconfinedConfinables; + ExecReload = + # Add or replace into the kernel profiles in enabledPolicies + # (because AppArmor can do that without stopping the processes already confined). + mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++ + # Remove from the kernel any profile whose name is not + # one of the names within the content of the profiles in enabledPolicies + # (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory). + # Note that this does not remove profiles dynamically generated by libvirt. + [ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++ + # Optionaly kill the processes which are unconfined but now have a profile loaded + # (because AppArmor can only start to confine new processes). + optional cfg.killUnconfinedConfinables killUnconfinedConfinables; + ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown"; + CacheDirectory = [ "apparmor" "apparmor/logprof" ]; + CacheDirectoryMode = "0700"; + }; + }; + }; + + meta.maintainers = with maintainers; [ julm ]; } diff --git a/nixos/modules/security/apparmor/includes.nix b/nixos/modules/security/apparmor/includes.nix new file mode 100644 index 0000000000000..e3dd410b3bb57 --- /dev/null +++ b/nixos/modules/security/apparmor/includes.nix @@ -0,0 +1,317 @@ +{ config, lib, pkgs, ... }: +let + inherit (builtins) attrNames hasAttr isAttrs; + inherit (lib) getLib; + inherit (config.environment) etc; + # Utility to generate an AppArmor rule + # only when the given path exists in config.environment.etc + etcRule = arg: + let go = { path ? null, mode ? "r", trail ? "" }: + lib.optionalString (hasAttr path etc) + "${mode} ${config.environment.etc.${path}.source}${trail},"; + in if isAttrs arg + then go arg + else go { path = arg; }; +in +{ +# FIXME: most of the etcRule calls below have been +# written systematically by converting from apparmor-profiles's profiles +# without testing nor deep understanding of their uses, +# and thus may need more rules or can have less rules; +# this remains to be determined case by case, +# some may even be completely useless. +config.security.apparmor.includes = { + # This one is included by <tunables/global> + # which is usualy included before any profile. + "abstractions/tunables/alias" = '' + alias /bin -> /run/current-system/sw/bin, + alias /lib/modules -> /run/current-system/kernel/lib/modules, + alias /sbin -> /run/current-system/sw/sbin, + alias /usr -> /run/current-system/sw, + ''; + "abstractions/audio" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio" + '' + lib.concatMapStringsSep "\n" etcRule [ + "asound.conf" + "esound/esd.conf" + "libao.conf" + { path = "pulse"; trail = "/"; } + { path = "pulse"; trail = "/**"; } + { path = "sound"; trail = "/"; } + { path = "sound"; trail = "/**"; } + { path = "alsa/conf.d"; trail = "/"; } + { path = "alsa/conf.d"; trail = "/*"; } + "openal/alsoft.conf" + "wildmidi/wildmidi.conf" + ]; + "abstractions/authentication" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication" + # Defined in security.pam + include <abstractions/pam> + '' + lib.concatMapStringsSep "\n" etcRule [ + "nologin" + "securetty" + { path = "security"; trail = "/*"; } + "shadow" + "gshadow" + "pwdb.conf" + "default/passwd" + "login.defs" + ]; + "abstractions/base" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base" + r ${pkgs.stdenv.cc.libc}/share/locale/**, + r ${pkgs.stdenv.cc.libc}/share/locale.alias, + ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"} + ${etcRule "localtime"} + r ${pkgs.tzdata}/share/zoneinfo/**, + r ${pkgs.stdenv.cc.libc}/share/i18n/**, + ''; + "abstractions/bash" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash" + + # bash inspects filesystems at startup + # and /etc/mtab is linked to /proc/mounts + @{PROC}/mounts + + # system-wide bash configuration + '' + lib.concatMapStringsSep "\n" etcRule [ + "profile.dos" + "profile" + "profile.d" + { path = "profile.d"; trail = "/*"; } + "bashrc" + "bash.bashrc" + "bash.bashrc.local" + "bash_completion" + "bash_completion.d" + { path = "bash_completion.d"; trail = "/*"; } + # bash relies on system-wide readline configuration + "inputrc" + # run out of /etc/bash.bashrc + "DIR_COLORS" + ]; + "abstractions/consoles" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles" + ''; + "abstractions/cups-client" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client" + ${etcRule "cups/cups-client.conf"} + ''; + "abstractions/dbus-session-strict" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict" + ${etcRule "machine-id"} + ''; + "abstractions/dconf" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf" + ${etcRule { path = "dconf"; trail = "/**"; }} + ''; + "abstractions/dri-common" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common" + ${etcRule "drirc"} + ''; + # The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/ + # by symlinking them but without exporting them outside of its NixOS module, + # those are therefore added there to this "abstractions/fonts". + "abstractions/fonts" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts" + ${etcRule { path = "fonts"; trail = "/**"; }} + ''; + "abstractions/gnome" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome" + include <abstractions/fonts> + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "gnome"; trail = "/gtkrc*"; } + { path = "gtk"; trail = "/*"; } + { path = "gtk-2.0"; trail = "/*"; } + { path = "gtk-3.0"; trail = "/*"; } + "orbitrc" + { path = "pango"; trail = "/*"; } + { path = "/etc/gnome-vfs-2.0"; trail = "/modules/"; } + { path = "/etc/gnome-vfs-2.0"; trail = "/modules/*"; } + "papersize" + { path = "cups"; trail = "/lpoptions"; } + { path = "gnome"; trail = "/defaults.list"; } + { path = "xdg"; trail = "/{,*-}mimeapps.list"; } + "xdg/mimeapps.list" + ]; + "abstractions/kde" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde" + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "qt3"; trail = "/kstylerc"; } + { path = "qt3"; trail = "/qt_plugins_3.3rc"; } + { path = "qt3"; trail = "/qtrc"; } + "kderc" + { path = "kde3"; trail = "/*"; } + "kde4rc" + { path = "xdg"; trail = "/kdeglobals"; } + { path = "xdg"; trail = "/Trolltech.conf"; } + ]; + "abstractions/kerberosclient" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient" + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "krb5.keytab"; mode="rk"; } + "krb5.conf" + "krb5.conf.d" + { path = "krb5.conf.d"; trail = "/*"; } + + # config files found via strings on libs + "krb.conf" + "krb.realms" + "srvtab" + ]; + "abstractions/ldapclient" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient" + '' + lib.concatMapStringsSep "\n" etcRule [ + "ldap.conf" + "ldap.secret" + { path = "openldap"; trail = "/*"; } + { path = "openldap"; trail = "/cacerts/*"; } + { path = "sasl2"; trail = "/*"; } + ]; + "abstractions/likewise" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise" + ''; + "abstractions/mdns" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns" + ${etcRule "nss_mdns.conf"} + ''; + "abstractions/nameservice" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice" + + # Many programs wish to perform nameservice-like operations, such as + # looking up users by name or id, groups by name or id, hosts by name + # or IP, etc. These operations may be performed through files, dns, + # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. + mr ${getLib pkgs.nss}/lib/libnss_*.so*, + mr ${getLib pkgs.nss}/lib64/libnss_*.so*, + '' + lib.concatMapStringsSep "\n" etcRule [ + "group" + "host.conf" + "hosts" + "nsswitch.conf" + "gai.conf" + "passwd" + "protocols" + + # libtirpc (used for NIS/YP login) needs this + "netconfig" + + "resolv.conf" + + { path = "samba"; trail = "/lmhosts"; } + "services" + + "default/nss" + + # libnl-3-200 via libnss-gw-name + { path = "libnl"; trail = "/classid"; } + { path = "libnl-3"; trail = "/classid"; } + ]; + "abstractions/nis" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis" + ''; + "abstractions/nvidia" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia" + ${etcRule "vdpau_wrapper.cfg"} + ''; + "abstractions/opencl-common" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common" + ${etcRule { path = "OpenCL"; trail = "/**"; }} + ''; + "abstractions/opencl-mesa" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa" + ${etcRule "default/drirc"} + ''; + "abstractions/openssl" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl" + ${etcRule { path = "ssl"; trail = "/openssl.cnf"; }} + ''; + "abstractions/p11-kit" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit" + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "pkcs11"; trail = "/"; } + { path = "pkcs11"; trail = "/pkcs11.conf"; } + { path = "pkcs11"; trail = "/modules/"; } + { path = "pkcs11"; trail = "/modules/*"; } + ]; + "abstractions/perl" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl" + ${etcRule { path = "perl"; trail = "/**"; }} + ''; + "abstractions/php" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php" + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "php"; trail = "/**/"; } + { path = "php5"; trail = "/**/"; } + { path = "php7"; trail = "/**/"; } + { path = "php"; trail = "/**.ini"; } + { path = "php5"; trail = "/**.ini"; } + { path = "php7"; trail = "/**.ini"; } + ]; + "abstractions/postfix-common" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common" + '' + lib.concatMapStringsSep "\n" etcRule [ + "mailname" + { path = "postfix"; trail = "/*.cf"; } + "postfix/main.cf" + "postfix/master.cf" + ]; + "abstractions/python" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python" + ''; + "abstractions/qt5" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5" + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "xdg"; trail = "/QtProject/qtlogging.ini"; } + { path = "xdg/QtProject"; trail = "/qtlogging.ini"; } + "xdg/QtProject/qtlogging.ini" + ]; + "abstractions/samba" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba" + ${etcRule { path = "samba"; trail = "/*"; }} + ''; + "abstractions/ssl_certs" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs" + + # For the NixOS module: security.acme + r /var/lib/acme/*/cert.pem, + r /var/lib/acme/*/chain.pem, + r /var/lib/acme/*/fullchain.pem, + + '' + lib.concatMapStringsSep "\n" etcRule [ + "ssl/certs/ca-certificates.crt" + "ssl/certs/ca-bundle.crt" + "pki/tls/certs/ca-bundle.crt" + + { path = "ssl/trust"; trail = "/"; } + { path = "ssl/trust"; trail = "/*"; } + { path = "ssl/trust/anchors"; trail = "/"; } + { path = "ssl/trust/anchors"; trail = "/**"; } + { path = "pki/trust"; trail = "/"; } + { path = "pki/trust"; trail = "/*"; } + { path = "pki/trust/anchors"; trail = "/"; } + { path = "pki/trust/anchors"; trail = "/**"; } + ]; + "abstractions/ssl_keys" = '' + # security.acme NixOS module + r /var/lib/acme/*/full.pem, + r /var/lib/acme/*/key.pem, + ''; + "abstractions/vulkan" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan" + ${etcRule { path = "vulkan/icd.d"; trail = "/"; }} + ${etcRule { path = "vulkan/icd.d"; trail = "/*.json"; }} + ''; + "abstractions/winbind" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind" + ${etcRule { path = "samba"; trail = "/smb.conf"; }} + ${etcRule { path = "samba"; trail = "/dhcp.conf"; }} + ''; + "abstractions/X" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X" + ${etcRule { path = "X11/cursors"; trail = "/"; }} + ${etcRule { path = "X11/cursors"; trail = "/**"; }} + ''; +}; +} diff --git a/nixos/modules/security/apparmor/profiles.nix b/nixos/modules/security/apparmor/profiles.nix new file mode 100644 index 0000000000000..8eb630b5a48a5 --- /dev/null +++ b/nixos/modules/security/apparmor/profiles.nix @@ -0,0 +1,11 @@ +{ config, lib, pkgs, ... }: +let apparmor = config.security.apparmor; in +{ +config.security.apparmor.packages = [ pkgs.apparmor-profiles ]; +config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable '' + include "${pkgs.iputils.apparmor}/bin.ping" + include "${pkgs.inetutils.apparmor}/bin.ping" + # Note that including those two profiles in the same profile + # would not work if the second one were to re-include <tunables/global>. +''; +} diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix index 1c4ee421fc56a..7df86e71423f3 100644 --- a/nixos/modules/security/ca.nix +++ b/nixos/modules/security/ca.nix @@ -10,15 +10,10 @@ let blacklist = cfg.caCertificateBlacklist; }; - caCertificates = pkgs.runCommand "ca-certificates.crt" - { files = - cfg.certificateFiles ++ - [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ]; - preferLocalBuild = true; - } - '' - cat $files > $out - ''; + caCertificates = pkgs.runCommand "ca-certificates.crt" { + files = cfg.certificateFiles ++ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ]; + preferLocalBuild = true; + } "awk 1 $files > $out"; # awk ensures a newline between each pair of consecutive files in diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index d51dbbb77f718..e7abc1e0d597c 100644 --- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix @@ -7,6 +7,10 @@ with lib; maintainers = [ maintainers.joachifm ]; }; + imports = [ + (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) + ]; + options = { security.allowUserNamespaces = mkOption { type = types.bool; diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 103cf20501237..b5bd22f6ba7b8 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -433,7 +433,7 @@ let ("auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" + " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")} ${optionalString cfg.enableGnomeKeyring - "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"} + "auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"} ${optionalString cfg.gnupg.enable "auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" + optionalString cfg.gnupg.storeOnly " store-only" @@ -471,7 +471,7 @@ let ${optionalString config.krb5.enable "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"} ${optionalString cfg.enableGnomeKeyring - "password optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"} + "password optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"} # Session management. ${optionalString cfg.setEnvironment '' @@ -512,7 +512,7 @@ let ("session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" + " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")} ${optionalString (cfg.enableGnomeKeyring) - "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"} + "session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"} ${optionalString cfg.gnupg.enable "session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" + optionalString cfg.gnupg.noAutostart " no-autostart" @@ -895,6 +895,81 @@ in runuser-l = { rootOK = true; unixAuth = false; }; }; + security.apparmor.includes."abstractions/pam" = let + isEnabled = test: fold or false (map test (attrValues config.security.pam.services)); + in + lib.concatMapStringsSep "\n" + (name: "r ${config.environment.etc."pam.d/${name}".source},") + (attrNames config.security.pam.services) + + '' + mr ${getLib pkgs.pam}/lib/security/pam_filter/*, + mr ${getLib pkgs.pam}/lib/security/pam_*.so, + r ${getLib pkgs.pam}/lib/security/, + '' + + optionalString use_ldap '' + mr ${pam_ldap}/lib/security/pam_ldap.so, + '' + + optionalString config.services.sssd.enable '' + mr ${pkgs.sssd}/lib/security/pam_sss.so, + '' + + optionalString config.krb5.enable '' + mr ${pam_krb5}/lib/security/pam_krb5.so, + mr ${pam_ccreds}/lib/security/pam_ccreds.so, + '' + + optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' + mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, + mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so, + '' + + optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) '' + mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, + '' + + optionalString (config.security.pam.enableSSHAgentAuth + && isEnabled (cfg: cfg.sshAgentAuth)) '' + mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so, + '' + + optionalString (isEnabled (cfg: cfg.fprintAuth)) '' + mr ${pkgs.fprintd}/lib/security/pam_fprintd.so, + '' + + optionalString (isEnabled (cfg: cfg.u2fAuth)) '' + mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so, + '' + + optionalString (isEnabled (cfg: cfg.usbAuth)) '' + mr ${pkgs.pam_usb}/lib/security/pam_usb.so, + '' + + optionalString (isEnabled (cfg: cfg.oathAuth)) '' + "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so, + '' + + optionalString (isEnabled (cfg: cfg.yubicoAuth)) '' + mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so, + '' + + optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) '' + mr ${pkgs.duo-unix}/lib/security/pam_duo.so, + '' + + optionalString (isEnabled (cfg: cfg.otpwAuth)) '' + mr ${pkgs.otpw}/lib/security/pam_otpw.so, + '' + + optionalString config.security.pam.enableEcryptfs '' + mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so, + '' + + optionalString (isEnabled (cfg: cfg.pamMount)) '' + mr ${pkgs.pam_mount}/lib/security/pam_mount.so, + '' + + optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) '' + mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so, + '' + + optionalString (isEnabled (cfg: cfg.startSession)) '' + mr ${pkgs.systemd}/lib/security/pam_systemd.so, + '' + + optionalString (isEnabled (cfg: cfg.enableAppArmor) + && config.security.apparmor.enable) '' + mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so, + '' + + optionalString (isEnabled (cfg: cfg.enableKwallet)) '' + mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so, + '' + + optionalString config.virtualisation.lxc.lxcfs.enable '' + mr ${pkgs.lxc}/lib/security/pam_cgfs.so + ''; }; } diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index cc3ff3d11b917..2e73f8f4f311d 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -61,6 +61,17 @@ in ''; }; + security.sudo.execWheelOnly = mkOption { + type = types.bool; + default = false; + description = '' + Only allow members of the <code>wheel</code> group to execute sudo by + setting the executable's permissions accordingly. + This prevents users that are not members of <code>wheel</code> from + exploiting vulnerabilities in sudo such as CVE-2021-3156. + ''; + }; + security.sudo.configFile = mkOption { type = types.lines; # Note: if syntax errors are detected in this file, the NixOS @@ -216,9 +227,20 @@ in ${cfg.extraConfig} ''; - security.wrappers = { - sudo.source = "${cfg.package.out}/bin/sudo"; - sudoedit.source = "${cfg.package.out}/bin/sudoedit"; + security.wrappers = let + owner = "root"; + group = if cfg.execWheelOnly then "wheel" else "root"; + setuid = true; + permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x"; + in { + sudo = { + source = "${cfg.package.out}/bin/sudo"; + inherit owner group setuid permissions; + }; + sudoedit = { + source = "${cfg.package.out}/bin/sudoedit"; + inherit owner group setuid permissions; + }; }; environment.systemPackages = [ sudo ]; diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 3cbf22fea7a96..1e65f45151555 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -171,6 +171,14 @@ in export PATH="${wrapperDir}:$PATH" ''; + security.apparmor.includes."nixos/security.wrappers" = '' + include "${pkgs.apparmorRulesFromClosure { name="security.wrappers"; } [ + securityWrapper + pkgs.stdenv.cc.cc + pkgs.stdenv.cc.libc + ]}" + ''; + ###### setcap activation script system.activationScripts.wrappers = lib.stringAfter [ "specialfs" "users" ] diff --git a/nixos/modules/services/audio/botamusique.nix b/nixos/modules/services/audio/botamusique.nix new file mode 100644 index 0000000000000..14614d2dd1613 --- /dev/null +++ b/nixos/modules/services/audio/botamusique.nix @@ -0,0 +1,114 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.botamusique; + + format = pkgs.formats.ini {}; + configFile = format.generate "botamusique.ini" cfg.settings; +in +{ + meta.maintainers = with lib.maintainers; [ hexa ]; + + options.services.botamusique = { + enable = mkEnableOption "botamusique, a bot to play audio streams on mumble"; + + package = mkOption { + type = types.package; + default = pkgs.botamusique; + description = "The botamusique package to use."; + }; + + settings = mkOption { + type = with types; submodule { + freeformType = format.type; + options = { + server.host = mkOption { + type = types.str; + default = "localhost"; + example = "mumble.example.com"; + description = "Hostname of the mumble server to connect to."; + }; + + server.port = mkOption { + type = types.port; + default = 64738; + description = "Port of the mumble server to connect to."; + }; + + bot.username = mkOption { + type = types.str; + default = "botamusique"; + description = "Name the bot should appear with."; + }; + + bot.comment = mkOption { + type = types.str; + default = "Hi, I'm here to play radio, local music or youtube/soundcloud music. Have fun!"; + description = "Comment displayed for the bot."; + }; + }; + }; + default = {}; + description = '' + Your <filename>configuration.ini</filename> as a Nix attribute set. Look up + possible options in the <link xlink:href="https://github.com/azlux/botamusique/blob/master/configuration.example.ini">configuration.example.ini</link>. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.botamusique = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + unitConfig.Documentation = "https://github.com/azlux/botamusique/wiki"; + + environment.HOME = "/var/lib/botamusique"; + + serviceConfig = { + ExecStart = "${cfg.package}/bin/botamusique --config ${configFile}"; + Restart = "always"; # the bot exits when the server connection is lost + + # Hardening + CapabilityBoundingSet = [ "" ]; + DynamicUser = true; + IPAddressDeny = [ + "link-local" + "multicast" + ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + ProcSubset = "pid"; + PrivateDevices = true; + PrivateUsers = true; + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + StateDirectory = "botamusique"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + UMask = "0077"; + WorkingDirectory = "/var/lib/botamusique"; + }; + }; + }; +} diff --git a/nixos/modules/services/audio/jack.nix b/nixos/modules/services/audio/jack.nix index bee97dbfc6b3d..f341b432f7586 100644 --- a/nixos/modules/services/audio/jack.nix +++ b/nixos/modules/services/audio/jack.nix @@ -290,5 +290,5 @@ in { ]; - meta.maintainers = [ maintainers.gnidorah ]; + meta.maintainers = [ ]; } diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix index eee6c5f423d5d..e33e860d883da 100644 --- a/nixos/modules/services/audio/mpd.nix +++ b/nixos/modules/services/audio/mpd.nix @@ -233,14 +233,15 @@ in { { User = "${cfg.user}"; ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon /run/mpd/mpd.conf"; - ExecStartPre = pkgs.writeShellScript "mpd-start-pre" '' + ExecStartPre = pkgs.writeShellScript "mpd-start-pre" ('' set -euo pipefail install -m 600 ${mpdConf} /run/mpd/mpd.conf - ${optionalString (cfg.credentials != []) - "${pkgs.replace}/bin/replace-literal -fe ${ - concatStringsSep " -a " (imap0 (i: c: "\"{{password-${toString i}}}\" \"$(cat ${c.passwordFile})\"") cfg.credentials) - } /run/mpd/mpd.conf"} - ''; + '' + optionalString (cfg.credentials != []) + (concatStringsSep "\n" + (imap0 + (i: c: ''${pkgs.replace-secret}/bin/replace-secret '{{password-${toString i}}}' '${c.passwordFile}' /run/mpd/mpd.conf'') + cfg.credentials)) + ); RuntimeDirectory = "mpd"; Type = "notify"; LimitRTPRIO = 50; diff --git a/nixos/modules/services/audio/mpdscribble.nix b/nixos/modules/services/audio/mpdscribble.nix index 642d8743935f1..1368543ae1a4a 100644 --- a/nixos/modules/services/audio/mpdscribble.nix +++ b/nixos/modules/services/audio/mpdscribble.nix @@ -59,7 +59,7 @@ let replaceSecret = secretFile: placeholder: targetFile: optionalString (secretFile != null) '' - ${pkgs.replace}/bin/replace-literal -ef ${placeholder} "$(cat ${secretFile})" ${targetFile}''; + ${pkgs.replace-secret}/bin/replace-secret '${placeholder}' '${secretFile}' '${targetFile}' ''; preStart = pkgs.writeShellScript "mpdscribble-pre-start" '' cp -f "${cfgTemplate}" "${cfgFile}" diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix index be661b201f0df..18fb29fd72a5d 100644 --- a/nixos/modules/services/backup/borgbackup.nix +++ b/nixos/modules/services/backup/borgbackup.nix @@ -169,6 +169,7 @@ let (map (mkAuthorizedKey cfg false) cfg.authorizedKeys ++ map (mkAuthorizedKey cfg true) cfg.authorizedKeysAppendOnly); useDefaultShell = true; + isSystemUser = true; }; groups.${cfg.group} = { }; }; diff --git a/nixos/modules/services/backup/duplicity.nix b/nixos/modules/services/backup/duplicity.nix index a8d5642486235..1f6883ed02b79 100644 --- a/nixos/modules/services/backup/duplicity.nix +++ b/nixos/modules/services/backup/duplicity.nix @@ -1,16 +1,17 @@ -{ config, lib, pkgs, ...}: +{ config, lib, pkgs, ... }: with lib; - let cfg = config.services.duplicity; stateDirectory = "/var/lib/duplicity"; - localTarget = if hasPrefix "file://" cfg.targetUrl + localTarget = + if hasPrefix "file://" cfg.targetUrl then removePrefix "file://" cfg.targetUrl else null; -in { +in +{ options.services.duplicity = { enable = mkEnableOption "backups with duplicity"; @@ -24,7 +25,7 @@ in { include = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "/home" ]; description = '' List of paths to include into the backups. See the FILE SELECTION @@ -35,7 +36,7 @@ in { exclude = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; description = '' List of paths to exclude from backups. See the FILE SELECTION section in <citerefentry><refentrytitle>duplicity</refentrytitle> @@ -82,14 +83,60 @@ in { extraFlags = mkOption { type = types.listOf types.str; - default = []; - example = [ "--full-if-older-than" "1M" ]; + default = [ ]; + example = [ "--backend-retry-delay" "100" ]; description = '' Extra command-line flags passed to duplicity. See <citerefentry><refentrytitle>duplicity</refentrytitle> <manvolnum>1</manvolnum></citerefentry>. ''; }; + + fullIfOlderThan = mkOption { + type = types.str; + default = "never"; + example = "1M"; + description = '' + If <literal>"never"</literal> (the default) always do incremental + backups (the first backup will be a full backup, of course). If + <literal>"always"</literal> always do full backups. Otherwise, this + must be a string representing a duration. Full backups will be made + when the latest full backup is older than this duration. If this is not + the case, an incremental backup is performed. + ''; + }; + + cleanup = { + maxAge = mkOption { + type = types.nullOr types.str; + default = null; + example = "6M"; + description = '' + If non-null, delete all backup sets older than the given time. Old backup sets + will not be deleted if backup sets newer than time depend on them. + ''; + }; + maxFull = mkOption { + type = types.nullOr types.int; + default = null; + example = 2; + description = '' + If non-null, delete all backups sets that are older than the count:th last full + backup (in other words, keep the last count full backups and + associated incremental sets). + ''; + }; + maxIncr = mkOption { + type = types.nullOr types.int; + default = null; + example = 1; + description = '' + If non-null, delete incremental sets of all backups sets that are + older than the count:th last full backup (in other words, keep only + old full backups and not their increments). + ''; + }; + }; }; config = mkIf cfg.enable { @@ -99,18 +146,26 @@ in { environment.HOME = stateDirectory; - serviceConfig = { - ExecStart = '' - ${pkgs.duplicity}/bin/duplicity ${escapeShellArgs ( - [ - cfg.root - cfg.targetUrl - "--archive-dir" stateDirectory - ] + script = + let + target = escapeShellArg cfg.targetUrl; + extra = escapeShellArgs ([ "--archive-dir" stateDirectory ] ++ cfg.extraFlags); + dup = "${pkgs.duplicity}/bin/duplicity"; + in + '' + set -x + ${dup} cleanup ${target} --force ${extra} + ${lib.optionalString (cfg.cleanup.maxAge != null) "${dup} remove-older-than ${lib.escapeShellArg cfg.cleanup.maxAge} ${target} --force ${extra}"} + ${lib.optionalString (cfg.cleanup.maxFull != null) "${dup} remove-all-but-n-full ${toString cfg.cleanup.maxFull} ${target} --force ${extra}"} + ${lib.optionalString (cfg.cleanup.maxIncr != null) "${dup} remove-all-incr-but-n-full ${toString cfg.cleanup.maxIncr} ${target} --force ${extra}"} + exec ${dup} ${if cfg.fullIfOlderThan == "always" then "full" else "incr"} ${lib.escapeShellArgs ( + [ cfg.root cfg.targetUrl ] ++ concatMap (p: [ "--include" p ]) cfg.include ++ concatMap (p: [ "--exclude" p ]) cfg.exclude - ++ cfg.extraFlags)} + ++ (lib.optionals (cfg.fullIfOlderThan != "never" && cfg.fullIfOlderThan != "always") [ "--full-if-older-than" cfg.fullIfOlderThan ]) + )} ${extra} ''; + serviceConfig = { PrivateTmp = true; ProtectSystem = "strict"; ProtectHome = "read-only"; @@ -130,7 +185,7 @@ in { assertions = singleton { # Duplicity will fail if the last file selection option is an include. It # is not always possible to detect but this simple case can be caught. - assertion = cfg.include != [] -> cfg.exclude != [] || cfg.extraFlags != []; + assertion = cfg.include != [ ] -> cfg.exclude != [ ] || cfg.extraFlags != [ ]; message = '' Duplicity will fail if you only specify included paths ("Because the default is to include all files, the expression is redundant. Exiting diff --git a/nixos/modules/services/backup/postgresql-backup.nix b/nixos/modules/services/backup/postgresql-backup.nix index f4bd3aa447e5e..9da2d522a68d6 100644 --- a/nixos/modules/services/backup/postgresql-backup.nix +++ b/nixos/modules/services/backup/postgresql-backup.nix @@ -48,7 +48,7 @@ in { startAt = mkOption { default = "*-*-* 01:15:00"; - type = types.str; + type = with types; either (listOf str) str; description = '' This option defines (see <literal>systemd.time</literal> for format) when the databases should be dumped. diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix index e72e3fa59cf92..b764db1f14e4a 100644 --- a/nixos/modules/services/backup/syncoid.nix +++ b/nixos/modules/services/backup/syncoid.nix @@ -197,14 +197,14 @@ in { ])) (attrValues cfg.commands); after = [ "zfs.target" ]; serviceConfig = { - ExecStartPre = (map (pool: lib.escapeShellArgs [ - "+/run/booted-system/sw/bin/zfs" "allow" - cfg.user "hold,send" pool - ]) (getPools "source")) ++ - (map (pool: lib.escapeShellArgs [ - "+/run/booted-system/sw/bin/zfs" "allow" - cfg.user "create,mount,receive,rollback" pool - ]) (getPools "target")); + ExecStartPre = let + allowCmd = permissions: pool: lib.escapeShellArgs [ + "+/run/booted-system/sw/bin/zfs" "allow" + cfg.user (concatStringsSep "," permissions) pool + ]; + in + (map (allowCmd [ "hold" "send" "snapshot" "destroy" ]) (getPools "source")) ++ + (map (allowCmd [ "create" "mount" "receive" "rollback" ]) (getPools "target")); User = cfg.user; Group = cfg.group; }; diff --git a/nixos/modules/services/cluster/k3s/default.nix b/nixos/modules/services/cluster/k3s/default.nix index e62fbc94415ca..5ab0286a38a86 100644 --- a/nixos/modules/services/cluster/k3s/default.nix +++ b/nixos/modules/services/cluster/k3s/default.nix @@ -83,7 +83,8 @@ in systemd.services.k3s = { description = "k3s service"; - after = mkIf cfg.docker [ "docker.service" ]; + after = [ "network.service" "firewall.service" ] ++ (optional cfg.docker "docker.service"); + wants = [ "network.service" "firewall.service" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { # See: https://github.com/rancher/k3s/blob/dddbd16305284ae4bd14c0aade892412310d7edc/install.sh#L197 @@ -92,6 +93,10 @@ in Delegate = "yes"; Restart = "always"; RestartSec = "5s"; + LimitNOFILE = 1048576; + LimitNPROC = "infinity"; + LimitCORE = "infinity"; + TasksMax = "infinity"; ExecStart = concatStringsSep " \\\n " ( [ "${cfg.package}/bin/k3s ${cfg.role}" diff --git a/nixos/modules/services/cluster/kubernetes/addon-manager.nix b/nixos/modules/services/cluster/kubernetes/addon-manager.nix index f55079300b15e..1378b5ccfb7a4 100644 --- a/nixos/modules/services/cluster/kubernetes/addon-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/addon-manager.nix @@ -62,7 +62,7 @@ in ''; }; - enable = mkEnableOption "Whether to enable Kubernetes addon manager."; + enable = mkEnableOption "Kubernetes addon manager."; }; ###### implementation diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix index a5b1321547668..f1531caa75443 100644 --- a/nixos/modules/services/cluster/kubernetes/apiserver.nix +++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix @@ -145,7 +145,7 @@ in extraOpts = mkOption { description = "Kubernetes apiserver extra command line options."; default = ""; - type = str; + type = separatedString " "; }; extraSANs = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixos/modules/services/cluster/kubernetes/controller-manager.nix index a99ef6640e974..0c81fa9ae492f 100644 --- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix @@ -38,7 +38,7 @@ in extraOpts = mkOption { description = "Kubernetes controller manager extra command line options."; default = ""; - type = str; + type = separatedString " "; }; featureGates = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index 19edc338bba1b..0dc3649237b7f 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -7,12 +7,12 @@ let defaultContainerdConfigFile = pkgs.writeText "containerd.toml" '' version = 2 - root = "/var/lib/containerd/daemon" - state = "/var/run/containerd/daemon" + root = "/var/lib/containerd" + state = "/run/containerd" oom_score = 0 [grpc] - address = "/var/run/containerd/containerd.sock" + address = "/run/containerd/containerd.sock" [plugins."io.containerd.grpc.v1.cri"] sandbox_image = "pause:latest" diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix index b5346b1cd44d8..fcfcc84354772 100644 --- a/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -134,7 +134,7 @@ in containerRuntimeEndpoint = mkOption { description = "Endpoint at which to find the container runtime api interface/socket"; type = str; - default = "unix:///var/run/containerd/containerd.sock"; + default = "unix:///run/containerd/containerd.sock"; }; enable = mkEnableOption "Kubernetes kubelet."; @@ -142,7 +142,7 @@ in extraOpts = mkOption { description = "Kubernetes kubelet extra command line options."; default = ""; - type = str; + type = separatedString " "; }; featureGates = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixos/modules/services/cluster/kubernetes/proxy.nix index 86d1dc2439bd9..7aa449f9aa21a 100644 --- a/nixos/modules/services/cluster/kubernetes/proxy.nix +++ b/nixos/modules/services/cluster/kubernetes/proxy.nix @@ -25,7 +25,7 @@ in extraOpts = mkOption { description = "Kubernetes proxy extra command line options."; default = ""; - type = str; + type = separatedString " "; }; featureGates = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/scheduler.nix b/nixos/modules/services/cluster/kubernetes/scheduler.nix index 5f6113227d9db..454c689759df1 100644 --- a/nixos/modules/services/cluster/kubernetes/scheduler.nix +++ b/nixos/modules/services/cluster/kubernetes/scheduler.nix @@ -21,7 +21,7 @@ in extraOpts = mkOption { description = "Kubernetes scheduler extra command line options."; default = ""; - type = str; + type = separatedString " "; }; featureGates = mkOption { diff --git a/nixos/modules/services/computing/foldingathome/client.nix b/nixos/modules/services/computing/foldingathome/client.nix index 9f99af48c48a6..fbef6a04b16d0 100644 --- a/nixos/modules/services/computing/foldingathome/client.nix +++ b/nixos/modules/services/computing/foldingathome/client.nix @@ -49,6 +49,15 @@ in ''; }; + daemonNiceLevel = mkOption { + type = types.ints.between (-20) 19; + default = 0; + description = '' + Daemon process priority for FAHClient. + 0 is the default Unix process priority, 19 is the lowest. + ''; + }; + extraArgs = mkOption { type = types.listOf types.str; default = []; @@ -70,6 +79,7 @@ in serviceConfig = { DynamicUser = true; StateDirectory = "foldingathome"; + Nice = cfg.daemonNiceLevel; WorkingDirectory = "%S/foldingathome"; }; }; diff --git a/nixos/modules/services/computing/slurm/slurm.nix b/nixos/modules/services/computing/slurm/slurm.nix index 0b52f8afed831..a3dee94e2dc5d 100644 --- a/nixos/modules/services/computing/slurm/slurm.nix +++ b/nixos/modules/services/computing/slurm/slurm.nix @@ -403,9 +403,7 @@ in requires = [ "munged.service" "mysql.service" ]; preStart = '' - cp ${slurmdbdConf} ${configPath} - chmod 600 ${configPath} - chown ${cfg.user} ${configPath} + install -m 600 -o ${cfg.user} -T ${slurmdbdConf} ${configPath} ${optionalString (cfg.dbdserver.storagePassFile != null) '' echo "StoragePass=$(cat ${cfg.dbdserver.storagePassFile})" \ >> ${configPath} diff --git a/nixos/modules/services/continuous-integration/buildbot/master.nix b/nixos/modules/services/continuous-integration/buildbot/master.nix index a49f5f8100dc9..f668e69e5df7b 100644 --- a/nixos/modules/services/continuous-integration/buildbot/master.nix +++ b/nixos/modules/services/continuous-integration/buildbot/master.nix @@ -283,5 +283,5 @@ in { '') ]; - meta.maintainers = with lib.maintainers; [ nand0p mic92 lopsided98 ]; + meta.maintainers = with lib.maintainers; [ mic92 lopsided98 ]; } diff --git a/nixos/modules/services/continuous-integration/buildbot/worker.nix b/nixos/modules/services/continuous-integration/buildbot/worker.nix index 7b8a35f54bfa3..708b3e1cc1825 100644 --- a/nixos/modules/services/continuous-integration/buildbot/worker.nix +++ b/nixos/modules/services/continuous-integration/buildbot/worker.nix @@ -191,6 +191,6 @@ in { }; }; - meta.maintainers = with lib.maintainers; [ nand0p ]; + meta.maintainers = with lib.maintainers; [ ]; } diff --git a/nixos/modules/services/continuous-integration/buildkite-agents.nix b/nixos/modules/services/continuous-integration/buildkite-agents.nix index b0045409ae609..3dd1c40aaa4b2 100644 --- a/nixos/modules/services/continuous-integration/buildkite-agents.nix +++ b/nixos/modules/services/continuous-integration/buildkite-agents.nix @@ -76,7 +76,7 @@ let }; tags = mkOption { - type = types.attrsOf types.str; + type = types.attrsOf (types.either types.str (types.listOf types.str)); default = {}; example = { queue = "default"; docker = "true"; ruby2 ="true"; }; description = '' @@ -230,7 +230,11 @@ in ## don't end up in the Nix store. preStart = let sshDir = "${cfg.dataDir}/.ssh"; - tagStr = lib.concatStringsSep "," (lib.mapAttrsToList (name: value: "${name}=${value}") cfg.tags); + tagStr = name: value: + if lib.isList value + then lib.concatStringsSep "," (builtins.map (v: "${name}=${v}") value) + else "${name}=${value}"; + tagsStr = lib.concatStringsSep "," (lib.mapAttrsToList tagStr cfg.tags); in optionalString (cfg.privateSshKeyPath != null) '' mkdir -m 0700 -p "${sshDir}" @@ -241,7 +245,7 @@ in token="$(cat ${toString cfg.tokenPath})" name="${cfg.name}" shell="${cfg.shell}" - tags="${tagStr}" + tags="${tagsStr}" build-path="${cfg.dataDir}/builds" hooks-path="${cfg.hooksPath}" ${cfg.extraConfig} diff --git a/nixos/modules/services/continuous-integration/github-runner.nix b/nixos/modules/services/continuous-integration/github-runner.nix new file mode 100644 index 0000000000000..9627b723f8f1b --- /dev/null +++ b/nixos/modules/services/continuous-integration/github-runner.nix @@ -0,0 +1,299 @@ +{ config, pkgs, lib, ... }: +with lib; +let + cfg = config.services.github-runner; + svcName = "github-runner"; + systemdDir = "${svcName}/${cfg.name}"; + # %t: Runtime directory root (usually /run); see systemd.unit(5) + runtimeDir = "%t/${systemdDir}"; + # %S: State directory root (usually /var/lib); see systemd.unit(5) + stateDir = "%S/${systemdDir}"; + # %L: Log directory root (usually /var/log); see systemd.unit(5) + logsDir = "%L/${systemdDir}"; +in +{ + options.services.github-runner = { + enable = mkOption { + default = false; + example = true; + description = '' + Whether to enable GitHub Actions runner. + + Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here: + <link xlink:href="https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners" + >About self-hosted runners</link>. + ''; + type = lib.types.bool; + }; + + url = mkOption { + type = types.str; + description = '' + Repository to add the runner to. + + Changing this option triggers a new runner registration. + ''; + example = "https://github.com/nixos/nixpkgs"; + }; + + tokenFile = mkOption { + type = types.path; + description = '' + The full path to a file which contains the runner registration token. + The file should contain exactly one line with the token without any newline. + The token can be used to re-register a runner of the same name but is time-limited. + + Changing this option or the file's content triggers a new runner registration. + ''; + example = "/run/secrets/github-runner/nixos.token"; + }; + + name = mkOption { + # Same pattern as for `networking.hostName` + type = types.strMatching "^$|^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$"; + description = '' + Name of the runner to configure. Defaults to the hostname. + + Changing this option triggers a new runner registration. + ''; + example = "nixos"; + default = config.networking.hostName; + }; + + runnerGroup = mkOption { + type = types.nullOr types.str; + description = '' + Name of the runner group to add this runner to (defaults to the default runner group). + + Changing this option triggers a new runner registration. + ''; + default = null; + }; + + extraLabels = mkOption { + type = types.listOf types.str; + description = '' + Extra labels in addition to the default (<literal>["self-hosted", "Linux", "X64"]</literal>). + + Changing this option triggers a new runner registration. + ''; + example = literalExample ''[ "nixos" ]''; + default = [ ]; + }; + + replace = mkOption { + type = types.bool; + description = '' + Replace any existing runner with the same name. + + Without this flag, registering a new runner with the same name fails. + ''; + default = false; + }; + + extraPackages = mkOption { + type = types.listOf types.package; + description = '' + Extra packages to add to <literal>PATH</literal> of the service to make them available to workflows. + ''; + default = [ ]; + }; + }; + + config = mkIf cfg.enable { + warnings = optionals (isStorePath cfg.tokenFile) [ + '' + `services.github-runner.tokenFile` points to the Nix store and, therefore, is world-readable. + Consider using a path outside of the Nix store to keep the token private. + '' + ]; + + systemd.services.${svcName} = { + description = "GitHub Actions runner"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network.target" "network-online.target" ]; + + environment = { + HOME = runtimeDir; + RUNNER_ROOT = runtimeDir; + }; + + path = (with pkgs; [ + bash + coreutils + git + gnutar + gzip + ]) ++ [ + config.nix.package + ] ++ cfg.extraPackages; + + serviceConfig = rec { + ExecStart = "${pkgs.github-runner}/bin/runsvc.sh"; + + # Does the following, sequentially: + # - Copy the current and the previous `tokenFile` to the $RUNTIME_DIRECTORY + # and make it accessible to the service user to allow for a content + # comparison. + # - If the module configuration or the token has changed, clear the state directory. + # - Configure the runner. + # - Copy the configured `tokenFile` to the $STATE_DIRECTORY and make it + # inaccessible to the service user. + # - Set up the directory structure by creating the necessary symlinks. + ExecStartPre = + let + # Wrapper script which expects the full path of the state, runtime and logs + # directory as arguments. Overrides the respective systemd variables to provide + # unambiguous directory names. This becomes relevant, for example, if the + # caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory= + # to contain more than one directory. This causes systemd to set the respective + # environment variables with the path of all of the given directories, separated + # by a colon. + writeScript = name: lines: pkgs.writeShellScript "${svcName}-${name}.sh" '' + set -euo pipefail + + STATE_DIRECTORY="$1" + RUNTIME_DIRECTORY="$2" + LOGS_DIRECTORY="$3" + + ${lines} + ''; + currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json"; + runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" ] cfg; + newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig); + currentConfigTokenFilename = ".current-token"; + newConfigTokenFilename = ".new-token"; + runnerCredFiles = [ + ".credentials" + ".credentials_rsaparams" + ".runner" + ]; + ownConfigTokens = writeScript "own-config-tokens" '' + # Copy current and new token file to runtime dir and make it accessible to the service user + cp ${escapeShellArg cfg.tokenFile} "$RUNTIME_DIRECTORY/${newConfigTokenFilename}" + chmod 600 "$RUNTIME_DIRECTORY/${newConfigTokenFilename}" + chown "$USER" "$RUNTIME_DIRECTORY/${newConfigTokenFilename}" + + if [[ -e "$STATE_DIRECTORY/${currentConfigTokenFilename}" ]]; then + cp "$STATE_DIRECTORY/${currentConfigTokenFilename}" "$RUNTIME_DIRECTORY/${currentConfigTokenFilename}" + chmod 600 "$RUNTIME_DIRECTORY/${currentConfigTokenFilename}" + chown "$USER" "$RUNTIME_DIRECTORY/${currentConfigTokenFilename}" + fi + ''; + disownConfigTokens = writeScript "disown-config-tokens" '' + # Make the token inaccessible to the runner service user + chmod 600 "$STATE_DIRECTORY/${currentConfigTokenFilename}" + chown root:root "$STATE_DIRECTORY/${currentConfigTokenFilename}" + ''; + unconfigureRunner = writeScript "unconfigure" '' + differs= + # Set `differs = 1` if current and new runner config differ or if `currentConfigPath` does not exist + ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 || differs=1 + # Also trigger a registration if the token content changed + ${pkgs.diffutils}/bin/diff -q \ + "$RUNTIME_DIRECTORY"/{${currentConfigTokenFilename},${newConfigTokenFilename}} \ + >/dev/null 2>&1 || differs=1 + + if [[ -n "$differs" ]]; then + echo "Config has changed, removing old runner state." + echo "The old runner will still appear in the GitHub Actions UI." \ + "You have to remove it manually." + find "$STATE_DIRECTORY/" -mindepth 1 -delete + fi + ''; + configureRunner = writeScript "configure" '' + empty=$(ls -A "$STATE_DIRECTORY") + if [[ -z "$empty" ]]; then + echo "Configuring GitHub Actions Runner" + token=$(< "$RUNTIME_DIRECTORY"/${newConfigTokenFilename}) + RUNNER_ROOT="$STATE_DIRECTORY" ${pkgs.github-runner}/bin/config.sh \ + --unattended \ + --work "$RUNTIME_DIRECTORY" \ + --url ${escapeShellArg cfg.url} \ + --token "$token" \ + --labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)} \ + --name ${escapeShellArg cfg.name} \ + ${optionalString cfg.replace "--replace"} \ + ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} + + # Move the automatically created _diag dir to the logs dir + mkdir -p "$STATE_DIRECTORY/_diag" + cp -r "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/" + rm -rf "$STATE_DIRECTORY/_diag/" + + # Cleanup token from config + rm -f "$RUNTIME_DIRECTORY"/${currentConfigTokenFilename} + mv "$RUNTIME_DIRECTORY"/${newConfigTokenFilename} "$STATE_DIRECTORY/${currentConfigTokenFilename}" + + # Symlink to new config + ln -s '${newConfigPath}' "${currentConfigPath}" + fi + ''; + setupRuntimeDir = writeScript "setup-runtime-dirs" '' + # Link _diag dir + ln -s "$LOGS_DIRECTORY" "$RUNTIME_DIRECTORY/_diag" + + # Link the runner credentials to the runtime dir + ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$RUNTIME_DIRECTORY/" + ''; + in + map (x: "${x} ${escapeShellArgs [ stateDir runtimeDir logsDir ]}") [ + "+${ownConfigTokens}" # runs as root + unconfigureRunner + configureRunner + "+${disownConfigTokens}" # runs as root + setupRuntimeDir + ]; + + # Contains _diag + LogsDirectory = [ systemdDir ]; + # Default RUNNER_ROOT which contains ephemeral Runner data + RuntimeDirectory = [ systemdDir ]; + # Home of persistent runner data, e.g., credentials + StateDirectory = [ systemdDir ]; + StateDirectoryMode = "0700"; + WorkingDirectory = runtimeDir; + + # By default, use a dynamically allocated user + DynamicUser = true; + + KillMode = "process"; + KillSignal = "SIGTERM"; + + # Hardening (may overlap with DynamicUser=) + # The following options are only for optimizing: + # systemd-analyze security github-runner + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + LockPersonality = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + UMask = "0066"; + + # Needs network access + PrivateNetwork = false; + # Cannot be true due to Node + MemoryDenyWriteExecute = false; + }; + }; + }; +} diff --git a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix index 9f9b86ee61cbb..2f0b573e87210 100644 --- a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix +++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix @@ -37,15 +37,22 @@ let description = '' Number of tasks to perform simultaneously. - A task is a single derivation build or an evaluation. + A task is a single derivation build, an evaluation or an effect run. At minimum, you need 2 concurrent tasks for <literal>x86_64-linux</literal> in your cluster, to allow for import from derivation. <literal>concurrentTasks</literal> can be around the CPU core count or lower if memory is the bottleneck. + + The optimal value depends on the resource consumption characteristics of your workload, + including memory usage and in-task parallelism. This is typically determined empirically. + + When scaling, it is generally better to have a double-size machine than two machines, + because each split of resources causes inefficiencies; particularly with regards + to build latency because of extra downloads. ''; - type = types.int; - default = 4; + type = types.either types.ints.positive (types.enum [ "auto" ]); + default = "auto"; }; workDirectory = mkOption { description = '' @@ -186,7 +193,18 @@ in # even shortly after the previous lookup. This *also* applies to the daemon. narinfo-cache-negative-ttl = 0 ''; - services.hercules-ci-agent.tomlFile = - format.generate "hercules-ci-agent.toml" cfg.settings; + services.hercules-ci-agent = { + tomlFile = + format.generate "hercules-ci-agent.toml" cfg.settings; + + settings.labels = { + agent.source = + if options.services.hercules-ci-agent.package.highestPrio == (lib.modules.mkOptionDefault { }).priority + then "nixpkgs" + else lib.mkOptionDefault "override"; + pkgs.version = pkgs.lib.version; + lib.version = lib.version; + }; + }; }; } diff --git a/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix b/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix index e8a42e59de0d0..06c174e7d376e 100644 --- a/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix +++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix @@ -68,7 +68,23 @@ in # Trusted user allows simplified configuration and better performance # when operating in a cluster. nix.trustedUsers = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ]; - services.hercules-ci-agent.settings.nixUserIsTrusted = true; + services.hercules-ci-agent = { + settings = { + nixUserIsTrusted = true; + labels = + let + mkIfNotNull = x: mkIf (x != null) x; + in + { + nixos.configurationRevision = mkIfNotNull config.system.configurationRevision; + nixos.release = config.system.nixos.release; + nixos.label = mkIfNotNull config.system.nixos.label; + nixos.codeName = config.system.nixos.codeName; + nixos.tags = config.system.nixos.tags; + nixos.systemName = mkIfNotNull config.system.name; + }; + }; + }; users.users.hercules-ci-agent = { home = cfg.settings.baseDirectory; diff --git a/nixos/modules/services/databases/cassandra.nix b/nixos/modules/services/databases/cassandra.nix index d55a7db39150f..820be5085de9f 100644 --- a/nixos/modules/services/databases/cassandra.nix +++ b/nixos/modules/services/databases/cassandra.nix @@ -1,79 +1,108 @@ { config, lib, pkgs, ... }: -with lib; - let + inherit (lib) + concatStringsSep + flip + literalExample + optionalAttrs + optionals + recursiveUpdate + mkEnableOption + mkIf + mkOption + types + versionAtLeast + ; + cfg = config.services.cassandra; + defaultUser = "cassandra"; - cassandraConfig = flip recursiveUpdate cfg.extraConfig - ({ commitlog_sync = "batch"; - commitlog_sync_batch_window_in_ms = 2; - start_native_transport = cfg.allowClients; - cluster_name = cfg.clusterName; - partitioner = "org.apache.cassandra.dht.Murmur3Partitioner"; - endpoint_snitch = "SimpleSnitch"; - data_file_directories = [ "${cfg.homeDir}/data" ]; - commitlog_directory = "${cfg.homeDir}/commitlog"; - saved_caches_directory = "${cfg.homeDir}/saved_caches"; - } // (lib.optionalAttrs (cfg.seedAddresses != []) { - seed_provider = [{ - class_name = "org.apache.cassandra.locator.SimpleSeedProvider"; - parameters = [ { seeds = concatStringsSep "," cfg.seedAddresses; } ]; - }]; - }) // (lib.optionalAttrs (lib.versionAtLeast cfg.package.version "3") { - hints_directory = "${cfg.homeDir}/hints"; - }) - ); - cassandraConfigWithAddresses = cassandraConfig // - ( if cfg.listenAddress == null - then { listen_interface = cfg.listenInterface; } - else { listen_address = cfg.listenAddress; } - ) // ( - if cfg.rpcAddress == null - then { rpc_interface = cfg.rpcInterface; } - else { rpc_address = cfg.rpcAddress; } - ); - cassandraEtc = pkgs.stdenv.mkDerivation - { name = "cassandra-etc"; - cassandraYaml = builtins.toJSON cassandraConfigWithAddresses; - cassandraEnvPkg = "${cfg.package}/conf/cassandra-env.sh"; - cassandraLogbackConfig = pkgs.writeText "logback.xml" cfg.logbackConfig; - passAsFile = [ "extraEnvSh" ]; - inherit (cfg) extraEnvSh; - buildCommand = '' - mkdir -p "$out" - - echo "$cassandraYaml" > "$out/cassandra.yaml" - ln -s "$cassandraLogbackConfig" "$out/logback.xml" - - ( cat "$cassandraEnvPkg" - echo "# lines from services.cassandra.extraEnvSh: " - cat "$extraEnvShPath" - ) > "$out/cassandra-env.sh" - - # Delete default JMX Port, otherwise we can't set it using env variable - sed -i '/JMX_PORT="7199"/d' "$out/cassandra-env.sh" - - # Delete default password file - sed -i '/-Dcom.sun.management.jmxremote.password.file=\/etc\/cassandra\/jmxremote.password/d' "$out/cassandra-env.sh" - ''; - }; - defaultJmxRolesFile = builtins.foldl' - (left: right: left + right) "" - (map (role: "${role.username} ${role.password}") cfg.jmxRoles); - fullJvmOptions = cfg.jvmOpts - ++ lib.optionals (cfg.jmxRoles != []) [ + + cassandraConfig = flip recursiveUpdate cfg.extraConfig ( + { + commitlog_sync = "batch"; + commitlog_sync_batch_window_in_ms = 2; + start_native_transport = cfg.allowClients; + cluster_name = cfg.clusterName; + partitioner = "org.apache.cassandra.dht.Murmur3Partitioner"; + endpoint_snitch = "SimpleSnitch"; + data_file_directories = [ "${cfg.homeDir}/data" ]; + commitlog_directory = "${cfg.homeDir}/commitlog"; + saved_caches_directory = "${cfg.homeDir}/saved_caches"; + } // optionalAttrs (cfg.seedAddresses != [ ]) { + seed_provider = [ + { + class_name = "org.apache.cassandra.locator.SimpleSeedProvider"; + parameters = [{ seeds = concatStringsSep "," cfg.seedAddresses; }]; + } + ]; + } // optionalAttrs (versionAtLeast cfg.package.version "3") { + hints_directory = "${cfg.homeDir}/hints"; + } + ); + + cassandraConfigWithAddresses = cassandraConfig // ( + if cfg.listenAddress == null + then { listen_interface = cfg.listenInterface; } + else { listen_address = cfg.listenAddress; } + ) // ( + if cfg.rpcAddress == null + then { rpc_interface = cfg.rpcInterface; } + else { rpc_address = cfg.rpcAddress; } + ); + + cassandraEtc = pkgs.stdenv.mkDerivation { + name = "cassandra-etc"; + + cassandraYaml = builtins.toJSON cassandraConfigWithAddresses; + cassandraEnvPkg = "${cfg.package}/conf/cassandra-env.sh"; + cassandraLogbackConfig = pkgs.writeText "logback.xml" cfg.logbackConfig; + + passAsFile = [ "extraEnvSh" ]; + inherit (cfg) extraEnvSh; + + buildCommand = '' + mkdir -p "$out" + + echo "$cassandraYaml" > "$out/cassandra.yaml" + ln -s "$cassandraLogbackConfig" "$out/logback.xml" + + ( cat "$cassandraEnvPkg" + echo "# lines from services.cassandra.extraEnvSh: " + cat "$extraEnvShPath" + ) > "$out/cassandra-env.sh" + + # Delete default JMX Port, otherwise we can't set it using env variable + sed -i '/JMX_PORT="7199"/d' "$out/cassandra-env.sh" + + # Delete default password file + sed -i '/-Dcom.sun.management.jmxremote.password.file=\/etc\/cassandra\/jmxremote.password/d' "$out/cassandra-env.sh" + ''; + }; + + defaultJmxRolesFile = + builtins.foldl' + (left: right: left + right) "" + (map (role: "${role.username} ${role.password}") cfg.jmxRoles); + + fullJvmOptions = + cfg.jvmOpts + ++ optionals (cfg.jmxRoles != [ ]) [ "-Dcom.sun.management.jmxremote.authenticate=true" "-Dcom.sun.management.jmxremote.password.file=${cfg.jmxRolesFile}" - ] - ++ lib.optionals cfg.remoteJmx [ + ] ++ optionals cfg.remoteJmx [ "-Djava.rmi.server.hostname=${cfg.rpcAddress}" ]; -in { + +in +{ options.services.cassandra = { + enable = mkEnableOption '' Apache Cassandra – Scalable and highly available database. ''; + clusterName = mkOption { type = types.str; default = "Test Cluster"; @@ -83,16 +112,19 @@ in { another. All nodes in a cluster must have the same value. ''; }; + user = mkOption { type = types.str; default = defaultUser; description = "Run Apache Cassandra under this user."; }; + group = mkOption { type = types.str; default = defaultUser; description = "Run Apache Cassandra under this group."; }; + homeDir = mkOption { type = types.path; default = "/var/lib/cassandra"; @@ -100,6 +132,7 @@ in { Home directory for Apache Cassandra. ''; }; + package = mkOption { type = types.package; default = pkgs.cassandra; @@ -109,17 +142,19 @@ in { The Apache Cassandra package to use. ''; }; + jvmOpts = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; description = '' Populate the JVM_OPT environment variable. ''; }; + listenAddress = mkOption { type = types.nullOr types.str; default = "127.0.0.1"; - example = literalExample "null"; + example = null; description = '' Address or interface to bind to and tell other Cassandra nodes to connect to. You _must_ change this if you want multiple @@ -136,6 +171,7 @@ in { Setting listen_address to 0.0.0.0 is always wrong. ''; }; + listenInterface = mkOption { type = types.nullOr types.str; default = null; @@ -146,10 +182,11 @@ in { supported. ''; }; + rpcAddress = mkOption { type = types.nullOr types.str; default = "127.0.0.1"; - example = literalExample "null"; + example = null; description = '' The address or interface to bind the native transport server to. @@ -167,6 +204,7 @@ in { internet. Firewall it if needed. ''; }; + rpcInterface = mkOption { type = types.nullOr types.str; default = null; @@ -176,6 +214,7 @@ in { correspond to a single address, IP aliasing is not supported. ''; }; + logbackConfig = mkOption { type = types.lines; default = '' @@ -197,6 +236,7 @@ in { XML logback configuration for cassandra ''; }; + seedAddresses = mkOption { type = types.listOf types.str; default = [ "127.0.0.1" ]; @@ -207,6 +247,7 @@ in { Set to 127.0.0.1 for a single node cluster. ''; }; + allowClients = mkOption { type = types.bool; default = true; @@ -219,16 +260,19 @@ in { <literal>extraConfig</literal>. ''; }; + extraConfig = mkOption { type = types.attrs; - default = {}; + default = { }; example = - { commitlog_sync_batch_window_in_ms = 3; + { + commitlog_sync_batch_window_in_ms = 3; }; description = '' Extra options to be merged into cassandra.yaml as nix attribute set. ''; }; + extraEnvSh = mkOption { type = types.lines; default = ""; @@ -237,48 +281,53 @@ in { Extra shell lines to be appended onto cassandra-env.sh. ''; }; + fullRepairInterval = mkOption { type = types.nullOr types.str; default = "3w"; - example = literalExample "null"; + example = null; description = '' - Set the interval how often full repairs are run, i.e. - <literal>nodetool repair --full</literal> is executed. See - https://cassandra.apache.org/doc/latest/operating/repair.html - for more information. + Set the interval how often full repairs are run, i.e. + <literal>nodetool repair --full</literal> is executed. See + https://cassandra.apache.org/doc/latest/operating/repair.html + for more information. - Set to <literal>null</literal> to disable full repairs. - ''; + Set to <literal>null</literal> to disable full repairs. + ''; }; + fullRepairOptions = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "--partitioner-range" ]; description = '' - Options passed through to the full repair command. - ''; + Options passed through to the full repair command. + ''; }; + incrementalRepairInterval = mkOption { type = types.nullOr types.str; default = "3d"; - example = literalExample "null"; + example = null; description = '' - Set the interval how often incremental repairs are run, i.e. - <literal>nodetool repair</literal> is executed. See - https://cassandra.apache.org/doc/latest/operating/repair.html - for more information. + Set the interval how often incremental repairs are run, i.e. + <literal>nodetool repair</literal> is executed. See + https://cassandra.apache.org/doc/latest/operating/repair.html + for more information. - Set to <literal>null</literal> to disable incremental repairs. - ''; + Set to <literal>null</literal> to disable incremental repairs. + ''; }; + incrementalRepairOptions = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "--partitioner-range" ]; description = '' - Options passed through to the incremental repair command. - ''; + Options passed through to the incremental repair command. + ''; }; + maxHeapSize = mkOption { type = types.nullOr types.str; default = null; @@ -299,6 +348,7 @@ in { expensive GC will be (usually). ''; }; + heapNewSize = mkOption { type = types.nullOr types.str; default = null; @@ -322,6 +372,7 @@ in { 100 MB per physical CPU core. ''; }; + mallocArenaMax = mkOption { type = types.nullOr types.int; default = null; @@ -330,6 +381,7 @@ in { Set this to control the amount of arenas per-thread in glibc. ''; }; + remoteJmx = mkOption { type = types.bool; default = false; @@ -341,6 +393,7 @@ in { See: https://wiki.apache.org/cassandra/JmxSecurity ''; }; + jmxPort = mkOption { type = types.int; default = 7199; @@ -351,8 +404,9 @@ in { Firewall it if needed. ''; }; + jmxRoles = mkOption { - default = []; + default = [ ]; description = '' Roles that are allowed to access the JMX (e.g. nodetool) BEWARE: The passwords will be stored world readable in the nix-store. @@ -375,11 +429,13 @@ in { }; }); }; + jmxRolesFile = mkOption { type = types.nullOr types.path; - default = if (lib.versionAtLeast cfg.package.version "3.11") - then pkgs.writeText "jmx-roles-file" defaultJmxRolesFile - else null; + default = + if versionAtLeast cfg.package.version "3.11" + then pkgs.writeText "jmx-roles-file" defaultJmxRolesFile + else null; example = "/var/lib/cassandra/jmx.password"; description = '' Specify your own jmx roles file. @@ -391,102 +447,115 @@ in { }; config = mkIf cfg.enable { - assertions = - [ { assertion = (cfg.listenAddress == null) != (cfg.listenInterface == null); - message = "You have to set either listenAddress or listenInterface"; - } - { assertion = (cfg.rpcAddress == null) != (cfg.rpcInterface == null); - message = "You have to set either rpcAddress or rpcInterface"; - } - { assertion = (cfg.maxHeapSize == null) == (cfg.heapNewSize == null); - message = "If you set either of maxHeapSize or heapNewSize you have to set both"; - } - { assertion = cfg.remoteJmx -> cfg.jmxRolesFile != null; - message = '' - If you want JMX available remotely you need to set a password using - <literal>jmxRoles</literal> or <literal>jmxRolesFile</literal> if - using Cassandra older than v3.11. - ''; - } - ]; + assertions = [ + { + assertion = (cfg.listenAddress == null) != (cfg.listenInterface == null); + message = "You have to set either listenAddress or listenInterface"; + } + { + assertion = (cfg.rpcAddress == null) != (cfg.rpcInterface == null); + message = "You have to set either rpcAddress or rpcInterface"; + } + { + assertion = (cfg.maxHeapSize == null) == (cfg.heapNewSize == null); + message = "If you set either of maxHeapSize or heapNewSize you have to set both"; + } + { + assertion = cfg.remoteJmx -> cfg.jmxRolesFile != null; + message = '' + If you want JMX available remotely you need to set a password using + <literal>jmxRoles</literal> or <literal>jmxRolesFile</literal> if + using Cassandra older than v3.11. + ''; + } + ]; users = mkIf (cfg.user == defaultUser) { - extraUsers.${defaultUser} = - { group = cfg.group; - home = cfg.homeDir; - createHome = true; - uid = config.ids.uids.cassandra; - description = "Cassandra service user"; - }; - extraGroups.${defaultUser}.gid = config.ids.gids.cassandra; + users.${defaultUser} = { + group = cfg.group; + home = cfg.homeDir; + createHome = true; + uid = config.ids.uids.cassandra; + description = "Cassandra service user"; + }; + groups.${defaultUser}.gid = config.ids.gids.cassandra; }; - systemd.services.cassandra = - { description = "Apache Cassandra service"; - after = [ "network.target" ]; - environment = - { CASSANDRA_CONF = "${cassandraEtc}"; - JVM_OPTS = builtins.concatStringsSep " " fullJvmOptions; - MAX_HEAP_SIZE = toString cfg.maxHeapSize; - HEAP_NEWSIZE = toString cfg.heapNewSize; - MALLOC_ARENA_MAX = toString cfg.mallocArenaMax; - LOCAL_JMX = if cfg.remoteJmx then "no" else "yes"; - JMX_PORT = toString cfg.jmxPort; - }; - wantedBy = [ "multi-user.target" ]; - serviceConfig = - { User = cfg.user; - Group = cfg.group; - ExecStart = "${cfg.package}/bin/cassandra -f"; - SuccessExitStatus = 143; - }; + systemd.services.cassandra = { + description = "Apache Cassandra service"; + after = [ "network.target" ]; + environment = { + CASSANDRA_CONF = "${cassandraEtc}"; + JVM_OPTS = builtins.concatStringsSep " " fullJvmOptions; + MAX_HEAP_SIZE = toString cfg.maxHeapSize; + HEAP_NEWSIZE = toString cfg.heapNewSize; + MALLOC_ARENA_MAX = toString cfg.mallocArenaMax; + LOCAL_JMX = if cfg.remoteJmx then "no" else "yes"; + JMX_PORT = toString cfg.jmxPort; + }; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = "${cfg.package}/bin/cassandra -f"; + SuccessExitStatus = 143; }; + }; - systemd.services.cassandra-full-repair = - { description = "Perform a full repair on this Cassandra node"; - after = [ "cassandra.service" ]; - requires = [ "cassandra.service" ]; - serviceConfig = - { User = cfg.user; - Group = cfg.group; - ExecStart = - lib.concatStringsSep " " - ([ "${cfg.package}/bin/nodetool" "repair" "--full" - ] ++ cfg.fullRepairOptions); - }; + systemd.services.cassandra-full-repair = { + description = "Perform a full repair on this Cassandra node"; + after = [ "cassandra.service" ]; + requires = [ "cassandra.service" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = + concatStringsSep " " + ([ + "${cfg.package}/bin/nodetool" + "repair" + "--full" + ] ++ cfg.fullRepairOptions); }; + }; + systemd.timers.cassandra-full-repair = mkIf (cfg.fullRepairInterval != null) { description = "Schedule full repairs on Cassandra"; wantedBy = [ "timers.target" ]; - timerConfig = - { OnBootSec = cfg.fullRepairInterval; - OnUnitActiveSec = cfg.fullRepairInterval; - Persistent = true; - }; + timerConfig = { + OnBootSec = cfg.fullRepairInterval; + OnUnitActiveSec = cfg.fullRepairInterval; + Persistent = true; + }; }; - systemd.services.cassandra-incremental-repair = - { description = "Perform an incremental repair on this cassandra node."; - after = [ "cassandra.service" ]; - requires = [ "cassandra.service" ]; - serviceConfig = - { User = cfg.user; - Group = cfg.group; - ExecStart = - lib.concatStringsSep " " - ([ "${cfg.package}/bin/nodetool" "repair" - ] ++ cfg.incrementalRepairOptions); - }; + systemd.services.cassandra-incremental-repair = { + description = "Perform an incremental repair on this cassandra node."; + after = [ "cassandra.service" ]; + requires = [ "cassandra.service" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = + concatStringsSep " " + ([ + "${cfg.package}/bin/nodetool" + "repair" + ] ++ cfg.incrementalRepairOptions); }; + }; + systemd.timers.cassandra-incremental-repair = mkIf (cfg.incrementalRepairInterval != null) { description = "Schedule incremental repairs on Cassandra"; wantedBy = [ "timers.target" ]; - timerConfig = - { OnBootSec = cfg.incrementalRepairInterval; - OnUnitActiveSec = cfg.incrementalRepairInterval; - Persistent = true; - }; + timerConfig = { + OnBootSec = cfg.incrementalRepairInterval; + OnUnitActiveSec = cfg.incrementalRepairInterval; + Persistent = true; + }; }; }; + + meta.maintainers = with lib.maintainers; [ roberth ]; } diff --git a/nixos/modules/services/databases/clickhouse.nix b/nixos/modules/services/databases/clickhouse.nix index 27440fec4e10b..f2f4e9d25542d 100644 --- a/nixos/modules/services/databases/clickhouse.nix +++ b/nixos/modules/services/databases/clickhouse.nix @@ -42,6 +42,7 @@ with lib; User = "clickhouse"; Group = "clickhouse"; ConfigurationDirectory = "clickhouse-server"; + AmbientCapabilities = "CAP_SYS_NICE"; StateDirectory = "clickhouse"; LogsDirectory = "clickhouse"; ExecStart = "${pkgs.clickhouse}/bin/clickhouse-server --config-file=${pkgs.clickhouse}/etc/clickhouse-server/config.xml"; diff --git a/nixos/modules/services/databases/couchdb.nix b/nixos/modules/services/databases/couchdb.nix index c99a7529213d7..6cc29cd717ecb 100644 --- a/nixos/modules/services/databases/couchdb.nix +++ b/nixos/modules/services/databases/couchdb.nix @@ -4,24 +4,17 @@ with lib; let cfg = config.services.couchdb; - useVersion2 = strings.versionAtLeast (strings.getVersion cfg.package) "2.0"; configFile = pkgs.writeText "couchdb.ini" ( '' [couchdb] database_dir = ${cfg.databaseDir} uri_file = ${cfg.uriFile} view_index_dir = ${cfg.viewIndexDir} - '' + (if cfg.adminPass != null then - '' + '' + (optionalString (cfg.adminPass != null) '' [admins] ${cfg.adminUser} = ${cfg.adminPass} - '' else - "") + (if useVersion2 then - '' + '' + '' [chttpd] - '' else - '' - [httpd] '') + '' port = ${toString cfg.port} @@ -30,8 +23,7 @@ let [log] file = ${cfg.logFile} ''); - executable = if useVersion2 then "${cfg.package}/bin/couchdb" - else ''${cfg.package}/bin/couchdb -a ${configFile} -a ${pkgs.writeText "couchdb-extra.ini" cfg.extraConfig} -a ${cfg.configFile}''; + executable = "${cfg.package}/bin/couchdb"; in { @@ -177,8 +169,7 @@ in { environment.systemPackages = [ cfg.package ]; - services.couchdb.configFile = mkDefault - (if useVersion2 then "/var/lib/couchdb/local.ini" else "/var/lib/couchdb/couchdb.ini"); + services.couchdb.configFile = mkDefault "/var/lib/couchdb/local.ini"; systemd.tmpfiles.rules = [ "d '${dirOf cfg.uriFile}' - ${cfg.user} ${cfg.group} - -" @@ -195,7 +186,7 @@ in { touch ${cfg.configFile} ''; - environment = mkIf useVersion2 { + environment = { # we are actually specifying 4 configuration files: # 1. the preinstalled default.ini # 2. the module configuration diff --git a/nixos/modules/services/databases/pgmanage.nix b/nixos/modules/services/databases/pgmanage.nix index 0f8634dab3193..8508e76b5cd6e 100644 --- a/nixos/modules/services/databases/pgmanage.nix +++ b/nixos/modules/services/databases/pgmanage.nix @@ -197,6 +197,7 @@ in { group = pgmanage; home = cfg.sqlRoot; createHome = true; + isSystemUser = true; }; groups.