diff options
Diffstat (limited to 'nixos')
45 files changed, 637 insertions, 167 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2105.section.md b/nixos/doc/manual/release-notes/rl-2105.section.md index 080ca68d92581..cae3f8a850115 100644 --- a/nixos/doc/manual/release-notes/rl-2105.section.md +++ b/nixos/doc/manual/release-notes/rl-2105.section.md @@ -353,7 +353,7 @@ When upgrading from a previous release, please be aware of the following incompa Another benefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` and `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. We are using the path `/etc/unbound/unbound.conf` as that is the default in the CLI tooling which in turn enables us to use `unbound-control` without passing a custom configuration location. - The module has also been reworked to be [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) compliant. As such, `sevices.unbound.extraConfig` has been removed and replaced by [services.unbound.settings](options.html#opt-services.unbound.settings). `services.unbound.interfaces` has been renamed to `services.unbound.settings.server.interface`. + The module has also been reworked to be [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) compliant. As such, `services.unbound.extraConfig` has been removed and replaced by [services.unbound.settings](options.html#opt-services.unbound.settings). `services.unbound.interfaces` has been renamed to `services.unbound.settings.server.interface`. `services.unbound.forwardAddresses` and `services.unbound.allowedAccess` have also been changed to use the new settings interface. You can follow the instructions when executing `nixos-rebuild` to upgrade your configuration to use the new interface. diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index c9da29063e1a6..3d27d3fef8faa 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -87,7 +87,7 @@ In addition to numerous new and updated packages, this release has the following - [gmediarender](https://github.com/hzeller/gmrender-resurrect), a simple, headless UPnP/DLNA renderer. Available as [services.gmediarender](options.html#opt-services.gmediarender.enable). -- [go2rtc](https://github.com/AlexxIT/go2rtc), a camera streaming appliation with support for RTSP, WebRTC, HomeKit, FFMPEG, RTMP and other protocols. Available as [services.go2rtc](options.html#opt-services.go2rtc.enable). +- [go2rtc](https://github.com/AlexxIT/go2rtc), a camera streaming application with support for RTSP, WebRTC, HomeKit, FFMPEG, RTMP and other protocols. Available as [services.go2rtc](options.html#opt-services.go2rtc.enable). - [goeland](https://github.com/slurdge/goeland), an alternative to rss2email written in Golang with many filters. Available as [services.goeland](#opt-services.goeland.enable). @@ -203,7 +203,7 @@ In addition to numerous new and updated packages, this release has the following - `graylog` has been updated to version 5, which can not be updated directly from the previously packaged version 3.3. If you had installed the previously packaged version 3.3, please follow the [upgrade path](https://go2docs.graylog.org/5-0/upgrading_graylog/upgrade_path.htm) from 3.3 to 4.0 to 4.3 to 5.0. -- `buildFHSUserEnv` is now called `buildFHSEnv` and uses FlatPak's Bubblewrap sandboxing tool rather than Nixpkgs' own chrootenv. The old chrootenv-based implemenation is still available via `buildFHSEnvChroot` but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs. +- `buildFHSUserEnv` is now called `buildFHSEnv` and uses FlatPak's Bubblewrap sandboxing tool rather than Nixpkgs' own chrootenv. The old chrootenv-based implementation is still available via `buildFHSEnvChroot` but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs. - `nushell` has been updated to at least version 0.77.0, which includes potential breaking changes in aliases. The old aliases are now available as `old-alias` but it is recommended you migrate to the new format. See [Reworked aliases](https://www.nushell.sh/blog/2023-03-14-nushell_0_77.html#reworked-aliases-breaking-changes-kubouch). @@ -555,7 +555,7 @@ In addition to numerous new and updated packages, this release has the following - `buildDunePackage` now defaults to `strictDeps = true` which means that any library should go into `buildInputs` or `checkInputs`. Any executable that is run on the building machine should go into `nativeBuildInputs` or `nativeCheckInputs` respectively. Example of executables are `ocaml`, `findlib` and `menhir`. PPXs are libraries which are built by dune and should therefore not go into `nativeBuildInputs`. -- `buildFHSUserEnv` is now called `buildFHSEnv` and uses FlatPak's Bubblewrap sandboxing tool rather than Nixpkgs' own chrootenv. The old chrootenv-based implemenation is still available via `buildFHSEnvChroot` but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs. +- `buildFHSUserEnv` is now called `buildFHSEnv` and uses FlatPak's Bubblewrap sandboxing tool rather than Nixpkgs' own chrootenv. The old chrootenv-based implementation is still available via `buildFHSEnvChroot` but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs. - Top-level `buildPlatform`, `hostPlatform`, `targetPlatform` have been deprecated, use `stdenv.X` instead. diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 2fb86c2e4bd19..2ab28b898d7f1 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -10,6 +10,12 @@ - The `nixos-rebuild` command has been given a `list-generations` subcommand. See `man nixos-rebuild` for more details. +- [systemd](https://systemd.io) has been updated from v253 to v254, see [the release notes](https://github.com/systemd/systemd/blob/v254/NEWS#L3-L659) for more information on the changes. + - `boot.resumeDevice` **must be specified** when hibernating if not in EFI mode. + - systemd may warn your system about the permissions of your ESP partition (often `/boot`), this warning can be ignored for now, we are looking + into a satisfying solution regarding this problem. + - Updating with `nixos-rebuild boot` and rebooting is recommended, since in some rare cases the `nixos-rebuild switch` into the new generation on a live system might fail due to missing mount units. + - [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported. An experimental new module `security.sudo-rs` was added. Switching to it (via `security.sudo.enable = false; security.sudo-rs.enable = true;`) introduces @@ -20,7 +26,6 @@ [`sudo-rs`]: https://github.com/memorysafety/sudo-rs/ - ## New Services {#sec-release-23.11-new-services} - [MCHPRS](https://github.com/MCHPR/MCHPRS), a multithreaded Minecraft server built for redstone. Available as [services.mchprs](#opt-services.mchprs.enable). @@ -80,6 +85,10 @@ - [NNCP](http://www.nncpgo.org/). Added nncp-daemon and nncp-caller services. Configuration is set with [programs.nncp.settings](#opt-programs.nncp.settings) and the daemons are enabled at [services.nncp](#opt-services.nncp.caller.enable). +- [tuxedo-rs](https://github.com/AaronErhardt/tuxedo-rs), Rust utilities for interacting with hardware from TUXEDO Computers. + +- [audiobookshelf](https://github.com/advplyr/audiobookshelf/), a self-hosted audiobook and podcast server. Available as [services.audiobookshelf](#opt-services.audiobookshelf.enable). + ## Backward Incompatibilities {#sec-release-23.11-incompatibilities} - The `boot.loader.raspberryPi` options have been marked deprecated, with intent for removal for NixOS 24.11. They had a limited use-case, and do not work like people