diff options
Diffstat (limited to 'nixos')
49 files changed, 928 insertions, 588 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 85c3ee7a1aa07..a2041db2a8744 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -8,6 +8,8 @@ - LXD now supports virtual machine instances to complement the existing container support +- The `nixos-rebuild` command has been given a `list-generations` subcommand. See `man nixos-rebuild` for more details. + ## New Services {#sec-release-23.11-new-services} - [MCHPRS](https://github.com/MCHPR/MCHPRS), a multithreaded Minecraft server built for redstone. Available as [services.mchprs](#opt-services.mchprs.enable). @@ -89,6 +91,8 @@ - `getent` has been moved from `glibc`'s `bin` output to its own dedicated output, reducing closure size for many dependents. Dependents using the `getent` alias should not be affected; others should move from using `glibc.bin` or `getBin glibc` to `getent` (which also improves compatibility with non-glibc platforms). +- The `users.users.<name>.passwordFile` has been renamed to `users.users.<name>.hashedPasswordFile` to avoid possible confusions. The option is in fact the file-based version of `hashedPassword`, not `password`, and expects a file containing the {manpage}`crypt(3)` hash of the user password. + - The `services.ananicy.extraRules` option now has the type of `listOf attrs` instead of `string`. - JACK tools (`jack_*` except `jack_control`) have moved from the `jack2` package to `jack-example-tools` @@ -187,6 +191,12 @@ - `kratos` has been updated from 0.10.1 to the first stable version 1.0.0, please read the [0.10.1 to 0.11.0](https://github.com/ory/kratos/releases/tag/v0.11.0), [0.11.0 to 0.11.1](https://github.com/ory/kratos/releases/tag/v0.11.1), [0.11.1 to 0.13.0](https://github.com/ory/kratos/releases/tag/v0.13.0) and [0.13.0 to 1.0.0](https://github.com/ory/kratos/releases/tag/v1.0.0) upgrade guides. The most notable breaking change is the introduction of one-time passwords (`code`) and update of the default recovery strategy from `link` to `code`. +- The `hail` NixOS module was removed, as `hail` was unmaintained since 2017. + +- Package `noto-fonts-emoji` was renamed to `noto-fonts-color-emoji`; + see [#221181](https://github.com/NixOS/nixpkgs/issues/221181). + + ## Other Notable Changes {#sec-release-23.11-notable-changes} - The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration. @@ -229,6 +239,8 @@ The module update takes care of the new config syntax and the data itself (user - `services.nginx` gained a `defaultListen` option at server-level with support for PROXY protocol listeners, also `proxyProtocol` is now exposed in `services.nginx.virtualHosts.<name>.listen` option. It is now possible to run PROXY listeners and non-PROXY listeners at a server-level, see [#213510](https://github.com/NixOS/nixpkgs/pull/213510/) for more details. +- `services.restic.backups` now adds wrapper scripts to your system path, which set the same environment variables as the service, so restic operations can easly be run from the command line. This behavior can be disabled by setting `createWrapper` to `false`, per backup configuration. + - `services.prometheus.exporters` has a new exporter to monitor electrical power consumption based on PowercapRAPL sensor called [Scaphandre](https://github.com/hubblo-org/scaphandre), see [#239803](https://github.com/NixOS/nixpkgs/pull/239803) for more details. - The MariaDB C client library was upgraded from 3.2.x to 3.3.x. It is recomended to review the [upstream release notes](https://mariadb.com/kb/en/mariadb-connector-c-33-release-notes/). @@ -257,6 +269,12 @@ The module update takes care of the new config syntax and the data itself (user - The `cawbird` package is dropped from nixpkgs, as it got broken by the Twitter API closing down and has been abandoned upstream. +- `hardware.nvidia` gained `datacenter` options for enabling NVIDIA Data Center drivers and configuration of NVLink/NVSwitch topologies through `nv-fabricmanager`. + +- Certificate generation via the `security.acme` now limits the concurrent number of running certificate renewals and generation jobs, to avoid spiking resource usage when processing many certificates at once. The limit defaults to *5* and can be adjusted via `maxConcurrentRenewals`. Setting it to *0* disables the limits altogether. + +- New `boot.bcache.enable` (default enabled) allows completely removing `bcache` mount support. + ## Nixpkgs internals {#sec-release-23.11-nixpkgs-internals} - The use of `sourceRoot = "source";`, `sourceRoot = "source/subdir";`, and similar lines in package derivations using the default `unpackPhase` is deprecated as it requires `unpackPhase` to always produce a directory named "source". Use `sourceRoot = src.name`, `sourceRoot = "${src.name}/subdir";`, or `setSourceRoot = "sourceRoot=$(echo */subdir)";` or similar instead. @@ -284,3 +302,5 @@ The module update takes care of the new config syntax and the data itself (user ./common/auto-format-root-device.nix ];` When you use the systemd initrd, you can automatically format the root device by setting `virtualisation.fileSystems."/".autoFormat = true;`. + +- The `electron` packages now places its application files in `$out/libexec/electron` instead of `$out/lib/electron`. Packages using electron-builder will fail to build and need to be adjusted by changing `lib` to `libexec`. diff --git a/nixos/modules/config/fonts/packages.nix b/nixos/modules/config/fonts/packages.nix index 46907d5411ca5..37b705ecb345a 100644 --- a/nixos/modules/config/fonts/packages.nix +++ b/nixos/modules/config/fonts/packages.nix @@ -37,7 +37,7 @@ in gyre-fonts # TrueType substitutes for standard PostScript fonts liberation_ttf unifont - noto-fonts-emoji + noto-fonts-color-emoji ]); }; } diff --git a/nixos/modules/config/terminfo.nix b/nixos/modules/config/terminfo.nix index 82f9ae48372af..1ae8e82c471e6 100644 --- a/nixos/modules/config/terminfo.nix +++ b/nixos/modules/config/terminfo.nix @@ -16,16 +16,24 @@ with lib; config = { - # can be generated with: filter (drv: (builtins.tryEval (drv ? terminfo)).value) (attrValues pkgs) + # can be generated with: + # attrNames (filterAttrs + # (_: drv: (builtins.tryEval (isDerivation drv && drv ? terminfo)).value) + # pkgs) environment.systemPackages = mkIf config.environment.enableAllTerminfo (map (x: x.terminfo) (with pkgs; [ alacritty + contour foot kitty mtm + rio rxvt-unicode-unwrapped rxvt-unicode-unwrapped-emoji + st termite + tmux wezterm + yaft ])); environment.pathsToLink = [ diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 684b4bc8fbcc5..4893d28924ebd 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -18,11 +18,11 @@ let passwordDescription = '' The options {option}`hashedPassword`, - {option}`password` and {option}`passwordFile` + {option}`password` and {option}`hashedPasswordFile` controls what password is set for the user. {option}`hashedPassword` overrides both - {option}`password` and {option}`passwordFile`. - {option}`password` overrides {option}`passwordFile`. + {option}`password` and {option}`hashedPasswordFile`. + {option}`password` overrides {option}`hashedPasswordFile`. If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option {option}`users.mutableUsers` is true, the @@ -250,18 +250,26 @@ let ''; }; - passwordFile = mkOption { + hashedPasswordFile = mkOption { type = with types; nullOr str; - default = null; + default = cfg.users.${name}.passwordFile; + defaultText = literalExpression "null"; description = lib.mdDoc '' - The full path to a file that contains the user's password. The password - file is read on each system activation. The file should contain - exactly one line, which should be the password in an encrypted form - that is suitable for the `chpasswd -e` command. + The full path to a file that contains the hash of the user's + password. The password file is read on each system activation. The + file should contain exactly one line, which should be the password in + an encrypted form that is suitable for the `chpasswd -e` command. ${passwordDescription} ''; }; + passwordFile = mkOption { + type = with types; nullOr (passwdEntry str); + default = null; + visible = false; + description = lib.mdDoc "Deprecated alias of hashedPasswordFile"; + }; + initialHashedPassword = mkOption { type = with types; nullOr (passwdEntry str); default = null; @@ -447,7 +455,7 @@ let users = mapAttrsToList (_: u: { inherit (u) name uid group description home homeMode createHome isSystemUser - password passwordFile hashedPassword + password hashedPasswordFile hashedPassword autoSubUidGidRange subUidRanges subGidRanges initialPassword initialHashedPassword expires; shell = utils.toShellPath u.shell; @@ -756,7 +764,7 @@ in { && (allowsLogin cfg.hashedPassword || cfg.password != null - || cfg.passwordFile != null + || cfg.hashedPasswordFile != null || cfg.openssh.authorizedKeys.keys != [] || cfg.openssh.authorizedKeys.keyFiles != []) ) cfg.users ++ [ @@ -845,9 +853,13 @@ in { The password hash of user "${user.name}" may be invalid. You must set a valid hash or the user will be locked out of their account. Please check the value of option `users.users."${user.name}".hashedPassword`.'' - else null - )); - + else null) + ++ flip mapAttrsToList cfg.users (name: user: + if user.passwordFile != null then + ''The option `users.users."${name}".passwordFile' has been renamed '' + + ''to `users.users."${name}".hashedPasswordFile'.'' + else null) + ); }; } diff --git a/nixos/modules/hardware/decklink.nix b/nixos/modules/hardware/decklink.nix new file mode 100644 index 0000000000000..d179e1d7634ff --- /dev/null +++ b/nixos/modules/hardware/decklink.nix @@ -0,0 +1,16 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.hardware.decklink; + kernelPackages = config.boot.kernelPackages; +in +{ + options.hardware.decklink.enable = lib.mkEnableOption "hardware support for the Blackmagic Design Decklink audio/video interfaces"; + + config = lib.mkIf cfg.enable { + boot.kernelModules = [ "blackmagic" "blackmagic-io" "snd_blackmagic-io" ]; + boot.extraModulePackages = [ kernelPackages.decklink ]; + systemd.packages = [ pkgs.blackmagic-desktop-video ]; + systemd.services.DesktopVideoHelper.wantedBy = [ "multi-user.target" ]; + }; +} diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 67c3afcf320a9..0b1238dd888a5 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -4,8 +4,10 @@ pkgs, ... }: let + x11Enabled = config.services.xserver.enable + && (lib.elem "nvidia" config.services.xserver.videoDrivers); nvidia_x11 = - if (lib.elem "nvidia" config.services.xserver.videoDrivers) + if x11Enabled || cfg.datacenter.enable then cfg.package else null; @@ -18,9 +20,64 @@ primeEnabled = syncCfg.enable || reverseSyncCfg.enable || offloadCfg.enable; busIDType = lib.types.strMatching "([[:print:]]+[\:\@][0-9]{1,3}\:[0-9]{1,2}\:[0-9])?"; ibtSupport = cfg.open || (nvidia_x11.ibtSupport or false); + settingsFormat = pkgs.formats.keyValue {}; in { options = { hardware.nvidia = { + datacenter.enable = lib.mkEnableOption (lib.mdDoc '' + Data Center drivers for NVIDIA cards on a NVLink topology. + ''); + datacenter.settings = lib.mkOption { + type = settingsFormat.type; + default = { + LOG_LEVEL=4; + LOG_FILE_NAME="/var/log/fabricmanager.log"; + LOG_APPEND_TO_LOG=1; + LOG_FILE_MAX_SIZE=1024; + LOG_USE_SYSLOG=0; + DAEMONIZE=1; + BIND_INTERFACE_IP="127.0.0.1"; + STARTING_TCP_PORT=16000; + FABRIC_MODE=0; + FABRIC_MODE_RESTART=0; + STATE_FILE_NAME="/var/tmp/fabricmanager.state"; + FM_CMD_BIND_INTERFACE="127.0.0.1"; + FM_CMD_PORT_NUMBER=6666; + FM_STAY_RESIDENT_ON_FAILURES=0; + ACCESS_LINK_FAILURE_MODE=0; + TRUNK_LINK_FAILURE_MODE=0; + NVSWITCH_FAILURE_MODE=0; + ABORT_CUDA_JOBS_ON_FM_EXIT=1; + TOPOLOGY_FILE_PATH=nvidia_x11.fabricmanager + "/share/nvidia-fabricmanager/nvidia/nvswitch"; + }; + defaultText = lib.literalExpression '' + { + LOG_LEVEL=4; + LOG_FILE_NAME="/var/log/fabricmanager.log"; + LOG_APPEND_TO_LOG=1; + LOG_FILE_MAX_SIZE=1024; + LOG_USE_SYSLOG=0; + DAEMONIZE=1; + BIND_INTERFACE_IP="127.0.0.1"; + STARTING_TCP_PORT=16000; + FABRIC_MODE=0; + FABRIC_MODE_RESTART=0; + STATE_FILE_NAME="/var/tmp/fabricmanager.state"; + FM_CMD_BIND_INTERFACE="127.0.0.1"; + FM_CMD_PORT_NUMBER=6666; + FM_STAY_RESIDENT_ON_FAILURES=0; + ACCESS_LINK_FAILURE_MODE=0; + TRUNK_LINK_FAILURE_MODE=0; + NVSWITCH_FAILURE_MODE=0; + ABORT_CUDA_JOBS_ON_FM_EXIT=1; + TOPOLOGY_FILE_PATH=nvidia_x11.fabricmanager + "/share/nvidia-fabricmanager/nvidia/nvswitch"; + } + ''; + description = lib.mdDoc '' + Additional configuration options for fabricmanager. + ''; + }; + powerManagement.enable = lib.mkEnableOption (lib.mdDoc '' experimental power management through systemd. For more information, see the NVIDIA docs, on Chapter 21. Configuring Power Management Support. @@ -167,9 +224,15 @@ in { It also drastically increases the time the driver needs to clock down after load. ''); - package = lib.mkPackageOptionMD config.boot.kernelPackages.nvidiaPackages "nvidia_x11" { - default = "stable"; + package = lib.mkOption { + default = config.boot.kernelPackages.nvidiaPackages."${if cfg.datacenter.enable then "dc" else "stable"}"; + defaultText = lib.literalExpression '' + config.boot.kernelPackages.nvidiaPackages."\$\{if cfg.datacenter.enable then "dc" else "stable"}" + ''; example = lib.mdDoc "config.boot.kernelPackages.nvidiaPackages.legacy_470"; + description = lib.mdDoc '' + The NVIDIA driver package to use. + ''; }; open = lib.mkEnableOption (lib.mdDoc '' @@ -188,8 +251,46 @@ in { then pCfg.intelBusId else pCfg.amdgpuBusId; in - lib.mkIf (nvidia_x11 != null) { - assertions = [ + lib.mkIf (nvidia_x11 != null) (lib.mkMerge [ + # Common + ({ + assertions = [ + { + assertion = !(x11Enabled && cfg.datacenter.enable); + message = "You cannot configure both X11 and Data Center drivers at the same time."; + } + ]; + boot = { + blacklistedKernelModules = ["nouveau" "nvidiafb"]; + kernelModules = [ "nvidia-uvm" ]; + }; + systemd.tmpfiles.rules = + lib.optional config.virtualisation.docker.enableNvidia + "L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin"; + services.udev.extraRules = + '' + # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded. + KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 255'" + KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'for i in $$(cat /proc/driver/nvidia/gpus/*/information | grep Minor | cut -d \ -f 4); do mknod -m 666 /dev/nvidia$${i} c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) $${i}; done'" + KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 254'" + KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" + KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 1'" + ''; + hardware.opengl = { + extraPackages = [ + nvidia_x11.out + ]; + extraPackages32 = [ + nvidia_x11.lib32 + ]; + }; + environment.systemPackages = [ + nvidia_x11.bin + ]; + }) + # X11 + (lib.mkIf x11Enabled { + assertions = [ { assertion = primeEnabled -> pCfg.intelBusId == "" || pCfg.amdgpuBusId == ""; message = "You cannot configure both an Intel iGPU and an AMD APU. Pick the one corresponding to your processor."; @@ -248,227 +349,207 @@ in { { assertion = cfg.dynamicBoost.enable -> lib.versionAtLeast nvidia_x11.version "510.39.01"; message = "NVIDIA's Dynamic Boost feature only exists on versions >= 510.39.01"; - } - ]; - - # If Optimus/PRIME is enabled, we: - # - Specify the configured NVIDIA GPU bus ID in the Device section for the - # "nvidia" driver. - # - Add the AllowEmptyInitialConfiguration option to the Screen section for the - # "nvidia" driver, in order to allow the X server to start without any outputs. - # - Add a separate Device section for the Intel GPU, using the "modesetting" - # driver and with the configured BusID. - # - OR add a separate Device section for the AMD APU, using the "amdgpu" - # driver and with the configures BusID. - # - Reference that Device section from the ServerLayout section as an inactive - # device. - # - Configure the display manager to run specific `xrandr` commands which will - # configure/enable displays connected to the Intel iGPU / AMD APU. - - # reverse sync implies offloading - hardware.nvidia.prime.offload.enable = lib.mkDefault reverseSyncCfg.enable; - - services.xserver.drivers = - lib.optional primeEnabled { - name = igpuDriver; - display = offloadCfg.enable; - modules = lib.optional (igpuDriver == "amdgpu") pkgs.xorg.xf86videoamdgpu; - deviceSection = - '' - BusID "${igpuBusId}" - '' - + lib.optionalString (syncCfg.enable && igpuDriver != "amdgpu") '' - Option "AccelMethod" "none" - ''; - } - ++ lib.singleton { - name = "nvidia"; - modules = [nvidia_x11.bin]; - display = !offloadCfg.enable; - deviceSection = - lib.optionalString primeEnabled - '' - BusID "${pCfg.nvidiaBusId}" - '' - + lib.optionalString pCfg.allowExternalGpu '' - Option "AllowExternalGpus" - ''; - screenSection = - '' - Option "RandRRotation" "on" - '' - + lib.optionalString syncCfg.enable '' - Option "AllowEmptyInitialConfiguration" - '' - + lib.optionalString cfg.forceFullCompositionPipeline '' - Option "metamodes" "nvidia-auto-select +0+0 {ForceFullCompositionPipeline=On}" - Option "AllowIndirectGLXProtocol" "off" - Option "TripleBuffer" "on" - ''; - }; - - services.xserver.serverLayoutSection = - lib.optionalString syncCfg.enable '' - Inactive "Device-${igpuDriver}[0]" - '' - + lib.optionalString reverseSyncCfg.enable '' - Inactive "Device-nvidia[0]" - '' - + lib.optionalString offloadCfg.enable '' - Option "AllowNVIDIAGPUScreens" - ''; - - services.xserver.displayManager.setupCommands = let - gpuProviderName = - if igpuDriver == "amdgpu" - then - # find the name of the provider if amdgpu - "`${lib.getExe pkgs.xorg.xrandr} --listproviders | ${lib.getExe pkgs.gnugrep} -i AMD | ${lib.getExe pkgs.gnused} -n 's/^.*name://p'`" - else igpuDriver; - providerCmdParams = - if syncCfg.enable - then "\"${gpuProviderName}\" NVIDIA-0" - else "NVIDIA-G0 \"${gpuProviderName}\""; - in - lib.optionalString (syncCfg.enable || reverseSyncCfg.enable) '' - # Added by nvidia configuration module for Optimus/PRIME. - ${lib.getExe pkgs.xorg.xrandr} --setprovideroutputsource ${providerCmdParams} - ${lib.getExe pkgs.xorg.xrandr} --auto - ''; - - environment.etc = { - "nvidia/nvidia-application-profiles-rc" = lib.mkIf nvidia_x11.useProfiles {source = "${nvidia_x11.bin}/share/nvidia/nvidia-application-profiles-rc";}; + }]; + + # If Optimus/PRIME is enabled, we: + # - Specify the configured NVIDIA GPU bus ID in the Device section for the + # "nvidia" driver. + # - Add the AllowEmptyInitialConfiguration option to the Screen section for the + # "nvidia" driver, in order to allow the X server to start without any outputs. + # - Add a separate Device section for the Intel GPU, using the "modesetting" + # driver and with the configured BusID. + # - OR add a separate Device section for the AMD APU, using the "amdgpu" + # driver and with the configures BusID. + # - Reference that Device section from the ServerLayout section as an inactive + # device. + # - Configure the display manager to run specific `xrandr` commands which will + # configure/enable displays connected to the Intel iGPU / AMD APU. + + # reverse sync implies offloading + hardware.nvidia.prime.offload.enable = lib.mkDefault reverseSyncCfg.enable; + + services.xserver.drivers = + lib.optional primeEnabled { + name = igpuDriver; + display = offloadCfg.enable; + modules = lib.optional (igpuDriver == "amdgpu") pkgs.xorg.xf86videoamdgpu; + deviceSection = + '' + BusID "${igpuBusId}" + '' + + lib.optionalString (syncCfg.enable && igpuDriver != "amdgpu") '' + Option "AccelMethod" "none" + ''; + } + ++ lib.singleton { + name = "nvidia"; + modules = [nvidia_x11.bin]; + display = !offloadCfg.enable; + deviceSection = + lib.optionalString primeEnabled + '' + BusID "${pCfg.nvidiaBusId}" + '' + + lib.optionalString pCfg.allowExternalGpu '' + Option "AllowExternalGpus" + ''; + screenSection = + '' + Option "RandRRotation" "on" + '' + + lib.optionalString syncCfg.enable '' + Option "AllowEmptyInitialConfiguration" + '' + + lib.optionalString cfg.forceFullCompositionPipeline '' + Option "metamodes" "nvidia-auto-select +0+0 {ForceFullCompositionPipeline=On}" + Option "AllowIndirectGLXProtocol" "off" + Option "TripleBuffer" "on" + ''; + }; - # 'nvidia_x11' installs it's files to /run/opengl-driver/... - "egl/egl_external_platform.d".source = "/run/opengl-driver/share/egl/egl_external_platform.d/"; - }; + services.xserver.serverLayoutSection = + lib.optionalString syncCfg.enable '' + Inactive "Device-${igpuDriver}[0]" + '' + + lib.optionalString reverseSyncCfg.enable '' + Inactive "Device-nvidia[0]" + '' + + lib.optionalString offloadCfg.enable '' + Option "AllowNVIDIAGPUScreens" + ''; + + services.xserver.displayManager.setupCommands = let + gpuProviderName = + if igpuDriver == "amdgpu" + then + # find the name of the provider if amdgpu + "`${lib.getExe pkgs.xorg.xrandr} --listproviders | ${lib.getExe pkgs.gnugrep} -i AMD | ${lib.getExe pkgs.gnused} -n 's/^.