diff options
Diffstat (limited to 'nixos')
221 files changed, 4298 insertions, 1154 deletions
diff --git a/nixos/doc/manual/administration/nixos-state.section.md b/nixos/doc/manual/administration/nixos-state.section.md new file mode 100644 index 0000000000000..9819d613198c3 --- /dev/null +++ b/nixos/doc/manual/administration/nixos-state.section.md @@ -0,0 +1,28 @@ +# NixOS {#sec-nixos-state} + +## `/nix` {#sec-state-nix} + +NixOS needs the entirety of `/nix` to be persistent, as it includes: +- `/nix/store`, which contains all the system's executables, libraries, and supporting data; +- `/nix/var/nix`, which contains: + - the Nix daemon's database; + - roots whose transitive closure is preserved when garbage-collecting the Nix store; + - system-wide and per-user profiles. + +## `/boot` {#sec-state-boot} + +`/boot` should also be persistent, as it contains: +- the kernel and initrd which the bootloader loads, +- the bootloader's configuration, including the kernel's command-line which + determines the store path to use as system environment. + + +## Users and groups {#sec-state-users} + +- `/var/lib/nixos` should persist: it holds state needed to generate stable + uids and gids for declaratively-managed users and groups, etc. +- `users.mutableUsers` should be false, *or* the following files under `/etc` + should all persist: + - {manpage}`passwd(5)` and {manpage}`group(5)`, + - {manpage}`shadow(5)` and {manpage}`gshadow(5)`, + - {manpage}`subuid(5)` and {manpage}`subgid(5)`. diff --git a/nixos/doc/manual/administration/running.md b/nixos/doc/manual/administration/running.md index 48e8c7c6668b7..83412d9b7af58 100644 --- a/nixos/doc/manual/administration/running.md +++ b/nixos/doc/manual/administration/running.md @@ -8,6 +8,7 @@ rebooting.chapter.md user-sessions.chapter.md control-groups.chapter.md logging.chapter.md +system-state.chapter.md cleaning-store.chapter.md containers.chapter.md troubleshooting.chapter.md diff --git a/nixos/doc/manual/administration/system-state.chapter.md b/nixos/doc/manual/administration/system-state.chapter.md new file mode 100644 index 0000000000000..6840cc3902578 --- /dev/null +++ b/nixos/doc/manual/administration/system-state.chapter.md @@ -0,0 +1,17 @@ +# Necessary system state {#ch-system-state} + +Normally — on systems with a persistent `rootfs` — system services can persist state to +the filesystem without administrator intervention. + +However, it is possible and not-uncommon to create [impermanent systems], whose +`rootfs` is either a `tmpfs` or reset during boot. While NixOS itself supports +this kind of configuration, special care needs to be taken. + +[impermanent systems]: https://nixos.wiki/wiki/Impermanence + + +```{=include=} sections +nixos-state.section.md +systemd-state.section.md +zfs-state.section.md +``` diff --git a/nixos/doc/manual/administration/systemd-state.section.md b/nixos/doc/manual/administration/systemd-state.section.md new file mode 100644 index 0000000000000..84f074871a655 --- /dev/null +++ b/nixos/doc/manual/administration/systemd-state.section.md @@ -0,0 +1,52 @@ +# systemd {#sec-systemd-state} + +## `machine-id(5)` {#sec-machine-id} + +`systemd` uses per-machine identifier — {manpage}`machine-id(5)` — which must be +unique and persistent; otherwise, the system journal may fail to list earlier +boots, etc. + +`systemd` generates a random `machine-id(5)` during boot if it does not already exist, +and persists it in `/etc/machine-id`. As such, it suffices to make that file persistent. + +Alternatively, it is possible to generate a random `machine-id(5)`; while the +specification allows for *any* hex-encoded 128b value, systemd itself uses +[UUIDv4], *i.e.* random UUIDs, and it is thus preferable to do so as well, in +case some software assumes `machine-id(5)` to be a UUIDv4. Those can be +generated with `uuidgen -r | tr -d -` (`tr` being used to remove the dashes). + +Such a `machine-id(5)` can be set by writing it to `/etc/machine-id` or through +the kernel's command-line, though NixOS' systemd maintainers [discourage] the +latter approach. + +[UUIDv4]: https://en.wikipedia.org/wiki/Universally_unique_identifier#Version_4_(random) +[discourage]: https://github.com/NixOS/nixpkgs/pull/268995 + + +## `/var/lib/systemd` {#sec-var-systemd} + +Moreover, `systemd` expects its state directory — `/var/lib/systemd` — to persist, for: +- {manpage}`systemd-random-seed(8)`, which loads a 256b “seed” into the kernel's RNG + at boot time, and saves a fresh one during shutdown; +- {manpage}`systemd.timer(5)` with `Persistent=yes`, which are then run after boot if + the timer would have triggered during the time the system was shut down; +- {manpage}`systemd-coredump(8)` to store core dumps there by default; + (see {manpage}`coredump.conf(5)`) +- {manpage}`systemd-timesyncd(8)`; +- {manpage}`systemd-backlight(8)` and {manpage}`systemd-rfkill(8)` persist hardware-related + state; +- possibly other things, this list is not meant to be exhaustive. + +In any case, making `/var/lib/systemd` persistent is recommended. + + +## `/var/log/journal/{machine-id}` {#sec-var-journal} + +Lastly, {manpage}`systemd-journald(8)` writes the system's journal in binary +form to `/var/log/journal/{machine-id}`; if (locally) persisting the entire log +is desired, it is recommended to make all of `/var/log/journal` persistent. + +If not, one can set `Storage=volatile` in {manpage}`journald.conf(5)` +([`services.journald.storage = "volatile";`](#opt-services.journald.storage)), +which disables journal persistence and causes it to be written to +`/run/log/journal`. diff --git a/nixos/doc/manual/administration/zfs-state.section.md b/nixos/doc/manual/administration/zfs-state.section.md new file mode 100644 index 0000000000000..11ad5badea7ed --- /dev/null +++ b/nixos/doc/manual/administration/zfs-state.section.md @@ -0,0 +1,16 @@ +# ZFS {#sec-zfs-state} + +When using ZFS, `/etc/zfs/zpool.cache` should be persistent (or a symlink to a persistent +location) as it is the default value for the `cachefile` [property](man:zpoolprops(7)). + +This cachefile is used on system startup to discover ZFS pools, so ZFS pools +holding the `rootfs` and/or early-boot datasets such as `/nix` can be set to +`cachefile=none`. + +In principle, if there are no other pools attached to the system, `zpool.cache` +does not need to be persisted; it is however *strongly recommended* to persist +it, in case additional pools are added later on, temporarily or permanently: + +While mishandling the cachefile does not lead to data loss by itself, it may +cause zpools not to be imported during boot, and services may then write to a +location where a dataset was expected to be mounted. diff --git a/nixos/doc/manual/release-notes/release-notes.md b/nixos/doc/manual/release-notes/release-notes.md index 3f926fb21a5ca..0514a1b0044af 100644 --- a/nixos/doc/manual/release-notes/release-notes.md +++ b/nixos/doc/manual/release-notes/release-notes.md @@ -3,6 +3,7 @@ This section lists the release notes for each stable version of NixOS and current unstable revision. ```{=include=} sections +rl-2405.section.md rl-2311.section.md rl-2305.section.md rl-2211.section.md diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index 400eb1062d9a7..8edf4fd35e4fb 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md @@ -100,7 +100,7 @@ In addition to numerous new and upgraded packages, this release has the followin - [opensnitch](https://github.com/evilsocket/opensnitch), an application firewall. Available