${pgmanage} = { name = pgmanage; diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 900185fbbdf79..effc9182472e2 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -159,11 +159,11 @@ in For more information on how to specify the target and on which privileges exist, see the <link xlink:href="https://www.postgresql.org/docs/current/sql-grant.html">GRANT syntax</link>. - The attributes are used as <code>GRANT ''${attrName} ON ''${attrValue}</code>. + The attributes are used as <code>GRANT ''${attrValue} ON ''${attrName}</code>. ''; example = literalExample '' { - "DATABASE nextcloud" = "ALL PRIVILEGES"; + "DATABASE \"nextcloud\"" = "ALL PRIVILEGES"; "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; } ''; @@ -295,8 +295,7 @@ in # systems! mkDefault (if versionAtLeast config.system.stateVersion "20.03" then pkgs.postgresql_11 else if versionAtLeast config.system.stateVersion "17.09" then pkgs.postgresql_9_6 - else if versionAtLeast config.system.stateVersion "16.03" then pkgs.postgresql_9_5 - else throw "postgresql_9_4 was removed, please upgrade your postgresql version."); + else throw "postgresql_9_5 was removed, please upgrade your postgresql version."); services.postgresql.dataDir = mkDefault "/var/lib/postgresql/${cfg.package.psqlSchema}"; diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 3ddc7aad81e9a..c4d51958e239b 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -5,6 +5,8 @@ with lib; let cfg = config.services.redis; + ulimitNofile = cfg.maxclients + 32; + mkValueString = value: if value == true then "yes" else if value == false then "no" @@ -14,8 +16,8 @@ let listsAsDuplicateKeys = true; mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } " "; } cfg.settings); -in -{ + +in { imports = [ (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.") (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") @@ -121,6 +123,12 @@ in description = "Set the number of databases."; }; + maxclients = mkOption { + type = types.int; + default = 10000; + description = "Set the max number of connected clients at the same time."; + }; + save = mkOption { type = with types; listOf (listOf int); default = [ [900 1] [300 10] [60 10000] ]; @@ -253,6 +261,7 @@ in logfile = cfg.logfile; syslog-enabled = cfg.syslog; databases = cfg.databases; + maxclients = cfg.maxclients; save = map (d: "${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}") cfg.save; dbfilename = "dump.rdb"; dir = "/var/lib/redis"; @@ -295,6 +304,34 @@ in StateDirectoryMode = "0700"; # Access write directories UMask = "0077"; + # Capabilities + CapabilityBoundingSet = ""; + # Security + NoNewPrivileges = true; + # Process Properties + LimitNOFILE = "${toString ulimitNofile}"; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectClock = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; + SystemCallFilter = "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @privileged @resources @setuid"; }; }; }; diff --git a/nixos/modules/services/desktops/bamf.nix b/nixos/modules/services/desktops/bamf.nix index 4b35146d08449..37121c219a377 100644 --- a/nixos/modules/services/desktops/bamf.nix +++ b/nixos/modules/services/desktops/bamf.nix @@ -6,7 +6,7 @@ with lib; { meta = { - maintainers = with maintainers; [ worldofpeace ]; + maintainers = with maintainers; [ ]; }; ###### interface diff --git a/nixos/modules/services/desktops/flatpak.nix b/nixos/modules/services/desktops/flatpak.nix index d0f6b66328a4c..7da92cc9f2649 100644 --- a/nixos/modules/services/desktops/flatpak.nix +++ b/nixos/modules/services/desktops/flatpak.nix @@ -15,18 +15,6 @@ in { options = { services.flatpak = { enable = mkEnableOption "flatpak"; - - guiPackages = mkOption { - internal = true; - type = types.listOf types.package; - default = []; - example = literalExample "[ pkgs.gnome3.gnome-software ]"; - description = '' - Packages that provide an interface for flatpak - (like gnome-software) that will be automatically available - to all users when flatpak is enabled. - ''; - }; }; }; @@ -40,7 +28,7 @@ in { } ]; - environment.systemPackages = [ pkgs.flatpak ] ++ cfg.guiPackages; + environment.systemPackages = [ pkgs.flatpak ]; services.dbus.packages = [ pkgs.flatpak ]; diff --git a/nixos/modules/services/desktops/geoclue2.nix b/nixos/modules/services/desktops/geoclue2.nix index 0dc0643afbc9c..e9ec787e5adae 100644 --- a/nixos/modules/services/desktops/geoclue2.nix +++ b/nixos/modules/services/desktops/geoclue2.nix @@ -266,5 +266,5 @@ in } // mapAttrs' appConfigToINICompatible cfg.appConfig); }; - meta.maintainers = with lib.maintainers; [ worldofpeace ]; + meta.maintainers = with lib.maintainers; [ ]; } diff --git a/nixos/modules/services/desktops/gnome3/at-spi2-core.nix b/nixos/modules/services/desktops/gnome/at-spi2-core.nix index 492242e3296da..1268a9d49b82d 100644 --- a/nixos/modules/services/desktops/gnome3/at-spi2-core.nix +++ b/nixos/modules/services/desktops/gnome/at-spi2-core.nix @@ -12,9 +12,17 @@ with lib; ###### interface + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "at-spi2-core" "enable" ] + [ "services" "gnome" "at-spi2-core" "enable" ] + ) + ]; + options = { - services.gnome3.at-spi2-core = { + services.gnome.at-spi2-core = { enable = mkOption { type = types.bool; @@ -36,13 +44,13 @@ with lib; ###### implementation config = mkMerge [ - (mkIf config.services.gnome3.at-spi2-core.enable { + (mkIf config.services.gnome.at-spi2-core.enable { environment.systemPackages = [ pkgs.at-spi2-core ]; services.dbus.packages = [ pkgs.at-spi2-core ]; systemd.packages = [ pkgs.at-spi2-core ]; }) - (mkIf (!config.services.gnome3.at-spi2-core.enable) { + (mkIf (!config.services.gnome.at-spi2-core.enable) { environment.variables.NO_AT_BRIDGE = "1"; }) ]; diff --git a/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix b/nixos/modules/services/desktops/gnome/chrome-gnome-shell.nix index 3c7f217b18df0..15c5bfbd82109 100644 --- a/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix +++ b/nixos/modules/services/desktops/gnome/chrome-gnome-shell.nix @@ -8,9 +8,17 @@ with lib; maintainers = teams.gnome.members; }; + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "chrome-gnome-shell" "enable" ] + [ "services" "gnome" "chrome-gnome-shell" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.chrome-gnome-shell.enable = mkEnableOption '' + services.gnome.chrome-gnome-shell.enable = mkEnableOption '' Chrome GNOME Shell native host connector, a DBus service allowing to install GNOME Shell extensions from a web browser. ''; @@ -18,7 +26,7 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.chrome-gnome-shell.enable { + config = mkIf config.services.gnome.chrome-gnome-shell.enable { environment.etc = { "chromium/native-messaging-hosts/org.gnome.chrome_gnome_shell.json".source = "${pkgs.chrome-gnome-shell}/etc/chromium/native-messaging-hosts/org.gnome.chrome_gnome_shell.json"; "opt/chrome/native-messaging-hosts/org.gnome.chrome_gnome_shell.json".source = "${pkgs.chrome-gnome-shell}/etc/opt/chrome/native-messaging-hosts/org.gnome.chrome_gnome_shell.json"; diff --git a/nixos/modules/services/desktops/gnome3/evolution-data-server.nix b/nixos/modules/services/desktops/gnome/evolution-data-server.nix index 749f12b86bc8a..ef5ad797c2781 100644 --- a/nixos/modules/services/desktops/gnome3/evolution-data-server.nix +++ b/nixos/modules/services/desktops/gnome/evolution-data-server.nix @@ -10,11 +10,23 @@ with lib; maintainers = teams.gnome.members; }; + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "evolution-data-server" "enable" ] + [ "services" "gnome" "evolution-data-server" "enable" ] + ) + (mkRenamedOptionModule + [ "services" "gnome3" "evolution-data-server" "plugins" ] + [ "services" "gnome" "evolution-data-server" "plugins" ] + ) + ]; + ###### interface options = { - services.gnome3.evolution-data-server = { + services.gnome.evolution-data-server = { enable = mkEnableOption "Evolution Data Server, a collection of services for storing addressbooks and calendars."; plugins = mkOption { type = types.listOf types.package; @@ -38,10 +50,10 @@ with lib; config = let - bundle = pkgs.evolutionWithPlugins.override { inherit (config.services.gnome3.evolution-data-server) plugins; }; + bundle = pkgs.evolutionWithPlugins.override { inherit (config.services.gnome.evolution-data-server) plugins; }; in mkMerge [ - (mkIf config.services.gnome3.evolution-data-server.enable { + (mkIf config.services.gnome.evolution-data-server.enable { environment.systemPackages = [ bundle ]; services.dbus.packages = [ bundle ]; @@ -49,11 +61,11 @@ with lib; systemd.packages = [ bundle ]; }) (mkIf config.programs.evolution.enable { - services.gnome3.evolution-data-server = { + services.gnome.evolution-data-server = { enable = true; plugins = [ pkgs.evolution ] ++ config.programs.evolution.plugins; }; - services.gnome3.gnome-keyring.enable = true; + services.gnome.gnome-keyring.enable = true; }) ]; } diff --git a/nixos/modules/services/desktops/gnome3/glib-networking.nix b/nixos/modules/services/desktops/gnome/glib-networking.nix index 7e667b6b1f047..4288b6b5de616 100644 --- a/nixos/modules/services/desktops/gnome3/glib-networking.nix +++ b/nixos/modules/services/desktops/gnome/glib-networking.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "glib-networking" "enable" ] + [ "services" "gnome" "glib-networking" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.glib-networking = { + services.gnome.glib-networking = { enable = mkEnableOption "network extensions for GLib"; @@ -24,7 +32,7 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.glib-networking.enable { + config = mkIf config.services.gnome.glib-networking.enable { services.dbus.packages = [ pkgs.glib-networking ]; diff --git a/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix b/nixos/modules/services/desktops/gnome/gnome-initial-setup.nix index c391ad9694c9c..9e9771cf54159 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix +++ b/nixos/modules/services/desktops/gnome/gnome-initial-setup.nix @@ -48,11 +48,19 @@ in maintainers = teams.gnome.members; }; + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "gnome-initial-setup" "enable" ] + [ "services" "gnome" "gnome-initial-setup" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.gnome-initial-setup = { + services.gnome.gnome-initial-setup = { enable = mkEnableOption "GNOME Initial Setup, a Simple, easy, and safe way to prepare a new system"; @@ -63,16 +71,16 @@ in ###### implementation - config = mkIf config.services.gnome3.gnome-initial-setup.enable { + config = mkIf config.services.gnome.gnome-initial-setup.enable { environment.systemPackages = [ - pkgs.gnome3.gnome-initial-setup + pkgs.gnome.gnome-initial-setup ] ++ optional (versionOlder config.system.stateVersion "20.03") createGisStampFilesAutostart ; systemd.packages = [ - pkgs.gnome3.gnome-initial-setup + pkgs.gnome.gnome-initial-setup ]; systemd.user.targets."gnome-session".wants = [ diff --git a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix b/nixos/modules/services/desktops/gnome/gnome-keyring.nix index 2916a3c82b343..cda44bab8bfaa 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix +++ b/nixos/modules/services/desktops/gnome/gnome-keyring.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "gnome-keyring" "enable" ] + [ "services" "gnome" "gnome-keyring" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.gnome-keyring = { + services.gnome.gnome-keyring = { enable = mkOption { type = types.bool; @@ -33,18 +41,18 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.gnome-keyring.enable { + config = mkIf config.services.gnome.gnome-keyring.enable { - environment.systemPackages = [ pkgs.gnome3.gnome-keyring ]; + environment.systemPackages = [ pkgs.gnome.gnome-keyring ]; - services.dbus.packages = [ pkgs.gnome3.gnome-keyring pkgs.gcr ]; + services.dbus.packages = [ pkgs.gnome.gnome-keyring pkgs.gcr ]; - xdg.portal.extraPortals = [ pkgs.gnome3.gnome-keyring ]; + xdg.portal.extraPortals = [ pkgs.gnome.gnome-keyring ]; security.pam.services.login.enableGnomeKeyring = true; security.wrappers.gnome-keyring-daemon = { - source = "${pkgs.gnome3.gnome-keyring}/bin/gnome-keyring-daemon"; + source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon"; capabilities = "cap_ipc_lock=ep"; }; diff --git a/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix b/nixos/modules/services/desktops/gnome/gnome-online-accounts.nix index 3f9ced5e86b18..01f7e3695cf04 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix +++ b/nixos/modules/services/desktops/gnome/gnome-online-accounts.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "gnome-online-accounts" "enable" ] + [ "services" "gnome" "gnome-online-accounts" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.gnome-online-accounts = { + services.gnome.gnome-online-accounts = { enable = mkOption { type = types.bool; @@ -32,7 +40,7 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.gnome-online-accounts.enable { + config = mkIf config.services.gnome.gnome-online-accounts.enable { environment.systemPackages = [ pkgs.gnome-online-accounts ]; diff --git a/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix b/nixos/modules/services/desktops/gnome/gnome-online-miners.nix index 39d669e8b30f6..5f9039f68c4ee 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix +++ b/nixos/modules/services/desktops/gnome/gnome-online-miners.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "gnome-online-miners" "enable" ] + [ "services" "gnome" "gnome-online-miners" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.gnome-online-miners = { + services.gnome.gnome-online-miners = { enable = mkOption { type = types.bool; @@ -32,11 +40,11 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.gnome-online-miners.enable { + config = mkIf config.services.gnome.gnome-online-miners.enable { - environment.systemPackages = [ pkgs.gnome3.gnome-online-miners ]; + environment.systemPackages = [ pkgs.gnome.gnome-online-miners ]; - services.dbus.packages = [ pkgs.gnome3.gnome-online-miners ]; + services.dbus.packages = [ pkgs.gnome.gnome-online-miners ]; }; diff --git a/nixos/modules/services/desktops/gnome/gnome-remote-desktop.nix b/nixos/modules/services/desktops/gnome/gnome-remote-desktop.nix new file mode 100644 index 0000000000000..b5573d2fc21bc --- /dev/null +++ b/nixos/modules/services/desktops/gnome/gnome-remote-desktop.nix @@ -0,0 +1,32 @@ +# Remote desktop daemon using Pipewire. +{ config, lib, pkgs, ... }: + +with lib; + +{ + meta = { + maintainers = teams.gnome.members; + }; + + # Added 2021-05-07 + imports = [ + (mkRenamedOptionModule + [ "services" "gnome3" "gnome-remote-desktop" "enable" ] + [ "services" "gnome" "gnome-remote-desktop" "enable" ] + ) + ]; + + ###### interface + options = { + services.gnome.gnome-remote-desktop = { + enable = mkEnableOption "Remote Desktop support using Pipewire"; + }; + }; + + ###### implementation + config = mkIf config.services.gnome.gnome-remote-desktop.enable { + services.pipewire.enable = true; + + systemd.packages = [ pkgs.gnome.gnome-remote-desktop ]; + }; +} diff --git a/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix b/nixos/modules/services/desktops/gnome/gnome-settings-daemon.nix index 1c33ed064a19a..05b5c86ddcb39 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix +++ b/nixos/modules/services/desktops/gnome/gnome-settings-daemon.nix @@ -6,7 +6,7 @@ with lib; let - cfg = config.services.gnome3.gnome-settings-daemon; + cfg = config.services.gnome.gnome-settings-daemon; in @@ -20,13 +20,19 @@ in (mkRemovedOptionModule ["services" "gnome3" "gnome-settings-daemon" "package"] "") + + # Added 2021-05-07 + (mkRenamedOptionModule + [ "services" "gnome3" "gnome-settings-daemon" "enable" ] + [ "services" "gnome" "gnome-settings-daemon" "enable" ] + ) ]; ###### interface options = { - services.gnome3.gnome-settings-daemon = { + services.gnome.gnome-settings-daemon = { enable = mkEnableOption "GNOME Settings Daemon"; @@ -40,15 +46,15 @@ in config = mkIf cfg.enable { environment.systemPackages = [ - pkgs.gnome3.gnome-settings-daemon + pkgs.gnome.gnome-settings-daemon ]; services.udev.packages = [ - pkgs.gnome3.gnome-settings-daemon + pkgs.gnome.gnome-settings-daemon ]; systemd.packages = [ - pkgs.gnome3.gnome-settings-daemon + pkgs.gnome.gnome-settings-daemon ]; systemd.user.targets."gnome-session-initialized".wants = [ diff --git a/nixos/modules/services/desktops/gnome3/gnome-user-share.nix b/nixos/modules/services/desktops/gnome/gnome-user-share.nix index f2fe8b41a9e2d..38256af309cc5 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-user-share.nix +++ b/nixos/modules/services/desktops/gnome/gnome-user-share.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + imports = [ + # Added 2021-05-07 + (mkRenamedOptionModule + [ "services" "gnome3" "gnome-user-share" "enable" ] + [ "services" "gnome" "gnome-user-share" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.gnome-user-share = { + services.gnome.gnome-user-share = { enable = mkEnableOption "GNOME User Share, a user-level file sharing service for GNOME"; @@ -25,14 +33,14 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.gnome-user-share.enable { + config = mkIf config.services.gnome.gnome-user-share.enable { environment.systemPackages = [ - pkgs.gnome3.gnome-user-share + pkgs.gnome.gnome-user-share ]; systemd.packages = [ - pkgs.gnome3.gnome-user-share + pkgs.gnome.gnome-user-share ]; }; diff --git a/nixos/modules/services/desktops/gnome3/rygel.nix b/nixos/modules/services/desktops/gnome/rygel.nix index 917a1d6541e06..7ea9778fc408d 100644 --- a/nixos/modules/services/desktops/gnome3/rygel.nix +++ b/nixos/modules/services/desktops/gnome/rygel.nix @@ -8,9 +8,17 @@ with lib; maintainers = teams.gnome.members; }; + imports = [ + # Added 2021-05-07 + (mkRenamedOptionModule + [ "services" "gnome3" "rygel" "enable" ] + [ "services" "gnome" "rygel" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.rygel = { + services.gnome.rygel = { enable = mkOption { default = false; description = '' @@ -24,13 +32,13 @@ with lib; }; ###### implementation - config = mkIf config.services.gnome3.rygel.enable { - environment.systemPackages = [ pkgs.gnome3.rygel ]; + config = mkIf config.services.gnome.rygel.enable { + environment.systemPackages = [ pkgs.gnome.rygel ]; - services.dbus.packages = [ pkgs.gnome3.rygel ]; + services.dbus.packages = [ pkgs.gnome.rygel ]; - systemd.packages = [ pkgs.gnome3.rygel ]; + systemd.packages = [ pkgs.gnome.rygel ]; - environment.etc."rygel.conf".source = "${pkgs.gnome3.rygel}/etc/rygel.conf"; + environment.etc."rygel.conf".source = "${pkgs.gnome.rygel}/etc/rygel.conf"; }; } diff --git a/nixos/modules/services/desktops/gnome3/sushi.nix b/nixos/modules/services/desktops/gnome/sushi.nix index 83b17365d5dd7..3133a3a0d9854 100644 --- a/nixos/modules/services/desktops/gnome3/sushi.nix +++ b/nixos/modules/services/desktops/gnome/sushi.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + imports = [ + # Added 2021-05-07 + (mkRenamedOptionModule + [ "services" "gnome3" "sushi" "enable" ] + [ "services" "gnome" "sushi" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.sushi = { + services.gnome.sushi = { enable = mkOption { type = types.bool; @@ -31,11 +39,11 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.sushi.enable { + config = mkIf config.services.gnome.sushi.enable { - environment.systemPackages = [ pkgs.gnome3.sushi ]; + environment.systemPackages = [ pkgs.gnome.sushi ]; - services.dbus.packages = [ pkgs.gnome3.sushi ]; + services.dbus.packages = [ pkgs.gnome.sushi ]; }; diff --git a/nixos/modules/services/desktops/gnome3/tracker-miners.nix b/nixos/modules/services/desktops/gnome/tracker-miners.nix index f2af402492719..c9101f0caa63d 100644 --- a/nixos/modules/services/desktops/gnome3/tracker-miners.nix +++ b/nixos/modules/services/desktops/gnome/tracker-miners.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + imports = [ + # Added 2021-05-07 + (mkRenamedOptionModule + [ "services" "gnome3" "tracker-miners" "enable" ] + [ "services" "gnome" "tracker-miners" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.tracker-miners = { + services.gnome.tracker-miners = { enable = mkOption { type = types.bool; @@ -31,7 +39,7 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.tracker-miners.enable { + config = mkIf config.services.gnome.tracker-miners.enable { environment.systemPackages = [ pkgs.tracker-miners ]; diff --git a/nixos/modules/services/desktops/gnome3/tracker.nix b/nixos/modules/services/desktops/gnome/tracker.nix index cd196e385539b..29d9662b0b8fe 100644 --- a/nixos/modules/services/desktops/gnome3/tracker.nix +++ b/nixos/modules/services/desktops/gnome/tracker.nix @@ -10,11 +10,19 @@ with lib; maintainers = teams.gnome.members; }; + imports = [ + # Added 2021-05-07 + (mkRenamedOptionModule + [ "services" "gnome3" "tracker" "enable" ] + [ "services" "gnome" "tracker" "enable" ] + ) + ]; + ###### interface options = { - services.gnome3.tracker = { + services.gnome.tracker = { enable = mkOption { type = types.bool; @@ -32,7 +40,7 @@ with lib; ###### implementation - config = mkIf config.services.gnome3.tracker.enable { + config = mkIf config.services.gnome.tracker.enable { environment.systemPackages = [ pkgs.tracker ]; diff --git a/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix b/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix deleted file mode 100644 index 164a0a44f8c81..0000000000000 --- a/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix +++ /dev/null @@ -1,24 +0,0 @@ -# Remote desktop daemon using Pipewire. -{ config, lib, pkgs, ... }: - -with lib; - -{ - meta = { - maintainers = teams.gnome.members; - }; - - ###### interface - options = { - services.gnome3.gnome-remote-desktop = { - enable = mkEnableOption "Remote Desktop support using Pipewire"; - }; - }; - - ###### implementation - config = mkIf config.services.gnome3.gnome-remote-desktop.enable { - services.pipewire.enable = true; - - systemd.packages = [ pkgs.gnome3.gnome-remote-desktop ]; - }; -} diff --git a/nixos/modules/services/desktops/gvfs.nix b/nixos/modules/services/desktops/gvfs.nix index 250ea6d4575fc..966a4d38662bd 100644 --- a/nixos/modules/services/desktops/gvfs.nix +++ b/nixos/modules/services/desktops/gvfs.nix @@ -34,7 +34,7 @@ in # gvfs can be built with multiple configurations package = mkOption { type = types.package; - default = pkgs.gnome3.gvfs; + default = pkgs.gnome.gvfs; description = "Which GVfs package to use."; }; diff --git a/nixos/modules/services/desktops/pipewire/README.md b/nixos/modules/services/desktops/pipewire/README.md deleted file mode 100644 index 87288a81cfe1a..0000000000000 --- a/nixos/modules/services/desktops/pipewire/README.md +++ /dev/null @@ -1,6 +0,0 @@ -# Updating - -1. Update the version & hash in pkgs/development/libraries/pipewire/default.nix -2. run `nix build -f /path/to/nixpkgs/checkout pipewire pipewire.mediaSession` -3. copy all JSON files from result/etc/pipewire and result-mediaSession/etc/pipewire/media-session.d to this directory -4. add new files to the module config and passthru tests diff --git a/nixos/modules/services/desktops/pipewire/bluez-monitor.conf.json b/nixos/modules/services/desktops/pipewire/bluez-monitor.conf.json index bd00571bc35b2..6d1c23e825699 100644 --- a/nixos/modules/services/desktops/pipewire/bluez-monitor.conf.json +++ b/nixos/modules/services/desktops/pipewire/bluez-monitor.conf.json @@ -9,7 +9,7 @@ ], "actions": { "update-props": { - "bluez5.reconnect-profiles": [ + "bluez5.auto-connect": [ "hfp_hf", "hsp_hs", "a2dp_sink" diff --git a/nixos/modules/services/desktops/pipewire/media-session.conf.json b/nixos/modules/services/desktops/pipewire/media-session.conf.json index 62e59935dbe5e..24906e767d6d5 100644 --- a/nixos/modules/services/desktops/pipewire/media-session.conf.json +++ b/nixos/modules/services/desktops/pipewire/media-session.conf.json @@ -59,6 +59,7 @@ "with-pulseaudio": [ "with-audio", "bluez5", + "logind", "restore-stream", "streams-follow-default" ] diff --git a/nixos/modules/services/desktops/pipewire/pipewire-pulse.conf.json b/nixos/modules/services/desktops/pipewire/pipewire-pulse.conf.json index 3e776fe75a2cd..17bbbdef11793 100644 --- a/nixos/modules/services/desktops/pipewire/pipewire-pulse.conf.json +++ b/nixos/modules/services/desktops/pipewire/pipewire-pulse.conf.json @@ -30,7 +30,10 @@ "args": { "server.address": [ "unix:native" - ] + ], + "vm.overrides": { + "pulse.min.quantum": "1024/48000" + } } } ], diff --git a/nixos/modules/services/desktops/pipewire/pipewire.conf.json b/nixos/modules/services/desktops/pipewire/pipewire.conf.json index bae87dd663773..a9330f54f4f72 100644 --- a/nixos/modules/services/desktops/pipewire/pipewire.conf.json +++ b/nixos/modules/services/desktops/pipewire/pipewire.conf.json @@ -2,7 +2,10 @@ "context.properties": { "link.max-buffers": 16, "core.daemon": true, - "core.name": "pipewire-0" + "core.name": "pipewire-0", + "vm.overrides": { + "default.clock.min-quantum": 1024 + } }, "context.spa-libs": { "audio.convert.*": "audioconvert/libspa-audioconvert", diff --git a/nixos/modules/services/desktops/telepathy.nix b/nixos/modules/services/desktops/telepathy.nix index 8c50d860e5bb2..b5f6a5fcbcfdd 100644 --- a/nixos/modules/services/desktops/telepathy.nix +++ b/nixos/modules/services/desktops/telepathy.nix @@ -39,7 +39,7 @@ with lib; services.dbus.packages = [ pkgs.telepathy-mission-control ]; # Enable runtime optional telepathy in gnome-shell - services.xserver.desktopManager.gnome3.sessionPath = with pkgs; [ + services.xserver.desktopManager.gnome.sessionPath = with pkgs; [ telepathy-glib telepathy-logger ]; diff --git a/nixos/modules/services/desktops/tumbler.nix b/nixos/modules/services/desktops/tumbler.nix index a09079517f042..8d9248cb98398 100644 --- a/nixos/modules/services/desktops/tumbler.nix +++ b/nixos/modules/services/desktops/tumbler.nix @@ -19,7 +19,7 @@ in ]; meta = { - maintainers = with maintainers; [ worldofpeace ]; + maintainers = with maintainers; [ ]; }; ###### interface diff --git a/nixos/modules/services/desktops/zeitgeist.nix b/nixos/modules/services/desktops/zeitgeist.nix index cf7dd5fe3a13c..fb0218da3045e 100644 --- a/nixos/modules/services/desktops/zeitgeist.nix +++ b/nixos/modules/services/desktops/zeitgeist.nix @@ -7,7 +7,7 @@ with lib; { meta = { - maintainers = with maintainers; [ worldofpeace ]; + maintainers = with maintainers; [ ]; }; ###### interface diff --git a/nixos/modules/services/development/jupyter/default.nix b/nixos/modules/services/development/jupyter/default.nix index 6a5fd6b2940e8..21b84b3bcdaa8 100644 --- a/nixos/modules/services/development/jupyter/default.nix +++ b/nixos/modules/services/development/jupyter/default.nix @@ -131,7 +131,7 @@ in { env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ ipykernel pandas - scikitlearn + scikit-learn ])); in { displayName = "Python 3 for machine learning"; diff --git a/nixos/modules/services/development/jupyterhub/default.nix b/nixos/modules/services/development/jupyterhub/default.nix index f1dcab68b0002..a1df4468cfff6 100644 --- a/nixos/modules/services/development/jupyterhub/default.nix +++ b/nixos/modules/services/development/jupyterhub/default.nix @@ -117,7 +117,7 @@ in { env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ ipykernel pandas - scikitlearn + scikit-learn ])); in { displayName = "Python 3 for machine learning"; diff --git a/nixos/modules/services/games/factorio.nix b/nixos/modules/services/games/factorio.nix index a1aa5739d06b2..3cb1427579273 100644 --- a/nixos/modules/services/games/factorio.nix +++ b/nixos/modules/services/games/factorio.nix @@ -35,10 +35,10 @@ let auto_pause = true; only_admins_can_pause_the_game = true; autosave_only_on_server = true; - admins = []; non_blocking_saving = cfg.nonBlockingSaving; } // cfg.extraSettings; serverSettingsFile = pkgs.writeText "server-settings.json" (builtins.toJSON (filterAttrsRecursive (n: v: v != null) serverSettings)); + serverAdminsFile = pkgs.writeText "server-adminlist.json" (builtins.toJSON cfg.admins); modDir = pkgs.factorio-utils.mkModDirDrv cfg.mods; in { @@ -52,6 +52,16 @@ in The port to which the service should bind. ''; }; + + admins = mkOption { + type = types.listOf types.str; + default = []; + example = [ "username" ]; + description = '' + List of player names which will be admin. + ''; + }; + openFirewall = mkOption { type = types.bool; default = false; @@ -234,6 +244,7 @@ in "--start-server=${mkSavePath cfg.saveName}" "--server-settings=${serverSettingsFile}" (optionalString (cfg.mods != []) "--mod-directory=${modDir}") + (optionalString (cfg.admins != []) "--server-adminlist=${serverAdminsFile}") ]; # Sandboxing diff --git a/nixos/modules/services/games/quake3-server.nix b/nixos/modules/services/games/quake3-server.nix new file mode 100644 index 0000000000000..1dc01260e8fad --- /dev/null +++ b/nixos/modules/services/games/quake3-server.nix @@ -0,0 +1,111 @@ +{ config, pkgs, lib, ... }: +with lib; + +let + cfg = config.services.quake3-server; + configFile = pkgs.writeText "q3ds-extra.cfg" '' + set net_port ${builtins.toString cfg.port} + + ${cfg.extraConfig} + ''; + defaultBaseq3 = pkgs.requireFile rec { + name = "baseq3"; + hashMode = "recursive"; + sha256 = "5dd8ee09eabd45e80450f31d7a8b69b846f59738726929298d8a813ce5725ed3"; + message = '' + Unfortunately, we cannot download ${name} automatically. + Please purchase a legitimate copy of Quake 3 and change into the installation directory. + + You can either add all relevant files to the nix-store like this: + mkdir /tmp/baseq3 + cp baseq3/pak*.pk3 /tmp/baseq3 + nix-store --add-fixed sha256 --recursive /tmp/baseq3 + + Alternatively you can set services.quake3-server.baseq3 to a path and copy the baseq3 directory into + $services.quake3-server.baseq3/.q3a/ + ''; + }; + home = pkgs.runCommand "quake3-home" {} '' + mkdir -p $out/.q3a/baseq3 + + for file in ${cfg.baseq3}/*; do + ln -s $file $out/.q3a/baseq3/$(basename $file) + done + + ln -s ${configFile} $out/.q3a/baseq3/nix.cfg + ''; +in { + options = { + services.quake3-server = { + enable = mkEnableOption "Quake 3 dedicated server"; + + port = mkOption { + type = types.port; + default = 27960; + description = '' + UDP Port the server should listen on. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open the firewall. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + seta rconPassword "superSecret" // sets RCON password for remote console + seta sv_hostname "My Quake 3 server" // name that appears in server list + ''; + description = '' + Extra configuration options. Note that options changed via RCON will not be persisted. To list all possible + options, use "cvarlist 1" via RCON. + ''; + }; + + baseq3 = mkOption { + type = types.either types.package types.path; + default = defaultBaseq3; + example = "/var/lib/q3ds"; + description = '' + Path to the baseq3 files (pak*.pk3). If this is on the nix store (type = package) all .pk3 files should be saved + in the top-level directory. If this is on another filesystem (e.g /var/lib/baseq3) the .pk3 files are searched in + $baseq3/.q3a/baseq3/ + ''; + }; + }; + }; + + config = let + baseq3InStore = builtins.typeOf cfg.baseq3 == "set"; + in mkIf cfg.enable { + networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [ cfg.port ]; + + systemd.services.q3ds = { + description = "Quake 3 dedicated server"; + wantedBy = [ "multi-user.target" ]; + after = [ "networking.target" ]; + + environment.HOME = if baseq3InStore then home else cfg.baseq3; + + serviceConfig = with lib; { + Restart = "always"; + DynamicUser = true; + WorkingDirectory = home; + + # It is possible to alter configuration files via RCON. To ensure reproducibility we have to prevent this + ReadOnlyPaths = if baseq3InStore then home else cfg.baseq3; + ExecStartPre = optionalString (!baseq3InStore) "+${pkgs.coreutils}/bin/cp ${configFile} ${cfg.baseq3}/.q3a/baseq3/nix.cfg"; + + ExecStart = "${pkgs.ioquake3}/ioq3ded.x86_64 +exec nix.cfg"; + }; + }; + }; + + meta.maintainers = with maintainers; [ f4814n ]; +} diff --git a/nixos/modules/services/games/terraria.nix b/nixos/modules/services/games/terraria.nix index 34c8ff137d6a2..9e8e5ae8759aa 100644 --- a/nixos/modules/services/games/terraria.nix +++ b/nixos/modules/services/games/terraria.nix @@ -111,6 +111,13 @@ in default = false; description = "Disables automatic Universal Plug and Play."; }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = "Wheter to open ports in the firewall"; + }; + dataDir = mkOption { type = types.str; default = "/var/lib/terraria"; @@ -151,5 +158,11 @@ in ${pkgs.coreutils}/bin/chgrp terraria ${cfg.dataDir}/terraria.sock ''; }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + allowedUDPPorts = [ cfg.port ]; + }; + }; } diff --git a/nixos/modules/services/hardware/brltty.nix b/nixos/modules/services/hardware/brltty.nix index 1266e8f81e5b4..730560175327e 100644 --- a/nixos/modules/services/hardware/brltty.nix +++ b/nixos/modules/services/hardware/brltty.nix @@ -5,6 +5,19 @@ with lib; let cfg = config.services.brltty; + targets = [ + "default.target" "multi-user.target" + "rescue.target" "emergency.target" + ]; + + genApiKey = pkgs.writers.writeDash "generate-brlapi-key" '' + if ! test -f /etc/brlapi.key; then + echo -n generating brlapi key... + ${pkgs.brltty}/bin/brltty-genkey -f /etc/brlapi.key + echo done + fi + ''; + in { options = { @@ -18,33 +31,27 @@ in { }; config = mkIf cfg.enable { - - systemd.services.brltty = { - description = "Braille Device Support"; - unitConfig = { - Documentation = "http://mielke.cc/brltty/"; - DefaultDependencies = "no"; - RequiresMountsFor = "${pkgs.brltty}/var/lib/brltty"; - }; - serviceConfig = { - ExecStart = "${pkgs.brltty}/bin/brltty --no-daemon"; - Type = "notify"; - TimeoutStartSec = 5; - TimeoutStopSec = 10; - Restart = "always"; - RestartSec = 30; - Nice = -10; - OOMScoreAdjust = -900; - ProtectHome = "read-only"; - ProtectSystem = "full"; - SystemCallArchitectures = "native"; - }; - wants = [ "systemd-udev-settle.service" ]; - after = [ "local-fs.target" "systemd-udev-settle.service" ]; - before = [ "sysinit.target" ]; - wantedBy = [ "sysinit.target" ]; + users.users.brltty = { + description = "BRLTTY daemon user"; + group = "brltty"; + }; + users.groups = { + brltty = { }; + brlapi = { }; }; + systemd.services."brltty@".serviceConfig = + { ExecStartPre = "!${genApiKey}"; }; + + # Install all upstream-provided files + systemd.packages = [ pkgs.brltty ]; + systemd.tmpfiles.packages = [ pkgs.brltty ]; + services.udev.packages = [ pkgs.brltty ]; + environment.systemPackages = [ pkgs.brltty ]; + + # Add missing WantedBys (see issue #81138) + systemd.paths.brltty.wantedBy = targets; + systemd.paths."brltty@".wantedBy = targets; }; } diff --git a/nixos/modules/services/hardware/fancontrol.nix b/nixos/modules/services/hardware/fancontrol.nix index e1ce11a5aef62..5574c5a132e59 100644 --- a/nixos/modules/services/hardware/fancontrol.nix +++ b/nixos/modules/services/hardware/fancontrol.nix @@ -6,21 +6,21 @@ let cfg = config.hardware.fancontrol; configFile = pkgs.writeText "fancontrol.conf" cfg.config; -in{ +in +{ options.hardware.fancontrol = { enable = mkEnableOption "software fan control (requires fancontrol.config)"; config = mkOption { - default = null; - type = types.nullOr types.lines; - description = "Fancontrol configuration file content. See <citerefentry><refentrytitle>pwmconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry> from the lm_sensors package."; + type = types.lines; + description = "Required fancontrol configuration file content. See <citerefentry><refentrytitle>pwmconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry> from the lm_sensors package."; example = '' # Configuration file generated by pwmconfig INTERVAL=10 DEVPATH=hwmon3=devices/virtual/thermal/thermal_zone2 hwmon4=devices/platform/f71882fg.656 DEVNAME=hwmon3=soc_dts1 hwmon4=f71869a FCTEMPS=hwmon4/device/pwm1=hwmon3/temp1_input - FCFANS= hwmon4/device/pwm1=hwmon4/device/fan1_input + FCFANS=hwmon4/device/pwm1=hwmon4/device/fan1_input MINTEMP=hwmon4/device/pwm1=35 MAXTEMP=hwmon4/device/pwm1=65 MINSTART=hwmon4/device/pwm1=150 @@ -30,16 +30,18 @@ in{ }; config = mkIf cfg.enable { + systemd.services.fancontrol = { - unitConfig.Documentation = "man:fancontrol(8)"; + documentation = [ "man:fancontrol(8)" ]; description = "software fan control"; wantedBy = [ "multi-user.target" ]; after = [ "lm_sensors.service" ]; serviceConfig = { - Type = "simple"; ExecStart = "${pkgs.lm_sensors}/sbin/fancontrol ${configFile}"; }; }; }; + + meta.maintainers = [ maintainers.evils ]; } diff --git a/nixos/modules/services/hardware/pcscd.nix b/nixos/modules/services/hardware/pcscd.nix index f3fc4c3cc79e0..4fc1e351f5037 100644 --- a/nixos/modules/services/hardware/pcscd.nix +++ b/nixos/modules/services/hardware/pcscd.nix @@ -10,39 +10,37 @@ let paths = map (p: "${p}/pcsc/drivers") config.services.pcscd.plugins; }; -in { +in +{ ###### interface - options = { - - services.pcscd = { - enable = mkEnableOption "PCSC-Lite daemon"; - - plugins = mkOption { - type = types.listOf types.package; - default = [ pkgs.ccid ]; - defaultText = "[ pkgs.ccid ]"; - example = literalExample "[ pkgs.pcsc-cyberjack ]"; - description = "Plugin packages to be used for PCSC-Lite."; - }; - - readerConfig = mkOption { - type = types.lines; - default = ""; - example = '' - FRIENDLYNAME "Some serial reader" - DEVICENAME /dev/ttyS0 - LIBPATH /path/to/serial_reader.so - CHANNELID 1 - ''; - description = '' - Configuration for devices that aren't hotpluggable. - - See <citerefentry><refentrytitle>reader.conf</refentrytitle> - <manvolnum>5</manvolnum></citerefentry> for valid options. - ''; - }; + options.services.pcscd = { + enable = mkEnableOption "PCSC-Lite daemon"; + + plugins = mkOption { + type = types.listOf types.package; + default = [ pkgs.ccid ]; + defaultText = "[ pkgs.ccid ]"; + example = literalExample "[ pkgs.pcsc-cyberjack ]"; + description = "Plugin packages to be used for PCSC-Lite."; + }; + + readerConfig = mkOption { + type = types.lines; + default = ""; + example = '' + FRIENDLYNAME "Some serial reader" + DEVICENAME /dev/ttyS0 + LIBPATH /path/to/serial_reader.so + CHANNELID 1 + ''; + description = '' + Configuration for devices that aren't hotpluggable. + + See <citerefentry><refentrytitle>reader.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for valid options. + ''; }; }; @@ -50,20 +48,26 @@ in { config = mkIf config.services.pcscd.enable { - systemd.sockets.pcscd = { - description = "PCSC-Lite Socket"; - wantedBy = [ "sockets.target" ]; - before = [ "multi-user.target" ]; - socketConfig.ListenStream = "/run/pcscd/pcscd.comm"; - }; + environment.etc."reader.conf".source = cfgFile; + + environment.systemPackages = [ pkgs.pcsclite ]; + systemd.packages = [ (getBin pkgs.pcsclite) ]; + + systemd.sockets.pcscd.wantedBy = [ "sockets.target" ]; systemd.services.pcscd = { - description = "PCSC-Lite daemon"; environment.PCSCLITE_HP_DROPDIR = pluginEnv; - serviceConfig = { - ExecStart = "${getBin pkgs.pcsclite}/sbin/pcscd -f -x -c ${cfgFile}"; - ExecReload = "${getBin pkgs.pcsclite}/sbin/pcscd -H"; - }; + restartTriggers = [ "/etc/reader.conf" ]; + + # If the cfgFile is empty and not specified (in which case the default + # /etc/reader.conf is assumed), pcscd will happily start going through the + # entire confdir (/etc in our case) looking for a config file and try to + # parse everything it finds. Doesn't take a lot of imagination to see how + # well that works. It really shouldn't do that to begin with, but to work + # around it, we force the path to the cfgFile. + # + # https://github.com/NixOS/nixpkgs/issues/121088 + serviceConfig.ExecStart = [ "" "${getBin pkgs.pcsclite}/bin/pcscd -f -x -c ${cfgFile}" ]; }; }; } diff --git a/nixos/modules/services/hardware/sane.nix b/nixos/modules/services/hardware/sane.nix index e5a01a8a27d92..8c1bde7b41587 100644 --- a/nixos/modules/services/hardware/sane.nix +++ b/nixos/modules/services/hardware/sane.nix @@ -163,6 +163,7 @@ in users.users.scanner = { uid = config.ids.uids.scanner; group = "scanner"; + extraGroups = [ "lp" ] ++ optionals config.services.avahi.enable [ "avahi" ]; }; }) ]; diff --git a/nixos/modules/services/hardware/spacenavd.nix b/nixos/modules/services/hardware/spacenavd.nix index cecc4d6f029bf..74725dd23d25c 100644 --- a/nixos/modules/services/hardware/spacenavd.nix +++ b/nixos/modules/services/hardware/spacenavd.nix @@ -13,13 +13,12 @@ in { }; config = mkIf cfg.enable { - systemd.services.spacenavd = { + systemd.user.services.spacenavd = { description = "Daemon for the Spacenavigator 6DOF mice by 3Dconnexion"; after = [ "syslog.target" ]; wantedBy = [ "graphical.target" ]; serviceConfig = { ExecStart = "${pkgs.spacenavd}/bin/spacenavd -d -l syslog"; - StandardError = "syslog"; }; }; }; diff --git a/nixos/modules/services/logging/promtail.nix b/nixos/modules/services/logging/promtail.nix index 19b12daa41528..34211687dc1db 100644 --- a/nixos/modules/services/logging/promtail.nix +++ b/nixos/modules/services/logging/promtail.nix @@ -40,6 +40,7 @@ in { serviceConfig = { Restart = "on-failure"; + TimeoutStopSec = 10; ExecStart = "${pkgs.grafana-loki}/bin/promtail -config.file=${prettyJSON cfg.configuration} ${escapeShellArgs cfg.extraFlags}"; diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index a2298152b023f..1ccfb357750b3 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -405,7 +405,7 @@ in }; } // optionalAttrs (cfg.createMailUser && cfg.mailUser != null) { ${cfg.mailUser} = - { description = "Virtual Mail User"; } // optionalAttrs (cfg.mailGroup != null) + { description = "Virtual Mail User"; isSystemUser = true; } // optionalAttrs (cfg.mailGroup != null) { group = cfg.mailGroup; }; }; diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index 892fbd33214a2..8927d84b478c6 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -67,6 +67,13 @@ in ''; }; + queueRunnerInterval = mkOption { + type = types.str; + default = "5m"; + description = '' + How often to spawn a new queue runner. + ''; + }; }; }; @@ -104,7 +111,7 @@ in wantedBy = [ "multi-user.target" ]; restartTriggers = [ config.environment.etc."exim.conf".source ]; serviceConfig = { - ExecStart = "${cfg.package}/bin/exim -bdf -q30m"; + ExecStart = "${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}"; ExecReload = "${coreutils}/bin/kill -HUP $MAINPID"; }; preStart = '' diff --git a/nixos/modules/services/mail/mailman.nix b/nixos/modules/services/mail/mailman.nix index 832b496f31c96..f75d6183c3e31 100644 --- a/nixos/modules/services/mail/mailman.nix +++ b/nixos/modules/services/mail/mailman.nix @@ -165,7 +165,7 @@ in { baseUrl = mkOption { type = types.str; - default = "http://localhost/hyperkitty/"; + default = "http://localhost:18507/archives/"; description = '' Where can Mailman connect to Hyperkitty's internal API, preferably on localhost? @@ -263,7 +263,8 @@ in { # settings_local.json is loaded. os.environ["SECRET_KEY"] = "" - from mailman_web.settings import * + from mailman_web.settings.base import * + from mailman_web.settings.mailman import * import json @@ -390,6 +391,7 @@ in { plugins = ["python3"]; home = pythonEnv; module = "mailman_web.wsgi"; + http = "127.0.0.1:18507"; }; uwsgiConfigFile = pkgs.writeText "uwsgi-mailman.json" (builtins.toJSON uwsgiConfig); in { @@ -452,7 +454,7 @@ in { }; meta = { - maintainers = with lib.maintainers; [ lheckemann ]; + maintainers = with lib.maintainers; [ lheckemann qyliss ]; doc = ./mailman.xml; }; diff --git a/nixos/modules/services/mail/mailman.xml b/nixos/modules/services/mail/mailman.xml index 8da491ccbe9f6..27247fb064f20 100644 --- a/nixos/modules/services/mail/mailman.xml +++ b/nixos/modules/services/mail/mailman.xml @@ -31,11 +31,11 @@ <link linkend="opt-services.mailman.enable">enable</link> = true; <link linkend="opt-services.mailman.serve.enable">serve.enable</link> = true; <link linkend="opt-services.mailman.hyperkitty.enable">hyperkitty.enable</link> = true; - <link linkend="opt-services.mailman.hyperkitty.enable">webHosts</link> = ["lists.example.org"]; - <link linkend="opt-services.mailman.hyperkitty.enable">siteOwner</link> = "mailman@example.org"; + <link linkend="opt-services.mailman.webHosts">webHosts</link> = ["lists.example.org"]; + <link linkend="opt-services.mailman.siteOwner">siteOwner</link> = "mailman@example.org"; }; <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">services.nginx.virtualHosts."lists.example.org".enableACME</link> = true; - <link linkend="opt-services.mailman.hyperkitty.enable">networking.firewall.allowedTCPPorts</link> = [ 25 80 443 ]; + <link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 25 80 443 ]; }</programlisting> </para> <para> diff --git a/nixos/modules/services/mail/nullmailer.nix b/nixos/modules/services/mail/nullmailer.nix index fe3f8ef9b3913..09874ca0ed756 100644 --- a/nixos/modules/services/mail/nullmailer.nix +++ b/nixos/modules/services/mail/nullmailer.nix @@ -204,6 +204,7 @@ with lib; users.${cfg.user} = { description = "Nullmailer relay-only mta user"; group = cfg.group; + isSystemUser = true; }; groups.${cfg.group} = { }; diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix index 9bf6f338d93ed..beff57613afc5 100644 --- a/nixos/modules/services/mail/opendkim.nix +++ b/nixos/modules/services/mail/opendkim.nix @@ -134,7 +134,7 @@ in { ReadWritePaths = [ cfg.keyPath ]; AmbientCapabilities = []; - CapabilityBoundingSet = []; + CapabilityBoundingSet = ""; DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 63c0961b7568b..35639e1bbc837 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -11,6 +11,7 @@ let haveAliases = cfg.postmasterAlias != "" || cfg.rootAlias != "" || cfg.extraAliases != ""; + haveCanonical = cfg.canonical != ""; haveTransport = cfg.transport != ""; haveVirtual = cfg.virtual != ""; haveLocalRecipients = cfg.localRecipients != null; @@ -244,6 +245,7 @@ let ; aliasesFile = pkgs.writeText "postfix-aliases" aliases; + canonicalFile = pkgs.writeText "postfix-canonical" cfg.canonical; virtualFile = pkgs.writeText "postfix-virtual" cfg.virtual; localRecipientMapFile = pkgs.writeText "postfix-local-recipient-map" (concatMapStrings (x: x + " ACCEPT\n") cfg.localRecipients); checkClientAccessFile = pkgs.writeText "postfix-check-client-access" cfg.dnsBlacklistOverrides; @@ -529,6 +531,15 @@ in "; }; + canonical = mkOption { + type = types.lines; + default = ""; + description = '' + Entries for the <citerefentry><refentrytitle>canonical</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> table. + ''; + }; + virtual = mkOption { type = types.lines; default = ""; @@ -762,7 +773,7 @@ in }; services.postfix.config = (mapAttrs (_: v: mkDefault v) { - compatibility_level = "9999"; + compatibility_level = pkgs.postfix.version; mail_owner = cfg.user; default_privs = "nobody"; @@ -941,6 +952,9 @@ in (mkIf haveAliases { services.postfix.aliasFiles.aliases = aliasesFile; }) + (mkIf haveCanonical { + services.postfix.mapFiles.canonical = canonicalFile; + }) (mkIf haveTransport { services.postfix.mapFiles.transport = transportFile; }) diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix index 2f9d28195bd83..473ddd52357dd 100644 --- a/nixos/modules/services/mail/rspamd.nix +++ b/nixos/modules/services/mail/rspamd.nix @@ -410,7 +410,7 @@ in StateDirectoryMode = "0700"; AmbientCapabilities = []; - CapabilityBoundingSet = []; + CapabilityBoundingSet = ""; DevicePolicy = "closed"; LockPersonality = true; NoNewPrivileges = true; diff --git a/nixos/modules/services/mail/spamassassin.nix b/nixos/modules/services/mail/spamassassin.nix index 4e642542ec666..ac878222b26a2 100644 --- a/nixos/modules/services/mail/spamassassin.nix +++ b/nixos/modules/services/mail/spamassassin.nix @@ -126,19 +126,36 @@ in }; systemd.services.sa-update = { + # Needs to be able to contact the update server. + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + serviceConfig = { + Type = "oneshot"; + User = "spamd"; + Group = "spamd"; + StateDirectory = "spamassassin"; + ExecStartPost = "+${pkgs.systemd}/bin/systemctl -q --no-block try-reload-or-restart spamd.service"; + }; + script = '' set +e - ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/" spamd - - v=$? + ${pkgs.spamassassin}/bin/sa-update --verbose --gpghomedir=/var/lib/spamassassin/sa-update-keys/ + rc=$? set -e - if [ $v -gt 1 ]; then - echo "sa-update execution error" - exit $v + + if [[ $rc -gt 1 ]]; then + # sa-update failed. + exit $rc fi - if [ $v -eq 0 ]; then - systemctl reload spamd.service + + if [[ $rc -eq 1 ]]; then + # No update was available, exit successfully. + exit 0 fi + + # An update was available and installed. Compile the rules. + ${pkgs.spamassassin}/bin/sa-compile ''; }; @@ -153,32 +170,22 @@ in }; systemd.services.spamd = { - description = "Spam Assassin Server"; + description = "SpamAssassin Server"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; + wants = [ "sa-update.service" ]; + after = [ + "network.target" + "sa-update.service" + ]; serviceConfig = { - ExecStart = "${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --virtual-config-dir=/var/lib/spamassassin/user-%u --allow-tell --pidfile=/run/spamd.pid"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + User = "spamd"; + Group = "spamd"; + ExecStart = "+${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --virtual-config-dir=%S/spamassassin/user-%u --allow-tell --pidfile=/run/spamd.pid"; + ExecReload = "+${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + StateDirectory = "spamassassin"; }; - - # 0 and 1 no error, exitcode > 1 means error: - # https://spamassassin.apache.org/full/3.1.x/doc/sa-update.html#exit_codes - preStart = '' - echo "Recreating '/var/lib/spamasassin' with creating '3.004001' (or similar) and 'sa-update-keys'" - mkdir -p /var/lib/spamassassin - chown spamd:spamd /var/lib/spamassassin -R - set +e - ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/" spamd - v=$? - set -e - if [ $v -gt 1 ]; then - echo "sa-update execution error" - exit $v - fi - chown spamd:spamd /var/lib/spamassassin -R - ''; }; }; } diff --git a/nixos/modules/services/misc/airsonic.nix b/nixos/modules/services/misc/airsonic.nix index 5cc2ff7f4bd12..a572f1f6d6f5a 100644 --- a/nixos/modules/services/misc/airsonic.nix +++ b/nixos/modules/services/misc/airsonic.nix @@ -118,7 +118,7 @@ in { ''; serviceConfig = { ExecStart = '' - ${pkgs.jre}/bin/java -Xmx${toString cfg.maxMemory}m \ + ${pkgs.jre8}/bin/java -Xmx${toString cfg.maxMemory}m \ -Dairsonic.home=${cfg.home} \ -Dserver.address=${cfg.listenAddress} \ -Dserver.port=${toString cfg.port} \ diff --git a/nixos/modules/services/misc/autorandr.nix b/nixos/modules/services/misc/autorandr.nix index dfb418af6edeb..95cee5046e819 100644 --- a/nixos/modules/services/misc/autorandr.nix +++ b/nixos/modules/services/misc/autorandr.nix @@ -48,5 +48,5 @@ in { }; - meta.maintainers = with maintainers; [ gnidorah ]; + meta.maintainers = with maintainers; [ ]; } diff --git a/nixos/modules/services/misc/bazarr.nix b/nixos/modules/services/misc/bazarr.nix index d3fd5b08cc84d..99343a146a7ad 100644 --- a/nixos/modules/services/misc/bazarr.nix +++ b/nixos/modules/services/misc/bazarr.nix @@ -64,6 +64,7 @@ in users.users = mkIf (cfg.user == "bazarr") { bazarr = { + isSystemUser = true; group = cfg.group; home = "/var/lib/${config.systemd.services.bazarr.serviceConfig.StateDirectory}"; }; diff --git a/nixos/modules/services/misc/dendrite.nix b/nixos/modules/services/misc/dendrite.nix new file mode 100644 index 0000000000000..c967fc3a362a7 --- /dev/null +++ b/nixos/modules/services/misc/dendrite.nix @@ -0,0 +1,181 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.services.dendrite; + settingsFormat = pkgs.formats.yaml { }; + configurationYaml = settingsFormat.generate "dendrite.yaml" cfg.settings; + workingDir = "/var/lib/dendrite"; +in +{ + options.services.dendrite = { + enable = lib.mkEnableOption "matrix.org dendrite"; + httpPort = lib.mkOption { + type = lib.types.nullOr lib.types.port; + default = 8008; + description = '' + The port to listen for HTTP requests on. + ''; + }; + httpsPort = lib.mkOption { + type = lib.types.nullOr lib.types.port; + default = null; + description = '' + The port to listen for HTTPS requests on. + ''; + }; + tlsCert = lib.mkOption { + type = lib.types.nullOr lib.types.path; + example = "/var/lib/dendrite/server.cert"; + default = null; + description = '' + The path to the TLS certificate. + + <programlisting> + nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key" + </programlisting> + ''; + }; + tlsKey = lib.mkOption { + type = lib.types.nullOr lib.types.path; + example = "/var/lib/dendrite/server.key"; + default = null; + description = '' + The path to the TLS key. + + <programlisting> + nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key" + </programlisting> + ''; + }; + environmentFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + example = "/var/lib/dendrite/registration_secret"; + default = null; + description = '' + Environment file as defined in <citerefentry> + <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>. + Secrets may be passed to the service without adding them to the world-readable + Nix store, by specifying placeholder variables as the option value in Nix and + setting these variables accordingly in the environment file. Currently only used + for the registration secret to allow secure registration when + client_api.registration_disabled is true. + + <programlisting> + # snippet of dendrite-related config + services.dendrite.settings.client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; + </programlisting> + + <programlisting> + # content of the environment file + REGISTRATION_SHARED_SECRET=verysecretpassword + </programlisting> + + Note that this file needs to be available on the host on which + <literal>dendrite</literal> is running. + ''; + }; + settings = lib.mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type; + options.global = { + server_name = lib.mkOption { + type = lib.types.str; + example = "example.com"; + description = '' + The domain name of the server, with optional explicit port. + This is used by remote servers to connect to this server. + This is also the last part of your UserID. + ''; + }; + private_key = lib.mkOption { + type = lib.types.path; + example = "${workingDir}/matrix_key.pem"; + description = '' + The path to the signing private key file, used to sign + requests and events. + + <programlisting> + nix-shell -p dendrite --command "generate-keys --private-key matrix_key.pem" + </programlisting> + ''; + }; + trusted_third_party_id_servers = lib.mkOption { + type = lib.types.listOf lib.types.str; + example = [ "matrix.org" ]; + default = [ "matrix.org" "vector.im" ]; + description = '' + Lists of domains that the server will trust as identity + servers to verify third party identifiers such as phone + numbers and email addresses + ''; + }; + }; + options.client_api = { + registration_disabled = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Whether to disable user registration to the server + without the shared secret. + ''; + }; + }; + }; + default = { }; + description = '' + Configuration for dendrite, see: + <link xlink:href="https://github.com/matrix-org/dendrite/blob/master/dendrite-config.yaml"/> + for available options with which to populate settings. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = [{ + assertion = cfg.httpsPort != null -> (cfg.tlsCert != null && cfg.tlsKey != null); + message = '' + If Dendrite is configured to use https, tlsCert and tlsKey must be provided. + + nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key" + ''; + }]; + + systemd.services.dendrite = { + description = "Dendrite Matrix homeserver"; + after = [ + "network.target" + ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "simple"; + DynamicUser = true; + StateDirectory = "dendrite"; + WorkingDirectory = workingDir; + RuntimeDirectory = "dendrite"; + RuntimeDirectoryMode = "0700"; + EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; + ExecStartPre = + if (cfg.environmentFile != null) then '' + ${pkgs.envsubst}/bin/envsubst \ + -i ${configurationYaml} \ + -o /run/dendrite/dendrite.yaml + '' else '' + ${pkgs.coreutils}/bin/cp ${configurationYaml} /run/dendrite/dendrite.yaml + ''; + ExecStart = lib.strings.concatStringsSep " " ([ + "${pkgs.dendrite}/bin/dendrite-monolith-server" + "--config /run/dendrite/dendrite.yaml" + ] ++ lib.optionals (cfg.httpPort != null) [ + "--http-bind-address :${builtins.toString cfg.httpPort}" + ] ++ lib.optionals (cfg.httpsPort != null) [ + "--https-bind-address :${builtins.toString cfg.httpsPort}" + "--tls-cert ${cfg.tlsCert}" + "--tls-key ${cfg.tlsKey}" + ]); + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "on-failure"; + }; + }; + }; + meta.maintainers = lib.teams.matrix.members; +} diff --git a/nixos/modules/services/misc/disnix.nix b/nixos/modules/services/misc/disnix.nix index 41483d80a2ddb..24a259bb4d2bd 100644 --- a/nixos/modules/services/misc/disnix.nix +++ b/nixos/modules/services/misc/disnix.nix @@ -37,7 +37,7 @@ in enableProfilePath = mkEnableOption "exposing the Disnix profiles in the system's PATH"; profiles = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = [ "default" ]; example = [ "default" ]; description = "Names of the Disnix profiles to expose in the system's PATH"; @@ -53,6 +53,7 @@ in environment.systemPackages = [ pkgs.disnix ] ++ optional cfg.useWebServiceInterface pkgs.DisnixWebService; environment.variables.PATH = lib.optionals cfg.enableProfilePath (map (profileName: "/nix/var/nix/profiles/disnix/${profileName}/bin" ) cfg.profiles); + environment.variables.DISNIX_REMOTE_CLIENT = lib.optionalString (cfg.enableMultiUser) "disnix-client"; services.dbus.enable = true; services.dbus.packages = [ pkgs.disnix ]; diff --git a/nixos/modules/services/misc/duckling.nix b/nixos/modules/services/misc/duckling.nix new file mode 100644 index 0000000000000..77d2a92380b09 --- /dev/null +++ b/nixos/modules/services/misc/duckling.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.duckling; +in { + options = { + services.duckling = { + enable = mkEnableOption "duckling"; + + port = mkOption { + type = types.port; + default = 8080; + description = '' + Port on which duckling will run. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.duckling = { + description = "Duckling server service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + environment = { + PORT = builtins.toString cfg.port; + }; + + serviceConfig = { + ExecStart = "${pkgs.haskellPackages.duckling}/bin/duckling-example-exe --no-access-log --no-error-log"; + Restart = "always"; + DynamicUser = true; + }; + }; + }; +} diff --git a/nixos/modules/services/misc/etebase-server.nix b/nixos/modules/services/misc/etebase-server.nix index 31e0952b5b985..b6bd6e9fd37bc 100644 --- a/nixos/modules/services/misc/etebase-server.nix +++ b/nixos/modules/services/misc/etebase-server.nix @@ -192,8 +192,8 @@ in # Auto-migrate on first run or if the package has changed versionFile="${cfg.dataDir}/src-version" if [[ $(cat "$versionFile" 2>/dev/null) != ${pkgs.etebase-server} ]]; then - ${pythonEnv}/bin/etebase-server migrate - ${pythonEnv}/bin/etebase-server collectstatic + ${pythonEnv}/bin/etebase-server migrate --no-input + ${pythonEnv}/bin/etebase-server collectstatic --no-input --clear echo ${pkgs.etebase-server} > "$versionFile" fi ''; @@ -211,6 +211,7 @@ in users = optionalAttrs (cfg.user == defaultUser) { users.${defaultUser} = { + isSystemUser = true; group = defaultUser; home = cfg.dataDir; }; diff --git a/nixos/modules/services/misc/fstrim.nix b/nixos/modules/services/misc/fstrim.nix index 5258f5acb410c..a9fc04b46f0ab 100644 --- a/nixos/modules/services/misc/fstrim.nix +++ b/nixos/modules/services/misc/fstrim.nix @@ -42,5 +42,5 @@ in { }; - meta.maintainers = with maintainers; [ gnidorah ]; + meta.maintainers = with maintainers; [ ]; } diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index 434e2d2429b5b..95369ff7ee481 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -477,47 +477,49 @@ in in '' # copy custom configuration and generate a random secret key if needed ${optionalString (cfg.useWizard == false) '' - cp -f ${configFile} ${runConfig} - - if [ ! -e ${secretKey} ]; then - ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey} - fi - - # Migrate LFS_JWT_SECRET filename - if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then - mv ${oldLfsJwtSecret} ${lfsJwtSecret} - fi - - if [ ! -e ${oauth2JwtSecret} ]; then - ${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret} - fi - - if [ ! -e ${lfsJwtSecret} ]; then - ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret} - fi - - if [ ! -e ${internalToken} ]; then - ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken} - fi - - SECRETKEY="$(head -n1 ${secretKey})" - DBPASS="$(head -n1 ${cfg.database.passwordFile})" - OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})" - LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})" - INTERNALTOKEN="$(head -n1 ${internalToken})" - ${if (cfg.mailerPasswordFile == null) then '' - MAILERPASSWORD="#mailerpass#" - '' else '' - MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)" - ''} - sed -e "s,#secretkey#,$SECRETKEY,g" \ - -e "s,#dbpass#,$DBPASS,g" \ - -e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \ - -e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \ - -e "s,#internaltoken#,$INTERNALTOKEN,g" \ - -e "s,#mailerpass#,$MAILERPASSWORD,g" \ - -i ${runConfig} - chmod 640 ${runConfig} ${secretKey} ${oauth2JwtSecret} ${lfsJwtSecret} ${internalToken} + function gitea_setup { + cp -f ${configFile} ${runConfig} + + if [ ! -e ${secretKey} ]; then + ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey} + fi + + # Migrate LFS_JWT_SECRET filename + if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then + mv ${oldLfsJwtSecret} ${lfsJwtSecret} + fi + + if [ ! -e ${oauth2JwtSecret} ]; then + ${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret} + fi + + if [ ! -e ${lfsJwtSecret} ]; then + ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret} + fi + + if [ ! -e ${internalToken} ]; then + ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken} + fi + + SECRETKEY="$(head -n1 ${secretKey})" + DBPASS="$(head -n1 ${cfg.database.passwordFile})" + OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})" + LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})" + INTERNALTOKEN="$(head -n1 ${internalToken})" + ${if (cfg.mailerPasswordFile == null) then '' + MAILERPASSWORD="#mailerpass#" + '' else '' + MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)" + ''} + sed -e "s,#secretkey#,$SECRETKEY,g" \ + -e "s,#dbpass#,$DBPASS,g" \ + -e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \ + -e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \ + -e "s,#internaltoken#,$INTERNALTOKEN,g" \ + -e "s,#mailerpass#,$MAILERPASSWORD,g" \ + -i ${runConfig} + } + (umask 027; gitea_setup) ''} # update all hooks' binary paths diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index f86653f3ead2b..253d87537cfe0 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -155,6 +155,7 @@ let GITLAB_REDIS_CONFIG_FILE = pkgs.writeText "redis.yml" (builtins.toJSON redisConfig); prometheus_multiproc_dir = "/run/gitlab"; RAILS_ENV = "production"; + MALLOC_ARENA_MAX = "2"; }; gitlab-rake = pkgs.stdenv.mkDerivation { @@ -588,7 +589,7 @@ in { the DB. If you change or lose this key you will be unable to access variables stored in database. - Make sure the secret is at least 30 characters and all random, + Make sure the secret is at least 32 characters and all random, no regular words or you'll be exposed to dictionary attacks. This should be a string, not a nix path, since nix paths are @@ -604,7 +605,7 @@ in { the DB. If you change or lose this key you will be unable to access variables stored in database. - Make sure the secret is at least 30 characters and all random, + Make sure the secret is at least 32 characters and all random, no regular words or you'll be exposed to dictionary attacks. This should be a string, not a nix path, since nix paths are @@ -620,7 +621,7 @@ in { tokens. If you change or lose this key, users which have 2FA enabled for login won't be able to login anymore. - Make sure the secret is at least 30 characters and all random, + Make sure the secret is at least 32 characters and all random, no regular words or you'll be exposed to dictionary attacks. This should be a string, not a nix path, since nix paths are @@ -652,6 +653,105 @@ in { description = "Extra configuration to merge into shell-config.yml"; }; + puma.workers = mkOption { + type = types.int; + default = 2; + apply = x: builtins.toString x; + description = '' + The number of worker processes Puma should spawn. This + controls the amount of parallel Ruby code can be + executed. GitLab recommends <quote>Number of CPU cores - + 1</quote>, but at least two. + + <note> + <para> + Each worker consumes quite a bit of memory, so + be careful when increasing this. + </para> + </note> + ''; + }; + + puma.threadsMin = mkOption { + type = types.int; + default = 0; + apply = x: builtins.toString x; + description = '' + The minimum number of threads Puma should use per + worker. + + <note> + <para> + Each thread consumes memory and contributes to Global VM + Lock contention, so be careful when increasing this. + </para> + </note> + ''; + }; + + puma.threadsMax = mkOption { + type = types.int; + default = 4; + apply = x: builtins.toString x; + description = '' + The maximum number of threads Puma should use per + worker. This limits how many threads Puma will automatically + spawn in response to requests. In contrast to workers, + threads will never be able to run Ruby code in parallel, but + give higher IO parallelism. + + <note> + <para> + Each thread consumes memory and contributes to Global VM + Lock contention, so be careful when increasing this. + </para> + </note> + ''; + }; + + sidekiq.memoryKiller.enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether the Sidekiq MemoryKiller should be turned + on. MemoryKiller kills Sidekiq when its memory consumption + exceeds a certain limit. + + See <link xlink:href="https://docs.gitlab.com/ee/administration/operations/sidekiq_memory_killer.html"/> + for details. + ''; + }; + + sidekiq.memoryKiller.maxMemory = mkOption { + type = types.int; + default = 2000; + apply = x: builtins.toString (x * 1024); + description = '' + The maximum amount of memory, in MiB, a Sidekiq worker is + allowed to consume before being killed. + ''; + }; + + sidekiq.memoryKiller.graceTime = mkOption { + type = types.int; + default = 900; + apply = x: builtins.toString x; + description = '' + The time MemoryKiller waits after noticing excessive memory + consumption before killing Sidekiq. + ''; + }; + + sidekiq.memoryKiller.shutdownWait = mkOption { + type = types.int; + default = 30; + apply = x: builtins.toString x; + description = '' + The time allowed for all jobs to finish before Sidekiq is + killed forcefully. + ''; + }; + extraConfig = mkOption { type = types.attrs; default = {}; @@ -852,7 +952,7 @@ in { path = with pkgs; [ jq openssl - replace + replace-secret git ]; serviceConfig = { @@ -894,8 +994,7 @@ in { ${optionalString cfg.smtp.enable '' install -m u=rw ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb ${optionalString (cfg.smtp.passwordFile != null) '' - smtp_password=$(<'${cfg.smtp.passwordFile}') - replace-literal -e '@smtpPassword@' "$smtp_password" '${cfg.statePath}/config/initializers/smtp_settings.rb' + replace-secret '@smtpPassword@' '${cfg.smtp.passwordFile}' '${cfg.statePath}/config/initializers/smtp_settings.rb' ''} ''} @@ -993,7 +1092,11 @@ in { ] ++ optional (cfg.databaseHost == "") "postgresql.service"; wantedBy = [ "gitlab.target" ]; partOf = [ "gitlab.target" ]; - environment = gitlabEnv; + environment = gitlabEnv // (optionalAttrs cfg.sidekiq.memoryKiller.enable { + SIDEKIQ_MEMORY_KILLER_MAX_RSS = cfg.sidekiq.memoryKiller.maxMemory; + SIDEKIQ_MEMORY_KILLER_GRACE_TIME = cfg.sidekiq.memoryKiller.graceTime; + SIDEKIQ_MEMORY_KILLER_SHUTDOWN_WAIT = cfg.sidekiq.memoryKiller.shutdownWait; + }); path = with pkgs; [ postgresqlPackage git @@ -1005,13 +1108,15 @@ in { # Needed for GitLab project imports gnutar gzip + + procps # Sidekiq MemoryKiller ]; serviceConfig = { Type = "simple"; User = cfg.user; Group = cfg.group; TimeoutSec = "infinity"; - Restart = "on-failure"; + Restart = "always"; WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab"; ExecStart="${cfg.packages.gitlab.rubyEnv}/bin/sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production"; }; @@ -1145,7 +1250,13 @@ in { TimeoutSec = "infinity"; Restart = "on-failure"; WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab"; - ExecStart = "${cfg.packages.gitlab.rubyEnv}/bin/puma -C ${cfg.statePath}/config/puma.rb -e production"; + ExecStart = concatStringsSep " " [ + "${cfg.packages.gitlab.rubyEnv}/bin/puma" + "-e production" + "-C ${cfg.statePath}/config/puma.rb" + "-w ${cfg.puma.workers}" + "-t ${cfg.puma.threadsMin}:${cfg.puma.threadsMax}" + ]; }; }; diff --git a/nixos/modules/services/misc/gitweb.nix b/nixos/modules/services/misc/gitweb.nix index ca21366b7796e..13396bf2eb028 100644 --- a/nixos/modules/services/misc/gitweb.nix +++ b/nixos/modules/services/misc/gitweb.nix @@ -54,6 +54,6 @@ in }; - meta.maintainers = with maintainers; [ gnidorah ]; + meta.maintainers = with maintainers; [ ]; } diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix index 2787c975b352e..1e33381de24c5 100644 --- a/nixos/modules/services/misc/home-assistant.nix +++ b/nixos/modules/services/misc/home-assistant.nix @@ -50,15 +50,10 @@ let # List of components used in config extraComponents = filter useComponent availableComponents; - testedPackage = if (cfg.autoExtraComponents && cfg.config != null) + package = if (cfg.autoExtraComponents && cfg.config != null) then (cfg.package.override { inherit extraComponents; }) else cfg.package; - # overridePythonAttrs has to be applied after override - package = testedPackage.overridePythonAttrs (oldAttrs: { - doCheck = false; - }); - # If you are changing this, please update the description in applyDefaultConfig defaultConfig = { homeassistant.time_zone = config.time.timeZone; @@ -188,9 +183,13 @@ in { }; package = mkOption { - default = pkgs.home-assistant; + default = pkgs.home-assistant.overrideAttrs (oldAttrs: { + doInstallCheck = false; + }); defaultText = literalExample '' - pkgs.home-assistant + pkgs.home-assistant.overrideAttrs (oldAttrs: { + doInstallCheck = false; + }) ''; type = types.package; example = literalExample '' @@ -199,12 +198,11 @@ in { } ''; description = '' - Home Assistant package to use. Tests are automatically disabled, as they take a considerable amout of time to complete. + Home Assistant package to use. By default the tests are disabled, as they take a considerable amout of time to complete. Override <literal>extraPackages</literal> or <literal>extraComponents</literal> in order to add additional dependencies. If you specify <option>config</option> and do not set <option>autoExtraComponents</option> to <literal>false</literal>, overriding <literal>extraComponents</literal> will have no effect. - Avoid <literal>home-assistant.overridePythonAttrs</literal> if you use - <literal>autoExtraComponents</literal>. + Avoid <literal>home-assistant.overridePythonAttrs</literal> if you use <literal>autoExtraComponents</literal>. ''; }; @@ -247,22 +245,86 @@ in { rm -f "${cfg.configDir}/ui-lovelace.yaml" ln -s ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml" ''); - serviceConfig = { - ExecStart = "${package}/bin/hass --config '${cfg.configDir}'"; + serviceConfig = let + # List of capabilities to equip home-assistant with, depending on configured components + capabilities = [ + # Empty string first, so we will never accidentally have an empty capability bounding set + # https://github.com/NixOS/nixpkgs/issues/120617#issuecomment-830685115 + "" + ] ++ (unique (optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [ + # Required for interaction with hci devices and bluetooth sockets + # https://www.home-assistant.io/integrations/bluetooth_le_tracker/#rootless-setup-on-core-installs + "CAP_NET_ADMIN" + "CAP_NET_RAW" + ] ++ lib.optionals (useComponent "emulated_hue") [ + # Alexa looks for the service on port 80 + # https://www.home-assistant.io/integrations/emulated_hue + "CAP_NET_BIND_SERVICE" + ] ++ lib.optionals (useComponent "nmap_tracker") [ + # https://www.home-assistant.io/integrations/nmap_tracker#linux-capabilities + "CAP_NET_ADMIN" + "CAP_NET_BIND_SERVICE" + "CAP_NET_RAW" + ])); + in { + ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; User = "hass"; Group = "hass"; Restart = "on-failure"; + RestartForceExitStatus = "100"; + SuccessExitStatus = "100"; + KillSignal = "SIGINT"; + + # Hardening + AmbientCapabilities = capabilities; + CapabilityBoundingSet = capabilities; + DeviceAllow = [ + "char-ttyACM rw" + "char-ttyAMA rw" + "char-ttyUSB rw" + ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateTmp = true; + PrivateUsers = false; # prevents gaining capabilities in the host namespace + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "all"; ProtectSystem = "strict"; + RemoveIPC = true; ReadWritePaths = let + # Allow rw access to explicitly configured paths cfgPath = [ "config" "homeassistant" "allowlist_external_dirs" ]; value = attrByPath cfgPath [] cfg; allowPaths = if isList value then value else singleton value; in [ "${cfg.configDir}" ] ++ allowPaths; - KillSignal = "SIGINT"; - PrivateTmp = true; - RemoveIPC = true; - AmbientCapabilities = "cap_net_raw,cap_net_admin+eip"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + "AF_UNIX" + ] ++ optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [ + "AF_BLUETOOTH" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SupplementaryGroups = [ "dialout" ]; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; }; path = [ "/run/wrappers" # needed for ping @@ -280,7 +342,6 @@ in { home = cfg.configDir; createHome = true; group = "hass"; - extraGroups = [ "dialout" ]; uid = config.ids.uids.hass; }; diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix index 6a47dc3628f4a..6d64acc029101 100644 --- a/nixos/modules/services/misc/jellyfin.nix +++ b/nixos/modules/services/misc/jellyfin.nix @@ -18,6 +18,7 @@ in package = mkOption { type = types.package; + default = pkgs.jellyfin; example = literalExample "pkgs.jellyfin"; description = '' Jellyfin package to use. @@ -29,6 +30,16 @@ in default = "jellyfin"; description = "Group under which jellyfin runs."; }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open the default ports in the firewall for the media server. The + HTTP/HTTPS ports can be changed in the Web UI, so this option should + only be used if they are unchanged. + ''; + }; }; }; @@ -81,18 +92,11 @@ in SystemCallErrorNumber = "EPERM"; SystemCallFilter = [ "@system-service" - - "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@module" - "~@obsolete" "~@privileged" "~@setuid" + "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" ]; }; }; - services.jellyfin.package = mkDefault ( - if versionAtLeast config.system.stateVersion "20.09" then pkgs.jellyfin - else pkgs.jellyfin_10_5 - ); - users.users = mkIf (cfg.user == "jellyfin") { jellyfin = { group = cfg.group; @@ -104,6 +108,12 @@ in jellyfin = {}; }; + networking.firewall = mkIf cfg.openFirewall { + # from https://jellyfin.org/docs/general/networking/index.html + allowedTCPPorts = [ 8096 8920 ]; + allowedUDPPorts = [ 1900 7359 ]; + }; + }; meta.maintainers = with lib.maintainers; [ minijackson ]; diff --git a/nixos/modules/services/misc/mame.nix b/nixos/modules/services/misc/mame.nix index 34a471ea4fe05..4b9a04be7c297 100644 --- a/nixos/modules/services/misc/mame.nix +++ b/nixos/modules/services/misc/mame.nix @@ -63,5 +63,5 @@ in }; }; - meta.maintainers = with lib.maintainers; [ gnidorah ]; + meta.maintainers = with lib.maintainers; [ ]; } diff --git a/nixos/modules/services/misc/matrix-appservice-irc.nix b/nixos/modules/services/misc/matrix-appservice-irc.nix index 63dc313ad10bc..a0a5973d30f26 100644 --- a/nixos/modules/services/misc/matrix-appservice-irc.nix +++ b/nixos/modules/services/misc/matrix-appservice-irc.nix @@ -214,7 +214,8 @@ in { PrivateMounts = true; SystemCallFilter = "~@aio @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @setuid @swap"; SystemCallArchitectures = "native"; - RestrictAddressFamilies = "AF_INET AF_INET6"; + # AF_UNIX is required to connect to a postgres socket. + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; }; }; diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix index 8e3fa60206c2d..dff587453042d 100644 --- a/nixos/modules/services/misc/matrix-synapse.nix +++ b/nixos/modules/services/misc/matrix-synapse.nix @@ -86,7 +86,9 @@ account_threepid_delegates: ${optionalString (cfg.account_threepid_delegates.email != null) "email: ${cfg.account_threepid_delegates.email}"} ${optionalString (cfg.account_threepid_delegates.msisdn != null) "msisdn: ${cfg.account_threepid_delegates.msisdn}"} -room_invite_state_types: ${builtins.toJSON cfg.room_invite_state_types} +room_prejoin_state: + disable_default_event_types: ${boolToString cfg.room_prejoin_state.disable_default_event_types} + additional_event_types: ${builtins.toJSON cfg.room_prejoin_state.additional_event_types} ${optionalString (cfg.macaroon_secret_key != null) '' macaroon_secret_key: "${cfg.macaroon_secret_key}" ''} @@ -577,11 +579,28 @@ in { Delegate SMS sending to this local process (https://localhost:8090) ''; }; - room_invite_state_types = mkOption { + room_prejoin_state.additional_event_types = mkOption { + default = []; type = types.listOf types.str; - default = ["m.room.join_rules" "m.room.canonical_alias" "m.room.avatar" "m.room.name"]; description = '' - A list of event types that will be included in the room_invite_state + Additional events to share with users who received an invite. + ''; + }; + room_prejoin_state.disable_default_event_types = mkOption { + default = false; + type = types.bool; + description = '' + Whether to disable the default state-event types for users invited to a room. + These are: + + <itemizedlist> + <listitem><para>m.room.join_rules</para></listitem> + <listitem><para>m.room.canonical_alias</para></listitem> + <listitem><para>m.room.avatar</para></listitem> + <listitem><para>m.room.encryption</para></listitem> + <listitem><para>m.room.name</para></listitem> + <listitem><para>m.room.create</para></listitem> + </itemizedlist> ''; }; macaroon_secret_key = mkOption { @@ -680,12 +699,12 @@ in { ]; users.users.matrix-synapse = { - group = "matrix-synapse"; - home = cfg.dataDir; - createHome = true; - shell = "${pkgs.bash}/bin/bash"; - uid = config.ids.uids.matrix-synapse; - }; + group = "matrix-synapse"; + home = cfg.dataDir; + createHome = true; + shell = "${pkgs.bash}/bin/bash"; + uid = config.ids.uids.matrix-synapse; + }; users.groups.matrix-synapse = { gid = config.ids.gids.matrix-synapse; @@ -707,6 +726,10 @@ in { User = "matrix-synapse"; Group = "matrix-synapse"; WorkingDirectory = cfg.dataDir; + ExecStartPre = [ ("+" + (pkgs.writeShellScript "matrix-synapse-fix-permissions" '' + chown matrix-synapse:matrix-synapse ${cfg.dataDir}/homeserver.signing.key + chmod 0600 ${cfg.dataDir}/homeserver.signing.key + '')) ]; ExecStart = '' ${cfg.package}/bin/homeserver \ ${ concatMapStringsSep "\n " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) } @@ -714,6 +737,7 @@ in { ''; ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; Restart = "on-failure"; + UMask = "0077"; }; }; }; @@ -728,6 +752,12 @@ in { <nixpkgs/nixos/tests/matrix-synapse.nix> '') (mkRemovedOptionModule [ "services" "matrix-synapse" "web_client" ] "") + (mkRemovedOptionModule [ "services" "matrix-synapse" "room_invite_state_types" ] '' + You may add additional event types via + `services.matrix-synapse.room_prejoin_state.additional_event_types` and + disable the default events via + `services.matrix-synapse.room_prejoin_state.disable_default_event_types`. + '') ]; meta.doc = ./matrix-synapse.xml; diff --git a/nixos/modules/services/misc/matrix-synapse.xml b/nixos/modules/services/misc/matrix-synapse.xml index 358b631eb485b..41a56df0f2b5e 100644 --- a/nixos/modules/services/misc/matrix-synapse.xml +++ b/nixos/modules/services/misc/matrix-synapse.xml @@ -33,11 +33,11 @@ <link xlink:href="https://github.com/matrix-org/synapse#synapse-installation"> installation instructions of Synapse </link>. <programlisting> -{ pkgs, ... }: +{ pkgs, lib, ... }: let fqdn = let - join = hostName: domain: hostName + optionalString (domain != null) ".