expect. They required either very old installs ([before mid-2019](https://github.com/NixOS/nixpkgs/pull/62462)) or customized builds out of scope of the standard and generic AArch64 support. That option set never supported the Raspberry Pi 4 family of devices. @@ -112,6 +121,9 @@ - The `services.ananicy.extraRules` option now has the type of `listOf attrs` instead of `string`. +- `buildVimPluginFrom2Nix` has been renamed to `buildVimPlugin`, which now + now skips `configurePhase` and `buildPhase` + - JACK tools (`jack_*` except `jack_control`) have moved from the `jack2` package to `jack-example-tools` - The `matrix-synapse` package & module have undergone some significant internal changes, for most setups no intervention is needed, though: @@ -121,6 +133,8 @@ - A list of all extras (and the extras enabled by default) can be found at the [option's reference for `services.matrix-synapse.extras`](#opt-services.matrix-synapse.extras). - In some cases (e.g. for running synapse workers) it was necessary to re-use the `PYTHONPATH` of `matrix-synapse.service`'s environment to have all plugins available. This isn't necessary anymore, instead `config.services.matrix-synapse.package` can be used as it points to the wrapper with properly configured `extras` and also all plugins defined via [`services.matrix-synapse.plugins`](#opt-services.matrix-synapse.plugins) available. This is also the reason for why the option is read-only now, it's supposed to be set by the module only. +- `netbox` was updated to 3.6. NixOS' `services.netbox.package` still defaults to 3.5 if `stateVersion` is earlier than 23.11. Please review upstream's breaking changes [for 3.6.0](https://github.com/netbox-community/netbox/releases/tag/v3.6.0) and upgrade NetBox by changing `services.netbox.package`. Database migrations will be run automatically. + - `etcd` has been updated to 3.5, you will want to read the [3.3 to 3.4](https://etcd.io/docs/v3.5/upgrades/upgrade_3_4/) and [3.4 to 3.5](https://etcd.io/docs/v3.5/upgrades/upgrade_3_5/) upgrade guides - `gitlab` installations created or updated between versions \[15.11.0, 15.11.2] have an incorrect database schema. This will become a problem when upgrading to `gitlab` >=16.2.0. A workaround for affected users can be found in the [GitLab docs](https://docs.gitlab.com/ee/update/versions/gitlab_16_changes.html#undefined-column-error-upgrading-to-162-or-later). @@ -153,6 +167,10 @@ - PHP now defaults to PHP 8.2, updated from 8.1. +- GraalVM has been updated to the latest version, and this brings significant changes. Upstream don't release multiple versions targeting different JVMs anymore, so now we only have one GraalVM derivation (`graalvm-ce`). While at first glance the version may seem a downgrade (22.3.1 -> 21.0.0), the major version is now following the JVM it targets (so this latest version targets JVM 21). Also some products like `llvm-installable-svm` and `native-image-svm` were incorporate to the main GraalVM derivation, so they're included by default. + +- GraalPy (`graalCEPackages.graalpy`), TruffleRuby (`graalCEPackages.truffleruby`), GraalJS (`graalCEPackages.graaljs`) and GraalNodeJS (`grallCEPackages.graalnodejs`) are now indepedent from the main GraalVM derivation. + - The ISC DHCP package and corresponding module have been removed, because they are end of life upstream. See https://www.isc.org/blogs/isc-dhcp-eol/ for details and switch to a different DHCP implementation like kea or dnsmasq. - `prometheus-unbound-exporter` has been replaced by the Let's Encrypt maintained version, since the previous version was archived. This requires some changes to the module configuration, most notable `controlInterface` needs migration @@ -184,6 +202,10 @@ - `spamassassin` no longer supports the `Hashcash` module. The module needs to be removed from the `loadplugin` list if it was copied over from the default `initPreConf` option. +- `nano` was removed from `environment.defaultPackages`. To not leave systems without a editor, now `programs.nano.enable` is enabled by default. + +- `programs.nano.nanorc` and `programs.nano.syntaxHighlight` no longer have an effect unless `programs.nano.enable` is set to true which is the default. + - `services.outline.sequelizeArguments` has been removed, as `outline` no longer executes database migrations via the `sequelize` cli. - The binary of the package `cloud-sql-proxy` has changed from `cloud_sql_proxy` to `cloud-sql-proxy`. @@ -226,6 +248,11 @@ - `networking.networkmanager.firewallBackend` was removed as NixOS is now using iptables-nftables-compat even when using iptables, therefore Networkmanager now uses the nftables backend unconditionally. +- [`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl-prime) now always evaluates the initial accumulator argument first. + If you depend on the lazier behavior, consider using [`lib.lists.foldl`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl) or [`builtins.foldl'`](https://nixos.org/manual/nix/stable/language/builtins.html#builtins-foldl') instead. + +- [`lib.attrsets.foldlAttrs`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.attrsets.foldlAttrs) now always evaluates the initial accumulator argument first. + - `rome` was removed because it is no longer maintained and is succeeded by `biome`. - The `services.mtr-exporter.target` has been removed in favor of `services.mtr-exporter.jobs` which allows specifying multiple targets. @@ -256,6 +283,8 @@ - New options were added to `services.searx` for better SearXNG support, including options for the built-in rate limiter and bot protection and automatically configuring a local redis server. +- `jq` was updated to 1.7, its [first release in 5 years](https://github.com/jqlang/jq/releases/tag/jq-1.7). + - A new option was added to the virtualisation module that enables specifying explicitly named network interfaces in QEMU VMs. The existing `virtualisation.vlans` is still supported for cases where the name of the network interface is irrelevant. - DocBook option documentation is no longer supported, all module documentation now uses markdown. @@ -276,11 +305,11 @@ The module update takes care of the new config syntax and the data itself (user - `services.nginx` gained a `defaultListen` option at server-level with support for PROXY protocol listeners, also `proxyProtocol` is now exposed in `services.nginx.virtualHosts.