as [services.opensnitch](#opt-services.opensnitch.enable). - [snapraid](https://www.snapraid.it/), a backup program for disk arrays. - Available as [snapraid](#opt-snapraid.enable). + Available as [snapraid](#opt-services.snapraid.enable). - [Hockeypuck](https://github.com/hockeypuck/hockeypuck), a OpenPGP Key Server. Available as [services.hockeypuck](#opt-services.hockeypuck.enable). diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 5c6bdf97d1203..1aef1828908f8 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -1313,6 +1313,14 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2 - When using [split parity files](https://www.snapraid.it/manual#7.1) in `snapraid`, the snapraid-sync systemd service will no longer fail to run. +- `wpa_supplicant`'s configuration file cannot be read by non-root users, and + secrets (such as Pre-Shared Keys) can safely be passed via + `networking.wireless.environmentFile`. + + The configuration file could previously be read, when `userControlled.enable` (non-default), + by users who are in both `wheel` and `userControlled.group` (defaults to `wheel`) + + ## Nixpkgs Library {#sec-release-23.11-nixpkgs-lib} ### Breaking Changes {#sec-release-23.11-lib-breaking} diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index 2e56e564ed2a6..f423311620d9b 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md @@ -10,6 +10,12 @@ In addition to numerous new and upgraded packages, this release has the followin - `screen`'s module has been cleaned, and will now require you to set `programs.screen.enable` in order to populate `screenrc` and add the program to the environment. +- NixOS now installs a stub ELF loader that prints an informative error message when users attempt to run binaries not made for NixOS. + - This can be disabled through the `environment.stub-ld.enable` option. + - If you use `programs.nix-ld.enable`, no changes are needed. The stub will be disabled automatically. + +- Julia environments can now be built with arbitrary packages from the ecosystem using the `.withPackages` function. For example: `julia.withPackages ["Plots"]`. + ## New Services {#sec-release-24.05-new-services} <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> @@ -18,23 +24,71 @@ In addition to numerous new and upgraded packages, this release has the followin - [maubot](https://github.com/maubot/maubot), a plugin-based Matrix bot framework. Available as [services.maubot](#opt-services.maubot.enable). +- [GNS3](https://www.gns3.com/), a network software emulator. Available as [services.gns3-server](#opt-services.gns3-server.enable). + +- [rspamd-trainer](https://gitlab.com/onlime/rspamd-trainer), script triggered by a helper which reads mails from a specific mail inbox and feeds them into rspamd for spam/ham training. + +- [ollama](https://ollama.ai), server for running large language models locally. + - [Anki Sync Server](https://docs.ankiweb.net/sync-server.html), the official sync server built into recent versions of Anki. Available as [services.anki-sync-server](#opt-services.anki-sync-server.enable). The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server softwares. +- [ping_exporter](https://github.com/czerwonk/ping_exporter), a Prometheus exporter for ICMP echo requests. Available as [services.prometheus.exporters.ping](#opt-services.prometheus.exporters.ping.enable). + - [Clevis](https://github.com/latchset/clevis), a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as [boot.initrd.clevis.enable](#opt-boot.initrd.clevis.enable). +- [TuxClocker](https://github.com/Lurkki14/tuxclocker), a hardware control and monitoring program. Available as [programs.tuxclocker](#opt-programs.tuxclocker.enable). + ## Backward Incompatibilities {#sec-release-24.05-incompatibilities} <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> - The `power.ups` module now generates `upsd.conf`, `upsd.users` and `upsmon.conf` automatically from a set of new configuration options. This breaks compatibility with existing `power.ups` setups where these files were created manually. Back up these files before upgrading NixOS. +- `k9s` was updated to v0.30. There have been various breaking changes in the config file format, + check out the changelog of [v0.29](https://github.com/derailed/k9s/releases/tag/v0.29.0) and + [v0.30](https://github.com/derailed/k9s/releases/tag/v0.30.0) for details. It is recommended + to back up your current configuration and let k9s recreate the new base configuration. + +- `idris2` was updated to v0.7.0. This version introduces breaking changes. Check out the [changelog](https://github.com/idris-lang/Idris2/blob/v0.7.0/CHANGELOG.md#v070) for details. + +- `nitter` requires a `guest_accounts.jsonl` to be provided as a path or loaded into the default location at `/var/lib/nitter/guest_accounts.jsonl`. See [Guest Account Branch Deployment](https://github.com/zedeus/nitter/wiki/Guest-Account-Branch-Deployment) for details. + +- Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857) + - `mkosi` was updated to v19. Parts of the user interface have changed. Consult the [release notes](https://github.com/systemd/mkosi/releases/tag/v19) for a list of changes. +- The `kanata` package has been updated to v1.5.0, which includes [breaking changes](https://github.com/jtroo/kanata/releases/tag/v1.5.0). + +- The latest available version of Nextcloud is v28 (available as `pkgs.nextcloud28`). The installation logic is as follows: + - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**) + - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.05, `pkgs.nextcloud28` will be installed by default. + - If [`system.stateVersion`](#opt-system.stateVersion) is >=23.11, `pkgs.nextcloud27` will be installed by default. + - Please note that an upgrade from v26 (or older) to v28 directly is not possible. Please upgrade to `nextcloud27` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud27;`](options.html#opt-services.nextcloud.package). + +- `services.resolved.fallbackDns` can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead. + - `services.avahi.nssmdns` got split into `services.avahi.nssmdns4` and `services.avahi.nssmdns6` which enable the mDNS NSS switch for IPv4 and IPv6 respectively. Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts. +- `networking.iproute2.enable` now does not set `environment.etc."iproute2/rt_tables".text`. + + Setting `environment.etc."iproute2/{CONFIG_FILE_NAME}".text` will override the whole configuration file instead of appending it to the upstream configuration file. + + `CONFIG_FILE_NAME` includes `bpf_pinning`, `ematch_map`, `group`, `nl_protos`, `rt_dsfield`, `rt_protos`, `rt_realms`, `rt_scopes`, and `rt_tables`. + +- The `systemd.oomd` module behavior is changed as: + + - Raise ManagedOOMMemoryPressureLimit from 50% to 80%. This should make systemd-oomd kill things less often, and fix issues like [this](https://pagure.io/fedora-workstation/issue/358). + Reference: [commit](https://src.fedoraproject.org/rpms/systemd/c/806c95e1c70af18f81d499b24cd7acfa4c36ffd6?branch=806c95e1c70af18f81d499b24cd7acfa4c36ffd6) + + - Remove swap policy. This helps prevent killing processes when user's swap is small. + + - Expand the memory pressure policy to system.slice, user-.slice, and all user owned slices. Reference: [commit](https://src.fedoraproject.org/rpms/systemd/c/7665e1796f915dedbf8e014f0a78f4f576d609bb) + + - `systemd.oomd.enableUserServices` is renamed to `systemd.oomd.enableUserSlices`. + ## Other Notable Changes {#sec-release-24.05-notable-changes} <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> @@ -50,13 +104,39 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m The `nimPackages` and `nim2Packages` sets have been removed. See https://nixos.org/manual/nixpkgs/unstable#nim for more information. +- [Portunus](https://github.com/majewsky/portunus) has been updated to major version 2. + This version of Portunus supports strong password hashes, but the legacy hash SHA-256 is also still supported to ensure a smooth migration of existing user accounts. + After upgrading, follow the instructions on the [upstream release notes](https://github.com/majewsky/portunus/releases/tag/v2.0.0) to upgrade all user accounts to strong password hashes. + Support for weak password hashes will be removed in NixOS 24.11. + - `libass` now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues with `mpv`, `ffmpeg`, etc. +- The following options of the Nextcloud module were moved into [`services.nextcloud.extraOptions`](#opt-services.nextcloud.extraOptions) and renamed to match the name from Nextcloud's `config.php`: + - `logLevel` -> [`loglevel`](#opt-services.nextcloud.extraOptions.loglevel), + - `logType` -> [`log_type`](#opt-services.nextcloud.extraOptions.log_type), + - `defaultPhoneRegion` -> [`default_phone_region`](#opt-services.nextcloud.extraOptions.default_phone_region), + - `overwriteProtocol` -> [`overwriteprotocol`](#opt-services.nextcloud.extraOptions.overwriteprotocol), + - `skeletonDirectory` -> [`skeletondirectory`](#opt-services.nextcloud.extraOptions.skeletondirectory), + - `globalProfiles` -> [`profile.enabled`](#opt-services.nextcloud.extraOptions._profile.enabled_), + - `extraTrustedDomains` -> [`trusted_domains`](#opt-services.nextcloud.extraOptions.trusted_domains) and + - `trustedProxies` -> [`trusted_proxies`](#opt-services.nextcloud.extraOptions.trusted_proxies). + - The Yama LSM is now enabled by default in the kernel, which prevents ptracing non-child processes. This means you will not be able to attach gdb to an existing process, but will need to start that process from gdb (so it is a child). Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0. +- [Nginx virtual hosts](#opt-services.nginx.virtualHosts) using `forceSSL` or + `globalRedirect` can now have redirect codes other than 301 through + `redirectCode`. + +- The source of the `mockgen` package has changed to the [go.uber.org/mock](https://github.com/uber-go/mock) fork because [the original repository is no longer maintained](https://github.com/golang/mock#gomock). + +- [](#opt-boot.kernel.sysctl._net.core.wmem_max_) changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as [](#opt-boot.kernel.sysctl._net.core.rmem_max_) since 22.11. + +- `services.zfs.zed.enableMail` now uses the global `sendmail` wrapper defined by an email module + (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support. + - Gitea 1.21 upgrade has several breaking changes, including: - Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*` - New instances of Gitea using MySQL now ignore the `[database].CHARSET` config option and always use the `utf8mb4` charset, existing instances should migrate via the `gitea doctor convert` CLI command. diff --git a/nixos/lib/make-disk-image.nix b/nixos/lib/make-disk-image.nix index e5d82f4de7c9d..1a33abd01ea18 100644 --- a/nixos/lib/make-disk-image.nix +++ b/nixos/lib/make-disk-image.nix @@ -522,11 +522,16 @@ let format' = format; in let chmod 0644 $efiVars ''; + createHydraBuildProducts = '' + mkdir -p $out/nix-support + echo "file ${format}-image $out/${filename}" >> $out/nix-support/hydra-build-products + ''; + buildImage = pkgs.vmTools.runInLinuxVM ( pkgs.runCommand name { preVM = prepareImage + lib.optionalString touchEFIVars createEFIVars; buildInputs = with pkgs; [ util-linux e2fsprogs dosfstools ]; - postVM = moveOrConvertImage + postVM; + postVM = moveOrConvertImage + createHydraBuildProducts + postVM; QEMU_OPTS = concatStringsSep " " (lib.optional useEFIBoot "-drive if=pflash,format=raw,unit=0,readonly=on,file=${efiFirmware}" ++ lib.optionals touchEFIVars [ @@ -616,5 +621,5 @@ let format' = format; in let in if onlyNixStore then pkgs.runCommand name {} - (prepareImage + moveOrConvertImage + postVM) + (prepareImage + moveOrConvertImage + createHydraBuildProducts + postVM) else buildImage diff --git a/nixos/lib/test-driver/test_driver/machine.py b/nixos/lib/test-driver/test_driver/machine.py index f430321bb6076..da60b669fa27e 100644 --- a/nixos/lib/test-driver/test_driver/machine.py +++ b/nixos/lib/test-driver/test_driver/machine.py @@ -447,8 +447,7 @@ class Machine: """ def check_active(_: Any) -> bool: - info = self.get_unit_info(unit, user) - state = info["ActiveState"] + state = self.get_unit_property(unit, "ActiveState", user) if state == "failed": raise Exception(f'unit "{unit}" reached state "{state}"') @@ -491,6 +490,35 @@ class Machine: if line_pattern.match(line) ) + def get_unit_property( + self, + unit: str, + property: str, + user: Optional[str] = None, + ) -> str: + status, lines = self.systemctl( + f'--no-pager show "{unit}" --property="{property}"', + user, + ) + if status != 0: + raise Exception( + f'retrieving systemctl property "{property}" for unit "{unit}"' + + ("" if user is None else f' under user "{user}"') + + f" failed with exit code {status}" + ) + + invalid_output_message = ( + f'systemctl show --property "{property}" "{unit}"' + f"produced invalid output: {lines}" + ) + + line_pattern = re.compile(r"^([^=]+)=(.*)$") + match = line_pattern.match(lines) + assert match is not None, invalid_output_message + + assert match[1] == property, invalid_output_message + return match[2] + def systemctl(self, q: str, user: Optional[str] = None) -> Tuple[int, str]: """ Runs `systemctl` commands with optional support for diff --git a/nixos/modules/config/iproute2.nix b/nixos/modules/config/iproute2.nix index 78bd07d680e20..0cde57b759be3 100644 --- a/nixos/modules/config/iproute2.nix +++ b/nixos/modules/config/iproute2.nix @@ -18,10 +18,9 @@ in }; config = mkIf cfg.enable { - environment.etc."iproute2/rt_tables" = { + environment.etc."iproute2/rt_tables.d/nixos.conf" = { mode = "0644"; - text = (fileContents "${pkgs.iproute2}/lib/iproute2/rt_tables") - + (optionalString (cfg.rttablesExtraConfig != "") "\n\n${cfg.rttablesExtraConfig}"); + text = cfg.rttablesExtraConfig; }; }; } diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix index d2f01fb87d32d..e374e4a7a27e9 100644 --- a/nixos/modules/config/ldap.nix +++ b/nixos/modules/config/ldap.nix @@ -226,18 +226,6 @@ in "ldap.conf" = ldapConfig; }; - system.activationScripts = mkIf (!cfg.daemon.enable) { - ldap = stringAfter [ "etc" "groups" "users" ] '' - if test -f "${cfg.bind.passwordFile}" ; then - umask 0077 - conf="$(mktemp)" - printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" | - cat ${ldapConfig.source} - >"$conf" - mv -fT "$conf" /etc/ldap.conf - fi - ''; - }; - system.nssModules = mkIf cfg.nsswitch (singleton ( if cfg.daemon.enable then nss_pam_ldapd else nss_ldap )); @@ -258,42 +246,63 @@ in }; }; - systemd.services = mkIf cfg.daemon.enable { - nslcd = { - wantedBy = [ "multi-user.target" ]; - - preStart = '' - umask 0077 - conf="$(mktemp)" - { - cat ${nslcdConfig} - test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' || - printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')" - test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' || - printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')" - } >"$conf" - mv -fT "$conf" /run/nslcd/nslcd.conf - ''; - - restartTriggers = [ - nslcdConfig - cfg.bind.passwordFile - cfg.daemon.rootpwmodpwFile - ]; - - serviceConfig = { - ExecStart = "${nslcdWrapped}/bin/nslcd"; - Type = "forking"; - Restart = "always"; - User = "nslcd"; - Group = "nslcd"; - RuntimeDirectory = [ "nslcd" ]; - PIDFile = "/run/nslcd/nslcd.pid"; - AmbientCapabilities = "CAP_SYS_RESOURCE"; + systemd.services = mkMerge [ + (mkIf (!cfg.daemon.enable) { + ldap-password = { + wantedBy = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; + unitConfig.DefaultDependencies = false; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + script = '' + if test -f "${cfg.bind.passwordFile}" ; then + umask 0077 + conf="$(mktemp)" + printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" | + cat ${ldapConfig.source} - >"$conf" + mv -fT "$conf" /etc/ldap.conf + fi + ''; }; - }; + }) + + (mkIf cfg.daemon.enable { + nslcd = { + wantedBy = [ "multi-user.target" ]; + + preStart = '' + umask 0077 + conf="$(mktemp)" + { + cat ${nslcdConfig} + test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' || + printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')" + test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' || + printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')" + } >"$conf" + mv -fT "$conf" /run/nslcd/nslcd.conf + ''; - }; + restartTriggers = [ + nslcdConfig + cfg.bind.passwordFile + cfg.daemon.rootpwmodpwFile + ]; + + serviceConfig = { + ExecStart = "${nslcdWrapped}/bin/nslcd"; + Type = "forking"; + Restart = "always"; + User = "nslcd"; + Group = "nslcd"; + RuntimeDirectory = [ "nslcd" ]; + PIDFile = "/run/nslcd/nslcd.pid"; + AmbientCapabilities = "CAP_SYS_RESOURCE"; + }; + }; + }) + ]; }; diff --git a/nixos/modules/config/ldso.nix b/nixos/modules/config/ldso.nix new file mode 100644 index 0000000000000..72ae3958d8869 --- /dev/null +++ b/nixos/modules/config/ldso.nix @@ -0,0 +1,58 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) last splitString mkOption types mdDoc optionals; + + libDir = pkgs.stdenv.hostPlatform.libDir; + ldsoBasename = builtins.unsafeDiscardStringContext (last (splitString "/" pkgs.stdenv.cc.bintools.dynamicLinker)); + + pkgs32 = pkgs.pkgsi686Linux; + libDir32 = pkgs32.stdenv.hostPlatform.libDir; + ldsoBasename32 = builtins.unsafeDiscardStringContext (last (splitString "/" pkgs32.stdenv.cc.bintools.dynamicLinker)); +in { + options = { + environment.ldso = mkOption { + type = types.nullOr types.path; + default = null; + description = mdDoc '' + The executable to link into the normal FHS location of the ELF loader. + ''; + }; + + environment.ldso32 = mkOption { + type = types.nullOr types.path; + default = null; + description = mdDoc '' + The executable to link into the normal FHS location of the 32-bit ELF loader. + + This currently only works on x86_64 architectures. + ''; + }; + }; + + config = { + assertions = [ + { assertion = isNull config.environment.ldso32 || pkgs.stdenv.isx86_64; + message = "Option environment.ldso32 currently only works on x86_64."; + } + ]; + + systemd.tmpfiles.rules = ( + if isNull config.environment.ldso then [ + "r /${libDir}/${ldsoBasename} - - - - -" + ] else [ + "d /${libDir} 0755 root root - -" + "L+ /${libDir}/${ldsoBasename} - - - - ${config.environment.ldso}" + ] + ) ++ optionals pkgs.stdenv.isx86_64 ( + if isNull config.environment.ldso32 then [ + "r /${libDir32}/${ldsoBasename32} - - - - -" + ] else [ + "d /${libDir32} 0755 root root - -" + "L+ /${libDir32}/${ldsoBasename32} - - - - ${config.environment.ldso32}" + ] + ); + }; + + meta.maintainers = with lib.maintainers; [ tejing ]; +} diff --git a/nixos/modules/config/nix-channel.nix b/nixos/modules/config/nix-channel.nix index a7ca7a5c74a40..dd97cb730ae41 100644 --- a/nixos/modules/config/nix-channel.nix +++ b/nixos/modules/config/nix-channel.nix @@ -12,7 +12,6 @@ let mkDefault mkIf mkOption - stringAfter types ; diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix index ec26d4b12eff0..0f5888f5ea3b0 100644 --- a/nixos/modules/config/no-x-libs.nix +++ b/nixos/modules/config/no-x-libs.nix @@ -34,6 +34,7 @@ with lib; ffmpeg_5 = super.ffmpeg_5.override { ffmpegVariant = "headless"; }; # dep of graphviz, libXpm is optional for Xpm support gd = super.gd.override { withXorg = false; }; + ghostscript = super.ghostscript.override { cupsSupport = false; x11Support = false; }; gobject-introspection = super.gobject-introspection.override { x11Support = false; }; gpsd = super.gpsd.override { guiSupport = false; }; graphviz = super.graphviz-nox; @@ -44,6 +45,7 @@ with lib; }; imagemagick = super.imagemagick.override { libX11Support = false; libXtSupport = false; }; imagemagickBig = super.imagemagickBig.override { libX11Support = false; libXtSupport = false; }; + intel-vaapi-driver = super.intel-vaapi-driver.override { enableGui = false; }; libdevil = super.libdevil-nox; libextractor = super.libextractor.override { gtkSupport = false; }; libva = super.libva-minimal; @@ -72,7 +74,7 @@ with lib; qemu = super.qemu.override { gtkSupport = false; spiceSupport = false; sdlSupport = false; }; qrencode = super.qrencode.overrideAttrs (_: { doCheck = false; }); qt5 = super.qt5.overrideScope (const (super': { - qtbase = super'.qtbase.override { withGtk3 = false; }; + qtbase = super'.qtbase.override { withGtk3 = false; withQttranslation = false; }; })); stoken = super.stoken.override { withGTK3 = false; }; # translateManpages -> perlPackages.po4a -> texlive-combined-basic -> texlive-core-big -> libX11 diff --git a/nixos/modules/config/pulseaudio.nix b/nixos/modules/config/pulseaudio.nix index b10edeb75604d..662959bf0071b 100644 --- a/nixos/modules/config/pulseaudio.nix +++ b/nixos/modules/config/pulseaudio.nix @@ -8,8 +8,6 @@ let cfg = config.hardware.pulseaudio; alsaCfg = config.sound; - systemWide = cfg.enable && cfg.systemWide; - nonSystemWide = cfg.enable && !cfg.systemWide; hasZeroconf = let z = cfg.zeroconf; in z.publish.enable || z.discovery.enable; overriddenPackage = cfg.package.override @@ -217,16 +215,10 @@ in { }; - config = mkMerge [ + config = lib.mkIf cfg.enable (mkMerge [ { - environment.etc = { - "pulse/client.conf".source = clientConf; - }; - - hardware.pulseaudio.configFile = mkDefault "${getBin overriddenPackage}/etc/pulse/default.pa"; - } + environment.etc."pulse/client.conf".source = clientConf; - (mkIf cfg.enable { environment.systemPackages = [ overriddenPackage ]; sound.enable = true; @@ -242,6 +234,8 @@ in { "libao.conf".source = writeText "libao.conf" "default_driver=pulse"; }; + hardware.pulseaudio.configFile = mkDefault "${getBin overriddenPackage}/etc/pulse/default.pa"; + # Disable flat volumes to enable relative ones hardware.pulseaudio.daemon.config.flat-volumes = mkDefault "no"; @@ -255,7 +249,7 @@ in { # PulseAudio is packaged with udev rules to handle various audio device quirks services.udev.packages = [ overriddenPackage ]; - }) + } (mkIf (cfg.extraModules != []) { hardware.pulseaudio.daemon.config.dl-search-path = let @@ -277,7 +271,7 @@ in { services.avahi.publish.userServices = true; }) - (mkIf nonSystemWide { + (mkIf (!cfg.systemWide) { environment.etc = { "pulse/default.pa".source = myConfigFile; }; @@ -297,7 +291,7 @@ in { }; }) - (mkIf systemWide { + (mkIf cfg.systemWide { users.users.pulse = { # For some reason, PulseAudio wants UID == GID. uid = assert uid == gid; uid; @@ -328,6 +322,6 @@ in { environment.variables.PULSE_COOKIE = "${stateDir}/.config/pulse/cookie"; }) - ]; + ]); } diff --git a/nixos/modules/config/stub-ld.nix b/nixos/modules/config/stub-ld.nix new file mode 100644 index 0000000000000..14c07466d0611 --- /dev/null +++ b/nixos/modules/config/stub-ld.