${domain}"; + join = hostName: domain: hostName + lib.optionalString (domain != null) ".${domain}"; in join config.networking.hostName config.networking.domain; in { networking = { @@ -132,7 +132,7 @@ in { } ]; }; -}; +} </programlisting> </para> diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 64bdbf159d511..133e96da0ec8e 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -21,6 +21,7 @@ let calls in `libstore/build.cc', don't add any supplementary group here except "nixbld". */ uid = builtins.add config.ids.uids.nixbld nr; + isSystemUser = true; group = "nixbld"; extraGroups = [ "nixbld" ]; }; diff --git a/nixos/modules/services/misc/ombi.nix b/nixos/modules/services/misc/ombi.nix index 83f433e0be4a8..b5882168e519b 100644 --- a/nixos/modules/services/misc/ombi.nix +++ b/nixos/modules/services/misc/ombi.nix @@ -70,6 +70,7 @@ in { users.users = mkIf (cfg.user == "ombi") { ombi = { + isSystemUser = true; group = cfg.group; home = cfg.dataDir; }; diff --git a/nixos/modules/services/misc/pinnwand.nix b/nixos/modules/services/misc/pinnwand.nix index aa1ee5cfaa77d..cbc796c9a7c88 100644 --- a/nixos/modules/services/misc/pinnwand.nix +++ b/nixos/modules/services/misc/pinnwand.nix @@ -24,55 +24,80 @@ in Your <filename>pinnwand.toml</filename> as a Nix attribute set. Look up possible options in the <link xlink:href="https://github.com/supakeen/pinnwand/blob/master/pinnwand.toml-example">pinnwand.toml-example</link>. ''; - default = { - # https://github.com/supakeen/pinnwand/blob/master/pinnwand.toml-example - database_uri = "sqlite:///var/lib/pinnwand/pinnwand.db"; - preferred_lexeres = []; - paste_size = 262144; - paste_help = '' - <p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p> - ''; - footer = '' - View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page. - ''; - }; + default = {}; }; }; config = mkIf cfg.enable { - systemd.services.pinnwand = { - description = "Pinnwannd HTTP Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; + services.pinnwand.settings = { + database_uri = mkDefault "sqlite:////var/lib/pinnwand/pinnwand.db"; + paste_size = mkDefault 262144; + paste_help = mkDefault '' + <p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p> + ''; + footer = mkDefault '' + View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page. + ''; + }; + + systemd.services = let + hardeningOptions = { + User = "pinnwand"; + DynamicUser = true; - unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/"; - serviceConfig = { - ExecStart = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile} http --port ${toString(cfg.port)}"; StateDirectory = "pinnwand"; StateDirectoryMode = "0700"; AmbientCapabilities = []; CapabilityBoundingSet = ""; DevicePolicy = "closed"; - DynamicUser = true; LockPersonality = true; MemoryDenyWriteExecute = true; PrivateDevices = true; PrivateUsers = true; + ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; - ProtectKernelLogs = true; ProtectHome = true; ProtectHostname = true; + ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; - RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; RestrictNamespaces = true; RestrictRealtime = true; SystemCallArchitectures = "native"; SystemCallFilter = "@system-service"; UMask = "0077"; }; + + command = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile}"; + in { + pinnwand = { + description = "Pinnwannd HTTP Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/"; + + serviceConfig = { + ExecStart = "${command} http --port ${toString(cfg.port)}"; + } // hardeningOptions; + }; + + pinnwand-reaper = { + description = "Pinnwand Reaper"; + startAt = "daily"; + + serviceConfig = { + ExecStart = "${command} -vvvv reap"; # verbosity increased to show number of deleted pastes + } // hardeningOptions; + }; }; }; } diff --git a/nixos/modules/services/misc/podgrab.nix b/nixos/modules/services/misc/podgrab.nix new file mode 100644 index 0000000000000..7077408b7942f --- /dev/null +++ b/nixos/modules/services/misc/podgrab.nix @@ -0,0 +1,50 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.services.podgrab; +in +{ + options.services.podgrab = with lib; { + enable = mkEnableOption "Podgrab, a self-hosted podcast manager"; + + passwordFile = mkOption { + type = with types; nullOr str; + default = null; + example = "/run/secrets/password.env"; + description = '' + The path to a file containing the PASSWORD environment variable + definition for Podgrab's authentification. + ''; + }; + + port = mkOption { + type = types.port; + default = 8080; + example = 4242; + description = "The port on which Podgrab will listen for incoming HTTP traffic."; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.podgrab = { + description = "Podgrab podcast manager"; + wantedBy = [ "multi-user.target" ]; + environment = { + CONFIG = "/var/lib/podgrab/config"; + DATA = "/var/lib/podgrab/data"; + GIN_MODE = "release"; + PORT = toString cfg.port; + }; + serviceConfig = { + DynamicUser = true; + EnvironmentFile = lib.optional (cfg.passwordFile != null) [ + cfg.passwordFile + ]; + ExecStart = "${pkgs.podgrab}/bin/podgrab"; + WorkingDirectory = "${pkgs.podgrab}/share"; + StateDirectory = [ "podgrab/config" "podgrab/data" ]; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ ambroisie ]; +} diff --git a/nixos/modules/services/misc/ssm-agent.nix b/nixos/modules/services/misc/ssm-agent.nix index e50b07e0b862a..c29d03d199bf4 100644 --- a/nixos/modules/services/misc/ssm-agent.nix +++ b/nixos/modules/services/misc/ssm-agent.nix @@ -22,8 +22,8 @@ in { package = mkOption { type = types.path; description = "The SSM agent package to use"; - default = pkgs.ssm-agent; - defaultText = "pkgs.ssm-agent"; + default = pkgs.ssm-agent.override { overrideEtc = false; }; + defaultText = "pkgs.ssm-agent.override { overrideEtc = false; }"; }; }; @@ -37,8 +37,10 @@ in { serviceConfig = { ExecStart = "${cfg.package}/bin/amazon-ssm-agent"; KillMode = "process"; - Restart = "on-failure"; - RestartSec = "15min"; + # We want this restating pretty frequently. It could be our only means + # of accessing the instance. + Restart = "always"; + RestartSec = "1min"; }; }; @@ -62,5 +64,10 @@ in { isNormalUser = true; group = "ssm-user"; }; + + environment.etc."amazon/ssm/seelog.xml".source = "${cfg.package}/seelog.xml.template"; + + environment.etc."amazon/ssm/amazon-ssm-agent.json".source = "${cfg.package}/etc/amazon/ssm/amazon-ssm-agent.json.template"; + }; } diff --git a/nixos/modules/services/misc/zigbee2mqtt.nix b/nixos/modules/services/misc/zigbee2mqtt.nix index cd987eb76c76c..4458da1346b7d 100644 --- a/nixos/modules/services/misc/zigbee2mqtt.nix +++ b/nixos/modules/services/misc/zigbee2mqtt.nix @@ -5,29 +5,17 @@ with lib; let cfg = config.services.zigbee2mqtt; - configJSON = pkgs.writeText "configuration.json" - (builtins.toJSON (recursiveUpdate defaultConfig cfg.config)); - configFile = pkgs.runCommand "configuration.yaml" { preferLocalBuild = true; } '' - ${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out - ''; + format = pkgs.formats.yaml { }; + configFile = format.generate "zigbee2mqtt.yaml" cfg.settings; - # the default config contains all required settings, - # so the service starts up without crashing. - defaultConfig = { - homeassistant = false; - permit_join = false; - mqtt = { - base_topic = "zigbee2mqtt"; - server = "mqtt://localhost:1883"; - }; - serial.port = "/dev/ttyACM0"; - # put device configuration into separate file because configuration.yaml - # is copied from the store on startup - devices = "devices.yaml"; - }; in { - meta.maintainers = with maintainers; [ sweber ]; + meta.maintainers = with maintainers; [ sweber hexa ]; + + imports = [ + # Remove warning before the 21.11 release + (mkRenamedOptionModule [ "services" "zigbee2mqtt" "config" ] [ "services" "zigbee2mqtt" "settings" ]) + ]; options.services.zigbee2mqtt = { enable = mkEnableOption "enable zigbee2mqtt service"; @@ -37,7 +25,11 @@ in default = pkgs.zigbee2mqtt.override { dataDir = cfg.dataDir; }; - defaultText = "pkgs.zigbee2mqtt"; + defaultText = literalExample '' + pkgs.zigbee2mqtt { + dataDir = services.zigbee2mqtt.dataDir + } + ''; type = types.package; }; @@ -47,9 +39,9 @@ in type = types.path; }; - config = mkOption { + settings = mkOption { + type = format.type; default = {}; - type = with types; nullOr attrs; example = literalExample '' { homeassistant = config.services.home-assistant.enable; @@ -61,11 +53,28 @@ in ''; description = '' Your <filename>configuration.yaml</filename> as a Nix attribute set. + Check the <link xlink:href="https://www.zigbee2mqtt.io/information/configuration.html">documentation</link> + for possible options. ''; }; }; config = mkIf (cfg.enable) { + + # preset config values + services.zigbee2mqtt.settings = { + homeassistant = mkDefault config.services.home-assistant.enable; + permit_join = mkDefault false; + mqtt = { + base_topic = mkDefault "zigbee2mqtt"; + server = mkDefault "mqtt://localhost:1883"; + }; + serial.port = mkDefault "/dev/ttyACM0"; + # reference device configuration, that is kept in a separate file + # to prevent it being overwritten in the units ExecStartPre script + devices = mkDefault "devices.yaml"; + }; + systemd.services.zigbee2mqtt = { description = "Zigbee2mqtt Service"; wantedBy = [ "multi-user.target" ]; @@ -76,10 +85,48 @@ in User = "zigbee2mqtt"; WorkingDirectory = cfg.dataDir; Restart = "on-failure"; + + # Hardening + CapabilityBoundingSet = ""; + DeviceAllow = [ + config.services.zigbee2mqtt.settings.serial.port + ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = false; + NoNewPrivileges = true; + PrivateDevices = false; # prevents access to /dev/serial, because it is set 0700 root:root + PrivateUsers = true; + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; ProtectSystem = "strict"; ReadWritePaths = cfg.dataDir; - PrivateTmp = true; RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SupplementaryGroups = [ + "dialout" + ]; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + UMask = "0077"; }; preStart = '' cp --no-preserve=mode ${configFile} "${cfg.dataDir}/configuration.yaml" @@ -90,7 +137,6 @@ in home = cfg.dataDir; createHome = true; group = "zigbee2mqtt"; - extraGroups = [ "dialout" ]; uid = config.ids.uids.zigbee2mqtt; }; diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index 86e306ab404a9..4ebde6f9b107b 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -42,6 +42,9 @@ let AUTH_ANONYMOUS_ENABLED = boolToString cfg.auth.anonymous.enable; AUTH_ANONYMOUS_ORG_NAME = cfg.auth.anonymous.org_name; AUTH_ANONYMOUS_ORG_ROLE = cfg.auth.anonymous.org_role; + AUTH_GOOGLE_ENABLED = boolToString cfg.auth.google.enable; + AUTH_GOOGLE_ALLOW_SIGN_UP = boolToString cfg.auth.google.allowSignUp; + AUTH_GOOGLE_CLIENT_ID = cfg.auth.google.clientId; ANALYTICS_REPORTING_ENABLED = boolToString cfg.analytics.reporting.enable; @@ -528,23 +531,46 @@ in { }; }; - auth.anonymous = { - enable = mkOption { - description = "Whether to allow anonymous access."; - default = false; - type = types.bool; - }; - org_name = mkOption { - description = "Which organization to allow anonymous access to."; - default = "Main Org."; - type = types.str; + auth = { + anonymous = { + enable = mkOption { + description = "Whether to allow anonymous access."; + default = false; + type = types.bool; + }; + org_name = mkOption { + description = "Which organization to allow anonymous access to."; + default = "Main Org."; + type = types.str; + }; + org_role = mkOption { + description = "Which role anonymous users have in the organization."; + default = "Viewer"; + type = types.str; + }; }; - org_role = mkOption { - description = "Which role anonymous users have in the organization."; - default = "Viewer"; - type = types.str; + google = { + enable = mkOption { + description = "Whether to allow Google OAuth2."; + default = false; + type = types.bool; + }; + allowSignUp = mkOption { + description = "Whether to allow sign up with Google OAuth2."; + default = false; + type = types.bool; + }; + clientId = mkOption { + description = "Google OAuth2 client ID."; + default = ""; + type = types.str; + }; + clientSecretFile = mkOption { + description = "Google OAuth2 client secret."; + default = null; + type = types.nullOr types.path; + }; }; - }; analytics.reporting = { @@ -609,6 +635,9 @@ in { QT_QPA_PLATFORM = "offscreen"; } // mapAttrs' (n: v: nameValuePair "GF_${n}" (toString v)) envOptions; script = '' + ${optionalString (cfg.auth.google.clientSecretFile != null) '' + export GF_AUTH_GOOGLE_CLIENT_SECRET="$(cat ${escapeShellArg cfg.auth.google.clientSecretFile})" + ''} ${optionalString (cfg.database.passwordFile != null) '' export GF_DATABASE_PASSWORD="$(cat ${escapeShellArg cfg.database.passwordFile})" ''} diff --git a/nixos/modules/services/monitoring/nagios.nix b/nixos/modules/services/monitoring/nagios.nix index 9ac6869068f2b..61214508a9c6e 100644 --- a/nixos/modules/services/monitoring/nagios.nix +++ b/nixos/modules/services/monitoring/nagios.nix @@ -192,6 +192,7 @@ in path = [ pkgs.nagios ] ++ cfg.plugins; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; + restartTriggers = [ nagiosCfgFile ]; serviceConfig = { User = "nagios"; @@ -201,7 +202,6 @@ in LogsDirectory = "nagios"; StateDirectory = "nagios"; ExecStart = "${pkgs.nagios}/bin/nagios /etc/nagios.cfg"; - X-ReloadIfChanged = nagiosCfgFile; }; }; diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix index 007024c04ce5a..561ce3eec6255 100644 --- a/nixos/modules/services/monitoring/netdata.nix +++ b/nixos/modules/services/monitoring/netdata.nix @@ -8,6 +8,7 @@ let wrappedPlugins = pkgs.runCommand "wrapped-plugins" { preferLocalBuild = true; } '' mkdir -p $out/libexec/netdata/plugins.d ln -s /run/wrappers/bin/apps.plugin $out/libexec/netdata/plugins.d/apps.plugin + ln -s /run/wrappers/bin/cgroup-network $out/libexec/netdata/plugins.d/cgroup-network ln -s /run/wrappers/bin/freeipmi.plugin $out/libexec/netdata/plugins.d/freeipmi.plugin ln -s /run/wrappers/bin/perf.plugin $out/libexec/netdata/plugins.d/perf.plugin ln -s /run/wrappers/bin/slabinfo.plugin $out/libexec/netdata/plugins.d/slabinfo.plugin @@ -26,6 +27,10 @@ let "web files owner" = "root"; "web files group" = "root"; }; + "plugin:cgroups" = { + "script to get cgroup network interfaces" = "${wrappedPlugins}/libexec/netdata/plugins.d/cgroup-network"; + "use unified cgroups" = "yes"; + }; }; mkConfig = generators.toINI {} (recursiveUpdate localConfig cfg.config); configFile = pkgs.writeText "netdata.conf" (if cfg.configText != null then cfg.configText else mkConfig); @@ -149,8 +154,9 @@ in { description = "Real time performance monitoring"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - path = (with pkgs; [ curl gawk which ]) ++ lib.optional cfg.python.enable - (pkgs.python3.withPackages cfg.python.extraPackages); + path = (with pkgs; [ curl gawk iproute2 which ]) + ++ lib.optional cfg.python.enable (pkgs.python3.withPackages cfg.python.extraPackages) + ++ lib.optional config.virtualisation.libvirtd.enable (config.virtualisation.libvirtd.package); environment = { PYTHONPATH = "${cfg.package}/libexec/netdata/python.d/python_modules"; } // lib.optionalAttrs (!cfg.enableAnalyticsReporting) { @@ -191,6 +197,8 @@ in { "CAP_SYS_PTRACE" # is required for apps plugin "CAP_SYS_RESOURCE" # is required for ebpf plugin "CAP_NET_RAW" # is required for fping app + "CAP_SYS_CHROOT" # is required for cgroups plugin + "CAP_SETUID" # is required for cgroups and cgroups-network plugins ]; # Sandboxing ProtectSystem = "full"; @@ -208,7 +216,15 @@ in { capabilities = "cap_dac_read_search,cap_sys_ptrace+ep"; owner = cfg.user; group = cfg.group; - permissions = "u+rx,g+rx,o-rwx"; + permissions = "u+rx,g+x,o-rwx"; + }; + + security.wrappers."cgroup-network" = { + source = "${cfg.package}/libexec/netdata/plugins.d/cgroup-network.org"; + capabilities = "cap_setuid+ep"; + owner = cfg.user; + group = cfg.group; + permissions = "u+rx,g+x,o-rwx"; }; security.wrappers."freeipmi.plugin" = { @@ -216,7 +232,7 @@ in { capabilities = "cap_dac_override,cap_fowner+ep"; owner = cfg.user; group = cfg.group; - permissions = "u+rx,g+rx,o-rwx"; + permissions = "u+rx,g+x,o-rwx"; }; security.wrappers."perf.plugin" = { @@ -224,7 +240,7 @@ in { capabilities = "cap_sys_admin+ep"; owner = cfg.user; group = cfg.group; - permissions = "u+rx,g+rx,o-rx"; + permissions = "u+rx,g+x,o-rwx"; }; security.wrappers."slabinfo.plugin" = { @@ -232,7 +248,7 @@ in { capabilities = "cap_dac_override+ep"; owner = cfg.user; group = cfg.group; - permissions = "u+rx,g+rx,o-rx"; + permissions = "u+rx,g+x,o-rwx"; }; security.pam.loginLimits = [ diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index bd74e1a9cdb54..e08f23d8eb04d 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -112,7 +112,7 @@ let http://tools.ietf.org/html/rfc4366#section-3.1 ''; }; - name = mkOpt types.string '' + name = mkOpt types.str '' Name of the remote read config, which if specified must be unique among remote read configs. The name will be used in metrics and logging in place of a generated value to help users distinguish between remote read configs. @@ -174,7 +174,7 @@ let write_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' List of remote write relabel configurations. ''; - name = mkOpt types.string '' + name = mkOpt types.str '' Name of the remote write config, which if specified must be unique among remote write configs. The name will be used in metrics and logging in place of a generated value to help users distinguish between remote write configs. @@ -386,6 +386,10 @@ let List of relabel configurations. ''; + metric_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' + List of metric relabel configurations. + ''; + sample_limit = mkDefOpt types.int "0" '' Per-scrape limit on number of scraped samples that will be accepted. If more than this number of samples are present after metric relabelling diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index e0c5ceccfcc9e..9fcfe7b52e08a 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -34,6 +34,7 @@ let "fritzbox" "json" "jitsi" + "kea" "keylight" "knot" "lnd" @@ -47,6 +48,7 @@ let "node" "openldap" "openvpn" + "pihole" "postfix" "postgres" "py-air-control" @@ -59,6 +61,7 @@ let "surfboard" "systemd" "tor" + "unbound" "unifi" "unifi-poller" "varnish" diff --git a/nixos/modules/services/monitoring/prometheus/exporters/bind.nix b/nixos/modules/services/monitoring/prometheus/exporters/bind.nix index 972632b5a24a4..16c2920751d95 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/bind.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/bind.nix @@ -41,12 +41,12 @@ in serviceConfig = { ExecStart = '' ${pkgs.prometheus-bind-exporter}/bin/bind_exporter \ - -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ - -bind.pid-file /var/run/named/named.pid \ - -bind.timeout ${toString cfg.bindTimeout} \ - -bind.stats-url ${cfg.bindURI} \ - -bind.stats-version ${cfg.bindVersion} \ - -bind.stats-groups ${concatStringsSep "," cfg.bindGroups} \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + --bind.pid-file /var/run/named/named.pid \ + --bind.timeout ${toString cfg.bindTimeout} \ + --bind.stats-url ${cfg.bindURI} \ + --bind.stats-version ${cfg.bindVersion} \ + --bind.stats-groups ${concatStringsSep "," cfg.bindGroups} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; }; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix index a3b2b92bc3479..a7f4d3e096fea 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix @@ -41,11 +41,11 @@ in }; logFormat = mkOption { - type = types.str; - default = "logger:stderr"; - example = "logger:syslog?appname=bob&local=7 or logger:stdout?json=true"; + type = types.enum [ "logfmt" "json" ]; + default = "logfmt"; + example = "json"; description = '' - Set the log target and format. + Set the log format. ''; }; @@ -59,16 +59,16 @@ in }; serviceOpts = let collectSettingsArgs = if (cfg.collectdBinary.enable) then '' - -collectd.listen-address ${cfg.collectdBinary.listenAddress}:${toString cfg.collectdBinary.port} \ - -collectd.security-level ${cfg.collectdBinary.securityLevel} \ + --collectd.listen-address ${cfg.collectdBinary.listenAddress}:${toString cfg.collectdBinary.port} \ + --collectd.security-level ${cfg.collectdBinary.securityLevel} \ '' else ""; in { serviceConfig = { ExecStart = '' ${pkgs.prometheus-collectd-exporter}/bin/collectd_exporter \ - -log.format ${escapeShellArg cfg.logFormat} \ - -log.level ${cfg.logLevel} \ - -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + --log.format ${escapeShellArg cfg.logFormat} \ + --log.level ${cfg.logLevel} \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ ${collectSettingsArgs} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix new file mode 100644 index 0000000000000..b6cd89c3866b7 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @@ -0,0 +1,38 @@ +{ config +, lib +, pkgs +, options +}: + +with lib; + +let + cfg = config.services.prometheus.exporters.kea; +in { + port = 9547; + extraOpts = { + controlSocketPaths = mkOption { + type = types.listOf types.str; + example = literalExample '' + [ + "/run/kea/kea-dhcp4.socket" + "/run/kea/kea-dhcp6.socket" + ] + ''; + description = '' + Paths to kea control sockets + ''; + }; + }; + serviceOpts = { + serviceConfig = { + ExecStart = '' + ${pkgs.prometheus-kea-exporter}/bin/kea-exporter \ + --address ${cfg.listenAddress} \ + --port ${toString cfg.port} \ + ${concatStringsSep " \\n" cfg.controlSocketPaths} + ''; + SupplementaryGroups = [ "kea" ]; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/pihole.nix b/nixos/modules/services/monitoring/prometheus/exporters/pihole.nix new file mode 100644 index 0000000000000..21c2e5eab4ca1 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/pihole.nix @@ -0,0 +1,74 @@ +{ config, lib, pkgs, options }: + +with lib; + +let + cfg = config.services.prometheus.exporters.pihole; +in +{ + port = 9617; + extraOpts = { + apiToken = mkOption { + type = types.str; + default = ""; + example = "580a770cb40511eb85290242ac130003580a770cb40511eb85290242ac130003"; + description = '' + pi-hole API token which can be used instead of a password + ''; + }; + interval = mkOption { + type = types.str; + default = "10s"; + example = "30s"; + description = '' + How often to scrape new data + ''; + }; + password = mkOption { + type = types.str; + default = ""; + example = "password"; + description = '' + The password to login into pihole. An api token can be used instead. + ''; + }; + piholeHostname = mkOption { + type = types.str; + default = "pihole"; + example = "127.0.0.1"; + description = '' + Hostname or address where to find the pihole webinterface + ''; + }; + piholePort = mkOption { + type = types.port; + default = "80"; + example = "443"; + description = '' + The port pihole webinterface is reachable on + ''; + }; + protocol = mkOption { + type = types.enum [ "http" "https" ]; + default = "http"; + example = "https"; + description = '' + The protocol which is used to connect to pihole + ''; + }; + }; + serviceOpts = { + serviceConfig = { + ExecStart = '' + ${pkgs.bash}/bin/bash -c "${pkgs.prometheus-pihole-exporter}/bin/pihole-exporter \ + -interval ${cfg.interval} \ + ${optionalString (cfg.apiToken != "") "-pihole_api_token ${cfg.apiToken}"} \ + -pihole_hostname ${cfg.piholeHostname} \ + ${optionalString (cfg.password != "") "-pihole_password ${cfg.password}"} \ + -pihole_port ${toString cfg.piholePort} \ + -pihole_protocol ${cfg.protocol} \ + -port ${toString cfg.port}" + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/rspamd.nix b/nixos/modules/services/monitoring/prometheus/exporters/rspamd.nix index 78fe120e4d932..d95e5ed9e83c1 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/rspamd.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/rspamd.nix @@ -13,7 +13,7 @@ let generateConfig = extraLabels: { metrics = (map (path: { name = "rspamd_${replaceStrings [ "." " " ] [ "_" "_" ] path}"; - path = "$.${path}"; + path = "{ .${path} }"; labels = extraLabels; }) [ "actions.'add header'" diff --git a/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix b/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix new file mode 100644 index 0000000000000..56a559531c142 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix @@ -0,0 +1,59 @@ +{ config, lib, pkgs, options }: + +with lib; + +let + cfg = config.services.prometheus.exporters.unbound; +in +{ + port = 9167; + extraOpts = { + fetchType = mkOption { + # TODO: add shm when upstream implemented it + type = types.enum [ "tcp" "uds" ]; + default = "uds"; + description = '' + Which methods the exporter uses to get the information from unbound. + ''; + }; + + telemetryPath = mkOption { + type = types.str; + default = "/metrics"; + description = '' + Path under which to expose metrics. + ''; + }; + + controlInterface = mkOption { + type = types.nullOr types.str; + default = null; + example = "/run/unbound/unbound.socket"; + description = '' + Path to the unbound socket for uds mode or the control interface port for tcp mode. + + Example: + uds-mode: /run/unbound/unbound.socket + tcp-mode: 127.0.0.1:8953 + ''; + }; + }; + + serviceOpts = mkMerge ([{ + serviceConfig = { + ExecStart = '' + ${pkgs.prometheus-unbound-exporter}/bin/unbound-telemetry \ + ${cfg.fetchType} \ + --bind ${cfg.listenAddress}:${toString cfg.port} \ + --path ${cfg.telemetryPath} \ + ${optionalString (cfg.controlInterface != null) "--control-interface ${cfg.controlInterface}"} \ + ${toString cfg.extraFlags} + ''; + }; + }] ++ [ + (mkIf config.services.unbound.enable { + after = [ "unbound.service" ]; + requires = [ "unbound.service" ]; + }) + ]); +} diff --git a/nixos/modules/services/monitoring/prometheus/xmpp-alerts.nix b/nixos/modules/services/monitoring/prometheus/xmpp-alerts.nix index 44b15cb2034c2..980c93c9c4788 100644 --- a/nixos/modules/services/monitoring/prometheus/xmpp-alerts.nix +++ b/nixos/modules/services/monitoring/prometheus/xmpp-alerts.nix @@ -4,21 +4,29 @@ with lib; let cfg = config.services.prometheus.xmpp-alerts; - - configFile = pkgs.writeText "prometheus-xmpp-alerts.yml" (builtins.toJSON cfg.configuration); - + settingsFormat = pkgs.formats.yaml {}; + configFile = settingsFormat.generate "prometheus-xmpp-alerts.yml" cfg.settings; in - { - options.services.prometheus.xmpp-alerts = { + imports = [ + (mkRenamedOptionModule + [ "services" "prometheus" "xmpp-alerts" "configuration" ] + [ "services" "prometheus" "xmpp-alerts" "settings" ]) + ]; + options.services.prometheus.xmpp-alerts = { enable = mkEnableOption "XMPP Web hook service for Alertmanager"; - configuration = mkOption { - type = types.attrs; - description = "Configuration as attribute set which will be converted to YAML"; - }; + settings = mkOption { + type = settingsFormat.type; + default = {}; + description = '' + Configuration for prometheus xmpp-alerts, see + <link xlink:href="https://github.com/jelmer/prometheus-xmpp-alerts/blob/master/xmpp-alerts.yml.example"/> + for supported values. + ''; + }; }; config = mkIf cfg.enable { diff --git a/nixos/modules/services/monitoring/tuptime.nix b/nixos/modules/services/monitoring/tuptime.nix index 8f79d91659901..17c5c1f56eaf6 100644 --- a/nixos/modules/services/monitoring/tuptime.nix +++ b/nixos/modules/services/monitoring/tuptime.nix @@ -34,7 +34,10 @@ in { users = { groups._tuptime.members = [ "_tuptime" ]; - users._tuptime.description = "tuptime database owner"; + users._tuptime = { + isSystemUser = true; + description = "tuptime database owner"; + }; }; systemd = { diff --git a/nixos/modules/services/monitoring/vnstat.nix b/nixos/modules/services/monitoring/vnstat.nix index e9bedb704a43e..5e19c399568d8 100644 --- a/nixos/modules/services/monitoring/vnstat.nix +++ b/nixos/modules/services/monitoring/vnstat.nix @@ -6,21 +6,21 @@ let cfg = config.services.vnstat; in { options.services.vnstat = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable update of network usage statistics via vnstatd. - ''; - }; + enable = mkEnableOption "update of network usage statistics via vnstatd"; }; config = mkIf cfg.enable { - users.users.vnstatd = { - isSystemUser = true; - description = "vnstat daemon user"; - home = "/var/lib/vnstat"; - createHome = true; + + environment.systemPackages = [ pkgs.vnstat ]; + + users = { + groups.vnstatd = {}; + + users.vnstatd = { + isSystemUser = true; + group = "vnstatd"; + description = "vnstat daemon user"; + }; }; systemd.services.vnstat = { @@ -33,7 +33,6 @@ in { "man:vnstat(1)" "man:vnstat.conf(5)" ]; - preStart = "chmod 755 /var/lib/vnstat"; serviceConfig = { ExecStart = "${pkgs.vnstat}/bin/vnstatd -n"; ExecReload = "${pkgs.procps}/bin/kill -HUP $MAINPID"; @@ -52,7 +51,10 @@ in { RestrictNamespaces = true; User = "vnstatd"; + Group = "vnstatd"; }; }; }; + + meta.maintainers = [ maintainers.evils ]; } diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix index 2082d513161e3..6d8dfcce933c0 100644 --- a/nixos/modules/services/network-filesystems/ipfs.nix +++ b/nixos/modules/services/network-filesystems/ipfs.nix @@ -216,14 +216,11 @@ in { systemd.packages = [ cfg.package ]; - systemd.services.ipfs-init = { - description = "IPFS Initializer"; - + systemd.services.ipfs = { + path = [ "/run/wrappers" cfg.package ]; environment.IPFS_PATH = cfg.dataDir; - path = [ cfg.package ]; - - script = '' + preStart = '' if [[ ! -f ${cfg.dataDir}/config ]]; then ipfs init ${optionalString cfg.emptyRepo "-e"} \ ${optionalString (! cfg.localDiscovery) "--profile=server"} @@ -233,26 +230,7 @@ in { else "ipfs config profile apply server" } fi - ''; - - wantedBy = [ "default.target" ]; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - User = cfg.user; - Group = cfg.group; - }; - }; - - systemd.services.ipfs = { - path = [ "/run/wrappers" cfg.package ]; - environment.IPFS_PATH = cfg.dataDir; - - wants = [ "ipfs-init.service" ]; - after = [ "ipfs-init.service" ]; - - preStart = optionalString cfg.autoMount '' + '' + optionalString cfg.autoMount '' ipfs --local config Mounts.FuseAllowOther --json true ipfs --local config Mounts.IPFS ${cfg.ipfsMountDir} ipfs --local config Mounts.IPNS ${cfg.ipnsMountDir} @@ -296,7 +274,7 @@ in { systemd.sockets.ipfs-api = { wantedBy = [ "sockets.target" ]; - # We also include "%t/ipfs.sock" because tere is no way to put the "%t" + # We also include "%t/ipfs.sock" because there is no way to put the "%t" # in the multiaddr. socketConfig.ListenStream = let fromCfg = multiaddrToListenStream cfg.apiAddress; diff --git a/nixos/modules/services/network-filesystems/netatalk.nix b/nixos/modules/services/network-filesystems/netatalk.nix index 33e851210bc6f..06a36eb30c29c 100644 --- a/nixos/modules/services/network-filesystems/netatalk.nix +++ b/nixos/modules/services/network-filesystems/netatalk.nix @@ -3,43 +3,10 @@ with lib; let - cfg = config.services.netatalk; - - extmapFile = pkgs.writeText "extmap.conf" cfg.extmap; - - afpToString = x: if builtins.typeOf x == "bool" - then boolToString x - else toString x; - - volumeConfig = name: - let vol = getAttr name cfg.volumes; in - "[${name}]\n " + (toString ( - map - (key: "${key} = ${afpToString (getAttr key vol)}\n") - (attrNames vol) - )); - - afpConf = ''[Global] - extmap file = ${extmapFile} - afp port = ${toString cfg.port} - - ${cfg.extraConfig} - - ${if cfg.homes.enable then ''[Homes] - ${optionalString (cfg.homes.path != "") "path = ${cfg.homes.path}"} - basedir regex = ${cfg.homes.basedirRegex} - ${cfg.homes.extraConfig} - '' else ""} - - ${toString (map volumeConfig (attrNames cfg.volumes))} - ''; - - afpConfFile = pkgs.writeText "afp.conf" afpConf; - -in - -{ + settingsFormat = pkgs.formats.ini { }; + afpConfFile = settingsFormat.generate "afp.conf" cfg.settings; +in { options = { services.netatalk = { @@ -51,61 +18,24 @@ in description = "TCP port to be used for AFP."; }; - extraConfig = mkOption { - type = types.lines; - default = ""; - example = "uam list = uams_guest.so"; - description = '' - Lines of configuration to add to the <literal>[Global]</literal> section. - See <literal>man apf.conf</literal> for more information. - ''; - }; - - homes = { - enable = mkOption { - type = types.bool; - default = false; - description = "Enable sharing of the UNIX server user home directories."; - }; - - path = mkOption { - type = types.str; - default = ""; - example = "afp-data"; - description = "Share not the whole user home but this subdirectory path."; - }; - - basedirRegex = mkOption { - example = "/home"; - type = types.str; - description = "Regex which matches the parent directory of the user homes."; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Lines of configuration to add to the <literal>[Homes]</literal> section. - See <literal>man apf.conf</literal> for more information. - ''; - }; - }; - - volumes = mkOption { + settings = mkOption { + inherit (settingsFormat) type; default = { }; - type = types.attrsOf (types.attrsOf types.unspecified); - description = - '' - Set of AFP volumes to export. - See <literal>man apf.conf</literal> for more information. - ''; - example = literalExample '' - { srv = - { path = "/srv"; - "read only" = true; - "hosts allow" = "10.1.0.0/16 10.2.1.100 2001:0db8:1234::/48"; - }; - } + example = { + Global = { "uam list" = "uams_guest.so"; }; + Homes = { + path = "afp-data"; + "basedir regex" = "/home"; + }; + example-volume = { + path = "/srv/volume"; + "read only" = true; + }; + }; + description = '' + Configuration for Netatalk. See + <citerefentry><refentrytitle>afp.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry>. ''; }; @@ -114,18 +44,33 @@ in default = ""; description = '' File name extension mappings. - See <literal>man extmap.conf</literal> for more information. + See <citerefentry><refentrytitle>extmap.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry>. for more information. ''; }; }; }; + imports = (map (option: + mkRemovedOptionModule [ "services" "netatalk" option ] + "This option was removed in favor of `services.netatalk.settings`.") [ + "extraConfig" + "homes" + "volumes" + ]); + config = mkIf cfg.enable { + services.netatalk.settings.Global = { + "afp port" = toString cfg.port; + "extmap file" = "${pkgs.writeText "extmap.conf" cfg.extmap}"; + }; + systemd.services.netatalk = { description = "Netatalk AFP fileserver for Macintosh clients"; - unitConfig.Documentation = "man:afp.conf(5) man:netatalk(8) man:afpd(8) man:cnid_metad(8) man:cnid_dbd(8)"; + unitConfig.Documentation = + "man:afp.conf(5) man:netatalk(8) man:afpd(8) man:cnid_metad(8) man:cnid_dbd(8)"; after = [ "network.target" "avahi-daemon.service" ]; wantedBy = [ "multi-user.target" ]; @@ -135,12 +80,12 @@ in Type = "forking"; GuessMainPID = "no"; PIDFile = "/run/lock/netatalk"; - ExecStartPre = "${pkgs.coreutils}/bin/mkdir -m 0755 -p /var/lib/netatalk/CNID"; - ExecStart = "${pkgs.netatalk}/sbin/netatalk -F ${afpConfFile}"; + ExecStart = "${pkgs.netatalk}/sbin/netatalk -F ${afpConfFile}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - ExecStop = "${pkgs.coreutils}/bin/kill -TERM $MAINPID"; + ExecStop = "${pkgs.coreutils}/bin/kill -TERM $MAINPID"; Restart = "always"; RestartSec = 1; + StateDirectory = [ "netatalk/CNID" ]; }; }; diff --git a/nixos/modules/services/network-filesystems/samba-wsdd.nix b/nixos/modules/services/network-filesystems/samba-wsdd.nix index c68039c79e2b7..800ef448d3769 100644 --- a/nixos/modules/services/network-filesystems/samba-wsdd.nix +++ b/nixos/modules/services/network-filesystems/samba-wsdd.nix @@ -117,7 +117,7 @@ in { PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; - SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap"; + SystemCallFilter = "~@cpu-emulation @debug @mount @obsolete @privileged @resources"; }; }; }; diff --git a/nixos/modules/services/networking/adguardhome.nix b/nixos/modules/services/networking/adguardhome.nix new file mode 100644 index 0000000000000..4388ef2b7e576 --- /dev/null +++ b/nixos/modules/services/networking/adguardhome.nix @@ -0,0 +1,78 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.adguardhome; + + args = concatStringsSep " " ([ + "--no-check-update" + "--pidfile /run/AdGuardHome/AdGuardHome.pid" + "--work-dir /var/lib/AdGuardHome/" + "--config /var/lib/AdGuardHome/AdGuardHome.yaml" + "--host ${cfg.host}" + "--port ${toString cfg.port}" + ] ++ cfg.extraArgs); + +in +{ + options.services.adguardhome = with types; { + enable = mkEnableOption "AdGuard Home network-wide ad blocker"; + + host = mkOption { + default = "0.0.0.0"; + type = str; + description = '' + Host address to bind HTTP server to. + ''; + }; + + port = mkOption { + default = 3000; + type = port; + description = '' + Port to serve HTTP pages on. + ''; + }; + + openFirewall = mkOption { + default = false; + type = bool; + description = '' + Open ports in the firewall for the AdGuard Home web interface. Does not + open the port needed to access the DNS resolver. + ''; + }; + + extraArgs = mkOption { + default = [ ]; + type = listOf str; + description = '' + Extra command line parameters to be passed to the adguardhome binary. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.adguardhome = { + description = "AdGuard Home: Network-level blocker"; + after = [ "syslog.target" "network.target" ]; + wantedBy = [ "multi-user.target" ]; + unitConfig = { + StartLimitIntervalSec = 5; + StartLimitBurst = 10; + }; + serviceConfig = { + DynamicUser = true; + ExecStart = "${pkgs.adguardhome}/bin/adguardhome ${args}"; + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + Restart = "always"; + RestartSec = 10; + RuntimeDirectory = "AdGuardHome"; + StateDirectory = "AdGuardHome"; + }; + }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + }; +} diff --git a/nixos/modules/services/networking/babeld.nix b/nixos/modules/services/networking/babeld.nix index 272c58ecd7ffb..5e14283179ac3 100644 --- a/nixos/modules/services/networking/babeld.nix +++ b/nixos/modules/services/networking/babeld.nix @@ -19,7 +19,10 @@ let "interface ${name} ${paramsString interface}\n"; configFile = with cfg; pkgs.writeText "babeld.conf" ( - (optionalString (cfg.interfaceDefaults != null) '' + '' + skip-kernel-setup true + '' + + (optionalString (cfg.interfaceDefaults != null) '' default ${paramsString cfg.interfaceDefaults} '') + (concatMapStrings interfaceConfig (attrNames cfg.interfaces)) @@ -29,6 +32,8 @@ in { + meta.maintainers = with maintainers; [ hexa ]; + ###### interface options = { @@ -84,13 +89,22 @@ in config = mkIf config.services.babeld.enable { + boot.kernel.sysctl = { + "net.ipv6.conf.all.forwarding" = 1; + "net.ipv6.conf.all.accept_redirects" = 0; + "net.ipv4.conf.all.forwarding" = 1; + "net.ipv4.conf.all.rp_filter" = 0; + } // lib.mapAttrs' (ifname: _: lib.nameValuePair "net.ipv4.conf.${ifname}.rp_filter" (lib.mkDefault 0)) config.services.babeld.interfaces; + systemd.services.babeld = { description = "Babel routing daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state"; + AmbientCapabilities = [ "CAP_NET_ADMIN" ]; CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]; + DynamicUser = true; IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ]; IPAddressDeny = "any"; LockPersonality = true; @@ -98,11 +112,11 @@ in MemoryDenyWriteExecute = true; ProtectSystem = "strict"; ProtectClock = true; - ProtectKernelTunables = false; # Couldn't write sysctl: Read-only file system + ProtectKernelTunables = true; ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; - RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET6" ]; + RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET6" "AF_INET" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix index e507e8ce9eebc..20eef2c3455b6 100644 --- a/nixos/modules/services/networking/bind.nix +++ b/nixos/modules/services/networking/bind.nix @@ -8,32 +8,37 @@ let bindUser = "named"; - bindZoneOptions = { - name = mkOption { - type = types.str; - description = "Name of the zone."; - }; - master = mkOption { - description = "Master=false means slave server"; - type = types.bool; - }; - file = mkOption { - type = types.either types.str types.path; - description = "Zone file resource records contain columns of data, separated by whitespace, that define the record."; - }; - masters = mkOption { - type = types.listOf types.str; - description = "List of servers for inclusion in stub and secondary zones."; - }; - slaves = mkOption { - type = types.listOf types.str; - description = "Addresses who may request zone transfers."; - default = []; - }; - extraConfig = mkOption { - type = types.str; - description = "Extra zone config to be appended at the end of the zone section."; - default = ""; + bindZoneCoerce = list: builtins.listToAttrs (lib.forEach list (zone: { name = zone.name; value = zone; })); + + bindZoneOptions = { name, config, ... }: { + options = { + name = mkOption { + type = types.str; + default = name; + description = "Name of the zone."; + }; + master = mkOption { + description = "Master=false means slave server"; + type = types.bool; + }; + file = mkOption { + type = types.either types.str types.path; + description = "Zone file resource records contain columns of data, separated by whitespace, that define the record."; + }; + masters = mkOption { + type = types.listOf types.str; + description = "List of servers for inclusion in stub and secondary zones."; + }; + slaves = mkOption { + type = types.listOf types.str; + description = "Addresses who may request zone transfers."; + default = [ ]; + }; + extraConfig = mkOption { + type = types.str; + description = "Extra zone config to be appended at the end of the zone section."; + default = ""; + }; }; }; @@ -84,7 +89,7 @@ let ${extraConfig} }; '') - cfg.zones } + (attrValues cfg.zones) } ''; in @@ -100,7 +105,7 @@ in enable = mkEnableOption "BIND domain name server"; cacheNetworks = mkOption { - default = ["127.0.0.0/24"]; + default = [ "127.0.0.0/24" ]; type = types.listOf types.str; description = " What networks are allowed to use us as a resolver. Note @@ -112,7 +117,7 @@ in }; blockedNetworks = mkOption { - default = []; + default = [ ]; type = types.listOf types.str; description = " What networks are just blocked. @@ -136,7 +141,7 @@ in }; listenOn = mkOption { - default = ["any"]; + default = [ "any" ]; type = types.listOf types.str; description = " Interfaces to listen on. @@ -144,7 +149,7 @@ in }; listenOnIpv6 = mkOption { - default = ["any"]; + default = [ "any" ]; type = types.listOf types.str; description = " Ipv6 interfaces to listen on. @@ -152,19 +157,20 @@ in }; zones = mkOption { - default = []; - type = types.listOf (types.submodule [ { options = bindZoneOptions; } ]); + default = [ ]; + type = with types; coercedTo (listOf attrs) bindZoneCoerce (attrsOf (types.submodule bindZoneOptions)); description = " List of zones we claim authority over. "; - example = [{ - name = "example.com"; - master = false; - file = "/var/dns/example.com"; - masters = ["192.168.0.1"]; - slaves = []; - extraConfig = ""; - }]; + example = { + "example.com" = { + master = false; + file = "/var/dns/example.com"; + masters = [ "192.168.0.1" ]; + slaves = [ ]; + extraConfig = ""; + }; + }; }; extraConfig = mkOption { @@ -206,7 +212,8 @@ in networking.resolvconf.useLocalResolver = mkDefault true; users.users.${bindUser} = - { uid = config.ids.uids.bind; + { + uid = config.ids.uids.bind; description = "BIND daemon user"; }; @@ -226,9 +233,9 @@ in ''; serviceConfig = { - ExecStart = "${pkgs.bind.out}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; + ExecStart = "${pkgs.bind.out}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; ExecReload = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' reload"; - ExecStop = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' stop"; + ExecStop = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' stop"; }; unitConfig.Documentation = "man:named(8)"; diff --git a/nixos/modules/services/networking/bird.nix b/nixos/modules/services/networking/bird.nix index 6d7e7760d94e4..1923afdf83f2e 100644 --- a/nixos/modules/services/networking/bird.nix +++ b/nixos/modules/services/networking/bird.nix @@ -73,6 +73,7 @@ let users.${variant} = { description = "BIRD Internet Routing Daemon user"; group = variant; + isSystemUser = true; }; groups.${variant} = {}; }; diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix index e9a0e5af1a473..f1a504b3e3f42 100644 --- a/nixos/modules/services/networking/cjdns.nix +++ b/nixos/modules/services/networking/cjdns.nix @@ -12,8 +12,18 @@ let { ... }: { options = { password = mkOption { - type = types.str; - description = "Authorized password to the opposite end of the tunnel."; + type = types.str; + description = "Authorized password to the opposite end of the tunnel."; + }; + login = mkOption { + default = ""; + type = types.str; + description = "(optional) name your peer has for you"; + }; + peerName = mkOption { + default = ""; + type = types.str; + description = "(optional) human-readable name for peer"; }; publicKey = mkOption { type = types.str; diff --git a/nixos/modules/services/networking/croc.nix b/nixos/modules/services/networking/croc.nix index b218fab2196d0..9466adf71d8c2 100644 --- a/nixos/modules/services/networking/croc.nix +++ b/nixos/modules/services/networking/croc.nix @@ -72,9 +72,7 @@ in RuntimeDirectoryMode = "700"; SystemCallFilter = [ "@system-service" - "~@aio" "~@chown" "~@keyring" "~@memlock" - "~@privileged" "~@resources" "~@setuid" - "~@sync" "~@timer" + "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@resources" "~@setuid" "~@sync" "~@timer" ]; SystemCallArchitectures = "native"; SystemCallErrorNumber = "EPERM"; diff --git a/nixos/modules/services/networking/dnsdist.nix b/nixos/modules/services/networking/dnsdist.nix index 3584915d0aa3a..c7c6a79864cb4 100644 --- a/nixos/modules/services/networking/dnsdist.nix +++ b/nixos/modules/services/networking/dnsdist.nix @@ -4,7 +4,7 @@ with lib; let cfg = config.services.dnsdist; - configFile = pkgs.writeText "dndist.conf" '' + configFile = pkgs.writeText "dnsdist.conf" '' setLocal('${cfg.listenAddress}:${toString cfg.listenPort}') ${cfg.extraConfig} ''; diff --git a/nixos/modules/services/networking/ghostunnel.nix b/nixos/modules/services/networking/ghostunnel.nix new file mode 100644 index 0000000000000..58a51df6cca2a --- /dev/null +++ b/nixos/modules/services/networking/ghostunnel.nix @@ -0,0 +1,242 @@ +{ config, lib, pkgs, ... }: +let + inherit (lib) + attrValues + concatMap + concatStringsSep + escapeShellArg + literalExample + mapAttrs' + mkDefault + mkEnableOption + mkIf + mkOption + nameValuePair + optional + types + ; + + mainCfg = config.services.ghostunnel; + + module = { config, name, ... }: + { + options = { + + listen = mkOption { + description = '' + Address and port to listen on (can be HOST:PORT, unix:PATH). + ''; + type = types.str; + }; + + target = mkOption { + description = '' + Address to forward connections to (can be HOST:PORT or unix:PATH). + ''; + type = types.str; + }; + + keystore = mkOption { + description = '' + Path to keystore (combined PEM with cert/key, or PKCS12 keystore). + + NB: storepass is not supported because it would expose credentials via <code>/proc/*/cmdline</code>. + + Specify this or <code>cert</code> and <code>key</code>. + ''; + type = types.nullOr types.str; + default = null; + }; + + cert = mkOption { + description = '' + Path to certificate (PEM with certificate chain). + + Not required if <code>keystore</code> is set. + ''; + type = types.nullOr types.str; + default = null; + }; + + key = mkOption { + description = '' + Path to certificate private key (PEM with private key). + + Not required if <code>keystore</code> is set. + ''; + type = types.nullOr types.str; + default = null; + }; + + cacert = mkOption { + description = '' + Path to CA bundle file (PEM/X509). Uses system trust store if <code>null</code>. + ''; + type = types.nullOr types.str; + }; + + disableAuthentication = mkOption { + description = '' + Disable client authentication, no client certificate will be required. + ''; + type = types.bool; + default = false; + }; + + allowAll = mkOption { + description = '' + If true, allow all clients, do not check client cert subject. + ''; + type = types.bool; + default = false; + }; + + allowCN = mkOption { + description = '' + Allow client if common name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + allowOU = mkOption { + description = '' + Allow client if organizational unit name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + allowDNS = mkOption { + description = '' + Allow client if DNS subject alternative name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + allowURI = mkOption { + description = '' + Allow client if URI subject alternative name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + extraArguments = mkOption { + description = "Extra arguments to pass to <code>ghostunnel server</code>"; + type = types.separatedString " "; + default = ""; + }; + + unsafeTarget = mkOption { + description = '' + If set, does not limit target to localhost, 127.0.0.1, [::1], or UNIX sockets. + + This is meant to protect against accidental unencrypted traffic on + untrusted networks. + ''; + type = types.bool; + default = false; + }; + + # Definitions to apply at the root of the NixOS configuration. + atRoot = mkOption { + internal = true; + }; + }; + + # Clients should not be authenticated with the public root certificates + # (afaict, it doesn't make sense), so we only provide that default when + # client cert auth is disabled. + config.cacert = mkIf config.disableAuthentication (mkDefault null); + + config.atRoot = { + assertions = [ + { message = '' + services.ghostunnel.servers.${name}: At least one access control flag is required. + Set at least one of: + - services.ghostunnel.servers.${name}.disableAuthentication + - services.ghostunnel.servers.${name}.allowAll + - services.ghostunnel.servers.${name}.allowCN + - services.ghostunnel.servers.${name}.allowOU + - services.ghostunnel.servers.${name}.allowDNS + - services.ghostunnel.servers.${name}.allowURI + ''; + assertion = config.disableAuthentication + || config.allowAll + || config.allowCN != [] + || config.allowOU != [] + || config.allowDNS != [] + || config.allowURI != [] + ; + } + ]; + + systemd.services."ghostunnel-server-${name}" = { + after = [ "network.target" ]; + wants = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Restart = "always"; + AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]; + DynamicUser = true; + LoadCredential = optional (config.keystore != null) "keystore:${config.keystore}" + ++ optional (config.cert != null) "cert:${config.cert}" + ++ optional (config.key != null) "key:${config.key}" + ++ optional (config.cacert != null) "cacert:${config.cacert}"; + }; + script = concatStringsSep " " ( + [ "${mainCfg.package}/bin/ghostunnel" ] + ++ optional (config.keystore != null) "--keystore=$CREDENTIALS_DIRECTORY/keystore" + ++ optional (config.cert != null) "--cert=$CREDENTIALS_DIRECTORY/cert" + ++ optional (config.key != null) "--key=$CREDENTIALS_DIRECTORY/key" + ++ optional (config.cacert != null) "--cacert=$CREDENTIALS_DIRECTORY/cacert" + ++ [ + "server" + "--listen ${config.listen}" + "--target ${config.target}" + ] ++ optional config.allowAll "--allow-all" + ++ map (v: "--allow-cn=${escapeShellArg v}") config.allowCN + ++ map (v: "--allow-ou=${escapeShellArg v}") config.allowOU + ++ map (v: "--allow-dns=${escapeShellArg v}") config.allowDNS + ++ map (v: "--allow-uri=${escapeShellArg v}") config.allowURI + ++ optional config.disableAuthentication "--disable-authentication" + ++ optional config.unsafeTarget "--unsafe-target" + ++ [ config.extraArguments ] + ); + }; + }; + }; + +in +{ + + options = { + services.ghostunnel.enable = mkEnableOption "ghostunnel"; + + services.ghostunnel.package = mkOption { + description = "The ghostunnel package to use."; + type = types.package; + default = pkgs.ghostunnel; + defaultText = literalExample ''pkgs.ghostunnel''; + }; + + services.ghostunnel.servers = mkOption { + description = '' + Server mode ghostunnels (TLS listener -> plain TCP/UNIX target) + ''; + type = types.attrsOf (types.submodule module); + default = {}; + }; + }; + + config = mkIf mainCfg.enable { + assertions = lib.mkMerge (map (v: v.atRoot.assertions) (attrValues mainCfg.servers)); + systemd = lib.mkMerge (map (v: v.atRoot.systemd) (attrValues mainCfg.servers)); + }; + + meta.maintainers = with lib.maintainers; [ + roberth + ]; +} diff --git a/nixos/modules/services/networking/hans.nix b/nixos/modules/services/networking/hans.nix index 8334dc68d623f..84147db00f619 100644 --- a/nixos/modules/services/networking/hans.nix +++ b/nixos/modules/services/networking/hans.nix @@ -141,5 +141,5 @@ in }; }; - meta.maintainers = with maintainers; [ gnidorah ]; + meta.maintainers = with maintainers; [ ]; } diff --git a/nixos/modules/services/networking/hylafax/faxq-wait.sh b/nixos/modules/services/networking/hylafax/faxq-wait.sh index 8c39e9d20c182..1826aa30e6275 100755 --- a/nixos/modules/services/networking/hylafax/faxq-wait.sh +++ b/nixos/modules/services/networking/hylafax/faxq-wait.sh @@ -1,4 +1,4 @@ -#! @shell@ -e +#! @runtimeShell@ -e # skip this if there are no modems at all if ! stat -t "@spoolAreaPath@"/etc/config.* >/dev/null 2>&1 diff --git a/nixos/modules/services/networking/hylafax/options.nix b/nixos/modules/services/networking/hylafax/options.nix index 7f18c0d39ab4d..74960e69b9ac2 100644 --- a/nixos/modules/services/networking/hylafax/options.nix +++ b/nixos/modules/services/networking/hylafax/options.nix @@ -3,7 +3,7 @@ let inherit (lib.options) literalExample mkEnableOption mkOption; - inherit (lib.types) bool enum int lines attrsOf nullOr path str submodule; + inherit (lib.types) bool enum ints lines attrsOf nullOr path str submodule; inherit (lib.modules) mkDefault mkIf mkMerge; commonDescr = '' @@ -18,7 +18,6 @@ let ''; str1 = lib.types.addCheck str (s: s!=""); # non-empty string - int1 = lib.types.addCheck int (i: i>0); # positive integer configAttrType = # Options in HylaFAX configuration files can be @@ -27,7 +26,7 @@ let # This type definition resolves all # those types into a list of strings. let - inherit (lib.types) attrsOf coercedTo listOf; + inherit (lib.types) attrsOf coercedTo int listOf; innerType = coercedTo bool (x: if x then "Yes" else "No") (coercedTo int (toString) str); in @@ -290,7 +289,7 @@ in ''; }; faxcron.infoDays = mkOption { - type = int1; + type = ints.positive; default = 30; description = '' Set the expiration time for data in the @@ -298,7 +297,7 @@ in ''; }; faxcron.logDays = mkOption { - type = int1; + type = ints.positive; default = 30; description = '' Set the expiration time for @@ -306,7 +305,7 @@ in ''; }; faxcron.rcvDays = mkOption { - type = int1; + type = ints.positive; default = 7; description = '' Set the expiration time for files in @@ -343,7 +342,7 @@ in ''; }; faxqclean.doneqMinutes = mkOption { - type = int1; + type = ints.positive; default = 15; example = literalExample "24*60"; description = '' @@ -353,7 +352,7 @@ in ''; }; faxqclean.docqMinutes = mkOption { - type = int1; + type = ints.positive; default = 60; example = literalExample "24*60"; description = '' diff --git a/nixos/modules/services/networking/hylafax/spool.sh b/nixos/modules/services/networking/hylafax/spool.sh index 31e930e8c5976..8b723df77df9a 100755 --- a/nixos/modules/services/networking/hylafax/spool.sh +++ b/nixos/modules/services/networking/hylafax/spool.sh @@ -1,4 +1,4 @@ -#! @shell@ -e +#! @runtimeShell@ -e # The following lines create/update the HylaFAX spool directory: # Subdirectories/files with persistent data are kept, @@ -80,7 +80,7 @@ touch clientlog faxcron.lastrun xferfaxlog chown @faxuser@:@faxgroup@ clientlog faxcron.lastrun xferfaxlog # create symlinks for frozen directories/files -lnsym --target-directory=. "@hylafax@"/spool/{COPYRIGHT,bin,config} +lnsym --target-directory=. "@hylafaxplus@"/spool/{COPYRIGHT,bin,config} # create empty temporary directories update --mode=0700 -d client dev status @@ -93,7 +93,7 @@ install -d "@spoolAreaPath@/etc" cd "@spoolAreaPath@/etc" # create symlinks to all files in template's etc -lnsym --target-directory=. "@hylafax@/spool/etc"/* +lnsym --target-directory=. "@hylafaxplus@/spool/etc"/* # set LOCKDIR in setup.cache sed --regexp-extended 's|^(UUCP_LOCKDIR=).*$|\1'"'@lockPath@'|g" --in-place setup.cache diff --git a/nixos/modules/services/networking/hylafax/systemd.nix b/nixos/modules/services/networking/hylafax/systemd.nix index f63f7c97ad1ca..4506bbbc5eb73 100644 --- a/nixos/modules/services/networking/hylafax/systemd.nix +++ b/nixos/modules/services/networking/hylafax/systemd.nix @@ -13,11 +13,10 @@ let # creates hylafax config file, # makes sure "Include" is listed *first* let - mkLines = conf: - (lib.concatLists - (lib.flip lib.mapAttrsToList conf - (k: map (v: "${k}: ${v}") - ))); + mkLines = lib.flip lib.pipe [ + (lib.mapAttrsToList (key: map (val: "${key}: ${val}"))) + lib.concatLists + ]; include = mkLines { Include = conf.Include or []; }; other = mkLines ( conf // { Include = []; } ); in @@ -48,13 +47,12 @@ let name = "hylafax-setup-spool.sh"; src = ./spool.sh; isExecutable = true; - inherit (pkgs.stdenv) shell; - hylafax = pkgs.hylafaxplus; faxuser = "uucp"; faxgroup = "uucp"; lockPath = "/var/lock"; inherit globalConfigPath modemConfigPath; inherit (cfg) sendmailPath spoolAreaPath userAccessFile; + inherit (pkgs) hylafaxplus runtimeShell; }; waitFaxqScript = pkgs.substituteAll { @@ -64,8 +62,8 @@ let src = ./faxq-wait.sh; isExecutable = true; timeoutSec = toString 10; - inherit (pkgs.stdenv) shell; inherit (cfg) spoolAreaPath; + inherit (pkgs) runtimeShell; }; sockets.hylafax-hfaxd = { @@ -108,8 +106,10 @@ let PrivateDevices = true; # breaks /dev/tty... PrivateNetwork = true; PrivateTmp = true; + #ProtectClock = true; # breaks /dev/tty... (why?) ProtectControlGroups = true; #ProtectHome = true; # breaks custom spool dirs + ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; #ProtectSystem = "strict"; # breaks custom spool dirs diff --git a/nixos/modules/services/networking/iscsi/initiator.nix b/nixos/modules/services/networking/iscsi/initiator.nix new file mode 100644 index 0000000000000..cbc919a2f76c5 --- /dev/null +++ b/nixos/modules/services/networking/iscsi/initiator.nix @@ -0,0 +1,84 @@ +{ config, lib, pkgs, ... }: with lib; +let + cfg = config.services.openiscsi; +in +{ + options.services.openiscsi = with types; { + enable = mkEnableOption "the openiscsi iscsi daemon"; + enableAutoLoginOut = mkEnableOption '' + automatic login and logout of all automatic targets. + You probably do not want this. + ''; + discoverPortal = mkOption { + type = nullOr str; + default = null; + description = "Portal to discover targets on"; + }; + name = mkOption { + type = str; + description = "Name of this iscsi initiator"; + example = "iqn.2020-08.org.linux-iscsi.initiatorhost:example"; + }; + package = mkOption { + type = package; + description = "openiscsi package to use"; + default = pkgs.openiscsi; + defaultText = "pkgs.openiscsi"; + }; + + extraConfig = mkOption { + type = str; + default = ""; + description = "Lines to append to default iscsid.conf"; + }; + + extraConfigFile = mkOption { + description = '' + Append an additional file's contents to /etc/iscsid.conf. Use a non-store path + and store passwords in this file. + ''; + default = null; + type = nullOr str; + }; + }; + + config = mkIf cfg.enable { + environment.etc."iscsi/iscsid.conf.fragment".source = pkgs.runCommand "iscsid.conf" {} '' + cat "${cfg.package}/etc/iscsi/iscsid.conf" > $out + cat << 'EOF' >> $out + ${cfg.extraConfig} + ${optionalString cfg.enableAutoLoginOut "node.startup = automatic"} + EOF + ''; + environment.etc."iscsi/initiatorname.iscsi".text = "InitiatorName=${cfg.name}"; + + system.activationScripts.iscsid = let + extraCfgDumper = optionalString (cfg.extraConfigFile != null) '' + if [ -f "${cfg.extraConfigFile}" ]; then + printf "\n# The following is from ${cfg.extraConfigFile}:\n" + cat "${cfg.extraConfigFile}" + else + echo "Warning: services.openiscsi.extraConfigFile ${cfg.extraConfigFile} does not exist!" >&2 + fi + ''; + in '' + ( + cat ${config.environment.etc."iscsi/iscsid.conf.fragment".source} + ${extraCfgDumper} + ) > /etc/iscsi/iscsid.conf + ''; + + systemd.packages = [ cfg.package ]; + + systemd.services."iscsid".wantedBy = [ "multi-user.target" ]; + systemd.sockets."iscsid".wantedBy = [ "sockets.target" ]; + + systemd.services."iscsi" = mkIf cfg.enableAutoLoginOut { + wantedBy = [ "remote-fs.target" ]; + serviceConfig.ExecStartPre = mkIf (cfg.discoverPortal != null) "${cfg.package}/bin/iscsiadm --mode discoverydb --type sendtargets --portal ${escapeShellArg cfg.discoverPortal} --discover"; + }; + + environment.systemPackages = [ cfg.package ]; + boot.kernelModules = [ "iscsi_tcp" ]; + }; +} diff --git a/nixos/modules/services/networking/iscsi/root-initiator.nix b/nixos/modules/services/networking/iscsi/root-initiator.nix new file mode 100644 index 0000000000000..3274878c4fae4 --- /dev/null +++ b/nixos/modules/services/networking/iscsi/root-initiator.nix @@ -0,0 +1,181 @@ +{ config, lib, pkgs, ... }: with lib; +let + cfg = config.boot.iscsi-initiator; +in +{ + # If you're booting entirely off another machine you may want to add + # this snippet to always boot the latest "system" version. It is not + # enabled by default in case you have an initrd on a local disk: + # + # boot.initrd.postMountCommands = '' + # ln -sfn /nix/var/nix/profiles/system/init /mnt-root/init + # stage2Init=/init + # ''; + # + # Note: Theoretically you might want to connect to multiple portals and + # log in to multiple targets, however the authors of this module so far + # don't have the need or expertise to reasonably implement it. Also, + # consider carefully before making your boot chain depend on multiple + # machines to be up. + options.boot.iscsi-initiator = with types; { + name = mkOption { + description = '' + Name of the iSCSI initiator to boot from. Note, booting from iscsi + requires networkd based networking. + ''; + default = null; + example = "iqn.2020-08.org.linux-iscsi.initiatorhost:example"; + type = nullOr str; + }; + + discoverPortal = mkOption { + description = '' + iSCSI portal to boot from. + ''; + default = null; + example = "192.168.1.1:3260"; + type = nullOr str; + }; + + target = mkOption { + description = '' + Name of the iSCSI target to boot from. + ''; + default = null; + example = "iqn.2020-08.org.linux-iscsi.targethost:example"; + type = nullOr str; + }; + + logLevel = mkOption { + description = '' + Higher numbers elicits more logs. + ''; + default = 1; + example = 8; + type = int; + }; + + loginAll = mkOption { + description = '' + Do not log into a specific target on the portal, but to all that we discover. + This overrides setting target. + ''; + type = bool; + default = false; + }; + + extraConfig = mkOption { + description = "Extra lines to append to /etc/iscsid.conf"; + default = null; + type = nullOr lines; + }; + + extraConfigFile = mkOption { + description = '' + Append an additional file's contents to `/etc/iscsid.conf`. Use a non-store path + and store passwords in this file. Note: the file specified here must be available + in the initrd, see: `boot.initrd.secrets`. + ''; + default = null; + type = nullOr str; + }; + }; + + config = mkIf (cfg.name != null) { + # The "scripted" networking configuration (ie: non-networkd) + # doesn't properly order the start and stop of the interfaces, and the + # network interfaces are torn down before unmounting disks. Since this + # module is specifically for very-early-boot network mounts, we need + # the network to stay on. + # + # We could probably fix the scripted options to properly order, but I'm + # not inclined to invest that time today. Hopefully this gets users far + # enough along and they can just use networkd. + networking.useNetworkd = true; + networking.useDHCP = false; # Required to set useNetworkd = true + + boot.initrd = { + network.enable = true; + + # By default, the stage-1 disables the network and resets the interfaces + # on startup. Since our startup disks are on the network, we can't let + # the network not work. + network.flushBeforeStage2 = false; + + kernelModules = [ "iscsi_tcp" ]; + + extraUtilsCommands = '' + copy_bin_and_libs ${pkgs.openiscsi}/bin/iscsid + copy_bin_and_libs ${pkgs.openiscsi}/bin/iscsiadm + ${optionalString (!config.boot.initrd.network.ssh.enable) "cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib"} + + mkdir -p $out/etc/iscsi + cp ${config.environment.etc.hosts.source} $out/etc/hosts + cp ${pkgs.openiscsi}/etc/iscsi/iscsid.conf $out/etc/iscsi/iscsid.fragment.conf + chmod +w $out/etc/iscsi/iscsid.fragment.conf + cat << 'EOF' >> $out/etc/iscsi/iscsid.fragment.conf + ${optionalString (cfg.extraConfig != null) cfg.extraConfig} + EOF + ''; + + extraUtilsCommandsTest = '' + $out/bin/iscsiadm --version + ''; + + preLVMCommands = let + extraCfgDumper = optionalString (cfg.extraConfigFile != null) '' + if [ -f "${cfg.extraConfigFile}" ]; then + printf "\n# The following is from ${cfg.extraConfigFile}:\n" + cat "${cfg.extraConfigFile}" + else + echo "Warning: boot.iscsi-initiator.extraConfigFile ${cfg.extraConfigFile} does not exist!" >&2 + fi + ''; + in '' + ${optionalString (!config.boot.initrd.network.ssh.enable) '' + # stolen from initrd-ssh.nix + echo 'root:x:0:0:root:/root:/bin/ash' > /etc/passwd + echo 'passwd: files' > /etc/nsswitch.conf + ''} + + cp -f $extraUtils/etc/hosts /etc/hosts + + mkdir -p /etc/iscsi /run/lock/iscsi + echo "InitiatorName=${cfg.name}" > /etc/iscsi/initiatorname.iscsi + + ( + cat "$extraUtils/etc/iscsi/iscsid.fragment.conf" + printf "\n" + ${optionalString cfg.loginAll ''echo "node.startup = automatic"''} + ${extraCfgDumper} + ) > /etc/iscsi/iscsid.conf + + iscsid --foreground --no-pid-file --debug ${toString cfg.logLevel} & + iscsiadm --mode discoverydb \ + --type sendtargets \ + --discover \ + --portal ${escapeShellArg cfg.discoverPortal} \ + --debug ${toString cfg.logLevel} + + ${if cfg.loginAll then '' + iscsiadm --mode node --loginall all + '' else '' + iscsiadm --mode node --targetname ${escapeShellArg cfg.target} --login + ''} + pkill -9 iscsid + ''; + }; + + services.openiscsi = { + enable = true; + inherit (cfg) name; + }; + + assertions = [ + { + assertion = cfg.loginAll -> cfg.target == null; + message = "iSCSI target name is set while login on all portals is enabled."; + } + ]; + }; +} diff --git a/nixos/modules/services/networking/iscsi/target.nix b/nixos/modules/services/networking/iscsi/target.nix new file mode 100644 index 0000000000000..8a10e7d346ae3 --- /dev/null +++ b/nixos/modules/services/networking/iscsi/target.nix @@ -0,0 +1,53 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.target; +in +{ + ###### interface + options = { + services.target = with types; { + enable = mkEnableOption "the kernel's LIO iscsi target"; + + config = mkOption { + type = attrs; + default = {}; + description = '' + Content of /etc/target/saveconfig.json + This file is normally read and written by targetcli + ''; + }; + }; + }; + + ###### implementation + config = mkIf cfg.enable { + environment.etc."target/saveconfig.json" = { + text = builtins.toJSON cfg.config; + mode = "0600"; + }; + + environment.systemPackages = with pkgs; [ targetcli ]; + + boot.kernelModules = [ "configfs" "target_core_mod" "iscsi_target_mod" ]; + + systemd.services.iscsi-target = { + enable = true; + after = [ "network.target" "local-fs.target" ]; + requires = [ "sys-kernel-config.mount" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.python3.pkgs.rtslib}/bin/targetctl restore"; + ExecStop = "${pkgs.python3.pkgs.rtslib}/bin/targetctl clear"; + RemainAfterExit = "yes"; + }; + }; + + systemd.tmpfiles.rules = [ + "d /etc/target 0700 root root - -" + ]; + }; +} diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix index 3f9be6172f1bc..9b94c390e9852 100644 --- a/nixos/modules/services/networking/kresd.nix +++ b/nixos/modules/services/networking/kresd.nix @@ -29,8 +29,6 @@ let + concatMapStrings (mkListen "doh2") cfg.listenDoH + cfg.extraConfig ); - - package = pkgs.knot-resolver; in { meta.maintainers = [ maintainers.vcunat /* upstream developer */ ]; @@ -58,6 +56,15 @@ in { and give commands interactively to kresd@1.service. ''; }; + package = mkOption { + type = types.package; + description = " + knot-resolver package to use. + "; + default = pkgs.knot-resolver; + defaultText = "pkgs.knot-resolver"; + example = literalExample "pkgs.knot-resolver.override { extraFeatures = true; }"; + }; extraConfig = mkOption { type = types.lines; default = ""; @@ -115,7 +122,7 @@ in { }; users.groups.knot-resolver.gid = null; - systemd.packages = [ package ]; # the units are patched inside the package a bit + systemd.packages = [ cfg.package ]; # the units are patched inside the package a bit systemd.targets.kresd = { # configure units started by default wantedBy = [ "multi-user.target" ]; @@ -123,8 +130,8 @@ in { ++ map (i: "kresd@${toString i}.service") (range 1 cfg.instances); }; systemd.services."kresd@".serviceConfig = { - ExecStart = "${package}/bin/kresd --noninteractive " - + "-c ${package}/lib/knot-resolver/distro-preconfig.lua -c ${configFile}"; + ExecStart = "${cfg.package}/bin/kresd --noninteractive " + + "-c ${cfg.package}/lib/knot-resolver/distro-preconfig.lua -c ${configFile}"; # Ensure /run/knot-resolver exists RuntimeDirectory = "knot-resolver"; RuntimeDirectoryMode = "0770"; diff --git a/nixos/modules/services/networking/libreswan.nix b/nixos/modules/services/networking/libreswan.nix index 81bc4e1cf95cc..1f0423ac3d843 100644 --- a/nixos/modules/services/networking/libreswan.nix +++ b/nixos/modules/services/networking/libreswan.nix @@ -9,21 +9,22 @@ let libexec = "${pkgs.libreswan}/libexec/ipsec"; ipsec = "${pkgs.libreswan}/sbin/ipsec"; - trim = chars: str: let - nonchars = filter (x : !(elem x.value chars)) - (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str)); - in - if length nonchars == 0 then "" - else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str; + trim = chars: str: + let + nonchars = filter (x : !