<name>.listen` option. It is now possible to run PROXY listeners and non-PROXY listeners at a server-level, see [#213510](https://github.com/NixOS/nixpkgs/pull/213510/) for more details. -- `services.restic.backups` now adds wrapper scripts to your system path, which set the same environment variables as the service, so restic operations can easly be run from the command line. This behavior can be disabled by setting `createWrapper` to `false`, per backup configuration. +- `services.restic.backups` now adds wrapper scripts to your system path, which set the same environment variables as the service, so restic operations can easily be run from the command line. This behavior can be disabled by setting `createWrapper` to `false`, per backup configuration. - `services.prometheus.exporters` has a new exporter to monitor electrical power consumption based on PowercapRAPL sensor called [Scaphandre](https://github.com/hubblo-org/scaphandre), see [#239803](https://github.com/NixOS/nixpkgs/pull/239803) for more details. -- The MariaDB C client library was upgraded from 3.2.x to 3.3.x. It is recomended to review the [upstream release notes](https://mariadb.com/kb/en/mariadb-connector-c-33-release-notes/). +- The MariaDB C client library was upgraded from 3.2.x to 3.3.x. It is recommended to review the [upstream release notes](https://mariadb.com/kb/en/mariadb-connector-c-33-release-notes/). - The module `services.calibre-server` has new options to configure the `host`, `port`, `auth.enable`, `auth.mode` and `auth.userDb` path, see [#216497](https://github.com/NixOS/nixpkgs/pull/216497/) for more details. @@ -327,6 +356,24 @@ The module update takes care of the new config syntax and the data itself (user - `keepTerminfo` controls whether `TERMINFO` and `TERMINFO_DIRS` are preserved for `root` and the `wheel` group. +- CoreDNS can now be built with external plugins by overriding `externalPlugins` and `vendorHash` arguments like this: + + ``` + services.coredns = { + enable = true; + package = pkgs.coredns.override { + externalPlugins = [ + {name = "fanout"; repo = "github.com/networkservicemesh/fanout"; version = "v1.9.1";} + ]; + vendorHash = "<SRI hash>"; + }; + }; + ``` + + To get the necessary SRI hash, set `vendorHash = "";`. The build will fail and produce the correct `vendorHash` in the error message. + + If you use this feature, updates to CoreDNS may require updating `vendorHash` by following these steps again. + ## Nixpkgs internals {#sec-release-23.11-nixpkgs-internals} @@ -346,7 +393,7 @@ The module update takes care of the new config syntax and the data itself (user - The `qemu-vm.nix` module by default now identifies block devices via persistent names available in `/dev/disk/by-*`. Because the rootDevice is - identfied by its filesystem label, it needs to be formatted before the VM is + identified by its filesystem label, it needs to be formatted before the VM is started. The functionality of automatically formatting the rootDevice in the initrd is removed from the QEMU module. However, for tests that depend on this functionality, a test utility for the scripted initrd is added diff --git a/nixos/lib/test-driver/default.nix b/nixos/lib/test-driver/default.nix index 33313059fff77..6e01e00b43552 100644 --- a/nixos/lib/test-driver/default.nix +++ b/nixos/lib/test-driver/default.nix @@ -4,19 +4,20 @@ , qemu_pkg ? qemu_test , coreutils , imagemagick_light -, libtiff , netpbm , qemu_test , socat +, ruff , tesseract4 , vde2 , extraPythonPackages ? (_ : []) }: -python3Packages.buildPythonApplication rec { +python3Packages.buildPythonApplication { pname = "nixos-test-driver"; version = "1.1"; src = ./.; + format = "pyproject"; propagatedBuildInputs = [ coreutils @@ -31,14 +32,13 @@ python3Packages.buildPythonApplication rec { ++ extraPythonPackages python3Packages; doCheck = true; - nativeCheckInputs = with python3Packages; [ mypy pylint black ]; + nativeCheckInputs = with python3Packages; [ mypy ruff black ]; checkPhase = '' - mypy --disallow-untyped-defs \ - --no-implicit-optional \ - --pretty \ - --no-color-output \ - --ignore-missing-imports ${src}/test_driver - pylint --errors-only --enable=unused-import ${src}/test_driver - black --check --diff ${src}/test_driver + echo -e "\x1b[32m## run mypy\x1b[0m" + mypy test_driver extract-docstrings.py + echo -e "\x1b[32m## run ruff\x1b[0m" + ruff . + echo -e "\x1b[32m## run black\x1b[0m" + black --check --diff . ''; } diff --git a/nixos/lib/test-driver/extract-docstrings.py b/nixos/lib/test-driver/extract-docstrings.py index 5aec4c89a9d74..64850ca711f3b 100644 --- a/nixos/lib/test-driver/extract-docstrings.py +++ b/nixos/lib/test-driver/extract-docstrings.py @@ -1,5 +1,6 @@ import ast import sys +from pathlib import Path """ This program takes all the Machine class methods and prints its methods in @@ -40,27 +41,34 @@ some_function(param1, param2) """ -assert len(sys.argv) == 2 -with open(sys.argv[1], "r") as f: - module = ast.parse(f.read()) +def main() -> None: + if len(sys.argv) != 2: + print(f"Usage: {sys.argv[0]} <path-to-test-driver>") + sys.exit(1) -class_definitions = (node for node in module.body if isinstance(node, ast.ClassDef)) + module = ast.parse(Path(sys.argv[1]).read_text()) -machine_class = next(filter(lambda x: x.name == "Machine", class_definitions)) -assert machine_class is not None + class_definitions = (node for node in module.body if isinstance(node, ast.ClassDef)) -function_definitions = [ - node for node in machine_class.body if isinstance(node, ast.FunctionDef) -] -function_definitions.sort(key=lambda x: x.name) + machine_class = next(filter(lambda x: x.name == "Machine", class_definitions)) + assert machine_class is not None -for f in function_definitions: - docstr = ast.get_docstring(f) - if docstr is not None: - args = ", ".join((a.arg for a in f.args.args[1:])) - args = f"({args})" + function_definitions = [ + node for node in machine_class.body if isinstance(node, ast.FunctionDef) + ] + function_definitions.sort(key=lambda x: x.name) - docstr = "\n".join((f" {l}" for l in docstr.strip().splitlines())) + for function in function_definitions: + docstr = ast.get_docstring(function) + if docstr is not None: + args = ", ".join(a.arg for a in function.args.args[1:]) + args = f"({args})" - print(f"{f.name}{args}\n\n:{docstr[1:]}\n") + docstr = "\n".join(f" {line}" for line in docstr.strip().splitlines()) + + print(f"{function.name}{args}\n\n:{docstr[1:]}\n") + + +if __name__ == "__main__": + main() diff --git a/nixos/lib/test-driver/pyproject.toml b/nixos/lib/test-driver/pyproject.toml new file mode 100644 index 0000000000000..8638f14dfdaef --- /dev/null +++ b/nixos/lib/test-driver/pyproject.toml @@ -0,0 +1,44 @@ +[build-system] +requires = ["setuptools"] +build-backend = "setuptools.build_meta" + +[project] +name = "nixos-test-driver" +version = "0.0.0" + +[project.scripts] +nixos-test-driver = "test_driver:main" +generate-driver-symbols = "test_driver:generate_driver_symbols" + +[tool.setuptools.packages] +find = {} + +[tool.setuptools.package-data] +test_driver = ["py.typed"] + +[tool.ruff] +line-length = 88 + +select = ["E", "F", "I", "U", "N"] +ignore = ["E501"] + +# xxx: we can import https://pypi.org/project/types-colorama/ here +[[tool.mypy.overrides]] +module = "colorama.*" +ignore_missing_imports = true + +[[tool.mypy.overrides]] +module = "ptpython.*" +ignore_missing_imports = true + +[tool.black] +line-length = 88 +target-version = ['py39'] +include = '\.pyi?$' + +[tool.mypy] +python_version = "3.10" +warn_redundant_casts = true +disallow_untyped_calls = true +disallow_untyped_defs = true +no_implicit_optional = true diff --git a/nixos/lib/test-driver/setup.py b/nixos/lib/test-driver/setup.py deleted file mode 100644 index 1719b988db689..0000000000000 --- a/nixos/lib/test-driver/setup.py +++ /dev/null @@ -1,14 +0,0 @@ -from setuptools import setup, find_packages - -setup( - name="nixos-test-driver", - version='1.1', - packages=find_packages(), - package_data={"test_driver": ["py.typed"]}, - entry_points={ - "console_scripts": [ - "nixos-test-driver=test_driver:main", - "generate-driver-symbols=test_driver:generate_driver_symbols" - ] - }, -) diff --git a/nixos/lib/test-driver/shell.nix b/nixos/lib/test-driver/shell.nix new file mode 100644 index 0000000000000..367bbad556c03 --- /dev/null +++ b/nixos/lib/test-driver/shell.nix @@ -0,0 +1,2 @@ +with import ../../.. {}; +pkgs.callPackage ./default.nix {} diff --git a/nixos/lib/test-driver/test_driver/__init__.py b/nixos/lib/test-driver/test_driver/__init__.py index c90e3d9e1cdb6..371719d7a9884 100755 --- a/nixos/lib/test-driver/test_driver/__init__.py +++ b/nixos/lib/test-driver/test_driver/__init__.py @@ -1,11 +1,12 @@ -from pathlib import Path import argparse -import ptpython.repl import os import time +from pathlib import Path + +import ptpython.repl -from test_driver.logger import rootlog from test_driver.driver import Driver +from test_driver.logger import rootlog class EnvDefault(argparse.Action): @@ -25,9 +26,7 @@ class EnvDefault(argparse.Action): ) if required and default: required = False - super(EnvDefault, self).