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) optionalString mkOption types mdDoc mkIf mkDefault; + + cfg = config.environment.stub-ld; + + message = '' + NixOS cannot run dynamically linked executables intended for generic + linux environments out of the box. For more information, see: + https://nix.dev/permalink/stub-ld + ''; + + stub-ld-for = pkgsArg: messageArg: pkgsArg.pkgsStatic.runCommandCC "stub-ld" { + nativeBuildInputs = [ pkgsArg.unixtools.xxd ]; + inherit messageArg; + } '' + printf "%s" "$messageArg" | xxd -i -n message >main.c + cat <<EOF >>main.c + #include <stdio.h> + int main(int argc, char * argv[]) { + fprintf(stderr, "Could not start dynamically linked executable: %s\n", argv[0]); + fwrite(message, sizeof(unsigned char), message_len, stderr); + return 127; // matches behavior of bash and zsh without a loader. fish uses 139 + } + EOF + $CC -Os main.c -o $out + ''; + + pkgs32 = pkgs.pkgsi686Linux; + + stub-ld = stub-ld-for pkgs message; + stub-ld32 = stub-ld-for pkgs32 message; +in { + options = { + environment.stub-ld = { + enable = mkOption { + type = types.bool; + default = true; + example = false; + description = mdDoc '' + Install a stub ELF loader to print an informative error message + in the event that a user attempts to run an ELF binary not + compiled for NixOS. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + environment.ldso = mkDefault stub-ld; + environment.ldso32 = mkIf pkgs.stdenv.isx86_64 (mkDefault stub-ld32); + }; + + meta.maintainers = with lib.maintainers; [ tejing ]; +} diff --git a/nixos/modules/config/swap.nix b/nixos/modules/config/swap.nix index 8989a64082643..21046d6f1697b 100644 --- a/nixos/modules/config/swap.nix +++ b/nixos/modules/config/swap.nix @@ -258,7 +258,8 @@ in # avoid this race condition. after = [ "systemd-modules-load.service" ]; wantedBy = [ "${realDevice'}.swap" ]; - before = [ "${realDevice'}.swap" ]; + before = [ "${realDevice'}.swap" "shutdown.target"]; + conflicts = [ "shutdown.target" ]; path = [ pkgs.util-linux pkgs.e2fsprogs ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup; diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix index 452c050b6dda9..bedba984a3c23 100644 --- a/nixos/modules/config/sysctl.nix +++ b/nixos/modules/config/sysctl.nix @@ -21,18 +21,28 @@ in options = { boot.kernel.sysctl = mkOption { - type = types.submodule { + type = let + highestValueType = types.ints.unsigned // { + merge = loc: defs: + foldl + (a: b: if b.value == null then null else lib.max a b.value) + 0 + (filterOverrides defs); + }; + in types.submodule { freeformType = types.attrsOf sysctlOption; - options."net.core.rmem_max" = mkOption { - type = types.nullOr types.ints.unsigned // { - merge = loc: defs: - foldl - (a: b: if b.value == null then null else lib.max a b.value) - 0 - (filterOverrides defs); + options = { + "net.core.rmem_max" = mkOption { + type = types.nullOr highestValueType; + default = null; + description = lib.mdDoc "The maximum receive socket buffer size in bytes. In case of conflicting values, the highest will be used."; + }; + + "net.core.wmem_max" = mkOption { + type = types.nullOr highestValueType; + default = null; + description = lib.mdDoc "The maximum send socket buffer size in bytes. In case of conflicting values, the highest will be used."; }; - default = null; - description = lib.mdDoc "The maximum socket receive buffer size. In case of conflicting values, the highest will be used."; }; }; default = {}; diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 39aac9fb821bd..2aed620eb154c 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -475,7 +475,7 @@ let sdInitrdUidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) config.boot.initrd.systemd.users) "uid"; sdInitrdGidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) config.boot.initrd.systemd.groups) "gid"; groupNames = lib.mapAttrsToList (n: g: g.name) cfg.groups; - usersWithoutExistingGroup = lib.filterAttrs (n: u: !lib.elem u.group groupNames) cfg.users; + usersWithoutExistingGroup = lib.filterAttrs (n: u: u.group != "" && !lib.elem u.group groupNames) cfg.users; spec = pkgs.writeText "users-groups.json" (builtins.toJSON { inherit (cfg) mutableUsers; diff --git a/nixos/modules/hardware/all-firmware.nix b/nixos/modules/hardware/all-firmware.nix index 6f58e848b38ae..a97c8c418c865 100644 --- a/nixos/modules/hardware/all-firmware.nix +++ b/nixos/modules/hardware/all-firmware.nix @@ -48,10 +48,7 @@ in { alsa-firmware sof-firmware libreelec-dvb-firmware - ] ++ optional pkgs.stdenv.hostPlatform.isAarch raspberrypiWirelessFirmware - ++ optionals (versionOlder config.boot.kernelPackages.kernel.version "4.13") [ - rtl8723bs-firmware - ]; + ] ++ optional pkgs.stdenv.hostPlatform.isAarch raspberrypiWirelessFirmware; }) (mkIf cfg.enableAllFirmware { assertions = [{ diff --git a/nixos/modules/hardware/keyboard/qmk.nix b/nixos/modules/hardware/keyboard/qmk.nix index df3bcaeccd2ec..d95d36dedb44e 100644 --- a/nixos/modules/hardware/keyboard/qmk.nix +++ b/nixos/modules/hardware/keyboard/qmk.nix @@ -12,5 +12,6 @@ in config = mkIf cfg.enable { services.udev.packages = [ pkgs.qmk-udev-rules ]; + users.groups.plugdev = {}; }; } diff --git a/nixos/modules/hardware/video/amdgpu-pro.nix b/nixos/modules/hardware/video/amdgpu-pro.nix index 605aa6ef8b88a..2a86280eec8cb 100644 --- a/nixos/modules/hardware/video/amdgpu-pro.nix +++ b/nixos/modules/hardware/video/amdgpu-pro.nix @@ -39,9 +39,10 @@ in hardware.firmware = [ package.fw ]; - system.activationScripts.setup-amdgpu-pro = '' - ln -sfn ${package}/opt/amdgpu{,-pro} /run - ''; + systemd.tmpfiles.settings.amdgpu-pro = { + "/run/amdgpu"."L+".argument = "${package}/opt/amdgpu"; + "/run/amdgpu-pro"."L+".argument = "${package}/opt/amdgpu-pro"; + }; system.requiredKernelConfig = with config.lib.kernelConfig; [ (isYes "DEVICE_PRIVATE") diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index c76883b656d40..3b983f768f91a 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -47,7 +47,8 @@ in { TRUNK_LINK_FAILURE_MODE=0; NVSWITCH_FAILURE_MODE=0; ABORT_CUDA_JOBS_ON_FM_EXIT=1; - TOPOLOGY_FILE_PATH=nvidia_x11.fabricmanager + "/share/nvidia-fabricmanager/nvidia/nvswitch"; + TOPOLOGY_FILE_PATH="${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch"; + DATABASE_PATH="${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch"; }; defaultText = lib.literalExpression '' { @@ -69,7 +70,8 @@ in { TRUNK_LINK_FAILURE_MODE=0; NVSWITCH_FAILURE_MODE=0; ABORT_CUDA_JOBS_ON_FM_EXIT=1; - TOPOLOGY_FILE_PATH=nvidia_x11.fabricmanager + "/share/nvidia-fabricmanager/nvidia/nvswitch"; + TOPOLOGY_FILE_PATH="''${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch"; + DATABASE_PATH="''${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch"; } ''; description = lib.mdDoc '' @@ -584,24 +586,50 @@ in { boot.extraModulePackages = [ nvidia_x11.bin ]; - systemd.services.nvidia-fabricmanager = { - enable = true; - description = "Start NVIDIA NVLink Management"; - wantedBy = [ "multi-user.target" ]; - unitConfig.After = [ "network-online.target" ]; - unitConfig.Requires = [ "network-online.target" ]; - serviceConfig = { - Type = "forking"; - TimeoutStartSec = 240; - ExecStart = let - nv-fab-conf = settingsFormat.generate "fabricmanager.conf" cfg.datacenter.settings; - in - nvidia_x11.fabricmanager + "/bin/nv-fabricmanager -c " + nv-fab-conf; - LimitCORE="infinity"; - }; - }; - environment.systemPackages = - lib.optional cfg.datacenter.enable nvidia_x11.fabricmanager; - }) - ]); + + systemd = { + tmpfiles.rules = + lib.optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia) + "L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced"; + + services = lib.mkMerge [ + ({ + nvidia-fabricmanager = { + enable = true; + description = "Start NVIDIA NVLink Management"; + wantedBy = [ "multi-user.target" ]; + unitConfig.After = [ "network-online.target" ]; + unitConfig.Requires = [ "network-online.target" ]; + serviceConfig = { + Type = "forking"; + TimeoutStartSec = 240; + ExecStart = let + nv-fab-conf = settingsFormat.generate "fabricmanager.conf" cfg.datacenter.settings; + in + "${lib.getExe nvidia_x11.fabricmanager} -c ${nv-fab-conf}"; + LimitCORE="infinity"; + }; + }; + }) + (lib.mkIf cfg.nvidiaPersistenced { + "nvidia-persistenced" = { + description = "NVIDIA Persistence Daemon"; + wantedBy = ["multi-user.target"]; + serviceConfig = { + Type = "forking"; + Restart = "always"; + PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid"; + ExecStart = "${lib.getExe nvidia_x11.persistenced} --verbose"; + ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced"; + }; + }; + }) + ]; + }; + + environment.systemPackages = + lib.optional cfg.datacenter.enable nvidia_x11.fabricmanager + ++ lib.optional cfg.nvidiaPersistenced nvidia_x11.persistenced; + }) + ]); } diff --git a/nixos/modules/image/repart-image.nix b/nixos/modules/image/repart-image.nix new file mode 100644 index 0000000000000..b4a1dfe51ff3a --- /dev/null +++ b/nixos/modules/image/repart-image.nix @@ -0,0 +1,80 @@ +# This is an expression meant to be called from `./repart.nix`, it is NOT a +# NixOS module that can be imported. + +{ lib +, runCommand +, python3 +, black +, ruff +, mypy +, systemd +, fakeroot +, util-linux +, dosfstools +, mtools +, e2fsprogs +, squashfsTools +, erofs-utils +, btrfs-progs +, xfsprogs + + # arguments +, name +, fileSystems +, partitions +, split +, seed +, definitionsDirectory +}: + +let + amendRepartDefinitions = runCommand "amend-repart-definitions.py" + { + # TODO: ruff does not splice properly in nativeBuildInputs + depsBuildBuild = [ ruff ]; + nativeBuildInputs = [ python3 black mypy ]; + } '' + install ${./amend-repart-definitions.py} $out + patchShebangs --build $out + + black --check --diff $out + ruff --line-length 88 $out + mypy --strict $out + ''; + + fileSystemToolMapping = { + "vfat" = [ dosfstools mtools ]; + "ext4" = [ e2fsprogs.bin ]; + "squashfs" = [ squashfsTools ]; + "erofs" = [ erofs-utils ]; + "btrfs" = [ btrfs-progs ]; + "xfs" = [ xfsprogs ]; + }; + + fileSystemTools = builtins.concatMap (f: fileSystemToolMapping."${f}") fileSystems; +in + +runCommand name +{ + nativeBuildInputs = [ + systemd + fakeroot + util-linux + ] ++ fileSystemTools; +} '' + amendedRepartDefinitions=$(${amendRepartDefinitions} ${partitions} ${definitionsDirectory}) + + mkdir -p $out + cd $out + + unshare --map-root-user fakeroot systemd-repart \ + --dry-run=no \ + --empty=create \ + --size=auto \ + --seed="${seed}" \ + --definitions="$amendedRepartDefinitions" \ + --split="${lib.boolToString split}" \ + --json=pretty \ + image.raw \ + | tee repart-output.json +'' diff --git a/nixos/modules/image/repart.nix b/nixos/modules/image/repart.nix index 41e6110885b85..da4f45d9a6392 100644 --- a/nixos/modules/image/repart.nix +++ b/nixos/modules/image/repart.nix @@ -90,8 +90,10 @@ in }; package = lib.mkPackageOption pkgs "systemd-repart" { - default = "systemd"; - example = "pkgs.systemdMinimal.override { withCryptsetup = true; }"; + # We use buildPackages so that repart images are built with the build + # platform's systemd, allowing for cross-compiled systems to work. + default = [ "buildPackages" "systemd" ]; + example = "pkgs.buildPackages.systemdMinimal.override { withCryptsetup = true; }"; }; partitions = lib.mkOption { @@ -131,22 +133,10 @@ in system.build.image = let - fileSystemToolMapping = with pkgs; { - "vfat" = [ dosfstools mtools ]; - "ext4" = [ e2fsprogs.bin ]; - "squashfs" = [ squashfsTools ]; - "erofs" = [ erofs-utils ]; - "btrfs" = [ btrfs-progs ]; - "xfs" = [ xfsprogs ]; - }; - fileSystems = lib.filter (f: f != null) (lib.mapAttrsToList (_n: v: v.repartConfig.Format or null) cfg.partitions); - fileSystemTools = builtins.concatMap (f: fileSystemToolMapping."${f}") fileSystems; - - makeClosure = paths: pkgs.closureInfo { rootPaths = paths; }; # Add the closure of the provided Nix store paths to cfg.partitions so @@ -157,23 +147,8 @@ in { closure = "${makeClosure partitionConfig.storePaths}/store-paths"; } ); - finalPartitions = lib.mapAttrs addClosure cfg.partitions; - - amendRepartDefinitions = pkgs.runCommand "amend-repart-definitions.py" - { - nativeBuildInputs = with pkgs; [ black ruff mypy ]; - buildInputs = [ pkgs.python3 ]; - } '' - install ${./amend-repart-definitions.py} $out - patchShebangs --host $out - - black --check --diff $out - ruff --line-length 88 $out - mypy --strict $out - ''; - format = pkgs.formats.ini { }; definitionsDirectory = utils.systemdUtils.lib.definitions @@ -183,30 +158,11 @@ in partitions = pkgs.writeText "partitions.json" (builtins.toJSON finalPartitions); in - pkgs.runCommand cfg.name - { - nativeBuildInputs = [ - cfg.package - pkgs.fakeroot - pkgs.util-linux - ] ++ fileSystemTools; - } '' - amendedRepartDefinitions=$(${amendRepartDefinitions} ${partitions} ${definitionsDirectory}) - - mkdir -p $out - cd $out - - unshare --map-root-user fakeroot systemd-repart \ - --dry-run=no \ - --empty=create \ - --size=auto \ - --seed="${cfg.seed}" \ - --definitions="$amendedRepartDefinitions" \ - --split="${lib.boolToString cfg.split}" \ - --json=pretty \ - image.raw \ - | tee repart-output.json - ''; + pkgs.callPackage ./repart-image.nix { + systemd = cfg.package; + inherit (cfg) name split seed; + inherit fileSystems definitionsDirectory partitions; + }; meta.maintainers = with lib.maintainers; [ nikstur ]; diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index 9ccc76a82c95a..a7d11370d445e 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -231,7 +231,8 @@ in # even if you've upgraded your system to a new NixOS release. # # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. # # This value being lower than the current NixOS release does NOT mean your system is # out of date, out of support, or vulnerable. diff --git a/nixos/modules/misc/documentation.nix b/nixos/modules/misc/documentation.nix index 46462c5abd435..f3e698468e642 100644 --- a/nixos/modules/misc/documentation.nix +++ b/nixos/modules/misc/documentation.nix @@ -77,7 +77,11 @@ let libPath = filter (pkgs.path + "/lib"); pkgsLibPath = filter (pkgs.path + "/pkgs/pkgs-lib"); nixosPath = filter (pkgs.path + "/nixos"); - modules = map (p: ''"${removePrefix "${modulesPath}/" (toString p)}"'') docModules.lazy; + modules = + "[ " + + concatMapStringsSep " " (p: ''"${removePrefix "${modulesPath}/" (toString p)}"'') docModules.lazy + + " ]"; + passAsFile = [ "modules" ]; } '' export NIX_STORE_DIR=$TMPDIR/store export NIX_STATE_DIR=$TMPDIR/state @@ -87,7 +91,7 @@ let --argstr libPath "$libPath" \ --argstr pkgsLibPath "$pkgsLibPath" \ --argstr nixosPath "$nixosPath" \ - --arg modules "[ $modules ]" \ + --arg modules "import $modulesPath" \ --argstr stateVersion "${options.system.stateVersion.default}" \ --argstr release "${config.system.nixos.release}" \ $nixosPath/lib/eval-cacheable-options.nix > $out \ diff --git a/nixos/modules/misc/mandoc.nix