*name://p'`" + else igpuDriver; + providerCmdParams = + if syncCfg.enable + then "\"${gpuProviderName}\" NVIDIA-0" + else "NVIDIA-G0 \"${gpuProviderName}\""; + in + lib.optionalString (syncCfg.enable || reverseSyncCfg.enable) '' + # Added by nvidia configuration module for Optimus/PRIME. + ${lib.getExe pkgs.xorg.xrandr} --setprovideroutputsource ${providerCmdParams} + ${lib.getExe pkgs.xorg.xrandr} --auto + ''; + + environment.etc = { + "nvidia/nvidia-application-profiles-rc" = lib.mkIf nvidia_x11.useProfiles {source = "${nvidia_x11.bin}/share/nvidia/nvidia-application-profiles-rc";}; + + # 'nvidia_x11' installs it's files to /run/opengl-driver/... + "egl/egl_external_platform.d".source = "/run/opengl-driver/share/egl/egl_external_platform.d/"; + }; - hardware.opengl = { - extraPackages = [ - nvidia_x11.out - pkgs.nvidia-vaapi-driver - ]; - extraPackages32 = [ - nvidia_x11.lib32 - pkgs.pkgsi686Linux.nvidia-vaapi-driver - ]; - }; - environment.systemPackages = - [nvidia_x11.bin] - ++ lib.optional cfg.nvidiaSettings nvidia_x11.settings - ++ lib.optional cfg.nvidiaPersistenced nvidia_x11.persistenced - ++ lib.optional offloadCfg.enableOffloadCmd - (pkgs.writeShellScriptBin "nvidia-offload" '' - export __NV_PRIME_RENDER_OFFLOAD=1 - export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0 - export __GLX_VENDOR_LIBRARY_NAME=nvidia - export __VK_LAYER_NV_optimus=NVIDIA_only - exec "$@" - ''); - - systemd.packages = lib.optional cfg.powerManagement.enable nvidia_x11.out; - - systemd.services = let - nvidiaService = state: { - description = "NVIDIA system ${state} actions"; - path = [pkgs.kbd]; - serviceConfig = { - Type = "oneshot"; - ExecStart = "${nvidia_x11.out}/bin/nvidia-sleep.sh '${state}'"; - }; - before = ["systemd-${state}.service"]; - requiredBy = ["systemd-${state}.service"]; + hardware.opengl = { + extraPackages = [ + pkgs.nvidia-vaapi-driver + ]; + extraPackages32 = [ + pkgs.pkgsi686Linux.nvidia-vaapi-driver + ]; }; - in - lib.mkMerge [ - (lib.mkIf cfg.powerManagement.enable { - nvidia-suspend = nvidiaService "suspend"; - nvidia-hibernate = nvidiaService "hibernate"; - nvidia-resume = - (nvidiaService "resume") - // { - before = []; - after = ["systemd-suspend.service" "systemd-hibernate.service"]; - requiredBy = ["systemd-suspend.service" "systemd-hibernate.service"]; - }; - }) - (lib.mkIf cfg.nvidiaPersistenced { - "nvidia-persistenced" = { - description = "NVIDIA Persistence Daemon"; - wantedBy = ["multi-user.target"]; - serviceConfig = { - Type = "forking"; - Restart = "always"; - PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid"; - ExecStart = "${lib.getExe nvidia_x11.persistenced} --verbose"; - ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced"; - }; + environment.systemPackages = + lib.optional cfg.nvidiaSettings nvidia_x11.settings + ++ lib.optional cfg.nvidiaPersistenced nvidia_x11.persistenced + ++ lib.optional offloadCfg.enableOffloadCmd + (pkgs.writeShellScriptBin "nvidia-offload" '' + export __NV_PRIME_RENDER_OFFLOAD=1 + export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0 + export __GLX_VENDOR_LIBRARY_NAME=nvidia + export __VK_LAYER_NV_optimus=NVIDIA_only + exec "$@" + ''); + + systemd.packages = lib.optional cfg.powerManagement.enable nvidia_x11.out; + + systemd.services = let + nvidiaService = state: { + description = "NVIDIA system ${state} actions"; + path = [pkgs.kbd]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${nvidia_x11.out}/bin/nvidia-sleep.sh '${state}'"; }; - }) - (lib.mkIf cfg.dynamicBoost.enable { - "nvidia-powerd" = { - description = "nvidia-powerd service"; - path = [ - pkgs.util-linux # nvidia-powerd wants lscpu - ]; - wantedBy = ["multi-user.target"]; - serviceConfig = { - Type = "dbus"; - BusName = "nvidia.powerd.server"; - ExecStart = "${nvidia_x11.bin}/bin/nvidia-powerd"; + before = ["systemd-${state}.service"]; + requiredBy = ["systemd-${state}.service"]; + }; + in + lib.mkMerge [ + (lib.mkIf cfg.powerManagement.enable { + nvidia-suspend = nvidiaService "suspend"; + nvidia-hibernate = nvidiaService "hibernate"; + nvidia-resume = + (nvidiaService "resume") + // { + before = []; + after = ["systemd-suspend.service" "systemd-hibernate.service"]; + requiredBy = ["systemd-suspend.service" "systemd-hibernate.service"]; + }; + }) + (lib.mkIf cfg.nvidiaPersistenced { + "nvidia-persistenced" = { + description = "NVIDIA Persistence Daemon"; + wantedBy = ["multi-user.target"]; + serviceConfig = { + Type = "forking"; + Restart = "always"; + PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid"; + ExecStart = "${lib.getExe nvidia_x11.persistenced} --verbose"; + ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced"; + }; }; - }; - }) - ]; - - services.acpid.enable = true; - - services.dbus.packages = lib.optional cfg.dynamicBoost.enable nvidia_x11.bin; - - hardware.firmware = lib.optional cfg.open nvidia_x11.firmware; - - systemd.tmpfiles.rules = - lib.optional config.virtualisation.docker.enableNvidia - "L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin" - ++ lib.optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia) - "L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced"; - - boot = { - blacklistedKernelModules = ["nouveau" "nvidiafb"]; - - extraModulePackages = - if cfg.open - then [nvidia_x11.open] - else [nvidia_x11.bin]; - - # nvidia-uvm is required by CUDA applications. - kernelModules = - ["nvidia-uvm"] - ++ lib.optionals config.services.xserver.enable ["nvidia" "nvidia_modeset" "nvidia_drm"]; - - # If requested enable modesetting via kernel parameter. - kernelParams = - lib.optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1" - ++ lib.optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1" - ++ lib.optional cfg.open "nvidia.NVreg_OpenRmEnableUnsupportedGpus=1" - ++ lib.optional (config.boot.kernelPackages.kernel.kernelAtLeast "6.2" && !ibtSupport) "ibt=off"; - - # enable finegrained power management - extraModprobeConfig = lib.optionalString cfg.powerManagement.finegrained '' - options nvidia "NVreg_DynamicPowerManagement=0x02" - ''; - }; - - services.udev.extraRules = - '' - # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded. - KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 255'" - KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'for i in $$(cat /proc/driver/nvidia/gpus/*/information | grep Minor | cut -d \ -f 4); do mknod -m 666 /dev/nvidia$${i} c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) $${i}; done'" - KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 254'" - KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" - KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 1'" - '' - + lib.optionalString cfg.powerManagement.finegrained ( + }) + (lib.mkIf cfg.dynamicBoost.enable { + "nvidia-powerd" = { + description = "nvidia-powerd service"; + path = [ + pkgs.util-linux # nvidia-powerd wants lscpu + ]; + wantedBy = ["multi-user.target"]; + serviceConfig = { + Type = "dbus"; + BusName = "nvidia.powerd.server"; + ExecStart = "${nvidia_x11.bin}/bin/nvidia-powerd"; + }; + }; + }) + ]; + services.acpid.enable = true; + + services.dbus.packages = lib.optional cfg.dynamicBoost.enable nvidia_x11.bin; + + hardware.firmware = lib.optional cfg.open nvidia_x11.firmware; + + systemd.tmpfiles.rules = + lib.optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia) + "L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced"; + + boot = { + extraModulePackages = + if cfg.open + then [nvidia_x11.open] + else [nvidia_x11.bin]; + # nvidia-uvm is required by CUDA applications. + kernelModules = + lib.optionals config.services.xserver.enable ["nvidia" "nvidia_modeset" "nvidia_drm"]; + + # If requested enable modesetting via kernel parameter. + kernelParams = + lib.optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1" + ++ lib.optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1" + ++ lib.optional cfg.open "nvidia.NVreg_OpenRmEnableUnsupportedGpus=1" + ++ lib.optional (config.boot.kernelPackages.kernel.kernelAtLeast "6.2" && !ibtSupport) "ibt=off"; + + # enable finegrained power management + extraModprobeConfig = lib.optionalString cfg.powerManagement.finegrained '' + options nvidia "NVreg_DynamicPowerManagement=0x02" + ''; + }; + services.udev.extraRules = + lib.optionalString cfg.powerManagement.finegrained ( lib.optionalString (lib.versionOlder config.boot.kernelPackages.kernel.version "5.5") '' # Remove NVIDIA USB xHCI Host Controller devices, if present ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{remove}="1" @@ -489,5 +570,30 @@ in { ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="on" '' ); - }; + }) + # Data Center + (lib.mkIf (cfg.datacenter.enable) { + boot.extraModulePackages = [ + nvidia_x11.bin + ]; + systemd.services.nvidia-fabricmanager = { + enable = true; + description = "Start NVIDIA NVLink Management"; + wantedBy = [ "multi-user.target" ]; + unitConfig.After = [ "network-online.target" ]; + unitConfig.Requires = [ "network-online.target" ]; + serviceConfig = { + Type = "forking"; + TimeoutStartSec = 240; + ExecStart = let + nv-fab-conf = settingsFormat.generate "fabricmanager.conf" cfg.datacenter.settings; + in + nvidia_x11.fabricmanager + "/bin/nv-fabricmanager -c " + nv-fab-conf; + LimitCORE="infinity"; + }; + }; + environment.systemPackages = + lib.optional cfg.datacenter.enable nvidia_x11.fabricmanager; + }) + ]); } diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 6ce8a2d88ab4d..05cf792e3fcbe 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -55,6 +55,7 @@ ./hardware/cpu/amd-sev.nix ./hardware/cpu/intel-microcode.nix ./hardware/cpu/intel-sgx.nix + ./hardware/decklink.nix ./hardware/device-tree.nix ./hardware/digitalbitbox.nix ./hardware/flipperzero.nix @@ -395,7 +396,6 @@ ./services/continuous-integration/gitlab-runner.nix ./services/continuous-integration/gocd-agent/default.nix ./services/continuous-integration/gocd-server/default.nix - ./services/continuous-integration/hail.nix ./services/continuous-integration/hercules-ci-agent/default.nix ./services/continuous-integration/hydra/default.nix ./services/continuous-integration/jenkins/default.nix @@ -1250,6 +1250,7 @@ ./services/web-apps/matomo.nix ./services/web-apps/mattermost.nix ./services/web-apps/mediawiki.nix + ./services/web-apps/meme-bingo-web.nix ./services/web-apps/miniflux.nix ./services/web-apps/monica.nix ./services/web-apps/moodle.nix diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix index 286faeadc489d..7d3322ea5e50f 100644 --- a/nixos/modules/programs/bash/bash.nix +++ b/nixos/modules/programs/bash/bash.nix @@ -81,7 +81,7 @@ in if [ "$TERM" != "dumb" ] || [ -n "$INSIDE_EMACS" ]; then PROMPT_COLOR="1;31m" ((UID)) && PROMPT_COLOR="1;32m" - if [ -n "$INSIDE_EMACS" ] || [ "$TERM" = "eterm" ] || [ "$TERM" = "eterm-color" ]; then + if [ -n "$INSIDE_EMACS" ]; then # Emacs term mode doesn't support xterm title escape sequence (\e]0;) PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] " else diff --git a/nixos/modules/security/acme/default.md b/nixos/modules/security/acme/default.md index 8ff97b55f6856..31548ad181a73 100644 --- a/nixos/modules/security/acme/default.md +++ b/nixos/modules/security/acme/default.md @@ -189,7 +189,7 @@ security.acme.defaults.email = "admin+acme@example.com"; security.acme.certs."example.com" = { domain = "*.example.com"; dnsProvider = "rfc2136"; - credentialsFile = "/var/lib/secrets/certs.secret"; + environmentFile = "/var/lib/secrets/certs.secret"; # We don't need to wait for propagation since this is a local DNS server dnsPropagationCheck = false; }; @@ -256,7 +256,7 @@ security.acme.acceptTerms = true; security.acme.defaults.email = "admin+acme@example.com"; security.acme.defaults = { dnsProvider = "rfc2136"; - credentialsFile = "/var/lib/secrets/certs.secret"; + environmentFile = "/var/lib/secrets/certs.secret"; # We don't need to wait for propagation since this is a local DNS server dnsPropagationCheck = false; }; diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix index 8aee71c864d0a..92bed172f4522 100644 --- a/nixos/modules/security/acme/default.nix +++ b/nixos/modules/security/acme/default.nix @@ -1,6 +1,8 @@ { config, lib, pkgs, options, ... }: with lib; let + + cfg = config.security.acme; opt = options.security.acme; user = if cfg.useRoot then "root" else "acme"; @@ -14,6 +16,36 @@ let mkAccountHash = acmeServer: data: mkHash "${toString acmeServer} ${data.keyType} ${data.email}"; accountDirRoot = "/var/lib/acme/.lego/accounts/"; + lockdir = "/run/acme/"; + concurrencyLockfiles = map (n: "${toString n}.lock") (lib.range 1 cfg.maxConcurrentRenewals); + # Assign elements of `baseList` to each element of `needAssignmentList`, until the latter is exhausted. + # returns: [{fst = "element of baseList"; snd = "element of needAssignmentList"}] + roundRobinAssign = baseList: needAssignmentList: + if baseList == [] then [] + else _rrCycler baseList baseList