__init__( - default=default, required=required, nargs=nargs, **kwargs - ) + super().__init__(default=default, required=required, nargs=nargs, **kwargs) def __call__(self, parser, namespace, values, option_string=None): # type: ignore setattr(namespace, self.dest, values) diff --git a/nixos/lib/test-driver/test_driver/driver.py b/nixos/lib/test-driver/test_driver/driver.py index 835d60ec3b4fd..723c807178607 100644 --- a/nixos/lib/test-driver/test_driver/driver.py +++ b/nixos/lib/test-driver/test_driver/driver.py @@ -1,14 +1,14 @@ -from contextlib import contextmanager -from pathlib import Path -from typing import Any, Dict, Iterator, List, Union, Optional, Callable, ContextManager import os import re import tempfile +from contextlib import contextmanager +from pathlib import Path +from typing import Any, Callable, ContextManager, Dict, Iterator, List, Optional, Union from test_driver.logger import rootlog from test_driver.machine import Machine, NixStartScript, retry -from test_driver.vlan import VLan from test_driver.polling_condition import PollingCondition +from test_driver.vlan import VLan def get_tmp_dir() -> Path: diff --git a/nixos/lib/test-driver/test_driver/logger.py b/nixos/lib/test-driver/test_driver/logger.py index e6182ff7c761d..116244b5e4ae0 100644 --- a/nixos/lib/test-driver/test_driver/logger.py +++ b/nixos/lib/test-driver/test_driver/logger.py @@ -1,13 +1,17 @@ -from colorama import Style, Fore -from contextlib import contextmanager -from typing import Any, Dict, Iterator -from queue import Queue, Empty -from xml.sax.saxutils import XMLGenerator +# mypy: disable-error-code="no-untyped-call" +# drop the above line when mypy is upgraded to include +# https://github.com/python/typeshed/commit/49b717ca52bf0781a538b04c0d76a5513f7119b8 import codecs import os import sys import time import unicodedata +from contextlib import contextmanager +from queue import Empty, Queue +from typing import Any, Dict, Iterator +from xml.sax.saxutils import XMLGenerator + +from colorama import Fore, Style class Logger: diff --git a/nixos/lib/test-driver/test_driver/machine.py b/nixos/lib/test-driver/test_driver/machine.py index 2afcbc95c6670..7ed001a1dfce4 100644 --- a/nixos/lib/test-driver/test_driver/machine.py +++ b/nixos/lib/test-driver/test_driver/machine.py @@ -1,7 +1,3 @@ -from contextlib import _GeneratorContextManager, nullcontext -from pathlib import Path -from queue import Queue -from typing import Any, Callable, Dict, Iterable, List, Optional, Tuple import base64 import io import os @@ -16,6 +12,10 @@ import sys import tempfile import threading import time +from contextlib import _GeneratorContextManager, nullcontext +from pathlib import Path +from queue import Queue +from typing import Any, Callable, Dict, Iterable, List, Optional, Tuple from test_driver.logger import rootlog @@ -236,14 +236,14 @@ class LegacyStartCommand(StartCommand): def __init__( self, - netBackendArgs: Optional[str] = None, - netFrontendArgs: Optional[str] = None, + netBackendArgs: Optional[str] = None, # noqa: N803 + netFrontendArgs: Optional[str] = None, # noqa: N803 hda: Optional[Tuple[Path, str]] = None, cdrom: Optional[str] = None, usb: Optional[str] = None, bios: Optional[str] = None, - qemuBinary: Optional[str] = None, - qemuFlags: Optional[str] = None, + qemuBinary: Optional[str] = None, # noqa: N803 + qemuFlags: Optional[str] = None, # noqa: N803 ): if qemuBinary is not None: self._cmd = qemuBinary @@ -599,7 +599,7 @@ class Machine: return (-1, output.decode()) # Get the return code - self.shell.send("echo ${PIPESTATUS[0]}\n".encode()) + self.shell.send(b"echo ${PIPESTATUS[0]}\n") rc = int(self._next_newline_closed_block_from_shell().strip()) return (rc, output.decode(errors="replace")) @@ -843,6 +843,9 @@ class Machine: while True: chunk = self.shell.recv(1024) + # No need to print empty strings, it means we are waiting. + if len(chunk) == 0: + continue self.log(f"Guest shell says: {chunk!r}") # NOTE: for this to work, nothing must be printed after this line! if b"Spawning backdoor root shell..." in chunk: @@ -1129,7 +1132,7 @@ class Machine: return assert self.shell - self.shell.send("poweroff\n".encode()) + self.shell.send(b"poweroff\n") self.wait_for_shutdown() def crash(self) -> None: diff --git a/nixos/lib/test-driver/test_driver/polling_condition.py b/nixos/lib/test-driver/test_driver/polling_condition.py index 02ca0a03ab3dc..12cbad69e34e9 100644 --- a/nixos/lib/test-driver/test_driver/polling_condition.py +++ b/nixos/lib/test-driver/test_driver/polling_condition.py @@ -1,11 +1,11 @@ -from typing import Callable, Optional -from math import isfinite import time +from math import isfinite +from typing import Callable, Optional from .logger import rootlog -class PollingConditionFailed(Exception): +class PollingConditionError(Exception): pass @@ -60,7 +60,7 @@ class PollingCondition: def maybe_raise(self) -> None: if not self.check(): - raise PollingConditionFailed(self.status_message(False)) + raise PollingConditionError(self.status_message(False)) def status_message(self, status: bool) -> str: return f"Polling condition {'succeeded' if status else 'failed'}: {self.description}" diff --git a/nixos/lib/test-driver/test_driver/vlan.py b/nixos/lib/test-driver/test_driver/vlan.py index f2a7f250d1d2f..ec9679108e58d 100644 --- a/nixos/lib/test-driver/test_driver/vlan.py +++ b/nixos/lib/test-driver/test_driver/vlan.py @@ -1,8 +1,8 @@ -from pathlib import Path import io import os import pty import subprocess +from pathlib import Path from test_driver.logger import rootlog diff --git a/nixos/lib/utils.nix b/nixos/lib/utils.nix index 7ea9d6a5c7135..e618cf2f861a3 100644 --- a/nixos/lib/utils.nix +++ b/nixos/lib/utils.nix @@ -177,6 +177,7 @@ rec { genJqSecretsReplacementSnippet' = attr: set: output: let secrets = recursiveGetAttrWithJqPrefix set attr; + stringOrDefault = str: def: if str == "" then def else str; in '' if [[ -h '${output}' ]]; then rm '${output}' @@ -195,10 +196,12 @@ rec { (attrNames secrets)) + "\n" + "${pkgs.jq}/bin/jq >'${output}' " - + lib.escapeShellArg (concatStringsSep - " | " - (imap1 (index: name: ''${name} = $ENV.secret${toString index}'') - (attrNames secrets))) + + lib.escapeShellArg (stringOrDefault + (concatStringsSep + " | " + (imap1 (index: name: ''${name} = $ENV.secret${toString index}'') + (attrNames secrets))) + ".") + '' <<'EOF' ${builtins.toJSON set} diff --git a/nixos/modules/config/console.nix b/nixos/modules/config/console.nix index 1e8bb78f302d6..d06ec0051c4d6 100644 --- a/nixos/modules/config/console.nix +++ b/nixos/modules/config/console.nix @@ -168,6 +168,9 @@ in # ...but only the keymaps if we don't "/etc/kbd/keymaps" = lib.mkIf (!cfg.earlySetup) { source = "${consoleEnv config.boot.initrd.systemd.package.kbd}/share/keymaps"; }; }; + boot.initrd.systemd.additionalUpstreamUnits = [ + "systemd-vconsole-setup.service" + ]; boot.initrd.systemd.storePaths = [ "${config.boot.initrd.systemd.package}/lib/systemd/systemd-vconsole-setup" "${config.boot.initrd.systemd.package.kbd}/bin/setfont" diff --git a/nixos/modules/config/system-path.nix b/nixos/modules/config/system-path.nix index 222da3e02e86d..7e623dec4b1c3 100644 --- a/nixos/modules/config/system-path.nix +++ b/nixos/modules/config/system-path.nix @@ -42,8 +42,7 @@ let ]; defaultPackageNames = - [ "nano" - "perl" + [ "perl" "rsync" "strace" ]; diff --git a/nixos/modules/image/repart.nix b/nixos/modules/image/repart.nix index 4a0021e9a56e5..e567485c9d342 100644 --- a/nixos/modules/image/repart.nix +++ b/nixos/modules/image/repart.nix @@ -188,6 +188,7 @@ in nativeBuildInputs = [ cfg.package pkgs.fakeroot + pkgs.util-linux ] ++ fileSystemTools; } '' amendedRepartDefinitions=$(${amendRepartDefinitions} ${partitions} ${definitionsDirectory}) @@ -195,7 +196,7 @@ in mkdir -p $out cd $out - fakeroot systemd-repart \ + unshare --map-root-user fakeroot systemd-repart \ --dry-run=no \ --empty=create \ --size=auto \ diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix index 1b0434fa76747..bfcae9c7a9352 100644 --- a/nixos/modules/misc/nixpkgs.nix +++ b/nixos/modules/misc/nixpkgs.nix @@ -176,16 +176,12 @@ in ''; type = types.listOf overlayType; description = lib.mdDoc '' - List of overlays to use with the Nix Packages collection. - (For details, see the Nixpkgs documentation.) It allows - you to override packages globally. Each function in the list - takes as an argument the *original* Nixpkgs. - The first argument should be used for finding dependencies, and - the second should be used for overriding recipes. - - If `nixpkgs.pkgs` is set, overlays specified here - will be applied after the overlays that were already present - in `nixpkgs.pkgs`. + List of overlays to apply to Nixpkgs. + This option allows modifying the Nixpkgs package set accessed through the `pkgs` module argument. + + For details, see the [Overlays chapter in the Nixpkgs manual](https://nixos.org/manual/nixpkgs/stable/#chap-overlays). + + If the {option}`nixpkgs.pkgs` option is set, overlays specified using `nixpkgs.overlays` will be applied after the overlays that were already included in `nixpkgs.pkgs`. ''; }; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 54fd5c7b04031..ec6f410a48f68 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -346,6 +346,7 @@ ./services/audio/squeezelite.nix ./services/audio/tts.nix ./services/audio/wyoming/faster-whisper.nix + ./services/audio/wyoming/openwakeword.nix ./services/audio/wyoming/piper.nix ./services/audio/ympd.nix ./services/backup/automysqlbackup.nix @@ -541,6 +542,7 @@ ./services/hardware/tlp.nix ./services/hardware/trezord.nix ./services/hardware/triggerhappy.nix + ./services/hardware/tuxedo-rs.nix ./services/hardware/udev.nix ./services/hardware/udisks2.nix ./services/hardware/undervolt.nix @@ -1210,6 +1212,7 @@ ./services/web-apps/atlassian/confluence.nix ./services/web-apps/atlassian/crowd.nix ./services/web-apps/atlassian/jira.nix + ./services/web-apps/audiobookshelf.nix ./services/web-apps/bookstack.nix ./services/web-apps/calibre-web.nix ./services/web-apps/coder.nix diff --git a/nixos/modules/programs/nano.nix b/nixos/modules/programs/nano.nix index 7705bf0ddc72c..28ddb4aaf66ff 100644 --- a/nixos/modules/programs/nano.nix +++ b/nixos/modules/programs/nano.nix @@ -2,14 +2,16 @@ let cfg = config.programs.nano; - LF = "\n"; in { - ###### interface - options = { programs.nano = { + enable = lib.mkEnableOption (lib.mdDoc "nano") // { + default = true; + }; + + package = lib.mkPackageOptionMD pkgs "nano" { }; nanorc = lib.mkOption { type = lib.types.lines; @@ -24,28 +26,22 @@ in set tabsize 2 ''; }; + syntaxHighlight = lib.mkOption { type = lib.types.bool; - default = true; + default = false; description = lib.mdDoc "Whether to enable syntax highlight for various languages."; }; }; }; - ###### implementation - - config = lib.mkIf (cfg.nanorc != "" || cfg.syntaxHighlight) { - environment.etc.nanorc.text = lib.concatStringsSep LF ( - ( lib.optionals cfg.syntaxHighlight [ - "# The line below is added because value of programs.nano.syntaxHighlight is set to true" - ''include "${pkgs.nano}/share/nano/*.nanorc"'' - "" - ]) - ++ ( lib.optionals (cfg.nanorc != "") [ - "# The lines below have been set from value of programs.nano.nanorc" - cfg.nanorc - ]) - ); + config = lib.mkIf cfg.enable { + environment = { + etc.nanorc.text = (lib.optionalString cfg.syntaxHighlight '' + # load syntax highlighting files + include "${cfg.package}/share/nano/*.nanorc" + '') + cfg.nanorc; + systemPackages = [ cfg.package ]; + }; }; - } diff --git a/nixos/modules/services/audio/wyoming/openwakeword.nix b/nixos/modules/services/audio/wyoming/openwakeword.nix new file mode 100644 index 0000000000000..e1993407dad1e --- /dev/null +++ b/nixos/modules/services/audio/wyoming/openwakeword.nix @@ -0,0 +1,157 @@ +{ config +, lib +, pkgs +, ... +}: + +let + cfg = config.services.wyoming.openwakeword; + + inherit (lib) + concatMapStringsSep + escapeShellArgs + mkOption + mdDoc + mkEnableOption + mkIf + mkPackageOptionMD + types + ; + + inherit (builtins) + toString + ; + + models = [ + # wyoming_openwakeword/models/*.tflite + "alexa" + "hey_jarvis" + "hey_mycroft" + "hey_rhasspy" + "ok_nabu" + ]; + +in + +{ + meta.buildDocsInSandbox = false; + + options.services.wyoming.openwakeword = with types; { + enable = mkEnableOption (mdDoc "Wyoming openWakeWord server"); + + package = mkPackageOptionMD pkgs "wyoming-openwakeword" { }; + + uri = mkOption { + type = strMatching "^(tcp|unix)://.*$"; + default = "tcp://0.0.0.0:10400"; + example = "tcp://192.0.2.1:5000"; + description = mdDoc '' + URI to bind the wyoming server to. + ''; + }; + + models = mkOption { + type = listOf (enum models); + default = models; + description = mdDoc '' + List of wake word models that should be made available. + ''; + }; + + preloadModels = mkOption { + type = listOf (enum models); + default = [ + "ok_nabu" + ]; + description = mdDoc '' + List of wake word models to preload after startup. + ''; + }; + + threshold = mkOption { + type = float; + default = 0.5; + description = mdDoc '' + Activation threshold (0-1), where higher means fewer activations. + + See trigger level for the relationship between activations and + wake word detections. + ''; + apply = toString; + }; + + triggerLevel = mkOption { + type = int; + default = 1; + description = mdDoc '' + Number of activations before a detection is registered. + + A higher trigger level means fewer detections. + ''; + apply = toString; + }; + + extraArgs = mkOption { + type = listOf str; + default = [ ]; + description = mdDoc '' + Extra arguments to pass to the server commandline. + ''; + apply = escapeShellArgs; + }; + }; + + config = mkIf cfg.enable { + systemd.services."wyoming-openwakeword" = { + description = "Wyoming openWakeWord server"; + after = [ + "network-online.