(elem x.value chars)) + (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str)); + in + if length nonchars == 0 then "" + else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str; indent = str: concatStrings (concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (splitString "\n" str)); configText = indent (toString cfg.configSetup); connectionText = concatStrings (mapAttrsToList (n: v: '' conn ${n} ${indent v} - '') cfg.connections); - configFile = pkgs.writeText "ipsec.conf" + + configFile = pkgs.writeText "ipsec-nixos.conf" '' config setup ${configText} @@ -31,6 +32,11 @@ let ${connectionText} ''; + policyFiles = mapAttrs' (name: text: + { name = "ipsec.d/policies/${name}"; + value.source = pkgs.writeText "ipsec-policy-${name}" text; + }) cfg.policies; + in { @@ -41,41 +47,71 @@ in services.libreswan = { - enable = mkEnableOption "libreswan ipsec service"; + enable = mkEnableOption "Libreswan IPsec service"; configSetup = mkOption { type = types.lines; default = '' protostack=netkey - nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 ''; example = '' secretsfile=/root/ipsec.secrets protostack=netkey - nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 ''; - description = "Options to go in the 'config setup' section of the libreswan ipsec configuration"; + description = "Options to go in the 'config setup' section of the Libreswan IPsec configuration"; }; connections = mkOption { type = types.attrsOf types.lines; default = {}; - example = { - myconnection = '' - auto=add - left=%defaultroute - leftid=@user - - right=my.vpn.com - - ikev2=no - ikelifetime=8h - ''; - }; - description = "A set of connections to define for the libreswan ipsec service"; + example = literalExample '' + { myconnection = ''' + auto=add + left=%defaultroute + leftid=@user + + right=my.vpn.com + + ikev2=no + ikelifetime=8h + '''; + } + ''; + description = "A set of connections to define for the Libreswan IPsec service"; + }; + + policies = mkOption { + type = types.attrsOf types.lines; + default = {}; + example = literalExample '' + { private-or-clear = ''' + # Attempt opportunistic IPsec for the entire Internet + 0.0.0.0/0 + ::/0 + '''; + } + ''; + description = '' + A set of policies to apply to the IPsec connections. + + <note><para> + The policy name must match the one of connection it needs to apply to. + </para></note> + ''; }; + + disableRedirects = mkOption { + type = types.bool; + default = true; + description = '' + Whether to disable send and accept redirects for all nework interfaces. + See the Libreswan <link xlink:href="https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F"> + FAQ</link> page for why this is recommended. + ''; + }; + }; }; @@ -85,43 +121,38 @@ in config = mkIf cfg.enable { + # Install package, systemd units, etc. environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ]; + systemd.packages = [ pkgs.libreswan ]; + systemd.tmpfiles.packages = [ pkgs.libreswan ]; + + # Install configuration files + environment.etc = { + "ipsec.secrets".source = "${pkgs.libreswan}/etc/ipsec.secrets"; + "ipsec.conf".source = "${pkgs.libreswan}/etc/ipsec.conf"; + "ipsec.d/01-nixos.conf".source = configFile; + } // policyFiles; + + # Create NSS database directory + systemd.tmpfiles.rules = [ "d /var/lib/ipsec/nss 755 root root -" ]; systemd.services.ipsec = { description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec"; - path = [ - "${pkgs.libreswan}" - "${pkgs.iproute2}" - "${pkgs.procps}" - "${pkgs.nssTools}" - "${pkgs.iptables}" - "${pkgs.nettools}" - ]; - - wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - Type = "simple"; - Restart = "always"; - EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto"; - ExecStartPre = [ - "${libexec}/addconn --config ${configFile} --checkconfig" - "${libexec}/_stackmanager start" - "${ipsec} --checknss" - "${ipsec} --checknflog" - ]; - ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS"; - ExecStop = "${libexec}/whack --shutdown"; - ExecStopPost = [ - "${pkgs.iproute2}/bin/ip xfrm policy flush" - "${pkgs.iproute2}/bin/ip xfrm state flush" - "${ipsec} --stopnflog" - ]; - ExecReload = "${libexec}/whack --listen"; - }; - + restartTriggers = [ configFile ] ++ mapAttrsToList (n: v: v.source) policyFiles; + path = with pkgs; [ + libreswan + iproute2 + procps + nssTools + iptables + nettools + ]; + preStart = optionalString cfg.disableRedirects '' + # Disable send/receive redirects + echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects + echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects + ''; }; }; diff --git a/nixos/modules/services/networking/monero.nix b/nixos/modules/services/networking/monero.nix index fde3293fc131f..952d1d47ca672 100644 --- a/nixos/modules/services/networking/monero.nix +++ b/nixos/modules/services/networking/monero.nix @@ -4,7 +4,6 @@ with lib; let cfg = config.services.monero; - dataDir = "/var/lib/monero"; listToConf = option: list: concatMapStrings (value: "${option}=${value}\n") list; @@ -53,11 +52,19 @@ in enable = mkEnableOption "Monero node daemon"; + dataDir = mkOption { + type = types.str; + default = "/var/lib/monero"; + description = '' + The directory where Monero stores its data files. + ''; + }; + mining.enable = mkOption { type = types.bool; default = false; description = '' - Whether to mine moneroj. + Whether to mine monero. ''; }; @@ -198,15 +205,14 @@ in config = mkIf cfg.enable { users.users.monero = { - uid = config.ids.uids.monero; + isSystemUser = true; + group = "monero"; description = "Monero daemon user"; - home = dataDir; + home = cfg.dataDir; createHome = true; }; - users.groups.monero = { - gid = config.ids.gids.monero; - }; + users.groups.monero = { }; systemd.services.monero = { description = "monero daemon"; diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix index 10b49d9b2206e..8e814ffd0b9b0 100644 --- a/nixos/modules/services/networking/mosquitto.nix +++ b/nixos/modules/services/networking/mosquitto.nix @@ -20,8 +20,7 @@ let acl_file ${aclFile} persistence true allow_anonymous ${boolToString cfg.allowAnonymous} - bind_address ${cfg.host} - port ${toString cfg.port} + listener ${toString cfg.port} ${cfg.host} ${passwordConf} ${listenerConf} ${cfg.extraConf} @@ -233,15 +232,50 @@ in ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - ProtectSystem = "strict"; - ProtectHome = true; + # Hardening + CapabilityBoundingSet = ""; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; PrivateDevices = true; PrivateTmp = true; - ReadWritePaths = "${cfg.dataDir}"; + PrivateUsers = true; + ProtectClock = true; ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; - NoNewPrivileges = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "strict"; + ReadWritePaths = [ + cfg.dataDir + "/tmp" # mosquitto_passwd creates files in /tmp before moving them + ]; + ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [ + certfile + keyfile + cafile + ]; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_UNIX" # for sd_notify() call + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + UMask = "0077"; }; preStart = '' rm -f ${cfg.dataDir}/passwd diff --git a/nixos/modules/services/networking/mxisd.nix b/nixos/modules/services/networking/mxisd.nix index 482d6ff456b16..f29d190c62623 100644 --- a/nixos/modules/services/networking/mxisd.nix +++ b/nixos/modules/services/networking/mxisd.nix @@ -41,8 +41,8 @@ in { package = mkOption { type = types.package; - default = pkgs.mxisd; - defaultText = "pkgs.mxisd"; + default = pkgs.ma1sd; + defaultText = "pkgs.ma1sd"; description = "The mxisd/ma1sd package to use"; }; diff --git a/nixos/modules/services/networking/ncdns.nix b/nixos/modules/services/networking/ncdns.nix index c1832ad175205..d30fe0f6f6d19 100644 --- a/nixos/modules/services/networking/ncdns.nix +++ b/nixos/modules/services/networking/ncdns.nix @@ -243,8 +243,10 @@ in xlog.journal = true; }; - users.users.ncdns = - { description = "ncdns daemon user"; }; + users.users.ncdns = { + isSystemUser = true; + description = "ncdns daemon user"; + }; systemd.services.ncdns = { description = "ncdns daemon"; diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix new file mode 100644 index 0000000000000..e7ebfe1b4db7d --- /dev/null +++ b/nixos/modules/services/networking/nebula.nix @@ -0,0 +1,219 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.nebula; + enabledNetworks = filterAttrs (n: v: v.enable) cfg.networks; + + format = pkgs.formats.yaml {}; + + nameToId = netName: "nebula-${netName}"; +in +{ + # Interface + + options = { + services.nebula = { + networks = mkOption { + description = "Nebula network definitions."; + default = {}; + type = types.attrsOf (types.submodule { + options = { + enable = mkOption { + type = types.bool; + default = true; + description = "Enable or disable this network."; + }; + + package = mkOption { + type = types.package; + default = pkgs.nebula; + defaultText = "pkgs.nebula"; + description = "Nebula derivation to use."; + }; + + ca = mkOption { + type = types.path; + description = "Path to the certificate authority certificate."; + example = "/etc/nebula/ca.crt"; + }; + + cert = mkOption { + type = types.path; + description = "Path to the host certificate."; + example = "/etc/nebula/host.crt"; + }; + + key = mkOption { + type = types.path; + description = "Path to the host key."; + example = "/etc/nebula/host.key"; + }; + + staticHostMap = mkOption { + type = types.attrsOf (types.listOf (types.str)); + default = {}; + description = '' + The static host map defines a set of hosts with fixed IP addresses on the internet (or any network). + A host can have multiple fixed IP addresses defined here, and nebula will try each when establishing a tunnel. + ''; + example = literalExample '' + { "192.168.100.1" = [ "100.64.22.11:4242" ]; } + ''; + }; + + isLighthouse = mkOption { + type = types.bool; + default = false; + description = "Whether this node is a lighthouse."; + }; + + lighthouses = mkOption { + type = types.listOf types.str; + default = []; + description = '' + List of IPs of lighthouse hosts this node should report to and query from. This should be empty on lighthouse + nodes. The IPs should be the lighthouse's Nebula IPs, not their external IPs. + ''; + example = ''[ "192.168.100.1" ]''; + }; + + listen.host = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "IP address to listen on."; + }; + + listen.port = mkOption { + type = types.port; + default = 4242; + description = "Port number to listen on."; + }; + + tun.disable = mkOption { + type = types.bool; + default = false; + description = '' + When tun is disabled, a lighthouse can be started without a local tun interface (and therefore without root). + ''; + }; + + tun.device = mkOption { + type = types.nullOr types.str; + default = null; + description = "Name of the tun device. Defaults to nebula.\${networkName}."; + }; + + firewall.outbound = mkOption { + type = types.listOf types.attrs; + default = []; + description = "Firewall rules for outbound traffic."; + example = ''[ { port = "any"; proto = "any"; host = "any"; } ]''; + }; + + firewall.inbound = mkOption { + type = types.listOf types.attrs; + default = []; + description = "Firewall rules for inbound traffic."; + example = ''[ { port = "any"; proto = "any"; host = "any"; } ]''; + }; + + settings = mkOption { + type = format.type; + default = {}; + description = '' + Nebula configuration. Refer to + <link xlink:href="https://github.com/slackhq/nebula/blob/master/examples/config.yml"/> + for details on supported values. + ''; + example = literalExample '' + { + lighthouse.dns = { + host = "0.0.0.0"; + port = 53; + }; + } + ''; + }; + }; + }); + }; + }; + }; + + # Implementation + config = mkIf (enabledNetworks != {}) { + systemd.services = mkMerge (mapAttrsToList (netName: netCfg: + let + networkId = nameToId netName; + settings = recursiveUpdate { + pki = { + ca = netCfg.ca; + cert = netCfg.cert; + key = netCfg.key; + }; + static_host_map = netCfg.staticHostMap; + lighthouse = { + am_lighthouse = netCfg.isLighthouse; + hosts = netCfg.lighthouses; + }; + listen = { + host = netCfg.listen.host; + port = netCfg.listen.port; + }; + tun = { + disabled = netCfg.tun.disable; + dev = if (netCfg.tun.device != null) then netCfg.tun.device else "nebula.${netName}"; + }; + firewall = { + inbound = netCfg.firewall.inbound; + outbound = netCfg.firewall.outbound; + }; + } netCfg.settings; + configFile = format.generate "nebula-config-${netName}.yml" settings; + in + { + # Create systemd service for Nebula. + "nebula@${netName}" = { + description = "Nebula VPN service for ${netName}"; + wants = [ "basic.target" ]; + after = [ "basic.target" "network.target" ]; + before = [ "sshd.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = mkMerge [ + { + Type = "simple"; + Restart = "always"; + ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}"; + } + # The service needs to launch as root to access the tun device, if it's enabled. + (mkIf netCfg.tun.disable { + User = networkId; + Group = networkId; + }) + ]; + }; + }) enabledNetworks); + + # Open the chosen ports for UDP. + networking.firewall.allowedUDPPorts = + unique (mapAttrsToList (netName: netCfg: netCfg.listen.port) enabledNetworks); + + # Create the service users and groups. + users.users = mkMerge (mapAttrsToList (netName: netCfg: + mkIf netCfg.tun.disable { + ${nameToId netName} = { + group = nameToId netName; + description = "Nebula service user for network ${netName}"; + isSystemUser = true; + }; + }) enabledNetworks); + + users.groups = mkMerge (mapAttrsToList (netName: netCfg: + mkIf netCfg.tun.disable { + ${nameToId netName} = {}; + }) enabledNetworks); + }; +} diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 119bd09e2fdb5..135f29be58c09 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -484,6 +484,8 @@ in { }) ]; + boot.kernelModules = [ "ctr" ]; + security.polkit.extraConfig = polkitConf; services.dbus.packages = cfg.packages diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix index f33c350a257a9..2ac0a8c7922ed 100644 --- a/nixos/modules/services/networking/nsd.nix +++ b/nixos/modules/services/networking/nsd.nix @@ -20,6 +20,15 @@ let mkZoneFileName = name: if name == "." then "root" else name; + # replaces include: directives for keys with fake keys for nsd-checkconf + injectFakeKeys = keys: concatStrings + (mapAttrsToList + (keyName: keyOptions: '' + fakeKey="$(${pkgs.bind}/bin/tsig-keygen -a ${escapeShellArgs [ keyOptions.algorithm keyName ]} | grep -oP "\s*secret \"\K.*(?=\";)")" + sed "s@^\s*include:\s*\"${stateDir}/private/${keyName}\"\$@secret: $fakeKey@" -i $out/nsd.conf + '') + keys); + nsdEnv = pkgs.buildEnv { name = "nsd-env"; @@ -34,9 +43,9 @@ let echo "|- checking zone '$out/zones/$zoneFile'" ${nsdPkg}/sbin/nsd-checkzone "$zoneFile" "$zoneFile" || { if grep -q \\\\\\$ "$zoneFile"; then - echo zone "$zoneFile" contains escaped dollar signes \\\$ - echo Escaping them is not needed any more. Please make shure \ - to unescape them where they prefix a variable name + echo zone "$zoneFile" contains escaped dollar signs \\\$ + echo Escaping them is not needed any more. Please make sure \ + to unescape them where they prefix a variable name. fi exit 1 @@ -44,7 +53,14 @@ let done echo "checking configuration file" + # Save original config file including key references... + cp $out/nsd.conf{,.orig} + # ...inject mock keys into config + ${injectFakeKeys cfg.keys} + # ...do the checkconf ${nsdPkg}/sbin/nsd-checkconf $out/nsd.conf + # ... and restore original config file. + mv $out/nsd.conf{.orig,} ''; }; diff --git a/nixos/modules/services/networking/pixiecore.nix b/nixos/modules/services/networking/pixiecore.nix index 85aa40784af8f..d2642c82c2d37 100644 --- a/nixos/modules/services/networking/pixiecore.nix +++ b/nixos/modules/services/networking/pixiecore.nix @@ -93,6 +93,7 @@ in users.users.pixiecore = { description = "Pixiecore daemon user"; group = "pixiecore"; + isSystemUser = true; }; networking.firewall = mkIf cfg.openFirewall { diff --git a/nixos/modules/services/networking/pleroma.nix b/nixos/modules/services/networking/pleroma.nix index 9b2bf9f61244c..2687230a158df 100644 --- a/nixos/modules/services/networking/pleroma.nix +++ b/nixos/modules/services/networking/pleroma.nix @@ -75,6 +75,7 @@ in { description = "Pleroma user"; home = cfg.stateDir; extraGroups = [ cfg.group ]; + isSystemUser = true; }; groups."${cfg.group}" = {}; }; diff --git a/nixos/modules/services/networking/privoxy.nix b/nixos/modules/services/networking/privoxy.nix index 7c22b7d09b9bd..df818baa465d9 100644 --- a/nixos/modules/services/networking/privoxy.nix +++ b/nixos/modules/services/networking/privoxy.nix @@ -242,7 +242,7 @@ in "default.action" ] ++ optional cfg.inspectHttps (toString inspectAction); } // (optionalAttrs cfg.enableTor { - forward-socks5 = "127.0.0.1:9063 ."; + forward-socks5 = "/ 127.0.0.1:9063 ."; toggle = true; enable-remote-toggle = false; enable-edit-actions = false; diff --git a/nixos/modules/services/networking/quagga.nix b/nixos/modules/services/networking/quagga.nix deleted file mode 100644 index 7c169fe62d8d9..0000000000000 --- a/nixos/modules/services/networking/quagga.nix +++ /dev/null @@ -1,185 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.services.quagga; - - services = [ "babel" "bgp" "isis" "ospf6" "ospf" "pim" "rip" "ripng" ]; - allServices = services ++ [ "zebra" ]; - - isEnabled = service: cfg.${service}.enable; - - daemonName = service: if service == "zebra" then service else "${service}d"; - - configFile = service: - let - scfg = cfg.${service}; - in - if scfg.configFile != null then scfg.configFile - else pkgs.writeText "${daemonName service}.conf" - '' - ! Quagga ${daemonName service} configuration - ! - hostname ${config.networking.hostName} - log syslog - service password-encryption - ! - ${scfg.config} - ! - end - ''; - - serviceOptions = service: - { - enable = mkEnableOption "the Quagga ${toUpper service} routing protocol"; - - configFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/etc/quagga/${daemonName service}.conf"; - description = '' - Configuration file to use for Quagga ${daemonName service}. - By default the NixOS generated files are used. - ''; - }; - - config = mkOption { - type = types.lines; - default = ""; - example = - let - examples = { - rip = '' - router rip - network 10.0.0.0/8 - ''; - - ospf = '' - router ospf - network 10.0.0.0/8 area 0 - ''; - - bgp = '' - router bgp 65001 - neighbor 10.0.0.1 remote-as 65001 - ''; - }; - in - examples.${service} or ""; - description = '' - ${daemonName service} configuration statements. - ''; - }; - - vtyListenAddress = mkOption { - type = types.str; - default = "127.0.0.1"; - description = '' - Address to bind to for the VTY interface. - ''; - }; - - vtyListenPort = mkOption { - type = types.nullOr types.int; - default = null; - description = '' - TCP Port to bind to for the VTY interface. - ''; - }; - }; - -in - -{ - - ###### interface - imports = [ - { - options.services.quagga = { - zebra = (serviceOptions "zebra") // { - enable = mkOption { - type = types.bool; - default = any isEnabled services; - description = '' - Whether to enable the Zebra routing manager. - - The Zebra routing manager is automatically enabled - if any routing protocols are configured. - ''; - }; - }; - }; - } - { options.services.quagga = (genAttrs services serviceOptions); } - ]; - - ###### implementation - - config = mkIf (any isEnabled allServices) { - - environment.systemPackages = [ - pkgs.quagga # for the vtysh tool - ]; - - users.users.quagga = { - description = "Quagga daemon user"; - isSystemUser = true; - group = "quagga"; - }; - - users.groups = { - quagga = {}; - # Members of the quaggavty group can use vtysh to inspect the Quagga daemons - quaggavty = { members = [ "quagga" ]; }; - }; - - systemd.services = - let - quaggaService = service: - let - scfg = cfg.${service}; - daemon = daemonName service; - in - nameValuePair daemon ({ - wantedBy = [ "multi-user.target" ]; - restartTriggers = [ (configFile service) ]; - - serviceConfig = { - Type = "forking"; - PIDFile = "/run/quagga/${daemon}.pid"; - ExecStart = "@${pkgs.quagga}/libexec/quagga/${daemon} ${daemon} -d -f ${configFile service}" - + optionalString (scfg.vtyListenAddress != "") " -A ${scfg.vtyListenAddress}" - + optionalString (scfg.vtyListenPort != null) " -P ${toString scfg.vtyListenPort}"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - Restart = "on-abort"; - }; - } // ( - if service == "zebra" then - { - description = "Quagga Zebra routing manager"; - unitConfig.Documentation = "man:zebra(8)"; - after = [ "network.target" ]; - preStart = '' - install -m 0755 -o quagga -g quagga -d /run/quagga - - ${pkgs.iproute2}/bin/ip route flush proto zebra - ''; - } - else - { - description = "Quagga ${toUpper service} routing daemon"; - unitConfig.Documentation = "man:${daemon}(8) man:zebra(8)"; - bindsTo = [ "zebra.service" ]; - after = [ "network.target" "zebra.service" ]; - } - )); - in - listToAttrs (map quaggaService (filter isEnabled allServices)); - - }; - - meta.maintainers = with lib.maintainers; [ tavyc ]; - -} diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix index 5af035fd59e05..8c632c319d3c0 100644 --- a/nixos/modules/services/networking/radicale.nix +++ b/nixos/modules/services/networking/radicale.nix @@ -3,56 +3,103 @@ with lib; let - cfg = config.services.radicale; - confFile = pkgs.writeText "radicale.conf" cfg.config; - - defaultPackage = if versionAtLeast config.system.stateVersion "20.09" then { - pkg = pkgs.radicale3; - text = "pkgs.radicale3"; - } else if versionAtLeast config.system.stateVersion "17.09" then { - pkg = pkgs.radicale2; - text = "pkgs.radicale2"; - } else { - pkg = pkgs.radicale1; - text = "pkgs.radicale1"; + format = pkgs.formats.ini { + listToValue = concatMapStringsSep ", " (generators.mkValueStringDefault { }); }; -in -{ + pkg = if isNull cfg.package then + pkgs.radicale + else + cfg.package; + + confFile = if cfg.settings == { } then + pkgs.writeText "radicale.conf" cfg.config + else + format.generate "radicale.conf" cfg.settings; + + rightsFile = format.generate "radicale.rights" cfg.rights; - options = { - services.radicale.enable = mkOption { - type = types.bool; - default = false; + bindLocalhost = cfg.settings != { } && !hasAttrByPath [ "server" "hosts" ] cfg.settings; + +in { + options.services.radicale = { + enable = mkEnableOption "Radicale CalDAV and CardDAV server"; + + package = mkOption { + description = "Radicale package to use."; + # Default cannot be pkgs.radicale because non-null values suppress + # warnings about incompatible configuration and storage formats. + type = with types; nullOr package // { inherit (package) description; }; + default = null; + defaultText = "pkgs.radicale"; + }; + + config = mkOption { + type = types.str; + default = ""; description = '' - Enable Radicale CalDAV and CardDAV server. + Radicale configuration, this will set the service + configuration file. + This option is mutually exclusive with <option>settings</option>. + This option is deprecated. Use <option>settings</option> instead. ''; }; - services.radicale.package = mkOption { - type = types.package; - default = defaultPackage.pkg; - defaultText = defaultPackage.text; + settings = mkOption { + type = format.type; + default = { }; description = '' - Radicale package to use. This defaults to version 1.x if - <literal>system.stateVersion < 17.09</literal>, version 2.x if - <literal>17.09 ≤ system.stateVersion < 20.09</literal>, and - version 3.x otherwise. + Configuration for Radicale. See + <link xlink:href="https://radicale.org/3.0.html#documentation/configuration" />. + This option is mutually exclusive with <option>config</option>. + ''; + example = literalExample '' + server = { + hosts = [ "0.0.0.0:5232" "[::]:5232" ]; + }; + auth = { + type = "htpasswd"; + htpasswd_filename = "/etc/radicale/users"; + htpasswd_encryption = "bcrypt"; + }; + storage = { + filesystem_folder = "/var/lib/radicale/collections"; + }; ''; }; - services.radicale.config = mkOption { - type = types.str; - default = ""; + rights = mkOption { + type = format.type; description = '' - Radicale configuration, this will set the service - configuration file. + Configuration for Radicale's rights file. See + <link xlink:href="https://radicale.org/3.0.html#documentation/authentication-and-rights" />. + This option only works in conjunction with <option>settings</option>. + Setting this will also set <option>settings.rights.type</option> and + <option>settings.rights.file</option> to approriate values. + ''; + default = { }; + example = literalExample '' + root = { + user = ".+"; + collection = ""; + permissions = "R"; + }; + principal = { + user = ".+"; + collection = "{user}"; + permissions = "RW"; + }; + calendars = { + user = ".+"; + collection = "{user}/[^/]+"; + permissions = "rw"; + }; ''; }; - services.radicale.extraArgs = mkOption { + extraArgs = mkOption { type = types.listOf types.str; default = []; description = "Extra arguments passed to the Radicale daemon."; @@ -60,33 +107,94 @@ in }; config = mkIf cfg.enable { - environment.systemPackages = [ cfg.package ]; + assertions = [ + { + assertion = cfg.settings == { } || cfg.config == ""; + message = '' + The options services.radicale.config and services.radicale.settings + are mutually exclusive. + ''; + } + ]; - users.users.radicale = - { uid = config.ids.uids.radicale; - description = "radicale user"; - home = "/var/lib/radicale"; - createHome = true; - }; + warnings = optional (isNull cfg.package && versionOlder config.system.stateVersion "17.09") '' + The configuration and storage formats of your existing Radicale + installation might be incompatible with the newest version. + For upgrade instructions see + https://radicale.org/2.1.html#documentation/migration-from-1xx-to-2xx. + Set services.radicale.package to suppress this warning. + '' ++ optional (isNull cfg.package && versionOlder config.system.stateVersion "20.09") '' + The configuration format of your existing Radicale installation might be + incompatible with the newest version. For upgrade instructions see + https://github.com/Kozea/Radicale/blob/3.0.6/NEWS.md#upgrade-checklist. + Set services.radicale.package to suppress this warning. + '' ++ optional (cfg.config != "") '' + The option services.radicale.config is deprecated. + Use services.radicale.settings instead. + ''; + + services.radicale.settings.rights = mkIf (cfg.rights != { }) { + type = "from_file"; + file = toString rightsFile; + }; + + environment.systemPackages = [ pkg ]; + + users.users.radicale.uid = config.ids.uids.radicale; - users.groups.radicale = - { gid = config.ids.gids.radicale; }; + users.groups.radicale.gid = config.ids.gids.radicale; systemd.services.radicale = { description = "A Simple Calendar and Contact Server"; after = [ "network.target" ]; + requires = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = concatStringsSep " " ([ - "${cfg.package}/bin/radicale" "-C" confFile + "${pkg}/bin/radicale" "-C" confFile ] ++ ( map escapeShellArg cfg.extraArgs )); User = "radicale"; Group = "radicale"; + StateDirectory = "radicale/collections"; + StateDirectoryMode = "0750"; + # Hardening + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "/dev/stdin" ]; + DevicePolicy = "strict"; + IPAddressAllow = mkIf bindLocalhost "localhost"; + IPAddressDeny = mkIf bindLocalhost "any"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadWritePaths = lib.optional + (hasAttrByPath [ "storage" "filesystem_folder" ] cfg.settings) + cfg.settings.storage.filesystem_folder; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0027"; }; }; }; - meta.maintainers = with lib.maintainers; [ aneeshusa infinisil ]; + meta.maintainers = with lib.maintainers; [ aneeshusa infinisil dotlambda ]; } diff --git a/nixos/modules/services/networking/searx.nix b/nixos/modules/services/networking/searx.nix index a515e4a3dc3ba..04f7d7e31f467 100644 --- a/nixos/modules/services/networking/searx.nix +++ b/nixos/modules/services/networking/searx.nix @@ -4,23 +4,25 @@ with lib; let runDir = "/run/searx"; + cfg = config.services.searx; + settingsFile = pkgs.writeText "settings.yml" + (builtins.toJSON cfg.settings); + generateConfig = '' cd ${runDir} # write NixOS settings as JSON - cat <<'EOF' > settings.yml - ${builtins.toJSON cfg.settings} - EOF + ( + umask 077 + cp --no-preserve=mode ${settingsFile} settings.yml + ) # substitute environment variables env -0 | while IFS='=' read -r -d ''' n v; do sed "s#@$n@#$v#g" -i settings.yml done - - # set strict permissions - chmod 400 settings.yml ''; settingType = with types; (oneOf diff --git a/nixos/modules/services/networking/solanum.nix b/nixos/modules/services/networking/solanum.nix new file mode 100644 index 0000000000000..989621b204ce6 --- /dev/null +++ b/nixos/modules/services/networking/solanum.nix @@ -0,0 +1,104 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkEnableOption mkIf mkOption types; + inherit (pkgs) solanum; + cfg = config.services.solanum; + + configFile = pkgs.writeText "solanum.conf" cfg.config; +in + +{ + + ###### interface + + options = { + + services.solanum = { + + enable = mkEnableOption "Solanum IRC daemon"; + + config = mkOption { + type = types.str; + default = '' + serverinfo { + name = "irc.example.com"; + sid = "1ix"; + description = "irc!"; + + vhost = "0.0.0.0"; + vhost6 = "::"; + }; + + listen { + host = "0.0.0.0"; + port = 6667; + }; + + auth { + user = "*@*"; + class = "users"; + flags = exceed_limit; + }; + channel { + default_split_user_count = 0; + }; + ''; + description = '' + Solanum IRC daemon configuration file. + check <link xlink:href="https://github.com/solanum-ircd/solanum/blob/main/doc/reference.conf"/> for all options. + ''; + }; + + openFilesLimit = mkOption { + type = types.int; + default = 1024; + description = '' + Maximum number of open files. Limits the clients and server connections. + ''; + }; + + motd = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Solanum MOTD text. + + Solanum will read its MOTD from <literal>/etc/solanum/ircd.motd</literal>. + If set, the value of this option will be written to this path. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable (lib.mkMerge [ + { + systemd.services.solanum = { + description = "Solanum IRC daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = { + BANDB_DBPATH = "/var/lib/solanum/ban.db"; + }; + serviceConfig = { + ExecStart = "${solanum}/bin/solanum -foreground -logfile /dev/stdout -configfile ${configFile} -pidfile /run/solanum/ircd.pid"; + DynamicUser = true; + User = "solanum"; + StateDirectory = "solanum"; + RuntimeDirectory = "solanum"; + LimitNOFILE = "${toString cfg.openFilesLimit}"; + }; + }; + + } + + (mkIf (cfg.motd != null) { + environment.etc."solanum/ircd.motd".text = cfg.motd; + }) + ]); +} diff --git a/nixos/modules/services/networking/spacecookie.nix b/nixos/modules/services/networking/spacecookie.nix index c4d06df6ad4ab..e0bef9e9628d6 100644 --- a/nixos/modules/services/networking/spacecookie.nix +++ b/nixos/modules/services/networking/spacecookie.nix @@ -4,10 +4,22 @@ with lib; let cfg = config.services.spacecookie; - configFile = pkgs.writeText "spacecookie.json" (lib.generators.toJSON {} { - inherit (cfg) hostname port root; - }); + + spacecookieConfig = { + listen = { + inherit (cfg) port; + }; + } // cfg.settings; + + format = pkgs.formats.json {}; + + configFile = format.generate "spacecookie.json" spacecookieConfig; + in { + imports = [ + (mkRenamedOptionModule [ "services" "spacecookie" "root" ] [ "services" "spacecookie" "settings" "root" ]) + (mkRenamedOptionModule [ "services" "spacecookie" "hostname" ] [ "services" "spacecookie" "settings" "hostname" ]) + ]; options = { @@ -15,32 +27,149 @@ in { enable = mkEnableOption "spacecookie"; - hostname = mkOption { - type = types.str; - default = "localhost"; - description = "The hostname the service is reachable via. Clients will use this hostname for further requests after loading the initial gopher menu."; + package = mkOption { + type = types.package; + default = pkgs.spacecookie; + defaultText = literalExample "pkgs.spacecookie"; + example = literalExample "pkgs.haskellPackages.spacecookie"; + description = '' + The spacecookie derivation to use. This can be used to + override the used package or to use another version. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open the necessary port in the firewall for spacecookie. + ''; }; port = mkOption { type = types.port; default = 70; - description = "Port the gopher service should be exposed on."; + description = '' + Port the gopher service should be exposed on. + ''; + }; + + address = mkOption { + type = types.str; + default = "[::]"; + description = '' + Address to listen on. Must be in the + <literal>ListenStream=</literal> syntax of + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.socket.html">systemd.socket(5)</link>. + ''; }; - root = mkOption { - type = types.path; - default = "/srv/gopher"; - description = "The root directory spacecookie serves via gopher."; + settings = mkOption { + type = types.submodule { + freeformType = format.type; + + options.hostname = mkOption { + type = types.str; + default = "localhost"; + description = '' + The hostname the service is reachable via. Clients + will use this hostname for further requests after + loading the initial gopher menu. + ''; + }; + + options.root = mkOption { + type = types.path; + default = "/srv/gopher"; + description = '' + The directory spacecookie should serve via gopher. + Files in there need to be world-readable since + the spacecookie service file sets + <literal>DynamicUser=true</literal>. + ''; + }; + + options.log = { + enable = mkEnableOption "logging for spacecookie" + // { default = true; example = false; }; + + hide-ips = mkOption { + type = types.bool; + default = true; + description = '' + If enabled, spacecookie will hide personal + information of users like IP addresses from + log output. + ''; + }; + + hide-time = mkOption { + type = types.bool; + # since we are starting with systemd anyways + # we deviate from the default behavior here: + # journald will add timestamps, so no need + # to double up. + default = true; + description = '' + If enabled, spacecookie will not print timestamps + at the beginning of every log line. + ''; + }; + + level = mkOption { + type = types.enum [ + "info" + "warn" + "error" + ]; + default = "info"; + description = '' + Log level for the spacecookie service. + ''; + }; + }; + }; + + description = '' + Settings for spacecookie. The settings set here are + directly translated to the spacecookie JSON config + file. See + <link xlink:href="https://sternenseemann.github.io/spacecookie/spacecookie.json.5.html">spacecookie.json(5)</link> + for explanations of all options. + ''; }; }; }; config = mkIf cfg.enable { + assertions = [ + { + assertion = !(cfg.settings ? user); + message = '' + spacecookie is started as a normal user, so the setuid + feature doesn't work. If you want to run spacecookie as + a specific user, set: + systemd.services.spacecookie.serviceConfig = { + DynamicUser = false; + User = "youruser"; + Group = "yourgroup"; + } + ''; + } + { + assertion = !(cfg.settings ? listen || cfg.settings ? port); + message = '' + The NixOS spacecookie module uses socket activation, + so the listen options have no effect. Use the port + and address options in services.spacecookie instead. + ''; + } + ]; systemd.sockets.spacecookie = { description = "Socket for the Spacecookie Gopher Server"; wantedBy = [ "sockets.target" ]; - listenStreams = [ "[::]:${toString cfg.port}" ]; + listenStreams = [ "${cfg.address}:${toString cfg.port}" ]; socketConfig = { BindIPv6Only = "both"; }; @@ -53,7 +182,7 @@ in { serviceConfig = { Type = "notify"; - ExecStart = "${pkgs.haskellPackages.spacecookie}/bin/spacecookie ${configFile}"; + ExecStart = "${lib.getBin cfg.package}/bin/spacecookie ${configFile}"; FileDescriptorStoreMax = 1; DynamicUser = true; @@ -79,5 +208,9 @@ in { RestrictAddressFamilies = "AF_UNIX AF_INET6"; }; }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + }; }; } diff --git a/nixos/modules/services/networking/supplicant.nix b/nixos/modules/services/networking/supplicant.nix index 20704be9b36fe..4f4b5cef37413 100644 --- a/nixos/modules/services/networking/supplicant.nix +++ b/nixos/modules/services/networking/supplicant.nix @@ -44,19 +44,10 @@ let preStart = '' ${optionalString (suppl.configFile.path!=null) '' - touch -a ${suppl.configFile.path} - chmod 600 ${suppl.configFile.path} + (umask 077 && touch -a "${suppl.configFile.path}") ''} ${optionalString suppl.userControlled.enable '' - if ! test -e ${suppl.userControlled.socketDir}; then - mkdir -m 0770 -p ${suppl.userControlled.socketDir} - chgrp ${suppl.userControlled.group} ${suppl.userControlled.socketDir} - fi - - if test "$(stat --printf '%G' ${suppl.userControlled.socketDir})" != "${suppl.userControlled.group}"; then - echo "ERROR: bad ownership on ${suppl.userControlled.socketDir}" >&2 - exit 1 - fi + install -dm770 -g "${suppl.userControlled.group}" "${suppl.userControlled.socketDir}" ''} ''; diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index 622c3d8ea434f..09aef9a1dcf12 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -4,51 +4,28 @@ with lib; let cfg = config.services.unbound; - stateDir = "/var/lib/unbound"; - - access = concatMapStringsSep "\n " (x: "access-control: ${x} allow") cfg.allowedAccess; - - interfaces = concatMapStringsSep "\n " (x: "interface: ${x}") cfg.interfaces; - - isLocalAddress = x: substring 0 3 x == "::1" || substring 0 9 x == "127.0.0.1"; - - forward = - optionalString (any isLocalAddress cfg.forwardAddresses) '' - do-not-query-localhost: no - '' - + optionalString (cfg.forwardAddresses != []) '' - forward-zone: - name: . - '' - + concatMapStringsSep "\n" (x: " forward-addr: ${x}") cfg.forwardAddresses; - - rootTrustAnchorFile = "${stateDir}/root.key"; - - trustAnchor = optionalString cfg.enableRootTrustAnchor - "auto-trust-anchor-file: ${rootTrustAnchorFile}"; - - confFile = pkgs.writeText "unbound.conf" '' - server: - ip-freebind: yes - directory: "${stateDir}" - username: unbound - chroot: "" - pidfile: "" - # when running under systemd there is no need to daemonize - do-daemonize: no - ${interfaces} - ${access} - ${trustAnchor} - ${lib.optionalString (cfg.localControlSocketPath != null) '' - remote-control: - control-enable: yes - control-interface: ${cfg.localControlSocketPath} - ''} - ${cfg.extraConfig} - ${forward} - ''; -in -{ + yesOrNo = v: if v then "yes" else "no"; + + toOption = indent: n: v: "${indent}${toString n}: ${v}"; + + toConf = indent: n: v: + if builtins.isFloat v then (toOption indent n (builtins.toJSON v)) + else if isInt v then (toOption indent n (toString v)) + else if isBool v then (toOption indent n (yesOrNo v)) + else if isString v then (toOption indent n v) + else if isList v then (concatMapStringsSep "\n" (toConf indent n) v) + else if isAttrs v then (concatStringsSep "\n" ( + ["${indent}${n}:"] ++ ( + mapAttrsToList (toConf "${indent} ") v + ) + )) + else throw (traceSeq v "services.unbound.settings: unexpected type"); + + confFile = pkgs.writeText "unbound.conf" (concatStringsSep "\n" ((mapAttrsToList (toConf "") cfg.settings) ++ [""])); + + rootTrustAnchorFile = "${cfg.stateDir}/root.key"; + +in { ###### interface @@ -64,25 +41,30 @@ in description = "The unbound package to use"; }; - allowedAccess = mkOption { - default = [ "127.0.0.0/24" ]; - type = types.listOf types.str; - description = "What networks are allowed to use unbound as a resolver."; + user = mkOption { + type = types.str; + default = "unbound"; + description = "User account under which unbound runs."; }; - interfaces = mkOption { - default = [ "127.0.0.1" ] ++ optional config.networking.enableIPv6 "::1"; - type = types.listOf types.str; - description = '' - What addresses the server should listen on. This supports the interface syntax documented in - <citerefentry><refentrytitle>unbound.conf</refentrytitle><manvolnum>8</manvolnum></citerefentry>. - ''; + group = mkOption { + type = types.str; + default = "unbound"; + description = "Group under which unbound runs."; }; - forwardAddresses = mkOption { - default = []; - type = types.listOf types.str; - description = "What servers to forward queries to."; + stateDir = mkOption { + default = "/var/lib/unbound"; + description = "Directory holding all state for unbound to run."; + }; + + resolveLocalQueries = mkOption { + type = types.bool; + default = true; + description = '' + Whether unbound should resolve local queries (i.e. add 127.0.0.1 to + /etc/resolv.conf). + ''; }; enableRootTrustAnchor = mkOption { @@ -106,23 +88,66 @@ in and group will be <literal>nogroup</literal>. Users that should be permitted to access the socket must be in the - <literal>unbound</literal> group. + <literal>config.services.unbound.group</literal> group. If this option is <literal>null</literal> remote control will not be - configured at all. Unbounds default values apply. + enabled. Unbounds default values apply. ''; }; - extraConfig = mkOption { - default = ""; - type = types.lines; + settings = mkOption { + default = {}; + type = with types; submodule { + + freeformType = let + validSettingsPrimitiveTypes = oneOf [ int str bool float ]; + validSettingsTypes = oneOf [ validSettingsPrimitiveTypes (listOf validSettingsPrimitiveTypes) ]; + settingsType = oneOf [ str (attrsOf validSettingsTypes) ]; + in attrsOf (oneOf [ settingsType (listOf settingsType) ]) + // { description = '' + unbound.conf configuration type. The format consist of an attribute + set of settings. Each settings can be either one value, a list of + values or an attribute set. The allowed values are integers, + strings, booleans or floats. + ''; + }; + + options = { + remote-control.control-enable = mkOption { + type = bool; + default = false; + internal = true; + }; + }; + }; + example = literalExample '' + { + server = { + interface = [ "127.0.0.1" ]; + }; + forward-zone = [ + { + name = "."; + forward-addr = "1.1.1.1@853#cloudflare-dns.com"; + } + { + name = "example.org."; + forward-addr = [ + "1.1.1.1@853#cloudflare-dns.com" + "1.0.0.1@853#cloudflare-dns.com" + ]; + } + ]; + remote-control.control-enable = true; + }; + ''; description = '' - Extra unbound config. See - <citerefentry><refentrytitle>unbound.conf</refentrytitle><manvolnum>8 - </manvolnum></citerefentry>. + Declarative Unbound configuration + See the <citerefentry><refentrytitle>unbound.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> manpage for a list of + available options. ''; }; - }; }; @@ -130,23 +155,56 @@ in config = mkIf cfg.enable { + services.unbound.settings = { + server = { + directory = mkDefault cfg.stateDir; + username = cfg.user; + chroot = ''""''; + pidfile = ''""''; + # when running under systemd there is no need to daemonize + do-daemonize = false; + interface = mkDefault ([ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1")); + access-control = mkDefault ([ "127.0.0.0/8 allow" ] ++ (optional config.networking.enableIPv6 "::1/128 allow")); + auto-trust-anchor-file = mkIf cfg.enableRootTrustAnchor rootTrustAnchorFile; + tls-cert-bundle = mkDefault "/etc/ssl/certs/ca-certificates.crt"; + # prevent race conditions on system startup when interfaces are not yet + # configured + ip-freebind = mkDefault true; + }; + remote-control = { + control-enable = mkDefault false; + control-interface = mkDefault ([ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1")); + server-key-file = mkDefault "${cfg.stateDir}/unbound_server.key"; + server-cert-file = mkDefault "${cfg.stateDir}/unbound_server.pem"; + control-key-file = mkDefault "${cfg.stateDir}/unbound_control.key"; + control-cert-file = mkDefault "${cfg.stateDir}/unbound_control.pem"; + } // optionalAttrs (cfg.localControlSocketPath != null) { + control-enable = true; + control-interface = cfg.localControlSocketPath; + }; + }; + environment.systemPackages = [ cfg.package ]; - users.users.unbound = { - description = "unbound daemon user"; - isSystemUser = true; - group = lib.mkIf (cfg.localControlSocketPath != null) (lib.mkDefault "unbound"); + users.users = mkIf (cfg.user == "unbound") { + unbound = { + description = "unbound daemon user"; + isSystemUser = true; + group = cfg.group; + }; }; - # We need a group so that we can give users access to the configured - # control socket. Unbound allows access to the socket only to the unbound - # user and the primary group. - users.groups = lib.mkIf (cfg.localControlSocketPath != null) { + users.groups = mkIf (cfg.group == "unbound") { unbound = {}; }; - networking.resolvconf.useLocalResolver = mkDefault true; + networking = mkIf cfg.resolveLocalQueries { + resolvconf = { + useLocalResolver = mkDefault true; + }; + networkmanager.dns = "unbound"; + }; environment.etc."unbound/unbound.conf".source = confFile; @@ -156,8 +214,15 @@ in before = [ "nss-lookup.target" ]; wantedBy = [ "multi-user.target" "nss-lookup.target" ]; - preStart = lib.mkIf cfg.enableRootTrustAnchor '' - ${cfg.package}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" + path = mkIf cfg.settings.remote-control.control-enable [ pkgs.openssl ]; + + preStart = '' + ${optionalString cfg.enableRootTrustAnchor '' + ${cfg.package}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" + ''} + ${optionalString cfg.settings.remote-control.control-enable '' + ${cfg.package}/bin/unbound-control-setup -d ${cfg.stateDir} + ''} ''; restartTriggers = [ @@ -181,8 +246,8 @@ in "CAP_SYS_RESOURCE" ]; - User = "unbound"; - Group = lib.mkIf (cfg.localControlSocketPath != null) (lib.mkDefault "unbound"); + User = cfg.user; + Group = cfg.group; MemoryDenyWriteExecute = true; NoNewPrivileges = true; @@ -211,9 +276,29 @@ in RestrictNamespaces = true; LockPersonality = true; RestrictSUIDSGID = true; + + Restart = "on-failure"; + RestartSec = "5s"; }; }; - # If networkmanager is enabled, ask it to interface with unbound. - networking.networkmanager.dns = "unbound"; }; + + imports = [ + (mkRenamedOptionModule [ "services" "unbound" "interfaces" ] [ "services" "unbound" "settings" "server" "interface" ]) + (mkChangedOptionModule [ "services" "unbound" "allowedAccess" ] [ "services" "unbound" "settings" "server" "access-control" ] ( + config: map (value: "${value} allow") (getAttrFromPath [ "services" "unbound" "allowedAccess" ] config) + )) + (mkRemovedOptionModule [ "services" "unbound" "forwardAddresses" ] '' + Add a new setting: + services.unbound.settings.forward-zone = [{ + name = "."; + forward-addr = [ # Your current services.unbound.forwardAddresses ]; + }]; + If any of those addresses are local addresses (127.0.0.1 or ::1), you must + also set services.unbound.settings.server.do-not-query-localhost to false. + '') + (mkRemovedOptionModule [ "services" "unbound" "extraConfig" ] '' + You can use services.unbound.settings to add any configuration you want. + '') + ]; } diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix index 34c8693453571..043bce16e542b 100644 --- a/nixos/modules/services/networking/wireguard.nix +++ b/nixos/modules/services/networking/wireguard.nix @@ -246,12 +246,15 @@ let }; script = '' - mkdir --mode 0644 -p "${dirOf values.privateKeyFile}" + set -e + + # If the parent dir does not already exist, create it. + # Otherwise, does nothing, keeping existing permisions intact. + mkdir -p --mode 0755 "${dirOf values.privateKeyFile}" + if [ ! -f "${values.privateKeyFile}" ]; then - touch "${values.privateKeyFile}" - chmod 0600 "${values.privateKeyFile}" - wg genkey > "${values.privateKeyFile}" - chmod 0400 "${values.privateKeyFile}" + # Write private key file with atomically-correct permissions. + (set -e; umask 077; wg genkey > "${values.privateKeyFile}") fi ''; }; diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index 61482596763a6..8a0685c3d96b2 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -3,6 +3,10 @@ with lib; let + package = if cfg.allowAuxiliaryImperativeNetworks + then pkgs.wpa_supplicant_ro_ssids + else pkgs.wpa_supplicant; + cfg = config.networking.wireless; configFile = if cfg.networks != {} || cfg.extraConfig != "" || cfg.userControlled.enable then pkgs.writeText "wpa_supplicant.conf" '' ${optionalString cfg.userControlled.enable '' @@ -47,6 +51,16 @@ in { description = "Force a specific wpa_supplicant driver."; }; + allowAuxiliaryImperativeNetworks = mkEnableOption "support for imperative & declarative networks" // { + description = '' + Whether to allow configuring networks "imperatively" (e.g. via + <package>wpa_supplicant_gui</package>) and declaratively via + <xref linkend="opt-networking.wireless.networks" />. + + Please note that this adds a custom patch to <package>wpa_supplicant</package>. + ''; + }; + networks = mkOption { type = types.attrsOf (types.submodule { options = { @@ -211,9 +225,9 @@ in { message = ''options networking.wireless."${name}".{psk,pskRaw,auth} are mutually exclusive''; }); - environment.systemPackages = [ pkgs.wpa_supplicant ]; + environment.systemPackages = [ package ]; - services.dbus.packages = [ pkgs.wpa_supplicant ]; + services.dbus.packages = [ package ]; services.udev.packages = [ pkgs.crda ]; # FIXME: start a separate wpa_supplicant instance per interface. @@ -230,13 +244,17 @@ in { wantedBy = [ "multi-user.target" ]; stopIfChanged = false; - path = [ pkgs.wpa_supplicant ]; + path = [ package ]; - script = '' + script = let + configStr = if cfg.allowAuxiliaryImperativeNetworks + then "-c /etc/wpa_supplicant.conf -I ${configFile}" + else "-c ${configFile}"; + in '' if [ -f /etc/wpa_supplicant.conf -a "/etc/wpa_supplicant.conf" != "${configFile}" ] then echo >&2 "<3>/etc/wpa_supplicant.conf present but ignored. Generated ${configFile} is used instead." fi - iface_args="-s -u -D${cfg.driver} -c ${configFile}" + iface_args="-s -u -D${cfg.driver} ${configStr}" ${if ifaces == [] then '' for i in $(cd /sys/class/net && echo *); do DEVTYPE= diff --git a/nixos/modules/services/networking/yggdrasil.nix b/nixos/modules/services/networking/yggdrasil.nix index a71c635c9f6ef..47a7152f6fe6e 100644 --- a/nixos/modules/services/networking/yggdrasil.nix +++ b/nixos/modules/services/networking/yggdrasil.nix @@ -64,7 +64,7 @@ in { type = types.str; default = "root"; example = "wheel"; - description = "Group to grant acces to the Yggdrasil control socket."; + description = "Group to grant access to the Yggdrasil control socket."; }; openMulticastPort = mkOption { @@ -122,12 +122,11 @@ in { system.activationScripts.yggdrasil = mkIf cfg.persistentKeys '' if [ ! -e ${keysPath} ] then - mkdir -p ${builtins.dirOf keysPath} + mkdir --mode=700 -p ${builtins.dirOf keysPath} ${binYggdrasil} -genconf -json \ | ${pkgs.jq}/bin/jq \ 'to_entries|map(select(.key|endswith("Key")))|from_entries' \ > ${keysPath} - chmod 600 ${keysPath} fi ''; diff --git a/nixos/modules/services/networking/znc/default.nix b/nixos/modules/services/networking/znc/default.nix index a7315896c5063..aa79ed27dcef7 100644 --- a/nixos/modules/services/networking/znc/default.nix +++ b/nixos/modules/services/networking/znc/default.nix @@ -103,8 +103,8 @@ in }; dataDir = mkOption { - default = "/var/lib/znc/"; - example = "/home/john/.znc/"; + default = "/var/lib/znc"; + example = "/home/john/.znc"; type = types.path; description = '' The state directory for ZNC. The config and the modules will be linked @@ -258,6 +258,34 @@ in ExecStart = "${pkgs.znc}/bin/znc --foreground --datadir ${cfg.dataDir} ${escapeShellArgs cfg.extraFlags}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID"; + # Hardening + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadWritePaths = [ cfg.dataDir ]; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0027"; }; preStart = '' mkdir -p ${cfg.dataDir}/configs @@ -271,9 +299,8 @@ in # Ensure essential files exist. if [[ ! -f ${cfg.dataDir}/configs/znc.conf ]]; then echo "No znc.conf file found in ${cfg.dataDir}. Creating one now." - cp --no-clobber ${cfg.configFile} ${cfg.dataDir}/configs/znc.conf + cp --no-preserve=ownership --no-clobber ${cfg.configFile} ${cfg.dataDir}/configs/znc.conf chmod u+rw ${cfg.dataDir}/configs/znc.conf - chown ${cfg.user} ${cfg.dataDir}/configs/znc.conf fi if [[ ! -f ${cfg.dataDir}/znc.pem ]]; then diff --git a/nixos/modules/services/networking/znc/options.nix b/nixos/modules/services/networking/znc/options.nix index 048dbd7386300..7a43b45fabba6 100644 --- a/nixos/modules/services/networking/znc/options.nix +++ b/nixos/modules/services/networking/znc/options.nix @@ -44,7 +44,7 @@ let modules = mkOption { type = types.listOf types.str; default = [ "simple_away" ]; - example = literalExample "[ simple_away sasl ]"; + example = literalExample ''[ "simple_away" "sasl" ]''; description = '' ZNC network modules to load. ''; diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix index cefe72b0e999c..37f6651ec4cf2 100644 --- a/nixos/modules/services/scheduling/atd.nix +++ b/nixos/modules/services/scheduling/atd.nix @@ -81,14 +81,9 @@ in jobdir=/var/spool/atjobs etcdir=/etc/at - for dir in "$spooldir" "$jobdir" "$etcdir"; do - if [ ! -d "$dir" ]; then - mkdir -p "$dir" - chown atd:atd "$dir" - fi - done - chmod 1770 "$spooldir" "$jobdir" - ${if cfg.allowEveryone then ''chmod a+rwxt "$spooldir" "$jobdir" '' else ""} + install -dm755 -o atd -g atd "$etcdir" + spool_and_job_dir_perms=${if cfg.allowEveryone then "1777" else "1770"} + install -dm"$spool_and_job_dir_perms" -o atd -g atd "$spooldir" "$jobdir" if [ ! -f "$etcdir"/at.deny ]; then touch "$etcdir"/at.deny chown root:atd "$etcdir"/at.deny diff --git a/nixos/modules/services/security/bitwarden_rs/default.nix b/nixos/modules/services/security/bitwarden_rs/default.nix index a04bc883bf0f7..bed59dbf821f4 100644 --- a/nixos/modules/services/security/bitwarden_rs/default.nix +++ b/nixos/modules/services/security/bitwarden_rs/default.nix @@ -121,7 +121,6 @@ in { EnvironmentFile = [ configFile ] ++ optional (cfg.environmentFile != null) cfg.environmentFile; ExecStart = "${bitwarden_rs}/bin/bitwarden_rs"; LimitNOFILE = "1048576"; - LimitNPROC = "64"; PrivateTmp = "true"; PrivateDevices = "true"; ProtectHome = "true"; diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index b901b19cf3187..0c24972823dd4 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -62,6 +62,22 @@ in description = "The firewall package used by fail2ban service."; }; + extraPackages = mkOption { + default = []; + type = types.listOf types.package; + example = lib.literalExample "[ pkgs.ipset ]"; + description = '' + Extra packages to be made available to the fail2ban service. The example contains + the packages needed by the `iptables-ipset-proto6` action. + ''; + }; + + maxretry = mkOption { + default = 3; + type = types.ints.unsigned; + description = "Number of failures before a host gets banned."; + }; + banaction = mkOption { default = "iptables-multiport"; type = types.str; @@ -243,7 +259,7 @@ in restartTriggers = [ fail2banConf jailConf pathsConf ]; reloadIfChanged = true; - path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ]; + path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ] ++ cfg.extraPackages; unitConfig.Documentation = "man:fail2ban(1)"; @@ -291,7 +307,7 @@ in ''} # Miscellaneous options ignoreip = 127.0.0.1/8 ${optionalString config.networking.enableIPv6 "::1"} ${concatStringsSep " " cfg.ignoreIP} - maxretry = 3 + maxretry = ${toString cfg.maxretry} backend = systemd # Actions banaction = ${cfg.banaction} diff --git a/nixos/modules/services/security/fprintd.nix b/nixos/modules/services/security/fprintd.nix index 48f8a9616c3ed..fe0fba5b45d76 100644 --- a/nixos/modules/services/security/fprintd.nix +++ b/nixos/modules/services/security/fprintd.nix @@ -5,6 +5,7 @@ with lib; let cfg = config.services.fprintd; + fprintdPkg = if cfg.tod.enable then pkgs.fprintd-tod else pkgs.fprintd; in @@ -17,25 +18,30 @@ in services.fprintd = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable fprintd daemon and PAM module for fingerprint readers handling. - ''; - }; + enable = mkEnableOption "fprintd daemon and PAM module for fingerprint readers handling"; package = mkOption { type = types.package; - default = pkgs.fprintd; - defaultText = "pkgs.fprintd"; + default = fprintdPkg; + defaultText = "if cfg.tod.enable then pkgs.fprintd-tod else pkgs.fprintd"; description = '' fprintd package to use. ''; }; - }; + tod = { + + enable = mkEnableOption "Touch OEM Drivers library support"; + driver = mkOption { + type = types.package; + example = literalExample "pkgs.libfprint-2-tod1-goodix"; + description = '' + Touch OEM Drivers (TOD) package to use. + ''; + }; + }; + }; }; @@ -49,6 +55,10 @@ in systemd.packages = [ cfg.package ]; + systemd.services.fprintd.environment = mkIf cfg.tod.enable { + FP_TOD_DRIVERS_DIR = "${cfg.tod.driver}${cfg.tod.driver.driverPath}"; + }; + }; } diff --git a/nixos/modules/services/security/hologram-agent.nix b/nixos/modules/services/security/hologram-agent.nix index e37334b3cf5e3..e29267e50003b 100644 --- a/nixos/modules/services/security/hologram-agent.nix +++ b/nixos/modules/services/security/hologram-agent.nix @@ -54,5 +54,5 @@ in { }; - meta.maintainers = with lib.maintainers; [ nand0p ]; + meta.maintainers = with lib.maintainers; [ ]; } diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix index 77c579279abe5..e85fd4b75df4f 100644 --- a/nixos/modules/services/security/oauth2_proxy.nix +++ b/nixos/modules/services/security/oauth2_proxy.nix @@ -90,10 +90,10 @@ in package = mkOption { type = types.package; - default = pkgs.oauth2_proxy; - defaultText = "pkgs.oauth2_proxy"; + default = pkgs.oauth2-proxy; + defaultText = "pkgs.oauth2-proxy"; description = '' - The package that provides oauth2_proxy. + The package that provides oauth2-proxy. ''; }; diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix index 553638ad49658..d82ddb894ea55 100644 --- a/nixos/modules/services/security/oauth2_proxy_nginx.nix +++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix @@ -23,7 +23,8 @@ in config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) { enable = true; }; - config.services.nginx = mkMerge ((optional (cfg.virtualHosts != []) { + config.services.nginx = mkIf config.services.oauth2_proxy.enable (mkMerge + ((optional (cfg.virtualHosts != []) { recommendedProxySettings = true; # needed because duplicate headers }) ++ (map (vhost: { virtualHosts.${vhost} = { @@ -60,5 +61,5 @@ in ''; }; - }) cfg.virtualHosts)); + }) cfg.virtualHosts))); } diff --git a/nixos/modules/services/security/privacyidea.nix b/nixos/modules/services/security/privacyidea.nix index f7b40089a9327..2696dca4c7677 100644 --- a/nixos/modules/services/security/privacyidea.nix +++ b/nixos/modules/services/security/privacyidea.nix @@ -264,6 +264,7 @@ in users.users.privacyidea = mkIf (cfg.user == "privacyidea") { group = cfg.group; + isSystemUser = true; }; users.groups.privacyidea = mkIf (cfg.group == "privacyidea") {}; @@ -294,6 +295,7 @@ in users.users.pi-ldap-proxy = mkIf (cfg.ldap-proxy.user == "pi-ldap-proxy") { group = cfg.ldap-proxy.group; + isSystemUser = true; }; users.groups.pi-ldap-proxy = mkIf (cfg.ldap-proxy.group == "pi-ldap-proxy") {}; diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix index 033ff5ef4b5a2..53bd9efa5ac7b 100644 --- a/nixos/modules/services/security/sshguard.nix +++ b/nixos/modules/services/security/sshguard.nix @@ -5,6 +5,21 @@ with lib; let cfg = config.services.sshguard; + configFile = let + args = lib.concatStringsSep " " ([ + "-afb" + "-p info" + "-o cat" + "-n1" + ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services)); + backend = if config.networking.nftables.enable + then "sshg-fw-nft-sets" + else "sshg-fw-ipset"; + in pkgs.writeText "sshguard.conf" '' + BACKEND="${pkgs.sshguard}/libexec/${backend}" + LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}" + ''; + in { ###### interface @@ -85,20 +100,7 @@ in { config = mkIf cfg.enable { - environment.etc."sshguard.conf".text = let - args = lib.concatStringsSep " " ([ - "-afb" - "-p info" - "-o cat" - "-n1" - ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services)); - backend = if config.networking.nftables.enable - then "sshg-fw-nft-sets" - else "sshg-fw-ipset"; - in '' - BACKEND="${pkgs.sshguard}/libexec/${backend}" - LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}" - ''; + environment.etc."sshguard.conf".source = configFile; systemd.services.sshguard = { description = "SSHGuard brute-force attacks protection system"; @@ -107,6 +109,8 @@ in { after = [ "network.target" ]; partOf = optional config.networking.firewall.enable "firewall.service"; + restartTriggers = [ configFile ]; + path = with pkgs; if config.networking.nftables.enable then [ nftables iproute2 systemd ] else [ iptables ipset iproute2 systemd ]; diff --git a/nixos/modules/services/security/step-ca.nix b/nixos/modules/services/security/step-ca.nix new file mode 100644 index 0000000000000..64eee11f58805 --- /dev/null +++ b/nixos/modules/services/security/step-ca.nix @@ -0,0 +1,134 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.services.step-ca; + settingsFormat = (pkgs.formats.json { }); +in +{ + meta.maintainers = with lib.maintainers; [ mohe2015 ]; + + options = { + services.step-ca = { + enable = lib.mkEnableOption "the smallstep certificate authority server"; + openFirewall = lib.mkEnableOption "opening the certificate authority server port"; + package = lib.mkOption { + type = lib.types.package; + default = pkgs.step-ca; + description = "Which step-ca package to use."; + }; + address = lib.mkOption { + type = lib.types.str; + example = "127.0.0.1"; + description = '' + The address (without port) the certificate authority should listen at. + This combined with <option>services.step-ca.port</option> overrides <option>services.step-ca.settings.address</option>. + ''; + }; + port = lib.mkOption { + type = lib.types.port; + example = 8443; + description = '' + The port the certificate authority should listen on. + This combined with <option>services.step-ca.address</option> overrides <option>services.step-ca.settings.address</option>. + ''; + }; + settings = lib.mkOption { + type = with lib.types; attrsOf anything; + description = '' + Settings that go into <filename>ca.json</filename>. See + <link xlink:href="https://smallstep.com/docs/step-ca/configuration"> + the step-ca manual</link> for more information. The easiest way to + configure this module would be to run <literal>step ca init</literal> + to generate <filename>ca.json</filename> and then import it using + <literal>builtins.fromJSON</literal>. + <link xlink:href="https://smallstep.com/docs/step-cli/basic-crypto-operations#run-an-offline-x509-certificate-authority">This article</link> + may also be useful if you want to customize certain aspects of + certificate generation for your CA. + You need to change the database storage path to <filename>/var/lib/step-ca/db</filename>. + + <warning> + <para> + The <option>services.step-ca.settings.address</option> option + will be ignored and overwritten by + <option>services.step-ca.address</option> and + <option>services.step-ca.port</option>. + </para> + </warning> + ''; + }; + intermediatePasswordFile = lib.mkOption { + type = lib.types.path; + example = "/run/keys/smallstep-password"; + description = '' + Path to the file containing the password for the intermediate + certificate private key. + + <warning> + <para> + Make sure to use a quoted absolute path instead of a path literal + to prevent it from being copied to the globally readable Nix + store. + </para> + </warning> + ''; + }; + }; + }; + + config = lib.mkIf config.services.step-ca.enable ( + let + configFile = settingsFormat.generate "ca.json" (cfg.settings // { + address = cfg.address + ":" + toString cfg.port; + }); + in + { + assertions = + [ + { + assertion = !lib.isStorePath cfg.intermediatePasswordFile; + message = '' + <option>services.step-ca.intermediatePasswordFile</option> points to + a file in the Nix store. You should use a quoted absolute path to + prevent this. + ''; + } + ]; + + systemd.packages = [ cfg.package ]; + + # configuration file indirection is needed to support reloading + environment.etc."smallstep/ca.json".source = configFile; + + systemd.services."step-ca" = { + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ configFile ]; + unitConfig = { + ConditionFileNotEmpty = ""; # override upstream + }; + serviceConfig = { + Environment = "HOME=%S/step-ca"; + WorkingDirectory = ""; # override upstream + ReadWriteDirectories = ""; # override upstream + + # LocalCredential handles file permission problems arising from the use of DynamicUser. + LoadCredential = "intermediate_password:${cfg.intermediatePasswordFile}"; + + ExecStart = [ + "" # override upstream + "${cfg.package}/bin/step-ca /etc/smallstep/ca.json --password-file \${CREDENTIALS_DIRECTORY}/intermediate_password" + ]; + + # ProtectProc = "invisible"; # not supported by upstream yet + # ProcSubset = "pid"; # not supported by upstream upstream yet + # PrivateUsers = true; # doesn't work with privileged ports therefore not supported by upstream + + DynamicUser = true; + StateDirectory = "step-ca"; + }; + }; + + networking.firewall = lib.mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + }; + } + ); +} diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index 54c2c2dea23af..9e8f18e93c85b 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -170,7 +170,7 @@ let else if k == "ServerTransportPlugin" then optionalString (v.transports != []) "${concatStringsSep "," v.transports} exec ${v.exec}" else if k == "HidServAuth" then - concatMapStringsSep "\n${k} " (settings: settings.onion + " " settings.auth) v + v.onion + " " + v.auth else generators.mkValueStringDefault {} v; genTorrc = settings: generators.toKeyValue { @@ -715,7 +715,7 @@ in (submodule { options = { onion = mkOption { - type = strMatching "[a-z2-7]{16}(\\.onion)?"; + type = strMatching "[a-z2-7]{16}\\.onion"; description = "Onion address."; example = "xxxxxxxxxxxxxxxx.onion"; }; @@ -726,6 +726,12 @@ in }; }) ]); + example = [ + { + onion = "xxxxxxxxxxxxxxxx.onion"; + auth = "xxxxxxxxxxxxxxxxxxxxxx"; + } + ]; }; options.HiddenServiceNonAnonymousMode = optionBool "HiddenServiceNonAnonymousMode"; options.HiddenServiceStatistics = optionBool "HiddenServiceStatistics"; diff --git a/nixos/modules/services/system/self-deploy.nix b/nixos/modules/services/system/self-deploy.nix new file mode 100644 index 0000000000000..3c82ed4fc593f --- /dev/null +++ b/nixos/modules/services/system/self-deploy.nix @@ -0,0 +1,170 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.self-deploy; + + workingDirectory = "/var/lib/nixos-self-deploy"; + repositoryDirectory = "${workingDirectory}/repo"; + outPath = "${workingDirectory}/system"; + + gitWithRepo = "git -C ${repositoryDirectory}"; + + renderNixArgs = args: + let + toArg = key: value: + if builtins.isString value + then " --argstr ${lib.escapeShellArg key} ${lib.escapeShellArg value}" + else " --arg ${lib.escapeShellArg key} ${lib.escapeShellArg (toString value)}"; + in + lib.concatStrings (lib.mapAttrsToList toArg args); + + isPathType = x: lib.strings.isCoercibleToString x && builtins.substring 0 1 (toString x) == "/"; + +in +{ + options.services.self-deploy = { + enable = lib.mkEnableOption "self-deploy"; + + nixFile = lib.mkOption { + type = lib.types.path; + + default = "/default.nix"; + + description = '' + Path to nix file in repository. Leading '/' refers to root of + git repository. + ''; + }; + + nixAttribute = lib.mkOption { + type = lib.types.str; + + description = '' + Attribute of `nixFile` that builds the current system. + ''; + }; + + nixArgs = lib.mkOption { + type = lib.types.attrs; + + default = { }; + + description = '' + Arguments to `nix-build` passed as `--argstr` or `--arg` depending on + the type. + ''; + }; + + switchCommand = lib.mkOption { + type = lib.types.enum [ "boot" "switch" "dry-activate" "test" ]; + + default = "switch"; + + description = '' + The `switch-to-configuration` subcommand used. + ''; + }; + + repository = lib.mkOption { + type = with lib.types; oneOf [ path str ]; + + description = '' + The repository to fetch from. Must be properly formatted for git. + + If this value is set to a path (must begin with `/`) then it's + assumed that the repository is local and the resulting service + won't wait for the network to be up. + + If the repository will be fetched over SSH, you must add an + entry to `programs.ssh.knownHosts` for the SSH host for the fetch + to be successful. + ''; + }; + + sshKeyFile = lib.mkOption { + type = with lib.types; nullOr path; + + default = null; + + description = '' + Path to SSH private key used to fetch private repositories over + SSH. + ''; + }; + + branch = lib.mkOption { + type = lib.types.str; + + default = "master"; + + description = '' + Branch to track + + Technically speaking any ref can be specified here, as this is + passed directly to a `git fetch`, but for the use-case of + continuous deployment you're likely to want to specify a branch. + ''; + }; + + startAt = lib.mkOption { + type = with lib.types; either str (listOf str); + + default = "hourly"; + + description = '' + The schedule on which to run the `self-deploy` service. Format + specified by `systemd.time 7`. + + This value can also be a list of `systemd.time 7` formatted + strings, in which case the service will be started on multiple + schedules. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.self-deploy = { + wantedBy = [ "multi-user.target" ]; + + requires = lib.mkIf (!(isPathType cfg.repository)) [ "network-online.target" ]; + + environment.GIT_SSH_COMMAND = lib.mkIf (!