needAssignmentList; + _rrCycler = with builtins; origBaseList: workingBaseList: needAssignmentList: + if (workingBaseList == [] || needAssignmentList == []) + then [] + else + [{ fst = head workingBaseList; snd = head needAssignmentList;}] ++ + _rrCycler origBaseList (if (tail workingBaseList == []) then origBaseList else tail workingBaseList) (tail needAssignmentList); + attrsToList = mapAttrsToList (attrname: attrval: {name = attrname; value = attrval;}); + # for an AttrSet `funcsAttrs` having functions as values, apply single arguments from + # `argsList` to them in a round-robin manner. + # Returns an attribute set with the applied functions as values. + roundRobinApplyAttrs = funcsAttrs: argsList: lib.listToAttrs (map (x: {inherit (x.snd) name; value = x.snd.value x.fst;}) (roundRobinAssign argsList (attrsToList funcsAttrs))); + wrapInFlock = lockfilePath: script: + # explainer: https://stackoverflow.com/a/60896531 + '' + exec {LOCKFD}> ${lockfilePath} + echo "Waiting to acquire lock ${lockfilePath}" + ${pkgs.flock}/bin/flock ''${LOCKFD} || exit 1 + echo "Acquired lock ${lockfilePath}" + '' + + script + "\n" + + ''echo "Releasing lock ${lockfilePath}" # only released after process exit''; + + # There are many services required to make cert renewals work. # They all follow a common structure: # - They inherit this commonServiceConfig @@ -31,6 +63,7 @@ let ProtectSystem = "strict"; ReadWritePaths = [ "/var/lib/acme" + lockdir ]; PrivateTmp = true; @@ -118,7 +151,8 @@ let # We don't want this to run every time a renewal happens RemainAfterExit = true; - # These StateDirectory entries negate the need for tmpfiles + # StateDirectory entries are a cleaner, service-level mechanism + # for dealing with persistent service data StateDirectory = [ "acme" "acme/.lego" "acme/.lego/accounts" ]; StateDirectoryMode = 755; WorkingDirectory = "/var/lib/acme"; @@ -127,6 +161,25 @@ let ExecStart = "+" + (pkgs.writeShellScript "acme-fixperms" script); }; }; + lockfilePrepareService = { + description = "Manage lock files for acme services"; + + # ensure all required lock files exist, but none more + script = '' + GLOBIGNORE="${concatStringsSep ":" concurrencyLockfiles}" + rm -f * + unset GLOBIGNORE + + xargs touch <<< "${toString concurrencyLockfiles}" + ''; + + serviceConfig = commonServiceConfig // { + # We don't want this to run every time a renewal happens + RemainAfterExit = true; + WorkingDirectory = lockdir; + }; + }; + certToConfig = cert: data: let acmeServer = data.server; @@ -229,10 +282,10 @@ let }; }; - selfsignService = { + selfsignService = lockfileName: { description = "Generate self-signed certificate for ${cert}"; - after = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ]; - requires = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ]; + after = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ] ++ optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service"; + requires = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ] ++ optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service"; path = with pkgs; [ minica ]; @@ -256,7 +309,7 @@ let # Working directory will be /tmp # minica will output to a folder sharing the name of the first domain # in the list, which will be ${data.domain} - script = '' + script = (if (lockfileName == null) then lib.id else wrapInFlock "${lockdir}${lockfileName}") '' minica \ --ca-key ca/key.pem \ --ca-cert ca/cert.pem \ @@ -277,10 +330,10 @@ let ''; }; - renewService = { + renewService = lockfileName: { description = "Renew ACME certificate for ${cert}"; - after = [ "network.target" "network-online.target" "acme-fixperms.service" "nss-lookup.target" ] ++ selfsignedDeps; - wants = [ "network-online.target" "acme-fixperms.service" ] ++ selfsignedDeps; + after = [ "network.target" "network-online.target" "acme-fixperms.service" "nss-lookup.target" ] ++ selfsignedDeps ++ optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service"; + wants = [ "network-online.target" "acme-fixperms.service" ] ++ selfsignedDeps ++ optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service"; # https://github.com/NixOS/nixpkgs/pull/81371#issuecomment-605526099 wantedBy = optionals (!config.boot.isContainer) [ "multi-user.target" ]; @@ -309,8 +362,14 @@ let "/var/lib/acme/.lego/${cert}/${certDir}:/tmp/certificates" ]; - # Only try loading the credentialsFile if the dns challenge is enabled - EnvironmentFile = mkIf useDns data.credentialsFile; + # Only try loading the environmentFile if the dns challenge is enabled + EnvironmentFile = mkIf useDns data.environmentFile; + + Environment = mkIf useDns + (mapAttrsToList (k: v: ''"${k}=%d/${k}"'') data.credentialFiles); + + LoadCredential = mkIf useDns + (mapAttrsToList (k: v: "${k}:${v}") data.credentialFiles); # Run as root (Prefixed with +) ExecStartPost = "+" + (pkgs.writeShellScript "acme-postrun" '' @@ -329,7 +388,7 @@ let }; # Working directory will be /tmp - script = '' + script = (if (lockfileName == null) then lib.id else wrapInFlock "${lockdir}${lockfileName}") '' ${optionalString data.enableDebugLogs "set -x"} set -euo pipefail @@ -443,6 +502,10 @@ let defaultText = if isDefaults then default else literalExpression "config.security.acme.defaults.${name}"; }; in { + imports = [ + (mkRenamedOptionModule [ "credentialsFile" ] [ "environmentFile" ]) + ]; + options = { validMinDays = mkOption { type = types.int; @@ -554,9 +617,9 @@ let ''; }; - credentialsFile = mkOption { + environmentFile = mkOption { type = types.nullOr types.path; - inherit (defaultAndText "credentialsFile" null) default defaultText; + inherit (defaultAndText "environmentFile" null) default defaultText; description = lib.mdDoc '' Path to an EnvironmentFile for the cert's service containing any required and optional environment variables for your selected dnsProvider. @@ -566,6 +629,24 @@ let example = "/var/src/secrets/example.org-route53-api-token"; }; + credentialFiles = mkOption { + type = types.attrsOf (types.path); + inherit (defaultAndText "credentialFiles" {}) default defaultText; + description = lib.mdDoc '' + Environment variables suffixed by "_FILE" to set for the cert's service + for your selected dnsProvider. + To find out what values you need to set, consult the documentation at + <https://go-acme.github.io/lego/dns/> for the corresponding dnsProvider. + This allows to securely pass credential files to lego by leveraging systemd + credentials. + ''; + example = literalExpression '' + { + "RFC2136_TSIG_SECRET_FILE" = "/run/secrets/tsig-secret-example.org"; + } + ''; + }; + dnsPropagationCheck = mkOption { type = types.bool; inherit (defaultAndText "dnsPropagationCheck" true) default defaultText; @@ -755,6 +836,17 @@ in { } ''; }; + maxConcurrentRenewals = mkOption { + default = 5; + type = types.int; + description = lib.mdDoc '' + Maximum number of concurrent certificate generation or renewal jobs. All other + jobs will queue and wait running jobs to finish. Reduces the system load of + certificate generation. + + Set to `0` to allow unlimited number of concurrent job runs." + ''; + }; }; }; @@ -865,6 +957,13 @@ in { `security.acme.certs.${cert}.listenHTTP` must be provided. ''; } + { + assertion = all (hasSuffix "_FILE") (attrNames data.credentialFiles); + message = '' + Option `security.acme.certs.${cert}.credentialFiles` can only be + used for variables suffixed by "_FILE". + ''; + } ]) cfg.certs)); users.users.acme = { @@ -875,12 +974,28 @@ in { users.groups.acme = {}; - systemd.services = { - "acme-fixperms" = userMigrationService; - } // (mapAttrs' (cert: conf: nameValuePair "acme-${cert}" conf.renewService) certConfigs) + # for lock files, still use tmpfiles as they should better reside in /run + systemd.tmpfiles.rules = [ + "d ${lockdir} 0700 ${user} - - -" + "Z ${lockdir} 0700 ${user} - - -" + ]; + + systemd.services = let + renewServiceFunctions = mapAttrs' (cert: conf: nameValuePair "acme-${cert}" conf.renewService) certConfigs; + renewServices = if cfg.maxConcurrentRenewals > 0 + then roundRobinApplyAttrs renewServiceFunctions concurrencyLockfiles + else mapAttrs (_: f: f null) renewServiceFunctions; + selfsignServiceFunctions = mapAttrs' (cert: conf: nameValuePair "acme-selfsigned-${cert}" conf.selfsignService) certConfigs; + selfsignServices = if cfg.maxConcurrentRenewals > 0 + then roundRobinApplyAttrs selfsignServiceFunctions concurrencyLockfiles + else mapAttrs (_: f: f null) selfsignServiceFunctions; + in + { "acme-fixperms" = userMigrationService; } + // (optionalAttrs (cfg.maxConcurrentRenewals > 0) {"acme-lockfiles" = lockfilePrepareService; }) + // renewServices // (optionalAttrs (cfg.preliminarySelfsigned) ({ "acme-selfsigned-ca" = selfsignCAService; - } // (mapAttrs' (cert: conf: nameValuePair "acme-selfsigned-${cert}" conf.selfsignService) certConfigs))); + } // selfsignServices)); systemd.timers = mapAttrs' (cert: conf: nameValuePair "acme-${cert}" conf.renewTimer) certConfigs; diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index a431817fe1bb3..d83259ccbebc1 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -1303,7 +1303,7 @@ in security.pam.enableEcryptfs = mkEnableOption (lib.mdDoc "eCryptfs PAM module (mounting ecryptfs home directory on login)"); security.pam.enableFscrypt = mkEnableOption (lib.mdDoc '' - Enables fscrypt to automatically unlock directories with the user's login password. + fscrypt to automatically unlock directories with the user's login password. This also enables a service at security.pam.services.fscrypt which is used by fscrypt to verify the user's password when setting up a new protector. If you diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 12255d8392fe9..ad65f80bb2ca5 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -5,8 +5,8 @@ let parentWrapperDir = dirOf wrapperDir; - securityWrapper = pkgs.callPackage ./wrapper.nix { - inherit parentWrapperDir; + securityWrapper = sourceProg : pkgs.callPackage ./wrapper.nix { + inherit sourceProg; }; fileModeType = @@ -91,8 +91,7 @@ let , ... }: '' - cp ${securityWrapper}/bin/security-wrapper "$wrapperDir/${program}" - echo -n "${source}" > "$wrapperDir/${program}.real" + cp ${securityWrapper source}/bin/security-wrapper "$wrapperDir/${program}" # Prevent races chmod 0000 "$wrapperDir/${program}" @@ -119,8 +118,7 @@ let , ... }: '' - cp ${securityWrapper}/bin/security-wrapper "$wrapperDir/${program}" - echo -n "${source}" > "$wrapperDir/${program}.real" + cp ${securityWrapper source}/bin/security-wrapper "$wrapperDir/${program}" # Prevent races chmod 0000 "$wrapperDir/${program}" @@ -248,11 +246,13 @@ in export PATH="${wrapperDir}:$PATH" ''; - security.apparmor.includes."nixos/security.wrappers" = '' - include "${pkgs.apparmorRulesFromClosure { name="security.wrappers"; } [ - securityWrapper + security.apparmor.includes = lib.mapAttrs' (wrapName: wrap: lib.nameValuePair + "nixos/security.wrappers/${wrapName}" '' + include "${pkgs.apparmorRulesFromClosure { name="security.wrappers.