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + serviceConfig = { + DynamicUser = true; + User = "wyoming-openwakeword"; + # https://github.com/home-assistant/addons/blob/master/openwakeword/rootfs/etc/s6-overlay/s6-rc.d/openwakeword/run + ExecStart = '' + ${cfg.package}/bin/wyoming-openwakeword \ + --uri ${cfg.uri} \ + ${concatMapStringsSep " " (model: "--model ${model}") cfg.models} \ + ${concatMapStringsSep " " (model: "--preload-model ${model}") cfg.preloadModels} \ + --threshold ${cfg.threshold} \ + --trigger-level ${cfg.triggerLevel} ${cfg.extraArgs} + ''; + CapabilityBoundingSet = ""; + DeviceAllow = ""; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RuntimeDirectory = "wyoming-openwakeword"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; + }; + }; + }; +} diff --git a/nixos/modules/services/backup/btrbk.nix b/nixos/modules/services/backup/btrbk.nix index b838c174553d2..9b7f1566eb1ed 100644 --- a/nixos/modules/services/backup/btrbk.nix +++ b/nixos/modules/services/backup/btrbk.nix @@ -166,7 +166,7 @@ in { command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; } { command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; } # for ssh, they are not the same than the one hard coded in ${pkgs.btrbk} - { command = "/run/current-system/bin/btrfs"; options = [ "NOPASSWD" ]; } + { command = "/run/current-system/sw/bin/btrfs"; options = [ "NOPASSWD" ]; } { command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; } { command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; } ]; @@ -182,7 +182,7 @@ in (doasCmdNoPass "${pkgs.coreutils}/bin/mkdir") (doasCmdNoPass "${pkgs.coreutils}/bin/readlink") # for ssh, they are not the same than the one hard coded in ${pkgs.btrbk} - (doasCmdNoPass "/run/current-system/bin/btrfs") + (doasCmdNoPass "/run/current-system/sw/bin/btrfs") (doasCmdNoPass "/run/current-system/sw/bin/mkdir") (doasCmdNoPass "/run/current-system/sw/bin/readlink") diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 0acaf0fd00a67..7b30360590ec6 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -106,12 +106,14 @@ in identMap = mkOption { type = types.lines; default = ""; + example = literalExample '' + map-name-0 system-username-0 database-username-0 + map-name-1 system-username-1 database-username-1 + ''; description = lib.mdDoc '' Defines the mapping from system users to database users. - The general form is: - - map-name system-username database-username + See the [auth doc](https://postgresql.org/docs/current/auth-username-maps.html). ''; }; @@ -128,6 +130,11 @@ in initialScript = mkOption { type = types.nullOr types.path; default = null; + example = literalExpression '' + pkgs.writeText "init-sql-script" ''' + alter user postgres with password 'myPassword'; + ''';''; + description = lib.mdDoc '' A file containing SQL statements to execute on first startup. ''; @@ -464,13 +471,16 @@ in services.postgresql.dataDir = mkDefault "/var/lib/postgresql/${cfg.package.psqlSchema}"; - services.postgresql.authentication = mkAfter + services.postgresql.authentication = mkMerge [ + (mkBefore "# Generated file; do not edit!") + (mkAfter '' - # Generated file; do not edit! + # default value of services.postgresql.authentication local all all peer host all all 127.0.0.1/32 md5 host all all ::1/128 md5 - ''; + '') + ]; users.users.postgres = { name = "postgres"; diff --git a/nixos/modules/services/hardware/tlp.nix b/nixos/modules/services/hardware/tlp.nix index d2cc7c661c693..cad510e571cb2 100644 --- a/nixos/modules/services/hardware/tlp.nix +++ b/nixos/modules/services/hardware/tlp.nix @@ -65,7 +65,7 @@ in "tlp.conf".text = (mkTlpConfig cfg.settings) + cfg.extraConfig; } // optionalAttrs enableRDW { "NetworkManager/dispatcher.d/99tlp-rdw-nm".source = - "${tlp}/etc/NetworkManager/dispatcher.d/99tlp-rdw-nm"; + "${tlp}/usr/lib/NetworkManager/dispatcher.d/99tlp-rdw-nm"; }; environment.systemPackages = [ tlp ]; diff --git a/nixos/modules/services/hardware/tuxedo-rs.nix b/nixos/modules/services/hardware/tuxedo-rs.nix new file mode 100644 index 0000000000000..343f6845fabbd --- /dev/null +++ b/nixos/modules/services/hardware/tuxedo-rs.nix @@ -0,0 +1,49 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.hardware.tuxedo-rs; + +in +{ + options = { + hardware.tuxedo-rs = { + enable = mkEnableOption (lib.mdDoc "Rust utilities for interacting with hardware from TUXEDO Computers."); + + tailor-gui.enable = mkEnableOption (lib.mdDoc "Alternative to TUXEDO Control Center, written in Rust."); + }; + }; + + config = mkIf cfg.enable (mkMerge [ + { + hardware.tuxedo-keyboard.enable = true; + + systemd = { + services.tailord = { + enable = true; + description = "Tuxedo Tailor hardware control service"; + after = [ "systemd-logind.service" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "dbus"; + BusName = "com.tux.Tailor"; + ExecStart = "${pkgs.tuxedo-rs}/bin/tailord"; + Environment = "RUST_BACKTRACE=1"; + Restart = "on-failure"; + }; + }; + }; + + services.dbus.packages = [ pkgs.tuxedo-rs ]; + + environment.systemPackages = [ pkgs.tuxedo-rs ]; + } + (mkIf cfg.tailor-gui.enable { + environment.systemPackages = [ pkgs.tailor-gui ]; + }) + ]); + + meta.maintainers = with maintainers; [ mrcjkb ]; +} diff --git a/nixos/modules/services/matrix/matrix-sliding-sync.nix b/nixos/modules/services/matrix/matrix-sliding-sync.nix index 9bf4de3317cc2..7e464d6ed5898 100644 --- a/nixos/modules/services/matrix/matrix-sliding-sync.nix +++ b/nixos/modules/services/matrix/matrix-sliding-sync.nix @@ -7,7 +7,7 @@ in options.services.matrix-synapse.sliding-sync = { enable = lib.mkEnableOption (lib.mdDoc "sliding sync"); - package = lib.mkPackageOption pkgs "matrix-sliding-sync" { }; + package = lib.mkPackageOptionMD pkgs "matrix-sliding-sync" { }; settings = lib.mkOption { type = lib.types.submodule { @@ -44,7 +44,7 @@ in }; }; default = { }; - description = '' + description = lib.mdDoc '' Freeform environment variables passed to the sliding sync proxy. Refer to <https://github.com/matrix-org/sliding-sync#setup> for all supported values. ''; diff --git a/nixos/modules/services/misc/dysnomia.nix b/nixos/modules/services/misc/dysnomia.nix index 0f92265ccbea6..129345e38106b 100644 --- a/nixos/modules/services/misc/dysnomia.nix +++ b/nixos/modules/services/misc/dysnomia.nix @@ -223,7 +223,7 @@ in ejabberdUser = config.services.ejabberd.user; }; } // lib.optionalAttrs (config.services.mysql.enable) { mysql-database = { - mysqlPort = config.services.mysql.port; + mysqlPort = config.services.mysql.settings.mysqld.port; mysqlSocket = "/run/mysqld/mysqld.sock"; } // lib.optionalAttrs cfg.enableAuthentication { mysqlUsername = "root"; diff --git a/nixos/modules/services/misc/xmr-stak.nix b/nixos/modules/services/misc/xmr-stak.nix index 6e123cf0380cc..54efae48d5d29 100644 --- a/nixos/modules/services/misc/xmr-stak.nix +++ b/nixos/modules/services/misc/xmr-stak.nix @@ -7,7 +7,7 @@ let cfg = config.services.xmr-stak; pkg = pkgs.xmr-stak.override { - inherit (cfg) openclSupport cudaSupport; + inherit (cfg) openclSupport; }; in @@ -17,7 +17,6 @@ in services.xmr-stak = { enable = mkEnableOption (lib.mdDoc "xmr-stak miner"); openclSupport = mkEnableOption (lib.mdDoc "support for OpenCL (AMD/ATI graphics cards)"); - cudaSupport = mkEnableOption (lib.mdDoc "support for CUDA (NVidia graphics cards)"); extraArgs = mkOption { type = types.listOf types.str; @@ -64,15 +63,12 @@ in wantedBy = [ "multi-user.target" ]; bindsTo = [ "network-online.target" ]; after = [ "network-online.target" ]; - environment = mkIf cfg.cudaSupport { - LD_LIBRARY_PATH = "${pkgs.linuxPackages_latest.nvidia_x11}/lib"; - }; preStart = concatStrings (flip mapAttrsToList cfg.configFiles (fn: content: '' ln -sf '${pkgs.writeText "xmr-stak-${fn}" content}' '${fn}' '')); - serviceConfig = let rootRequired = cfg.openclSupport || cfg.cudaSupport; in { + serviceConfig = let rootRequired = cfg.openclSupport; in { ExecStart = "${pkg}/bin/xmr-stak ${concatStringsSep " " cfg.extraArgs}"; # xmr-stak generates cpu and/or gpu configuration files WorkingDirectory = "/tmp"; diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index bf2f5230c7381..327d19daca30f 