(isNull cfg.sshKeyFile)) + "${pkgs.openssh}/bin/ssh -i ${lib.escapeShellArg cfg.sshKeyFile}"; + + restartIfChanged = false; + + path = with pkgs; [ + git + nix + systemd + ]; + + script = '' + if [ ! -e ${repositoryDirectory} ]; then + mkdir --parents ${repositoryDirectory} + git init ${repositoryDirectory} + fi + + ${gitWithRepo} fetch ${lib.escapeShellArg cfg.repository} ${lib.escapeShellArg cfg.branch} + + ${gitWithRepo} checkout FETCH_HEAD + + nix-build${renderNixArgs cfg.nixArgs} ${lib.cli.toGNUCommandLineShell { } { + attr = cfg.nixAttribute; + out-link = outPath; + }} ${lib.escapeShellArg "${repositoryDirectory}${cfg.nixFile}"} + + ${lib.optionalString (cfg.switchCommand != "test") + "nix-env --profile /nix/var/nix/profiles/system --set ${outPath}"} + + ${outPath}/bin/switch-to-configuration ${cfg.switchCommand} + + rm ${outPath} + + ${gitWithRepo} gc --prune=all + + ${lib.optionalString (cfg.switchCommand == "boot") "systemctl reboot"} + ''; + }; + }; +} diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index 7bec073e26f71..34a5219c95947 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -5,7 +5,7 @@ with lib; let cfg = config.services.transmission; inherit (config.environment) etc; - apparmor = config.security.apparmor.enable; + apparmor = config.security.apparmor; rootDir = "/run/transmission"; homeDir = "/var/lib/transmission"; settingsDir = ".config/transmission-daemon"; @@ -184,8 +184,8 @@ in systemd.services.transmission = { description = "Transmission BitTorrent Service"; - after = [ "network.target" ] ++ optional apparmor "apparmor.service"; - requires = optional apparmor "apparmor.service"; + after = [ "network.target" ] ++ optional apparmor.enable "apparmor.service"; + requires = optional apparmor.enable "apparmor.service"; wantedBy = [ "multi-user.target" ]; environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source; @@ -358,95 +358,39 @@ in }) ]; - security.apparmor.profiles = mkIf apparmor [ - (pkgs.writeText "apparmor-transmission-daemon" '' - include <tunables/global> - - ${pkgs.transmission}/bin/transmission-daemon { - include <abstractions/base> - include <abstractions/nameservice> - - # NOTE: https://github.com/NixOS/nixpkgs/pull/93457 - # will remove the need for these by fixing <abstractions/base> - r ${etc."hosts".source}, - r /etc/ld-nix.so.preload, - ${lib.optionalString (builtins.hasAttr "ld-nix.so.preload" etc) '' - r ${etc."ld-nix.so.preload".source}, - ${concatMapStrings (p: optionalString (p != "") ("mr ${p},\n")) - (splitString "\n" config.environment.etc."ld-nix.so.preload".text)} - ''} - r ${etc."ssl/certs/ca-certificates.crt".source}, - r ${pkgs.tzdata}/share/zoneinfo/**, - r ${pkgs.stdenv.cc.libc}/share/i18n/**, - r ${pkgs.stdenv.cc.libc}/share/locale/**, - - mr ${getLib pkgs.stdenv.cc.cc}/lib/*.so*, - mr ${getLib pkgs.stdenv.cc.libc}/lib/*.so*, - mr ${getLib pkgs.attr}/lib/libattr*.so*, - mr ${getLib pkgs.c-ares}/lib/libcares*.so*, - mr ${getLib pkgs.curl}/lib/libcurl*.so*, - mr ${getLib pkgs.keyutils}/lib/libkeyutils*.so*, - mr ${getLib pkgs.libcap}/lib/libcap*.so*, - mr ${getLib pkgs.libevent}/lib/libevent*.so*, - mr ${getLib pkgs.libgcrypt}/lib/libgcrypt*.so*, - mr ${getLib pkgs.libgpgerror}/lib/libgpg-error*.so*, - mr ${getLib pkgs.libkrb5}/lib/lib*.so*, - mr ${getLib pkgs.libssh2}/lib/libssh2*.so*, - mr ${getLib pkgs.lz4}/lib/liblz4*.so*, - mr ${getLib pkgs.nghttp2}/lib/libnghttp2*.so*, - mr ${getLib pkgs.openssl}/lib/libcrypto*.so*, - mr ${getLib pkgs.openssl}/lib/libssl*.so*, - mr ${getLib pkgs.systemd}/lib/libsystemd*.so*, - mr ${getLib pkgs.util-linuxMinimal.out}/lib/libblkid.so*, - mr ${getLib pkgs.util-linuxMinimal.out}/lib/libmount.so*, - mr ${getLib pkgs.util-linuxMinimal.out}/lib/libuuid.so*, - mr ${getLib pkgs.xz}/lib/liblzma*.so*, - mr ${getLib pkgs.zlib}/lib/libz*.so*, - - r @{PROC}/sys/kernel/random/uuid, - r @{PROC}/sys/vm/overcommit_memory, - # @{pid} is not a kernel variable yet but a regexp - #r @{PROC}/@{pid}/environ, - r @{PROC}/@{pid}/mounts, - rwk /tmp/tr_session_id_*, - r /run/systemd/resolve/stub-resolv.conf, - - r ${pkgs.openssl.out}/etc/**, - r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE}, - r ${pkgs.transmission}/share/transmission/**, - - owner rw ${cfg.home}/${settingsDir}/**, - rw ${cfg.settings.download-dir}/**, - ${optionalString cfg.settings.incomplete-dir-enabled '' - rw ${cfg.settings.incomplete-dir}/**, - ''} - ${optionalString cfg.settings.watch-dir-enabled '' - rw ${cfg.settings.watch-dir}/**, - ''} - profile dirs { - rw ${cfg.settings.download-dir}/**, - ${optionalString cfg.settings.incomplete-dir-enabled '' - rw ${cfg.settings.incomplete-dir}/**, - ''} - ${optionalString cfg.settings.watch-dir-enabled '' - rw ${cfg.settings.watch-dir}/**, - ''} - } - - ${optionalString (cfg.settings.script-torrent-done-enabled && - cfg.settings.script-torrent-done-filename != "") '' - # Stack transmission_directories profile on top of - # any existing profile for script-torrent-done-filename - # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges= - # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs - px ${cfg.settings.script-torrent-done-filename} -> &@{dirs}, - ''} + security.apparmor.policies."bin.transmission-daemon".profile = '' + include "${pkgs.transmission.apparmor}/bin.transmission-daemon" + ''; + security.apparmor.includes."local/bin.transmission-daemon" = '' + r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE}, + + owner rw ${cfg.home}/${settingsDir}/**, + rw ${cfg.settings.download-dir}/**, + ${optionalString cfg.settings.incomplete-dir-enabled '' + rw ${cfg.settings.incomplete-dir}/**, + ''} + ${optionalString cfg.settings.watch-dir-enabled '' + rw ${cfg.settings.watch-dir}/**, + ''} + profile dirs { + rw ${cfg.settings.download-dir}/**, + ${optionalString cfg.settings.incomplete-dir-enabled '' + rw ${cfg.settings.incomplete-dir}/**, + ''} + ${optionalString cfg.settings.watch-dir-enabled '' + rw ${cfg.settings.watch-dir}/**, + ''} + } - # FIXME: enable customizing using https://github.com/NixOS/nixpkgs/pull/93457 - # include <local/transmission-daemon> - } - '') - ]; + ${optionalString (cfg.settings.script-torrent-done-enabled && + cfg.settings.script-torrent-done-filename != "") '' + # Stack transmission_directories profile on top of + # any existing profile for script-torrent-done-filename + # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges= + # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs + px ${cfg.settings.script-torrent-done-filename} -> &@{dirs}, + ''} + ''; }; meta.maintainers = with lib.maintainers; [ julm ]; diff --git a/nixos/modules/services/ttys/getty.nix b/nixos/modules/services/ttys/getty.nix index ecfabef5fb131..2480e681de8d0 100644 --- a/nixos/modules/services/ttys/getty.nix +++ b/nixos/modules/services/ttys/getty.nix @@ -5,17 +5,16 @@ with lib; let cfg = config.services.getty; - loginArgs = [ + baseArgs = [ "--login-program" "${pkgs.shadow}/bin/login" ] ++ optionals (cfg.autologinUser != null) [ "--autologin" cfg.autologinUser ] ++ optionals (cfg.loginOptions != null) [ "--login-options" cfg.loginOptions - ]; + ] ++ cfg.extraArgs; - gettyCmd = extraArgs: - "@${pkgs.util-linux}/sbin/agetty agetty ${escapeShellArgs loginArgs} " - + extraArgs; + gettyCmd = args: + "@${pkgs.util-linux}/sbin/agetty agetty ${escapeShellArgs baseArgs} ${args}"; in @@ -54,7 +53,16 @@ in will not be invoked with a <option>--login-options</option> option. ''; - example = "-h darkstar -- \u"; + example = "-h darkstar -- \\u"; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + Additional arguments passed to agetty. + ''; + example = [ "--nohostname" ]; }; greetingLine = mkOption { diff --git a/nixos/modules/services/video/mirakurun.nix b/nixos/modules/services/video/mirakurun.nix index ce1dabe6bfa1e..6ea73fa5c679c 100644 --- a/nixos/modules/services/video/mirakurun.nix +++ b/nixos/modules/services/video/mirakurun.nix @@ -8,6 +8,18 @@ let username = config.users.users.mirakurun.name; groupname = config.users.users.mirakurun.group; settingsFmt = pkgs.formats.yaml {}; + + polkitRule = pkgs.writeTextDir "share/polkit-1/rules.d/10-mirakurun.rules" '' + polkit.addRule(function (action, subject) { + if ( + (action.id == "org.debian.pcsc-lite.access_pcsc" || + action.id == "org.debian.pcsc-lite.access_card") && + subject.user == "${username}" + ) { + return polkit.Result.YES; + } + }); + ''; in { options = { @@ -48,6 +60,15 @@ in ''; }; + allowSmartCardAccess = mkOption { + type = types.bool; + default = true; + description = '' + Install polkit rules to allow Mirakurun to access smart card readers + which is commonly used along with tuner devices. + ''; + }; + serverSettings = mkOption { type = settingsFmt.type; default = {}; @@ -110,7 +131,7 @@ in }; config = mkIf cfg.enable { - environment.systemPackages = [ mirakurun ]; + environment.systemPackages = [ mirakurun ] ++ optional cfg.allowSmartCardAccess polkitRule; environment.etc = { "mirakurun/server.yml".source = settingsFmt.generate "server.yml" cfg.serverSettings; "mirakurun/tuners.yml" = mkIf (cfg.tunerSettings != null) { diff --git a/nixos/modules/services/wayland/cage.nix b/nixos/modules/services/wayland/cage.nix index 14d84c4ce0f99..2e71abb69fc44 100644 --- a/nixos/modules/services/wayland/cage.nix +++ b/nixos/modules/services/wayland/cage.nix @@ -93,6 +93,6 @@ in { systemd.defaultUnit = "graphical.target"; }; - meta.maintainers = with lib.maintainers; [ matthewbauer flokli ]; + meta.maintainers = with lib.maintainers; [ matthewbauer ]; } diff --git a/nixos/modules/services/web-apps/bookstack.nix b/nixos/modules/services/web-apps/bookstack.nix index 83d05ffbad9a0..34a31af9c9da1 100644 --- a/nixos/modules/services/web-apps/bookstack.nix +++ b/nixos/modules/services/web-apps/bookstack.nix @@ -292,6 +292,8 @@ in { WorkingDirectory = "${bookstack}"; }; script = '' + # set permissions + umask 077 # create .env file echo " APP_KEY=base64:$(head -n1 ${cfg.appKeyFile}) @@ -317,13 +319,14 @@ in { ${optionalString (cfg.nginx.addSSL || cfg.nginx.forceSSL || cfg.nginx.onlySSL || cfg.nginx.enableACME) "SESSION_SECURE_COOKIE=true"} ${toString cfg.extraConfig} " > "${cfg.dataDir}/.env" - # set permissions - chmod 700 "${cfg.dataDir}/.env" # migrate db ${pkgs.php}/bin/php artisan migrate --force - # create caches + # clear & create caches (needed in case of update) + ${pkgs.php}/bin/php artisan cache:clear + ${pkgs.php}/bin/php artisan config:clear + ${pkgs.php}/bin/php artisan view:clear ${pkgs.php}/bin/php artisan config:cache ${pkgs.php}/bin/php artisan route:cache ${pkgs.php}/bin/php artisan view:cache diff --git a/nixos/modules/services/web-apps/discourse.nix b/nixos/modules/services/web-apps/discourse.nix index 03ea002c9dee2..0e2e182ffe93e 100644 --- a/nixos/modules/services/web-apps/discourse.nix +++ b/nixos/modules/services/web-apps/discourse.nix @@ -661,7 +661,7 @@ in ]; path = cfg.package.runtimeDeps ++ [ postgresqlPackage - pkgs.replace + pkgs.replace-secret cfg.package.rake ]; environment = cfg.package.runtimeEnv // { @@ -688,10 +688,7 @@ in mkSecretReplacement = file: lib.optionalString (file != null) '' - ( - password=$(<'${file}') - replace-literal -fe '${file}' "$password" /run/discourse/config/discourse.conf - ) + replace-secret '${file}' '${file}' /run/discourse/config/discourse.conf ''; in '' set -o errexit -o pipefail -o nounset -o errtrace @@ -702,7 +699,7 @@ in cp -r ${cfg.package}/share/discourse/config.dist/* /run/discourse/config/ cp -r ${cfg.package}/share/discourse/public.dist/* /run/discourse/public/ cp -r ${cfg.package}/share/discourse/plugins.dist/* /run/discourse/plugins/ - ${lib.concatMapStrings (p: "ln -sf ${p} /run/discourse/plugins/") cfg.plugins} + ${lib.concatMapStringsSep "\n" (p: "ln -sf ${p} /run/discourse/plugins/") cfg.plugins} ln -sf /var/lib/discourse/uploads /run/discourse/public/uploads ln -sf /var/lib/discourse/backups /run/discourse/public/backups @@ -713,11 +710,12 @@ in cfg.siteSettings "/run/discourse/config/nixos_site_settings.json" } - install -T -m 0400 -o discourse ${discourseConf} /run/discourse/config/discourse.conf + install -T -m 0600 -o discourse ${discourseConf} /run/discourse/config/discourse.conf ${mkSecretReplacement cfg.database.passwordFile} ${mkSecretReplacement cfg.mail.outgoing.passwordFile} ${mkSecretReplacement cfg.redis.passwordFile} ${mkSecretReplacement cfg.secretKeyBaseFile} + chmod 0400 /run/discourse/config/discourse.conf ) discourse-rake db:migrate >>/var/log/discourse/db_migration.log @@ -726,7 +724,8 @@ in export ADMIN_EMAIL="${cfg.admin.email}" export ADMIN_NAME="${cfg.admin.fullName}" export ADMIN_USERNAME="${cfg.admin.username}" - export ADMIN_PASSWORD="$(<${cfg.admin.passwordFile})" + ADMIN_PASSWORD="$(<${cfg.admin.passwordFile})" + export ADMIN_PASSWORD discourse-rake admin:create_noninteractively discourse-rake themes:update @@ -938,7 +937,8 @@ in set -o errexit -o pipefail -o nounset -o errtrace shopt -s inherit_errexit - export api_key=$(<'${apiKeyPath}') + api_key=$(<'${apiKeyPath}') + export api_key jq <${mail-receiver-json} \ '.DISCOURSE_API_KEY = $ENV.api_key' \ diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix index a93e93279331e..f0b9e60116dd9 100644 --- a/nixos/modules/services/web-apps/keycloak.nix +++ b/nixos/modules/services/web-apps/keycloak.nix @@ -54,6 +54,7 @@ in frontendUrl = lib.mkOption { type = lib.types.str; + apply = x: if lib.hasSuffix "/" x then x else x + "/"; example = "keycloak.example.com/auth"; description = '' The public URL used as base for all frontend requests. Should @@ -84,105 +85,126 @@ in ''; }; - certificatePrivateKeyBundle = lib.mkOption { + sslCertificate = lib.mkOption { type = lib.types.nullOr lib.types.path; default = null; example = "/run/keys/ssl_cert"; description = '' - The path to a PEM formatted bundle of the private key and - certificate to use for TLS connections. + The path to a PEM formatted certificate to use for TLS/SSL + connections. This should be a string, not a Nix path, since Nix paths are copied into the world-readable Nix store. ''; }; - databaseType = lib.mkOption { - type = lib.types.enum [ "mysql" "postgresql" ]; - default = "postgresql"; - example = "mysql"; + sslCertificateKey = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/run/keys/ssl_key"; description = '' - The type of database Keycloak should connect to. - ''; - }; + The path to a PEM formatted private key to use for TLS/SSL + connections. - databaseHost = lib.mkOption { - type = lib.types.str; - default = "localhost"; - description = '' - Hostname of the database to connect to. + This should be a string, not a Nix path, since Nix paths are + copied into the world-readable Nix store. ''; }; - databasePort = - let - dbPorts = { - postgresql = 5432; - mysql = 3306; - }; - in - lib.mkOption { - type = lib.types.port; - default = dbPorts.${cfg.databaseType}; - description = '' - Port of the database to connect to. - ''; - }; + database = { + type = lib.mkOption { + type = lib.types.enum [ "mysql" "postgresql" ]; + default = "postgresql"; + example = "mysql"; + description = '' + The type of database Keycloak should connect to. + ''; + }; - databaseUseSSL = lib.mkOption { - type = lib.types.bool; - default = cfg.databaseHost != "localhost"; - description = '' - Whether the database connection should be secured by SSL / - TLS. - ''; - }; + host = lib.mkOption { + type = lib.types.str; + default = "localhost"; + description = '' + Hostname of the database to connect to. + ''; + }; - databaseCaCert = lib.mkOption { - type = lib.types.nullOr lib.types.path; - default = null; - description = '' - The SSL / TLS CA certificate that verifies the identity of the - database server. + port = + let + dbPorts = { + postgresql = 5432; + mysql = 3306; + }; + in + lib.mkOption { + type = lib.types.port; + default = dbPorts.${cfg.database.type}; + description = '' + Port of the database to connect to. + ''; + }; - Required when PostgreSQL is used and SSL is turned on. + useSSL = lib.mkOption { + type = lib.types.bool; + default = cfg.database.host != "localhost"; + description = '' + Whether the database connection should be secured by SSL / + TLS. + ''; + }; - For MySQL, if left at <literal>null</literal>, the default - Java keystore is used, which should suffice if the server - certificate is issued by an official CA. - ''; - }; + caCert = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = '' + The SSL / TLS CA certificate that verifies the identity of the + database server. - databaseCreateLocally = lib.mkOption { - type = lib.types.bool; - default = true; - description = '' - Whether a database should be automatically created on the - local host. Set this to false if you plan on provisioning a - local database yourself. This has no effect if - services.keycloak.databaseHost is customized. - ''; - }; + Required when PostgreSQL is used and SSL is turned on. - databaseUsername = lib.mkOption { - type = lib.types.str; - default = "keycloak"; - description = '' - Username to use when connecting to an external or manually - provisioned database; has no effect when a local database is - automatically provisioned. - ''; - }; + For MySQL, if left at <literal>null</literal>, the default + Java keystore is used, which should suffice if the server + certificate is issued by an official CA. + ''; + }; - databasePasswordFile = lib.mkOption { - type = lib.types.path; - example = "/run/keys/db_password"; - description = '' - File containing the database password. + createLocally = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Whether a database should be automatically created on the + local host. Set this to false if you plan on provisioning a + local database yourself. This has no effect if + services.keycloak.database.host is customized. + ''; + }; - This should be a string, not a Nix path, since Nix paths are - copied into the world-readable Nix store. - ''; + username = lib.mkOption { + type = lib.types.str; + default = "keycloak"; + description = '' + Username to use when connecting to an external or manually + provisioned database; has no effect when a local database is + automatically provisioned. + + To use this with a local database, set <xref + linkend="opt-services.keycloak.database.createLocally" /> to + <literal>false</literal> and create the database and user + manually. The database should be called + <literal>keycloak</literal>. + ''; + }; + + passwordFile = lib.mkOption { + type = lib.types.path; + example = "/run/keys/db_password"; + description = '' + File containing the database password. + + This should be a string, not a Nix path, since Nix paths are + copied into the world-readable Nix store. + ''; + }; }; package = lib.mkOption { @@ -255,12 +277,12 @@ in config = let # We only want to create a database if we're actually going to connect to it. - databaseActuallyCreateLocally = cfg.databaseCreateLocally && cfg.databaseHost == "localhost"; - createLocalPostgreSQL = databaseActuallyCreateLocally && cfg.databaseType == "postgresql"; - createLocalMySQL = databaseActuallyCreateLocally && cfg.databaseType == "mysql"; + databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == "localhost"; + createLocalPostgreSQL = databaseActuallyCreateLocally && cfg.database.type == "postgresql"; + createLocalMySQL = databaseActuallyCreateLocally && cfg.database.type == "mysql"; mySqlCaKeystore = pkgs.runCommandNoCC "mysql-ca-keystore" {} '' - ${pkgs.jre}/bin/keytool -importcert -trustcacerts -alias MySQLCACert -file ${cfg.databaseCaCert} -keystore $out -storepass notsosecretpassword -noprompt + ${pkgs.jre}/bin/keytool -importcert -trustcacerts -alias MySQLCACert -file ${cfg.database.caCert} -keystore $out -storepass notsosecretpassword -noprompt ''; keycloakConfig' = builtins.foldl' lib.recursiveUpdate { @@ -276,11 +298,11 @@ in }; "subsystem=datasources"."data-source=KeycloakDS" = { max-pool-size = "20"; - user-name = if databaseActuallyCreateLocally then "keycloak" else cfg.databaseUsername; + user-name = if databaseActuallyCreateLocally then "keycloak" else cfg.database.username; password = "@db-password@"; }; } [ - (lib.optionalAttrs (cfg.databaseType == "postgresql") { + (lib.optionalAttrs (cfg.database.type == "postgresql") { "subsystem=datasources" = { "jdbc-driver=postgresql" = { driver-module-name = "org.postgresql"; @@ -288,16 +310,16 @@ in driver-xa-datasource-class-name = "org.postgresql.xa.PGXADataSource"; }; "data-source=KeycloakDS" = { - connection-url = "jdbc:postgresql://${cfg.databaseHost}:${builtins.toString cfg.databasePort}/keycloak"; + connection-url = "jdbc:postgresql://${cfg.database.host}:${builtins.toString cfg.database.port}/keycloak"; driver-name = "postgresql"; - "connection-properties=ssl".value = lib.boolToString cfg.databaseUseSSL; - } // (lib.optionalAttrs (cfg.databaseCaCert != null) { - "connection-properties=sslrootcert".value = cfg.databaseCaCert; + "connection-properties=ssl".value = lib.boolToString cfg.database.useSSL; + } // (lib.optionalAttrs (cfg.database.caCert != null) { + "connection-properties=sslrootcert".value = cfg.database.caCert; "connection-properties=sslmode".value = "verify-ca"; }); }; }) - (lib.optionalAttrs (cfg.databaseType == "mysql") { + (lib.optionalAttrs (cfg.database.type == "mysql") { "subsystem=datasources" = { "jdbc-driver=mysql" = { driver-module-name = "com.mysql"; @@ -305,22 +327,22 @@ in driver-class-name = "com.mysql.jdbc.Driver"; }; "data-source=KeycloakDS" = { - connection-url = "jdbc:mysql://${cfg.databaseHost}:${builtins.toString cfg.databasePort}/keycloak"; + connection-url = "jdbc:mysql://${cfg.database.host}:${builtins.toString cfg.database.port}/keycloak"; driver-name = "mysql"; - "connection-properties=useSSL".value = lib.boolToString cfg.databaseUseSSL; - "connection-properties=requireSSL".value = lib.boolToString cfg.databaseUseSSL; - "connection-properties=verifyServerCertificate".value = lib.boolToString cfg.databaseUseSSL; + "connection-properties=useSSL".value = lib.boolToString cfg.database.useSSL; + "connection-properties=requireSSL".value = lib.boolToString cfg.database.useSSL; + "connection-properties=verifyServerCertificate".value = lib.boolToString cfg.database.useSSL; "connection-properties=characterEncoding".value = "UTF-8"; valid-connection-checker-class-name = "org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"; validate-on-match = true; exception-sorter-class-name = "org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"; - } // (lib.optionalAttrs (cfg.databaseCaCert != null) { + } // (lib.optionalAttrs (cfg.database.caCert != null) { "connection-properties=trustCertificateKeyStoreUrl".value = "file:${mySqlCaKeystore}"; "connection-properties=trustCertificateKeyStorePassword".value = "notsosecretpassword"; }); }; }) - (lib.optionalAttrs (cfg.certificatePrivateKeyBundle != null) { + (lib.optionalAttrs (cfg.sslCertificate != null && cfg.sslCertificateKey != null) { "socket-binding-group=standard-sockets"."socket-binding=https".port = cfg.httpsPort; "core-service=management"."security-realm=UndertowRealm"."server-identity=ssl" = { keystore-path = "/run/keycloak/ssl/certificate_private_key_bundle.p12"; @@ -531,7 +553,9 @@ in jbossCliScript = pkgs.writeText "jboss-cli-script" (mkJbossScript keycloakConfig'); - keycloakConfig = pkgs.runCommandNoCC "keycloak-config" {} '' + keycloakConfig = pkgs.runCommandNoCC "keycloak-config" { + nativeBuildInputs = [ cfg.package ]; + } '' export JBOSS_BASE_DIR="$(pwd -P)"; export JBOSS_MODULEPATH="${cfg.package}/modules"; export JBOSS_LOG_DIR="$JBOSS_BASE_DIR/log"; @@ -541,11 +565,11 @@ in mkdir -p {deployments,ssl} - "${cfg.package}/bin/standalone.sh"& + standalone.sh& attempt=1 max_attempts=30 - while ! ${cfg.package}/bin/jboss-cli.sh --connect ':read-attribute(name=server-state)'; do + while ! jboss-cli.sh --connect ':read-attribute(name=server-state)'; do if [[ "$attempt" == "$max_attempts" ]]; then echo "ERROR: Could not connect to Keycloak after $attempt attempts! Failing.." >&2 exit 1 @@ -555,7 +579,7 @@ in (( attempt++ )) done - ${cfg.package}/bin/jboss-cli.sh --connect --file=${jbossCliScript} --echo-command + jboss-cli.sh --connect --file=${jbossCliScript} --echo-command cp configuration/standalone.xml $out ''; @@ -564,8 +588,8 @@ in assertions = [ { - assertion = (cfg.databaseUseSSL && cfg.databaseType == "postgresql") -> (cfg.databaseCaCert != null); - message = "A CA certificate must be specified (in 'services.keycloak.databaseCaCert') when PostgreSQL is used with SSL"; + assertion = (cfg.database.useSSL && cfg.database.type == "postgresql") -> (cfg.database.caCert != null); + message = "A CA certificate must be specified (in 'services.keycloak.database.caCert') when PostgreSQL is used with SSL"; } ]; @@ -575,6 +599,7 @@ in after = [ "postgresql.service" ]; before = [ "keycloak.service" ]; bindsTo = [ "postgresql.service" ]; + path = [ config.services.postgresql.package ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; @@ -582,13 +607,15 @@ in Group = "postgres"; }; script = '' - set -eu + set -o errexit -o pipefail -o nounset -o errtrace + shopt -s inherit_errexit - PSQL=${config.services.postgresql.package}/bin/psql + create_role="$(mktemp)" + trap 'rm -f "$create_role"' ERR EXIT - db_password="$(<'${cfg.databasePasswordFile}')" - $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || $PSQL -tAc "CREATE ROLE keycloak WITH LOGIN PASSWORD '$db_password' CREATEDB" - $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "keycloak" OWNER "keycloak"' + echo "CREATE ROLE keycloak WITH LOGIN PASSWORD '$(<'${cfg.database.passwordFile}')' CREATEDB" > "$create_role" + psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || psql -tA --file="$create_role" + psql -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || psql -tAc 'CREATE DATABASE "keycloak" OWNER "keycloak"' ''; }; @@ -596,6 +623,7 @@ in after = [ "mysql.service" ]; before = [ "keycloak.service" ]; bindsTo = [ "mysql.service" ]; + path = [ config.services.mysql.package ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; @@ -603,13 +631,14 @@ in Group = config.services.mysql.group; }; script = '' - set -eu + set -o errexit -o pipefail -o nounset -o errtrace + shopt -s inherit_errexit - db_password="$(<'${cfg.databasePasswordFile}')" + db_password="$(<'${cfg.database.passwordFile}')" ( echo "CREATE USER IF NOT EXISTS 'keycloak'@'localhost' IDENTIFIED BY '$db_password';" echo "CREATE DATABASE keycloak CHARACTER SET utf8 COLLATE utf8_unicode_ci;" echo "GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'localhost';" - ) | ${config.services.mysql.package}/bin/mysql -N + ) | mysql -N ''; }; @@ -627,6 +656,11 @@ in after = databaseServices; bindsTo = databaseServices; wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ + cfg.package + openssl + replace-secret + ]; environment = { JBOSS_LOG_DIR = "/var/log/keycloak"; JBOSS_BASE_DIR = "/run/keycloak"; @@ -635,29 +669,38 @@ in serviceConfig = { ExecStartPre = let startPreFullPrivileges = '' - set -eu + set -o errexit -o pipefail -o nounset -o errtrace + shopt -s inherit_errexit - install -T -m 0400 -o keycloak -g keycloak '${cfg.databasePasswordFile}' /run/keycloak/secrets/db_password - '' + lib.optionalString (cfg.certificatePrivateKeyBundle != null) '' - install -T -m 0400 -o keycloak -g keycloak '${cfg.certificatePrivateKeyBundle}' /run/keycloak/secrets/ssl_cert_pk_bundle + umask u=rwx,g=,o= + + install -T -m 0400 -o keycloak -g keycloak '${cfg.database.passwordFile}' /run/keycloak/secrets/db_password + '' + lib.optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) '' + install -T -m 0400 -o keycloak -g keycloak '${cfg.sslCertificate}' /run/keycloak/secrets/ssl_cert + install -T -m 0400 -o keycloak -g keycloak '${cfg.sslCertificateKey}' /run/keycloak/secrets/ssl_key ''; startPre = '' - set -eu + set -o errexit -o pipefail -o nounset -o errtrace + shopt -s inherit_errexit + + umask u=rwx,g=,o= install -m 0600 ${cfg.package}/standalone/configuration/*.properties /run/keycloak/configuration install -T -m 0600 ${keycloakConfig} /run/keycloak/configuration/standalone.xml - db_password="$(</run/keycloak/secrets/db_password)" - ${pkgs.replace}/bin/replace-literal -fe '@db-password@' "$db_password" /run/keycloak/configuration/standalone.xml + replace-secret '@db-password@' '/run/keycloak/secrets/db_password' /run/keycloak/configuration/standalone.xml export JAVA_OPTS=-Djboss.server.config.user.dir=/run/keycloak/configuration - ${cfg.package}/bin/add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}' - '' + lib.optionalString (cfg.certificatePrivateKeyBundle != null) '' + add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}' + '' + lib.optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) '' pushd /run/keycloak/ssl/ - cat /run/keycloak/secrets/ssl_cert_pk_bundle <(echo) /etc/ssl/certs/ca-certificates.crt > allcerts.pem - ${pkgs.openssl}/bin/openssl pkcs12 -export -in /run/keycloak/secrets/ssl_cert_pk_bundle -chain \ - -name "${cfg.frontendUrl}" -out certificate_private_key_bundle.p12 \ - -CAfile allcerts.pem -passout pass:notsosecretpassword + cat /run/keycloak/secrets/ssl_cert <(echo) \ + /run/keycloak/secrets/ssl_key <(echo) \ + /etc/ssl/certs/ca-certificates.crt \ + > allcerts.pem + openssl pkcs12 -export -in /run/keycloak/secrets/ssl_cert -inkey /run/keycloak/secrets/ssl_key -chain \ + -name "${cfg.frontendUrl}" -out certificate_private_key_bundle.p12 \ + -CAfile allcerts.pem -passout pass:notsosecretpassword popd ''; in [ @@ -689,4 +732,5 @@ in }; meta.doc = ./keycloak.xml; + meta.maintainers = [ lib.maintainers.talyz ]; } diff --git a/nixos/modules/services/web-apps/keycloak.xml b/nixos/modules/services/web-apps/keycloak.xml index ca5e223eee467..7ba656c20f166 100644 --- a/nixos/modules/services/web-apps/keycloak.xml +++ b/nixos/modules/services/web-apps/keycloak.xml @@ -41,31 +41,31 @@ <productname>PostgreSQL</productname> or <productname>MySQL</productname>. Which one is used can be configured in <xref - linkend="opt-services.keycloak.databaseType" />. The selected + linkend="opt-services.keycloak.database.type" />. The selected database will automatically be enabled and a database and role created unless <xref - linkend="opt-services.keycloak.databaseHost" /> is changed from + linkend="opt-services.keycloak.database.host" /> is changed from its default of <literal>localhost</literal> or <xref - linkend="opt-services.keycloak.databaseCreateLocally" /> is set + linkend="opt-services.keycloak.database.createLocally" /> is set to <literal>false</literal>. </para> <para> External database access can also be configured by setting - <xref linkend="opt-services.keycloak.databaseHost" />, <xref - linkend="opt-services.keycloak.databaseUsername" />, <xref - linkend="opt-services.keycloak.databaseUseSSL" /> and <xref - linkend="opt-services.keycloak.databaseCaCert" /> as + <xref linkend="opt-services.keycloak.database.host" />, <xref + linkend="opt-services.keycloak.database.username" />, <xref + linkend="opt-services.keycloak.database.useSSL" /> and <xref + linkend="opt-services.keycloak.database.caCert" /> as appropriate. Note that you need to manually create a database called <literal>keycloak</literal> and allow the configured database user full access to it. </para> <para> - <xref linkend="opt-services.keycloak.databasePasswordFile" /> + <xref linkend="opt-services.keycloak.database.passwordFile" /> must be set to the path to a file containing the password used - to log in to the database. If <xref linkend="opt-services.keycloak.databaseHost" /> - and <xref linkend="opt-services.keycloak.databaseCreateLocally" /> + to log in to the database. If <xref linkend="opt-services.keycloak.database.host" /> + and <xref linkend="opt-services.keycloak.database.createLocally" /> are kept at their defaults, the database role <literal>keycloak</literal> with that password is provisioned on the local database instance. @@ -115,17 +115,17 @@ </para> <para> - For HTTPS support, a TLS certificate and private key is - required. They should be <link + HTTPS support requires a TLS/SSL certificate and a private key, + both <link xlink:href="https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail">PEM - formatted</link> and concatenated into a single file. The path - to this file should be configured in - <xref linkend="opt-services.keycloak.certificatePrivateKeyBundle" />. + formatted</link>. Their paths should be set through <xref + linkend="opt-services.keycloak.sslCertificate" /> and <xref + linkend="opt-services.keycloak.sslCertificateKey" />. </para> <warning> <para> - The path should be provided as a string, not a Nix path, + The paths should be provided as a strings, not a Nix paths, since Nix paths are copied into the world readable Nix store. </para> </warning> @@ -195,8 +195,9 @@ services.keycloak = { <link linkend="opt-services.keycloak.initialAdminPassword">initialAdminPassword</link> = "e6Wcm0RrtegMEHl"; # change on first login <link linkend="opt-services.keycloak.frontendUrl">frontendUrl</link> = "https://keycloak.example.com/auth"; <link linkend="opt-services.keycloak.forceBackendUrlToFrontendUrl">forceBackendUrlToFrontendUrl</link> = true; - <link linkend="opt-services.keycloak.certificatePrivateKeyBundle">certificatePrivateKeyBundle</link> = "/run/keys/ssl_cert"; - <link linkend="opt-services.keycloak.databasePasswordFile">databasePasswordFile</link> = "/run/keys/db_password"; + <link linkend="opt-services.keycloak.sslCertificate">sslCertificate</link> = "/run/keys/ssl_cert"; + <link linkend="opt-services.keycloak.sslCertificateKey">sslCertificateKey</link> = "/run/keys/ssl_key"; + <link linkend="opt-services.keycloak.database.passwordFile">database.passwordFile</link> = "/run/keys/db_password"; }; </programlisting> </para> diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix index 16e8ae2ec0b2c..5e24bd06ffdbe 100644 --- a/nixos/modules/services/web-apps/mastodon.nix +++ b/nixos/modules/services/web-apps/mastodon.nix @@ -31,6 +31,8 @@ let // (if cfg.smtp.authenticate then { SMTP_LOGIN = cfg.smtp.user; } else {}) // cfg.extraConfig; + systemCallsList = [ "@clock" "@cpu-emulation" "@debug" "@keyring" "@module" "@mount" "@obsolete" "@raw-io" "@reboot" "@setuid" "@swap" ]; + cfgService = { # User and group User = cfg.user; @@ -68,7 +70,6 @@ let PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; - SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @reboot @resources @setuid @swap"; }; envFile = pkgs.writeText "mastodon.env" (lib.concatMapStrings (s: s + "\n") ( @@ -432,6 +433,8 @@ in { serviceConfig = { Type = "oneshot"; WorkingDirectory = cfg.package; + # System Call Filtering + SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]); } // cfgService; after = [ "network.target" ]; @@ -445,10 +448,10 @@ in { join pg_namespace s on s.oid = c.relnamespace \ where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \ and s.nspname not like 'pg_temp%';" | sed -n 3p` -eq 0 ]; then - SAFETY_ASSURED=1 rake db:schema:load - rake db:seed + SAFETY_ASSURED=1 rails db:schema:load + rails db:seed else - rake db:migrate + rails db:migrate fi ''; path = [ cfg.package pkgs.postgresql ]; @@ -457,6 +460,8 @@ in { Type = "oneshot"; EnvironmentFile = "/var/lib/mastodon/.secrets_env"; WorkingDirectory = cfg.package; + # System Call Filtering + SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]); } // cfgService; after = [ "mastodon-init-dirs.service" "network.target" ] ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []); wantedBy = [ "multi-user.target" ]; @@ -481,6 +486,8 @@ in { # Runtime directory and mode RuntimeDirectory = "mastodon-streaming"; RuntimeDirectoryMode = "0750"; + # System Call Filtering + SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@privileged" "@resources" ]); } // cfgService; }; @@ -503,6 +510,8 @@ in { # Runtime directory and mode RuntimeDirectory = "mastodon-web"; RuntimeDirectoryMode = "0750"; + # System Call Filtering + SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]); } // cfgService; path = with pkgs; [ file imagemagick ffmpeg ]; }; @@ -522,6 +531,8 @@ in { RestartSec = 20; EnvironmentFile = "/var/lib/mastodon/.secrets_env"; WorkingDirectory = cfg.package; + # System Call Filtering + SystemCallFilter = "~" + lib.concatStringsSep " " systemCallsList; } // cfgService; path = with pkgs; [ file imagemagick ffmpeg ]; }; diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 9a541aba6e43b..545deaa905f20 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -10,7 +10,7 @@ let extensions = { enabled, all }: (with all; enabled - ++ optional (!cfg.disableImagemagick) imagick + ++ optional cfg.enableImagemagick imagick # Optionally enabled depending on caching settings ++ optional cfg.caching.apcu apcu ++ optional cfg.caching.redis redis @@ -63,6 +63,9 @@ in { Further details about this can be found in the `Nextcloud`-section of the NixOS-manual (which can be openend e.g. by running `nixos-help`). '') + (mkRemovedOptionModule [ "services" "nextcloud" "disableImagemagick" ] '' + Use services.nextcloud.nginx.enableImagemagick instead. + '') ]; options.services.nextcloud = { @@ -303,16 +306,14 @@ in { }; }; - disableImagemagick = mkOption { - type = types.bool; - default = false; - description = '' - Whether to not load the ImageMagick module into PHP. + enableImagemagick = mkEnableOption '' + Whether to load the ImageMagick module into PHP. This is used by the theming app and for generating previews of certain images (e.g. SVG and HEIF). You may want to disable it for increased security. In that case, previews will still be available for some images (e.g. JPEG and PNG). See https://github.com/nextcloud/server/issues/13099 - ''; + '' // { + default = true; }; caching = { @@ -607,6 +608,7 @@ in { home = "${cfg.home}"; group = "nextcloud"; createHome = true; + isSystemUser = true; }; users.groups.nextcloud.members = [ "nextcloud" config.services.nginx.user ]; diff --git a/nixos/modules/services/web-apps/shiori.nix b/nixos/modules/services/web-apps/shiori.nix index 8f96dd9b5dd7a..a15bb9744a9c5 100644 --- a/nixos/modules/services/web-apps/shiori.nix +++ b/nixos/modules/services/web-apps/shiori.nix @@ -86,10 +86,7 @@ in { SystemCallErrorNumber = "EPERM"; SystemCallFilter = [ "@system-service" - - "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" - "~@module" "~@obsolete" "~@privileged" "~@raw-io" - "~@resources" "~@setuid" + "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@resources" "~@setuid" ]; }; }; diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index b2bb5055cd4c4..a7b93c9c45984 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -15,11 +15,9 @@ let apachectl = pkgs.runCommand "apachectl" { meta.priority = -1; } '' mkdir -p $out/bin cp ${pkg}/bin/apachectl $out/bin/apachectl - sed -i $out/bin/apachectl -e 's|$HTTPD -t|$HTTPD -t -f ${httpdConf}|' + sed -i $out/bin/apachectl -e 's|$HTTPD -t|$HTTPD -t -f /etc/httpd/httpd.conf|' ''; - httpdConf = cfg.configFile; - php = cfg.phpPackage.override { apacheHttpd = pkg; }; phpModuleName = let @@ -682,6 +680,8 @@ in }) (filter (hostOpts: hostOpts.useACMEHost == null) acmeEnabledVhosts); in listToAttrs acmePairs; + # httpd requires a stable path to the configuration file for reloads + environment.etc."httpd/httpd.conf".source = cfg.configFile; environment.systemPackages = [ apachectl pkg @@ -753,6 +753,7 @@ in wants = concatLists (map (certName: [ "acme-finished-${certName}.target" ]) dependentCertNames); after = [ "network.target" ] ++ map (certName: "acme-selfsigned-${certName}.service") dependentCertNames; before = map (certName: "acme-${certName}.service") dependentCertNames; + restartTriggers = [ cfg.configFile ]; path = [ pkg pkgs.coreutils pkgs.gnugrep ]; @@ -771,9 +772,9 @@ in ''; serviceConfig = { - ExecStart = "@${pkg}/bin/httpd httpd -f ${httpdConf}"; - ExecStop = "${pkg}/bin/httpd -f ${httpdConf} -k graceful-stop"; - ExecReload = "${pkg}/bin/httpd -f ${httpdConf} -k graceful"; + ExecStart = "@${pkg}/bin/httpd httpd -f /etc/httpd/httpd.conf"; + ExecStop = "${pkg}/bin/httpd -f /etc/httpd/httpd.conf -k graceful-stop"; + ExecReload = "${pkg}/bin/httpd -f /etc/httpd/httpd.conf -k graceful"; User = cfg.user; Group = cfg.group; Type = "forking"; @@ -800,6 +801,7 @@ in # certs are updated _after_ config has been reloaded. before = sslTargets; after = sslServices; + restartTriggers = [ cfg.configFile ]; # Block reloading if not all certs exist yet. # Happens when config changes add new vhosts/certs. unitConfig.ConditionPathExists = map (certName: certs.${certName}.directory + "/fullchain.pem") dependentCertNames; @@ -807,7 +809,7 @@ in Type = "oneshot"; TimeoutSec = 60; ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active httpd.service"; - ExecStartPre = "${pkg}/bin/httpd -f ${httpdConf} -t"; + ExecStartPre = "${pkg}/bin/httpd -f /etc/httpd/httpd.conf -t"; ExecStart = "/run/current-system/systemd/bin/systemctl reload httpd.service"; }; }; diff --git a/nixos/modules/services/web-servers/caddy.nix b/nixos/modules/services/web-servers/caddy.nix index 6ecfc113ca26b..955b9756406d5 100644 --- a/nixos/modules/services/web-servers/caddy.nix +++ b/nixos/modules/services/web-servers/caddy.nix @@ -63,6 +63,18 @@ in { ''; }; + user = mkOption { + default = "caddy"; + type = types.str; + description = "User account under which caddy runs."; + }; + + group = mkOption { + default = "caddy"; + type = types.str; + description = "Group account under which caddy runs."; + }; + adapter = mkOption { default = "caddyfile"; example = "nginx"; @@ -123,8 +135,8 @@ in { ExecStart = "${cfg.package}/bin/caddy run --config ${configJSON}"; ExecReload = "${cfg.package}/bin/caddy reload --config ${configJSON}"; Type = "simple"; - User = "caddy"; - Group = "caddy"; + User = cfg.user; + Group = cfg.group; Restart = "on-abnormal"; AmbientCapabilities = "cap_net_bind_service"; CapabilityBoundingSet = "cap_net_bind_service"; @@ -142,13 +154,18 @@ in { }; }; - users.users.caddy = { - group = "caddy"; - uid = config.ids.uids.caddy; - home = cfg.dataDir; - createHome = true; + users.users = optionalAttrs (cfg.user == "caddy") { + caddy = { + group = cfg.group; + uid = config.ids.uids.caddy; + home = cfg.dataDir; + createHome = true; + }; + }; + + users.groups = optionalAttrs (cfg.group == "caddy") { + caddy.gid = config.ids.gids.caddy; }; - users.groups.caddy.gid = config.ids.uids.caddy; }; } diff --git a/nixos/modules/services/web-servers/minio.nix b/nixos/modules/services/web-servers/minio.nix index cd123000f0094..381a55faff168 100644 --- a/nixos/modules/services/web-servers/minio.nix +++ b/nixos/modules/services/web-servers/minio.nix @@ -18,9 +18,9 @@ in }; dataDir = mkOption { - default = "/var/lib/minio/data"; - type = types.path; - description = "The data directory, for storing the objects."; + default = [ "/var/lib/minio/data" ]; + type = types.listOf types.path; + description = "The list of data directories for storing the objects. Use one path for regular operation and the minimum of 4 endpoints for Erasure Code mode."; }; configDir = mkOption { @@ -74,15 +74,14 @@ in config = mkIf cfg.enable { systemd.tmpfiles.rules = [ "d '${cfg.configDir}' - minio minio - -" - "d '${cfg.dataDir}' - minio minio - -" - ]; + ] ++ (map (x: "d '" + x + "' - minio minio - - ") cfg.dataDir); systemd.services.minio = { description = "Minio Object Storage"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = "${cfg.package}/bin/minio server --json --address ${cfg.listenAddress} --config-dir=${cfg.configDir} ${cfg.dataDir}"; + ExecStart = "${cfg.package}/bin/minio server --json --address ${cfg.listenAddress} --config-dir=${cfg.configDir} ${toString cfg.dataDir}"; Type = "simple"; User = "minio"; Group = "minio"; diff --git a/nixos/modules/services/web-servers/molly-brown.nix b/nixos/modules/services/web-servers/molly-brown.nix index e0587f3b47163..58db9b9beda06 100644 --- a/nixos/modules/services/web-servers/molly-brown.nix +++ b/nixos/modules/services/web-servers/molly-brown.nix @@ -41,7 +41,6 @@ in { As an example: <programlisting> - security.acme.certs."example.com".allowKeysForGroup = true; systemd.services.molly-brown.serviceConfig.SupplementaryGroups = [ config.security.acme.certs."example.com".group ]; </programlisting> diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 52fcce6d17b41..ebb3c38d6c25b 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -154,10 +154,10 @@ let ${optionalString (cfg.recommendedProxySettings) '' proxy_redirect off; - proxy_connect_timeout 60; - proxy_send_timeout 60; - proxy_read_timeout 60; - proxy_http_version 1.0; + proxy_connect_timeout ${cfg.proxyTimeout}; + proxy_send_timeout ${cfg.proxyTimeout}; + proxy_read_timeout ${cfg.proxyTimeout}; + proxy_http_version 1.1; include ${recommendedProxyConfig}; ''} @@ -230,13 +230,13 @@ let defaultListen = if vhost.listen != [] then vhost.listen - else ((optionals hasSSL ( - singleton { addr = "0.0.0.0"; port = 443; ssl = true; } - ++ optional enableIPv6 { addr = "[::]"; port = 443; ssl = true; } - )) ++ optionals (!onlySSL) ( - singleton { addr = "0.0.0.0"; port = 80; ssl = false; } - ++ optional enableIPv6 { addr = "[::]"; port = 80; ssl = false; } - )); + else optionals (hasSSL || vhost.rejectSSL) ( + singleton { addr = "0.0.0.0"; port = 443; ssl = true; } + ++ optional enableIPv6 { addr = "[::]"; port = 443; ssl = true; } + ) ++ optionals (!onlySSL) ( + singleton { addr = "0.0.0.0"; port = 80; ssl = false; } + ++ optional enableIPv6 { addr = "[::]"; port = 80; ssl = false; } + ); hostListen = if vhost.forceSSL @@ -249,7 +249,15 @@ let + optionalString (ssl && vhost.http2) "http2 " + optionalString vhost.default "default_server " + optionalString (extraParameters != []) (concatStringsSep " " extraParameters) - + ";"; + + ";" + + (if ssl && vhost.http3 then '' + # UDP listener for **QUIC+HTTP/3 + listen ${addr}:${toString port} http3 reuseport; + # Advertise that HTTP/3 is available + add_header Alt-Svc 'h3=":443"'; + # Sent when QUIC was used + add_header QUIC-Status $quic; + '' else ""); redirectListen = filter (x: !x.ssl) defaultListen; @@ -295,6 +303,9 @@ let ${optionalString (hasSSL && vhost.sslTrustedCertificate != null) '' ssl_trusted_certificate ${vhost.sslTrustedCertificate}; ''} + ${optionalString vhost.rejectSSL '' + ssl_reject_handshake on; + ''} ${mkBasicAuth vhostName vhost} @@ -393,6 +404,15 @@ in "; }; + proxyTimeout = mkOption { + type = types.str; + default = "60s"; + example = "20s"; + description = " + Change the proxy related timeouts in recommendedProxySettings. + "; + }; + package = mkOption { default = pkgs.nginxStable; defaultText = "pkgs.nginxStable"; @@ -676,6 +696,7 @@ in Defines the address and other parameters of the upstream servers. ''; default = {}; + example = { "127.0.0.1:8000" = {}; }; }; extraConfig = mkOption { type = types.lines; @@ -690,6 +711,14 @@ in Defines a group of servers to use as proxy target. ''; default = {}; + example = literalExample '' + "backend_server" = { + servers = { "127.0.0.1:8000" = {}; }; + extraConfig = '''' + keepalive 16; + ''''; + }; + ''; }; virtualHosts = mkOption { @@ -745,20 +774,27 @@ in } { - assertion = all (conf: with conf; - !(addSSL && (onlySSL || enableSSL)) && - !(forceSSL && (onlySSL || enableSSL)) && - !(addSSL && forceSSL) + assertion = all (host: with host; + count id [ addSSL (onlySSL || enableSSL) forceSSL rejectSSL ] <= 1 ) (attrValues virtualHosts); message = '' Options services.nginx.service.virtualHosts.<name>.addSSL, - services.nginx.virtualHosts.<name>.onlySSL and services.nginx.virtualHosts.<name>.forceSSL - are mutually exclusive. + services.nginx.virtualHosts.<name>.onlySSL, + services.nginx.virtualHosts.<name>.forceSSL and + services.nginx.virtualHosts.<name>.rejectSSL are mutually exclusive. + ''; + } + + { + assertion = any (host: host.rejectSSL) (attrValues virtualHosts) -> versionAtLeast cfg.package.version "1.19.4"; + message = '' + services.nginx.virtualHosts.<name>.rejectSSL requires nginx version + 1.19.4 or above; see the documentation for services.nginx.package. ''; } { - assertion = all (conf: !(conf.enableACME && conf.useACMEHost != null)) (attrValues virtualHosts); + assertion = all (host: !(host.enableACME && host.useACMEHost != null)) (attrValues virtualHosts); message = '' Options services.nginx.service.virtualHosts.<name>.enableACME and services.nginx.virtualHosts.<name>.useACMEHost are mutually exclusive. @@ -802,28 +838,38 @@ in # Logs directory and mode LogsDirectory = "nginx"; LogsDirectoryMode = "0750"; + # Proc filesystem + ProcSubset = "pid"; + ProtectProc = "invisible"; + # New file permissions + UMask = "0027"; # 0640 / 0750 # Capabilities AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; # Security NoNewPrivileges = true; - # Sandboxing + # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html) ProtectSystem = "strict"; ProtectHome = mkDefault true; PrivateTmp = true; PrivateDevices = true; ProtectHostname = true; + ProtectClock = true; ProtectKernelTunables = true; ProtectKernelModules = true; + ProtectKernelLogs = true; ProtectControlGroups = true; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; LockPersonality = true; - MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) (optionals (cfg.package ? modules) cfg.package.modules)); + MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules); RestrictRealtime = true; RestrictSUIDSGID = true; + RemoveIPC = true; PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; + SystemCallFilter = "~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid"; }; }; @@ -831,8 +877,9 @@ in source = configFile; }; - # postRun hooks on cert renew can't be used to restart Nginx since renewal - # runs as the unprivileged acme user. sslTargets are added to wantedBy + before + # This service waits for all certificates to be available + # before reloading nginx configuration. + # sslTargets are added to wantedBy + before # which allows the acme-finished-$cert.target to signify the successful updating # of certs end-to-end. systemd.services.nginx-config-reload = let @@ -870,6 +917,7 @@ in users.users = optionalAttrs (cfg.user == "nginx") { nginx = { group = cfg.group; + isSystemUser = true; uid = config.ids.uids.nginx; }; }; diff --git a/nixos/modules/services/web-servers/nginx/gitweb.nix b/nixos/modules/services/web-servers/nginx/gitweb.nix index f7fb07bb79755..11bf2a309ea81 100644 --- a/nixos/modules/services/web-servers/nginx/gitweb.nix +++ b/nixos/modules/services/web-servers/nginx/gitweb.nix @@ -89,6 +89,6 @@ in }; - meta.maintainers = with maintainers; [ gnidorah ]; + meta.maintainers = with maintainers; [ ]; } diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index cf211ea9a71b6..1c7d402447974 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -118,6 +118,18 @@ with lib; ''; }; + rejectSSL = mkOption { + type = types.bool; + default = false; + description = '' + Whether to listen for and reject all HTTPS connections to this vhost. Useful in + <link linkend="opt-services.nginx.virtualHosts._name_.default">default</link> + server blocks to avoid serving the certificate for another vhost. Uses the + <literal>ssl_reject_handshake</literal> directive available in nginx versions + 1.19.4 and above. + ''; + }; + sslCertificate = mkOption { type = types.path; example = "/var/host.cert"; @@ -151,6 +163,19 @@ with lib; ''; }; + http3 = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable HTTP 3. + This requires using <literal>pkgs.nginxQuic</literal> package + which can be achived by setting <literal>services.nginx.package = pkgs.nginxQuic;</literal>. + Note that HTTP 3 support is experimental and + *not* yet recommended for production. + Read more at https://quic.nginx.org/ + ''; + }; + root = mkOption { type = types.nullOr types.path; default = null; diff --git a/nixos/modules/services/web-servers/trafficserver.nix b/nixos/modules/services/web-servers/trafficserver.nix new file mode 100644 index 0000000000000..db0e2ac0bd05a --- /dev/null +++ b/nixos/modules/services/web-servers/trafficserver.nix @@ -0,0 +1,318 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.trafficserver; + user = config.users.users.trafficserver.name; + group = config.users.groups.trafficserver.name; + + getManualUrl = name: "https://docs.trafficserver.apache.org/en/latest/admin-guide/files/${name}.en.html"; + getConfPath = name: "${pkgs.trafficserver}/etc/trafficserver/${name}"; + + yaml = pkgs.formats.yaml { }; + + fromYAML = f: + let + jsonFile = pkgs.runCommand "in.json" + { + nativeBuildInputs = [ pkgs.remarshal ]; + } '' + yaml2json < "${f}" > "$out" + ''; + in + builtins.fromJSON (builtins.readFile jsonFile); + + mkYamlConf = name: cfg: + if cfg != null then { + "trafficserver/${name}.yaml".source = yaml.generate "${name}.yaml" cfg; + } else { + "trafficserver/${name}.yaml".text = ""; + }; + + mkRecordLines = path: value: + if isAttrs value then + lib.mapAttrsToList (n: v: mkRecordLines (path ++ [ n ]) v) value + else if isInt value then + "CONFIG ${concatStringsSep "." path} INT ${toString value}" + else if isFloat value then + "CONFIG ${concatStringsSep "." path} FLOAT ${toString value}" + else + "CONFIG ${concatStringsSep "." path} STRING ${toString value}"; + + mkRecordsConfig = cfg: concatStringsSep "\n" (flatten (mkRecordLines [ ] cfg)); + mkPluginConfig = cfg: concatStringsSep "\n" (map (p: "${p.path} ${p.arg}") cfg); +in +{ + options.services.trafficserver = { + enable = mkEnableOption "Apache Traffic Server"; + + cache = mkOption { + type = types.lines; + default = ""; + example = "dest_domain=example.com suffix=js action=never-cache"; + description = '' + Caching rules that overrule the origin's caching policy. + + Consult the <link xlink:href="${getManualUrl "cache.config"}">upstream + documentation</link> for more details. + ''; + }; + + hosting = mkOption { + type = types.lines; + default = ""; + example = "domain=example.com volume=1"; + description = '' + Partition the cache according to origin server or domain + + Consult the <link xlink:href="${getManualUrl "hosting.config"}"> + upstream documentation</link> for more details. + ''; + }; + + ipAllow = mkOption { + type = types.nullOr yaml.type; + default = fromYAML (getConfPath "ip_allow.yaml"); + defaultText = "upstream defaults"; + example = literalExample { + ip_allow = [{ + apply = "in"; + ip_addrs = "127.0.0.1"; + action = "allow"; + methods = "ALL"; + }]; + }; + description = '' + Control client access to Traffic Server and Traffic Server connections + to upstream servers. + + Consult the <link xlink:href="${getManualUrl "ip_allow.yaml"}">upstream + documentation</link> for more details. + ''; + }; + + logging = mkOption { + type = types.nullOr yaml.type; + default = fromYAML (getConfPath "logging.yaml"); + defaultText = "upstream defaults"; + example = literalExample { }; + description = '' + Configure logs. + + Consult the <link xlink:href="${getManualUrl "logging.yaml"}">upstream + documentation</link> for more details. + ''; + }; + + parent = mkOption { + type = types.lines; + default = ""; + example = '' + dest_domain=. method=get parent="p1.example:8080; p2.example:8080" round_robin=true + ''; + description = '' + Identify the parent proxies used in an cache hierarchy. + + Consult the <link xlink:href="${getManualUrl "parent.config"}">upstream + documentation</link> for more details. + ''; + }; + + plugins = mkOption { + default = [ ]; + + description = '' + Controls run-time loadable plugins available to Traffic Server, as + well as their configuration. + + Consult the <link xlink:href="${getManualUrl "plugin.config"}">upstream + documentation</link> for more details. + ''; + + type = with types; + listOf (submodule { + options.path = mkOption { + type = str; + example = "xdebug.so"; + description = '' + Path to plugin. The path can either be absolute, or relative to + the plugin directory. + ''; + }; + options.arg = mkOption { + type = str; + default = ""; + example = "--header=ATS-My-Debug"; + description = "arguments to pass to the plugin"; + }; + }); + }; + + records = mkOption { + type = with types; + let valueType = (attrsOf (oneOf [ int float str valueType ])) // { + description = "Traffic Server records value"; + }; + in + valueType; + default = { }; + example = literalExample { proxy.config.proxy_name = "my_server"; }; + description = '' + List of configurable variables used by Traffic Server. + + Consult the <link xlink:href="${getManualUrl "records.config"}"> + upstream documentation</link> for more details. + ''; + }; + + remap = mkOption { + type = types.lines; + default = ""; + example = "map http://from.example http://origin.example"; + description = '' + URL remapping rules used by Traffic Server. + + Consult the <link xlink:href="${getManualUrl "remap.config"}"> + upstream documentation</link> for more details. + ''; + }; + + splitDns = mkOption { + type = types.lines; + default = ""; + example = '' + dest_domain=internal.corp.example named="255.255.255.255:212 255.255.255.254" def_domain=corp.example search_list="corp.example corp1.example" + dest_domain=!internal.corp.example named=255.255.255.253 + ''; + description = '' + Specify the DNS server that Traffic Server should use under specific + conditions. + + Consult the <link xlink:href="${getManualUrl "splitdns.config"}"> + upstream documentation</link> for more details. + ''; + }; + + sslMulticert = mkOption { + type = types.lines; + default = ""; + example = "dest_ip=* ssl_cert_name=default.pem"; + description = '' + Configure SSL server certificates to terminate the SSL sessions. + + Consult the <link xlink:href="${getManualUrl "ssl_multicert.config"}"> + upstream documentation</link> for more details. + ''; + }; + + sni = mkOption { + type = types.nullOr yaml.type; + default = null; + example = literalExample { + sni = [{ + fqdn = "no-http2.example.com"; + https = "off"; + }]; + }; + description = '' + Configure aspects of TLS connection handling for both inbound and + outbound connections. + + Consult the <link xlink:href="${getManualUrl "sni.yaml"}">upstream + documentation</link> for more details. + ''; + }; + + storage = mkOption { + type = types.lines; + default = "/var/cache/trafficserver 256M"; + example = "/dev/disk/by-id/XXXXX volume=1"; + description = '' + List all the storage that make up the Traffic Server cache. + + Consult the <link xlink:href="${getManualUrl "storage.config"}"> + upstream documentation</link> for more details. + ''; + }; + + strategies = mkOption { + type = types.nullOr yaml.type; + default = null; + description = '' + Specify the next hop proxies used in an cache hierarchy and the + algorithms used to select the next proxy. + + Consult the <link xlink:href="${getManualUrl "strategies.yaml"}"> + upstream documentation</link> for more details. + ''; + }; + + volume = mkOption { + type = types.nullOr yaml.type; + default = ""; + example = "volume=1 scheme=http size=20%"; + description = '' + Manage cache space more efficiently and restrict disk usage by + creating cache volumes of different sizes. + + Consult the <link xlink:href="${getManualUrl "volume.config"}"> + upstream documentation</link> for more details. + ''; + }; + }; + + config = mkIf cfg.enable { + environment.etc = { + "trafficserver/cache.config".text = cfg.cache; + "trafficserver/hosting.config".text = cfg.hosting; + "trafficserver/parent.config".text = cfg.parent; + "trafficserver/plugin.config".text = mkPluginConfig cfg.plugins; + "trafficserver/records.config".text = mkRecordsConfig cfg.records; + "trafficserver/remap.config".text = cfg.remap; + "trafficserver/splitdns.config".text = cfg.splitDns; + "trafficserver/ssl_multicert.config".text = cfg.sslMulticert; + "trafficserver/storage.config".text = cfg.storage; + "trafficserver/volume.config".text = cfg.volume; + } // (mkYamlConf "ip_allow" cfg.ipAllow) + // (mkYamlConf "logging" cfg.logging) + // (mkYamlConf "sni" cfg.sni) + // (mkYamlConf "strategies" cfg.strategies); + + environment.systemPackages = [ pkgs.trafficserver ]; + systemd.packages = [ pkgs.trafficserver ]; + + # Traffic Server does privilege handling independently of systemd, and + # therefore should be started as root + systemd.services.trafficserver = { + enable = true; + wantedBy = [ "multi-user.target" ]; + }; + + # These directories can't be created by systemd because: + # + # 1. Traffic Servers starts as root and switches to an unprivileged user + # afterwards. The runtime directories defined below are assumed to be + # owned by that user. + # 2. The bin/trafficserver script assumes these directories exist. + systemd.tmpfiles.rules = [ + "d '/run/trafficserver' - ${user} ${group} - -" + "d '/var/cache/trafficserver' - ${user} ${group} - -" + "d '/var/lib/trafficserver' - ${user} ${group} - -" + "d '/var/log/trafficserver' - ${user} ${group} - -" + ]; + + services.trafficserver = { + records.proxy.config.admin.user_id = user; + records.proxy.config.body_factory.template_sets_dir = + "${pkgs.trafficserver}/etc/trafficserver/body_factory"; + }; + + users.users.trafficserver = { + description = "Apache Traffic Server"; + isSystemUser = true; + inherit group; + }; + users.groups.trafficserver = { }; + }; +} diff --git a/nixos/modules/services/x11/desktop-managers/cde.nix b/nixos/modules/services/x11/desktop-managers/cde.nix index 2d9504fb5f1ef..3f1575a0ca637 100644 --- a/nixos/modules/services/x11/desktop-managers/cde.nix +++ b/nixos/modules/services/x11/desktop-managers/cde.nix @@ -68,5 +68,5 @@ in { }]; }; - meta.maintainers = [ maintainers.gnidorah ]; + meta.maintainers = [ ]; } diff --git a/nixos/modules/services/x11/desktop-managers/cinnamon.nix b/nixos/modules/services/x11/desktop-managers/cinnamon.nix index 14dcf009a7d13..101c64c7b3edf 100644 --- a/nixos/modules/services/x11/desktop-managers/cinnamon.nix +++ b/nixos/modules/services/x11/desktop-managers/cinnamon.nix @@ -26,7 +26,7 @@ in sessionPath = mkOption { default = []; type = types.listOf types.package; - example = literalExample "[ pkgs.gnome3.gpaste ]"; + example = literalExample "[ pkgs.gnome.gpaste ]"; description = '' Additional list of packages to be added to the session search path. Useful for GSettings-conditional autostart. @@ -94,8 +94,8 @@ in xapps ]; services.cinnamon.apps.enable = mkDefault true; - services.gnome3.glib-networking.enable = true; - services.gnome3.gnome-keyring.enable = true; + services.gnome.glib-networking.enable = true; + services.gnome.gnome-keyring.enable = true; services.gvfs.enable = true; services.udisks2.enable = true; services.upower.enable = mkDefault config.powerManagement.enable; @@ -110,7 +110,7 @@ in programs.dconf.enable = true; # Enable org.a11y.Bus - services.gnome3.at-spi2-core.enable = true; + services.gnome.at-spi2-core.enable = true; # Fix lockscreen security.pam.services = { @@ -128,6 +128,7 @@ in cinnamon-session cinnamon-desktop cinnamon-menus + cinnamon-translations # utils needed by some scripts killall @@ -135,19 +136,22 @@ in # session requirements cinnamon-screensaver # cinnamon-killer-daemon: provided by cinnamon-common - gnome3.networkmanagerapplet # session requirement - also nm-applet not needed + gnome.networkmanagerapplet # session requirement - also nm-applet not needed + + # For a polkit authentication agent + polkit_gnome # packages nemo cinnamon-control-center cinnamon-settings-daemon - gnome3.libgnomekbd + gnome.libgnomekbd orca # theme - gnome3.adwaita-icon-theme + gnome.adwaita-icon-theme hicolor-icon-theme - gnome3.gnome-themes-extra + gnome.gnome-themes-extra gtk3.out mint-artwork mint-themes @@ -192,7 +196,7 @@ in programs.evince.enable = mkDefault true; programs.file-roller.enable = mkDefault true; - environment.systemPackages = (with pkgs // pkgs.gnome3 // pkgs.cinnamon; pkgs.gnome3.removePackagesByName [ + environment.systemPackages = (with pkgs // pkgs.gnome // pkgs.cinnamon; pkgs.gnome.removePackagesByName [ # cinnamon team apps blueberry warpinator diff --git a/nixos/modules/services/x11/desktop-managers/default.nix b/nixos/modules/services/x11/desktop-managers/default.nix index f5559eb535419..6ee5b0fc54f7b 100644 --- a/nixos/modules/services/x11/desktop-managers/default.nix +++ b/nixos/modules/services/x11/desktop-managers/default.nix @@ -19,7 +19,7 @@ in # E.g., if Plasma 5 is enabled, it supersedes xterm. imports = [ ./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix - ./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix + ./lxqt.nix ./enlightenment.nix ./gnome.nix ./kodi.nix ./mate.nix ./pantheon.nix ./surf-display.nix ./cde.nix ./cinnamon.nix ]; diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome.nix index 99e6edfba26e2..bacada9cbe74c 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome.nix @@ -4,8 +4,8 @@ with lib; let - cfg = config.services.xserver.desktopManager.gnome3; - serviceCfg = config.services.gnome3; + cfg = config.services.xserver.desktopManager.gnome; + serviceCfg = config.services.gnome; # Prioritize nautilus by default when opening directories mimeAppsList = pkgs.writeTextFile { @@ -23,7 +23,7 @@ let ''; nixos-gsettings-desktop-schemas = let - defaultPackages = with pkgs; [ gsettings-desktop-schemas gnome3.gnome-shell ]; + defaultPackages = with pkgs; [ gsettings-desktop-schemas gnome.gnome-shell ]; in pkgs.runCommand "nixos-gsettings-desktop-schemas" { preferLocalBuild = true; } '' @@ -33,10 +33,10 @@ let (pkg: "cp -rf ${pkg}/share/gsettings-schemas/*/glib-2.0/schemas/*.xml $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas\n") (defaultPackages ++ cfg.extraGSettingsOverridePackages)} - cp -f ${pkgs.gnome3.gnome-shell}/share/gsettings-schemas/*/glib-2.0/schemas/*.gschema.override $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas + cp -f ${pkgs.gnome.gnome-shell}/share/gsettings-schemas/*/glib-2.0/schemas/*.gschema.override $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas ${optionalString flashbackEnabled '' - cp -f ${pkgs.gnome3.gnome-flashback}/share/gsettings-schemas/*/glib-2.0/schemas/*.gschema.override $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas + cp -f ${pkgs.gnome.gnome-flashback}/share/gsettings-schemas/*/glib-2.0/schemas/*.gschema.override $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas ''} chmod -R a+w $out/share/gsettings-schemas/nixos-gsettings-overrides @@ -57,19 +57,80 @@ let flashbackEnabled = cfg.flashback.enableMetacity || length cfg.flashback.customSessions > 0; - notExcluded = pkg: mkDefault (!(lib.elem pkg config.environment.gnome3.excludePackages)); + notExcluded = pkg: mkDefault (!(lib.elem pkg config.environment.gnome.excludePackages)); in { meta = { + doc = ./gnome.xml; maintainers = teams.gnome.members; }; + imports = [ + # Added 2021-05-07 + (mkRenamedOptionModule + [ "services" "gnome3" "core-os-services" "enable" ] + [ "services" "gnome" "core-os-services" "enable" ] + ) + (mkRenamedOptionModule + [ "services" "gnome3" "core-shell" "enable" ] + [ "services" "gnome" "core-shell" "enable" ] + ) + (mkRenamedOptionModule + [ "services" "gnome3" "core-utilities" "enable" ] + [ "services" "gnome" "core-utilities" "enable" ] + ) + (mkRenamedOptionModule + [ "services" "gnome3" "core-developer-tools" "enable" ] + [ "services" "gnome" "core-developer-tools" "enable" ] + ) + (mkRenamedOptionModule + [ "services" "gnome3" "games" "enable" ] + [ "services" "gnome" "games" "enable" ] + ) + (mkRenamedOptionModule + [ "services" "gnome3" "experimental-features" "realtime-scheduling" ] + [ "services" "gnome" "experimental-features" "realtime-scheduling" ] + ) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "gnome3" "enable" ] + [ "services" "xserver" "desktopManager" "gnome" "enable" ] + ) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "gnome3" "sessionPath" ] + [ "services" "xserver" "desktopManager" "gnome" "sessionPath" ] + ) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "gnome3" "favoriteAppsOverride" ] + [ "services" "xserver" "desktopManager" "gnome" "favoriteAppsOverride" ] + ) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "gnome3" "extraGSettingsOverrides" ] + [ "services" "xserver" "desktopManager" "gnome" "extraGSettingsOverrides" ] + ) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "gnome3" "extraGSettingsOverridePackages" ] + [ "services" "xserver" "desktopManager" "gnome" "extraGSettingsOverridePackages" ] + ) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "gnome3" "debug" ] + [ "services" "xserver" "desktopManager" "gnome" "debug" ] + ) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "gnome3" "flashback" ] + [ "services" "xserver" "desktopManager" "gnome" "flashback" ] + ) + (mkRenamedOptionModule + [ "environment" "gnome3" "excludePackages" ] + [ "environment" "gnome" "excludePackages" ] + ) + ]; + options = { - services.gnome3 = { + services.gnome = { core-os-services.enable = mkEnableOption "essential services for GNOME3"; core-shell.enable = mkEnableOption "GNOME Shell services"; core-utilities.enable = mkEnableOption "GNOME core utilities"; @@ -109,7 +170,7 @@ in }; }; - services.xserver.desktopManager.gnome3 = { + services.xserver.desktopManager.gnome = { enable = mkOption { type = types.bool; default = false; @@ -119,14 +180,14 @@ in sessionPath = mkOption { default = []; type = types.listOf types.package; - example = literalExample "[ pkgs.gnome3.gpaste ]"; + example = literalExample "[ pkgs.gnome.gpaste ]"; description = '' Additional list of packages to be added to the session search path. Useful for GNOME Shell extensions or GSettings-conditional autostart. Note that this should be a last resort; patching the package is preferred (see GPaste). ''; - apply = list: list ++ [ pkgs.gnome3.gnome-shell pkgs.gnome3.gnome-shell-extensions ]; + apply = list: list ++ [ pkgs.gnome.gnome-shell pkgs.gnome.gnome-shell-extensions ]; }; favoriteAppsOverride = mkOption { @@ -185,9 +246,9 @@ in }; }; - environment.gnome3.excludePackages = mkOption { + environment.gnome.excludePackages = mkOption { default = []; - example = literalExample "[ pkgs.gnome3.totem ]"; + example = literalExample "[ pkgs.gnome.totem ]"; type = types.listOf types.package; description = "Which packages gnome should exclude from the default environment"; }; @@ -200,14 +261,14 @@ in system.nixos-generate-config.desktopConfiguration = ['' # Enable the GNOME 3 Desktop Environment. services.xserver.displayManager.gdm.enable = true; - services.xserver.desktopManager.gnome3.enable = true; + services.xserver.desktopManager.gnome.enable = true; '']; - services.gnome3.core-os-services.enable = true; - services.gnome3.core-shell.enable = true; - services.gnome3.core-utilities.enable = mkDefault true; + services.gnome.core-os-services.enable = true; + services.gnome.core-shell.enable = true; + services.gnome.core-utilities.enable = mkDefault true; - services.xserver.displayManager.sessionPackages = [ pkgs.gnome3.gnome-session.sessions ]; + services.xserver.displayManager.sessionPackages = [ pkgs.gnome.gnome-session.sessions ]; environment.extraInit = '' ${concatMapStrings (p: '' @@ -229,30 +290,25 @@ in # Override GSettings schemas environment.sessionVariables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-desktop-schemas}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas"; - # If gnome3 is installed, build vim for gtk3 too. + # If gnome is installed, build vim for gtk3 too. nixpkgs.config.vim.gui = "gtk3"; - - # Install gnome-software if flatpak is enabled - services.flatpak.guiPackages = [ - pkgs.gnome3.gnome-software - ]; }) (mkIf flashbackEnabled { services.xserver.displayManager.sessionPackages = map - (wm: pkgs.gnome3.gnome-flashback.mkSessionForWm { + (wm: pkgs.gnome.gnome-flashback.mkSessionForWm { inherit (wm) wmName wmLabel wmCommand; }) (optional cfg.flashback.enableMetacity { wmName = "metacity"; wmLabel = "Metacity"; - wmCommand = "${pkgs.gnome3.metacity}/bin/metacity"; + wmCommand = "${pkgs.gnome.metacity}/bin/metacity"; } ++ cfg.flashback.customSessions); security.pam.services.gnome-flashback = { enableGnomeKeyring = true; }; - systemd.packages = with pkgs.gnome3; [ + systemd.packages = with pkgs.gnome; [ gnome-flashback ] ++ (map (wm: gnome-flashback.mkSystemdTargetForWm { @@ -260,9 +316,9 @@ in }) cfg.flashback.customSessions); # gnome-panel needs these for menu applet - environment.sessionVariables.XDG_DATA_DIRS = [ "${pkgs.gnome3.gnome-flashback}/share" ]; + environment.sessionVariables.XDG_DATA_DIRS = [ "${pkgs.gnome.gnome-flashback}/share" ]; # TODO: switch to sessionVariables (resolve conflict) - environment.variables.XDG_CONFIG_DIRS = [ "${pkgs.gnome3.gnome-flashback}/etc/xdg" ]; + environment.variables.XDG_CONFIG_DIRS = [ "${pkgs.gnome.gnome-flashback}/etc/xdg" ]; }) (mkIf serviceCfg.core-os-services.enable { @@ -273,13 +329,14 @@ in services.accounts-daemon.enable = true; services.dleyna-renderer.enable = mkDefault true; services.dleyna-server.enable = mkDefault true; - services.gnome3.at-spi2-core.enable = true; - services.gnome3.evolution-data-server.enable = true; - services.gnome3.gnome-keyring.enable = true; - services.gnome3.gnome-online-accounts.enable = mkDefault true; - services.gnome3.gnome-online-miners.enable = true; - services.gnome3.tracker-miners.enable = mkDefault true; - services.gnome3.tracker.enable = mkDefault true; + services.power-profiles-daemon.enable = mkDefault true; + services.gnome.at-spi2-core.enable = true; + services.gnome.evolution-data-server.enable = true; + services.gnome.gnome-keyring.enable = true; + services.gnome.gnome-online-accounts.enable = mkDefault true; + services.gnome.gnome-online-miners.enable = true; + services.gnome.tracker-miners.enable = mkDefault true; + services.gnome.tracker.enable = mkDefault true; services.hardware.bolt.enable = mkDefault true; services.packagekit.enable = mkDefault true; services.udisks2.enable = true; @@ -307,23 +364,23 @@ in (mkIf serviceCfg.core-shell.enable { services.colord.enable = mkDefault true; - services.gnome3.chrome-gnome-shell.enable = mkDefault true; - services.gnome3.glib-networking.enable = true; - services.gnome3.gnome-initial-setup.enable = mkDefault true; - services.gnome3.gnome-remote-desktop.enable = mkDefault true; - services.gnome3.gnome-settings-daemon.enable = true; - services.gnome3.gnome-user-share.enable = mkDefault true; - services.gnome3.rygel.enable = mkDefault true; + services.gnome.chrome-gnome-shell.enable = mkDefault true; + services.gnome.glib-networking.enable = true; + services.gnome.gnome-initial-setup.enable = mkDefault true; + services.gnome.gnome-remote-desktop.enable = mkDefault true; + services.gnome.gnome-settings-daemon.enable = true; + services.gnome.gnome-user-share.enable = mkDefault true; + services.gnome.rygel.enable = mkDefault true; services.gvfs.enable = true; services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); services.telepathy.enable = mkDefault true; - systemd.packages = with pkgs.gnome3; [ + systemd.packages = with pkgs.gnome; [ gnome-session gnome-shell ]; - services.udev.packages = with pkgs.gnome3; [ + services.udev.packages = with pkgs.gnome; [ # Force enable KMS modifiers for devices that require them. # https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1443 mutter @@ -332,7 +389,7 @@ in services.avahi.enable = mkDefault true; xdg.portal.extraPortals = [ - pkgs.gnome3.gnome-shell + pkgs.gnome.gnome-shell ]; services.geoclue2.enable = mkDefault true; @@ -359,16 +416,16 @@ in ]; # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-38/elements/core/meta-gnome-core-shell.bst - environment.systemPackages = with pkgs.gnome3; [ + environment.systemPackages = with pkgs.gnome; [ adwaita-icon-theme gnome-backgrounds gnome-bluetooth gnome-color-manager gnome-control-center - gnome-getting-started-docs gnome-shell gnome-shell-extensions gnome-themes-extra + pkgs.gnome-tour # GNOME Shell detects the .desktop file on first log-in. pkgs.nixos-artwork.wallpapers.simple-dark-gray pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom pkgs.gnome-user-docs @@ -385,12 +442,12 @@ in # Enable soft realtime scheduling, only supported on wayland (mkIf serviceCfg.experimental-features.realtime-scheduling { security.wrappers.".gnome-shell-wrapped" = { - source = "${pkgs.gnome3.gnome-shell}/bin/.gnome-shell-wrapped"; + source = "${pkgs.gnome.gnome-shell}/bin/.gnome-shell-wrapped"; capabilities = "cap_sys_nice=ep"; }; systemd.user.services.gnome-shell-wayland = let - gnomeShellRT = with pkgs.gnome3; pkgs.runCommand "gnome-shell-rt" {} '' + gnomeShellRT = with pkgs.gnome; pkgs.runCommand "gnome-shell-rt" {} '' mkdir -p $out/bin/ cp ${gnome-shell}/bin/gnome-shell $out/bin sed -i "s@${gnome-shell}/bin/@${config.security.wrapperDir}/@" $out/bin/gnome-shell @@ -405,43 +462,51 @@ in # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-38/elements/core/meta-gnome-core-utilities.bst (mkIf serviceCfg.core-utilities.enable { - environment.systemPackages = (with pkgs.gnome3; removePackagesByName [ - baobab - cheese - eog - epiphany - gedit - gnome-calculator - gnome-calendar - gnome-characters - gnome-clocks - gnome-contacts - gnome-font-viewer - gnome-logs - gnome-maps - gnome-music - pkgs.gnome-photos - gnome-screenshot - gnome-system-monitor - gnome-weather - nautilus - pkgs.gnome-connections - simple-scan - totem - yelp - ] config.environment.gnome3.excludePackages); + environment.systemPackages = + with pkgs.gnome; + removePackagesByName + ([ + baobab + cheese + eog + epiphany + gedit + gnome-calculator + gnome-calendar + gnome-characters + gnome-clocks + gnome-contacts + gnome-font-viewer + gnome-logs + gnome-maps + gnome-music + pkgs.gnome-photos + gnome-screenshot + gnome-system-monitor + gnome-weather + nautilus + pkgs.gnome-connections + simple-scan + totem + yelp + ] ++ lib.optionals config.services.flatpak.enable [ + # Since PackageKit Nix support is not there yet, + # only install gnome-software if flatpak is enabled. + gnome-software + ]) + config.environment.gnome.excludePackages; # Enable default program modules # Since some of these have a corresponding package, we only # enable that program module if the package hasn't been excluded - # through `environment.gnome3.excludePackages` - programs.evince.enable = notExcluded pkgs.gnome3.evince; - programs.file-roller.enable = notExcluded pkgs.gnome3.file-roller; - programs.geary.enable = notExcluded pkgs.gnome3.geary; - programs.gnome-disks.enable = notExcluded pkgs.gnome3.gnome-disk-utility; - programs.gnome-terminal.enable = notExcluded pkgs.gnome3.gnome-terminal; - programs.seahorse.enable = notExcluded pkgs.gnome3.seahorse; - services.gnome3.sushi.enable = notExcluded pkgs.gnome3.sushi; + # through `environment.gnome.excludePackages` + programs.evince.enable = notExcluded pkgs.gnome.evince; + programs.file-roller.enable = notExcluded pkgs.gnome.file-roller; + programs.geary.enable = notExcluded pkgs.gnome.geary; + programs.gnome-disks.enable = notExcluded pkgs.gnome.gnome-disk-utility; + programs.gnome-terminal.enable = notExcluded pkgs.gnome.gnome-terminal; + programs.seahorse.enable = notExcluded pkgs.gnome.seahorse; + services.gnome.sushi.enable = notExcluded pkgs.gnome.sushi; # Let nautilus find extensions # TODO: Create nautilus-with-extensions package @@ -456,7 +521,7 @@ in }) (mkIf serviceCfg.games.enable { - environment.systemPackages = (with pkgs.gnome3; removePackagesByName [ + environment.systemPackages = (with pkgs.gnome; removePackagesByName [ aisleriot atomix five-or-more @@ -476,12 +541,12 @@ in quadrapassel swell-foop tali - ] config.environment.gnome3.excludePackages); + ] config.environment.gnome.excludePackages); }) # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/-/blob/3.38.0/elements/core/meta-gnome-core-developer-tools.bst (mkIf serviceCfg.core-developer-tools.enable { - environment.systemPackages = (with pkgs.gnome3; removePackagesByName [ + environment.systemPackages = (with pkgs.gnome; removePackagesByName [ dconf-editor devhelp pkgs.gnome-builder @@ -490,9 +555,9 @@ in # in default configurations. # https://github.com/NixOS/nixpkgs/issues/60908 /* gnome-boxes */ - ] config.environment.gnome3.excludePackages); + ] config.environment.gnome.excludePackages); - services.sysprof.enable = true; + services.sysprof.enable = notExcluded pkgs.sysprof; }) ]; diff --git a/nixos/modules/services/x11/desktop-managers/gnome.xml b/nixos/modules/services/x11/desktop-managers/gnome.xml new file mode 100644 index 0000000000000..624d5c894e74c --- /dev/null +++ b/nixos/modules/services/x11/desktop-managers/gnome.xml @@ -0,0 +1,276 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xml:id="chap-gnome"> + <title>GNOME Desktop</title> + <para> + GNOME provides a simple, yet full-featured desktop environment with a focus on productivity. Its Mutter compositor supports both Wayland and X server, and the GNOME Shell user interface is fully customizable by extensions. + </para> + + <section xml:id="sec-gnome-enable"> + <title>Enabling GNOME</title> + + <para> + All of the core apps, optional apps, games, and core developer tools from GNOME are available. + </para> + + <para> + To enable the GNOME desktop use: + </para> + +<programlisting> +<xref linkend="opt-services.xserver.desktopManager.gnome.enable"/> = true; +<xref linkend="opt-services.xserver.displayManager.gdm.enable"/> = true; +</programlisting> + + <note> + <para> + While it is not strictly necessary to use GDM as the display manager with GNOME, it is recommended, as some features such as screen lock <link xlink:href="#sec-gnome-faq-can-i-use-lightdm-with-gnome">might not work</link> without it. + </para> + </note> + + <para> + The default applications used in NixOS are very minimal, inspired by the defaults used in <link xlink:href="https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/40.0/elements/core/meta-gnome-core-utilities.bst">gnome-build-meta</link>. + </para> + + <section xml:id="sec-gnome-without-the-apps"> + <title>GNOME without the apps</title> + + <para> + If you’d like to only use the GNOME desktop and not the apps, you can disable them with: + </para> + +<programlisting> +<xref linkend="opt-services.gnome.core-utilities.enable"/> = false; +</programlisting> + + <para> + and none of them will be installed. + </para> + + <para> + If you’d only like to omit a subset of the core utilities, you can use <xref linkend="opt-environment.gnome.excludePackages"/>. + Note that this mechanism can only exclude core utilities, games and core developer tools. + </para> + </section> + + <section xml:id="sec-gnome-disabling-services"> + <title>Disabling GNOME services</title> + + <para> + It is also possible to disable many of the <link xlink:href="https://github.com/NixOS/nixpkgs/blob/b8ec4fd2a4edc4e30d02ba7b1a2cc1358f3db1d5/nixos/modules/services/x11/desktop-managers/gnome.nix#L329-L348">core services</link>. For example, if you do not need indexing files, you can disable Tracker with: + </para> + +<programlisting> +<xref linkend="opt-services.gnome.tracker-miners.enable"/> = false; +<xref linkend="opt-services.gnome.tracker.enable"/> = false; +</programlisting> + + <para> + Note, however, that doing so is not supported and might break some applications. Notably, GNOME Music cannot work without Tracker. + </para> + </section> + + <section xml:id="sec-gnome-games"> + <title>GNOME games</title> + + <para> + You can install all of the GNOME games with: + </para> + +<programlisting> +<xref linkend="opt-services.gnome.games.enable"/> = true; +</programlisting> + </section> + + <section xml:id="sec-gnome-core-developer-tools"> + <title>GNOME core developer tools</title> + + <para> + You can install GNOME core developer tools with: + </para> + +<programlisting> +<xref linkend="opt-services.gnome.core-developer-tools.enable"/> = true; +</programlisting> + </section> + </section> + + <section xml:id="sec-gnome-enable-flashback"> + <title>Enabling GNOME Flashback</title> + + <para> + GNOME Flashback provides a desktop environment based on the classic GNOME 2 architecture. You can enable the default GNOME Flashback session, which uses the Metacity window manager, with: + </para> + +<programlisting> +<xref linkend="opt-services.xserver.desktopManager.gnome.flashback.enableMetacity"/> = true; +</programlisting> + + <para> + It is also possible to create custom sessions that replace Metacity with a different window manager using <xref linkend="opt-services.xserver.desktopManager.gnome.flashback.customSessions"/>. + </para> + + <para> + The following example uses <literal>xmonad</literal> window manager: + </para> + +<programlisting> +<xref linkend="opt-services.xserver.desktopManager.gnome.flashback.customSessions"/> = [ + { + wmName = "xmonad"; + wmLabel = "XMonad"; + wmCommand = "${pkgs.haskellPackages.xmonad}/bin/xmonad"; + } +]; +</programlisting> + + </section> + <section xml:id="sec-gnome-gdm"> + <title>GDM</title> + + <para> + If you want to use GNOME Wayland session on Nvidia hardware, you need to enable: + </para> + +<programlisting> +<xref linkend="opt-services.xserver.displayManager.gdm.nvidiaWayland"/> = true; +</programlisting> + + <para> + as the default configuration will forbid this. + </para> + </section> + + <section xml:id="sec-gnome-icons-and-gtk-themes"> + <title>Icons and GTK Themes</title> + + <para> + Icon themes and GTK themes don’t require any special option to install in NixOS. + </para> + + <para> + You can add them to <xref linkend="opt-environment.systemPackages"/> and switch to them with GNOME Tweaks. + If you’d like to do this manually in dconf, change the values of the following keys: + </para> + +<programlisting> +/org/gnome/desktop/interface/gtk-theme +/org/gnome/desktop/interface/icon-theme +</programlisting> + + <para> + in <literal>dconf-editor</literal> + </para> + </section> + + <section xml:id="sec-gnome-shell-extensions"> + <title>Shell Extensions</title> + + <para> + Most Shell extensions are packaged under the <literal>gnomeExtensions</literal> attribute. + Some packages that include Shell extensions, like <literal>gnome.gpaste</literal>, don’t have their extension decoupled under this attribute. + </para> + + <para> + You can install them like any other package: + </para> + +<programlisting> +<xref linkend="opt-environment.systemPackages"/> = [ + gnomeExtensions.dash-to-dock + gnomeExtensions.gsconnect + gnomeExtensions.mpris-indicator-button +]; +</programlisting> + + <para> + Unfortunately, we lack a way for these to be managed in a completely declarative way. + So you have to enable them manually with an Extensions application. + It is possible to use a <link xlink:href="#sec-gnome-gsettings-overrides">GSettings override</link> for this on <literal>org.gnome.shell.enabled-extensions</literal>, but that will only influence the default value. + </para> + </section> + + <section xml:id="sec-gnome-gsettings-overrides"> + <title>GSettings Overrides</title> + + <para> + Majority of software building on the GNOME platform use GLib’s <link xlink:href="https://developer.gnome.org/gio/unstable/GSettings.html">GSettings</link> system to manage runtime configuration. For our purposes, the system consists of XML schemas describing the individual configuration options, stored in the package, and a settings backend, where the values of the settings are stored. On NixOS, like on most Linux distributions, dconf database is used as the backend. + </para> + + <para> + <link xlink:href="https://developer.gnome.org/gio/unstable/GSettings.html#id-1.4.19.2.9.25">GSettings vendor overrides</link> can be used to adjust the default values for settings of the GNOME desktop and apps by replacing the default values specified in the XML schemas. Using overrides will allow you to pre-seed user settings before you even start the session. + </para> + + <warning> + <para> + Overrides really only change the default values for GSettings keys so if you or an application changes the setting value, the value set by the override will be ignored. Until <link xlink:href="https://github.com/NixOS/nixpkgs/issues/54150">NixOS’s dconf module implements changing values</link>, you will either need to keep that in mind and clear the setting from the backend using <literal>dconf reset</literal> command when that happens, or use the <link xlink:href="https://nix-community.github.io/home-manager/options.html#opt-dconf.settings">module from home-manager</link>. + </para> + </warning> + + <para> + You can override the default GSettings values using the <xref linkend="opt-services.xserver.desktopManager.gnome.extraGSettingsOverrides"/> option. + </para> + + <para> + Take note that whatever packages you want to override GSettings for, you need to add them to + <xref linkend="opt-services.xserver.desktopManager.gnome.extraGSettingsOverridePackages"/>. + </para> + + <para> + You can use <literal>dconf-editor</literal> tool to explore which GSettings you can set. + </para> + + <section xml:id="sec-gnome-gsettings-overrides-example"> + <title>Example</title> + +<programlisting> +services.xserver.desktopManager.gnome = { + <link xlink:href="#opt-services.xserver.desktopManager.gnome.extraGSettingsOverrides">extraGSettingsOverrides</link> = '' + # Change default background + [org.gnome.desktop.background] + picture-uri='file://${pkgs.nixos-artwork.wallpapers.mosaic-blue.gnomeFilePath}' + + # Favorite apps in gnome-shell + [org.gnome.shell] + favorite-apps=['org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop'] + ''; + + <link xlink:href="#opt-services.xserver.desktopManager.gnome.extraGSettingsOverridePackages">extraGSettingsOverridePackages</link> = [ + pkgs.gsettings-desktop-schemas # for org.gnome.desktop + pkgs.gnome.gnome-shell # for org.gnome.shell + ]; +}; +</programlisting> + </section> + </section> + + <section xml:id="sec-gnome-faq"> + <title>Frequently Asked Questions</title> + + <section xml:id="sec-gnome-faq-can-i-use-lightdm-with-gnome"> + <title>Can I use LightDM with GNOME?