${wrapName}"; } [ + (securityWrapper wrap.source) ]}" - ''; + mrpx ${wrap.source}, + '') wrappers; ###### wrappers activation script system.activationScripts.wrappers = diff --git a/nixos/modules/security/wrappers/wrapper.c b/nixos/modules/security/wrappers/wrapper.c index 17776a97af81e..2cf1727a31c8c 100644 --- a/nixos/modules/security/wrappers/wrapper.c +++ b/nixos/modules/security/wrappers/wrapper.c @@ -17,6 +17,10 @@ #include <syscall.h> #include <byteswap.h> +#ifndef SOURCE_PROG +#error SOURCE_PROG should be defined via preprocessor commandline +#endif + // aborts when false, printing the failed expression #define ASSERT(expr) ((expr) ? (void) 0 : assert_failure(#expr)) // aborts when returns non-zero, printing the failed expression and errno @@ -24,10 +28,6 @@ extern char **environ; -// The WRAPPER_DIR macro is supplied at compile time so that it cannot -// be changed at runtime -static char *wrapper_dir = WRAPPER_DIR; - // Wrapper debug variable name static char *wrapper_debug = "WRAPPER_DEBUG"; @@ -151,115 +151,20 @@ static int make_caps_ambient(const char *self_path) { return 0; } -int readlink_malloc(const char *p, char **ret) { - size_t l = FILENAME_MAX+1; - int r; - - for (;;) { - char *c = calloc(l, sizeof(char)); - if (!c) { - return -ENOMEM; - } - - ssize_t n = readlink(p, c, l-1); - if (n < 0) { - r = -errno; - free(c); - return r; - } - - if ((size_t) n < l-1) { - c[n] = 0; - *ret = c; - return 0; - } - - free(c); - l *= 2; - } -} - int main(int argc, char **argv) { ASSERT(argc >= 1); - char *self_path = NULL; - int self_path_size = readlink_malloc("/proc/self/exe", &self_path); - if (self_path_size < 0) { - fprintf(stderr, "cannot readlink /proc/self/exe: %s", strerror(-self_path_size)); - } - - unsigned int ruid, euid, suid, rgid, egid, sgid; - MUSTSUCCEED(getresuid(&ruid, &euid, &suid)); - MUSTSUCCEED(getresgid(&rgid, &egid, &sgid)); - - // If true, then we did not benefit from setuid privilege escalation, - // where the original uid is still in ruid and different from euid == suid. - int didnt_suid = (ruid == euid) && (euid == suid); - // If true, then we did not benefit from setgid privilege escalation - int didnt_sgid = (rgid == egid) && (egid == sgid); - - - // Make sure that we are being executed from the right location, - // i.e., `safe_wrapper_dir'. This is to prevent someone from creating - // hard link `X' from some other location, along with a false - // `X.real' file, to allow arbitrary programs from being executed - // with elevated capabilities. - int len = strlen(wrapper_dir); - if (len > 0 && '/' == wrapper_dir[len - 1]) - --len; - ASSERT(!strncmp(self_path, wrapper_dir, len)); - ASSERT('/' == wrapper_dir[0]); - ASSERT('/' == self_path[len]); - - // If we got privileges with the fs set[ug]id bit, check that the privilege we - // got matches the one one we expected, ie that our effective uid/gid - // matches the uid/gid of `self_path`. This ensures that we were executed as - // `self_path', and not, say, as some other setuid program. - // We don't check that if we did not benefit from the set[ug]id bit, as - // can be the case in nosuid mounts or user namespaces. - struct stat st; - ASSERT(lstat(self_path, &st) != -1); - - // if the wrapper gained privilege with suid, check that we got the uid of the file owner - ASSERT(!((st.st_mode & S_ISUID) && !didnt_suid) || (st.st_uid == euid)); - // if the wrapper gained privilege with sgid, check that we got the gid of the file group - ASSERT(!((st.st_mode & S_ISGID) && !didnt_sgid) || (st.st_gid == egid)); - // same, but with suid instead of euid - ASSERT(!((st.st_mode & S_ISUID) && !didnt_suid) || (st.st_uid == suid)); - ASSERT(!((st.st_mode & S_ISGID) && !didnt_sgid) || (st.st_gid == sgid)); - - // And, of course, we shouldn't be writable. - ASSERT(!(st.st_mode & (S_IWGRP | S_IWOTH))); - - // Read the path of the real (wrapped) program from <self>.real. - char real_fn[PATH_MAX + 10]; - int real_fn_size = snprintf(real_fn, sizeof(real_fn), "%s.real", self_path); - ASSERT(real_fn_size < sizeof(real_fn)); - - int fd_self = open(real_fn, O_RDONLY); - ASSERT(fd_self != -1); - - char source_prog[PATH_MAX]; - len = read(fd_self, source_prog, PATH_MAX); - ASSERT(len != -1); - ASSERT(len < sizeof(source_prog)); - ASSERT(len > 0); - source_prog[len] = 0; - - close(fd_self); // Read the capabilities set on the wrapper and raise them in to // the ambient set so the program we're wrapping receives the // capabilities too! - if (make_caps_ambient(self_path) != 0) { - free(self_path); + if (make_caps_ambient("/proc/self/exe") != 0) { return 1; } - free(self_path); - execve(source_prog, argv, environ); + execve(SOURCE_PROG, argv, environ); fprintf(stderr, "%s: cannot run `%s': %s\n", - argv[0], source_prog, strerror(errno)); + argv[0], SOURCE_PROG, strerror(errno)); return 1; } diff --git a/nixos/modules/security/wrappers/wrapper.nix b/nixos/modules/security/wrappers/wrapper.nix index e3620fb222d2c..aec43412404ea 100644 --- a/nixos/modules/security/wrappers/wrapper.nix +++ b/nixos/modules/security/wrappers/wrapper.nix @@ -1,4 +1,4 @@ -{ stdenv, linuxHeaders, parentWrapperDir, debug ? false }: +{ stdenv, linuxHeaders, sourceProg, debug ? false }: # For testing: # $ nix-build -E 'with import <nixpkgs> {}; pkgs.callPackage ./wrapper.nix { parentWrapperDir = "/run/wrappers"; debug = true; }' stdenv.mkDerivation { @@ -7,7 +7,7 @@ stdenv.mkDerivation { dontUnpack = true; hardeningEnable = [ "pie" ]; CFLAGS = [ - ''-DWRAPPER_DIR="${parentWrapperDir}"'' + ''-DSOURCE_PROG="${sourceProg}"'' ] ++ (if debug then [ "-Werror" "-Og" "-g" ] else [ diff --git a/nixos/modules/services/audio/tts.nix b/nixos/modules/services/audio/tts.nix index 1a355c8ee39f5..0d93224ec0306 100644 --- a/nixos/modules/services/audio/tts.nix +++ b/nixos/modules/services/audio/tts.nix @@ -134,6 +134,7 @@ in ProtectProc = "invisible"; ProcSubset = "pid"; RestrictAddressFamilies = [ + "AF_UNIX" "AF_INET" "AF_INET6" ]; diff --git a/nixos/modules/services/backup/restic.nix b/nixos/modules/services/backup/restic.nix index 6f4cbab817267..78220e99c3d1f 100644 --- a/nixos/modules/services/backup/restic.nix +++ b/nixos/modules/services/backup/restic.nix @@ -260,6 +260,16 @@ in Restic package to use. ''; }; + + createWrapper = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Whether to generate and add a script to the system path, that has the same environment variables set + as the systemd service. This can be used to e.g. mount snapshots or perform other opterations, without + having to manually specify most options. + ''; + }; }; })); default = { }; @@ -316,7 +326,8 @@ in in nameValuePair "restic-backups-${name}" ({ environment = { - RESTIC_CACHE_DIR = "%C/restic-backups-${name}"; + # not %C, because that wouldn't work in the wrapper script + RESTIC_CACHE_DIR = "/var/cache/restic-backups-${name}"; RESTIC_PASSWORD_FILE = backup.passwordFile; RESTIC_REPOSITORY = backup.repository; RESTIC_REPOSITORY_FILE = backup.repositoryFile; @@ -331,7 +342,7 @@ in nameValuePair (rcloneAttrToConf name) (toRcloneVal value) ) backup.rcloneConfig); - path = [ pkgs.openssh ]; + path = [ config.programs.ssh.package ]; restartIfChanged = false; wants = [ "network-online.target" ]; after = [ "network-online.target" ]; @@ -378,5 +389,22 @@ in timerConfig = backup.timerConfig; }) config.services.restic.backups; + + # generate wrapper scripts, as described in the createWrapper option + environment.systemPackages = lib.mapAttrsToList (name: backup: let + extraOptions = lib.concatMapStrings (arg: " -o ${arg}") backup.extraOptions; + resticCmd = "${backup.package}/bin/restic${extraOptions}"; + in pkgs.writeShellScriptBin "restic-${name}" '' + set -a # automatically export variables + ${lib.optionalString (backup.environmentFile != null) "source ${backup.environmentFile}"} + # set same environment variables as the systemd service + ${lib.pipe config.systemd.services."restic-backups-${name}".environment [ + (lib.filterAttrs (_: v: v != null)) + (lib.mapAttrsToList (n: v: "${n}=${v}")) + (lib.concatStringsSep "\n") + ]} + + exec ${resticCmd} $@ + '') (lib.filterAttrs (_: v: v.createWrapper) config.services.restic.backups); }; } diff --git a/nixos/modules/services/continuous-integration/buildbot/master.nix b/nixos/modules/services/continuous-integration/buildbot/master.nix index 595374ea1e5b3..b4b997201c8f5 100644 --- a/nixos/modules/services/continuous-integration/buildbot/master.nix +++ b/nixos/modules/services/continuous-integration/buildbot/master.nix @@ -272,7 +272,13 @@ in { Group = cfg.group; WorkingDirectory = cfg.home; # NOTE: call twistd directly with stdout logging for systemd - ExecStart = "${python.pkgs.twisted}/bin/twistd -o --nodaemon --pidfile= --logfile - --python ${tacFile}"; + ExecStart = "${python.pkgs.twisted}/bin/twistd -o --nodaemon --pidfile= --logfile - --python ${cfg.buildbotDir}/buildbot.tac"; + # To reload on upgrade, set the following in your configuration: + # systemd.services.buildbot-master.reloadIfChanged = true; + ExecReload = [ + "${pkgs.coreutils}/bin/ln -sf ${tacFile} ${cfg.buildbotDir}/buildbot.tac" + "${pkgs.coreutils}/bin/kill -HUP $MAINPID" + ]; }; }; }; diff --git a/nixos/modules/services/continuous-integration/hail.nix b/nixos/modules/services/continuous-integration/hail.nix deleted file mode 100644 index 62e8b8077c079..0000000000000 --- a/nixos/modules/services/continuous-integration/hail.nix +++ /dev/null @@ -1,61 +0,0 @@ -{ config, lib, pkgs, ...}: - -with lib; - -let - cfg = config.services.hail; -in { - - - ###### interface - - options.services.hail = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Enables the Hail Auto Update Service. Hail can automatically deploy artifacts - built by a Hydra Continuous Integration server. A common use case is to provide - continuous deployment for single services or a full NixOS configuration.''; - }; - profile = mkOption { - type = types.str; - default = "hail-profile"; - description = lib.mdDoc "The name of the Nix profile used by Hail."; - }; - hydraJobUri = mkOption { - type = types.str; - description = lib.mdDoc "The URI of the Hydra Job."; - }; - netrc = mkOption { - type = types.nullOr types.path; - description = lib.mdDoc "The netrc file to use when fetching data from Hydra."; - default = null; - }; - package = mkOption { - type = types.package; - default = pkgs.haskellPackages.hail; - defaultText = literalExpression "pkgs.haskellPackages.hail"; - description = lib.mdDoc "Hail package to use."; - }; - }; - - - ###### implementation - - config = mkIf cfg.enable { - systemd.services.hail = { - description = "Hail Auto Update Service"; - wants = [ "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ nix ]; - environment = { - HOME = "/var/lib/empty"; - }; - serviceConfig = { - ExecStart = "${cfg.package}/bin/hail --profile ${cfg.profile} --job-uri ${cfg.hydraJobUri}" - + lib.optionalString (cfg.netrc != null) " --netrc-file ${cfg.netrc}"; - }; - }; - }; -} diff --git a/nixos/modules/services/continuous-integration/woodpecker/agents.nix b/nixos/modules/services/continuous-integration/woodpecker/agents.nix index cc5b903afd595..3b883c72ff07f 100644 --- a/nixos/modules/services/continuous-integration/woodpecker/agents.nix +++ b/nixos/modules/services/continuous-integration/woodpecker/agents.nix @@ -35,6 +35,16 @@ let ''; }; + path = lib.mkOption { + type = lib.types.listOf lib.types.package; + default = [ ]; + example = [ "" ]; + description = lib.mdDoc '' + Additional packages that should be added to the agent's `PATH`. + Mostly useful for the `local` backend. + ''; + }; + environmentFile = lib.mkOption { type = lib.types.listOf lib.types.path; default = [ ]; @@ -94,7 +104,7 @@ let "-/etc/localtime" ]; }; - inherit (agentCfg) environment; + inherit (agentCfg) environment path; }; }; in @@ -106,28 +116,41 @@ in agents = lib.mkOption { default = { }; type = lib.types.attrsOf agentModule; - example = { - docker = { - environment = { - WOODPECKER_SERVER = "localhost:9000"; - WOODPECKER_BACKEND = "docker"; - DOCKER_HOST = "unix:///run/podman/podman.sock"; + example = lib.literalExpression '' + { + podman = { + environment = { + WOODPECKER_SERVER = "localhost:9000"; + WOODPECKER_BACKEND = "docker"; + DOCKER_HOST = "unix:///run/podman/podman.sock"; + }; + + extraGroups = [ "podman" ]; + + environmentFile = [ "/run/secrets/woodpecker/agent-secret.txt" ]; }; - extraGroups = [ "docker" ]; + exec = { + environment = { + WOODPECKER_SERVER = "localhost:9000"; + WOODPECKER_BACKEND = "local"; + }; - environmentFile = "/run/secrets/woodpecker/agent-secret.txt"; - }; + environmentFile = [ "/run/secrets/woodpecker/agent-secret.txt" ]; - exec = { - environment = { - WOODPECKER_SERVER = "localhost:9000"; - WOODPECKER_BACKEND = "exec"; + path = [ + # Needed to clone repos + git + git-lfs + woodpecker-plugin-git + # Used by the runner as the default shell + bash + # Most likely to be used in pipeline definitions + coreutils + ]; }; - - environmentFile = "/run/secrets/woodpecker/agent-secret.txt"; - }; - }; + } + ''; description = lib.mdDoc "woodpecker-agents configurations"; }; }; diff --git a/nixos/modules/services/home-automation/zigbee2mqtt.nix b/nixos/modules/services/home-automation/zigbee2mqtt.nix index 796de3a491e49..6b5bd8a0d9bbc 100644 --- a/nixos/modules/services/home-automation/zigbee2mqtt.nix +++ b/nixos/modules/services/home-automation/zigbee2mqtt.nix @@ -66,9 +66,10 @@ in server = mkDefault "mqtt://localhost:1883"; }; serial.port = mkDefault "/dev/ttyACM0"; - # reference device configuration, that is kept in a separate file + # reference device/group configuration, that is kept in a separate file # to prevent it being overwritten in the units ExecStartPre script devices = mkDefault "devices.yaml"; + groups = mkDefault "groups.yaml"; }; systemd.services.zigbee2mqtt = { diff --git a/nixos/modules/services/logging/logrotate.nix b/nixos/modules/services/logging/logrotate.nix index 342ac5ec6e049..ba1445f083975 100644 --- a/nixos/modules/services/logging/logrotate.nix +++ b/nixos/modules/services/logging/logrotate.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, utils, ... }: with lib; @@ -220,6 +220,12 @@ in in this case you can disable the failing check with this option. ''; }; + + extraArgs = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = []; + description = "Additional command line arguments to pass on logrotate invocation"; + }; }; }; @@ -231,7 +237,7 @@ in serviceConfig = { Restart = "no"; User = "root"; - ExecStart = "${pkgs.logrotate}/sbin/logrotate ${mailOption} ${cfg.configFile}"; + ExecStart = "${pkgs.logrotate}/sbin/logrotate ${utils.escapeSystemdExecArgs cfg.extraArgs} ${mailOption} ${cfg.configFile}"; }; }; systemd.services.logrotate-checkconf = { @@ -240,7 +246,7 @@ in serviceConfig = { Type = "oneshot"; RemainAfterExit = true; - ExecStart = "${pkgs.logrotate}/sbin/logrotate --debug ${cfg.configFile}"; + ExecStart = "${pkgs.logrotate}/sbin/logrotate ${utils.escapeSystemdExecArgs cfg.extraArgs} --debug ${cfg.configFile}"; }; }; }; diff --git a/nixos/modules/services/mail/listmonk.nix b/nixos/modules/services/mail/listmonk.nix index 251362fdd89d3..11b2a5186229b 100644 --- a/nixos/modules/services/mail/listmonk.nix +++ b/nixos/modules/services/mail/listmonk.nix @@ -54,7 +54,7 @@ let smtp = mkOption { type = listOf (submodule { - freeformType = with types; attrsOf (oneOf [ str int bool ]); + freeformType = with types; attrsOf anything; options = { enabled = mkEnableOption (lib.mdDoc "this SMTP server for listmonk"); @@ -86,7 +86,7 @@ let # TODO: refine this type based on the smtp one. "bounce.mailboxes" = mkOption { type = listOf - (submodule { freeformType = with types; oneOf [ str int bool ]; }); + (submodule { freeformType = with types; listOf (attrsOf anything); }); default = [ ]; description = lib.mdDoc "List of bounce mailboxes"; }; diff --git a/nixos/modules/services/mail/stalwart-mail.nix b/nixos/modules/services/mail/stalwart-mail.nix index fdbdc99070b93..eb87d9f6f695e 100644 --- a/nixos/modules/services/mail/stalwart-mail.nix +++ b/nixos/modules/services/mail/stalwart-mail.nix @@ -18,7 +18,7 @@ in { default = { }; description = mdDoc '' Configuration options for the Stalwart email server. - See <https://stalw.art/docs/> for available options. + See <https://stalw.art/docs/category/configuration> for available options. By default, the module is configured to store everything locally. ''; diff --git a/nixos/modules/services/misc/cfdyndns.nix b/nixos/modules/services/misc/cfdyndns.nix index 9cd8b188ffaec..5a02de2aad213 100644 --- a/nixos/modules/services/misc/cfdyndns.nix +++ b/nixos/modules/services/misc/cfdyndns.nix @@ -23,6 +23,15 @@ in ''; }; + apiTokenFile = mkOption { + default = null; + type = types.nullOr types.str; + description = lib.mdDoc '' + The path to a file containing the API Token + used to authenticate with CloudFlare. + ''; + }; + apikeyFile = mkOption { default = null; type = types.nullOr types.str; @@ -55,12 +64,15 @@ in Group = config.ids.gids.cfdyndns; }; environment = { - CLOUDFLARE_EMAIL="${cfg.email}"; CLOUDFLARE_RECORDS="${concatStringsSep "," cfg.records}"; }; script = '' ${optionalString (cfg.apikeyFile != null) '' export CLOUDFLARE_APIKEY="$(cat ${escapeShellArg cfg.apikeyFile})" + export CLOUDFLARE_EMAIL="${cfg.email}" + ''} + ${optionalString (cfg.apiTokenFile != null) '' + export CLOUDFLARE_APITOKEN="$(cat ${escapeShellArg cfg.apiTokenFile})" ''} ${pkgs.cfdyndns}/bin/cfdyndns ''; diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index e75239e059d3b..702423ef09cd0 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -33,8 +33,7 @@ let ${cfg.extraConfig} EOL - ssh-keygen -q -f mock-hostkey -N "" - sshd -t -f $out -h mock-hostkey + sshd -G -f $out ''; cfg = config.services.openssh; diff --git a/nixos/modules/services/networking/wstunnel.nix b/nixos/modules/services/networking/wstunnel.nix index 067d5df487255..3c3ecc3e04d79 100644 --- a/nixos/modules/services/networking/wstunnel.nix +++ b/nixos/modules/services/networking/wstunnel.nix @@ -86,12 +86,12 @@ let description = mdDoc "Address and port to listen on. Setting the port to a value below 1024 will also give the process the required `CAP_NET_BIND_SERVICE` capability."; type = types.submodule hostPortSubmodule; default = { - address = "0.0.0.0"; + host = "0.0.0.0"; port = if config.enableHTTPS then 443 else 80; }; defaultText = literalExpression '' { - address = "0.0.0.0"; + host = "0.0.0.0"; port = if enableHTTPS then 443 else 80; } ''; diff --git a/nixos/modules/services/web-apps/galene.nix b/nixos/modules/services/web-apps/galene.nix index 747b85f94c65a..81fed8a0b99a5 100644 --- a/nixos/modules/services/web-apps/galene.nix +++ b/nixos/modules/services/web-apps/galene.nix @@ -186,7 +186,7 @@ in ProtectSystem = "strict"; ReadWritePaths = cfg.recordingsDir; RemoveIPC = true; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; diff --git a/nixos/modules/services/web-apps/healthchecks.nix b/nixos/modules/services/web-apps/healthchecks.nix index b3fdb681e2f30..b92525075541a 100644 --- a/nixos/modules/services/web-apps/healthchecks.nix +++ b/nixos/modules/services/web-apps/healthchecks.nix @@ -1,16 +1,16 @@ -{ config, lib, pkgs, buildEnv, ... }: +{ config, lib, options, pkgs, buildEnv, ... }: with lib; let defaultUser = "healthchecks"; cfg = config.services.healthchecks; + opt = options.services.healthchecks; pkg = cfg.package; boolToPython = b: if b then "True" else "False"; environment = { PYTHONPATH = pkg.pythonPath; STATIC_ROOT = cfg.dataDir + "/static"; - DB_NAME = "${cfg.dataDir}/healthchecks.sqlite"; } // cfg.settings; environmentFile = pkgs.writeText "healthchecks-environment" (lib.generators.toKeyValue { } environment); @@ -98,17 +98,24 @@ in description = lib.mdDoc '' Environment variables which are read by healthchecks `(local)_settings.py`. - Settings which are explicitly covered in options bewlow, are type-checked and/or transformed + Settings which are explicitly covered in options below, are type-checked and/or transformed before added to the environment, everything else is passed as a string. See <https://healthchecks.io/docs/self_hosted_configuration/> for a full documentation of settings. - We add two variables to this list inside the packages `local_settings.py.` - - STATIC_ROOT to set a state directory for dynamically generated static files. - - SECRET_KEY_FILE to read SECRET_KEY from a file at runtime and keep it out of /nix/store. + We add additional variables to this list inside the packages `local_settings.py.` + - `STATIC_ROOT` to set a state directory for dynamically generated static files. + - `SECRET_KEY_FILE` to read `SECRET_KEY` from a file at runtime and keep it out of + /nix/store. + - `_FILE` variants for several values that hold sensitive information in + [Healthchecks configuration](https://healthchecks.io/docs/self_hosted_configuration/) so + that they also can be read from a file and kept out of /nix/store. To see which values + have support for a `_FILE` variant, run: + - `nix-instantiate --eval --expr '(import <nixpkgs> {}).healthchecks.secrets'` + - or `nix eval 'nixpkgs#healthchecks.secrets'` if the flake support has been enabled. ''; - type = types.submodule { + type = types.submodule (settings: { freeformType = types.attrsOf types.str; options = { ALLOWED_HOSTS = lib.mkOption { @@ -143,8 +150,28 @@ in ''; apply = boolToPython; }; + + DB = mkOption { + type = types.enum [ "sqlite" "postgres" "mysql" ]; + default = "sqlite"; + description = lib.mdDoc "Database engine to use."; + }; + + DB_NAME = mkOption { + type = types.str; + default = + if settings.config.DB == "sqlite" + then "${cfg.dataDir}/healthchecks.sqlite" + else "hc"; + defaultText = lib.literalExpression '' + if config.${settings.options.DB} == "sqlite" + then "''${config.