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -583,7 +583,7 @@ in (lport: "sshd -G -T -C lport=${toString lport} -f ${sshconf} > /dev/null") cfg.ports} ${concatMapStringsSep "\n" - (la: "sshd -G -T -C laddr=${la.addr},lport=${toString la.port} -f ${sshconf} > /dev/null") + (la: "sshd -G -T -C ${escapeShellArg "laddr=${la.addr},lport=${toString la.port}"} -f ${sshconf} > /dev/null") cfg.listenAddresses} touch $out '') diff --git a/nixos/modules/services/security/usbguard.nix b/nixos/modules/services/security/usbguard.nix index 483bfe046df2f..071e699751434 100644 --- a/nixos/modules/services/security/usbguard.nix +++ b/nixos/modules/services/security/usbguard.nix @@ -51,8 +51,8 @@ in ruleFile = mkOption { type = types.nullOr types.path; - default = /var/lib/usbguard/rules.conf; - example = /run/secrets/usbguard-rules; + default = "/var/lib/usbguard/rules.conf"; + example = "/run/secrets/usbguard-rules"; description = lib.mdDoc '' This tells the USBGuard daemon which file to load as policy rule set. diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index 752ab91fe6315..b98cb5283a1a6 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -182,7 +182,7 @@ in example = "770"; description = lib.mdDoc '' If not `null`, is used as the permissions - set by `systemd.activationScripts.transmission-daemon` + set by `system.activationScripts.transmission-daemon` on the directories [](#opt-services.transmission.settings.download-dir), [](#opt-services.transmission.settings.incomplete-dir). and [](#opt-services.transmission.settings.watch-dir). diff --git a/nixos/modules/services/web-apps/audiobookshelf.nix b/nixos/modules/services/web-apps/audiobookshelf.nix new file mode 100644 index 0000000000000..84dffc5f9d3c5 --- /dev/null +++ b/nixos/modules/services/web-apps/audiobookshelf.nix @@ -0,0 +1,90 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.audiobookshelf; +in +{ + options = { + services.audiobookshelf = { + enable = mkEnableOption "Audiobookshelf, self-hosted audiobook and podcast server."; + + package = mkPackageOption pkgs "audiobookshelf" { }; + + dataDir = mkOption { + description = "Path to Audiobookshelf config and metadata inside of /var/lib."; + default = "audiobookshelf"; + type = types.str; + }; + + host = mkOption { + description = "The host Audiobookshelf binds to."; + default = "127.0.0.1"; + example = "0.0.0.0"; + type = types.str; + }; + + port = mkOption { + description = "The TCP port Audiobookshelf will listen on."; + default = 8000; + type = types.port; + }; + + user = mkOption { + description = "User account under which Audiobookshelf runs."; + default = "audiobookshelf"; + type = types.str; + }; + + group = mkOption { + description = "Group under which Audiobookshelf runs."; + default = "audiobookshelf"; + type = types.str; + }; + + openFirewall = mkOption { + description = "Open ports in the firewall for the Audiobookshelf web interface."; + default = false; + type = types.bool; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.audiobookshelf = { + description = "Audiobookshelf is a self-hosted audiobook and podcast server"; + + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "simple"; + User = cfg.user; + Group = cfg.group; + StateDirectory = cfg.dataDir; + WorkingDirectory = "/var/lib/${cfg.dataDir}"; + ExecStart = "${cfg.package}/bin/audiobookshelf --host ${cfg.host} --port ${toString cfg.port}"; + Restart = "on-failure"; + }; + }; + + users.users = mkIf (cfg.user == "audiobookshelf") { + audiobookshelf = { + isSystemUser = true; + group = cfg.group; + home = "/var/lib/${cfg.dataDir}"; + }; + }; + + users.groups = mkIf (cfg.group == "audiobookshelf") { + audiobookshelf = { }; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + }; + }; + + meta.maintainers = with maintainers; [ wietsedv ]; +} diff --git a/nixos/modules/services/web-apps/netbox.nix b/nixos/modules/services/web-apps/netbox.nix index 6d89ffc2a7b70..8ba1852848e5b 100644 --- a/nixos/modules/services/web-apps/netbox.nix +++ b/nixos/modules/services/web-apps/netbox.nix @@ -74,9 +74,18 @@ in { package = lib.mkOption { type = lib.types.package; - default = if lib.versionAtLeast config.system.stateVersion "23.05" then pkgs.netbox else pkgs.netbox_3_3; + default = + if lib.versionAtLeast config.system.stateVersion "23.11" + then pkgs.netbox_3_6 + else if lib.versionAtLeast config.system.stateVersion "23.05" + then pkgs.netbox_3_5 + else pkgs.netbox_3_3; defaultText = lib.literalExpression '' - if versionAtLeast config.system.stateVersion "23.05" then pkgs.netbox else pkgs.netbox_3_3; + if lib.versionAtLeast config.system.stateVersion "23.11" + then pkgs.netbox_3_6 + else if lib.versionAtLeast config.system.stateVersion "23.05" + then pkgs.netbox_3_5 + else pkgs.netbox_3_3; ''; description = lib.mdDoc '' NetBox package to use. diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 7a7fb4061eea5..62e0a8940e2c4 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -146,6 +146,10 @@ let error_log ${cfg.logError}; daemon off; + ${optionalString cfg.enableQuicBPF '' + quic_bpf on; + ''} + ${cfg.config} ${optionalString (cfg.eventsConfig != "" || cfg.config == "") '' @@ -783,6 +787,19 @@ in ''; }; + enableQuicBPF = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + Enables routing of QUIC packets using eBPF. When enabled, this allows + to support QUIC connection migration. The directive is only supported + on Linux 5.7+. + Note that enabling this option will make nginx run with extended + capabilities that are usually limited to processes running as root + namely `CAP_SYS_ADMIN` and `CAP_NET_ADMIN`. + ''; + }; + user = mkOption { type = types.str; default = "nginx"; @@ -1126,6 +1143,14 @@ in } { + assertion = cfg.package.pname != "nginxQuic" -> !(cfg.enableQuicBPF); + message = '' + services.nginx.enableQuicBPF requires using nginxQuic package, + which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`. + ''; + } + + { assertion = cfg.package.pname != "nginxQuic" -> all (host: !host.quic) (attrValues virtualHosts); message = '' services.nginx.service.virtualHosts.<name>.quic requires using nginxQuic package, @@ -1224,8 +1249,8 @@ in # New file permissions UMask = "0027"; # 0640 / 0750 # Capabilities - AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; - CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ]; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ]; # Security NoNewPrivileges = true; # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html) @@ -1250,6 +1275,7 @@ in # System Call Filtering SystemCallArchitectures = "native"; SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ] + ++ optional cfg.enableQuicBPF [ "bpf" ] ++ optionals ((cfg.package != pkgs.tengine) && (cfg.package != pkgs.openresty) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ]; }; }; diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index 238c6670ea0f8..ef8204e2cf537 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -517,17 +517,24 @@ let (assertValueOneOf "Unmanaged" boolValues) (assertInt "Group") (assertRange "Group" 0 2147483647) - (assertValueOneOf "RequiredForOnline" (boolValues ++ [ - "missing" - "off" - "no-carrier" - "dormant" - "degraded-carrier" - "carrier" - "degraded" - "enslaved" - "routable" - ])) + (assertValueOneOf "RequiredForOnline" (boolValues ++ ( + let + # https://freedesktop.org/software/systemd/man/networkctl.html#missing + operationalStates = [ + "missing" + "off" + "no-carrier" + "dormant" + "degraded-carrier" + "carrier" + "degraded" + "enslaved" + "routable" + ]; + operationalStateRanges = concatLists (imap0 (i: min: map (max: "${min}:${max}") (drop i operationalStates)) operationalStates); + in + operationalStates ++ operationalStateRanges + ))) (assertValueOneOf "RequiredFamilyForOnline" [ "ipv4" "ipv6" @@ -799,6 +806,8 @@ let "UseAddress" "UseDNS" "UseNTP" + "UseHostname" + "UseDomains" "RouteMetric" "RapidCommit" "MUDURL" @@ -813,16 +822,20 @@ let "DUIDRawData" "IAID" "UseDelegatedPrefix" + "SendRelease" ]) (assertValueOneOf "UseAddress" boolValues) (assertValueOneOf "UseDNS" boolValues) (assertValueOneOf "UseNTP" boolValues) + (assertValueOneOf "UseHostname" boolValues) + (assertValueOneOf "UseDomains" (boolValues ++ ["route"])) (assertInt "RouteMetric") (assertValueOneOf "RapidCommit" boolValues) (assertValueOneOf "WithoutRA" ["no" "solicit" "information-request"]) (assertRange "SendOption" 1 65536) (assertInt "IAID") (assertValueOneOf "UseDelegatedPrefix" boolValues) + (assertValueOneOf "SendRelease" boolValues) ]; sectionDHCPPrefixDelegation = checkUnitConfig "DHCPPrefixDelegation" [ @@ -948,10 +961,12 @@ let "Prefix" "PreferredLifetimeSec" "ValidLifetimeSec" + "Assign" "Token" ]) (assertValueOneOf "AddressAutoconfiguration" boolValues) (assertValueOneOf "OnLink" boolValues) + (assertValueOneOf "Assign" boolValues) ]; sectionIPv6RoutePrefix = checkUnitConfig "IPv6RoutePrefix" [ diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index b6c3085c4f16f..8e38072b4c6db 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -48,6 +48,7 @@ let "rescue.service" # Udev. + "systemd-tmpfiles-setup-dev-early.service" "systemd-udevd-control.socket" "systemd-udevd-kernel.socket" "systemd-udevd.service" diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index 5d9fca7a605ee..b20b0168e40f1 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix @@ -57,7 +57,6 @@ let "systemd-ask-password-console.service" "systemd-fsck@.service" "systemd-halt.service" - "systemd-hibernate-resume@.service" "systemd-journald-audit.socket" "systemd-journald-dev-log.socket" "systemd-journald.service" diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index 7cb2ca23fa417..91e30aa4c0af9 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -187,9 +187,8 @@ let skipCheck = fs: fs.noCheck || fs.device == "none" || builtins.elem fs.fsType fsToSkipCheck || isBindMount fs; # https://wiki.archlinux.org/index.php/fstab#Filepath_spaces escape = string: builtins.replaceStrings [ " " "\t" ] [ "\\040" "\\011" ] string; - in fstabFileSystems: { rootPrefix ? "" }: concatMapStrings (fs: - (optionalString (isBindMount fs) (escape rootPrefix)) - + (if fs.device != null then escape fs.device + in fstabFileSystems: { }: concatMapStrings (fs: + (if fs.device != null then escape fs.device else if fs.label != null then "/dev/disk/by-label/${escape fs.label}" else throw "No device specified for mount point ‘${fs.mountPoint}’.") + " " + escape fs.mountPoint @@ -199,9 +198,7 @@ let + "\n" ) fstabFileSystems; - initrdFstab = pkgs.writeText "initrd-fstab" (makeFstabEntries (filter utils.fsNeededForBoot fileSystems) { - rootPrefix = "/sysroot"; - }); + initrdFstab = pkgs.writeText "initrd-fstab" (makeFstabEntries (filter utils.fsNeededForBoot fileSystems) { }); in diff --git a/nixos/modules/virtualisation/oci-common.nix b/nixos/modules/virtualisation/oci-common.nix index ac9405e3ecfa2..a620df063151e 100644 --- a/nixos/modules/virtualisation/oci-common.nix +++ b/nixos/modules/virtualisation/oci-common.nix @@ -56,5 +56,5 @@ in # Otherwise the instance may not have a working network-online.target, # making the fetch-ssh-keys.service fail - networking.useNetworkd = true; + networking.useNetworkd = lib.mkDefault true; } diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 9fae33a9b3478..5b2e12a501bf4 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -119,6 +119,7 @@ in { atd = handleTest ./atd.nix {}; atop = handleTest ./atop.nix {}; atuin = handleTest ./atuin.nix {}; + audiobookshelf = handleTest ./audiobookshelf.nix {}; auth-mysql = handleTest ./auth-mysql.nix {}; authelia = handleTest ./authelia.nix {}; avahi = handleTest ./avahi.nix {}; @@ -531,8 +532,8 @@ in { netdata = handleTest ./netdata.nix {}; networking.networkd = handleTest ./networking.nix { networkd = true; }; networking.scripted = handleTest ./networking.nix { networkd = false; }; - netbox = handleTest ./web-apps/netbox.nix { inherit (pkgs) netbox; }; - netbox_3_3 = handleTest ./web-apps/netbox.nix { netbox = pkgs.netbox_3_3; }; + netbox_3_5 = handleTest ./web-apps/netbox.nix { netbox = pkgs.netbox_3_5; }; + netbox_3_6 = handleTest ./web-apps/netbox.nix { netbox = pkgs.netbox_3_6; }; netbox-upgrade = handleTest ./web-apps/netbox-upgrade.nix {}; # TODO: put in networking.nix after the test becomes more complete networkingProxy = handleTest ./networking-proxy.nix {}; diff --git a/nixos/tests/audiobookshelf.nix b/nixos/tests/audiobookshelf.nix new file mode 100644 index 0000000000000..64bd415160ee0 --- /dev/null +++ b/nixos/tests/audiobookshelf.nix @@ -0,0 +1,23 @@ +import ./make-test-python.nix ({ lib, ... }: + +with lib; + +{ + name = "audiobookshelf"; + meta.maintainers = with maintainers; [ wietsedv ]; + + nodes.machine = + { pkgs, ... }: + { + services.audiobookshelf = { + enable = true; + port = 1234; + }; + }; + + testScript = '' + machine.wait_for_unit("audiobookshelf.service") + machine.wait_for_open_port(1234) + machine.succeed("curl --fail http://localhost:1234/") + ''; +}) diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix index d771ffd3e0f79..e88625678fec3 100644 --- a/nixos/tests/openssh.nix +++ b/nixos/tests/openssh.nix @@ -57,7 +57,7 @@ in { { services.openssh = { - enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ]; + enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } { addr = "[::]"; port = 22; } ]; extraConfig = '' # Combined test for two (predictable) Match criterias Match LocalAddress 127.0.0.1 LocalPort 22 diff --git a/nixos/tests/web-apps/netbox-upgrade.nix b/nixos/tests/web-apps/netbox-upgrade.nix index 602cf8d889d4f..b5403eb678bcb 100644 --- a/nixos/tests/web-apps/netbox-upgrade.nix +++ b/nixos/tests/web-apps/netbox-upgrade.nix @@ -1,13 +1,15 @@ import ../make-test-python.nix ({ lib, pkgs, ... }: let - oldNetbox = pkgs.netbox_3_3; + oldNetbox = pkgs.netbox_3_5; + newNetbox = pkgs.netbox_3_6; in { name = "netbox-upgrade"; meta = with lib.maintainers; { - maintainers = [ minijackson ]; + maintainers = [ minijackson raitobezarius ]; }; nodes.machine = { config, ... }: { + virtualisation.memorySize = 2048; services.netbox = { enable = true; package = oldNetbox; @@ -32,7 +34,7 @@ in { networking.firewall.allowedTCPPorts = [ 80 ]; - specialisation.upgrade.configuration.services.netbox.package = lib.mkForce pkgs.netbox; + specialisation.upgrade.configuration.services.netbox.package = lib.mkForce newNetbox; }; testScript = { nodes, ... }: @@ -43,7 +45,7 @@ in { (lib.concatStringsSep ".") ]; oldApiVersion = apiVersion oldNetbox.version; - newApiVersion = apiVersion pkgs.netbox.version; + newApiVersion = apiVersion newNetbox.version; in '' start_all() diff --git a/nixos/tests/web-apps/netbox.nix b/nixos/tests/web-apps/netbox.nix index 30de74f1886c0..233f16a8fe0de 100644 --- a/nixos/tests/web-apps/netbox.nix +++ b/nixos/tests/web-apps/netbox.nix @@ -16,6 +16,7 @@ in import ../make-test-python.nix ({ lib, pkgs, netbox, ... }: { }; nodes.machine = { config, ... }: { + virtualisation.memorySize = 2048; services.netbox = { enable = true; package = netbox; |