</title> + + <para> + Yes you can, and any other display-manager in NixOS. + </para> + + <para> + However, it doesn’t work correctly for the Wayland session of GNOME Shell yet, and + won’t be able to lock your screen. + </para> + + <para> + See <link xlink:href="https://github.com/NixOS/nixpkgs/issues/56342">this issue.</link> + </para> + </section> + + <section xml:id="sec-gnome-faq-nixos-rebuild-switch-kills-session"> + <title>Why does <literal>nixos-rebuild switch</literal> sometimes kill my session?</title> + + <para> + This is a known <link xlink:href="https://github.com/NixOS/nixpkgs/issues/44344">issue</link> without any workarounds. + If you are doing a fairly large upgrade, it is probably safer to use <literal>nixos-rebuild boot</literal>. + </para> + </section> + </section> +</chapter> diff --git a/nixos/modules/services/x11/desktop-managers/lxqt.nix b/nixos/modules/services/x11/desktop-managers/lxqt.nix index bf53082b267d1..71dfad5c7ca02 100644 --- a/nixos/modules/services/x11/desktop-managers/lxqt.nix +++ b/nixos/modules/services/x11/desktop-managers/lxqt.nix @@ -51,15 +51,15 @@ in environment.systemPackages = pkgs.lxqt.preRequisitePackages ++ pkgs.lxqt.corePackages ++ - (pkgs.gnome3.removePackagesByName + (pkgs.gnome.removePackagesByName pkgs.lxqt.optionalPackages config.environment.lxqt.excludePackages); # Link some extra directories in /run/current-system/software/share environment.pathsToLink = [ "/share" ]; + # virtual file systems support for PCManFM-QT services.gvfs.enable = true; - services.gvfs.package = pkgs.gvfs; services.upower.enable = config.powerManagement.enable; }; diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix index f236c14fcf3e9..19ab9edb7324f 100644 --- a/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixos/modules/services/x11/desktop-managers/mate.nix @@ -76,7 +76,7 @@ in environment.systemPackages = pkgs.mate.basePackages ++ - (pkgs.gnome3.removePackagesByName + (pkgs.gnome.removePackagesByName pkgs.mate.extraPackages config.environment.mate.excludePackages) ++ [ @@ -97,8 +97,8 @@ in # Mate uses this for printing programs.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); - services.gnome3.at-spi2-core.enable = true; - services.gnome3.gnome-keyring.enable = true; + services.gnome.at-spi2-core.enable = true; + services.gnome.gnome-keyring.enable = true; services.udev.packages = [ pkgs.mate.mate-settings-daemon ]; services.gvfs.enable = true; services.upower.enable = config.powerManagement.enable; diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix index 195da75e74437..e492073b80ffd 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -43,7 +43,7 @@ in sessionPath = mkOption { default = []; type = types.listOf types.package; - example = literalExample "[ pkgs.gnome3.gpaste ]"; + example = literalExample "[ pkgs.gnome.gpaste ]"; description = '' Additional list of packages to be added to the session search path. Useful for GSettings-conditional autostart. @@ -142,12 +142,12 @@ in ]; services.pantheon.apps.enable = mkDefault true; services.pantheon.contractor.enable = mkDefault true; - services.gnome3.at-spi2-core.enable = true; - services.gnome3.evolution-data-server.enable = true; - services.gnome3.glib-networking.enable = true; - services.gnome3.gnome-keyring.enable = true; + services.gnome.at-spi2-core.enable = true; + services.gnome.evolution-data-server.enable = true; + services.gnome.glib-networking.enable = true; + services.gnome.gnome-keyring.enable = true; services.gvfs.enable = true; - services.gnome3.rygel.enable = mkDefault true; + services.gnome.rygel.enable = mkDefault true; services.gsignond.enable = mkDefault true; services.gsignond.plugins = with pkgs.gsignondPlugins; [ lastfm mail oauth ]; services.udisks2.enable = true; @@ -177,7 +177,7 @@ in desktop-file-utils glib gnome-menus - gnome3.adwaita-icon-theme + gnome.adwaita-icon-theme gtk3.out hicolor-icon-theme lightlocker @@ -213,10 +213,10 @@ in elementary-settings-daemon pantheon-agent-geoclue2 pantheon-agent-polkit - ]) ++ (gnome3.removePackagesByName [ - gnome3.geary - gnome3.epiphany - gnome3.gnome-font-viewer + ]) ++ (gnome.removePackagesByName [ + gnome.geary + gnome.epiphany + gnome.gnome-font-viewer ] config.environment.pantheon.excludePackages); programs.evince.enable = mkDefault true; @@ -265,7 +265,7 @@ in }) (mkIf serviceCfg.apps.enable { - environment.systemPackages = (with pkgs.pantheon; pkgs.gnome3.removePackagesByName [ + environment.systemPackages = (with pkgs.pantheon; pkgs.gnome.removePackagesByName [ elementary-calculator elementary-calendar elementary-camera diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index 44ee079b81737..b6be524aea663 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -8,7 +8,7 @@ let cfg = xcfg.desktopManager.plasma5; libsForQt5 = pkgs.plasma5Packages; - inherit (libsForQt5) kdeApplications kdeFrameworks plasma5; + inherit (libsForQt5) kdeGear kdeFrameworks plasma5; inherit (pkgs) writeText; pulseaudio = config.hardware.pulseaudio; @@ -213,7 +213,7 @@ in environment.systemPackages = with libsForQt5; - with plasma5; with kdeApplications; with kdeFrameworks; + with plasma5; with kdeGear; with kdeFrameworks; [ frameworkintegration kactivities @@ -316,6 +316,7 @@ in ++ lib.optionals config.hardware.bluetooth.enable [ bluedevil bluez-qt pkgs.openobex pkgs.obexftp ] ++ lib.optional config.networking.networkmanager.enable plasma-nm ++ lib.optional config.hardware.pulseaudio.enable plasma-pa + ++ lib.optional config.services.pipewire.pulse.enable plasma-pa ++ lib.optional config.powerManagement.enable powerdevil ++ lib.optional config.services.colord.enable pkgs.colord-kde ++ lib.optionals config.services.samba.enable [ kdenetwork-filesharing pkgs.samba ] diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index fc7f7bea4e444..bbfdea2225b58 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -9,7 +9,7 @@ in { meta = { - maintainers = with maintainers; [ worldofpeace ]; + maintainers = with maintainers; [ ]; }; imports = [ @@ -74,8 +74,8 @@ in glib # for gsettings gtk3.out # gtk-update-icon-cache - gnome3.gnome-themes-extra - gnome3.adwaita-icon-theme + gnome.gnome-themes-extra + gnome.adwaita-icon-theme hicolor-icon-theme tango-icon-theme xfce4-icon-theme @@ -149,9 +149,8 @@ in security.polkit.enable = true; services.accounts-daemon.enable = true; services.upower.enable = config.powerManagement.enable; - services.gnome3.glib-networking.enable = true; + services.gnome.glib-networking.enable = true; services.gvfs.enable = true; - services.gvfs.package = pkgs.xfce.gvfs; services.tumbler.enable = true; services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager diff --git a/nixos/modules/services/x11/display-managers/account-service-util.nix b/nixos/modules/services/x11/display-managers/account-service-util.nix index 2b08c62d0ad13..dec5c06cb3ca0 100644 --- a/nixos/modules/services/x11/display-managers/account-service-util.nix +++ b/nixos/modules/services/x11/display-managers/account-service-util.nix @@ -39,6 +39,6 @@ python3.pkgs.buildPythonApplication { ''; meta = with lib; { - maintainers = with maintainers; [ worldofpeace ]; + maintainers = with maintainers; [ ]; }; } diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix index f79eb64b5a6a2..e1b9a21eb9f0b 100644 --- a/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixos/modules/services/x11/display-managers/gdm.nix @@ -5,7 +5,7 @@ with lib; let cfg = config.services.xserver.displayManager; - gdm = pkgs.gnome3.gdm; + gdm = pkgs.gnome.gdm; xSessionWrapper = if (cfg.setupCommands == "") then null else pkgs.writeScript "gdm-x-session-wrapper" '' @@ -154,14 +154,14 @@ in ] ++ optionals config.hardware.pulseaudio.enable [ "d /run/gdm/.config/pulse 0711 gdm gdm" "L+ /run/gdm/.config/pulse/${pulseConfig.name} - - - - ${pulseConfig}" - ] ++ optionals config.services.gnome3.gnome-initial-setup.enable [ + ] ++ optionals config.services.gnome.gnome-initial-setup.enable [ # Create stamp file for gnome-initial-setup to prevent it starting in GDM. "f /run/gdm/.config/gnome-initial-setup-done 0711 gdm gdm - yes" ]; # Otherwise GDM will not be able to start correctly and display Wayland sessions - systemd.packages = with pkgs.gnome3; [ gdm gnome-session gnome-shell ]; - environment.systemPackages = [ pkgs.gnome3.adwaita-icon-theme ]; + systemd.packages = with pkgs.gnome; [ gdm gnome-session gnome-shell ]; + environment.systemPackages = [ pkgs.gnome.adwaita-icon-theme ]; systemd.services.display-manager.wants = [ # Because sd_login_monitor_new requires /run/systemd/machines @@ -208,7 +208,7 @@ in EnvironmentFile = "-/etc/locale.conf"; }; - systemd.services.display-manager.path = [ pkgs.gnome3.gnome-session ]; + systemd.services.display-manager.path = [ pkgs.gnome.gnome-session ]; # Allow choosing an user account services.accounts-daemon.enable = true; @@ -218,14 +218,14 @@ in # We duplicate upstream's udev rules manually to make wayland with nvidia configurable services.udev.extraRules = '' # disable Wayland on Cirrus chipsets - ATTR{vendor}=="0x1013", ATTR{device}=="0x00b8", ATTR{subsystem_vendor}=="0x1af4", ATTR{subsystem_device}=="0x1100", RUN+="${gdm}/libexec/gdm-disable-wayland" + ATTR{vendor}=="0x1013", ATTR{device}=="0x00b8", ATTR{subsystem_vendor}=="0x1af4", ATTR{subsystem_device}=="0x1100", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" # disable Wayland on Hi1710 chipsets - ATTR{vendor}=="0x19e5", ATTR{device}=="0x1711", RUN+="${gdm}/libexec/gdm-disable-wayland" + ATTR{vendor}=="0x19e5", ATTR{device}=="0x1711", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" ${optionalString (!cfg.gdm.nvidiaWayland) '' - DRIVER=="nvidia", RUN+="${gdm}/libexec/gdm-disable-wayland" + DRIVER=="nvidia", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" ''} # disable Wayland when modesetting is disabled - IMPORT{cmdline}="nomodeset", RUN+="${gdm}/libexec/gdm-disable-wayland" + IMPORT{cmdline}="nomodeset", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" ''; systemd.user.services.dbus.wantedBy = [ "default.target" ]; diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix index 129df139c61ab..ecd46a9ee6d25 100644 --- a/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix @@ -34,8 +34,8 @@ in { theme = { package = mkOption { type = types.package; - default = pkgs.gnome3.gnome-themes-extra; - defaultText = "pkgs.gnome3.gnome-themes-extra"; + default = pkgs.gnome.gnome-themes-extra; + defaultText = "pkgs.gnome.gnome-themes-extra"; description = '' The package path that contains the theme given in the name option. ''; diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix index 9c1dc1d1c12d9..fe5a16bc60f15 100644 --- a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix @@ -47,8 +47,8 @@ in package = mkOption { type = types.package; - default = pkgs.gnome3.gnome-themes-extra; - defaultText = "pkgs.gnome3.gnome-themes-extra"; + default = pkgs.gnome.gnome-themes-extra; + defaultText = "pkgs.gnome.gnome-themes-extra"; description = '' The package path that contains the theme given in the name option. ''; @@ -68,8 +68,8 @@ in package = mkOption { type = types.package; - default = pkgs.gnome3.adwaita-icon-theme; - defaultText = "pkgs.gnome3.adwaita-icon-theme"; + default = pkgs.gnome.adwaita-icon-theme; + defaultText = "pkgs.gnome.adwaita-icon-theme"; description = '' The package path that contains the icon theme given in the name option. ''; @@ -89,8 +89,8 @@ in package = mkOption { type = types.package; - default = pkgs.gnome3.adwaita-icon-theme; - defaultText = "pkgs.gnome3.adwaita-icon-theme"; + default = pkgs.gnome.adwaita-icon-theme; + defaultText = "pkgs.gnome.adwaita-icon-theme"; description = '' The package path that contains the cursor theme given in the name option. ''; diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix index 9bc9e2bf6162c..76f16646cf5e8 100644 --- a/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix @@ -11,7 +11,7 @@ let in { meta = { - maintainers = with maintainers; [ worldofpeace ]; + maintainers = with maintainers; [ ]; }; options = { diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix index 2dafee9e36e3d..3d497c9f25eed 100644 --- a/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixos/modules/services/x11/display-managers/lightdm.nix @@ -70,7 +70,7 @@ let in { meta = { - maintainers = with maintainers; [ worldofpeace ]; + maintainers = with maintainers; [ ]; }; # Note: the order in which lightdm greeter modules are imported diff --git a/nixos/modules/services/x11/window-managers/default.nix b/nixos/modules/services/x11/window-managers/default.nix index 9ca24310e5673..53285fbce8770 100644 --- a/nixos/modules/services/x11/window-managers/default.nix +++ b/nixos/modules/services/x11/window-managers/default.nix @@ -15,6 +15,7 @@ in ./cwm.nix ./clfswm.nix ./dwm.nix + ./e16.nix ./evilwm.nix ./exwm.nix ./fluxbox.nix @@ -37,6 +38,7 @@ in ./tinywm.nix ./twm.nix ./windowmaker.nix + ./wmderland.nix ./wmii.nix ./xmonad.nix ./yeahwm.nix diff --git a/nixos/modules/services/x11/window-managers/e16.nix b/nixos/modules/services/x11/window-managers/e16.nix new file mode 100644 index 0000000000000..3e1a22c4dabd8 --- /dev/null +++ b/nixos/modules/services/x11/window-managers/e16.nix @@ -0,0 +1,26 @@ +{ config , lib , pkgs , ... }: + +with lib; + +let + cfg = config.services.xserver.windowManager.e16; +in +{ + ###### interface + options = { + services.xserver.windowManager.e16.enable = mkEnableOption "e16"; + }; + + ###### implementation + config = mkIf cfg.enable { + services.xserver.windowManager.session = singleton { + name = "E16"; + start = '' + ${pkgs.e16}/bin/e16 & + waitPID=$! + ''; + }; + + environment.systemPackages = [ pkgs.e16 ]; + }; +} diff --git a/nixos/modules/services/x11/window-managers/metacity.nix b/nixos/modules/services/x11/window-managers/metacity.nix index 5175fd7f3b1f8..600afe759b2c9 100644 --- a/nixos/modules/services/x11/window-managers/metacity.nix +++ b/nixos/modules/services/x11/window-managers/metacity.nix @@ -5,7 +5,7 @@ with lib; let cfg = config.services.xserver.windowManager.metacity; - inherit (pkgs) gnome3; + inherit (pkgs) gnome; in { @@ -18,12 +18,12 @@ in services.xserver.windowManager.session = singleton { name = "metacity"; start = '' - ${gnome3.metacity}/bin/metacity & + ${gnome.metacity}/bin/metacity & waitPID=$! ''; }; - environment.systemPackages = [ gnome3.metacity ]; + environment.systemPackages = [ gnome.metacity ]; }; diff --git a/nixos/modules/services/x11/window-managers/wmderland.nix b/nixos/modules/services/x11/window-managers/wmderland.nix new file mode 100644 index 0000000000000..a6864a827719b --- /dev/null +++ b/nixos/modules/services/x11/window-managers/wmderland.nix @@ -0,0 +1,61 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.xserver.windowManager.wmderland; +in + +{ + options.services.xserver.windowManager.wmderland = { + enable = mkEnableOption "wmderland"; + + extraSessionCommands = mkOption { + default = ""; + type = types.lines; + description = '' + Shell commands executed just before wmderland is started. + ''; + }; + + extraPackages = mkOption { + type = with types; listOf package; + default = with pkgs; [ + rofi + dunst + light + hsetroot + feh + rxvt-unicode + ]; + example = literalExample '' + with pkgs; [ + rofi + dunst + light + hsetroot + feh + rxvt-unicode + ] + ''; + description = '' + Extra packages to be installed system wide. + ''; + }; + }; + + config = mkIf cfg.enable { + services.xserver.windowManager.session = singleton { + name = "wmderland"; + start = '' + ${cfg.extraSessionCommands} + + ${pkgs.wmderland}/bin/wmderland & + waitPID=$! + ''; + }; + environment.systemPackages = [ + pkgs.wmderland pkgs.wmderlandc + ] ++ cfg.extraPackages; + }; +} diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 35bd4dabb6738..4dde4476d2c49 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -666,6 +666,7 @@ in # The default max inotify watches is 8192. # Nowadays most apps require a good number of inotify watches, # the value below is used by default on several other distros. + boot.kernel.sysctl."fs.inotify.max_user_instances" = mkDefault 524288; boot.kernel.sysctl."fs.inotify.max_user_watches" = mkDefault 524288; systemd.defaultUnit = mkIf cfg.autorun "graphical.target"; diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix index 9dbca4e33f383..6751ca3f2ee72 100644 --- a/nixos/modules/system/activation/top-level.nix +++ b/nixos/modules/system/activation/top-level.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, modules, baseModules, ... }: +{ config, lib, pkgs, modules, baseModules, specialArgs, ... }: with lib; @@ -13,7 +13,7 @@ let # !!! fix this children = mapAttrs (childName: childConfig: (import ../../../lib/eval-config.nix { - inherit baseModules; + inherit baseModules specialArgs; system = config.nixpkgs.initialSystem; modules = (optionals childConfig.inheritParentConfig modules) diff --git a/nixos/modules/system/boot/kexec.nix b/nixos/modules/system/boot/kexec.nix index 27a8e0217c558..03312aa26edc3 100644 --- a/nixos/modules/system/boot/kexec.nix +++ b/nixos/modules/system/boot/kexec.nix @@ -1,7 +1,7 @@ { pkgs, lib, ... }: { - config = lib.mkIf (lib.any (lib.meta.platformMatch pkgs.stdenv.hostPlatform) pkgs.kexectools.meta.platforms) { + config = lib.mkIf (lib.meta.availableOn pkgs.stdenv.hostPlatform pkgs.kexectools) { environment.systemPackages = [ pkgs.kexectools ]; systemd.services.prepare-kexec = diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py index 2ea191426ce98..63e01dd054a50 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py @@ -236,9 +236,12 @@ def main() -> None: gens += get_generations(profile) remove_old_entries(gens) for gen in gens: - write_entry(*gen, machine_id) - if os.readlink(system_dir(*gen)) == args.default_config: - write_loader_conf(*gen) + try: + write_entry(*gen, machine_id) + if os.readlink(system_dir(*gen)) == args.default_config: + write_loader_conf(*gen) + except OSError as e: + print("ignoring profile '{}' in the list of boot entries because of the following error:\n{}".format(profile, e), file=sys.stderr) memtest_entry_file = "@efiSysMountPoint@/loader/entries/memtest86.conf" if os.path.exists(memtest_entry_file): diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index bbdd5a4070600..1de58b3d2c4a8 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -716,10 +716,17 @@ let "NTP" "EmitSIP" "SIP" + "EmitPOP3" + "POP3" + "EmitSMTP" + "SMTP" + "EmitLPR" + "LPR" "EmitRouter" "EmitTimezone" "Timezone" "SendOption" + "SendVendorOption" ]) (assertInt "PoolOffset") (assertMinimum "PoolOffset" 0) @@ -728,6 +735,9 @@ let (assertValueOneOf "EmitDNS" boolValues) (assertValueOneOf "EmitNTP" boolValues) (assertValueOneOf "EmitSIP" boolValues) + (assertValueOneOf "EmitPOP3" boolValues) + (assertValueOneOf "EmitSMTP" boolValues) + (assertValueOneOf "EmitLPR" boolValues) (assertValueOneOf "EmitRouter" boolValues) (assertValueOneOf "EmitTimezone" boolValues) ]; diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix index 7fe8f4dfb7e3a..84bc9b78076cf 100644 --- a/nixos/modules/system/boot/resolved.nix +++ b/nixos/modules/system/boot/resolved.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, lib, ... }: with lib; let @@ -150,9 +150,6 @@ in wantedBy = [ "multi-user.target" ]; aliases = [ "dbus-org.freedesktop.resolve1.service" ]; restartTriggers = [ config.environment.etc."systemd/resolved.conf".source ]; - # Upstream bug: https://github.com/systemd/systemd/issues/18078 - # systemd-resolved without libidn2 is broken - environment.LD_LIBRARY_PATH = "${lib.getLib pkgs.libidn2}/lib"; }; environment.etc = { diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index d4ae4c93468f4..6be7b7e6846cd 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -90,6 +90,7 @@ let "systemd-fsck@.service" "systemd-fsck-root.service" "systemd-remount-fs.service" + "systemd-pstore.service" "local-fs.target" "local-fs-pre.target" "remote-fs.target" @@ -1183,6 +1184,7 @@ in systemd.targets.remote-fs.unitConfig.X-StopOnReconfiguration = true; systemd.targets.network-online.wantedBy = [ "multi-user.target" ]; systemd.services.systemd-importd.environment = proxy_env; + systemd.services.systemd-pstore.wantedBy = [ "sysinit.target" ]; # see #81138 # Don't bother with certain units in containers. systemd.services.systemd-remount-fs.unitConfig.ConditionVirtualization = "!container"; diff --git a/nixos/modules/tasks/cpu-freq.nix b/nixos/modules/tasks/cpu-freq.nix index 513382936e477..f1219c07c5013 100644 --- a/nixos/modules/tasks/cpu-freq.nix +++ b/nixos/modules/tasks/cpu-freq.nix @@ -19,7 +19,7 @@ in default = null; example = "ondemand"; description = '' - Configure the governor used to regulate the frequence of the + Configure the governor used to regulate the frequency of the available CPUs. By default, the kernel configures the performance governor, although this may be overwritten in your hardware-configuration.nix file. diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index e468cb880039c..065d6cc95d18b 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -272,10 +272,10 @@ in wants = [ "local-fs.target" "remote-fs.target" ]; }; - # Emit systemd services to format requested filesystems. systemd.services = - let + # Emit systemd services to format requested filesystems. + let formatDevice = fs: let mountPoint' = "${escapeSystemdPath fs.mountPoint}.mount"; @@ -302,8 +302,35 @@ in unitConfig.DefaultDependencies = false; # needed to prevent a cycle serviceConfig.Type = "oneshot"; }; - - in listToAttrs (map formatDevice (filter (fs: fs.autoFormat) fileSystems)); + in listToAttrs (map formatDevice (filter (fs: fs.autoFormat) fileSystems)) // { + # Mount /sys/fs/pstore for evacuating panic logs and crashdumps from persistent storage onto the disk using systemd-pstore. + # This cannot be done with the other special filesystems because the pstore module (which creates the mount point) is not loaded then. + # Since the pstore filesystem is usually empty right after mounting because the backend isn't registered yet, and a path unit cannot detect files inside of it, the same service waits for that to happen. systemd's restart mechanism can't be used here because the first failure also fails all dependent units. + "mount-pstore" = { + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.util-linux}/bin/mount -t pstore -o nosuid,noexec,nodev pstore /sys/fs/pstore"; + ExecStartPost = pkgs.writeShellScript "wait-for-pstore.sh" '' + set -eu + TRIES=0 + while [ $TRIES -lt 20 ] && [ "$(cat /sys/module/pstore/parameters/backend)" = "(null)" ]; do + sleep 0.1 + TRIES=$((TRIES+1)) + done + ''; + RemainAfterExit = true; + }; + unitConfig = { + ConditionPathIsMountPoint = "!/sys/fs/pstore"; + ConditionVirtualization = "!container"; + DefaultDependencies = false; # needed to prevent a cycle + }; + after = [ "modprobe@pstore.service" ]; + requires = [ "modprobe@pstore.service" ]; + before = [ "systemd-pstore.service" ]; + wantedBy = [ "systemd-pstore.service" ]; + }; + }; systemd.tmpfiles.rules = [ "d /run/keys 0750 root ${toString config.ids.gids.keys}" diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 97fab6f11ea21..376d6530f363d 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -103,6 +103,7 @@ in readOnly = true; type = types.package; default = if config.boot.zfs.enableUnstable then pkgs.zfsUnstable else pkgs.zfs; + defaultText = "if config.boot.zfs.enableUnstable then pkgs.zfsUnstable else pkgs.zfs"; description = "Configured ZFS userland tools package."; }; @@ -446,7 +447,8 @@ in '') rootPools)); }; - boot.loader.grub = mkIf inInitrd { + # TODO FIXME See https://github.com/NixOS/nixpkgs/pull/99386#issuecomment-798813567. To not break people's bootloader and as probably not everybody would read release notes that thoroughly add inSystem. + boot.loader.grub = mkIf (inInitrd || inSystem) { zfsSupport = true; }; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index f501f85b2a92c..879f077332e38 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -144,33 +144,20 @@ let }; tempAddress = mkOption { - type = types.enum [ "default" "enabled" "disabled" ]; - default = if cfg.enableIPv6 then "default" else "disabled"; - defaultText = literalExample ''if cfg.enableIPv6 then "default" else "disabled"''; + type = types.enum (lib.attrNames tempaddrValues); + default = cfg.tempAddresses; + defaultText = literalExample ''config.networking.tempAddresses''; description = '' When IPv6 is enabled with SLAAC, this option controls the use of - temporary address (aka privacy extensions). This is used to reduce tracking. - The three possible values are: - - <itemizedlist> - <listitem> - <para> - <literal>"default"</literal> to generate temporary addresses and use - them by default; - </para> - </listitem> - <listitem> - <para> - <literal>"enabled"</literal> to generate temporary addresses but keep - using the standard EUI-64 ones by default; - </para> - </listitem> - <listitem> - <para> - <literal>"disabled"</literal> to completely disable temporary addresses. - </para> - </listitem> - </itemizedlist> + temporary address (aka privacy extensions) on this + interface. This is used to reduce tracking. + + See also the global option + <xref linkend="opt-networking.tempAddresses"/>, which + applies to all interfaces where this is not set. + + Possible values are: + ${tempaddrDoc} ''; }; @@ -366,6 +353,32 @@ let isHexString = s: all (c: elem c hexChars) (stringToCharacters (toLower s)); + tempaddrValues = { + disabled = { + sysctl = "0"; + description = "completely disable IPv6 temporary addresses"; + }; + enabled = { + sysctl = "1"; + description = "generate IPv6 temporary addresses but still use EUI-64 addresses as source addresses"; + }; + default = { + sysctl = "2"; + description = "generate IPv6 temporary addresses and use these as source addresses in routing"; + }; + }; + tempaddrDoc = '' + <itemizedlist> + ${concatStringsSep "\n" (mapAttrsToList (name: { description, ... }: '' + <listitem> + <para> + <literal>"${name}"</literal> to ${description}; + </para> + </listitem> + '') tempaddrValues)} + </itemizedlist> + ''; + in { @@ -1039,6 +1052,21 @@ in ''; }; + networking.tempAddresses = mkOption { + default = if cfg.enableIPv6 then "default" else "disabled"; + type = types.enum (lib.attrNames tempaddrValues); + description = '' + Whether to enable IPv6 Privacy Extensions for interfaces not + configured explicitly in + <xref linkend="opt-networking.interfaces._name_.tempAddress" />. + + This sets the ipv6.conf.*.use_tempaddr sysctl for all + interfaces. Possible values are: + + ${tempaddrDoc} + ''; + }; + }; @@ -1098,7 +1126,7 @@ in // listToAttrs (forEach interfaces (i: let opt = i.tempAddress; - val = { disabled = 0; enabled = 1; default = 2; }.${opt}; + val = tempaddrValues.${opt}.sysctl; in nameValuePair "net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr" val)); # Capabilities won't work unless we have at-least a 4.3 Linux @@ -1111,6 +1139,21 @@ in } else { ping.source = "${pkgs.iputils.out}/bin/ping"; }; + security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter '' + /run/wrappers/bin/ping { + include <abstractions/base> + include <nixos/security.wrappers> + rpx /run/wrappers/wrappers.*/ping, + } + /run/wrappers/wrappers.*/ping { + include <abstractions/base> + include <nixos/security.wrappers> + r /run/wrappers/wrappers.*/ping.real, + mrpx ${config.security.wrappers.ping.source}, + capability net_raw, + capability setpcap, + } + ''); # Set the host and domain names in the activation script. Don't # clear it if it's not configured in the NixOS configuration, @@ -1188,9 +1231,11 @@ in (pkgs.writeTextFile rec { name = "ipv6-privacy-extensions.rules"; destination = "/etc/udev/rules.d/98-${name}"; - text = '' + text = let + sysctl-value = tempaddrValues.${cfg.tempAddresses}.sysctl; + in '' # enable and prefer IPv6 privacy addresses by default - ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.bash}/bin/sh -c 'echo 2 > /proc/sys/net/ipv6/conf/%k/use_tempaddr'" + ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.bash}/bin/sh -c 'echo ${sysctl-value} > /proc/sys/net/ipv6/conf/%k/use_tempaddr'" ''; }) (pkgs.writeTextFile rec { @@ -1199,15 +1244,13 @@ in text = concatMapStrings (i: let opt = i.tempAddress; - val = if opt == "disabled" then 0 else 1; - msg = if opt == "disabled" - then "completely disable IPv6 privacy addresses" - else "enable IPv6 privacy addresses but prefer EUI-64 addresses"; + val = tempaddrValues.${opt}.sysctl; + msg = tempaddrValues.${opt}.description; in '' # override to ${msg} for ${i.name} - ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr=${toString val}" - '') (filter (i: i.tempAddress != "default") interfaces); + ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr=${val}" + '') (filter (i: i.tempAddress != cfg.tempAddresses) interfaces); }) ] ++ lib.optional (cfg.wlanInterfaces != {}) (pkgs.writeTextFile { diff --git a/nixos/modules/virtualisation/amazon-init.nix b/nixos/modules/virtualisation/amazon-init.nix index be83607c0af72..4f2f8df90eb8a 100644 --- a/nixos/modules/virtualisation/amazon-init.nix +++ b/nixos/modules/virtualisation/amazon-init.nix @@ -16,6 +16,16 @@ let userData=/etc/ec2-metadata/user-data + # Check if user-data looks like a shell script and execute it with the + # runtime shell if it does. Otherwise treat it as a nixos configuration + # expression + if IFS= LC_ALL=C read -rN2 shebang < $userData && [ "$shebang" = '#!' ]; then + # NB: we cannot chmod the $userData file, this is why we execute it via + # `pkgs.runtimeShell`. This means we have only limited support for shell + # scripts compatible with the `pkgs.runtimeShell`. + exec ${pkgs.runtimeShell} $userData + fi + if [ -s "$userData" ]; then # If the user-data looks like it could be a nix expression, # copy it over. Also, look for a magic three-hash comment and set diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix index 60fed3222ef3a..03dd3c0513091 100644 --- a/nixos/modules/virtualisation/azure-image.nix +++ b/nixos/modules/virtualisation/azure-image.nix @@ -9,8 +9,9 @@ in options = { virtualisation.azureImage.diskSize = mkOption { - type = with types; int; - default = 2048; + type = with types; either (enum [ "auto" ]) int; + default = "auto"; + example = 2048; description = '' Size of disk image. Unit is MB. ''; diff --git a/nixos/modules/virtualisation/containerd.nix b/nixos/modules/virtualisation/containerd.nix index 194276d169588..b554bc6ea245f 100644 --- a/nixos/modules/virtualisation/containerd.nix +++ b/nixos/modules/virtualisation/containerd.nix @@ -44,9 +44,7 @@ in KillMode = "process"; Type = "notify"; Restart = "always"; - RestartSec = "5"; - StartLimitBurst = "8"; - StartLimitIntervalSec = "120s"; + RestartSec = "10"; # "limits" defined below are adopted from upstream: https://github.com/containerd/containerd/blob/master/containerd.service LimitNPROC = "infinity"; @@ -54,6 +52,13 @@ in LimitNOFILE = "infinity"; TasksMax = "infinity"; OOMScoreAdjust = "-999"; + + StateDirectory = "containerd"; + RuntimeDirectory = "containerd"; + }; + unitConfig = { + StartLimitBurst = "16"; + StartLimitIntervalSec = "120s"; }; }; }; diff --git a/nixos/modules/virtualisation/digital-ocean-image.nix b/nixos/modules/virtualisation/digital-ocean-image.nix index b582e235d4351..0ff2ee591f24a 100644 --- a/nixos/modules/virtualisation/digital-ocean-image.nix +++ b/nixos/modules/virtualisation/digital-ocean-image.nix @@ -10,8 +10,9 @@ in options = { virtualisation.digitalOceanImage.diskSize = mkOption { - type = with types; int; - default = 4096; + type = with types; either (enum [ "auto" ]) int; + default = "auto"; + example = 4096; description = '' Size of disk image. Unit is MB. ''; diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix index 3eb0de3a85599..29f133786d8dd 100644 --- a/nixos/modules/virtualisation/docker.nix +++ b/nixos/modules/virtualisation/docker.nix @@ -150,6 +150,10 @@ in config = mkIf cfg.enable (mkMerge [{ boot.kernelModules = [ "bridge" "veth" ]; + boot.kernel.sysctl = { + "net.ipv4.conf.all.forwarding" = mkOverride 98 true; + "net.ipv4.conf.default.forwarding" = mkOverride 98 true; + }; environment.systemPackages = [ cfg.package ] ++ optional cfg.enableNvidia pkgs.nvidia-docker; users.groups.docker.gid = config.ids.gids.docker; diff --git a/nixos/modules/virtualisation/ec2-metadata-fetcher.nix b/nixos/modules/virtualisation/ec2-metadata-fetcher.nix index dca5c2abd4e0c..760f024f33fbd 100644 --- a/nixos/modules/virtualisation/ec2-metadata-fetcher.nix +++ b/nixos/modules/virtualisation/ec2-metadata-fetcher.nix @@ -71,7 +71,7 @@ } wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path - wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data" + (umask 077 && wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data) wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key '' diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index e2332df611aa0..79c3921669edd 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -18,8 +18,9 @@ in options = { virtualisation.googleComputeImage.diskSize = mkOption { - type = with types; int; - default = 1536; + type = with types; either (enum [ "auto" ]) int; + default = "auto"; + example = 1536; description = '' Size of disk image. Unit is MB. ''; diff --git a/nixos/modules/virtualisation/hyperv-guest.nix b/nixos/modules/virtualisation/hyperv-guest.nix index a3656c307f963..b3bcfff19807f 100644 --- a/nixos/modules/virtualisation/hyperv-guest.nix +++ b/nixos/modules/virtualisation/hyperv-guest.nix @@ -56,6 +56,8 @@ in { systemd = { packages = [ config.boot.kernelPackages.hyperv-daemons.lib ]; + services.hv-vss.unitConfig.ConditionPathExists = [ "/dev/vmbus/hv_vss" ]; + targets.hyperv-daemons = { wantedBy = [ "multi-user.target" ]; }; diff --git a/nixos/modules/virtualisation/hyperv-image.nix b/nixos/modules/virtualisation/hyperv-image.nix index fabc9113dfc4b..6845d6750092d 100644 --- a/nixos/modules/virtualisation/hyperv-image.nix +++ b/nixos/modules/virtualisation/hyperv-image.nix @@ -9,8 +9,9 @@ in { options = { hyperv = { baseImageSize = mkOption { - type = types.int; - default = 2048; + type = with types; either (enum [ "auto" ]) int; + default = "auto"; + example = 2048; description = '' The size of the hyper-v base image in MiB. ''; diff --git a/nixos/modules/virtualisation/kvmgt.nix b/nixos/modules/virtualisation/kvmgt.nix index e08ad3446281a..72bd2c24e5664 100644 --- a/nixos/modules/virtualisation/kvmgt.nix +++ b/nixos/modules/virtualisation/kvmgt.nix @@ -82,5 +82,5 @@ in { }; }; - meta.maintainers = with maintainers; [ gnidorah ]; + meta.maintainers = with maintainers; [ ]; } diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index f43c44f5dcaba..d12169787c5ad 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -11,9 +11,10 @@ let auth_unix_rw = "polkit" ${cfg.extraConfig} ''; + ovmfFilePrefix = if pkgs.stdenv.isAarch64 then "AAVMF" else "OVMF"; qemuConfigFile = pkgs.writeText "qemu.conf" '' ${optionalString cfg.qemuOvmf '' - nvram = ["/run/libvirt/nix-ovmf/OVMF_CODE.fd:/run/libvirt/nix-ovmf/OVMF_VARS.fd"] + nvram = [ "/run/libvirt/nix-ovmf/${ovmfFilePrefix}_CODE.fd:/run/libvirt/nix-ovmf/${ovmfFilePrefix}_VARS.fd" ] ''} ${optionalString (!cfg.qemuRunAsRoot) '' user = "qemu-libvirtd" @@ -206,8 +207,8 @@ in { done ${optionalString cfg.qemuOvmf '' - ln -s --force ${pkgs.OVMF.fd}/FV/OVMF_CODE.fd /run/${dirName}/nix-ovmf/ - ln -s --force ${pkgs.OVMF.fd}/FV/OVMF_VARS.fd /run/${dirName}/nix-ovmf/ + ln -s --force ${pkgs.OVMF.fd}/FV/${ovmfFilePrefix}_CODE.fd /run/${dirName}/nix-ovmf/ + ln -s --force ${pkgs.OVMF.fd}/FV/${ovmfFilePrefix}_VARS.fd /run/${dirName}/nix-ovmf/ ''} ''; diff --git a/nixos/modules/virtualisation/lxc.nix b/nixos/modules/virtualisation/lxc.nix index f484d5ee59a88..0f8b22a45df0c 100644 --- a/nixos/modules/virtualisation/lxc.nix +++ b/nixos/modules/virtualisation/lxc.nix @@ -74,9 +74,13 @@ in systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ]; security.apparmor.packages = [ pkgs.lxc ]; - security.apparmor.profiles = [ - "${pkgs.lxc}/etc/apparmor.d/lxc-containers" - "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start" - ]; + security.apparmor.policies = { + "bin.lxc-start".profile = '' + include ${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start + ''; + "lxc-containers".profile = '' + include ${pkgs.lxc}/etc/apparmor.d/lxc-containers + ''; + }; }; } diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix index 96e8d68ae50e9..6b6f4b6e65247 100644 --- a/nixos/modules/virtualisation/lxd.nix +++ b/nixos/modules/virtualisation/lxd.nix @@ -97,11 +97,17 @@ in { # does a bunch of unrelated things. systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ]; - security.apparmor.packages = [ cfg.lxcPackage ]; - security.apparmor.profiles = [ - "${cfg.lxcPackage}/etc/apparmor.d/lxc-containers" - "${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start" - ]; + security.apparmor = { + packages = [ cfg.lxcPackage ]; + policies = { + "bin.lxc-start".profile = '' + include ${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start + ''; + "lxc-containers".profile = '' + include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers + ''; + }; + }; # TODO: remove once LXD gets proper support for cgroupsv2 # (currently most of the e.g. CPU accounting stuff doesn't work) diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix index f15d587584124..f3f318412df1b 100644 --- a/nixos/modules/virtualisation/nixos-containers.nix +++ b/nixos/modules/virtualisation/nixos-containers.nix @@ -35,6 +35,9 @@ let '' #! ${pkgs.runtimeShell} -e + # Exit early if we're asked to shut down. + trap "exit 0" SIGRTMIN+3 + # Initialise the container side of the veth pair. if [ -n "$HOST_ADDRESS" ] || [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS" ] || [ -n "$LOCAL_ADDRESS6" ] || @@ -60,8 +63,12 @@ let ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)} - # Start the regular stage 1 script. - exec "$1" + # Start the regular stage 2 script. + # We source instead of exec to not lose an early stop signal, which is + # also the only _reliable_ shutdown signal we have since early stop + # does not execute ExecStop* commands. + set +e + . "$1" '' ); @@ -127,12 +134,16 @@ let ''} # Run systemd-nspawn without startup notification (we'll - # wait for the container systemd to signal readiness). + # wait for the container systemd to signal readiness) + # Kill signal handling means systemd-nspawn will pass a system-halt signal + # to the container systemd when it receives SIGTERM for container shutdown; + # containerInit and stage2 have to handle this as well. exec ${config.systemd.package}/bin/systemd-nspawn \ --keep-unit \ -M "$INSTANCE" -D "$root" $extraFlags \ $EXTRA_NSPAWN_FLAGS \ --notify-ready=yes \ + --kill-signal=SIGRTMIN+3 \ --bind-ro=/nix/store \ --bind-ro=/nix/var/nix/db \ --bind-ro=/nix/var/nix/daemon-socket \ @@ -259,13 +270,10 @@ let Slice = "machine.slice"; Delegate = true; - # Hack: we don't want to kill systemd-nspawn, since we call - # "machinectl poweroff" in preStop to shut down the - # container cleanly. But systemd requires sending a signal - # (at least if we want remaining processes to be killed - # after the timeout). So send an ignored signal. + # We rely on systemd-nspawn turning a SIGTERM to itself into a shutdown + # signal (SIGRTMIN+3) for the inner container. KillMode = "mixed"; - KillSignal = "WINCH"; + KillSignal = "TERM"; DevicePolicy = "closed"; DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices; @@ -420,7 +428,7 @@ let extraVeths = {}; additionalCapabilities = []; ephemeral = false; - timeoutStartSec = "15s"; + timeoutStartSec = "1min"; allowedDevices = []; hostAddress = null; hostAddress6 = null; @@ -439,21 +447,16 @@ in default = false; description = '' Whether this NixOS machine is a lightweight container running - in another NixOS system. If set to true, support for nested - containers is disabled by default, but can be reenabled by - setting <option>boot.enableContainers</option> to true. + in another NixOS system. ''; }; boot.enableContainers = mkOption { type = types.bool; - default = !config.boot.isContainer; + default = true; description = '' Whether to enable support for NixOS containers. Defaults to true - (at no cost if containers are not actually used), but only if the - system is not itself a lightweight container of a host. - To enable support for nested containers, this option has to be - explicitly set to true (in the outer container). + (at no cost if containers are not actually used). ''; }; @@ -752,8 +755,6 @@ in postStart = postStartScript dummyConfig; - preStop = "machinectl poweroff $INSTANCE"; - restartIfChanged = false; serviceConfig = serviceDirectives dummyConfig; diff --git a/nixos/modules/virtualisation/oci-containers.nix b/nixos/modules/virtualisation/oci-containers.nix index 2dd15e3aba455..ad436ed301462 100644 --- a/nixos/modules/virtualisation/oci-containers.nix +++ b/nixos/modules/virtualisation/oci-containers.nix @@ -59,6 +59,18 @@ let ''; }; + environmentFiles = mkOption { + type = with types; listOf path; + default = []; + description = "Environment files for this container."; + example = literalExample '' + [ + /path/to/.env + /path/to/.env.secret + ] + ''; + }; + log-driver = mkOption { type = types.str; default = "journald"; @@ -236,6 +248,7 @@ let ] ++ optional (container.entrypoint != null) "--entrypoint=${escapeShellArg container.entrypoint}" ++ (mapAttrsToList (k: v: "-e ${escapeShellArg k}=${escapeShellArg v}") container.environment) + ++ map (f: "--env-file ${escapeShellArg f}") container.environmentFiles ++ map (p: "-p ${escapeShellArg p}") container.ports ++ optional (container.user != null) "-u ${escapeShellArg container.user}" ++ map (v: "-v ${escapeShellArg v}") container.volumes diff --git a/nixos/modules/virtualisation/openstack-metadata-fetcher.nix b/nixos/modules/virtualisation/openstack-metadata-fetcher.nix index 8c191397cf9a5..133cd4c0e9f91 100644 --- a/nixos/modules/virtualisation/openstack-metadata-fetcher.nix +++ b/nixos/modules/virtualisation/openstack-metadata-fetcher.nix @@ -15,7 +15,7 @@ } wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path - wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data" + (umask 077 && wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data) wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key '' diff --git a/nixos/modules/virtualisation/qemu-guest-agent.nix b/nixos/modules/virtualisation/qemu-guest-agent.nix index 6a735f451a7e3..3824d0c168f78 100644 --- a/nixos/modules/virtualisation/qemu-guest-agent.nix +++ b/nixos/modules/virtualisation/qemu-guest-agent.nix @@ -30,9 +30,12 @@ in { systemd.services.qemu-guest-agent = { description = "Run the QEMU Guest Agent"; serviceConfig = { - ExecStart = "${cfg.package}/bin/qemu-ga"; + ExecStart = "${cfg.package}/bin/qemu-ga --statedir /run/qemu-ga"; Restart = "always"; RestartSec = 0; + # Runtime directory and mode + RuntimeDirectory = "qemu-ga"; + RuntimeDirectoryMode = "0755"; }; }; } diff --git a/nixos/modules/virtualisation/virtualbox-image.nix b/nixos/modules/virtualisation/virtualbox-image.nix index fa580e8b42d6b..071edda826935 100644 --- a/nixos/modules/virtualisation/virtualbox-image.nix +++ b/nixos/modules/virtualisation/virtualbox-image.nix @@ -11,8 +11,9 @@ in { options = { virtualbox = { baseImageSize = mkOption { - type = types.int; - default = 50 * 1024; + type = with types; either (enum [ "auto" ]) int; + default = "auto"; + example = 50 * 1024; description = '' The size of the VirtualBox base image in MiB. ''; diff --git a/nixos/modules/virtualisation/vmware-image.nix b/nixos/modules/virtualisation/vmware-image.nix index 9da9e145f7a9c..f6cd12e2bb799 100644 --- a/nixos/modules/virtualisation/vmware-image.nix +++ b/nixos/modules/virtualisation/vmware-image.nix @@ -18,8 +18,9 @@ in { options = { vmware = { baseImageSize = mkOption { - type = types.int; - default = 2048; + type = with types; either (enum [ "auto" ]) int; + default = "auto"; + example = 2048; description = '' The size of the VMWare base image in MiB. ''; diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix index 24df1b6ad7c1a..fea43727f2fb3 100644 --- a/nixos/modules/virtualisation/xen-dom0.nix +++ b/nixos/modules/virtualisation/xen-dom0.nix @@ -161,9 +161,6 @@ in environment.systemPackages = [ cfg.package ]; - # Make sure Domain 0 gets the required configuration - #boot.kernelPackages = pkgs.boot.kernelPackages.override { features={xen_dom0=true;}; }; - boot.kernelModules = [ "xen-evtchn" "xen-gntdev" "xen-gntalloc" "xen-blkback" "xen-netback" "xen-pciback" "evtchn" "gntdev" "netbk" "blkbk" "xen-scsibk" diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index ea82adf09ad1d..34183c0ba9ff9 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -70,8 +70,8 @@ in rec { (onFullSupported "nixos.tests.firefox") (onFullSupported "nixos.tests.firewall") (onFullSupported "nixos.tests.fontconfig-default-fonts") - (onFullSupported "nixos.tests.gnome3") - (onFullSupported "nixos.tests.gnome3-xorg") + (onFullSupported "nixos.tests.gnome") + (onFullSupported "nixos.tests.gnome-xorg") (onSystems ["x86_64-linux"] "nixos.tests.hibernate") (onFullSupported "nixos.tests.i3wm") (onSystems ["x86_64-linux"] "nixos.tests.installer.btrfsSimple") @@ -90,7 +90,7 @@ in rec { (onFullSupported "nixos.tests.keymap.azerty") (onFullSupported "nixos.tests.keymap.colemak") (onFullSupported "nixos.tests.keymap.dvorak") - (onFullSupported "nixos.tests.keymap.dvp") + (onFullSupported "nixos.tests.keymap.dvorak-programmer") (onFullSupported "nixos.tests.keymap.neo") (onFullSupported "nixos.tests.keymap.qwertz") (onFullSupported "nixos.tests.latestKernel.login") diff --git a/nixos/release.nix b/nixos/release.nix index 327a259de7faf..2367e79e4ad07 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -138,7 +138,7 @@ in rec { # Build the initial ramdisk so Hydra can keep track of its size over time. initialRamdisk = buildFromConfig ({ ... }: { }) (config: config.system.build.initialRamdisk); - netboot = forMatchingSystems [ "x86_64-linux" "aarch64-linux" ] (system: makeNetboot { + netboot = forMatchingSystems supportedSystems (system: makeNetboot { module = ./modules/installer/netboot/netboot-minimal.nix; inherit system; }); @@ -186,11 +186,6 @@ in rec { inherit system; }); - sd_image_raspberrypi4 = forMatchingSystems [ "aarch64-linux" ] (system: makeSdImage { - module = ./modules/installer/sd-card/sd-image-raspberrypi4-installer.nix; - inherit system; - }); - # A bootable VirtualBox virtual appliance as an OVA file (i.e. packaged OVF). ova = forMatchingSystems [ "x86_64-linux" ] (system: @@ -224,6 +219,25 @@ in rec { ); + # Test job for https://github.com/NixOS/nixpkgs/issues/121354 to test + # automatic sizing without blocking the channel. + amazonImageAutomaticSize = forMatchingSystems [ "x86_64-linux" "aarch64-linux" ] (system: + + with import ./.. { inherit system; }; + + hydraJob ((import lib/eval-config.nix { + inherit system; + modules = + [ configuration + versionModule + ./maintainers/scripts/ec2/amazon-image.nix + ({ ... }: { amazonImage.sizeMB = "auto"; }) + ]; + }).config.system.build.amazonImage) + + ); + + # Ensure that all packages used by the minimal NixOS config end up in the channel. dummy = forAllSystems (system: pkgs.runCommand "dummy" { toplevel = (import lib/eval-config.nix { @@ -304,10 +318,10 @@ in rec { services.xserver.desktopManager.xfce.enable = true; }); - gnome3 = makeClosure ({ ... }: + gnome = makeClosure ({ ... }: { services.xserver.enable = true; services.xserver.displayManager.gdm.enable = true; - services.xserver.desktopManager.gnome3.enable = true; + services.xserver.desktopManager.gnome.enable = true; }); pantheon = makeClosure ({ ... }: diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix index 99dd8ec6fd3c1..6f98b0da37805 100644 --- a/nixos/tests/acme.nix +++ b/nixos/tests/acme.nix @@ -245,7 +245,7 @@ in import ./make-test-python.nix ({ lib, ... }: { ) for line in subject_data.lower().split("\n"): if "subject" in line: - print(f"First subject in fullchain.pem: ", line) + print(f"First subject in fullchain.pem: {line}") assert cert_name.lower() in line return diff --git a/nixos/tests/airsonic.nix b/nixos/tests/airsonic.nix new file mode 100644 index 0000000000000..59bd84877c61c --- /dev/null +++ b/nixos/tests/airsonic.nix @@ -0,0 +1,32 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "airsonic"; + meta = with pkgs.lib.maintainers; { + maintainers = [ sumnerevans ]; + }; + + machine = + { pkgs, ... }: + { + services.airsonic = { + enable = true; + maxMemory = 800; + }; + + # Airsonic is a Java application, and unfortunately requires a significant + # amount of memory. + virtualisation.memorySize = 1024; + }; + + testScript = '' + def airsonic_is_up(_) -> bool: + return machine.succeed("curl --fail http://localhost:4040/login") + + + machine.start() + machine.wait_for_unit("airsonic.service") + machine.wait_for_open_port(4040) + + with machine.nested("Waiting for UI to work"): + retry(airsonic_is_up) + ''; +}) diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 2b6012c1aff34..99393e5b18421 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -24,8 +24,12 @@ in _3proxy = handleTest ./3proxy.nix {}; acme = handleTest ./acme.nix {}; agda = handleTest ./agda.nix {}; + airsonic = handleTest ./airsonic.nix {}; + amazon-init-shell = handleTest ./amazon-init-shell.nix {}; ammonite = handleTest ./ammonite.nix {}; + apparmor = handleTest ./apparmor.nix {}; atd = handleTest ./atd.nix {}; + atop = handleTest ./atop.nix {}; avahi = handleTest ./avahi.nix {}; avahi-with-resolved = handleTest ./avahi.nix { networkd = true; }; awscli = handleTest ./awscli.nix { }; @@ -43,11 +47,12 @@ in boot = handleTestOn ["x86_64-linux"] ./boot.nix {}; # syslinux is unsupported on aarch64 boot-stage1 = handleTest ./boot-stage1.nix {}; borgbackup = handleTest ./borgbackup.nix {}; + botamusique = handleTest ./botamusique.nix {}; buildbot = handleTest ./buildbot.nix {}; buildkite-agents = handleTest ./buildkite-agents.nix {}; caddy = handleTest ./caddy.nix {}; cadvisor = handleTestOn ["x86_64-linux"] ./cadvisor.nix {}; - cage = handleTest ./cage.nix {}; + cage = handleTestOn ["x86_64-linux"] ./cage.nix {}; cagebreak = handleTest ./cagebreak.nix {}; calibre-web = handleTest ./calibre-web.nix {}; cassandra_2_1 = handleTest ./cassandra.nix { testPackage = pkgs.cassandra_2_1; }; @@ -75,6 +80,7 @@ in containers-ip = handleTest ./containers-ip.nix {}; containers-macvlans = handleTest ./containers-macvlans.nix {}; containers-names = handleTest ./containers-names.nix {}; + containers-nested = handleTest ./containers-nested.nix {}; containers-physical_interfaces = handleTest ./containers-physical_interfaces.nix {}; containers-portforward = handleTest ./containers-portforward.nix {}; containers-reloadable = handleTest ./containers-reloadable.nix {}; @@ -87,6 +93,7 @@ in custom-ca = handleTest ./custom-ca.nix {}; croc = handleTest ./croc.nix {}; deluge = handleTest ./deluge.nix {}; + dendrite = handleTest ./dendrite.nix {}; dhparams = handleTest ./dhparams.nix {}; discourse = handleTest ./discourse.nix {}; dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {}; @@ -129,14 +136,15 @@ in fsck = handleTest ./fsck.nix {}; ft2-clone = handleTest ./ft2-clone.nix {}; gerrit = handleTest ./gerrit.nix {}; + ghostunnel = handleTest ./ghostunnel.nix {}; gitdaemon = handleTest ./gitdaemon.nix {}; gitea = handleTest ./gitea.nix {}; gitlab = handleTest ./gitlab.nix {}; gitolite = handleTest ./gitolite.nix {}; gitolite-fcgiwrap = handleTest ./gitolite-fcgiwrap.nix {}; glusterfs = handleTest ./glusterfs.nix {}; - gnome3 = handleTest ./gnome3.nix {}; - gnome3-xorg = handleTest ./gnome3-xorg.nix {}; + gnome = handleTest ./gnome.nix {}; + gnome-xorg = handleTest ./gnome-xorg.nix {}; go-neb = handleTest ./go-neb.nix {}; gobgpd = handleTest ./gobgpd.nix {}; gocd-agent = handleTest ./gocd-agent.nix {}; @@ -185,6 +193,7 @@ in iodine = handleTest ./iodine.nix {}; ipfs = handleTest ./ipfs.nix {}; ipv6 = handleTest ./ipv6.nix {}; + iscsi-root = handleTest ./iscsi-root.nix {}; jackett = handleTest ./jackett.nix {}; jellyfin = handleTest ./jellyfin.nix {}; jenkins = handleTest ./jenkins.nix {}; @@ -210,6 +219,7 @@ in latestKernel.login = handleTest ./login.nix { latestKernel = true; }; leaps = handleTest ./leaps.nix {}; lidarr = handleTest ./lidarr.nix {}; + libreswan = handleTest ./libreswan.nix {}; lightdm = handleTest ./lightdm.nix {}; limesurvey = handleTest ./limesurvey.nix {}; locate = handleTest ./locate.nix {}; @@ -262,6 +272,7 @@ in nat.standalone = handleTest ./nat.nix { withFirewall = false; }; ncdns = handleTest ./ncdns.nix {}; ndppd = handleTest ./ndppd.nix {}; + nebula = handleTest ./nebula.nix {}; neo4j = handleTest ./neo4j.nix {}; netdata = handleTest ./netdata.nix {}; networking.networkd = handleTest ./networking.nix { networkd = true; }; @@ -294,6 +305,7 @@ in openarena = handleTest ./openarena.nix {}; openldap = handleTest ./openldap.nix {}; opensmtpd = handleTest ./opensmtpd.nix {}; + opensmtpd-rspamd = handleTest ./opensmtpd-rspamd.nix {}; openssh = handleTest ./openssh.nix {}; openstack-image-metadata = (handleTestOn ["x86_64-linux"] ./openstack-image.nix {}).metadata or {}; openstack-image-userdata = (handleTestOn ["x86_64-linux"] ./openstack-image.nix {}).userdata or {}; @@ -321,6 +333,7 @@ in pleroma = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./pleroma.nix {}; plikd = handleTest ./plikd.nix {}; plotinus = handleTest ./plotinus.nix {}; + podgrab = handleTest ./podgrab.nix {}; podman = handleTestOn ["x86_64-linux"] ./podman.nix {}; pomerium = handleTestOn ["x86_64-linux"] ./pomerium.nix {}; postfix = handleTest ./postfix.nix {}; @@ -341,7 +354,6 @@ in proxy = handleTest ./proxy.nix {}; pt2-clone = handleTest ./pt2-clone.nix {}; qboot = handleTestOn ["x86_64-linux" "i686-linux"] ./qboot.nix {}; - quagga = handleTest ./quagga.nix {}; quorum = handleTest ./quorum.nix {}; rabbitmq = handleTest ./rabbitmq.nix {}; radarr = handleTest ./radarr.nix {}; @@ -373,6 +385,7 @@ in snapcast = handleTest ./snapcast.nix {}; snapper = handleTest ./snapper.nix {}; sogo = handleTest ./sogo.nix {}; + solanum = handleTest ./solanum.nix {}; solr = handleTest ./solr.nix {}; sonarr = handleTest ./sonarr.nix {}; spacecookie = handleTest ./spacecookie.nix {}; @@ -382,6 +395,7 @@ in sssd-ldap = handleTestOn ["x86_64-linux"] ./sssd-ldap.nix {}; strongswan-swanctl = handleTest ./strongswan-swanctl.nix {}; sudo = handleTest ./sudo.nix {}; + sway = handleTest ./sway.nix {}; switchTest = handleTest ./switch-test.nix {}; sympa = handleTest ./sympa.nix {}; syncthing = handleTest ./syncthing.nix {}; @@ -410,6 +424,7 @@ in # traefik test relies on docker-containers trac = handleTest ./trac.nix {}; traefik = handleTestOn ["x86_64-linux"] ./traefik.nix {}; + trafficserver = handleTest ./trafficserver.nix {}; transmission = handleTest ./transmission.nix {}; trezord = handleTest ./trezord.nix {}; trickster = handleTest ./trickster.nix {}; @@ -433,6 +448,7 @@ in wasabibackend = handleTest ./wasabibackend.nix {}; wiki-js = handleTest ./wiki-js.nix {}; wireguard = handleTest ./wireguard {}; + wmderland = handleTest ./wmderland.nix {}; wordpress = handleTest ./wordpress.nix {}; xandikos = handleTest ./xandikos.nix {}; xautolock = handleTest ./xautolock.nix {}; diff --git a/nixos/tests/amazon-init-shell.nix b/nixos/tests/amazon-init-shell.nix new file mode 100644 index 0000000000000..f9268b2f3a009 --- /dev/null +++ b/nixos/tests/amazon-init-shell.nix @@ -0,0 +1,40 @@ +# This test verifies that the amazon-init service can treat the `user-data` ec2 +# metadata file as a shell script. If amazon-init detects that `user-data` is a +# script (based on the presence of the shebang #! line) it executes it and +# exits. +# Note that other tests verify that amazon-init can treat user-data as a nixos +# configuration expression. + +{ system ? builtins.currentSystem, + config ? {}, + pkgs ? import ../.. { inherit system config; } +}: + +with import ../lib/testing-python.nix { inherit system pkgs; }; +with pkgs.lib; + +makeTest { + name = "amazon-init"; + meta = with maintainers; { + maintainers = [ urbas ]; + }; + machine = { ... }: + { + imports = [ ../modules/profiles/headless.nix ../modules/virtualisation/amazon-init.nix ]; + services.openssh.enable = true; + networking.hostName = ""; + environment.etc."ec2-metadata/user-data" = { + text = '' + #!/usr/bin/bash + + echo successful > /tmp/evidence + ''; + }; + }; + testScript = '' + # To wait until amazon-init terminates its run + unnamed.wait_for_unit("amazon-init.service") + + unnamed.succeed("grep -q successful /tmp/evidence") + ''; +} diff --git a/nixos/tests/apparmor.nix b/nixos/tests/apparmor.nix new file mode 100644 index 0000000000000..c6daa8e67de3f --- /dev/null +++ b/nixos/tests/apparmor.nix @@ -0,0 +1,82 @@ +import ./make-test-python.nix ({ pkgs, ... } : { + name = "apparmor"; + meta = with pkgs.lib.maintainers; { + maintainers = [ julm ]; + }; + + machine = + { lib, pkgs, config, ... }: + with lib; + { + security.apparmor.enable = mkDefault true; + }; + + testScript = + '' + machine.wait_for_unit("multi-user.target") + + with subtest("AppArmor profiles are loaded"): + machine.succeed("systemctl status apparmor.service") + + # AppArmor securityfs + with subtest("AppArmor securityfs is mounted"): + machine.succeed("mountpoint -q /sys/kernel/security") + machine.succeed("cat /sys/kernel/security/apparmor/profiles") + + # Test apparmorRulesFromClosure by: + # 1. Prepending a string of the relevant packages' name and version on each line. + # 2. Sorting according to those strings. + # 3. Removing those prepended strings. + # 4. Using `diff` against the expected output. + with subtest("apparmorRulesFromClosure"): + machine.succeed( + "${pkgs.diffutils}/bin/diff ${pkgs.writeText "expected.rules" '' + mr ${pkgs.bash}/lib/**.so*, + r ${pkgs.bash}, + r ${pkgs.bash}/etc/**, + r ${pkgs.bash}/lib/**, + r ${pkgs.bash}/share/**, + x ${pkgs.bash}/foo/**, + mr ${pkgs.glibc}/lib/**.so*, + r ${pkgs.glibc}, + r ${pkgs.glibc}/etc/**, + r ${pkgs.glibc}/lib/**, + r ${pkgs.glibc}/share/**, + x ${pkgs.glibc}/foo/**, + mr ${pkgs.libcap}/lib/**.so*, + r ${pkgs.libcap}, + r ${pkgs.libcap}/etc/**, + r ${pkgs.libcap}/lib/**, + r ${pkgs.libcap}/share/**, + x ${pkgs.libcap}/foo/**, + mr ${pkgs.libcap.lib}/lib/**.so*, + r ${pkgs.libcap.lib}, + r ${pkgs.libcap.lib}/etc/**, + r ${pkgs.libcap.lib}/lib/**, + r ${pkgs.libcap.lib}/share/**, + x ${pkgs.libcap.lib}/foo/**, + mr ${pkgs.libidn2.out}/lib/**.so*, + r ${pkgs.libidn2.out}, + r ${pkgs.libidn2.out}/etc/**, + r ${pkgs.libidn2.out}/lib/**, + r ${pkgs.libidn2.out}/share/**, + x ${pkgs.libidn2.out}/foo/**, + mr ${pkgs.libunistring}/lib/**.so*, + r ${pkgs.libunistring}, + r ${pkgs.libunistring}/etc/**, + r ${pkgs.libunistring}/lib/**, + r ${pkgs.libunistring}/share/**, + x ${pkgs.libunistring}/foo/**, + ''} ${pkgs.runCommand "actual.rules" { preferLocalBuild = true; } '' + ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${ + pkgs.apparmorRulesFromClosure { + name = "ping"; + additionalRules = ["x $path/foo/**"]; + } [ pkgs.libcap ] + } | + ${pkgs.coreutils}/bin/sort -n -k1 | + ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ::' >$out + ''}" + ) + ''; +}) diff --git a/nixos/tests/atop.nix b/nixos/tests/atop.nix new file mode 100644 index 0000000000000..1f8b005041f0b --- /dev/null +++ b/nixos/tests/atop.nix @@ -0,0 +1,236 @@ +{ system ? builtins.currentSystem +, config ? { } +, pkgs ? import ../.. { inherit system config; } +}: + +with import ../lib/testing-python.nix { inherit system pkgs; }; +with pkgs.lib; + +let assertions = rec { + path = program: path: '' + with subtest("The path of ${program} should be ${path}"): + p = machine.succeed("type -p \"${program}\" | head -c -1") + assert p == "${path}", f"${program} is {p}, expected ${path}" + ''; + unit = name: state: '' + with subtest("Unit ${name} should be ${state}"): + if "${state}" == "active": + machine.wait_for_unit("${name}") + else: + machine.require_unit_state("${name}", "${state}") + ''; + version = '' + import re + + with subtest("binary should report the correct version"): + pkgver = "${pkgs.atop.version}" + ver = re.sub(r'(?s)^Version: (\d\.\d\.\d).*', r'\1', machine.succeed("atop -V")) + assert ver == pkgver, f"Version is `{ver}`, expected `{pkgver}`" + ''; + atoprc = contents: + if builtins.stringLength contents > 0 then '' + with subtest("/etc/atoprc should have the correct contents"): + f = machine.succeed("cat /etc/atoprc") + assert f == "${contents}", f"/etc/atoprc contents: '{f}', expected '${contents}'" + '' else '' + with subtest("/etc/atoprc should not be present"): + machine.succeed("test ! -e /etc/atoprc") + ''; + wrapper = present: + if present then path "atop" "/run/wrappers/bin/atop" + '' + with subtest("Wrapper should be setuid root"): + stat = machine.succeed("stat --printf '%a %u' /run/wrappers/bin/atop") + assert stat == "4511 0", f"Wrapper stat is {stat}, expected '4511 0'" + '' + else path "atop" "/run/current-system/sw/bin/atop"; + atopService = present: + if present then + unit "atop.service" "active" + + '' + with subtest("atop.service should write some data to /var/log/atop"): + + def has_data_files(last: bool) -> bool: + files = int(machine.succeed("ls -1 /var/log/atop | wc -l")) + if files == 0: + machine.log("Did not find at least one 1 data file") + if not last: + machine.log("Will retry...") + return False + return True + + with machine.nested("Waiting for data files"): + retry(has_data_files) + '' else unit "atop.service" "inactive"; + atopRotateTimer = present: + unit "atop-rotate.timer" (if present then "active" else "inactive"); + atopacctService = present: + if present then + unit "atopacct.service" "active" + + '' + with subtest("atopacct.service should enable process accounting"): + machine.wait_until_succeeds("test -f /run/pacct_source") + + with subtest("atopacct.service should write data to /run/pacct_shadow.d"): + + def has_data_files(last: bool) -> bool: + files = int(machine.succeed("ls -1 /run/pacct_shadow.d | wc -l")) + if files == 0: + machine.log("Did not find at least one 1 data file") + if not last: + machine.log("Will retry...") + return False + return True + + with machine.nested("Waiting for data files"): + retry(has_data_files) + '' else unit "atopacct.service" "inactive"; + netatop = present: + if present then + unit "netatop.service" "active" + + '' + with subtest("The netatop kernel module should be loaded"): + out = machine.succeed("modprobe -n -v netatop") + assert out == "", f"Module should be loaded already, but modprobe would have done {out}." + '' else '' + with subtest("The netatop kernel module should be absent"): + machine.fail("modprobe -n -v netatop") + ''; + atopgpu = present: + if present then + (unit "atopgpu.service" "active") + (path "atopgpud" "/run/current-system/sw/bin/atopgpud") + else (unit "atopgpu.service" "inactive") + '' + with subtest("atopgpud should not be present"): + machine.fail("type -p atopgpud") + ''; +}; +in +{ + name = "atop"; + + justThePackage = makeTest { + name = "atop-justThePackage"; + machine = { + environment.systemPackages = [ pkgs.atop ]; + }; + testScript = with assertions; builtins.concatStringsSep "\n" [ + version + (atoprc "") + (wrapper false) + (atopService false) + (atopRotateTimer false) + (atopacctService false) + (netatop false) + (atopgpu false) + ]; + }; + defaults = makeTest { + name = "atop-defaults"; + machine = { + programs.atop = { + enable = true; + }; + }; + testScript = with assertions; builtins.concatStringsSep "\n" [ + version + (atoprc "") + (wrapper false) + (atopService true) + (atopRotateTimer true) + (atopacctService true) + (netatop false) + (atopgpu false) + ]; + }; + minimal = makeTest { + name = "atop-minimal"; + machine = { + programs.atop = { + enable = true; + atopService.enable = false; + atopRotateTimer.enable = false; + atopacctService.enable = false; + }; + }; + testScript = with assertions; builtins.concatStringsSep "\n" [ + version + (atoprc "") + (wrapper false) + (atopService false) + (atopRotateTimer false) + (atopacctService false) + (netatop false) + (atopgpu false) + ]; + }; + netatop = makeTest { + name = "atop-netatop"; + machine = { + programs.atop = { + enable = true; + netatop.enable = true; + }; + }; + testScript = with assertions; builtins.concatStringsSep "\n" [ + version + (atoprc "") + (wrapper false) + (atopService true) + (atopRotateTimer true) + (atopacctService true) + (netatop true) + (atopgpu false) + ]; + }; + atopgpu = makeTest { + name = "atop-atopgpu"; + machine = { + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (getName pkg) [ + "cudatoolkit" + ]; + + programs.atop = { + enable = true; + atopgpu.enable = true; + }; + }; + testScript = with assertions; builtins.concatStringsSep "\n" [ + version + (atoprc "") + (wrapper false) + (atopService true) + (atopRotateTimer true) + (atopacctService true) + (netatop false) + (atopgpu true) + ]; + }; + everything = makeTest { + name = "atop-everthing"; + machine = { + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (getName pkg) [ + "cudatoolkit" + ]; + + programs.atop = { + enable = true; + settings = { + flags = "faf1"; + interval = 2; + }; + setuidWrapper.enable = true; + netatop.enable = true; + atopgpu.enable = true; + }; + }; + testScript = with assertions; builtins.concatStringsSep "\n" [ + version + (atoprc "flags faf1\\ninterval 2\\n") + (wrapper true) + (atopService true) + (atopRotateTimer true) + (atopacctService true) + (netatop true) + (atopgpu true) + ]; + }; +} diff --git a/nixos/tests/babeld.nix b/nixos/tests/babeld.nix index 5817ea4ce142d..d4df6f86d089d 100644 --- a/nixos/tests/babeld.nix +++ b/nixos/tests/babeld.nix @@ -25,9 +25,6 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { { virtualisation.vlans = [ 10 20 ]; - boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1; - boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; - networking = { useDHCP = false; firewall.enable = false; @@ -74,9 +71,6 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { { virtualisation.vlans = [ 20 30 ]; - boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1; - boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; - networking = { useDHCP = false; firewall.enable = false; diff --git a/nixos/tests/botamusique.nix b/nixos/tests/botamusique.nix new file mode 100644 index 0000000000000..ccb105dc142f2 --- /dev/null +++ b/nixos/tests/botamusique.nix @@ -0,0 +1,47 @@ +import ./make-test-python.nix ({ pkgs, lib, ...