${opt.dataDir}}/healthchecks.sqlite" + else "hc" + ''; + description = lib.mdDoc "Database name."; + }; }; - }; + }); }; }; @@ -168,7 +195,7 @@ in StateDirectoryMode = mkIf (cfg.dataDir == "/var/lib/healthchecks") "0750"; }; in - { + { healthchecks-migration = { description = "Healthchecks migrations"; wantedBy = [ "healthchecks.target" ]; diff --git a/nixos/modules/services/web-apps/meme-bingo-web.nix b/nixos/modules/services/web-apps/meme-bingo-web.nix new file mode 100644 index 0000000000000..cb864321ef276 --- /dev/null +++ b/nixos/modules/services/web-apps/meme-bingo-web.nix @@ -0,0 +1,93 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkEnableOption mkIf mkOption mdDoc types literalExpression; + + cfg = config.services.meme-bingo-web; +in { + options = { + services.meme-bingo-web = { + enable = mkEnableOption (mdDoc '' + A web app for the meme bingo, rendered entirely on the web server and made interactive with forms. + + Note: The application's author suppose to run meme-bingo-web behind a reverse proxy for SSL and HTTP/3. + ''); + + package = mkOption { + type = types.package; + default = pkgs.meme-bingo-web; + defaultText = literalExpression "pkgs.meme-bingo-web"; + description = mdDoc "meme-bingo-web package to use."; + }; + + baseUrl = mkOption { + description = mdDoc '' + URL to be used for the HTML <base> element on all HTML routes. + ''; + type = types.str; + default = "http://localhost:41678/"; + example = "https://bingo.example.com/"; + }; + port = mkOption { + description = mdDoc '' + Port to be used for the web server. + ''; + type = types.port; + default = 41678; + example = 21035; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.meme-bingo-web = { + description = "A web app for playing meme bingos."; + wantedBy = [ "multi-user.target" ]; + + environment = { + MEME_BINGO_BASE = cfg.baseUrl; + MEME_BINGO_PORT = toString cfg.port; + }; + path = [ cfg.package ]; + + serviceConfig = { + User = "meme-bingo-web"; + Group = "meme-bingo-web"; + + DynamicUser = true; + + ExecStart = "${cfg.package}/bin/meme-bingo-web"; + + Restart = "always"; + RestartSec = 1; + + # Hardening + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "/dev/random" ]; + LockPersonality = true; + PrivateDevices = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectSystem = "strict"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0077"; + RestrictSUIDSGID = true; + RemoveIPC = true; + NoNewPrivileges = true; + MemoryDenyWriteExecute = true; + }; + }; + }; +} diff --git a/nixos/modules/services/web-apps/plausible.nix b/nixos/modules/services/web-apps/plausible.nix index 911daa53e6587..4b308d2ee56ee 100644 --- a/nixos/modules/services/web-apps/plausible.nix +++ b/nixos/modules/services/web-apps/plausible.nix @@ -248,6 +248,7 @@ in { # setup ${cfg.package}/createdb.sh ${cfg.package}/migrate.sh + ${cfg.package}/bin/plausible eval "(Plausible.Release.prepare() ; Plausible.Auth.create_user(\"$ADMIN_USER_NAME\", \"$ADMIN_USER_EMAIL\", \"$ADMIN_USER_PWD\"))" ${optionalString cfg.adminUser.activate '' if ! ${cfg.package}/init-admin.sh | grep 'already exists'; then psql -d plausible <<< "UPDATE users SET email_verified=true;" diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix index 3102e6a469536..592ab253f7daf 100644 --- a/nixos/modules/services/web-apps/tt-rss.nix +++ b/nixos/modules/services/web-apps/tt-rss.nix @@ -595,47 +595,9 @@ let tt-rss = { description = "Tiny Tiny RSS feeds update daemon"; - preStart = let - callSql = e: - if cfg.database.type == "pgsql" then '' - ${optionalString (cfg.database.password != null) "PGPASSWORD=${cfg.database.password}"} \ - ${optionalString (cfg.database.passwordFile != null) "PGPASSWORD=$(cat ${cfg.database.passwordFile})"} \ - ${config.services.postgresql.package}/bin/psql \ - -U ${cfg.database.user} \ - ${optionalString (cfg.database.host != null) "-h ${cfg.database.host} --port ${toString dbPort}"} \ - -c '${e}' \ - ${cfg.database.name}'' - - else if cfg.database.type == "mysql" then '' - echo '${e}' | ${config.services.mysql.package}/bin/mysql \ - -u ${cfg.database.user} \ - ${optionalString (cfg.database.password != null) "-p${cfg.database.password}"} \ - ${optionalString (cfg.database.host != null) "-h ${cfg.database.host} -P ${toString dbPort}"} \ - ${cfg.database.name}'' - - else ""; - - in (optionalString (cfg.database.type == "pgsql") '' - exists=$(${callSql "select count(*) > 0 from pg_tables where tableowner = user"} \ - | tail -n+3 | head -n-2 | sed -e 's/[ \n\t]*//') - - if [ "$exists" == 'f' ]; then - ${callSql "\\i ${pkgs.tt-rss}/schema/ttrss_schema_${cfg.database.type}.sql"} - else - echo 'The database contains some data. Leaving it as it is.' - fi; - '') - - + (optionalString (cfg.database.type == "mysql") '' - exists=$(${callSql "select count(*) > 0 from information_schema.tables where table_schema = schema()"} \ - | tail -n+2 | sed -e 's/[ \n\t]*//') - - if [ "$exists" == '0' ]; then - ${callSql "\\. ${pkgs.tt-rss}/schema/ttrss_schema_${cfg.database.type}.sql"} - else - echo 'The database contains some data. Leaving it as it is.' - fi; - ''); + preStart = '' + ${pkgs.php81}/bin/php ${cfg.root}/www/update.php --update-schema + ''; serviceConfig = { User = "${cfg.user}"; diff --git a/nixos/modules/services/x11/window-managers/oroborus.nix b/nixos/modules/services/x11/window-managers/oroborus.nix deleted file mode 100644 index 654b8708e48fe..0000000000000 --- a/nixos/modules/services/x11/window-managers/oroborus.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.xserver.windowManager.oroborus; -in -{ - ###### interface - options = { - services.xserver.windowManager.oroborus.enable = mkEnableOption (lib.mdDoc "oroborus"); - }; - - ###### implementation - config = mkIf cfg.enable { - services.xserver.windowManager.session = singleton { - name = "oroborus"; - start = '' - ${pkgs.oroborus}/bin/oroborus & - waitPID=$! - ''; - }; - environment.systemPackages = [ pkgs.oroborus ]; - }; -} diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix index fb7afce4a5808..8c9483f01c102 100644 --- a/nixos/modules/system/boot/binfmt.nix +++ b/nixos/modules/system/boot/binfmt.nix @@ -279,7 +279,7 @@ in { support your new systems. Warning: the builder can execute all emulated systems within the same build, which introduces impurities in the case of cross compilation. ''; - type = types.listOf types.str; + type = types.listOf (types.enum (builtins.attrNames magics)); }; }; }; diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix index 1770f0759434d..d9a1535ffc7dd 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix @@ -147,7 +147,7 @@ in { default = false; type = types.bool; description = lib.mdDoc '' - Make MemTest86+ available from the systemd-boot menu. MemTest86+ is a + Make Memtest86+ available from the systemd-boot menu. Memtest86+ is a program for testing memory. ''; }; @@ -191,7 +191,7 @@ in { default = {}; example = literalExpression '' { "memtest86.conf" = ''' - title MemTest86+ + title Memtest86+ efi /efi/memtest86/memtest.efi '''; } ''; @@ -285,7 +285,7 @@ in { boot.loader.systemd-boot.extraEntries = mkMerge [ (mkIf cfg.memtest86.enable { "${cfg.memtest86.entryFilename}" = '' - title MemTest86 + title Memtest86+ efi /efi/memtest86/memtest.efi ''; }) diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index 6d0afcc57fcc6..238c6670ea0f8 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -902,6 +902,9 @@ let "RelayTarget" "RelayAgentCircuitId" "RelayAgentRemoteId" + "BootServerAddress" + "BootServerName" + "BootFilename" ]) (assertInt "PoolOffset") (assertMinimum "PoolOffset" 0) @@ -2812,9 +2815,15 @@ let environment.etc."systemd/networkd.conf" = renderConfig cfg.config; - systemd.services.systemd-networkd = { + systemd.services.systemd-networkd = let + isReloadableUnitFileName = unitFileName: strings.hasSuffix ".network" unitFileName; + reloadableUnitFiles = attrsets.filterAttrs (k: v: isReloadableUnitFileName k) unitFiles; + nonReloadableUnitFiles = attrsets.filterAttrs (k: v: !isReloadableUnitFileName k) unitFiles; + unitFileSources = unitFiles: map (x: x.source) (attrValues unitFiles); + in { wantedBy = [ "multi-user.target" ]; - restartTriggers = map (x: x.source) (attrValues unitFiles) ++ [ + reloadTriggers = unitFileSources reloadableUnitFiles; + restartTriggers = unitFileSources nonReloadableUnitFiles ++ [ config.environment.etc."systemd/networkd.conf".source ]; aliases = [ "dbus-org.freedesktop.network1.service" ]; diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh index c0af29e3b9909..5a2133f960e2b 100755 --- a/nixos/modules/system/boot/stage-2-init.sh +++ b/nixos/modules/system/boot/stage-2-init.sh @@ -105,7 +105,7 @@ fi # Required by the activation script install -m 0755 -d /etc -if [ -d "/etc/nixos" ]; then +if [ ! -h "/etc/nixos" ]; then install -m 0755 -d /etc/nixos fi install -m 01777 -d /tmp diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index ac55461107fb9..b6c3085c4f16f 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -395,7 +395,9 @@ in description = lib.mdDoc '' The amount of time which can elapse after a reboot has been triggered before a watchdog hardware device will automatically reboot the system. - Valid time units include "ms", "s", "min", "h", "d", and "w". + Valid time units include "ms", "s", "min", "h", "d", and "w". If left + `null`, systemd will use its default of `10min`; see also {command}`man + 5 systemd-system.conf`. ''; }; diff --git a/nixos/modules/tasks/bcache.nix b/nixos/modules/tasks/bcache.nix index 35b922dc8a1d3..68531a4d2fed7 100644 --- a/nixos/modules/tasks/bcache.nix +++ b/nixos/modules/tasks/bcache.nix @@ -1,6 +1,10 @@ -{ config, lib, pkgs, ... }: - -{ +{ config, lib, pkgs, ... }: let + cfg = config.boot.bcache; +in { + options.boot.bcache.enable = lib.mkEnableOption (lib.mdDoc "bcache mount support") // { + default = true; + example = false; + }; options.boot.initrd.services.bcache.enable = lib.mkEnableOption (lib.mdDoc "bcache support in the initrd") // { description = lib.mdDoc '' *This will only be used when systemd is used in stage 1.* @@ -9,7 +13,7 @@ ''; }; - config = { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.bcache-tools ]; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index eb1c7512d9200..0d4033ca9430a 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1396,14 +1396,12 @@ in security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter '' /run/wrappers/bin/ping { include <abstractions/base> - include <nixos/security.wrappers> + include <nixos/security.wrappers/ping> rpx /run/wrappers/wrappers.*/ping, } /run/wrappers/wrappers.*/ping { include <abstractions/base> - include <nixos/security.wrappers> - r /run/wrappers/wrappers.*/ping.real, - mrpx ${config.security.wrappers.ping.source}, + include <nixos/security.wrappers/ping> capability net_raw, capability setpcap, } diff --git a/nixos/modules/tasks/swraid.nix b/nixos/modules/tasks/swraid.nix index f624294565b06..1174187062d74 100644 --- a/nixos/modules/tasks/swraid.nix +++ b/nixos/modules/tasks/swraid.nix @@ -2,6 +2,8 @@ cfg = config.boot.swraid; + mdadm_conf = config.environment.etc."mdadm.conf"; + in { imports = [ (lib.mkRenamedOptionModule [ "boot" "initrd" "services" "swraid" "enable" ] [ "boot" "swraid" "enable" ]) @@ -36,8 +38,14 @@ in { }; config = lib.mkIf cfg.enable { + warnings = lib.mkIf + ((builtins.match ".*(MAILADDR|PROGRAM).*" mdadm_conf.text) == null) + [ "mdadm: Neither MAILADDR nor PROGRAM has been set. This will cause the `mdmon` service to crash." ]; + environment.systemPackages = [ pkgs.mdadm ]; + environment.etc."mdadm.conf".text = lib.mkAfter cfg.mdadmConf; + services.udev.packages = [ pkgs.mdadm ]; systemd.packages = [ pkgs.mdadm ]; @@ -59,12 +67,10 @@ in { $out/bin/mdadm --version ''; - extraFiles."/etc/mdadm.conf".source = pkgs.writeText "mdadm.conf" config.boot.swraid.mdadmConf; + extraFiles."/etc/mdadm.conf".source = pkgs.writeText "mdadm.conf" mdadm_conf.text; systemd = { - contents."/etc/mdadm.conf" = lib.mkIf (cfg.mdadmConf != "") { - text = cfg.mdadmConf; - }; + contents."/etc/mdadm.conf".text = mdadm_conf.text; packages = [ pkgs.mdadm ]; initrdBin = [ pkgs.mdadm ]; diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix index 4d220b9747aa6..e5f2d4c7934a1 100644 --- a/nixos/tests/acme.nix +++ b/nixos/tests/acme.nix @@ -18,7 +18,7 @@ dnsConfig = nodes: { dnsProvider = "exec"; dnsPropagationCheck = false; - credentialsFile = pkgs.writeText "wildcard.env" '' + environmentFile = pkgs.writeText "wildcard.env" '' EXEC_PATH=${dnsScript nodes} EXEC_POLLING_INTERVAL=1 EXEC_PROPAGATION_TIMEOUT=1 @@ -266,6 +266,37 @@ in { } ]; + concurrency-limit.configuration = {pkgs, ...