b/nixos/modules/misc/mandoc.nix index 9bcef5b1a09bd..73646a60aabb2 100644 --- a/nixos/modules/misc/mandoc.nix +++ b/nixos/modules/misc/mandoc.nix @@ -5,25 +5,39 @@ let cfg = config.documentation.man.mandoc; -in { + toMandocOutput = output: ( + lib.mapAttrsToList + ( + name: value: + if lib.isString value || lib.isPath value then "output ${name} ${value}" + else if lib.isInt value then "output ${name} ${builtins.toString value}" + else if lib.isBool value then lib.optionalString value "output ${name}" + else if value == null then "" + else throw "Unrecognized value type ${builtins.typeOf value} of key ${name} in mandoc output settings" + ) + output + ); +in +{ meta.maintainers = [ lib.maintainers.sternenseemann ]; options = { documentation.man.mandoc = { - enable = lib.mkEnableOption (lib.mdDoc "mandoc as the default man page viewer"); + enable = lib.mkEnableOption "mandoc as the default man page viewer"; manPath = lib.mkOption { type = with lib.types; listOf str; default = [ "share/man" ]; example = lib.literalExpression "[ \"share/man\" \"share/man/fr\" ]"; - description = lib.mdDoc '' - Change the manpath, i. e. the directories where - {manpage}`man(1)` + description = '' + Change the paths included in the MANPATH environment variable, + i. e. the directories where {manpage}`man(1)` looks for section-specific directories of man pages. You only need to change this setting if you want extra man pages (e. g. in non-english languages). All values must be strings that are a valid path from the target prefix (without including it). - The first value given takes priority. + The first value given takes priority. Note that this will not + add manpath directives to {manpage}`man.conf(5)`. ''; }; @@ -31,11 +45,122 @@ in { type = lib.types.package; default = pkgs.mandoc; defaultText = lib.literalExpression "pkgs.mandoc"; - description = lib.mdDoc '' + description = '' The `mandoc` derivation to use. Useful to override configuration options used for the package. ''; }; + + settings = lib.mkOption { + description = "Configuration for {manpage}`man.conf(5)`"; + default = { }; + type = lib.types.submodule { + options = { + manpath = lib.mkOption { + type = with lib.types; listOf str; + default = [ ]; + example = lib.literalExpression "[ \"/run/current-system/sw/share/man\" ]"; + description = '' + Override the default search path for {manpage}`man(1)`, + {manpage}`apropos(1)`, and {manpage}`makewhatis(8)`. It can be + used multiple times to specify multiple paths, with the order + determining the manual page search order. + This is not recommended in favor of + {option}`documentation.man.mandoc.manPath`, but if it's needed to + specify the manpath in this way, set + {option}`documentation.man.mandoc.manPath` to an empty list (`[]`). + ''; + }; + output.fragment = lib.mkEnableOption '' + Omit the <!DOCTYPE> declaration and the <html>, <head>, and <body> + elements and only emit the subtree below the <body> element in HTML + output of {manpage}`mandoc(1)`. The style argument will be ignored. + This is useful when embedding manual content within existing documents. + ''; + output.includes = lib.mkOption { + type = with lib.types; nullOr str; + default = null; + example = lib.literalExpression "../src/%I.html"; + description = '' + A string of relative path used as a template for the output path of + linked header files (usually via the In macro) in HTML output. + Instances of `%I` are replaced with the include filename. The + default is not to present a hyperlink. + ''; + }; + output.indent = lib.mkOption { + type = with lib.types; nullOr int; + default = null; + description = '' + Number of blank characters at the left margin for normal text, + default of `5` for {manpage}`mdoc(7)` and `7` for + {manpage}`man(7)`. Increasing this is not recommended; it may + result in degraded formatting, for example overfull lines or ugly + line breaks. When output is to a pager on a terminal that is less + than 66 columns wide, the default is reduced to three columns. + ''; + }; + output.man = lib.mkOption { + type = with lib.types; nullOr str; + default = null; + example = lib.literalExpression "../html%S/%N.%S.html"; + description = '' + A template for linked manuals (usually via the Xr macro) in HTML + output. Instances of ‘%N’ and ‘%S’ are replaced with the linked + manual's name and section, respectively. If no section is included, + section 1 is assumed. The default is not to present a hyperlink. + If two formats are given and a file %N.%S exists in the current + directory, the first format is used; otherwise, the second format is used. + ''; + }; + output.paper = lib.mkOption { + type = with lib.types; nullOr str; + default = null; + description = '' + This option is for generating PostScript and PDF output. The paper + size name may be one of `a3`, `a4`, `a5`, `legal`, or `letter`. + You may also manually specify dimensions as `NNxNN`, width by + height in millimetres. If an unknown value is encountered, letter + is used. Output pages default to letter sized and are rendered in + the Times font family, 11-point. Margins are calculated as 1/9 the + page length and width. Line-height is 1.4m. + ''; + }; + output.style = lib.mkOption { + type = with lib.types; nullOr path; + default = null; + description = '' + Path to the file used for an external style-sheet. This must be a + valid absolute or relative URI. + ''; + }; + output.toc = lib.mkEnableOption '' + In HTML output of {manpage}`mandoc(1)`, If an input file contains + at least two non-standard sections, print a table of contents near + the beginning of the output. + ''; + output.width = lib.mkOption { + type = with lib.types; nullOr int; + default = null; + description = '' + The ASCII and UTF-8 output width, default is `78`. When output is a + pager on a terminal that is less than 79 columns wide, the + default is reduced to one less than the terminal width. In any case, + lines that are output in literal mode are never wrapped and may + exceed the output width. + ''; + }; + }; + }; + }; + + extraConfig = lib.mkOption { + type = lib.types.lines; + default = ""; + description = '' + Extra configuration to write to {manpage}`man.conf(5)`. + ''; + }; }; }; @@ -43,21 +168,29 @@ in { environment = { systemPackages = [ cfg.package ]; - # tell mandoc about man pages - etc."man.conf".text = lib.concatMapStrings (path: '' - manpath /run/current-system/sw/${path} - '') cfg.manPath; + etc."man.conf".text = lib.concatStringsSep "\n" ( + (map (path: "manpath ${path}") cfg.settings.manpath) + ++ (toMandocOutput cfg.settings.output) + ++ [ cfg.extraConfig ] + ); # create mandoc.db for whatis(1), apropos(1) and man(1) -k # TODO(@sternenseemman): fix symlinked directories not getting indexed, # see: https://inbox.vuxu.org/mandoc-tech/20210906171231.GF83680@athene.usta.de/T/#e85f773c1781e3fef85562b2794f9cad7b2909a3c extraSetup = lib.mkIf config.documentation.man.generateCaches '' - ${makewhatis} -T utf8 ${ + for man_path in ${ lib.concatMapStringsSep " " (path: "$out/" + lib.escapeShellArg path - ) cfg.manPath - } + ) cfg.manPath} ${lib.concatMapStringsSep " " (path: + lib.escapeShellArg path) cfg.settings.manpath + } + do + [[ -d "$man_path" ]] && ${makewhatis} -T utf8 $man_path + done ''; + + # tell mandoc the paths containing man pages + profileRelativeSessionVariables."MANPATH" = map (path: if builtins.substring 0 1 path != "/" then "/${path}" else path) cfg.manPath; }; }; } diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 820ce54ddeb6c..65047bdd110a7 