} : + +{ + name = "botamusique"; + meta.maintainers = with lib.maintainers; [ hexa ]; + + nodes = { + machine = { config, ... }: { + services.murmur = { + enable = true; + registerName = "NixOS tests"; + }; + + services.botamusique = { + enable = true; + settings = { + server = { + channel = "NixOS tests"; + }; + bot = { + version = false; + auto_check_update = false; + }; + }; + }; + }; + }; + + testScript = '' + start_all() + + machine.wait_for_unit("murmur.service") + machine.wait_for_unit("botamusique.service") + + machine.sleep(10) + + machine.wait_until_succeeds( + "journalctl -u murmur.service -e | grep -q '<1:botamusique(-1)> Authenticated'" + ) + + with subtest("Check systemd hardening"): + output = machine.execute("systemctl show botamusique.service")[1] + machine.log(output) + output = machine.execute("systemd-analyze security botamusique.service")[1] + machine.log(output) + ''; +}) diff --git a/nixos/tests/buildbot.nix b/nixos/tests/buildbot.nix index 11f9fbef635ed..977c728835f03 100644 --- a/nixos/tests/buildbot.nix +++ b/nixos/tests/buildbot.nix @@ -109,5 +109,5 @@ import ./make-test-python.nix { bbworker.fail("nc -z bbmaster 8011") ''; - meta.maintainers = with pkgs.lib.maintainers; [ nand0p ]; + meta.maintainers = with pkgs.lib.maintainers; [ ]; } {} diff --git a/nixos/tests/cage.nix b/nixos/tests/cage.nix index 1ae07b6fd2ff9..80ce1e0d8b3a7 100644 --- a/nixos/tests/cage.nix +++ b/nixos/tests/cage.nix @@ -3,7 +3,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { name = "cage"; meta = with pkgs.lib.maintainers; { - maintainers = [ matthewbauer flokli ]; + maintainers = [ matthewbauer ]; }; machine = { ... }: @@ -13,19 +13,15 @@ import ./make-test-python.nix ({ pkgs, ...} : services.cage = { enable = true; user = "alice"; - program = "${pkgs.xterm}/bin/xterm -cm -pc"; # disable color and bold to make OCR easier + # Disable color and bold and use a larger font to make OCR easier: + program = "${pkgs.xterm}/bin/xterm -cm -pc -fa Monospace -fs 24"; }; - # this needs a fairly recent kernel, otherwise: - # [backend/drm/util.c:215] Unable to add DRM framebuffer: No such file or directory - # [backend/drm/legacy.c:15] Virtual-1: Failed to set CRTC: No such file or directory - # [backend/drm/util.c:215] Unable to add DRM framebuffer: No such file or directory - # [backend/drm/legacy.c:15] Virtual-1: Failed to set CRTC: No such file or directory - # [backend/drm/drm.c:618] Failed to initialize renderer on connector 'Virtual-1': initial page-flip failed - # [backend/drm/drm.c:701] Failed to initialize renderer for plane - boot.kernelPackages = pkgs.linuxPackages_latest; - virtualisation.memorySize = 1024; + # Need to switch to a different VGA card / GPU driver because Cage segfaults with the default one (std): + # machine # [ 14.355893] .cage-wrapped[736]: segfault at 20 ip 00007f035fa0d8c7 sp 00007ffce9e4a2f0 error 4 in libwlroots.so.8[7f035fa07000+5a000] + # machine # [ 14.358108] Code: 4f a8 ff ff eb aa 0f 1f 44 00 00 c3 0f 1f 80 00 00 00 00 41 54 49 89 f4 55 31 ed 53 48 89 fb 48 8d 7f 18 48 8d 83 b8 00 00 00 <80> 7f 08 00 75 0d 48 83 3f 00 0f 85 91 00 00 00 48 89 fd 48 83 c7 + virtualisation.qemu.options = [ "-vga virtio" ]; }; enableOCR = true; diff --git a/nixos/tests/cagebreak.nix b/nixos/tests/cagebreak.nix index 87f43cc3c3216..e343cd88e7f57 100644 --- a/nixos/tests/cagebreak.nix +++ b/nixos/tests/cagebreak.nix @@ -17,56 +17,27 @@ in let alice = config.users.users.alice; in { + # Automatically login on tty1 as a normal user: imports = [ ./common/user-account.nix ]; + services.getty.autologinUser = "alice"; + programs.bash.loginShellInit = '' + if [ "$(tty)" = "/dev/tty1" ]; then + set -e - environment.systemPackages = [ pkgs.cagebreak pkgs.wallutils ]; - services.xserver = { - enable = true; - displayManager.autoLogin = { - enable = true; - user = alice.name; - }; - }; - services.xserver.windowManager.session = lib.singleton { - manage = "desktop"; - name = "cagebreak"; - start = '' - export XDG_RUNTIME_DIR="/run/user/${toString alice.uid}" - ${pkgs.cagebreak}/bin/cagebreak & - waitPID=$! - ''; - }; + mkdir -p ~/.config/cagebreak + cp -f ${cagebreakConfigfile} ~/.config/cagebreak/config - systemd.services.setupCagebreakConfig = { - wantedBy = [ "multi-user.target" ]; - before = [ "multi-user.target" ]; - environment = { - HOME = alice.home; - }; - unitConfig = { - type = "oneshot"; - RemainAfterExit = true; - user = alice.name; - }; - script = '' - cd $HOME - CONFFILE=$HOME/.config/cagebreak/config - mkdir -p $(dirname $CONFFILE) - cp ${cagebreakConfigfile} $CONFFILE - ''; - }; + cagebreak + fi + ''; - # Copied from cage: - # this needs a fairly recent kernel, otherwise: - # [backend/drm/util.c:215] Unable to add DRM framebuffer: No such file or directory - # [backend/drm/legacy.c:15] Virtual-1: Failed to set CRTC: No such file or directory - # [backend/drm/util.c:215] Unable to add DRM framebuffer: No such file or directory - # [backend/drm/legacy.c:15] Virtual-1: Failed to set CRTC: No such file or directory - # [backend/drm/drm.c:618] Failed to initialize renderer on connector 'Virtual-1': initial page-flip failed - # [backend/drm/drm.c:701] Failed to initialize renderer for plane - boot.kernelPackages = pkgs.linuxPackages_latest; + hardware.opengl.enable = true; + programs.xwayland.enable = true; + environment.systemPackages = [ pkgs.cagebreak pkgs.wayland-utils ]; virtualisation.memorySize = 1024; + # Need to switch to a different VGA card / GPU driver than the default one (std) so that Cagebreak can launch: + virtualisation.qemu.options = [ "-vga virtio" ]; }; enableOCR = true; @@ -80,14 +51,15 @@ in machine.wait_for_file("${XDG_RUNTIME_DIR}/wayland-0") with subtest("ensure wayland works with wayinfo from wallutils"): - machine.succeed("env XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR} wayinfo") + print(machine.succeed("env XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR} wayland-info")) - with subtest("ensure xwayland works with xterm"): - machine.send_key("ctrl-t") - machine.send_key("t") - machine.wait_until_succeeds("pgrep xterm") - machine.wait_for_text("${user.name}@machine") - machine.screenshot("screen") - machine.send_key("ctrl-d") + # TODO: Fix the XWayland test (log the cagebreak output to debug): + # with subtest("ensure xwayland works with xterm"): + # machine.send_key("ctrl-t") + # machine.send_key("t") + # machine.wait_until_succeeds("pgrep xterm") + # machine.wait_for_text("${user.name}@machine") + # machine.screenshot("screen") + # machine.send_key("ctrl-d") ''; }) diff --git a/nixos/tests/ceph-multi-node.nix b/nixos/tests/ceph-multi-node.nix index 4e6d644f96c8a..33736e27b984d 100644 --- a/nixos/tests/ceph-multi-node.nix +++ b/nixos/tests/ceph-multi-node.nix @@ -37,7 +37,7 @@ let generateHost = { pkgs, cephConfig, networkConfig, ... }: { virtualisation = { - memorySize = 512; + memorySize = 1024; emptyDiskImages = [ 20480 ]; vlans = [ 1 ]; }; @@ -120,6 +120,7 @@ let ) monA.wait_for_unit("ceph-mon-${cfg.monA.name}") monA.succeed("ceph mon enable-msgr2") + monA.succeed("ceph config set mon auth_allow_insecure_global_id_reclaim false") # Can't check ceph status until a mon is up monA.succeed("ceph -s | grep 'mon: 1 daemons'") diff --git a/nixos/tests/ceph-single-node-bluestore.nix b/nixos/tests/ceph-single-node-bluestore.nix index cc873e8aee576..f706d4d56fcfd 100644 --- a/nixos/tests/ceph-single-node-bluestore.nix +++ b/nixos/tests/ceph-single-node-bluestore.nix @@ -34,7 +34,7 @@ let generateHost = { pkgs, cephConfig, networkConfig, ... }: { virtualisation = { - memorySize = 512; + memorySize = 1024; emptyDiskImages = [ 20480 20480 20480 ]; vlans = [ 1 ]; }; @@ -95,6 +95,7 @@ let ) monA.wait_for_unit("ceph-mon-${cfg.monA.name}") monA.succeed("ceph mon enable-msgr2") + monA.succeed("ceph config set mon auth_allow_insecure_global_id_reclaim false") # Can't check ceph status until a mon is up monA.succeed("ceph -s | grep 'mon: 1 daemons'") diff --git a/nixos/tests/ceph-single-node.nix b/nixos/tests/ceph-single-node.nix index 19919371a3ca7..d1d56ea6708cc 100644 --- a/nixos/tests/ceph-single-node.nix +++ b/nixos/tests/ceph-single-node.nix @@ -34,7 +34,7 @@ let generateHost = { pkgs, cephConfig, networkConfig, ... }: { virtualisation = { - memorySize = 512; + memorySize = 1024; emptyDiskImages = [ 20480 20480 20480 ]; vlans = [ 1 ]; }; @@ -95,6 +95,7 @@ let ) monA.wait_for_unit("ceph-mon-${cfg.monA.name}") monA.succeed("ceph mon enable-msgr2") + monA.succeed("ceph config set mon auth_allow_insecure_global_id_reclaim false") # Can't check ceph status until a mon is up monA.succeed("ceph -s | grep 'mon: 1 daemons'") diff --git a/nixos/tests/chromium.nix b/nixos/tests/chromium.nix index 8429d932ae694..60ecf986d6eed 100644 --- a/nixos/tests/chromium.nix +++ b/nixos/tests/chromium.nix @@ -54,7 +54,8 @@ mapAttrs (channel: chromiumPkg: makeTest rec { in "${pkgs.xdotool}/bin/xdotool ${xdoScript}"; in '' import shlex - from contextlib import contextmanager, _GeneratorContextManager + import re + from contextlib import contextmanager # Run as user alice diff --git a/nixos/tests/clickhouse.nix b/nixos/tests/clickhouse.nix index 98d8b4b465257..017f2ee35dab0 100644 --- a/nixos/tests/clickhouse.nix +++ b/nixos/tests/clickhouse.nix @@ -4,6 +4,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine = { services.clickhouse.enable = true; + virtualisation.memorySize = 4096; }; testScript = diff --git a/nixos/tests/containers-custom-pkgs.nix b/nixos/tests/containers-custom-pkgs.nix index c050e49bc29d2..1627a2c70c3ca 100644 --- a/nixos/tests/containers-custom-pkgs.nix +++ b/nixos/tests/containers-custom-pkgs.nix @@ -30,5 +30,5 @@ in { }; # This test only consists of evaluating the test machine - testScript = ""; + testScript = "pass"; }) diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix index 0ff0d3f954528..1dcccfc306a35 100644 --- a/nixos/tests/containers-imperative.nix +++ b/nixos/tests/containers-imperative.nix @@ -111,6 +111,26 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.succeed(f"nixos-container stop {id1}") machine.succeed(f"nixos-container start {id1}") + # clear serial backlog for next tests + machine.succeed("logger eat console backlog 3ea46eb2-7f82-4f70-b810-3f00e3dd4c4d") + machine.wait_for_console_text( + "eat console backlog 3ea46eb2-7f82-4f70-b810-3f00e3dd4c4d" + ) + + with subtest("Stop a container early"): + machine.succeed(f"nixos-container stop {id1}") + machine.succeed(f"nixos-container start {id1} &") + machine.wait_for_console_text("Stage 2") + machine.succeed(f"nixos-container stop {id1}") + machine.wait_for_console_text(f"Container {id1} exited successfully") + machine.succeed(f"nixos-container start {id1}") + + with subtest("Stop a container without machined (regression test for #109695)"): + machine.systemctl("stop systemd-machined") + machine.succeed(f"nixos-container stop {id1}") + machine.wait_for_console_text(f"Container {id1} has been shut down") + machine.succeed(f"nixos-container start {id1}") + with subtest("tmpfiles are present"): machine.log("creating container tmpfiles") machine.succeed( @@ -142,6 +162,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.fail( "nixos-container create b0rk --config-file ${brokenCfg}" ) - machine.succeed(f"test ! -e /var/lib/containers/b0rk") + machine.succeed("test ! -e /var/lib/containers/b0rk") ''; }) diff --git a/nixos/tests/containers-nested.nix b/nixos/tests/containers-nested.nix new file mode 100644 index 0000000000000..a653361494f96 --- /dev/null +++ b/nixos/tests/containers-nested.nix @@ -0,0 +1,30 @@ +# Test for NixOS' container nesting. + +import ./make-test-python.nix ({ pkgs, ... }: { + name = "nested"; + + meta = with pkgs.lib.maintainers; { maintainers = [ sorki ]; }; + + machine = { lib, ... }: + let + makeNested = subConf: { + containers.nested = { + autoStart = true; + privateNetwork = true; + config = subConf; + }; + }; + in makeNested (makeNested { }); + + testScript = '' + machine.start() + machine.wait_for_unit("container@nested.service") + machine.succeed("systemd-run --pty --machine=nested -- machinectl list | grep nested") + print( + machine.succeed( + "systemd-run --pty --machine=nested -- systemd-run --pty --machine=nested -- systemctl status" + ) + ) + ''; +}) + diff --git a/nixos/tests/couchdb.nix b/nixos/tests/couchdb.nix index d038ee7d890dc..049532481b15f 100644 --- a/nixos/tests/couchdb.nix +++ b/nixos/tests/couchdb.nix @@ -24,8 +24,6 @@ with lib; }; nodes = { - couchdb1 = makeNode pkgs.couchdb testuser testpass; - couchdb2 = makeNode pkgs.couchdb2 testuser testpass; couchdb3 = makeNode pkgs.couchdb3 testuser testpass; }; @@ -41,42 +39,6 @@ with lib; in '' start_all() - couchdb1.wait_for_unit("couchdb.service") - couchdb1.wait_until_succeeds( - "${curlJqCheck "" "GET" "" ".couchdb" "Welcome"}" - ) - couchdb1.wait_until_succeeds( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "2"}" - ) - couchdb1.succeed("${curlJqCheck testlogin "PUT" "foo" ".ok" "true"}") - couchdb1.succeed( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "3"}" - ) - couchdb1.succeed( - "${curlJqCheck testlogin "DELETE" "foo" ".ok" "true"}" - ) - couchdb1.succeed( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "2"}" - ) - - couchdb2.wait_for_unit("couchdb.service") - couchdb2.wait_until_succeeds( - "${curlJqCheck "" "GET" "" ".couchdb" "Welcome"}" - ) - couchdb2.wait_until_succeeds( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "0"}" - ) - couchdb2.succeed("${curlJqCheck testlogin "PUT" "foo" ".ok" "true"}") - couchdb2.succeed( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "1"}" - ) - couchdb2.succeed( - "${curlJqCheck testlogin "DELETE" "foo" ".ok" "true"}" - ) - couchdb2.succeed( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "0"}" - ) - couchdb3.wait_for_unit("couchdb.service") couchdb3.wait_until_succeeds( "${curlJqCheck testlogin "GET" "" ".couchdb" "Welcome"}" diff --git a/nixos/tests/custom-ca.nix b/nixos/tests/custom-ca.nix index 67f7b3ff1f161..7ce1101911db0 100644 --- a/nixos/tests/custom-ca.nix +++ b/nixos/tests/custom-ca.nix @@ -92,13 +92,19 @@ in { onlySSL = true; sslCertificate = "${example-good-cert}/server.crt"; sslCertificateKey = "${example-good-cert}/server.key"; - locations."/".extraConfig = "return 200 'It works!';"; + locations."/".extraConfig = '' + add_header Content-Type text/plain; + return 200 'It works!'; + ''; }; services.nginx.virtualHosts."bad.example.com" = { onlySSL = true; sslCertificate = "${example-bad-cert}/server.crt"; sslCertificateKey = "${example-bad-cert}/server.key"; - locations."/".extraConfig = "return 200 'It does not work!';"; + locations."/".extraConfig = '' + add_header Content-Type text/plain; + return 200 'It does not work!'; + ''; }; environment.systemPackages = with pkgs; @@ -106,6 +112,7 @@ in }; testScript = '' + from typing import Tuple def execute_as(user: str, cmd: str) -> Tuple[int, str]: """ Run a shell command as a specific user. diff --git a/nixos/tests/dendrite.nix b/nixos/tests/dendrite.nix new file mode 100644 index 0000000000000..a444c9b200189 --- /dev/null +++ b/nixos/tests/dendrite.nix @@ -0,0 +1,99 @@ +import ./make-test-python.nix ( + { pkgs, ... }: + let + homeserverUrl = "http://homeserver:8008"; + + private_key = pkgs.runCommand "matrix_key.pem" { + buildInputs = [ pkgs.dendrite ]; + } "generate-keys --private-key $out"; + in + { + name = "dendrite"; + meta = with pkgs.lib; { + maintainers = teams.matrix.members; + }; + + nodes = { + homeserver = { pkgs, ... }: { + services.dendrite = { + enable = true; + settings = { + global.server_name = "test-dendrite-server.com"; + global.private_key = private_key; + client_api.registration_disabled = false; + }; + }; + + networking.firewall.allowedTCPPorts = [ 8008 ]; + }; + + client = { pkgs, ... }: { + environment.systemPackages = [ + ( + pkgs.writers.writePython3Bin "do_test" + { libraries = [ pkgs.python3Packages.matrix-nio ]; } '' + import asyncio + + from nio import AsyncClient + + + async def main() -> None: + # Connect to dendrite + client = AsyncClient("http://homeserver:8008", "alice") + + # Register as user alice + response = await client.register("alice", "my-secret-password") + + # Log in as user alice + response = await client.login("my-secret-password") + + # Create a new room + response = await client.room_create(federate=False) + room_id = response.room_id + + # Join the room + response = await client.join(room_id) + + # Send a message to the room + response = await client.room_send( + room_id=room_id, + message_type="m.room.message", + content={ + "msgtype": "m.text", + "body": "Hello world!" + } + ) + + # Sync responses + response = await client.sync(timeout=30000) + + # Check the message was received by dendrite + last_message = response.rooms.join[room_id].timeline.events[-1].body + assert last_message == "Hello world!" + + # Leave the room + response = await client.room_leave(room_id) + + # Close the client + await client.close() + + asyncio.get_event_loop().run_until_complete(main()) + '' + ) + ]; + }; + }; + + testScript = '' + start_all() + + with subtest("start the homeserver"): + homeserver.wait_for_unit("dendrite.service") + homeserver.wait_for_open_port(8008) + + with subtest("ensure messages can be exchanged"): + client.succeed("do_test") + ''; + + } +) diff --git a/nixos/tests/docker-tools-overlay.nix b/nixos/tests/docker-tools-overlay.nix index 98eb728661565..6781388e639b6 100644 --- a/nixos/tests/docker-tools-overlay.nix +++ b/nixos/tests/docker-tools-overlay.nix @@ -4,7 +4,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { name = "docker-tools-overlay"; meta = with pkgs.lib.maintainers; { - maintainers = [ lnl7 ]; + maintainers = [ lnl7 roberth ]; }; nodes = { diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index 80d527b453fa4..39b97b4cb997f 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix @@ -3,7 +3,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { name = "docker-tools"; meta = with pkgs.lib.maintainers; { - maintainers = [ lnl7 ]; + maintainers = [ lnl7 roberth ]; }; nodes = { @@ -321,5 +321,48 @@ import ./make-test-python.nix ({ pkgs, ... }: { docker.succeed( "docker run --rm ${examples.layeredImageWithFakeRootCommands.imageName} sh -c 'stat -c '%u' /home/jane | grep -E ^1000$'" ) + + with subtest("Ensure docker load on merged images loads all of the constituent images"): + docker.succeed( + "docker load --input='${examples.mergedBashAndRedis}'" + ) + docker.succeed( + "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.bash.imageName}-${examples.bash.imageTag}'" + ) + docker.succeed( + "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.redis.imageName}-${examples.redis.imageTag}'" + ) + docker.succeed("docker run --rm ${examples.bash.imageName} bash --version") + docker.succeed("docker run --rm ${examples.redis.imageName} redis-cli --version") + docker.succeed("docker rmi ${examples.bash.imageName}") + docker.succeed("docker rmi ${examples.redis.imageName}") + + with subtest( + "Ensure docker load on merged images loads all of the constituent images (missing tags)" + ): + docker.succeed( + "docker load --input='${examples.mergedBashNoTagAndRedis}'" + ) + docker.succeed( + "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.bashNoTag.imageName}-${examples.bashNoTag.imageTag}'" + ) + docker.succeed( + "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.redis.imageName}-${examples.redis.imageTag}'" + ) + # we need to explicitly specify the generated tag here + docker.succeed( + "docker run --rm ${examples.bashNoTag.imageName}:${examples.bashNoTag.imageTag} bash --version" + ) + docker.succeed("docker run --rm ${examples.redis.imageName} redis-cli --version") + docker.succeed("docker rmi ${examples.bashNoTag.imageName}:${examples.bashNoTag.imageTag}") + docker.succeed("docker rmi ${examples.redis.imageName}") + + with subtest("mergeImages preserves owners of the original images"): + docker.succeed( + "docker load --input='${examples.mergedBashFakeRoot}'" + ) + docker.succeed( + "docker run --rm ${examples.layeredImageWithFakeRootCommands.imageName} sh -c 'stat -c '%u' /home/jane | grep -E ^1000$'" + ) ''; }) diff --git a/nixos/tests/docker.nix b/nixos/tests/docker.nix index 58e33535ed31e..dee7480eb4a96 100644 --- a/nixos/tests/docker.nix +++ b/nixos/tests/docker.nix @@ -45,5 +45,8 @@ import ./make-test-python.nix ({ pkgs, ...} : { # Must match version 4 times to ensure client and server git commits and versions are correct docker.succeed('[ $(docker version | grep ${pkgs.docker.version} | wc -l) = "4" ]') + docker.succeed("systemctl restart systemd-sysctl") + docker.succeed("grep 1 /proc/sys/net/ipv4/conf/all/forwarding") + docker.succeed("grep 1 /proc/sys/net/ipv4/conf/default/forwarding") ''; }) diff --git a/nixos/tests/dovecot.nix b/nixos/tests/dovecot.nix index 1129e3b45d9d6..8913c2a6a7e82 100644 --- a/nixos/tests/dovecot.nix +++ b/nixos/tests/dovecot.nix @@ -8,6 +8,8 @@ import ./make-test-python.nix { enable = true; protocols = [ "imap" "pop3" ]; modules = [ pkgs.dovecot_pigeonhole ]; + mailUser = "vmail"; + mailGroup = "vmail"; }; environment.systemPackages = let sendTestMail = pkgs.writeScriptBin "send-testmail" '' diff --git a/nixos/tests/fancontrol.nix b/nixos/tests/fancontrol.nix index 356cd57ffa1a3..296c680264150 100644 --- a/nixos/tests/fancontrol.nix +++ b/nixos/tests/fancontrol.nix @@ -1,28 +1,34 @@ import ./make-test-python.nix ({ pkgs, ... } : { name = "fancontrol"; + meta = with pkgs.lib.maintainers; { + maintainers = [ evils ]; + }; - machine = - { ... }: - { hardware.fancontrol.enable = true; - hardware.fancontrol.config = '' - INTERVAL=42 - DEVPATH=hwmon1=devices/platform/dummy - DEVNAME=hwmon1=dummy - FCTEMPS=hwmon1/device/pwm1=hwmon1/device/temp1_input - FCFANS=hwmon1/device/pwm1=hwmon1/device/fan1_input - MINTEMP=hwmon1/device/pwm1=25 - MAXTEMP=hwmon1/device/pwm1=65 - MINSTART=hwmon1/device/pwm1=150 - MINSTOP=hwmon1/device/pwm1=0 - ''; + machine = { ... }: { + imports = [ ../modules/profiles/minimal.nix ]; + hardware.fancontrol.enable = true; + hardware.fancontrol.config = '' + INTERVAL=42 + DEVPATH=hwmon1=devices/platform/dummy + DEVNAME=hwmon1=dummy + FCTEMPS=hwmon1/device/pwm1=hwmon1/device/temp1_input + FCFANS=hwmon1/device/pwm1=hwmon1/device/fan1_input + MINTEMP=hwmon1/device/pwm1=25 + MAXTEMP=hwmon1/device/pwm1=65 + MINSTART=hwmon1/device/pwm1=150 + MINSTOP=hwmon1/device/pwm1=0 + ''; }; # This configuration cannot be valid for the test VM, so it's expected to get an 'outdated' error. testScript = '' start_all() - machine.wait_for_unit("fancontrol.service") - machine.wait_until_succeeds( - "journalctl -eu fancontrol | grep 'Configuration appears to be outdated'" + # can't wait for unit fancontrol.service because it doesn't become active due to invalid config + # fancontrol.service is WantedBy multi-user.target + machine.wait_for_unit("multi-user.target") + machine.succeed( + "journalctl -eu fancontrol | tee /dev/stderr | grep 'Configuration appears to be outdated'" ) + machine.shutdown() ''; }) diff --git a/nixos/tests/fontconfig-default-fonts.nix b/nixos/tests/fontconfig-default-fonts.nix index 68c6ac9e9c833..58d0f6227cc7b 100644 --- a/nixos/tests/fontconfig-default-fonts.nix +++ b/nixos/tests/fontconfig-default-fonts.nix @@ -4,7 +4,6 @@ import ./make-test-python.nix ({ lib, ... }: meta.maintainers = with lib.maintainers; [ jtojnar - worldofpeace ]; machine = { config, pkgs, ... }: { diff --git a/nixos/tests/ghostunnel.nix b/nixos/tests/ghostunnel.nix new file mode 100644 index 0000000000000..a82cff8082b75 --- /dev/null +++ b/nixos/tests/ghostunnel.nix @@ -0,0 +1,104 @@ +{ pkgs, ... }: import ./make-test-python.nix { + + nodes = { + backend = { pkgs, ... }: { + services.nginx.enable = true; + services.nginx.virtualHosts."backend".root = pkgs.runCommand "webroot" {} '' + mkdir $out + echo hi >$out/hi.txt + ''; + networking.firewall.allowedTCPPorts = [ 80 ]; + }; + service = { ... }: { + services.ghostunnel.enable = true; + services.ghostunnel.servers."plain-old" = { + listen = "0.0.0.0:443"; + cert = "/root/service-cert.pem"; + key = "/root/service-key.pem"; + disableAuthentication = true; + target = "backend:80"; + unsafeTarget = true; + }; + services.ghostunnel.servers."client-cert" = { + listen = "0.0.0.0:1443"; + cert = "/root/service-cert.pem"; + key = "/root/service-key.pem"; + cacert = "/root/ca.pem"; + target = "backend:80"; + allowCN = ["client"]; + unsafeTarget = true; + }; + networking.firewall.allowedTCPPorts = [ 443 1443 ]; + }; + client = { pkgs, ... }: { + environment.systemPackages = [ + pkgs.curl + ]; + }; + }; + + testScript = '' + + # prepare certificates + + def cmd(command): + print(f"+{command}") + r = os.system(command) + if r != 0: + raise Exception(f"Command {command} failed with exit code {r}") + + # Create CA + cmd("${pkgs.openssl}/bin/openssl genrsa -out ca-key.pem 4096") + cmd("${pkgs.openssl}/bin/openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca.pem") + + # Create service + cmd("${pkgs.openssl}/bin/openssl genrsa -out service-key.pem 4096") + cmd("${pkgs.openssl}/bin/openssl req -subj '/CN=service' -sha256 -new -key service-key.pem -out service.csr") + cmd("echo subjectAltName = DNS:service,IP:127.0.0.1 >> extfile.cnf") + cmd("echo extendedKeyUsage = serverAuth >> extfile.cnf") + cmd("${pkgs.openssl}/bin/openssl x509 -req -days 365 -sha256 -in service.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out service-cert.pem -extfile extfile.cnf") + + # Create client + cmd("${pkgs.openssl}/bin/openssl genrsa -out client-key.pem 4096") + cmd("${pkgs.openssl}/bin/openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr") + cmd("echo extendedKeyUsage = clientAuth > extfile-client.cnf") + cmd("${pkgs.openssl}/bin/openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf") + + cmd("ls -al") + + start_all() + + # Configuration + service.copy_from_host("ca.pem", "/root/ca.pem") + service.copy_from_host("service-cert.pem", "/root/service-cert.pem") + service.copy_from_host("service-key.pem", "/root/service-key.pem") + client.copy_from_host("ca.pem", "/root/ca.pem") + client.copy_from_host("service-cert.pem", "/root/service-cert.pem") + client.copy_from_host("client-cert.pem", "/root/client-cert.pem") + client.copy_from_host("client-key.pem", "/root/client-key.pem") + + backend.wait_for_unit("nginx.service") + service.wait_for_unit("multi-user.target") + service.wait_for_unit("multi-user.target") + client.wait_for_unit("multi-user.target") + + # Check assumptions before the real test + client.succeed("bash -c 'diff <(curl -v --no-progress-meter http://backend/hi.txt) <(echo hi)'") + + # Plain old simple TLS can connect, ignoring cert + client.succeed("bash -c 'diff <(curl -v --no-progress-meter --insecure https://service/hi.txt) <(echo hi)'") + + # Plain old simple TLS provides correct signature with its cert + client.succeed("bash -c 'diff <(curl -v --no-progress-meter --cacert /root/ca.pem https://service/hi.txt) <(echo hi)'") + + # Client can authenticate with certificate + client.succeed("bash -c 'diff <(curl -v --no-progress-meter --cert /root/client-cert.pem --key /root/client-key.pem --cacert /root/ca.pem https://service:1443/hi.txt) <(echo hi)'") + + # Client must authenticate with certificate + client.fail("bash -c 'diff <(curl -v --no-progress-meter --cacert /root/ca.pem https://service:1443/hi.txt) <(echo hi)'") + ''; + + meta.maintainers = with pkgs.lib.maintainers; [ + roberth + ]; +} diff --git a/nixos/tests/gitdaemon.nix b/nixos/tests/gitdaemon.nix index d0156fb9a49fb..bb07b6e97b7fb 100644 --- a/nixos/tests/gitdaemon.nix +++ b/nixos/tests/gitdaemon.nix @@ -18,6 +18,11 @@ in { environment.systemPackages = [ pkgs.git ]; + systemd.tmpfiles.rules = [ + # type path mode user group age arg + " d /git 0755 root root - -" + ]; + services.gitDaemon = { enable = true; basePath = "/git"; @@ -35,7 +40,6 @@ in { with subtest("create project.git"): server.succeed( - "mkdir /git", "git init --bare /git/project.git", "touch /git/project.git/git-daemon-export-ok", ) diff --git a/nixos/tests/gitea.nix b/nixos/tests/gitea.nix index 1fb27593f0569..037fc7b31bfa7 100644 --- a/nixos/tests/gitea.nix +++ b/nixos/tests/gitea.nix @@ -61,7 +61,7 @@ let + "Please contact your site administrator.'" ) server.succeed( - "su -l gitea -c 'GITEA_WORK_DIR=/var/lib/gitea gitea admin create-user " + "su -l gitea -c 'GITEA_WORK_DIR=/var/lib/gitea gitea admin user create " + "--username test --password totallysafe --email test@localhost'" ) diff --git a/nixos/tests/gitlab.nix b/nixos/tests/gitlab.nix index 582f5faf9bc0f..af2ab12bf4bd4 100644 --- a/nixos/tests/gitlab.nix +++ b/nixos/tests/gitlab.nix @@ -57,9 +57,9 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : with lib; { }; }; secrets = { - secretFile = pkgs.writeText "secret" "r8X9keSKynU7p4aKlh4GO1Bo77g5a7vj"; - otpFile = pkgs.writeText "otpsecret" "Zu5hGx3YvQx40DvI8WoZJQpX2paSDOlG"; - dbFile = pkgs.writeText "dbsecret" "lsGltKWTejOf6JxCVa7nLDenzkO9wPLR"; + secretFile = pkgs.writeText "secret" "Aig5zaic"; + otpFile = pkgs.writeText "otpsecret" "Riew9mue"; + dbFile = pkgs.writeText "dbsecret" "we2quaeZ"; jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out"; }; }; diff --git a/nixos/tests/gnome3-xorg.nix b/nixos/tests/gnome-xorg.nix index 0d05c12384f32..55f9c90c20a08 100644 --- a/nixos/tests/gnome3-xorg.nix +++ b/nixos/tests/gnome-xorg.nix @@ -1,5 +1,5 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { - name = "gnome3-xorg"; + name = "gnome-xorg"; meta = with lib; { maintainers = teams.gnome.members; }; @@ -21,8 +21,8 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { }; }; - services.xserver.desktopManager.gnome3.enable = true; - services.xserver.desktopManager.gnome3.debug = true; + services.xserver.desktopManager.gnome.enable = true; + services.xserver.desktopManager.gnome.debug = true; services.xserver.displayManager.defaultSession = "gnome-xorg"; virtualisation.memorySize = 1024; diff --git a/nixos/tests/gnome3.nix b/nixos/tests/gnome.nix index 7e301be49d109..e8d18a41bd064 100644 --- a/nixos/tests/gnome3.nix +++ b/nixos/tests/gnome.nix @@ -1,5 +1,5 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { - name = "gnome3"; + name = "gnome"; meta = with lib; { maintainers = teams.gnome.members; }; @@ -20,13 +20,13 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { }; }; - services.xserver.desktopManager.gnome3.enable = true; - services.xserver.desktopManager.gnome3.debug = true; + services.xserver.desktopManager.gnome.enable = true; + services.xserver.desktopManager.gnome.debug = true; environment.systemPackages = [ (pkgs.makeAutostartItem { name = "org.gnome.Terminal"; - package = pkgs.gnome3.gnome-terminal; + package = pkgs.gnome.gnome-terminal; }) ]; diff --git a/nixos/tests/hibernate.nix b/nixos/tests/hibernate.nix index 8251c6e7ef85e..ae506c8542fe0 100644 --- a/nixos/tests/hibernate.nix +++ b/nixos/tests/hibernate.nix @@ -1,44 +1,120 @@ # Test whether hibernation from partition works. -import ./make-test-python.nix (pkgs: { - name = "hibernate"; +{ system ? builtins.currentSystem +, config ? {} +, pkgs ? import ../.. { inherit system config; } +}: - nodes = { - machine = { config, lib, pkgs, ... }: with lib; { - virtualisation.emptyDiskImages = [ config.virtualisation.memorySize ]; +with import ../lib/testing-python.nix { inherit system pkgs; }; - systemd.services.backdoor.conflicts = [ "sleep.target" ]; +let + # System configuration of the installed system, which is used for the actual + # hibernate testing. + installedConfig = with pkgs.lib; { + imports = [ + ../modules/testing/test-instrumentation.nix + ../modules/profiles/qemu-guest.nix + ../modules/profiles/minimal.nix + ]; - swapDevices = mkOverride 0 [ { device = "/dev/vdb"; } ]; + hardware.enableAllFirmware = mkForce false; + documentation.nixos.enable = false; + boot.loader.grub.device = "/dev/vda"; - networking.firewall.allowedTCPPorts = [ 4444 ]; + systemd.services.backdoor.conflicts = [ "sleep.target" ]; - systemd.services.listener.serviceConfig.ExecStart = "${pkgs.netcat}/bin/nc -l 4444 -k"; + powerManagement.resumeCommands = "systemctl --no-block restart backdoor.service"; + + fileSystems = { + "/".device = "/dev/vda2"; }; + swapDevices = mkOverride 0 [ { device = "/dev/vda1"; } ]; + }; + installedSystem = (import ../lib/eval-config.nix { + inherit system; + modules = [ installedConfig ]; + }).config.system.build.toplevel; +in makeTest { + name = "hibernate"; + + nodes = { + # System configuration used for installing the installedConfig from above. + machine = { config, lib, pkgs, ... }: with lib; { + imports = [ + ../modules/profiles/installation-device.nix + ../modules/profiles/base.nix + ]; - probe = { pkgs, ...}: { - environment.systemPackages = [ pkgs.netcat ]; + nix.binaryCaches = mkForce [ ]; + nix.extraOptions = '' + hashed-mirrors = + connect-timeout = 1 + ''; + + virtualisation.diskSize = 8 * 1024; + virtualisation.emptyDiskImages = [ + # Small root disk for installer + 512 + ]; + virtualisation.bootDevice = "/dev/vdb"; }; }; # 9P doesn't support reconnection to virtio transport after a hibernation. # Therefore, machine just hangs on any Nix store access. - # To work around it we run a daemon which listens to a TCP connection and - # try to connect to it as a test. + # To avoid this, we install NixOS onto a temporary disk with everything we need + # included into the store. testScript = '' + def create_named_machine(name): + return create_machine( + { + "qemuFlags": "-cpu max ${ + if system == "x86_64-linux" then "-m 1024" + else "-m 768 -enable-kvm -machine virt,gic-version=host"}", + "hdaInterface": "virtio", + "hda": "vm-state-machine/machine.qcow2", + "name": name, + } + ) + + + # Install NixOS machine.start() - machine.wait_for_unit("multi-user.target") - machine.succeed("mkswap /dev/vdb") - machine.succeed("swapon -a") - machine.start_job("listener") - machine.wait_for_open_port(4444) - machine.succeed("systemctl hibernate &") - machine.wait_for_shutdown() - probe.wait_for_unit("multi-user.target") - machine.start() - probe.wait_until_succeeds("echo test | nc machine 4444 -N") + machine.succeed( + # Partition /dev/vda + "flock /dev/vda parted --script /dev/vda -- mklabel msdos" + + " mkpart primary linux-swap 1M 1024M" + + " mkpart primary ext2 1024M -1s", + "udevadm settle", + "mkfs.ext3 -L nixos /dev/vda2", + "mount LABEL=nixos /mnt", + "mkswap /dev/vda1 -L swap", + # Install onto /mnt + "nix-store --load-db < ${pkgs.closureInfo {rootPaths = [installedSystem];}}/registration", + "nixos-install --root /mnt --system ${installedSystem} --no-root-passwd", + ) + machine.shutdown() + + # Start up + hibernate = create_named_machine("hibernate") + + # Drop in file that checks if we un-hibernated properly (and not booted fresh) + hibernate.succeed( + "mkdir /run/test", + "mount -t ramfs -o size=1m ramfs /run/test", + "echo not persisted to disk > /run/test/suspended", + ) + + # Hibernate machine + hibernate.succeed("systemctl hibernate &") + hibernate.wait_for_shutdown() + + # Restore machine from hibernation, validate our ramfs file is there. + resume = create_named_machine("resume") + resume.start() + resume.succeed("grep 'not persisted to disk' /run/test/suspended") ''; -}) +} diff --git a/nixos/tests/home-assistant.nix b/nixos/tests/home-assistant.nix index 3b7295324a186..c75dd248ecb32 100644 --- a/nixos/tests/home-assistant.nix +++ b/nixos/tests/home-assistant.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: let configDir = "/var/lib/foobar"; @@ -6,9 +6,7 @@ let mqttPassword = "secret"; in { name = "home-assistant"; - meta = with pkgs.lib; { - maintainers = with maintainers; [ dotlambda ]; - }; + meta.maintainers = lib.teams.home-assistant.members; nodes.hass = { pkgs, ... }: { environment.systemPackages = with pkgs; [ mosquitto ]; @@ -47,6 +45,10 @@ in { payload_on = "let_there_be_light"; payload_off = "off"; }]; + emulated_hue = { + host_ip = "127.0.0.1"; + listen_port = 80; + }; logger = { default = "info"; logs."homeassistant.components.mqtt" = "debug"; @@ -82,6 +84,9 @@ in { hass.succeed( "mosquitto_pub -V mqttv5 -t home-assistant/test -u ${mqttUsername} -P '${mqttPassword}' -m let_there_be_light" ) + with subtest("Check that capabilities are passed for emulated_hue to bind to port 80"): + hass.wait_for_open_port(80) + hass.succeed("curl --fail http://localhost:80/description.xml") with subtest("Print log to ease debugging"): output_log = hass.succeed("cat ${configDir}/home-assistant.log") print("\n### home-assistant.log ###\n") @@ -93,5 +98,8 @@ in { # example line: 2020-06-20 10:01:32 DEBUG (MainThread) [homeassistant.components.mqtt] Received message on home-assistant/test: b'let_there_be_light' with subtest("Check we received the mosquitto message"): assert "let_there_be_light" in output_log + + with subtest("Check systemd unit hardening"): + hass.log(hass.succeed("systemd-analyze security home-assistant.service")) ''; }) diff --git a/nixos/tests/installed-tests/default.nix b/nixos/tests/installed-tests/default.nix index e5d7009bb7b9a..6c2846a1636bd 100644 --- a/nixos/tests/installed-tests/default.nix +++ b/nixos/tests/installed-tests/default.nix @@ -97,6 +97,7 @@ in gsconnect = callInstalledTest ./gsconnect.nix {}; ibus = callInstalledTest ./ibus.nix {}; libgdata = callInstalledTest ./libgdata.nix {}; + librsvg = callInstalledTest ./librsvg.nix {}; glib-testing = callInstalledTest ./glib-testing.nix {}; libjcat = callInstalledTest ./libjcat.nix {}; libxmlb = callInstalledTest ./libxmlb.nix {}; diff --git a/nixos/tests/installed-tests/gnome-photos.nix b/nixos/tests/installed-tests/gnome-photos.nix index 05e7ccb65ad52..bcb6479ee89c6 100644 --- a/nixos/tests/installed-tests/gnome-photos.nix +++ b/nixos/tests/installed-tests/gnome-photos.nix @@ -7,7 +7,7 @@ makeInstalledTest { testConfig = { programs.dconf.enable = true; - services.gnome3.at-spi2-core.enable = true; # needed for dogtail + services.gnome.at-spi2-core.enable = true; # needed for dogtail environment.systemPackages = with pkgs; [ # gsettings tool with access to gsettings-desktop-schemas (stdenv.mkDerivation { diff --git a/nixos/tests/installed-tests/libgdata.nix b/nixos/tests/installed-tests/libgdata.nix index f11a7bc1bc511..b0d39c042be4e 100644 --- a/nixos/tests/installed-tests/libgdata.nix +++ b/nixos/tests/installed-tests/libgdata.nix @@ -6,6 +6,6 @@ makeInstalledTest { testConfig = { # # GLib-GIO-DEBUG: _g_io_module_get_default: Found default implementation dummy (GDummyTlsBackend) for ‘gio-tls-backend’ # Bail out! libgdata:ERROR:../gdata/tests/common.c:134:gdata_test_init: assertion failed (child_error == NULL): TLS support is not available (g-tls-error-quark, 0) - services.gnome3.glib-networking.enable = true; + services.gnome.glib-networking.enable = true; }; } diff --git a/nixos/tests/installed-tests/librsvg.nix b/nixos/tests/installed-tests/librsvg.nix new file mode 100644 index 0000000000000..378e7cce3ff4c --- /dev/null +++ b/nixos/tests/installed-tests/librsvg.nix @@ -0,0 +1,9 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.librsvg; + + testConfig = { + virtualisation.memorySize = 2047; + }; +} diff --git a/nixos/tests/installed-tests/pipewire.nix b/nixos/tests/installed-tests/pipewire.nix index f4154b5d2fd7d..b04265658fcf4 100644 --- a/nixos/tests/installed-tests/pipewire.nix +++ b/nixos/tests/installed-tests/pipewire.nix @@ -2,4 +2,14 @@ makeInstalledTest { tested = pkgs.pipewire; + testConfig = { + hardware.pulseaudio.enable = false; + services.pipewire = { + enable = true; + pulse.enable = true; + jack.enable = true; + alsa.enable = true; + alsa.support32Bit = true; + }; + }; } diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index 904ec17229e1c..48f0f59342557 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -75,7 +75,7 @@ let else '' def assemble_qemu_flags(): flags = "-cpu max" - ${if system == "x86_64-linux" + ${if (system == "x86_64-linux" || system == "i686-linux") then ''flags += " -m 1024"'' else ''flags += " -m 768 -enable-kvm -machine virt,gic-version=host"'' } @@ -294,7 +294,7 @@ let # the same during and after installation. virtualisation.emptyDiskImages = [ 512 ]; virtualisation.bootDevice = - if grubVersion == 1 then "/dev/sdb" else "/dev/vdb"; + if grubVersion == 1 then "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive2" else "/dev/vdb"; virtualisation.qemu.diskInterface = if grubVersion == 1 then "scsi" else "virtio"; @@ -695,22 +695,23 @@ in { }; # Test a basic install using GRUB 1. - grub1 = makeInstallerTest "grub1" { + grub1 = makeInstallerTest "grub1" rec { createPartitions = '' machine.succeed( - "flock /dev/sda parted --script /dev/sda -- mklabel msdos" + "flock ${grubDevice} parted --script ${grubDevice} -- mklabel msdos" + " mkpart primary linux-swap 1M 1024M" + " mkpart primary ext2 1024M -1s", "udevadm settle", - "mkswap /dev/sda1 -L swap", + "mkswap ${grubDevice}-part1 -L swap", "swapon -L swap", - "mkfs.ext3 -L nixos /dev/sda2", + "mkfs.ext3 -L nixos ${grubDevice}-part2", "mount LABEL=nixos /mnt", "mkdir -p /mnt/tmp", ) ''; grubVersion = 1; - grubDevice = "/dev/sda"; + # /dev/sda is not stable, even when the SCSI disk number is. + grubDevice = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive1"; }; # Test using labels to identify volumes in grub diff --git a/nixos/tests/ipv6.nix b/nixos/tests/ipv6.nix index f9d6d82b54acf..75faa6f602010 100644 --- a/nixos/tests/ipv6.nix +++ b/nixos/tests/ipv6.nix @@ -8,12 +8,34 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { }; nodes = - # Remove the interface configuration provided by makeTest so that the - # interfaces are all configured implicitly - { client = { ... }: { networking.interfaces = lib.mkForce {}; }; + { + # We use lib.mkForce here to remove the interface configuration + # provided by makeTest, so that the interfaces are all configured + # implicitly. + + # This client should use privacy extensions fully, having a + # completely-default network configuration. + client_defaults.networking.interfaces = lib.mkForce {}; + + # Both of these clients should obtain temporary addresses, but + # not use them as the default source IP. We thus run the same + # checks against them — but the configuration resulting in this + # behaviour is different. + + # Here, by using an altered default value for the global setting... + client_global_setting = { + networking.interfaces = lib.mkForce {}; + networking.tempAddresses = "enabled"; + }; + # and here, by setting this on the interface explicitly. + client_interface_setting = { + networking.tempAddresses = "disabled"; + networking.interfaces = lib.mkForce { + eth1.tempAddress = "enabled"; + }; + }; server = - { ... }: { services.httpd.enable = true; services.httpd.adminAddr = "foo@example.org"; networking.firewall.allowedTCPPorts = [ 80 ]; @@ -40,9 +62,12 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { # Start the router first so that it respond to router solicitations. router.wait_for_unit("radvd") + clients = [client_defaults, client_global_setting, client_interface_setting] + start_all() - client.wait_for_unit("network.target") + for client in clients: + client.wait_for_unit("network.target") server.wait_for_unit("network.target") server.wait_for_unit("httpd.service") @@ -64,28 +89,42 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { with subtest("Loopback address can be pinged"): - client.succeed("ping -c 1 ::1 >&2") - client.fail("ping -c 1 ::2 >&2") + client_defaults.succeed("ping -c 1 ::1 >&2") + client_defaults.fail("ping -c 1 2001:db8:: >&2") with subtest("Local link addresses can be obtained and pinged"): - client_ip = wait_for_address(client, "eth1", "link") - server_ip = wait_for_address(server, "eth1", "link") - client.succeed(f"ping -c 1 {client_ip}%eth1 >&2") - client.succeed(f"ping -c 1 {server_ip}%eth1 >&2") + for client in clients: + client_ip = wait_for_address(client, "eth1", "link") + server_ip = wait_for_address(server, "eth1", "link") + client.succeed(f"ping -c 1 {client_ip}%eth1 >&2") + client.succeed(f"ping -c 1 {server_ip}%eth1 >&2") with subtest("Global addresses can be obtained, pinged, and reached via http"): - client_ip = wait_for_address(client, "eth1", "global") - server_ip = wait_for_address(server, "eth1", "global") - client.succeed(f"ping -c 1 {client_ip} >&2") - client.succeed(f"ping -c 1 {server_ip} >&2") - client.succeed(f"curl --fail -g http://[{server_ip}]") - client.fail(f"curl --fail -g http://[{client_ip}]") - - with subtest("Privacy extensions: Global temporary address can be obtained and pinged"): - ip = wait_for_address(client, "eth1", "global", temporary=True) + for client in clients: + client_ip = wait_for_address(client, "eth1", "global") + server_ip = wait_for_address(server, "eth1", "global") + client.succeed(f"ping -c 1 {client_ip} >&2") + client.succeed(f"ping -c 1 {server_ip} >&2") + client.succeed(f"curl --fail -g http://[{server_ip}]") + client.fail(f"curl --fail -g http://[{client_ip}]") + + with subtest( + "Privacy extensions: Global temporary address is used as default source address" + ): + ip = wait_for_address(client_defaults, "eth1", "global", temporary=True) # Default route should have "src <temporary address>" in it - client.succeed(f"ip r g ::2 | grep {ip}") - - # TODO: test reachability of a machine on another network. + client_defaults.succeed(f"ip route get 2001:db8:: | grep 'src {ip}'") + + for client, setting_desc in ( + (client_global_setting, "global"), + (client_interface_setting, "interface"), + ): + with subtest(f'Privacy extensions: "enabled" through {setting_desc} setting)'): + # We should be obtaining both a temporary address and an EUI-64 address... + ip = wait_for_address(client, "eth1", "global") + assert "ff:fe" in ip + ip_temp = wait_for_address(client, "eth1", "global", temporary=True) + # But using the EUI-64 one. + client.succeed(f"ip route get 2001:db8:: | grep 'src {ip}'") ''; }) diff --git a/nixos/tests/iscsi-root.nix b/nixos/tests/iscsi-root.nix new file mode 100644 index 0000000000000..bda51d2c2e42f --- /dev/null +++ b/nixos/tests/iscsi-root.nix @@ -0,0 +1,161 @@ +import ./make-test-python.nix ( + { pkgs, lib, ... }: + let + initiatorName = "iqn.2020-08.org.linux-iscsi.initiatorhost:example"; + targetName = "iqn.2003-01.org.linux-iscsi.target.x8664:sn.acf8fd9c23af"; + in + { + name = "iscsi"; + meta = { + maintainers = pkgs.lib.teams.deshaw.members + ++ (with pkgs.lib.maintainers; [ ajs124 ]); + }; + + nodes = { + target = { config, pkgs, lib, ... }: { + services.target = { + enable = true; + config = { + fabric_modules = []; + storage_objects = [ + { + dev = "/dev/vdb"; + name = "test"; + plugin = "block"; + write_back = true; + wwn = "92b17c3f-6b40-4168-b082-ceeb7b495522"; + } + ]; + targets = [ + { + fabric = "iscsi"; + tpgs = [ + { + enable = true; + attributes = { + authentication = 0; + generate_node_acls = 1; + }; + luns = [ + { + alias = "94dfe06967"; + alua_tg_pt_gp_name = "default_tg_pt_gp"; + index = 0; + storage_object = "/backstores/block/test"; + } + ]; + node_acls = [ + { + mapped_luns = [ + { + alias = "d42f5bdf8a"; + index = 0; + tpg_lun = 0; + write_protect = false; + } + ]; + node_wwn = initiatorName; + } + ]; + portals = [ + { + ip_address = "0.0.0.0"; + iser = false; + offload = false; + port = 3260; + } + ]; + tag = 1; + } + ]; + wwn = targetName; + } + ]; + }; + }; + + networking.firewall.allowedTCPPorts = [ 3260 ]; + networking.firewall.allowedUDPPorts = [ 3260 ]; + + virtualisation.memorySize = 2048; + virtualisation.emptyDiskImages = [ 2048 ]; + }; + + initiatorAuto = { nodes, config, pkgs, ... }: { + services.openiscsi = { + enable = true; + enableAutoLoginOut = true; + discoverPortal = "target"; + name = initiatorName; + }; + + environment.systemPackages = with pkgs; [ + xfsprogs + ]; + + system.extraDependencies = [ nodes.initiatorRootDisk.config.system.build.toplevel ]; + + nix.binaryCaches = lib.mkForce []; + nix.extraOptions = '' + hashed-mirrors = + connect-timeout = 1 + ''; + }; + + initiatorRootDisk = { config, pkgs, modulesPath, lib, ... }: { + boot.loader.grub.enable = false; + boot.kernelParams = lib.mkOverride 5 ( + [ + "boot.shell_on_fail" + "console=tty1" + "ip=${config.networking.primaryIPAddress}:::255.255.255.0::ens9:none" + ] + ); + + # defaults to true, puts some code in the initrd that tries to mount an overlayfs on /nix/store + virtualisation.writableStore = false; + + fileSystems = lib.mkOverride 5 { + "/" = { + fsType = "xfs"; + device = "/dev/sda"; + options = [ "_netdev" ]; + }; + }; + + boot.iscsi-initiator = { + discoverPortal = "target"; + name = initiatorName; + target = targetName; + }; + }; + }; + + testScript = { nodes, ... }: '' + target.start() + target.wait_for_unit("iscsi-target.service") + + initiatorAuto.start() + + initiatorAuto.wait_for_unit("iscsid.service") + initiatorAuto.wait_for_unit("iscsi.service") + initiatorAuto.get_unit_info("iscsi") + + initiatorAuto.succeed("set -x; while ! test -e /dev/sda; do sleep 1; done") + + initiatorAuto.succeed("mkfs.xfs /dev/sda") + initiatorAuto.succeed("mkdir /mnt && mount /dev/sda /mnt") + initiatorAuto.succeed( + "nixos-install --no-bootloader --no-root-passwd --system ${nodes.initiatorRootDisk.config.system.build.toplevel}" + ) + initiatorAuto.succeed("umount /mnt && rmdir /mnt") + initiatorAuto.shutdown() + + initiatorRootDisk.start() + initiatorRootDisk.wait_for_unit("multi-user.target") + initiatorRootDisk.wait_for_unit("iscsid") + initiatorRootDisk.succeed("touch test") + initiatorRootDisk.shutdown() + ''; + } +) diff --git a/nixos/tests/jellyfin.nix b/nixos/tests/jellyfin.nix index 65360624d4875..cae31a7192582 100644 --- a/nixos/tests/jellyfin.nix +++ b/nixos/tests/jellyfin.nix @@ -1,16 +1,155 @@ -import ./make-test-python.nix ({ lib, ...}: - -{ - name = "jellyfin"; - meta.maintainers = with lib.maintainers; [ minijackson ]; - - machine = - { ... }: - { services.jellyfin.enable = true; }; - - testScript = '' - machine.wait_for_unit("jellyfin.service") - machine.wait_for_open_port(8096) - machine.succeed("curl --fail http://localhost:8096/") - ''; -}) +import ./make-test-python.nix ({ lib, pkgs, ... }: + + { + name = "jellyfin"; + meta.maintainers = with lib.maintainers; [ minijackson ]; + + machine = + { ... }: + { + services.jellyfin.enable = true; + environment.systemPackages = with pkgs; [ ffmpeg ]; + }; + + # Documentation of the Jellyfin API: https://api.jellyfin.org/ + # Beware, this link can be resource intensive + testScript = + let + payloads = { + auth = pkgs.writeText "auth.json" (builtins.toJSON { + Username = "jellyfin"; + }); + empty = pkgs.writeText "empty.json" (builtins.toJSON { }); + }; + in + '' + import json + from urllib.parse import urlencode + + machine.wait_for_unit("jellyfin.service") + machine.wait_for_open_port(8096) + machine.succeed("curl --fail http://localhost:8096/") + + machine.wait_until_succeeds("curl --fail http://localhost:8096/health | grep Healthy") + + auth_header = 'MediaBrowser Client="NixOS Integration Tests", DeviceId="1337", Device="Apple II", Version="20.09"' + + + def api_get(path): + return f"curl --fail 'http://localhost:8096{path}' -H 'X-Emby-Authorization:{auth_header}'" + + + def api_post(path, json_file=None): + if json_file: + return f"curl --fail -X post 'http://localhost:8096{path}' -d '@{json_file}' -H Content-Type:application/json -H 'X-Emby-Authorization:{auth_header}'" + else: + return f"curl --fail -X post 'http://localhost:8096{path}' -H 'X-Emby-Authorization:{auth_header}'" + + + with machine.nested("Wizard completes"): + machine.wait_until_succeeds(api_get("/Startup/Configuration")) + machine.succeed(api_get("/Startup/FirstUser")) + machine.succeed(api_post("/Startup/Complete")) + + with machine.nested("Can login"): + auth_result = machine.succeed( + api_post( + "/Users/AuthenticateByName", + "${payloads.auth}", + ) + ) + auth_result = json.loads(auth_result) + auth_token = auth_result["AccessToken"] + auth_header += f", Token={auth_token}" + + sessions_result = machine.succeed(api_get("/Sessions")) + sessions_result = json.loads(sessions_result) + + this_session = [ + session for session in sessions_result if session["DeviceId"] == "1337" + ] + if len(this_session) != 1: + raise Exception("Session not created") + + me = machine.succeed(api_get("/Users/Me")) + me = json.loads(me)["Id"] + + with machine.nested("Can add library"): + tempdir = machine.succeed("mktemp -d -p /var/lib/jellyfin").strip() + machine.succeed(f"chmod 755 '{tempdir}'") + + # Generate a dummy video that we can test later + videofile = f"{tempdir}/Big Buck Bunny (2008) [1080p].mkv" + machine.succeed(f"ffmpeg -f lavfi -i testsrc2=duration=5 '{videofile}'") + + add_folder_query = urlencode( + { + "name": "My Library", + "collectionType": "Movies", + "paths": tempdir, + "refreshLibrary": "true", + } + ) + + machine.succeed( + api_post( + f"/Library/VirtualFolders?{add_folder_query}", + "${payloads.empty}", + ) + ) + + + def is_refreshed(_): + folders = machine.succeed(api_get("/Library/VirtualFolders")) + folders = json.loads(folders) + print(folders) + return all(folder["RefreshStatus"] == "Idle" for folder in folders) + + + retry(is_refreshed) + + with machine.nested("Can identify videos"): + items = [] + + # For some reason, having the folder refreshed doesn't mean the + # movie was scanned + def has_movie(_): + global items + + items = machine.succeed( + api_get(f"/Users/{me}/Items?IncludeItemTypes=Movie&Recursive=true") + ) + items = json.loads(items)["Items"] + + return len(items) == 1 + + retry(has_movie) + + video = items[0]["Id"] + + item_info = machine.succeed(api_get(f"/Users/{me}/Items/{video}")) + item_info = json.loads(item_info) + + if item_info["Name"] != "Big Buck Bunny": + raise Exception("Jellyfin failed to properly identify file") + + with machine.nested("Can read videos"): + media_source_id = item_info["MediaSources"][0]["Id"] + + machine.succeed( + "ffmpeg" + + f" -headers 'X-Emby-Authorization:{auth_header}'" + + f" -i http://localhost:8096/Videos/{video}/master.m3u8?mediaSourceId={media_source_id}" + + " /tmp/test.mkv" + ) + + duration = machine.succeed( + "ffprobe /tmp/test.mkv" + + " -show_entries format=duration" + + " -of compact=print_section=0:nokey=1" + ) + + if duration.strip() != "5.000000": + raise Exception("Downloaded video has wrong duration") + ''; + }) diff --git a/nixos/tests/kernel-generic.nix b/nixos/tests/kernel-generic.nix index fbead1dc23b76..a300609cf2bfc 100644 --- a/nixos/tests/kernel-generic.nix +++ b/nixos/tests/kernel-generic.nix @@ -1,7 +1,7 @@ { system ? builtins.currentSystem , config ? { } , pkgs ? import ../.. { inherit system config; } -}: +}@args: with pkgs.lib; @@ -22,7 +22,7 @@ let assert "Linux" in machine.succeed("uname -s") assert "${linuxPackages.kernel.modDirVersion}" in machine.succeed("uname -a") ''; - })); + }) args); in with pkgs; { linux_4_4 = makeKernelTest "4.4" linuxPackages_4_4; @@ -32,6 +32,7 @@ with pkgs; { linux_5_4 = makeKernelTest "5.4" linuxPackages_5_4; linux_5_10 = makeKernelTest "5.10" linuxPackages_5_10; linux_5_11 = makeKernelTest "5.11" linuxPackages_5_11; + linux_5_12 = makeKernelTest "5.12" linuxPackages_5_12; linux_testing = makeKernelTest "testing" linuxPackages_testing; } diff --git a/nixos/tests/keycloak.nix b/nixos/tests/keycloak.nix index 45d8677af5675..fc321b8902f1d 100644 --- a/nixos/tests/keycloak.nix +++ b/nixos/tests/keycloak.nix @@ -3,7 +3,8 @@ # client using their Keycloak login. let - frontendUrl = "http://keycloak/auth"; + certs = import ./common/acme/server/snakeoil-certs.nix; + frontendUrl = "https://${certs.domain}/auth"; initialAdminPassword = "h4IhoJFnt2iQIR9"; keycloakTest = import ./make-test-python.nix ( @@ -17,11 +18,27 @@ let nodes = { keycloak = { ... }: { virtualisation.memorySize = 1024; + + security.pki.certificateFiles = [ + certs.ca.cert + ]; + + networking.extraHosts = '' + 127.0.0.1 ${certs.domain} + ''; + services.keycloak = { enable = true; - inherit frontendUrl databaseType initialAdminPassword; - databasePasswordFile = pkgs.writeText "dbPassword" "wzf6vOCbPp6cqTH"; + inherit frontendUrl initialAdminPassword; + sslCertificate = certs.${certs.domain}.cert; + sslCertificateKey = certs.${certs.domain}.key; + database = { + type = databaseType; + username = "bogus"; + passwordFile = pkgs.writeText "dbPassword" "wzf6vOCbPp6cqTH"; + }; }; + environment.systemPackages = with pkgs; [ xmlstarlet libtidy diff --git a/nixos/tests/keymap.nix b/nixos/tests/keymap.nix index 09d5d2a6c9e14..a18a05f90c6d3 100644 --- a/nixos/tests/keymap.nix +++ b/nixos/tests/keymap.nix @@ -107,17 +107,32 @@ in pkgs.lib.mapAttrs mkKeyboardTest { altgr.expect = [ "~" "#" "{" "[" "|" ]; }; - extraConfig.console.keyMap = "azerty/fr"; + extraConfig.console.keyMap = "fr"; extraConfig.services.xserver.layout = "fr"; }; + bone = { + tests = { + layer1.qwerty = [ "f" "j" ]; + layer1.expect = [ "e" "n" ]; + layer2.qwerty = [ "shift-f" "shift-j" "shift-6" ]; + layer2.expect = [ "E" "N" "$" ]; + layer3.qwerty = [ "caps_lock-d" "caps_lock-f" ]; + layer3.expect = [ "{" "}" ]; + }; + + extraConfig.console.keyMap = "bone"; + extraConfig.services.xserver.layout = "de"; + extraConfig.services.xserver.xkbVariant = "bone"; + }; + colemak = { tests = { homerow.qwerty = [ "a" "s" "d" "f" "j" "k" "l" "semicolon" ]; homerow.expect = [ "a" "r" "s" "t" "n" "e" "i" "o" ]; }; - extraConfig.console.keyMap = "colemak/colemak"; + extraConfig.console.keyMap = "colemak"; extraConfig.services.xserver.layout = "us"; extraConfig.services.xserver.xkbVariant = "colemak"; }; @@ -129,9 +144,13 @@ in pkgs.lib.mapAttrs mkKeyboardTest { symbols.qwerty = [ "q" "w" "e" "minus" "equal" ]; symbols.expect = [ "'" "," "." "[" "]" ]; }; + + extraConfig.console.keyMap = "dvorak"; + extraConfig.services.xserver.layout = "us"; + extraConfig.services.xserver.xkbVariant = "dvorak"; }; - dvp = { + dvorak-programmer = { tests = { homerow.qwerty = [ "a" "s" "d" "f" "j" "k" "l" "semicolon" ]; homerow.expect = [ "a" "o" "e" "u" "h" "t" "n" "s" ]; @@ -142,6 +161,7 @@ in pkgs.lib.mapAttrs mkKeyboardTest { symbols.expect = [ "&" "[" "{" "}" "(" "=" "*" ")" "+" "]" "!" ]; }; + extraConfig.console.keyMap = "dvorak-programmer"; extraConfig.services.xserver.layout = "us"; extraConfig.services.xserver.xkbVariant = "dvp"; }; @@ -156,6 +176,7 @@ in pkgs.lib.mapAttrs mkKeyboardTest { layer3.expect = [ "{" "}" ]; }; + extraConfig.console.keyMap = "neo"; extraConfig.services.xserver.layout = "de"; extraConfig.services.xserver.xkbVariant = "neo"; }; diff --git a/nixos/tests/libreswan.nix b/nixos/tests/libreswan.nix new file mode 100644 index 0000000000000..17ae60af8eed4 --- /dev/null +++ b/nixos/tests/libreswan.nix @@ -0,0 +1,134 @@ +# This test sets up a host-to-host IPsec VPN between Alice and Bob, each on its +# own network and with Eve as the only route between each other. We check that +# Eve can eavesdrop the plaintext traffic between Alice and Bob, but once they +# enable the secure tunnel Eve's spying becomes ineffective. + +import ./make-test-python.nix ({ lib, pkgs, ... }: + +let + + # IPsec tunnel between Alice and Bob + tunnelConfig = { + services.libreswan.enable = true; + services.libreswan.connections.tunnel = + '' + leftid=@alice + left=fd::a + rightid=@bob + right=fd::b + authby=secret + auto=add + ''; + environment.etc."ipsec.d/tunnel.secrets" = + { text = ''@alice @bob : PSK "j1JbIi9WY07rxwcNQ6nbyThKCf9DGxWOyokXIQcAQUnafsNTUJxfsxwk9WYK8fHj"''; + mode = "600"; + }; + }; + + # Common network setup + baseNetwork = { + # shared hosts file + extraHosts = lib.mkVMOverride '' + fd::a alice + fd::b bob + fd::e eve + ''; + # remove all automatic addresses + useDHCP = false; + interfaces.eth1.ipv4.addresses = lib.mkVMOverride []; + interfaces.eth2.ipv4.addresses = lib.mkVMOverride []; + # open a port for testing + firewall.allowedUDPPorts = [ 1234 ]; + }; + + # Adds an address and route from a to b via Eve + addRoute = a: b: { + interfaces.eth1.ipv6.addresses = + [ { address = a; prefixLength = 64; } ]; + interfaces.eth1.ipv6.routes = + [ { address = b; prefixLength = 128; via = "fd::e"; } ]; + }; + +in + +{ + name = "libreswan"; + meta = with lib.maintainers; { + maintainers = [ rnhmjoj ]; + }; + + # Our protagonist + nodes.alice = { ... }: { + virtualisation.vlans = [ 1 ]; + networking = baseNetwork // addRoute "fd::a" "fd::b"; + } // tunnelConfig; + + # Her best friend + nodes.bob = { ... }: { + virtualisation.vlans = [ 2 ]; + networking = baseNetwork // addRoute "fd::b" "fd::a"; + } // tunnelConfig; + + # The malicious network operator + nodes.eve = { ... }: { + virtualisation.vlans = [ 1 2 ]; + networking = lib.mkMerge + [ baseNetwork + { interfaces.br0.ipv6.addresses = + [ { address = "fd::e"; prefixLength = 64; } ]; + bridges.br0.interfaces = [ "eth1" "eth2" ]; + } + ]; + environment.systemPackages = [ pkgs.tcpdump ]; + boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = true; + }; + + testScript = + '' + def alice_to_bob(msg: str): + """ + Sends a message as Alice to Bob + """ + bob.execute("nc -lu ::0 1234 >/tmp/msg &") + alice.sleep(1) + alice.succeed(f"echo '{msg}' | nc -uw 0 bob 1234") + bob.succeed(f"grep '{msg}' /tmp/msg") + + + def eavesdrop(): + """ + Starts eavesdropping on Alice and Bob + """ + match = "src host alice and dst host bob" + eve.execute(f"tcpdump -i br0 -c 1 -Avv {match} >/tmp/log &") + + + start_all() + + with subtest("Network is up"): + alice.wait_until_succeeds("ping -c1 bob") + + with subtest("Eve can eavesdrop cleartext traffic"): + eavesdrop() + alice_to_bob("I secretly love turnip") + eve.sleep(1) + eve.succeed("grep turnip /tmp/log") + + with subtest("Libreswan is ready"): + alice.wait_for_unit("ipsec") + bob.wait_for_unit("ipsec") + alice.succeed("ipsec verify 1>&2") + + with subtest("Alice and Bob can start the tunnel"): + alice.execute("ipsec auto --start tunnel &") + bob.succeed("ipsec auto --start tunnel") + # apparently this is needed to "wake" the tunnel + bob.execute("ping -c1 alice") + + with subtest("Eve no longer can eavesdrop"): + eavesdrop() + alice_to_bob("Just kidding, I actually like rhubarb") + eve.sleep(1) + eve.fail("grep rhubarb /tmp/log") + ''; +}) diff --git a/nixos/tests/lightdm.nix b/nixos/tests/lightdm.nix index 9611bdbdafec3..e98230ecb1794 100644 --- a/nixos/tests/lightdm.nix +++ b/nixos/tests/lightdm.nix @@ -1,7 +1,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { name = "lightdm"; meta = with pkgs.lib.maintainers; { - maintainers = [ aszlig worldofpeace ]; + maintainers = [ aszlig ]; }; machine = { ... }: { diff --git a/nixos/tests/minecraft-server.nix b/nixos/tests/minecraft-server.nix index e6e0bca972a97..dbe2cd6d56fe1 100644 --- a/nixos/tests/minecraft-server.nix +++ b/nixos/tests/minecraft-server.nix @@ -24,7 +24,7 @@ in import ./make-test-python.nix ({ pkgs, ... }: { }; }; - virtualisation.memorySize = 2048; + virtualisation.memorySize = 2047; }; testScript = '' diff --git a/nixos/tests/mosquitto.nix b/nixos/tests/mosquitto.nix index 308c1396013d6..e29bd559ed9bb 100644 --- a/nixos/tests/mosquitto.nix +++ b/nixos/tests/mosquitto.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: let port = 1888; @@ -30,6 +30,9 @@ in { ]; }; }; + + # disable private /tmp for this test + systemd.services.mosquitto.serviceConfig.PrivateTmp = lib.mkForce false; }; client1 = client; diff --git a/nixos/tests/mxisd.nix b/nixos/tests/mxisd.nix index 22755ea353b64..354612a8a53d0 100644 --- a/nixos/tests/mxisd.nix +++ b/nixos/tests/mxisd.nix @@ -6,25 +6,16 @@ import ./make-test-python.nix ({ pkgs, ... } : { }; nodes = { - server_mxisd = args : { + server = args : { services.mxisd.enable = true; services.mxisd.matrix.domain = "example.org"; }; - - server_ma1sd = args : { - services.mxisd.enable = true; - services.mxisd.matrix.domain = "example.org"; - services.mxisd.package = pkgs.ma1sd; - }; }; testScript = '' start_all() - server_mxisd.wait_for_unit("mxisd.service") - server_mxisd.wait_for_open_port(8090) - server_mxisd.succeed("curl -Ssf 'http://127.0.0.1:8090/_matrix/identity/api/v1'") - server_ma1sd.wait_for_unit("mxisd.service") - server_ma1sd.wait_for_open_port(8090) - server_ma1sd.succeed("curl -Ssf 'http://127.0.0.1:8090/_matrix/identity/api/v1'") + server.wait_for_unit("mxisd.service") + server.wait_for_open_port(8090) + server.succeed("curl -Ssf 'http://127.0.0.1:8090/_matrix/identity/api/v1'") ''; }) diff --git a/nixos/tests/mysql/mariadb-galera-mariabackup.nix b/nixos/tests/mysql/mariadb-galera-mariabackup.nix index 0a40c010a4717..1c73bc854a57b 100644 --- a/nixos/tests/mysql/mariadb-galera-mariabackup.nix +++ b/nixos/tests/mysql/mariadb-galera-mariabackup.nix @@ -31,7 +31,7 @@ in { firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ]; firewall.allowedUDPPorts = [ 4567 ]; }; - users.users.testuser = { }; + users.users.testuser = { isSystemUser = true; }; systemd.services.mysql = with pkgs; { path = [ mysqlenv-common mysqlenv-mariabackup ]; }; @@ -89,7 +89,7 @@ in { firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ]; firewall.allowedUDPPorts = [ 4567 ]; }; - users.users.testuser = { }; + users.users.testuser = { isSystemUser = true; }; systemd.services.mysql = with pkgs; { path = [ mysqlenv-common mysqlenv-mariabackup ]; }; @@ -136,7 +136,7 @@ in { firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ]; firewall.allowedUDPPorts = [ 4567 ]; }; - users.users.testuser = { }; + users.users.testuser = { isSystemUser = true; }; systemd.services.mysql = with pkgs; { path = [ mysqlenv-common mysqlenv-mariabackup ]; }; diff --git a/nixos/tests/mysql/mariadb-galera-rsync.nix b/nixos/tests/mysql/mariadb-galera-rsync.nix index 6fb3cfef8d731..709a8b5085cb0 100644 --- a/nixos/tests/mysql/mariadb-galera-rsync.nix +++ b/nixos/tests/mysql/mariadb-galera-rsync.nix @@ -31,7 +31,7 @@ in { firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ]; firewall.allowedUDPPorts = [ 4567 ]; }; - users.users.testuser = { }; + users.users.testuser = { isSystemUser = true; }; systemd.services.mysql = with pkgs; { path = [ mysqlenv-common mysqlenv-rsync ]; }; @@ -84,7 +84,7 @@ in { firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ]; firewall.allowedUDPPorts = [ 4567 ]; }; - users.users.testuser = { }; + users.users.testuser = { isSystemUser = true; }; systemd.services.mysql = with pkgs; { path = [ mysqlenv-common mysqlenv-rsync ]; }; @@ -130,7 +130,7 @@ in { firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ]; firewall.allowedUDPPorts = [ 4567 ]; }; - users.users.testuser = { }; + users.users.testuser = { isSystemUser = true; }; systemd.services.mysql = with pkgs; { path = [ mysqlenv-common mysqlenv-rsync ]; }; diff --git a/nixos/tests/mysql/mysql.nix b/nixos/tests/mysql/mysql.nix index 50ad5c68aef1d..c21136416d47d 100644 --- a/nixos/tests/mysql/mysql.nix +++ b/nixos/tests/mysql/mysql.nix @@ -9,8 +9,8 @@ import ./../make-test-python.nix ({ pkgs, ...} : { { pkgs, ... }: { - users.users.testuser = { }; - users.users.testuser2 = { }; + users.users.testuser = { isSystemUser = true; }; + users.users.testuser2 = { isSystemUser = true; }; services.mysql.enable = true; services.mysql.initialDatabases = [ { name = "testdb3"; schema = ./testdb.sql; } @@ -44,8 +44,8 @@ import ./../make-test-python.nix ({ pkgs, ...} : { # Kernel panic - not syncing: Out of memory: compulsory panic_on_oom is enabled virtualisation.memorySize = 1024; - users.users.testuser = { }; - users.users.testuser2 = { }; + users.users.testuser = { isSystemUser = true; }; + users.users.testuser2 = { isSystemUser = true; }; services.mysql.enable = true; services.mysql.initialDatabases = [ { name = "testdb3"; schema = ./testdb.sql; } @@ -75,8 +75,8 @@ import ./../make-test-python.nix ({ pkgs, ...