}: lib.mkMerge [ + webserverBasicConfig { + security.acme.maxConcurrentRenewals = 1; + + services.nginx.virtualHosts = { + "f.example.test" = vhostBase // { + enableACME = true; + }; + "g.example.test" = vhostBase // { + enableACME = true; + }; + "h.example.test" = vhostBase // { + enableACME = true; + }; + }; + + systemd.services = { + # check for mutual exclusion of starting renew services + "acme-f.example.test".serviceConfig.ExecPreStart = "+" + (pkgs.writeShellScript "test-f" '' + test "$(systemctl is-active acme-{g,h}.example.test.service | grep activating | wc -l)" -le 0 + ''); + "acme-g.example.test".serviceConfig.ExecPreStart = "+" + (pkgs.writeShellScript "test-g" '' + test "$(systemctl is-active acme-{f,h}.example.test.service | grep activating | wc -l)" -le 0 + ''); + "acme-h.example.test".serviceConfig.ExecPreStart = "+" + (pkgs.writeShellScript "test-h" '' + test "$(systemctl is-active acme-{g,f}.example.test.service | grep activating | wc -l)" -le 0 + ''); + }; + } + ]; + # Test lego internal server (listenHTTP option) # Also tests useRoot option lego-server.configuration = { ... }: { @@ -297,7 +328,7 @@ in { services.caddy = { enable = true; - virtualHosts."a.exmaple.test" = { + virtualHosts."a.example.test" = { useACMEHost = "example.test"; extraConfig = '' root * ${documentRoot} @@ -591,6 +622,15 @@ in { webserver.wait_for_unit("nginx.service") check_connection(client, "slow.example.test") + with subtest("Can limit concurrency of running renewals"): + switch_to(webserver, "concurrency-limit") + webserver.wait_for_unit("acme-finished-f.example.test.target") + webserver.wait_for_unit("acme-finished-g.example.test.target") + webserver.wait_for_unit("acme-finished-h.example.test.target") + check_connection(client, "f.example.test") + check_connection(client, "g.example.test") + check_connection(client, "h.example.test") + with subtest("Works with caddy"): switch_to(webserver, "caddy") webserver.wait_for_unit("acme-finished-example.test.target") diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 0037fb1893664..d674d0cdba37d 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -275,7 +275,6 @@ in { firefox-beta = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-beta; }; firefox-devedition = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-devedition; }; firefox-esr = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-esr; }; # used in `tested` job - firefox-esr-102 = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-esr-102; }; firefox-esr-115 = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-esr-115; }; firejail = handleTest ./firejail.nix {}; firewall = handleTest ./firewall.nix { nftables = false; }; diff --git a/nixos/tests/fontconfig-default-fonts.nix b/nixos/tests/fontconfig-default-fonts.nix index d8c6ea0f721b5..293dc43f91f38 100644 --- a/nixos/tests/fontconfig-default-fonts.nix +++ b/nixos/tests/fontconfig-default-fonts.nix @@ -9,7 +9,7 @@ import ./make-test-python.nix ({ lib, ... }: nodes.machine = { config, pkgs, ... }: { fonts.enableDefaultPackages = true; # Background fonts fonts.packages = with pkgs; [ - noto-fonts-emoji + noto-fonts-color-emoji cantarell-fonts twitter-color-emoji source-code-pro diff --git a/nixos/tests/noto-fonts.nix b/nixos/tests/noto-fonts.nix index edbb0db4cb7aa..b871f5f517294 100644 --- a/nixos/tests/noto-fonts.nix +++ b/nixos/tests/noto-fonts.nix @@ -11,7 +11,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { noto-fonts noto-fonts-cjk-sans noto-fonts-cjk-serif - noto-fonts-emoji + noto-fonts-color-emoji ]; fontconfig.defaultFonts = { serif = [ "Noto Serif" "Noto Serif CJK SC" ]; diff --git a/nixos/tests/postgis.nix b/nixos/tests/postgis.nix index 9d81ebaad85f2..d0685abc510c9 100644 --- a/nixos/tests/postgis.nix +++ b/nixos/tests/postgis.nix @@ -9,7 +9,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { { pkgs, ... }: { - services.postgresql = let mypg = pkgs.postgresql_11; in { + services.postgresql = let mypg = pkgs.postgresql; in { enable = true; package = mypg; extraPlugins = with mypg.pkgs; [ diff --git a/nixos/tests/restic.nix b/nixos/tests/restic.nix index 626049e73341f..3b9ea2f85b1ed 100644 --- a/nixos/tests/restic.nix +++ b/nixos/tests/restic.nix @@ -97,9 +97,9 @@ import ./make-test-python.nix ( server.start() server.wait_for_unit("dbus.socket") server.fail( - "${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots", - '${pkgs.restic}/bin/restic -r ${remoteFromFileRepository} -p ${passwordFile} snapshots"', - "${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots", + "restic-remotebackup snapshots", + 'restic-remote-from-file-backup snapshots"', + "restic-rclonebackup snapshots", "grep 'backup.* /opt' /root/fake-restic.log", ) server.succeed( @@ -112,20 +112,20 @@ import ./make-test-python.nix ( "timedatectl set-time '2016-12-13 13:45'", "systemctl start restic-backups-remotebackup.service", "rm /root/backupCleanupCommand", - '${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"', + 'restic-remotebackup snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"', # test that restoring that snapshot produces the same directory "mkdir /tmp/restore-1", - "${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} restore latest -t /tmp/restore-1", + "restic-remotebackup restore latest -t /tmp/restore-1", "diff -ru ${testDir} /tmp/restore-1/opt", # test that remote-from-file-backup produces a snapshot "systemctl start restic-backups-remote-from-file-backup.service", - '${pkgs.restic}/bin/restic -r ${remoteFromFileRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"', + 'restic-remote-from-file-backup snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"', # test that rclonebackup produces a snapshot "systemctl start restic-backups-rclonebackup.service", - '${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"', + 'restic-rclonebackup snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"', # test that custompackage runs both `restic backup` and `restic check` with reasonable commandlines "systemctl start restic-backups-custompackage.service", @@ -158,12 +158,12 @@ import ./make-test-python.nix ( "rm /root/backupCleanupCommand", "systemctl start restic-backups-rclonebackup.service", - '${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 4"', - '${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 4"', + 'restic-remotebackup snapshots --json | ${pkgs.jq}/bin/jq "length | . == 4"', + 'restic-rclonebackup snapshots --json | ${pkgs.jq}/bin/jq "length | . == 4"', # test that remoteprune brings us back to 1 snapshot in remotebackup "systemctl start restic-backups-remoteprune.service", - '${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"', + 'restic-remotebackup snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"', ) ''; diff --git a/nixos/tests/sudo.nix b/nixos/tests/sudo.nix index 3b6028c6f0b09..1b177391488d8 100644 --- a/nixos/tests/sudo.nix +++ b/nixos/tests/sudo.nix @@ -5,7 +5,7 @@ let in import ./make-test-python.nix ({ lib, pkgs, ...} : { name = "sudo"; - meta.maintainers = with lib.maintainers; [ lschuermann ]; + meta.maintainers = pkgs.sudo.meta.maintainers; nodes.machine = { lib, ... }: diff --git a/nixos/tests/systemd-initrd-swraid.nix b/nixos/tests/systemd-initrd-swraid.nix index d87170c925742..d00e67b5705ab 100644 --- a/nixos/tests/systemd-initrd-swraid.nix +++ b/nixos/tests/systemd-initrd-swraid.nix @@ -20,6 +20,9 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { ARRAY /dev/md0 devices=/dev/vdb,/dev/vdc ''; }; + environment.etc."mdadm.conf".text = '' + MAILADDR test@example.com + ''; boot.initrd = { systemd = { enable = true; @@ -29,11 +32,14 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { }; specialisation.boot-swraid.configuration.virtualisation.rootDevice = "/dev/disk/by-label/testraid"; + # This protects against a regression. We do not have to switch to it. + # It's sufficient to trigger its evaluation. + specialisation.build-old-initrd.configuration.boot.initrd.systemd.enable = lib.mkForce false; }; testScript = '' # Create RAID - machine.succeed("mdadm --create --force /dev/md0 -n 2 --level=raid0 /dev/vdb /dev/vdc") + machine.succeed("mdadm --create --force /dev/md0 -n 2 --level=raid1 /dev/vdb /dev/vdc --metadata=0.90") machine.succeed("mkfs.ext4 -L testraid /dev/md0") machine.succeed("mkdir -p /mnt && mount /dev/md0 /mnt && echo hello > /mnt/test && umount /mnt") @@ -48,5 +54,13 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { assert "/dev/md0 on / type ext4" in machine.succeed("mount") assert "hello" in machine.succeed("cat /test") assert "md0" in machine.succeed("cat /proc/mdstat") + + expected_config = """MAILADDR test@example.com + + ARRAY /dev/md0 devices=/dev/vdb,/dev/vdc + """ + got_config = machine.execute("cat /etc/mdadm.conf")[1] + assert expected_config == got_config, repr((expected_config, got_config)) + machine.wait_for_unit("mdmonitor.service") ''; }) diff --git a/nixos/tests/wrappers.nix b/nixos/tests/wrappers.nix index 391e9b42b45bd..1d4fa85d73993 100644 --- a/nixos/tests/wrappers.nix +++ b/nixos/tests/wrappers.nix @@ -21,6 +21,8 @@ in }; }; + security.apparmor.enable = true; + security.wrappers = { suidRoot = { owner = "root"; @@ -84,17 +86,27 @@ in test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -g', '0') test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -rg', '0') + # Test that in nonewprivs environment the wrappers simply exec their target. + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -u', '${toString userUid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -ru', '${toString userUid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -g', '${toString usersGid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -rg', '${toString usersGid}') + + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -u', '${toString userUid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -ru', '${toString userUid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -g', '${toString usersGid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -rg', '${toString usersGid}') + # We are only testing the permitted set, because it's easiest to look at with capsh. machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_CHOWN')) machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_SYS_ADMIN')) machine.succeed(cmd_as_regular('/run/wrappers/bin/capsh_with_chown --has-p=CAP_CHOWN')) machine.fail(cmd_as_regular('/run/wrappers/bin/capsh_with_chown --has-p=CAP_SYS_ADMIN')) - # test a few "attacks" against which the wrapper protects itself - machine.succeed("cp /run/wrappers/bin/suid_root_busybox{,.real} /tmp/") - machine.fail(cmd_as_regular("/tmp/suid_root_busybox id -u")) - - machine.succeed("chmod u+s,a+w /run/wrappers/bin/suid_root_busybox") - machine.fail(cmd_as_regular("/run/wrappers/bin/suid_root_busybox id -u")) + # Test that the only user of apparmor policy includes generated by + # wrappers works. Ideally this'd be located in a test for the module that + # actually makes the apparmor policy for ping, but there's no convenient + # test for that one. + machine.succeed("ping -c 1 127.0.0.1") ''; }) |