} : { { pkgs, ... }: { - users.users.testuser = { }; - users.users.testuser2 = { }; + users.users.testuser = { isSystemUser = true; }; + users.users.testuser2 = { isSystemUser = true; }; services.mysql.enable = true; services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' ALTER USER root@localhost IDENTIFIED WITH unix_socket; diff --git a/nixos/tests/nebula.nix b/nixos/tests/nebula.nix new file mode 100644 index 0000000000000..372cfebdf801b --- /dev/null +++ b/nixos/tests/nebula.nix @@ -0,0 +1,223 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: let + + # We'll need to be able to trade cert files between nodes via scp. + inherit (import ./ssh-keys.nix pkgs) + snakeOilPrivateKey snakeOilPublicKey; + + makeNebulaNode = { config, ... }: name: extraConfig: lib.mkMerge [ + { + # Expose nebula for doing cert signing. + environment.systemPackages = [ pkgs.nebula ]; + users.users.root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; + services.openssh.enable = true; + + services.nebula.networks.smoke = { + # Note that these paths won't exist when the machine is first booted. + ca = "/etc/nebula/ca.crt"; + cert = "/etc/nebula/${name}.crt"; + key = "/etc/nebula/${name}.key"; + listen = { host = "0.0.0.0"; port = 4242; }; + }; + } + extraConfig + ]; + +in +{ + name = "nebula"; + + nodes = { + + lighthouse = { ... } @ args: + makeNebulaNode args "lighthouse" { + networking.interfaces.eth1.ipv4.addresses = [{ + address = "192.168.1.1"; + prefixLength = 24; + }]; + + services.nebula.networks.smoke = { + isLighthouse = true; + firewall = { + outbound = [ { port = "any"; proto = "any"; host = "any"; } ]; + inbound = [ { port = "any"; proto = "any"; host = "any"; } ]; + }; + }; + }; + + node2 = { ... } @ args: + makeNebulaNode args "node2" { + networking.interfaces.eth1.ipv4.addresses = [{ + address = "192.168.1.2"; + prefixLength = 24; + }]; + + services.nebula.networks.smoke = { + staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; }; + isLighthouse = false; + lighthouses = [ "10.0.100.1" ]; + firewall = { + outbound = [ { port = "any"; proto = "any"; host = "any"; } ]; + inbound = [ { port = "any"; proto = "any"; host = "any"; } ]; + }; + }; + }; + + node3 = { ... } @ args: + makeNebulaNode args "node3" { + networking.interfaces.eth1.ipv4.addresses = [{ + address = "192.168.1.3"; + prefixLength = 24; + }]; + + services.nebula.networks.smoke = { + staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; }; + isLighthouse = false; + lighthouses = [ "10.0.100.1" ]; + firewall = { + outbound = [ { port = "any"; proto = "any"; host = "any"; } ]; + inbound = [ { port = "any"; proto = "any"; host = "lighthouse"; } ]; + }; + }; + }; + + node4 = { ... } @ args: + makeNebulaNode args "node4" { + networking.interfaces.eth1.ipv4.addresses = [{ + address = "192.168.1.4"; + prefixLength = 24; + }]; + + services.nebula.networks.smoke = { + enable = true; + staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; }; + isLighthouse = false; + lighthouses = [ "10.0.100.1" ]; + firewall = { + outbound = [ { port = "any"; proto = "any"; host = "lighthouse"; } ]; + inbound = [ { port = "any"; proto = "any"; host = "any"; } ]; + }; + }; + }; + + node5 = { ... } @ args: + makeNebulaNode args "node5" { + networking.interfaces.eth1.ipv4.addresses = [{ + address = "192.168.1.5"; + prefixLength = 24; + }]; + + services.nebula.networks.smoke = { + enable = false; + staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; }; + isLighthouse = false; + lighthouses = [ "10.0.100.1" ]; + firewall = { + outbound = [ { port = "any"; proto = "any"; host = "lighthouse"; } ]; + inbound = [ { port = "any"; proto = "any"; host = "any"; } ]; + }; + }; + }; + + }; + + testScript = let + + setUpPrivateKey = name: '' + ${name}.succeed( + "mkdir -p /root/.ssh", + "chown 700 /root/.ssh", + "cat '${snakeOilPrivateKey}' > /root/.ssh/id_snakeoil", + "chown 600 /root/.ssh/id_snakeoil", + ) + ''; + + # From what I can tell, StrictHostKeyChecking=no is necessary for ssh to work between machines. + sshOpts = "-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null -oIdentityFile=/root/.ssh/id_snakeoil"; + + restartAndCheckNebula = name: ip: '' + ${name}.systemctl("restart nebula@smoke.service") + ${name}.succeed("ping -c5 ${ip}") + ''; + + # Create a keypair on the client node, then use the public key to sign a cert on the lighthouse. + signKeysFor = name: ip: '' + lighthouse.wait_for_unit("sshd.service") + ${name}.wait_for_unit("sshd.service") + ${name}.succeed( + "mkdir -p /etc/nebula", + "nebula-cert keygen -out-key /etc/nebula/${name}.key -out-pub /etc/nebula/${name}.pub", + "scp ${sshOpts} /etc/nebula/${name}.pub 192.168.1.1:/tmp/${name}.pub", + ) + lighthouse.succeed( + 'nebula-cert sign -ca-crt /etc/nebula/ca.crt -ca-key /etc/nebula/ca.key -name "${name}" -groups "${name}" -ip "${ip}" -in-pub /tmp/${name}.pub -out-crt /tmp/${name}.crt', + ) + ${name}.succeed( + "scp ${sshOpts} 192.168.1.1:/tmp/${name}.crt /etc/nebula/${name}.crt", + "scp ${sshOpts} 192.168.1.1:/etc/nebula/ca.crt /etc/nebula/ca.crt", + ) + ''; + + in '' + start_all() + + # Create the certificate and sign the lighthouse's keys. + ${setUpPrivateKey "lighthouse"} + lighthouse.succeed( + "mkdir -p /etc/nebula", + 'nebula-cert ca -name "Smoke Test" -out-crt /etc/nebula/ca.crt -out-key /etc/nebula/ca.key', + 'nebula-cert sign -ca-crt /etc/nebula/ca.crt -ca-key /etc/nebula/ca.key -name "lighthouse" -groups "lighthouse" -ip "10.0.100.1/24" -out-crt /etc/nebula/lighthouse.crt -out-key /etc/nebula/lighthouse.key', + ) + + # Reboot the lighthouse and verify that the nebula service comes up on boot. + # Since rebooting takes a while, we'll just restart the service on the other nodes. + lighthouse.shutdown() + lighthouse.start() + lighthouse.wait_for_unit("nebula@smoke.service") + lighthouse.succeed("ping -c5 10.0.100.1") + + # Create keys for node2's nebula service and test that it comes up. + ${setUpPrivateKey "node2"} + ${signKeysFor "node2" "10.0.100.2/24"} + ${restartAndCheckNebula "node2" "10.0.100.2"} + + # Create keys for node3's nebula service and test that it comes up. + ${setUpPrivateKey "node3"} + ${signKeysFor "node3" "10.0.100.3/24"} + ${restartAndCheckNebula "node3" "10.0.100.3"} + + # Create keys for node4's nebula service and test that it comes up. + ${setUpPrivateKey "node4"} + ${signKeysFor "node4" "10.0.100.4/24"} + ${restartAndCheckNebula "node4" "10.0.100.4"} + + # Create keys for node4's nebula service and test that it does not come up. + ${setUpPrivateKey "node5"} + ${signKeysFor "node5" "10.0.100.5/24"} + node5.fail("systemctl status nebula@smoke.service") + node5.fail("ping -c5 10.0.100.5") + + # The lighthouse can ping node2 and node3 but not node5 + lighthouse.succeed("ping -c3 10.0.100.2") + lighthouse.succeed("ping -c3 10.0.100.3") + lighthouse.fail("ping -c3 10.0.100.5") + + # node2 can ping the lighthouse, but not node3 because of its inbound firewall + node2.succeed("ping -c3 10.0.100.1") + node2.fail("ping -c3 10.0.100.3") + + # node3 can ping the lighthouse and node2 + node3.succeed("ping -c3 10.0.100.1") + node3.succeed("ping -c3 10.0.100.2") + + # node4 can ping the lighthouse but not node2 or node3 + node4.succeed("ping -c3 10.0.100.1") + node4.fail("ping -c3 10.0.100.2") + node4.fail("ping -c3 10.0.100.3") + + # node2 can ping node3 now that node3 pinged it first + node2.succeed("ping -c3 10.0.100.3") + # node4 can ping node2 if node2 pings it first + node2.succeed("ping -c3 10.0.100.4") + node4.succeed("ping -c3 10.0.100.2") + ''; +}) diff --git a/nixos/tests/networking.nix b/nixos/tests/networking.nix index 1ea61f99a9513..c8756207f27b6 100644 --- a/nixos/tests/networking.nix +++ b/nixos/tests/networking.nix @@ -511,7 +511,7 @@ let machine.sleep(10) residue = machine.succeed("ip tuntap list") assert ( - residue is "" + residue == "" ), "Some virtual interface has not been properly cleaned:\n{}".format(residue) ''; }; @@ -665,10 +665,10 @@ let ipv4Residue = machine.succeed("ip -4 route list dev eth0 | head -n-3").strip() ipv6Residue = machine.succeed("ip -6 route list dev eth0 | head -n-3").strip() assert ( - ipv4Residue is "" + ipv4Residue == "" ), "The IPv4 routing table has not been properly cleaned:\n{}".format(ipv4Residue) assert ( - ipv6Residue is "" + ipv6Residue == "" ), "The IPv6 routing table has not been properly cleaned:\n{}".format(ipv6Residue) ''; }; diff --git a/nixos/tests/nextcloud/basic.nix b/nixos/tests/nextcloud/basic.nix index 5074b6cdafefe..76f7f68dc960d 100644 --- a/nixos/tests/nextcloud/basic.nix +++ b/nixos/tests/nextcloud/basic.nix @@ -51,7 +51,7 @@ in { nextcloudWithoutMagick = args@{ config, pkgs, lib, ... }: lib.mkMerge [ (nextcloud args) - { services.nextcloud.disableImagemagick = true; } ]; + { services.nextcloud.enableImagemagick = false; } ]; }; testScript = { nodes, ... }: let diff --git a/nixos/tests/nfs/kerberos.nix b/nixos/tests/nfs/kerberos.nix index 75d1210496b00..5684131f671b1 100644 --- a/nixos/tests/nfs/kerberos.nix +++ b/nixos/tests/nfs/kerberos.nix @@ -88,8 +88,8 @@ in "kdb5_util create -s -r NFS.TEST -P master_key", "systemctl restart kadmind.service kdc.service", ) - server.wait_for_unit(f"kadmind.service") - server.wait_for_unit(f"kdc.service") + server.wait_for_unit("kadmind.service") + server.wait_for_unit("kdc.service") # create principals server.succeed( @@ -102,8 +102,8 @@ in # add principals to server keytab server.succeed("kadmin.local ktadd nfs/server.nfs.test") server.succeed("systemctl start rpc-gssd.service rpc-svcgssd.service") - server.wait_for_unit(f"rpc-gssd.service") - server.wait_for_unit(f"rpc-svcgssd.service") + server.wait_for_unit("rpc-gssd.service") + server.wait_for_unit("rpc-svcgssd.service") client.wait_for_unit("network-online.target") diff --git a/nixos/tests/nixos-generate-config.nix b/nixos/tests/nixos-generate-config.nix index 7bf8d4da7b6d4..1dadf4992ed00 100644 --- a/nixos/tests/nixos-generate-config.nix +++ b/nixos/tests/nixos-generate-config.nix @@ -14,7 +14,7 @@ import ./make-test-python.nix ({ lib, ... } : { system.nixos-generate-config.desktopConfiguration = ['' # DESKTOP services.xserver.displayManager.gdm.enable = true; - services.xserver.desktopManager.gnome3.enable = true; + services.xserver.desktopManager.gnome.enable = true; '']; }; testScript = '' @@ -35,7 +35,7 @@ import ./make-test-python.nix ({ lib, ... } : { # Test if the Perl variable $desktopConfiguration is spliced correctly machine.succeed( - "grep 'services\\.xserver\\.desktopManager\\.gnome3\\.enable = true;' /etc/nixos/configuration.nix" + "grep 'services\\.xserver\\.desktopManager\\.gnome\\.enable = true;' /etc/nixos/configuration.nix" ) ''; }) diff --git a/nixos/tests/nsd.nix b/nixos/tests/nsd.nix index a558ee0a42542..7387f4f1dfa10 100644 --- a/nixos/tests/nsd.nix +++ b/nixos/tests/nsd.nix @@ -43,6 +43,10 @@ in import ./make-test-python.nix ({ pkgs, ...} : { services.nsd.enable = true; services.nsd.rootServer = true; services.nsd.interfaces = lib.mkForce []; + services.nsd.keys."tsig.example.com." = { + algorithm = "hmac-sha256"; + keyFile = pkgs.writeTextFile { name = "tsig.example.com."; text = "aR3FJA92+bxRSyosadsJ8Aeeav5TngQW/H/EF9veXbc="; }; + }; services.nsd.zones."example.com.".data = '' @ SOA ns.example.com noc.example.com 666 7200 3600 1209600 3600 ipv4 A 1.2.3.4 @@ -51,6 +55,7 @@ in import ./make-test-python.nix ({ pkgs, ...} : { ns A 192.168.0.1 ns AAAA dead:beef::1 ''; + services.nsd.zones."example.com.".provideXFR = [ "0.0.0.0 tsig.example.com." ]; services.nsd.zones."deleg.example.com.".data = '' @ SOA ns.example.com noc.example.com 666 7200 3600 1209600 3600 @ A 9.8.7.6 @@ -71,6 +76,10 @@ in import ./make-test-python.nix ({ pkgs, ...} : { clientv6.wait_for_unit("network.target") server.wait_for_unit("nsd.service") + with subtest("server tsig.example.com."): + expected_tsig = " secret: \"aR3FJA92+bxRSyosadsJ8Aeeav5TngQW/H/EF9veXbc=\"\n" + tsig=server.succeed("cat /var/lib/nsd/private/tsig.example.com.") + assert expected_tsig == tsig, f"Expected /var/lib/nsd/private/tsig.example.com. to contain '{expected_tsig}', but found '{tsig}'" def assert_host(type, rr, query, expected): self = clientv4 if type == 4 else clientv6 diff --git a/nixos/tests/oci-containers.nix b/nixos/tests/oci-containers.nix index 0dfc7ffb276be..68077e3540a5e 100644 --- a/nixos/tests/oci-containers.nix +++ b/nixos/tests/oci-containers.nix @@ -12,7 +12,7 @@ let name = "oci-containers-${backend}"; meta = { - maintainers = with lib.maintainers; [ adisbladis benley mkaito ]; + maintainers = with lib.maintainers; [ adisbladis benley ] ++ lib.teams.serokell.members; }; nodes = { diff --git a/nixos/tests/opensmtpd-rspamd.nix b/nixos/tests/opensmtpd-rspamd.nix new file mode 100644 index 0000000000000..9cb2624e6c4e9 --- /dev/null +++ b/nixos/tests/opensmtpd-rspamd.nix @@ -0,0 +1,142 @@ +import ./make-test-python.nix { + name = "opensmtpd-rspamd"; + + nodes = { + smtp1 = { pkgs, ... }: { + imports = [ common/user-account.nix ]; + networking = { + firewall.allowedTCPPorts = [ 25 143 ]; + useDHCP = false; + interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ + { address = "192.168.1.1"; prefixLength = 24; } + ]; + }; + environment.systemPackages = [ pkgs.opensmtpd ]; + services.opensmtpd = { + enable = true; + extraServerArgs = [ "-v" ]; + serverConfiguration = '' + listen on 0.0.0.0 + action dovecot_deliver mda \ + "${pkgs.dovecot}/libexec/dovecot/deliver -d %{user.username}" + match from any for local action dovecot_deliver + + action do_relay relay + # DO NOT DO THIS IN PRODUCTION! + # Setting up authentication requires a certificate which is painful in + # a test environment, but THIS WOULD BE DANGEROUS OUTSIDE OF A + # WELL-CONTROLLED ENVIRONMENT! + match from any for any action do_relay + ''; + }; + services.dovecot2 = { + enable = true; + enableImap = true; + mailLocation = "maildir:~/mail"; + protocols = [ "imap" ]; + }; + }; + + smtp2 = { pkgs, ... }: { + imports = [ common/user-account.nix ]; + virtualisation.memorySize = 512; + networking = { + firewall.allowedTCPPorts = [ 25 143 ]; + useDHCP = false; + interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ + { address = "192.168.1.2"; prefixLength = 24; } + ]; + }; + environment.systemPackages = [ pkgs.opensmtpd ]; + services.rspamd = { + enable = true; + locals."worker-normal.inc".text = '' + bind_socket = "127.0.0.1:11333"; + ''; + }; + services.opensmtpd = { + enable = true; + extraServerArgs = [ "-v" ]; + serverConfiguration = '' + filter rspamd proc-exec "${pkgs.opensmtpd-filter-rspamd}/bin/filter-rspamd" + listen on 0.0.0.0 filter rspamd + action dovecot_deliver mda \ + "${pkgs.dovecot}/libexec/dovecot/deliver -d %{user.username}" + match from any for local action dovecot_deliver + ''; + }; + services.dovecot2 = { + enable = true; + enableImap = true; + mailLocation = "maildir:~/mail"; + protocols = [ "imap" ]; + }; + }; + + client = { pkgs, ... }: { + networking = { + useDHCP = false; + interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ + { address = "192.168.1.3"; prefixLength = 24; } + ]; + }; + environment.systemPackages = let + sendTestMail = pkgs.writeScriptBin "send-a-test-mail" '' + #!${pkgs.python3.interpreter} + import smtplib, sys + + with smtplib.SMTP('192.168.1.1') as smtp: + smtp.sendmail('alice@[192.168.1.1]', 'bob@[192.168.1.2]', """ + From: alice@smtp1 + To: bob@smtp2 + Subject: Test + + Hello World + Here goes the spam test + XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X + """) + ''; + + checkMailBounced = pkgs.writeScriptBin "check-mail-bounced" '' + #!${pkgs.python3.interpreter} + import imaplib + + with imaplib.IMAP4('192.168.1.1', 143) as imap: + imap.login('alice', 'foobar') + imap.select() + status, refs = imap.search(None, 'ALL') + assert status == 'OK' + assert len(refs) == 1 + status, msg = imap.fetch(refs[0], 'BODY[TEXT]') + assert status == 'OK' + content = msg[0][1] + print("===> content:", content) + assert b"An error has occurred while attempting to deliver a message" in content + ''; + in [ sendTestMail checkMailBounced ]; + }; + }; + + testScript = '' + start_all() + + client.wait_for_unit("network-online.target") + smtp1.wait_for_unit("opensmtpd") + smtp2.wait_for_unit("opensmtpd") + smtp2.wait_for_unit("rspamd") + smtp2.wait_for_unit("dovecot2") + + # To prevent sporadic failures during daemon startup, make sure + # services are listening on their ports before sending requests + smtp1.wait_for_open_port(25) + smtp2.wait_for_open_port(25) + smtp2.wait_for_open_port(143) + smtp2.wait_for_open_port(11333) + + client.succeed("send-a-test-mail") + smtp1.wait_until_fails("smtpctl show queue | egrep .") + client.succeed("check-mail-bounced >&2") + ''; + + meta.timeout = 1800; +} diff --git a/nixos/tests/os-prober.nix b/nixos/tests/os-prober.nix index f778d30bdc06c..3cc38ebe34716 100644 --- a/nixos/tests/os-prober.nix +++ b/nixos/tests/os-prober.nix @@ -69,6 +69,9 @@ in { imports = [ ../modules/profiles/installation-device.nix ../modules/profiles/base.nix ]; virtualisation.memorySize = 1300; + # To add the secondary disk: + virtualisation.qemu.options = [ "-drive index=2,file=${debianImage}/disk-image.qcow2,read-only,if=virtio" ]; + # The test cannot access the network, so any packages # nixos-rebuild needs must be included in the VM. system.extraDependencies = with pkgs; @@ -95,11 +98,6 @@ in { }); testScript = '' - # hack to add the secondary disk - os.environ[ - "QEMU_OPTS" - ] = "-drive index=2,file=${debianImage}/disk-image.qcow2,read-only,if=virtio" - machine.start() machine.succeed("udevadm settle") machine.wait_for_unit("multi-user.target") diff --git a/nixos/tests/packagekit.nix b/nixos/tests/packagekit.nix index 28d1374bf92cd..020a4e65e6d8f 100644 --- a/nixos/tests/packagekit.nix +++ b/nixos/tests/packagekit.nix @@ -8,7 +8,6 @@ import ./make-test-python.nix ({ pkgs, ... }: { environment.systemPackages = with pkgs; [ dbus ]; services.packagekit = { enable = true; - backend = "test_nop"; }; }; diff --git a/nixos/tests/pinnwand.nix b/nixos/tests/pinnwand.nix index 0c583e1104dec..0391c4133111b 100644 --- a/nixos/tests/pinnwand.nix +++ b/nixos/tests/pinnwand.nix @@ -61,7 +61,7 @@ in client.wait_until_succeeds("ping -c1 server") # make sure pinnwand is listening - server.wait_until_succeeds("ss -lnp | grep ${toString port}") + server.wait_for_open_port(${toString port}) # send the contents of /etc/machine-id response = client.succeed("steck paste /etc/machine-id") @@ -75,6 +75,12 @@ in if line.startswith("Removal link:"): removal_link = line.split(":", 1)[1] + + # start the reaper, it shouldn't do anything meaningful here + server.systemctl("start pinnwand-reaper.service") + server.wait_until_fails("systemctl is-active -q pinnwand-reaper.service") + server.log(server.execute("journalctl -u pinnwand-reaper -e --no-pager")[1]) + # check whether paste matches what we sent client.succeed(f"curl {raw_url} > /tmp/machine-id") client.succeed("diff /tmp/machine-id /etc/machine-id") @@ -82,5 +88,7 @@ in # remove paste and check that it's not available any more client.succeed(f"curl {removal_link}") client.fail(f"curl --fail {raw_url}") + + server.log(server.succeed("systemd-analyze security pinnwand")) ''; }) diff --git a/nixos/tests/plotinus.nix b/nixos/tests/plotinus.nix index 39a4234dbf73a..ddd6a4c119461 100644 --- a/nixos/tests/plotinus.nix +++ b/nixos/tests/plotinus.nix @@ -9,7 +9,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { { imports = [ ./common/x11.nix ]; programs.plotinus.enable = true; - environment.systemPackages = [ pkgs.gnome3.gnome-calculator pkgs.xdotool ]; + environment.systemPackages = [ pkgs.gnome.gnome-calculator pkgs.xdotool ]; }; testScript = '' diff --git a/nixos/tests/podgrab.nix b/nixos/tests/podgrab.nix new file mode 100644 index 0000000000000..e927e25fea569 --- /dev/null +++ b/nixos/tests/podgrab.nix @@ -0,0 +1,34 @@ +let + defaultPort = 8080; + customPort = 4242; +in +import ./make-test-python.nix ({ pkgs, ... }: { + name = "podgrab"; + + nodes = { + default = { ... }: { + services.podgrab.enable = true; + }; + + customized = { ... }: { + services.podgrab = { + enable = true; + port = customPort; + }; + }; + }; + + testScript = '' + start_all() + + default.wait_for_unit("podgrab") + default.wait_for_open_port("${toString defaultPort}") + default.succeed("curl --fail http://localhost:${toString defaultPort}") + + customized.wait_for_unit("podgrab") + customized.wait_for_open_port("${toString customPort}") + customized.succeed("curl --fail http://localhost:${toString customPort}") + ''; + + meta.maintainers = with pkgs.lib.maintainers; [ ambroisie ]; +}) diff --git a/nixos/tests/printing.nix b/nixos/tests/printing.nix index 6a1801fb28840..b2f2540fb7a13 100644 --- a/nixos/tests/printing.nix +++ b/nixos/tests/printing.nix @@ -50,7 +50,6 @@ in { testScript = '' import os import re - import sys start_all() diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index 62c0080dd5169..e3bfff218adb0 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -1,65 +1,65 @@ { system ? builtins.currentSystem -, config ? {} +, config ? { } , pkgs ? import ../.. { inherit system config; } }: let inherit (import ../lib/testing-python.nix { inherit system pkgs; }) makeTest; inherit (pkgs.lib) concatStringsSep maintainers mapAttrs mkMerge - removeSuffix replaceChars singleton splitString; + removeSuffix replaceChars singleton splitString; -/* - * The attrset `exporterTests` contains one attribute - * for each exporter test. Each of these attributes - * is expected to be an attrset containing: - * - * `exporterConfig`: - * this attribute set contains config for the exporter itself - * - * `exporterTest` - * this attribute set contains test instructions - * - * `metricProvider` (optional) - * this attribute contains additional machine config - * - * `nodeName` (optional) - * override an incompatible testnode name - * - * Example: - * exporterTests.<exporterName> = { - * exporterConfig = { - * enable = true; - * }; - * metricProvider = { - * services.<metricProvider>.enable = true; - * }; - * exporterTest = '' - * wait_for_unit("prometheus-<exporterName>-exporter.service") - * wait_for_open_port("1234") - * succeed("curl -sSf 'localhost:1234/metrics'") - * ''; - * }; - * - * # this would generate the following test config: - * - * nodes.<exporterName> = { - * services.prometheus.<exporterName> = { - * enable = true; - * }; - * services.<metricProvider>.enable = true; - * }; - * - * testScript = '' - * <exporterName>.start() - * <exporterName>.wait_for_unit("prometheus-<exporterName>-exporter.service") - * <exporterName>.wait_for_open_port("1234") - * <exporterName>.succeed("curl -sSf 'localhost:1234/metrics'") - * <exporterName>.shutdown() - * ''; - */ + /* + * The attrset `exporterTests` contains one attribute + * for each exporter test. Each of these attributes + * is expected to be an attrset containing: + * + * `exporterConfig`: + * this attribute set contains config for the exporter itself + * + * `exporterTest` + * this attribute set contains test instructions + * + * `metricProvider` (optional) + * this attribute contains additional machine config + * + * `nodeName` (optional) + * override an incompatible testnode name + * + * Example: + * exporterTests.<exporterName> = { + * exporterConfig = { + * enable = true; + * }; + * metricProvider = { + * services.<metricProvider>.enable = true; + * }; + * exporterTest = '' + * wait_for_unit("prometheus-<exporterName>-exporter.service") + * wait_for_open_port("1234") + * succeed("curl -sSf 'localhost:1234/metrics'") + * ''; + * }; + * + * # this would generate the following test config: + * + * nodes.<exporterName> = { + * services.prometheus.<exporterName> = { + * enable = true; + * }; + * services.<metricProvider>.enable = true; + * }; + * + * testScript = '' + * <exporterName>.start() + * <exporterName>.wait_for_unit("prometheus-<exporterName>-exporter.service") + * <exporterName>.wait_for_open_port("1234") + * <exporterName>.succeed("curl -sSf 'localhost:1234/metrics'") + * <exporterName>.shutdown() + * ''; + */ exporterTests = { - apcupsd = { + apcupsd = { exporterConfig = { enable = true; }; @@ -118,6 +118,8 @@ let metricProvider = { services.bird2.enable = true; services.bird2.config = '' + router id 127.0.0.1; + protocol kernel MyObviousTestString { ipv4 { import all; @@ -132,7 +134,9 @@ let exporterTest = '' wait_for_unit("prometheus-bird-exporter.service") wait_for_open_port(9324) - succeed("curl -sSf http://localhost:9324/metrics | grep -q 'MyObviousTestString'") + wait_until_succeeds( + "curl -sSf http://localhost:9324/metrics | grep -q 'MyObviousTestString'" + ) ''; }; @@ -188,20 +192,21 @@ let "plugin":"testplugin", "time":DATE }] - ''; in '' - wait_for_unit("prometheus-collectd-exporter.service") - wait_for_open_port(9103) - succeed( - 'echo \'${postData}\'> /tmp/data.json' - ) - succeed('sed -ie "s DATE $(date +%s) " /tmp/data.json') - succeed( - "curl -sSfH 'Content-Type: application/json' -X POST --data @/tmp/data.json localhost:9103/collectd" - ) - succeed( - "curl -sSf localhost:9103/metrics | grep -q 'collectd_testplugin_gauge{instance=\"testhost\"} 23'" - ) - ''; + ''; in + '' + wait_for_unit("prometheus-collectd-exporter.service") + wait_for_open_port(9103) + succeed( + 'echo \'${postData}\'> /tmp/data.json' + ) + succeed('sed -ie "s DATE $(date +%s) " /tmp/data.json') + succeed( + "curl -sSfH 'Content-Type: application/json' -X POST --data @/tmp/data.json localhost:9103/collectd" + ) + succeed( + "curl -sSf localhost:9103/metrics | grep -q 'collectd_testplugin_gauge{instance=\"testhost\"} 23'" + ) + ''; }; dnsmasq = { @@ -254,7 +259,8 @@ let ''; }; - fritzbox = { # TODO add proper test case + fritzbox = { + # TODO add proper test case exporterConfig = { enable = true; }; @@ -296,7 +302,7 @@ let url = "http://localhost"; configFile = pkgs.writeText "json-exporter-conf.json" (builtins.toJSON { metrics = [ - { name = "json_test_metric"; path = "$.test"; } + { name = "json_test_metric"; path = "{ .test }"; } ]; }); }; @@ -320,6 +326,57 @@ let ''; }; + kea = { + exporterConfig = { + enable = true; + controlSocketPaths = [ + "/run/kea/kea-dhcp6.sock" + ]; + }; + metricProvider = { + users.users.kea = { + isSystemUser = true; + }; + users.groups.kea = {}; + + systemd.services.prometheus-kea-exporter.after = [ "kea-dhcp6.service" ]; + + systemd.services.kea-dhcp6 = let + configFile = pkgs.writeText "kea-dhcp6.conf" (builtins.toJSON { + Dhcp6 = { + "control-socket" = { + "socket-type" = "unix"; + "socket-name" = "/run/kea/kea-dhcp6.sock"; + }; + }; + }); + in + { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + DynamicUser = false; + User = "kea"; + Group = "kea"; + ExecStart = "${pkgs.kea}/bin/kea-dhcp6 -c ${configFile}"; + StateDirectory = "kea"; + RuntimeDirectory = "kea"; + UMask = "0007"; + }; + }; + }; + exporterTest = '' + wait_for_unit("kea-dhcp6.service") + wait_for_file("/run/kea/kea-dhcp6.sock") + wait_for_unit("prometheus-kea-exporter.service") + wait_for_open_port(9547) + succeed( + "curl --fail localhost:9547/metrics | grep 'packets_received_total'" + ) + ''; + }; + knot = { exporterConfig = { enable = true; @@ -328,13 +385,48 @@ let services.knot = { enable = true; extraArgs = [ "-v" ]; + extraConfig = '' + server: + listen: 127.0.0.1@53 + + template: + - id: default + global-module: mod-stats + dnssec-signing: off + zonefile-sync: -1 + journal-db: /var/lib/knot/journal + kasp-db: /var/lib/knot/kasp + timer-db: /var/lib/knot/timer + zonefile-load: difference + storage: ${pkgs.buildEnv { + name = "foo"; + paths = [ + (pkgs.writeTextDir "test.zone" '' + @ SOA ns.example.com. noc.example.com. 2019031301 86400 7200 3600000 172800 + @ NS ns1 + @ NS ns2 + ns1 A 192.168.0.1 + '') + ]; + }} + + mod-stats: + - id: custom + edns-presence: on + query-type: on + + zone: + - domain: test + file: test.zone + module: mod-stats/custom + ''; }; }; exporterTest = '' wait_for_unit("knot.service") wait_for_unit("prometheus-knot-exporter.service") wait_for_open_port(9433) - succeed("curl -sSf 'localhost:9433' | grep -q 'knot_server_zone_count 0.0'") + succeed("curl -sSf 'localhost:9433' | grep -q 'knot_server_zone_count 1.0'") ''; }; @@ -365,27 +457,27 @@ let }; metricProvider = { systemd.services.prometheus-lnd-exporter.serviceConfig.DynamicUser = false; - services.bitcoind.enable = true; - services.bitcoind.extraConfig = '' + services.bitcoind.main.enable = true; + services.bitcoind.main.extraConfig = '' rpcauth=bitcoinrpc:e8fe33f797e698ac258c16c8d7aadfbe$872bdb8f4d787367c26bcfd75e6c23c4f19d44a69f5d1ad329e5adf3f82710f7 bitcoind.zmqpubrawblock=tcp://127.0.0.1:28332 bitcoind.zmqpubrawtx=tcp://127.0.0.1:28333 ''; systemd.services.lnd = { serviceConfig.ExecStart = '' - ${pkgs.lnd}/bin/lnd \ - --datadir=/var/lib/lnd \ - --tlscertpath=/var/lib/lnd/tls.cert \ - --tlskeypath=/var/lib/lnd/tls.key \ - --logdir=/var/log/lnd \ - --bitcoin.active \ - --bitcoin.mainnet \ - --bitcoin.node=bitcoind \ - --bitcoind.rpcuser=bitcoinrpc \ - --bitcoind.rpcpass=hunter2 \ - --bitcoind.zmqpubrawblock=tcp://127.0.0.1:28332 \ - --bitcoind.zmqpubrawtx=tcp://127.0.0.1:28333 \ - --readonlymacaroonpath=/var/lib/lnd/readonly.macaroon + ${pkgs.lnd}/bin/lnd \ + --datadir=/var/lib/lnd \ + --tlscertpath=/var/lib/lnd/tls.cert \ + --tlskeypath=/var/lib/lnd/tls.key \ + --logdir=/var/log/lnd \ + --bitcoin.active \ + --bitcoin.mainnet \ + --bitcoin.node=bitcoind \ + --bitcoind.rpcuser=bitcoinrpc \ + --bitcoind.rpcpass=hunter2 \ + --bitcoind.zmqpubrawblock=tcp://127.0.0.1:28332 \ + --bitcoind.zmqpubrawtx=tcp://127.0.0.1:28333 \ + --readonlymacaroonpath=/var/lib/lnd/readonly.macaroon ''; serviceConfig.StateDirectory = "lnd"; wantedBy = [ "multi-user.target" ]; @@ -407,14 +499,14 @@ let configuration = { monitoringInterval = "2s"; mailCheckTimeout = "10s"; - servers = [ { + servers = [{ name = "testserver"; server = "localhost"; port = 25; from = "mail-exporter@localhost"; to = "mail-exporter@localhost"; detectionDir = "/var/spool/mail/mail-exporter/new"; - } ]; + }]; }; }; metricProvider = { @@ -516,15 +608,17 @@ let url = "http://localhost"; }; metricProvider = { - systemd.services.nc-pwfile = let - passfile = (pkgs.writeText "pwfile" "snakeoilpw"); - in { - requiredBy = [ "prometheus-nextcloud-exporter.service" ]; - before = [ "prometheus-nextcloud-exporter.service" ]; - serviceConfig.ExecStart = '' - ${pkgs.coreutils}/bin/install -o nextcloud-exporter -m 0400 ${passfile} /var/nextcloud-pwfile - ''; - }; + systemd.services.nc-pwfile = + let + passfile = (pkgs.writeText "pwfile" "snakeoilpw"); + in + { + requiredBy = [ "prometheus-nextcloud-exporter.service" ]; + before = [ "prometheus-nextcloud-exporter.service" ]; + serviceConfig.ExecStart = '' + ${pkgs.coreutils}/bin/install -o nextcloud-exporter -m 0400 ${passfile} /var/nextcloud-pwfile + ''; + }; services.nginx = { enable = true; virtualHosts."localhost" = { @@ -581,7 +675,7 @@ let syslog = { listen_address = "udp://127.0.0.1:10000"; format = "rfc3164"; - tags = ["nginx"]; + tags = [ "nginx" ]; }; }; } @@ -701,10 +795,10 @@ let exporterConfig = { enable = true; group = "openvpn"; - statusPaths = ["/run/openvpn-test"]; + statusPaths = [ "/run/openvpn-test" ]; }; metricProvider = { - users.groups.openvpn = {}; + users.groups.openvpn = { }; services.openvpn.servers.test = { config = '' dev tun @@ -824,19 +918,21 @@ let }; metricProvider = { # Mock rtl_433 binary to return a dummy metric stream. - nixpkgs.overlays = [ (self: super: { - rtl_433 = self.runCommand "rtl_433" {} '' - mkdir -p "$out/bin" - cat <<EOF > "$out/bin/rtl_433" - #!/bin/sh - while true; do - printf '{"time" : "2020-04-26 13:37:42", "model" : "zopieux", "id" : 55, "channel" : 3, "temperature_C" : 18.000}\n' - sleep 4 - done - EOF - chmod +x "$out/bin/rtl_433" - ''; - }) ]; + nixpkgs.overlays = [ + (self: super: { + rtl_433 = self.runCommand "rtl_433" { } '' + mkdir -p "$out/bin" + cat <<EOF > "$out/bin/rtl_433" + #!/bin/sh + while true; do + printf '{"time" : "2020-04-26 13:37:42", "model" : "zopieux", "id" : 55, "channel" : 3, "temperature_C" : 18.000}\n' + sleep 4 + done + EOF + chmod +x "$out/bin/rtl_433" + ''; + }) + ]; }; exporterTest = '' wait_for_unit("prometheus-rtl_433-exporter.service") @@ -852,7 +948,7 @@ let smokeping = { exporterConfig = { enable = true; - hosts = ["127.0.0.1"]; + hosts = [ "127.0.0.1" ]; }; exporterTest = '' wait_for_unit("prometheus-smokeping-exporter.service") @@ -976,7 +1072,7 @@ let # Note: this does not connect the test environment to the Tor network. # Client, relay, bridge or exit connectivity are disabled by default. services.tor.enable = true; - services.tor.controlPort = 9051; + services.tor.settings.ControlPort = 9051; }; exporterTest = '' wait_for_unit("tor.service") @@ -990,7 +1086,7 @@ let unifi-poller = { nodeName = "unifi_poller"; exporterConfig.enable = true; - exporterConfig.controllers = [ { } ]; + exporterConfig.controllers = [{ }]; exporterTest = '' wait_for_unit("prometheus-unifi-poller-exporter.service") wait_for_open_port(9130) @@ -1000,6 +1096,29 @@ let ''; }; + unbound = { + exporterConfig = { + enable = true; + fetchType = "uds"; + controlInterface = "/run/unbound/unbound.ctl"; + }; + metricProvider = { + services.unbound = { + enable = true; + localControlSocketPath = "/run/unbound/unbound.ctl"; + }; + systemd.services.prometheus-unbound-exporter.serviceConfig = { + SupplementaryGroups = [ "unbound" ]; + }; + }; + exporterTest = '' + wait_for_unit("unbound.service") + wait_for_unit("prometheus-unbound-exporter.service") + wait_for_open_port(9167) + succeed("curl -sSf localhost:9167/metrics | grep -q 'unbound_up 1'") + ''; + }; + varnish = { exporterConfig = { enable = true; @@ -1029,54 +1148,60 @@ let ''; }; - wireguard = let snakeoil = import ./wireguard/snakeoil-keys.nix; in { - exporterConfig.enable = true; - metricProvider = { - networking.wireguard.interfaces.wg0 = { - ips = [ "10.23.42.1/32" "fc00::1/128" ]; - listenPort = 23542; + wireguard = let snakeoil = import ./wireguard/snakeoil-keys.nix; in + { + exporterConfig.enable = true; + metricProvider = { + networking.wireguard.interfaces.wg0 = { + ips = [ "10.23.42.1/32" "fc00::1/128" ]; + listenPort = 23542; - inherit (snakeoil.peer0) privateKey; + inherit (snakeoil.peer0) privateKey; - peers = singleton { - allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ]; + peers = singleton { + allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ]; - inherit (snakeoil.peer1) publicKey; + inherit (snakeoil.peer1) publicKey; + }; }; + systemd.services.prometheus-wireguard-exporter.after = [ "wireguard-wg0.service" ]; }; - systemd.services.prometheus-wireguard-exporter.after = [ "wireguard-wg0.service" ]; + exporterTest = '' + wait_for_unit("prometheus-wireguard-exporter.service") + wait_for_open_port(9586) + wait_until_succeeds( + "curl -sSf http://localhost:9586/metrics | grep '${snakeoil.peer1.publicKey}'" + ) + ''; }; - exporterTest = '' - wait_for_unit("prometheus-wireguard-exporter.service") - wait_for_open_port(9586) - wait_until_succeeds( - "curl -sSf http://localhost:9586/metrics | grep '${snakeoil.peer1.publicKey}'" - ) - ''; - }; }; in -mapAttrs (exporter: testConfig: (makeTest (let - nodeName = testConfig.nodeName or exporter; +mapAttrs + (exporter: testConfig: (makeTest ( + let + nodeName = testConfig.nodeName or exporter; -in { - name = "prometheus-${exporter}-exporter"; + in + { + name = "prometheus-${exporter}-exporter"; - nodes.${nodeName} = mkMerge [{ - services.prometheus.exporters.${exporter} = testConfig.exporterConfig; - } testConfig.metricProvider or {}]; + nodes.${nodeName} = mkMerge [{ + services.prometheus.exporters.${exporter} = testConfig.exporterConfig; + } testConfig.metricProvider or { }]; - testScript = '' - ${nodeName}.start() - ${concatStringsSep "\n" (map (line: - if (builtins.substring 0 1 line == " " || builtins.substring 0 1 line == ")") - then line - else "${nodeName}.${line}" - ) (splitString "\n" (removeSuffix "\n" testConfig.exporterTest)))} - ${nodeName}.shutdown() - ''; + testScript = '' + ${nodeName}.start() + ${concatStringsSep "\n" (map (line: + if (builtins.substring 0 1 line == " " || builtins.substring 0 1 line == ")") + then line + else "${nodeName}.${line}" + ) (splitString "\n" (removeSuffix "\n" testConfig.exporterTest)))} + ${nodeName}.shutdown() + ''; - meta = with maintainers; { - maintainers = [ willibutz elseym ]; - }; -}))) exporterTests + meta = with maintainers; { + maintainers = [ willibutz elseym ]; + }; + } + ))) + exporterTests diff --git a/nixos/tests/quagga.nix b/nixos/tests/quagga.nix deleted file mode 100644 index 9aed49bf452f6..0000000000000 --- a/nixos/tests/quagga.nix +++ /dev/null @@ -1,96 +0,0 @@ -# This test runs Quagga and checks if OSPF routing works. -# -# Network topology: -# [ client ]--net1--[ router1 ]--net2--[ router2 ]--net3--[ server ] -# -# All interfaces are in OSPF Area 0. - -import ./make-test-python.nix ({ pkgs, ... }: - let - - ifAddr = node: iface: (pkgs.lib.head node.config.networking.interfaces.${iface}.ipv4.addresses).address; - - ospfConf = '' - interface eth2 - ip ospf hello-interval 1 - ip ospf dead-interval 5 - ! - router ospf - network 192.168.0.0/16 area 0 - ''; - - in - { - name = "quagga"; - - meta = with pkgs.lib.maintainers; { - maintainers = [ tavyc ]; - }; - - nodes = { - - client = - { nodes, ... }: - { - virtualisation.vlans = [ 1 ]; - networking.defaultGateway = ifAddr nodes.router1 "eth1"; - }; - - router1 = - { ... }: - { - virtualisation.vlans = [ 1 2 ]; - boot.kernel.sysctl."net.ipv4.ip_forward" = "1"; - networking.firewall.extraCommands = "iptables -A nixos-fw -i eth2 -p ospf -j ACCEPT"; - services.quagga.ospf = { - enable = true; - config = ospfConf; - }; - }; - - router2 = - { ... }: - { - virtualisation.vlans = [ 3 2 ]; - boot.kernel.sysctl."net.ipv4.ip_forward" = "1"; - networking.firewall.extraCommands = "iptables -A nixos-fw -i eth2 -p ospf -j ACCEPT"; - services.quagga.ospf = { - enable = true; - config = ospfConf; - }; - }; - - server = - { nodes, ... }: - { - virtualisation.vlans = [ 3 ]; - networking.defaultGateway = ifAddr nodes.router2 "eth1"; - networking.firewall.allowedTCPPorts = [ 80 ]; - services.httpd.enable = true; - services.httpd.adminAddr = "foo@example.com"; - }; - }; - - testScript = - { ... }: - '' - start_all() - - # Wait for the networking to start on all machines - for machine in client, router1, router2, server: - machine.wait_for_unit("network.target") - - with subtest("Wait for OSPF to form adjacencies"): - for gw in router1, router2: - gw.wait_for_unit("ospfd") - gw.wait_until_succeeds("vtysh -c 'show ip ospf neighbor' | grep Full") - gw.wait_until_succeeds("vtysh -c 'show ip route' | grep '^O>'") - - with subtest("Test ICMP"): - client.wait_until_succeeds("ping -c 3 server >&2") - - with subtest("Test whether HTTP works"): - server.wait_for_unit("httpd") - client.succeed("curl --fail http://server/ >&2") - ''; - }) diff --git a/nixos/tests/radicale.nix b/nixos/tests/radicale.nix index 1d3679c82a20c..5101628a682c6 100644 --- a/nixos/tests/radicale.nix +++ b/nixos/tests/radicale.nix @@ -1,140 +1,95 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: + let user = "someuser"; password = "some_password"; - port = builtins.toString 5232; + port = "5232"; + filesystem_folder = "/data/radicale"; + + cli = "${pkgs.calendar-cli}/bin/calendar-cli --caldav-user ${user} --caldav-pass ${password}"; +in { + name = "radicale3"; + meta.maintainers = with lib.maintainers; [ dotlambda ]; - common = { pkgs, ... }: { + machine = { pkgs, ... }: { services.radicale = { enable = true; - config = '' - [auth] - type = htpasswd - htpasswd_filename = /etc/radicale/htpasswd - htpasswd_encryption = bcrypt - - [storage] - filesystem_folder = /tmp/collections - ''; + settings = { + auth = { + type = "htpasswd"; + htpasswd_filename = "/etc/radicale/users"; + htpasswd_encryption = "bcrypt"; + }; + storage = { + inherit filesystem_folder; + hook = "git add -A && (git diff --cached --quiet || git commit -m 'Changes by '%(user)s)"; + }; + logging.level = "info"; + }; + rights = { + principal = { + user = ".+"; + collection = "{user}"; + permissions = "RW"; + }; + calendars = { + user = ".+"; + collection = "{user}/[^/]+"; + permissions = "rw"; + }; + }; }; + systemd.services.radicale.path = [ pkgs.git ]; + environment.systemPackages = [ pkgs.git ]; + systemd.tmpfiles.rules = [ "d ${filesystem_folder} 0750 radicale radicale -" ]; # WARNING: DON'T DO THIS IN PRODUCTION! # This puts unhashed secrets directly into the Nix store for ease of testing. - environment.etc."radicale/htpasswd".source = pkgs.runCommand "htpasswd" {} '' + environment.etc."radicale/users".source = pkgs.runCommand "htpasswd" {} '' ${pkgs.apacheHttpd}/bin/htpasswd -bcB "$out" ${user} ${password} ''; }; - -in - - import ./make-test-python.nix ({ lib, ... }@args: { - name = "radicale"; - meta.maintainers = with lib.maintainers; [ aneeshusa infinisil ]; - - nodes = rec { - radicale = radicale1; # Make the test script read more nicely - radicale1 = lib.recursiveUpdate (common args) { - nixpkgs.overlays = [ - (self: super: { - radicale1 = super.radicale1.overrideAttrs (oldAttrs: { - propagatedBuildInputs = with self.pythonPackages; - (oldAttrs.propagatedBuildInputs or []) ++ [ passlib ]; - }); - }) - ]; - system.stateVersion = "17.03"; - }; - radicale1_export = lib.recursiveUpdate radicale1 { - services.radicale.extraArgs = [ - "--export-storage" "/tmp/collections-new" - ]; - system.stateVersion = "17.03"; - }; - radicale2_verify = lib.recursiveUpdate radicale2 { - services.radicale.extraArgs = [ "--debug" "--verify-storage" ]; - system.stateVersion = "17.09"; - }; - radicale2 = lib.recursiveUpdate (common args) { - system.stateVersion = "17.09"; - }; - radicale3 = lib.recursiveUpdate (common args) { - system.stateVersion = "20.09"; - }; - }; - - # This tests whether the web interface is accessible to an authenticated user - testScript = { nodes }: let - switchToConfig = nodeName: let - newSystem = nodes.${nodeName}.config.system.build.toplevel; - in "${newSystem}/bin/switch-to-configuration test"; - in '' - with subtest("Check Radicale 1 functionality"): - radicale.succeed( - "${switchToConfig "radicale1"} >&2" - ) - radicale.wait_for_unit("radicale.service") - radicale.wait_for_open_port(${port}) - radicale.succeed( - "curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/" - ) - - with subtest("Export data in Radicale 2 format"): - radicale.succeed("systemctl stop radicale") - radicale.succeed("ls -al /tmp/collections") - radicale.fail("ls -al /tmp/collections-new") - - with subtest("Radicale exits immediately after exporting storage"): - radicale.succeed( - "${switchToConfig "radicale1_export"} >&2" - ) - radicale.wait_until_fails("systemctl status radicale") - radicale.succeed("ls -al /tmp/collections") - radicale.succeed("ls -al /tmp/collections-new") - - with subtest("Verify data in Radicale 2 format"): - radicale.succeed("rm -r /tmp/collections/${user}") - radicale.succeed("mv /tmp/collections-new/collection-root /tmp/collections") - radicale.succeed( - "${switchToConfig "radicale2_verify"} >&2" - ) - radicale.wait_until_fails("systemctl status radicale") - - (retcode, logs) = radicale.execute("journalctl -u radicale -n 10") - assert ( - retcode == 0 and "Verifying storage" in logs - ), "Radicale 2 didn't verify storage" - assert ( - "failed" not in logs and "exception" not in logs - ), "storage verification failed" - - with subtest("Check Radicale 2 functionality"): - radicale.succeed( - "${switchToConfig "radicale2"} >&2" - ) - radicale.wait_for_unit("radicale.service") - radicale.wait_for_open_port(${port}) - - (retcode, output) = radicale.execute( - "curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/" - ) - assert ( - retcode == 0 and "VCALENDAR" in output - ), "Could not read calendar from Radicale 2" - - radicale.succeed("curl --fail http://${user}:${password}@localhost:${port}/.web/") - - with subtest("Check Radicale 3 functionality"): - radicale.succeed( - "${switchToConfig "radicale3"} >&2" - ) - radicale.wait_for_unit("radicale.service") - radicale.wait_for_open_port(${port}) - - (retcode, output) = radicale.execute( - "curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/" - ) - assert ( - retcode == 0 and "VCALENDAR" in output - ), "Could not read calendar from Radicale 3" - - radicale.succeed("curl --fail http://${user}:${password}@localhost:${port}/.web/") - ''; + testScript = '' + machine.wait_for_unit("radicale.service") + machine.wait_for_open_port(${port}) + + machine.succeed("sudo -u radicale git -C ${filesystem_folder} init") + machine.succeed( + "sudo -u radicale git -C ${filesystem_folder} config --local user.email radicale@example.com" + ) + machine.succeed( + "sudo -u radicale git -C ${filesystem_folder} config --local user.name radicale" + ) + + with subtest("Test calendar and event creation"): + machine.succeed( + "${cli} --caldav-url http://localhost:${port}/${user} calendar create cal" + ) + machine.succeed("test -d ${filesystem_folder}/collection-root/${user}/cal") + machine.succeed('test -z "$(ls ${filesystem_folder}/collection-root/${user}/cal)"') + machine.succeed( + "${cli} --caldav-url http://localhost:${port}/${user}/cal calendar add 2021-04-23 testevent" + ) + machine.succeed('test -n "$(ls ${filesystem_folder}/collection-root/${user}/cal)"') + (status, stdout) = machine.execute( + "sudo -u radicale git -C ${filesystem_folder} log --format=oneline | wc -l" + ) + assert status == 0, "git log failed" + assert stdout == "3\n", "there should be exactly 3 commits" + + with subtest("Test rights file"): + machine.fail( + "${cli} --caldav-url http://localhost:${port}/${user} calendar create sub/cal" + ) + machine.fail( + "${cli} --caldav-url http://localhost:${port}/otheruser calendar create cal" + ) + + with subtest("Test web interface"): + machine.succeed("curl --fail http://${user}:${password}@localhost:${port}/.web/") + + with subtest("Test security"): + output = machine.succeed("systemd-analyze security radicale.service") + machine.log(output) + assert output[-9:-1] == "SAFE :-}" + ''; }) diff --git a/nixos/tests/redis.nix b/nixos/tests/redis.nix index 79a7847414a90..28b6058c2c026 100644 --- a/nixos/tests/redis.nix +++ b/nixos/tests/redis.nix @@ -22,11 +22,10 @@ in users.users."member" = { createHome = false; description = "A member of the redis group"; + isNormalUser = true; extraGroups = [ "redis" ]; - group = "users"; - shell = "/bin/sh"; }; }; }; diff --git a/nixos/tests/rspamd.nix b/nixos/tests/rspamd.nix index 7f41e1a795667..3fd55444fd8a5 100644 --- a/nixos/tests/rspamd.nix +++ b/nixos/tests/rspamd.nix @@ -25,6 +25,7 @@ let machine = { services.rspamd.enable = true; networking.enableIPv6 = enableIPv6; + virtualisation.memorySize = 1024; }; testScript = '' start_all() @@ -68,6 +69,7 @@ in group = "rspamd"; }]; }; + virtualisation.memorySize = 1024; }; testScript = '' @@ -116,6 +118,7 @@ in ''; }; }; + virtualisation.memorySize = 1024; }; testScript = '' @@ -221,6 +224,7 @@ in rspamd_logger.infox(rspamd_config, 'Work dammit!!!') ''; }; + virtualisation.memorySize = 1024; }; testScript = '' ${initMachine} @@ -274,7 +278,10 @@ in I find cows to be evil don't you? ''; - users.users.tester.password = "test"; + users.users.tester = { + isNormalUser = true; + password = "test"; + }; services.postfix = { enable = true; destination = ["example.com"]; @@ -284,6 +291,7 @@ in postfix.enable = true; workers.rspamd_proxy.type = "rspamd_proxy"; }; + virtualisation.memorySize = 1024; }; testScript = '' ${initMachine} diff --git a/nixos/tests/sanoid.nix b/nixos/tests/sanoid.nix index da6d4c9ffe828..c691bfc08ef72 100644 --- a/nixos/tests/sanoid.nix +++ b/nixos/tests/sanoid.nix @@ -33,14 +33,22 @@ in { autosnap = true; }; - datasets."pool/test".useTemplate = [ "test" ]; + datasets."pool/sanoid".useTemplate = [ "test" ]; + extraArgs = [ "--verbose" ]; }; services.syncoid = { enable = true; sshKey = "/var/lib/syncoid/id_ecdsa"; - commonArgs = [ "--no-sync-snap" ]; - commands."pool/test".target = "root@target:pool/test"; + commands = { + # Sync snapshot taken by sanoid + "pool/sanoid" = { + target = "root@target:pool/sanoid"; + extraArgs = [ "--no-sync-snap" ]; + }; + # Take snapshot and sync + "pool/syncoid".target = "root@target:pool/syncoid"; + }; }; }; target = { ... }: { @@ -54,18 +62,19 @@ in { testScript = '' source.succeed( - "mkdir /tmp/mnt", + "mkdir /mnt", "parted --script /dev/vdb -- mklabel msdos mkpart primary 1024M -1s", "udevadm settle", - "zpool create pool /dev/vdb1", - "zfs create -o mountpoint=legacy pool/test", - "mount -t zfs pool/test /tmp/mnt", + "zpool create pool -R /mnt /dev/vdb1", + "zfs create pool/sanoid", + "zfs create pool/syncoid", "udevadm settle", ) target.succeed( + "mkdir /mnt", "parted --script /dev/vdb -- mklabel msdos mkpart primary 1024M -1s", "udevadm settle", - "zpool create pool /dev/vdb1", + "zpool create pool -R /mnt /dev/vdb1", "udevadm settle", ) @@ -76,16 +85,15 @@ in { "chown -R syncoid:syncoid /var/lib/syncoid/", ) - source.succeed("touch /tmp/mnt/test.txt") + # Take snapshot with sanoid + source.succeed("touch /mnt/pool/sanoid/test.txt") source.systemctl("start --wait sanoid.service") + # Sync snapshots target.wait_for_open_port(22) + source.succeed("touch /mnt/pool/syncoid/test.txt") source.systemctl("start --wait syncoid.service") - target.succeed( - "mkdir /tmp/mnt", - "zfs set mountpoint=legacy pool/test", - "mount -t zfs pool/test /tmp/mnt", - ) - target.succeed("cat /tmp/mnt/test.txt") + target.succeed("cat /mnt/pool/sanoid/test.txt") + target.succeed("cat /mnt/pool/syncoid/test.txt") ''; }) diff --git a/nixos/tests/searx.nix b/nixos/tests/searx.nix index 7c28eea30d207..2f808cb65266e 100644 --- a/nixos/tests/searx.nix +++ b/nixos/tests/searx.nix @@ -108,7 +108,7 @@ import ./make-test-python.nix ({ pkgs, ...} : "${pkgs.curl}/bin/curl --fail http://localhost/searx >&2" ) fancy.succeed( - "${pkgs.curl}/bin/curl --fail http://localhost/searx/static/js/bootstrap.min.js >&2" + "${pkgs.curl}/bin/curl --fail http://localhost/searx/static/themes/oscar/js/bootstrap.min.js >&2" ) ''; }) diff --git a/nixos/tests/shadow.nix b/nixos/tests/shadow.nix index e5755e8e0878c..dd2a575b1935a 100644 --- a/nixos/tests/shadow.nix +++ b/nixos/tests/shadow.nix @@ -13,14 +13,17 @@ in import ./make-test-python.nix ({ pkgs, ... }: { users = { mutableUsers = true; users.emma = { + isNormalUser = true; password = password1; shell = pkgs.bash; }; users.layla = { + isNormalUser = true; password = password2; shell = pkgs.shadow; }; users.ash = { + isNormalUser = true; password = password4; shell = pkgs.bash; }; @@ -33,9 +36,9 @@ in import ./make-test-python.nix ({ pkgs, ... }: { with subtest("Normal login"): shadow.send_key("alt-f2") - shadow.wait_until_succeeds(f"[ $(fgconsole) = 2 ]") - shadow.wait_for_unit(f"getty@tty2.service") - shadow.wait_until_succeeds(f"pgrep -f 'agetty.*tty2'") + shadow.wait_until_succeeds("[ $(fgconsole) = 2 ]") + shadow.wait_for_unit("getty@tty2.service") + shadow.wait_until_succeeds("pgrep -f 'agetty.*tty2'") shadow.wait_until_tty_matches(2, "login: ") shadow.send_chars("emma\n") shadow.wait_until_tty_matches(2, "login: emma") @@ -57,9 +60,9 @@ in import ./make-test-python.nix ({ pkgs, ... }: { with subtest("Change password"): shadow.send_key("alt-f3") - shadow.wait_until_succeeds(f"[ $(fgconsole) = 3 ]") - shadow.wait_for_unit(f"getty@tty3.service") - shadow.wait_until_succeeds(f"pgrep -f 'agetty.*tty3'") + shadow.wait_until_succeeds("[ $(fgconsole) = 3 ]") + shadow.wait_for_unit("getty@tty3.service") + shadow.wait_until_succeeds("pgrep -f 'agetty.*tty3'") shadow.wait_until_tty_matches(3, "login: ") shadow.send_chars("emma\n") shadow.wait_until_tty_matches(3, "login: emma") @@ -75,9 +78,9 @@ in import ./make-test-python.nix ({ pkgs, ... }: { shadow.send_chars("${password3}\n") shadow.sleep(2) shadow.send_key("alt-f4") - shadow.wait_until_succeeds(f"[ $(fgconsole) = 4 ]") - shadow.wait_for_unit(f"getty@tty4.service") - shadow.wait_until_succeeds(f"pgrep -f 'agetty.*tty4'") + shadow.wait_until_succeeds("[ $(fgconsole) = 4 ]") + shadow.wait_for_unit("getty@tty4.service") + shadow.wait_until_succeeds("pgrep -f 'agetty.*tty4'") shadow.wait_until_tty_matches(4, "login: ") shadow.send_chars("emma\n") shadow.wait_until_tty_matches(4, "login: emma") @@ -103,9 +106,9 @@ in import ./make-test-python.nix ({ pkgs, ... }: { with subtest("nologin shell"): shadow.send_key("alt-f5") - shadow.wait_until_succeeds(f"[ $(fgconsole) = 5 ]") - shadow.wait_for_unit(f"getty@tty5.service") - shadow.wait_until_succeeds(f"pgrep -f 'agetty.*tty5'") + shadow.wait_until_succeeds("[ $(fgconsole) = 5 ]") + shadow.wait_for_unit("getty@tty5.service") + shadow.wait_until_succeeds("pgrep -f 'agetty.*tty5'") shadow.wait_until_tty_matches(5, "login: ") shadow.send_chars("layla\n") shadow.wait_until_tty_matches(5, "login: layla") diff --git a/nixos/tests/signal-desktop.nix b/nixos/tests/signal-desktop.nix index c424288e00a90..42485cd0da7ed 100644 --- a/nixos/tests/signal-desktop.nix +++ b/nixos/tests/signal-desktop.nix @@ -3,7 +3,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { name = "signal-desktop"; meta = with pkgs.lib.maintainers; { - maintainers = [ flokli ]; + maintainers = [ flokli primeos ]; }; machine = { ... }: @@ -16,7 +16,7 @@ import ./make-test-python.nix ({ pkgs, ...} : services.xserver.enable = true; test-support.displayManager.auto.user = "alice"; - environment.systemPackages = [ pkgs.signal-desktop ]; + environment.systemPackages = with pkgs; [ signal-desktop file ]; virtualisation.memorySize = 1024; }; @@ -39,5 +39,16 @@ import ./make-test-python.nix ({ pkgs, ...} : machine.wait_for_text("Signal") machine.wait_for_text("File Edit View Window Help") machine.screenshot("signal_desktop") + + # Test if the database is encrypted to prevent these issues: + # - https://github.com/NixOS/nixpkgs/issues/108772 + # - https://github.com/NixOS/nixpkgs/pull/117555 + print(machine.succeed("su - alice -c 'file ~/.config/Signal/sql/db.sqlite'")) + machine.succeed( + "su - alice -c 'file ~/.config/Signal/sql/db.sqlite' | grep 'db.sqlite: data'" + ) + machine.fail( + "su - alice -c 'file ~/.config/Signal/sql/db.sqlite' | grep -e SQLite -e database" + ) ''; }) diff --git a/nixos/tests/solanum.nix b/nixos/tests/solanum.nix new file mode 100644 index 0000000000000..aabfb906aa818 --- /dev/null +++ b/nixos/tests/solanum.nix @@ -0,0 +1,89 @@ +let + clients = [ + "ircclient1" + "ircclient2" + ]; + server = "solanum"; + ircPort = 6667; + channel = "nixos-cat"; + iiDir = "/tmp/irc"; +in + +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "solanum"; + nodes = { + "${server}" = { + networking.firewall.allowedTCPPorts = [ ircPort ]; + services.solanum = { + enable = true; + }; + }; + } // lib.listToAttrs (builtins.map (client: lib.nameValuePair client { + imports = [ + ./common/user-account.nix + ]; + + systemd.services.ii = { + requires = [ "network.target" ]; + wantedBy = [ "default.target" ]; + + serviceConfig = { + Type = "simple"; + ExecPreStartPre = "mkdir -p ${iiDir}"; + ExecStart = '' + ${lib.getBin pkgs.ii}/bin/ii -n ${client} -s ${server} -i ${iiDir} + ''; + User = "alice"; + }; + }; + }) clients); + + testScript = + let + msg = client: "Hello, my name is ${client}"; + clientScript = client: [ + '' + ${client}.wait_for_unit("network.target") + ${client}.systemctl("start ii") + ${client}.wait_for_unit("ii") + ${client}.wait_for_file("${iiDir}/${server}/out") + '' + # wait until first PING from server arrives before joining, + # so we don't try it too early + '' + ${client}.wait_until_succeeds("grep 'PING' ${iiDir}/${server}/out") + '' + # join ${channel} + '' + ${client}.succeed("echo '/j #${channel}' > ${iiDir}/${server}/in") + ${client}.wait_for_file("${iiDir}/${server}/#${channel}/in") + '' + # send a greeting + '' + ${client}.succeed( + "echo '${msg client}' > ${iiDir}/${server}/#${channel}/in" + ) + '' + # check that all greetings arrived on all clients + ] ++ builtins.map (other: '' + ${client}.succeed( + "grep '${msg other}$' ${iiDir}/${server}/#${channel}/out" + ) + '') clients; + + # foldl', but requires a non-empty list instead of a start value + reduce = f: list: + builtins.foldl' f (builtins.head list) (builtins.tail list); + in '' + start_all() + ${server}.systemctl("status solanum") + ${server}.wait_for_open_port(${toString ircPort}) + + # run clientScript for all clients so that every list + # entry is executed by every client before advancing + # to the next one. + '' + lib.concatStrings + (reduce + (lib.zipListsWith (cs: c: cs + c)) + (builtins.map clientScript clients)); +}) diff --git a/nixos/tests/spacecookie.nix b/nixos/tests/spacecookie.nix index 5b5022a742787..a640657d8a6b6 100644 --- a/nixos/tests/spacecookie.nix +++ b/nixos/tests/spacecookie.nix @@ -1,47 +1,52 @@ let - gopherRoot = "/tmp/gopher"; - gopherHost = "gopherd"; - fileContent = "Hello Gopher!"; - fileName = "file.txt"; + gopherRoot = "/tmp/gopher"; + gopherHost = "gopherd"; + gopherClient = "client"; + fileContent = "Hello Gopher!\n"; + fileName = "file.txt"; in import ./make-test-python.nix ({...}: { name = "spacecookie"; nodes = { ${gopherHost} = { - networking.firewall.allowedTCPPorts = [ 70 ]; systemd.services.spacecookie = { preStart = '' mkdir -p ${gopherRoot}/directory - echo "${fileContent}" > ${gopherRoot}/${fileName} + printf "%s" "${fileContent}" > ${gopherRoot}/${fileName} ''; }; services.spacecookie = { enable = true; - root = gopherRoot; - hostname = gopherHost; + openFirewall = true; + settings = { + root = gopherRoot; + hostname = gopherHost; + }; }; }; - client = {}; + ${gopherClient} = {}; }; testScript = '' start_all() - ${gopherHost}.wait_for_open_port(70) + + # with daemon type notify, the unit being started + # should also mean the port is open ${gopherHost}.wait_for_unit("spacecookie.service") - client.wait_for_unit("network.target") + ${gopherClient}.wait_for_unit("network.target") - fileResponse = client.succeed("curl -f -s gopher://${gopherHost}//${fileName}") + fileResponse = ${gopherClient}.succeed("curl -f -s gopher://${gopherHost}/0/${fileName}") # the file response should return our created file exactly - if not (fileResponse == "${fileContent}\n"): + if not (fileResponse == "${builtins.replaceStrings [ "\n" ] [ "\\n" ] fileContent}"): raise Exception("Unexpected file response") # sanity check on the directory listing: we serve a directory and a file # via gopher, so the directory listing should have exactly two entries, # one with gopher file type 0 (file) and one with file type 1 (directory). - dirResponse = client.succeed("curl -f -s gopher://${gopherHost}") + dirResponse = ${gopherClient}.succeed("curl -f -s gopher://${gopherHost}") dirEntries = [l[0] for l in dirResponse.split("\n") if len(l) > 0] dirEntries.sort() diff --git a/nixos/tests/sudo.nix b/nixos/tests/sudo.nix index 2a85c490665a9..4885d6e17b829 100644 --- a/nixos/tests/sudo.nix +++ b/nixos/tests/sudo.nix @@ -10,7 +10,7 @@ in maintainers = [ lschuermann ]; }; - machine = + nodes.machine = { lib, ... }: with lib; { @@ -48,6 +48,19 @@ in }; }; + nodes.strict = { ... }: { + users.users = { + admin = { isNormalUser = true; extraGroups = [ "wheel" ]; }; + noadmin = { isNormalUser = true; }; + }; + + security.sudo = { + enable = true; + wheelNeedsPassword = false; + execWheelOnly = true; + }; + }; + testScript = '' with subtest("users in wheel group should have passwordless sudo"): @@ -79,5 +92,11 @@ in with subtest("users in group 'barfoo' should not be able to keep their environment"): machine.fail("sudo -u test3 sudo -n -E -u root true") + + with subtest("users in wheel should be able to run sudo despite execWheelOnly"): + strict.succeed('su - admin -c "sudo -u root true"') + + with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"): + strict.fail('su - noadmin -c "sudo --help"') ''; }) diff --git a/nixos/tests/sway.nix b/nixos/tests/sway.nix new file mode 100644 index 0000000000000..1d23b0e94313e --- /dev/null +++ b/nixos/tests/sway.nix @@ -0,0 +1,106 @@ +import ./make-test-python.nix ({ pkgs, lib, ...} : + +{ + name = "sway"; + meta = { + maintainers = with lib.maintainers; [ primeos synthetica ]; + }; + + machine = { config, ... }: { + # Automatically login on tty1 as a normal user: + imports = [ ./common/user-account.nix ]; + services.getty.autologinUser = "alice"; + + environment = { + # For glinfo and wayland-info: + systemPackages = with pkgs; [ mesa-demos wayland-utils ]; + # Use a fixed SWAYSOCK path (for swaymsg): + variables."SWAYSOCK" = "/tmp/sway-ipc.sock"; + # For convenience: + shellAliases = { + test-x11 = "glinfo | head -n 3 | tee /tmp/test-x11.out && touch /tmp/test-x11-exit-ok"; + test-wayland = "wayland-info | tee /tmp/test-wayland.out && touch /tmp/test-wayland-exit-ok"; + }; + }; + + # Automatically configure and start Sway when logging in on tty1: + programs.bash.loginShellInit = '' + if [ "$(tty)" = "/dev/tty1" ]; then + set -e + + mkdir -p ~/.config/sway + sed s/Mod4/Mod1/ /etc/sway/config > ~/.config/sway/config + + sway --validate + sway && touch /tmp/sway-exit-ok + fi + ''; + + programs.sway.enable = true; + + # To test pinentry via gpg-agent: + programs.gnupg.agent.enable = true; + + virtualisation.memorySize = 1024; + # Need to switch to a different VGA card / GPU driver than the default one (std) so that Sway can launch: + virtualisation.qemu.options = [ "-vga virtio" ]; + }; + + enableOCR = true; + + testScript = { nodes, ... }: '' + start_all() + machine.wait_for_unit("multi-user.target") + + # To check the version: + print(machine.succeed("sway --version")) + + # Wait for Sway to complete startup: + machine.wait_for_file("/run/user/1000/wayland-1") + machine.wait_for_file("/tmp/sway-ipc.sock") + + # Test XWayland: + machine.succeed( + "su - alice -c 'swaymsg exec WINIT_UNIX_BACKEND=x11 WAYLAND_DISPLAY=invalid alacritty'" + ) + machine.wait_for_text("alice@machine") + machine.send_chars("test-x11\n") + machine.wait_for_file("/tmp/test-x11-exit-ok") + print(machine.succeed("cat /tmp/test-x11.out")) + machine.screenshot("alacritty_glinfo") + machine.succeed("pkill alacritty") + + # Start a terminal (Alacritty) on workspace 3: + machine.send_key("alt-3") + machine.succeed( + "su - alice -c 'swaymsg exec WINIT_UNIX_BACKEND=wayland DISPLAY=invalid alacritty'" + ) + machine.wait_for_text("alice@machine") + machine.send_chars("test-wayland\n") + machine.wait_for_file("/tmp/test-wayland-exit-ok") + print(machine.succeed("cat /tmp/test-wayland.out")) + machine.screenshot("alacritty_wayland_info") + machine.send_key("alt-shift-q") + machine.wait_until_fails("pgrep alacritty") + + # Test gpg-agent starting pinentry-gnome3 via D-Bus (tests if + # $WAYLAND_DISPLAY is correctly imported into the D-Bus user env): + machine.succeed( + "su - alice -c 'swaymsg -- exec gpg --no-tty --yes --quick-generate-key test'" + ) + machine.wait_until_succeeds("pgrep --exact gpg") + machine.wait_for_text("Passphrase") + machine.screenshot("gpg_pinentry") + machine.send_key("alt-shift-q") + machine.wait_until_fails("pgrep --exact gpg") + + # Test swaynag: + machine.send_key("alt-shift-e") + machine.wait_for_text("You pressed the exit shortcut.") + machine.screenshot("sway_exit") + + # Exit Sway and verify process exit status 0: + machine.succeed("su - alice -c 'swaymsg exit || true'") + machine.wait_for_file("/tmp/sway-exit-ok") + ''; +}) diff --git a/nixos/tests/systemd-confinement.nix b/nixos/tests/systemd-confinement.nix index ebf6d218fd68c..e6a308f46d27d 100644 --- a/nixos/tests/systemd-confinement.nix +++ b/nixos/tests/systemd-confinement.nix @@ -59,7 +59,8 @@ import ./make-test-python.nix { "chroot-exec chown 65534 /bin", ) machine.succeed( - 'test "$(chroot-exec id -u)" = 0', "chroot-exec chown 0 /bin", + 'test "$(chroot-exec id -u)" = 0', + "chroot-exec chown 0 /bin", ) ''; } @@ -150,6 +151,7 @@ import ./make-test-python.nix { config.users.groups.chroot-testgroup = {}; config.users.users.chroot-testuser = { + isSystemUser = true; description = "Chroot Test User"; group = "chroot-testgroup"; }; diff --git a/nixos/tests/systemd-networkd.nix b/nixos/tests/systemd-networkd.nix index 4f2cb75f5a0cb..7faeae3704eca 100644 --- a/nixos/tests/systemd-networkd.nix +++ b/nixos/tests/systemd-networkd.nix @@ -6,7 +6,6 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: { networking.firewall.enable = false; virtualisation.vlans = [ 1 ]; environment.systemPackages = with pkgs; [ wireguard-tools ]; - boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ]; systemd.network = { enable = true; netdevs = { diff --git a/nixos/tests/trafficserver.nix b/nixos/tests/trafficserver.nix new file mode 100644 index 0000000000000..3979a1b4a4825 --- /dev/null +++ b/nixos/tests/trafficserver.nix @@ -0,0 +1,176 @@ +# verifies: +# 1. Traffic Server is able to start +# 2. Traffic Server spawns traffic_crashlog upon startup +# 3. Traffic Server proxies HTTP requests according to URL remapping rules +# in 'services.trafficserver.remap' +# 4. Traffic Server applies per-map settings specified with the conf_remap +# plugin +# 5. Traffic Server caches HTTP responses +# 6. Traffic Server processes HTTP PUSH requests +# 7. Traffic Server can load the healthchecks plugin +# 8. Traffic Server logs HTTP traffic as configured +# +# uses: +# - bin/traffic_manager +# - bin/traffic_server +# - bin/traffic_crashlog +# - bin/traffic_cache_tool +# - bin/traffic_ctl +# - bin/traffic_logcat +# - bin/traffic_logstats +# - bin/tspush +import ./make-test-python.nix ({ pkgs, ... }: { + name = "trafficserver"; + meta = with pkgs.lib.maintainers; { + maintainers = [ midchildan ]; + }; + + nodes = { + ats = { pkgs, lib, config, ... }: let + user = config.users.users.trafficserver.name; + group = config.users.groups.trafficserver.name; + healthchecks = pkgs.writeText "healthchecks.conf" '' + /status /tmp/ats.status text/plain 200 500 + ''; + in { + services.trafficserver.enable = true; + + services.trafficserver.records = { + proxy.config.http.server_ports = "80 80:ipv6"; + proxy.config.hostdb.host_file.path = "/etc/hosts"; + proxy.config.log.max_space_mb_headroom = 0; + proxy.config.http.push_method_enabled = 1; + + # check that cache storage is usable before accepting traffic + proxy.config.http.wait_for_cache = 2; + }; + + services.trafficserver.plugins = [ + { path = "healthchecks.so"; arg = toString healthchecks; } + { path = "xdebug.so"; } + ]; + + services.trafficserver.remap = '' + map http://httpbin.test http://httpbin + map http://pristine-host-hdr.test http://httpbin \ + @plugin=conf_remap.so \ + @pparam=proxy.config.url_remap.pristine_host_hdr=1 + map http://ats/tspush http://httpbin/cache \ + @plugin=conf_remap.so \ + @pparam=proxy.config.http.cache.required_headers=0 + ''; + + services.trafficserver.storage = '' + /dev/vdb volume=1 + ''; + + networking.firewall.allowedTCPPorts = [ 80 ]; + virtualisation.emptyDiskImages = [ 256 ]; + services.udev.extraRules = '' + KERNEL=="vdb", OWNER="${user}", GROUP="${group}" + ''; + }; + + httpbin = { pkgs, lib, ... }: let + python = pkgs.python3.withPackages + (ps: with ps; [ httpbin gunicorn gevent ]); + in { + systemd.services.httpbin = { + enable = true; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${python}/bin/gunicorn -b 0.0.0.0:80 httpbin:app -k gevent"; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 ]; + }; + + client = { pkgs, lib, ... }: { + environment.systemPackages = with pkgs; [ curl ]; + }; + }; + + testScript = { nodes, ... }: let + sampleFile = pkgs.writeText "sample.txt" '' + It's the season of White Album. + ''; + in '' + import json + import re + + ats.wait_for_unit("trafficserver") + ats.wait_for_open_port(80) + httpbin.wait_for_unit("httpbin") + httpbin.wait_for_open_port(80) + + with subtest("Traffic Server is running"): + out = ats.succeed("traffic_ctl server status") + assert out.strip() == "Proxy -- on" + + with subtest("traffic_crashlog is running"): + ats.succeed("pgrep -f traffic_crashlog") + + with subtest("basic remapping works"): + out = client.succeed("curl -vv -H 'Host: httpbin.test' http://ats/headers") + assert json.loads(out)["headers"]["Host"] == "httpbin" + + with subtest("conf_remap plugin works"): + out = client.succeed( + "curl -vv -H 'Host: pristine-host-hdr.test' http://ats/headers" + ) + assert json.loads(out)["headers"]["Host"] == "pristine-host-hdr.test" + + with subtest("caching works"): + out = client.succeed( + "curl -vv -D - -H 'Host: httpbin.test' -H 'X-Debug: X-Cache' http://ats/cache/60 -o /dev/null" + ) + assert "X-Cache: miss" in out + + out = client.succeed( + "curl -vv -D - -H 'Host: httpbin.test' -H 'X-Debug: X-Cache' http://ats/cache/60 -o /dev/null" + ) + assert "X-Cache: hit-fresh" in out + + with subtest("pushing to cache works"): + url = "http://ats/tspush" + + ats.succeed(f"echo {url} > /tmp/urls.txt") + out = ats.succeed( + f"tspush -f '${sampleFile}' -u {url}" + ) + assert "HTTP/1.0 201 Created" in out, "cache push failed" + + out = ats.succeed( + "traffic_cache_tool --spans /etc/trafficserver/storage.config find --input /tmp/urls.txt" + ) + assert "Span: /dev/vdb" in out, "cache not stored on disk" + + out = client.succeed(f"curl {url}").strip() + expected = ( + open("${sampleFile}").read().strip() + ) + assert out == expected, "cache content mismatch" + + with subtest("healthcheck plugin works"): + out = client.succeed("curl -vv http://ats/status -o /dev/null -w '%{http_code}'") + assert out.strip() == "500" + + ats.succeed("touch /tmp/ats.status") + + out = client.succeed("curl -vv http://ats/status -o /dev/null -w '%{http_code}'") + assert out.strip() == "200" + + with subtest("logging works"): + access_log_path = "/var/log/trafficserver/squid.blog" + ats.wait_for_file(access_log_path) + + out = ats.succeed(f"traffic_logcat {access_log_path}").split("\n")[0] + expected = "^\S+ \S+ \S+ TCP_MISS/200 \S+ GET http://httpbin/headers - DIRECT/httpbin application/json$" + assert re.fullmatch(expected, out) is not None, "no matching logs" + + out = json.loads(ats.succeed(f"traffic_logstats -jf {access_log_path}")) + assert out["total"]["error.total"]["req"] == "0", "unexpected log stat" + ''; +}) diff --git a/nixos/tests/unbound.nix b/nixos/tests/unbound.nix index d4b8bb15ced6d..fcfa222299c88 100644 --- a/nixos/tests/unbound.nix +++ b/nixos/tests/unbound.nix @@ -61,13 +61,16 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: services.unbound = { enable = true; - interfaces = [ "192.168.0.1" "fd21::1" "::1" "127.0.0.1" ]; - allowedAccess = [ "192.168.0.0/24" "fd21::/64" "::1" "127.0.0.0/8" ]; - extraConfig = '' - server: - local-data: "example.local. IN A 1.2.3.4" - local-data: "example.local. IN AAAA abcd::eeff" - ''; + settings = { + server = { + interface = [ "192.168.0.1" "fd21::1" "::1" "127.0.0.1" ]; + access-control = [ "192.168.0.0/24 allow" "fd21::/64 allow" "::1 allow" "127.0.0.0/8 allow" ]; + local-data = [ + ''"example.local. IN A 1.2.3.4"'' + ''"example.local. IN AAAA abcd::eeff"'' + ]; + }; + }; }; }; @@ -90,19 +93,25 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: services.unbound = { enable = true; - allowedAccess = [ "192.168.0.0/24" "fd21::/64" "::1" "127.0.0.0/8" ]; - interfaces = [ "::1" "127.0.0.1" "192.168.0.2" "fd21::2" - "192.168.0.2@853" "fd21::2@853" "::1@853" "127.0.0.1@853" - "192.168.0.2@443" "fd21::2@443" "::1@443" "127.0.0.1@443" ]; - forwardAddresses = [ - (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv6.addresses).address - (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv4.addresses).address - ]; - extraConfig = '' - server: - tls-service-pem: ${cert}/cert.pem - tls-service-key: ${cert}/key.pem - ''; + settings = { + server = { + interface = [ "::1" "127.0.0.1" "192.168.0.2" "fd21::2" + "192.168.0.2@853" "fd21::2@853" "::1@853" "127.0.0.1@853" + "192.168.0.2@443" "fd21::2@443" "::1@443" "127.0.0.1@443" ]; + access-control = [ "192.168.0.0/24 allow" "fd21::/64 allow" "::1 allow" "127.0.0.0/8 allow" ]; + tls-service-pem = "${cert}/cert.pem"; + tls-service-key = "${cert}/key.pem"; + }; + forward-zone = [ + { + name = "."; + forward-addr = [ + (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv6.addresses).address + (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv4.addresses).address + ]; + } + ]; + }; }; }; @@ -122,30 +131,36 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: services.unbound = { enable = true; - allowedAccess = [ "::1" "127.0.0.0/8" ]; - interfaces = [ "::1" "127.0.0.1" ]; + settings = { + server = { + interface = [ "::1" "127.0.0.1" ]; + access-control = [ "::1 allow" "127.0.0.0/8 allow" ]; + }; + include = "/etc/unbound/extra*.conf"; + }; localControlSocketPath = "/run/unbound/unbound.ctl"; - extraConfig = '' - include: "/etc/unbound/extra*.conf" - ''; }; users.users = { # user that is permitted to access the unix socket - someuser.extraGroups = [ - config.users.users.unbound.group - ]; + someuser = { + isSystemUser = true; + extraGroups = [ + config.users.users.unbound.group + ]; + }; # user that is not permitted to access the unix socket - unauthorizeduser = {}; + unauthorizeduser = { isSystemUser = true; }; }; + # Used for testing configuration reloading environment.etc = { "unbound-extra1.conf".text = '' forward-zone: - name: "example.local." - forward-addr: ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv6.addresses).address} - forward-addr: ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv4.addresses).address} + name: "example.local." + forward-addr: ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv6.addresses).address} + forward-addr: ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv4.addresses).address} ''; "unbound-extra2.conf".text = '' auth-zone: @@ -177,7 +192,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: testScript = { nodes, ... }: '' import typing - import json zone = "example.local." records = [("AAAA", "abcd::eeff"), ("A", "1.2.3.4")] diff --git a/nixos/tests/v2ray.nix b/nixos/tests/v2ray.nix index f1b2570cc8604..4808e149d31ed 100644 --- a/nixos/tests/v2ray.nix +++ b/nixos/tests/v2ray.nix @@ -3,7 +3,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: let v2rayUser = { # A random UUID. id = "a6a46834-2150-45f8-8364-0f6f6ab32384"; - alterId = 4; + alterId = 0; # Non-zero support will be disabled in the future. }; # 1080 [http proxy] -> 1081 [vmess] -> direct diff --git a/nixos/tests/virtualbox.nix b/nixos/tests/virtualbox.nix index 0a7369b0fa2aa..09314d93b7d04 100644 --- a/nixos/tests/virtualbox.nix +++ b/nixos/tests/virtualbox.nix @@ -226,18 +226,16 @@ let def create_vm_${name}(): - # fmt: off - vbm(f"createvm --name ${name} ${createFlags}") - vbm(f"modifyvm ${name} ${vmFlags}") - vbm(f"setextradata ${name} VBoxInternal/PDM/HaltOnReset 1") - vbm(f"storagectl ${name} ${controllerFlags}") - vbm(f"storageattach ${name} ${diskFlags}") - vbm(f"sharedfolder add ${name} ${sharedFlags}") - vbm(f"sharedfolder add ${name} ${nixstoreFlags}") + vbm("createvm --name ${name} ${createFlags}") + vbm("modifyvm ${name} ${vmFlags}") + vbm("setextradata ${name} VBoxInternal/PDM/HaltOnReset 1") + vbm("storagectl ${name} ${controllerFlags}") + vbm("storageattach ${name} ${diskFlags}") + vbm("sharedfolder add ${name} ${sharedFlags}") + vbm("sharedfolder add ${name} ${nixstoreFlags}") cleanup_${name}() ${mkLog "$HOME/VirtualBox VMs/${name}/Logs/VBox.log" "HOST-${name}"} - # fmt: on def destroy_vm_${name}(): @@ -259,9 +257,7 @@ let def wait_for_ip_${name}(interface): property = f"/VirtualBox/GuestInfo/Net/{interface}/V4/IP" - # fmt: off getip = f"VBoxManage guestproperty get ${name} {property} | sed -n -e 's/^Value: //p'" - # fmt: on ip = machine.succeed( ru( @@ -394,9 +390,7 @@ let machine.wait_for_x() - # fmt: off ${mkLog "$HOME/.config/VirtualBox/VBoxSVC.log" "HOST-SVC"} - # fmt: on ${testScript} # (keep black happy) diff --git a/nixos/tests/web-servers/unit-php.nix b/nixos/tests/web-servers/unit-php.nix index 24d6f5f16a72c..c4e89f069f16d 100644 --- a/nixos/tests/web-servers/unit-php.nix +++ b/nixos/tests/web-servers/unit-php.nix @@ -34,7 +34,7 @@ in { }; users = { users.testuser = { - isNormalUser = false; + isSystemUser = true; uid = 1074; group = "testgroup"; }; diff --git a/nixos/tests/wmderland.nix b/nixos/tests/wmderland.nix new file mode 100644 index 0000000000000..6de0cd9212eea --- /dev/null +++ b/nixos/tests/wmderland.nix @@ -0,0 +1,54 @@ +import ./make-test-python.nix ({ pkgs, ...} : { + name = "wmderland"; + meta = with pkgs.lib.maintainers; { + maintainers = [ takagiy ]; + }; + + machine = { lib, ... }: { + imports = [ ./common/x11.nix ./common/user-account.nix ]; + test-support.displayManager.auto.user = "alice"; + services.xserver.displayManager.defaultSession = lib.mkForce "none+wmderland"; + services.xserver.windowManager.wmderland.enable = true; + + systemd.services.setupWmderlandConfig = { + wantedBy = [ "multi-user.target" ]; + before = [ "multi-user.target" ]; + environment = { + HOME = "/home/alice"; + }; + unitConfig = { + type = "oneshot"; + RemainAfterExit = true; + user = "alice"; + }; + script = let + config = pkgs.writeText "config" '' + set $Mod = Mod1 + bindsym $Mod+Return exec ${pkgs.xterm}/bin/xterm -cm -pc + ''; + in '' + mkdir -p $HOME/.config/wmderland + cp ${config} $HOME/.config/wmderland/config + ''; + }; + }; + + testScript = { ... }: '' + with subtest("ensure x starts"): + machine.wait_for_x() + machine.wait_for_file("/home/alice/.Xauthority") + machine.succeed("xauth merge ~alice/.Xauthority") + + with subtest("ensure we can open a new terminal"): + machine.send_key("alt-ret") + machine.wait_until_succeeds("pgrep xterm") + machine.wait_for_window(r"alice.*?machine") + machine.screenshot("terminal") + + with subtest("ensure we can communicate through ipc with wmderlandc"): + # Kills the previously open xterm + machine.succeed("pgrep xterm") + machine.execute("DISPLAY=:0 wmderlandc kill") + machine.fail("pgrep xterm") + ''; +}) diff --git a/nixos/tests/yggdrasil.nix b/nixos/tests/yggdrasil.nix index 0b58ad29aa2b1..0e75ed54db281 100644 --- a/nixos/tests/yggdrasil.nix +++ b/nixos/tests/yggdrasil.nix @@ -147,7 +147,7 @@ in import ./make-test-python.nix ({ pkgs, ...} : { # If Alice can talk to Carol, then Bob's outbound peering and Carol's # local peering have succeeded and everybody is connected. alice.wait_until_succeeds(f"ping -c 1 {carol_ip6}") - alice.succeed(f"ping -c 1 ${bobIp6}") + alice.succeed("ping -c 1 ${bobIp6}") bob.succeed("ping -c 1 ${aliceIp6}") bob.succeed(f"ping -c 1 {carol_ip6}") diff --git a/nixos/tests/zigbee2mqtt.nix b/nixos/tests/zigbee2mqtt.nix index b7bb21f9227af..98aadbb699bdf 100644 --- a/nixos/tests/zigbee2mqtt.nix +++ b/nixos/tests/zigbee2mqtt.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: { machine = { pkgs, ... }: @@ -6,6 +6,8 @@ import ./make-test-python.nix ({ pkgs, ... }: services.zigbee2mqtt = { enable = true; }; + + systemd.services.zigbee2mqtt.serviceConfig.DevicePolicy = lib.mkForce "auto"; }; testScript = '' @@ -14,6 +16,8 @@ import ./make-test-python.nix ({ pkgs, ... }: machine.succeed( "journalctl -eu zigbee2mqtt | grep \"Error: Error while opening serialport 'Error: Error: No such file or directory, cannot open /dev/ttyACM0'\"" ) + + machine.log(machine.succeed("systemd-analyze security zigbee2mqtt.service")) ''; } ) |