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -12,6 +12,7 @@ ./config/iproute2.nix ./config/krb5/default.nix ./config/ldap.nix + ./config/ldso.nix ./config/locale.nix ./config/malloc.nix ./config/mysql.nix @@ -28,6 +29,7 @@ ./config/resolvconf.nix ./config/shells-environment.nix ./config/stevenblack.nix + ./config/stub-ld.nix ./config/swap.nix ./config/sysctl.nix ./config/system-environment.nix @@ -276,6 +278,7 @@ ./programs/wayland/waybar.nix ./programs/wayland/wayfire.nix ./programs/weylus.nix + ./programs/winbox.nix ./programs/wireshark.nix ./programs/xastir.nix ./programs/wshowkeys.nix @@ -341,6 +344,7 @@ ./services/audio/mopidy.nix ./services/audio/mpd.nix ./services/audio/mpdscribble.nix + ./services/audio/mympd.nix ./services/audio/navidrome.nix ./services/audio/networkaudiod.nix ./services/audio/roon-bridge.nix @@ -364,6 +368,7 @@ ./services/backup/mysql-backup.nix ./services/backup/postgresql-backup.nix ./services/backup/postgresql-wal-receiver.nix + ./services/backup/snapraid.nix ./services/backup/restic-rest-server.nix ./services/backup/restic.nix ./services/backup/rsnapshot.nix @@ -615,6 +620,7 @@ ./services/mail/public-inbox.nix ./services/mail/roundcube.nix ./services/mail/rspamd.nix + ./services/mail/rspamd-trainer.nix ./services/mail/rss2email.nix ./services/mail/schleuder.nix ./services/mail/spamassassin.nix @@ -717,6 +723,7 @@ ./services/misc/nzbget.nix ./services/misc/nzbhydra2.nix ./services/misc/octoprint.nix + ./services/misc/ollama.nix ./services/misc/ombi.nix ./services/misc/osrm.nix ./services/misc/owncast.nix @@ -766,6 +773,7 @@ ./services/misc/tautulli.nix ./services/misc/tiddlywiki.nix ./services/misc/tp-auto-kbbl.nix + ./services/misc/tuxclocker.nix ./services/misc/tzupdate.nix ./services/misc/uhub.nix ./services/misc/weechat.nix @@ -941,6 +949,7 @@ ./services/networking/ghostunnel.nix ./services/networking/git-daemon.nix ./services/networking/globalprotect-vpn.nix + ./services/networking/gns3-server.nix ./services/networking/gnunet.nix ./services/networking/go-autoconfig.nix ./services/networking/go-neb.nix @@ -1254,6 +1263,7 @@ ./services/web-apps/changedetection-io.nix ./services/web-apps/chatgpt-retrieval-plugin.nix ./services/web-apps/cloudlog.nix + ./services/web-apps/code-server.nix ./services/web-apps/convos.nix ./services/web-apps/dex.nix ./services/web-apps/discourse.nix @@ -1507,7 +1517,6 @@ ./tasks/network-interfaces.nix ./tasks/powertop.nix ./tasks/scsi-link-power-management.nix - ./tasks/snapraid.nix ./tasks/stratis.nix ./tasks/swraid.nix ./tasks/trackpoint.nix diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index 52750cd472dad..58f07b050b5c4 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -105,6 +105,8 @@ with lib; ]; boot.swraid.enable = true; + # remove warning about unset mail + boot.swraid.mdadmConf = "PROGRAM ${pkgs.coreutils}/bin/true"; # Show all debug messages from the kernel but don't log refused packets # because we have the firewall enabled. This makes installs from the diff --git a/nixos/modules/profiles/minimal.nix b/nixos/modules/profiles/minimal.nix index 75f355b4a002b..b76740f7cc587 100644 --- a/nixos/modules/profiles/minimal.nix +++ b/nixos/modules/profiles/minimal.nix @@ -21,6 +21,8 @@ with lib; # Perl is a default package. environment.defaultPackages = mkDefault [ ]; + environment.stub-ld.enable = false; + # The lessopen package pulls in Perl. programs.less.lessopen = mkDefault null; diff --git a/nixos/modules/programs/atop.nix b/nixos/modules/programs/atop.nix index 7d9491d1fc1f3..003cfdbfc8fad 100644 --- a/nixos/modules/programs/atop.nix +++ b/nixos/modules/programs/atop.nix @@ -137,6 +137,7 @@ in atop.preStart = '' set -e -u shopt -s nullglob + rm -f "$LOGPATH"/atop_*.new for logfile in "$LOGPATH"/atop_* do ${atop}/bin/atopconvert "$logfile" "$logfile".new @@ -144,9 +145,9 @@ in # false positives for atop-rotate.service if ! ${pkgs.diffutils}/bin/cmp -s "$logfile" "$logfile".new then - ${pkgs.coreutils}/bin/mv -v -f "$logfile".new "$logfile" + mv -v -f "$logfile".new "$logfile" else - ${pkgs.coreutils}/bin/rm -f "$logfile".new + rm -f "$logfile".new fi done ''; diff --git a/nixos/modules/programs/direnv.nix b/nixos/modules/programs/direnv.nix index 1aa62ea54d2c5..fdc646eb4b164 100644 --- a/nixos/modules/programs/direnv.nix +++ b/nixos/modules/programs/direnv.nix @@ -49,7 +49,14 @@ in { default = true; }; - package = lib.mkPackageOption pkgs "nix-direnv" {}; + package = lib.mkOption { + default = pkgs.nix-direnv.override { nix = config.nix.package; }; + defaultText = "pkgs.nix-direnv"; + type = lib.types.package; + description = lib.mdDoc '' + The nix-direnv package to use + ''; + }; }; }; diff --git a/nixos/modules/programs/gamemode.nix b/nixos/modules/programs/gamemode.nix index c43e2c2296f5a..344f392852e2a 100644 --- a/nixos/modules/programs/gamemode.nix +++ b/nixos/modules/programs/gamemode.nix @@ -18,7 +18,7 @@ in settings = mkOption { type = settingsFormat.type; - default = {}; + default = { }; description = lib.mdDoc '' System-wide configuration for GameMode (/etc/gamemode.ini). See gamemoded(8) man page for available settings. diff --git a/nixos/modules/programs/gpaste.nix b/nixos/modules/programs/gpaste.nix index 074b4d59a365a..37172c9583a37 100644 --- a/nixos/modules/programs/gpaste.nix +++ b/nixos/modules/programs/gpaste.nix @@ -32,5 +32,7 @@ with lib; systemd.packages = [ pkgs.gnome.gpaste ]; # gnome-control-center crashes in Keyboard Shortcuts pane without the GSettings schemas. services.xserver.desktopManager.gnome.sessionPath = [ pkgs.gnome.gpaste ]; + # gpaste-reloaded applet doesn't work without the typelib + services.xserver.desktopManager.cinnamon.sessionPath = [ pkgs.gnome.gpaste ]; }; } diff --git a/nixos/modules/programs/hyprland.nix b/nixos/modules/programs/hyprland.nix index 166c6cbc5c183..9061ce5da83a8 100644 --- a/nixos/modules/programs/hyprland.nix +++ b/nixos/modules/programs/hyprland.nix @@ -30,7 +30,6 @@ in readOnly = true; default = cfg.package.override { enableXWayland = cfg.xwayland.enable; - enableNvidiaPatches = cfg.enableNvidiaPatches; }; defaultText = literalExpression "`programs.hyprland.package` with applied configuration"; @@ -42,8 +41,6 @@ in portalPackage = mkPackageOption pkgs "xdg-desktop-portal-hyprland" { }; xwayland.enable = mkEnableOption (mdDoc "XWayland") // { default = true; }; - - enableNvidiaPatches = mkEnableOption (mdDoc "patching wlroots for better Nvidia support"); }; config = mkIf cfg.enable { @@ -73,9 +70,13 @@ in [ "programs" "hyprland" "xwayland" "hidpi" ] "XWayland patches are deprecated. Refer to https://wiki.hyprland.org/Configuring/XWayland" ) - (mkRenamedOptionModule - [ "programs" "hyprland" "nvidiaPatches" ] + (mkRemovedOptionModule [ "programs" "hyprland" "enableNvidiaPatches" ] + "Nvidia patches are no longer needed" + ) + (mkRemovedOptionModule + [ "programs" "hyprland" "nvidiaPatches" ] + "Nvidia patches are no longer needed" ) ]; } diff --git a/nixos/modules/programs/mininet.nix b/nixos/modules/programs/mininet.nix index 01ffd811e70e2..3568736854d8e 100644 --- a/nixos/modules/programs/mininet.nix +++ b/nixos/modules/programs/mininet.nix @@ -6,39 +6,6 @@ with lib; let cfg = config.programs.mininet; - - telnet = pkgs.runCommand "inetutils-telnet" - { } - '' - mkdir -p $out/bin - ln -s ${pkgs.inetutils}/bin/telnet $out/bin - ''; - - generatedPath = with pkgs; makeSearchPath "bin" [ - iperf - ethtool - iproute2 - socat - # mn errors out without a telnet binary - # pkgs.inetutils brings an undesired ifconfig into PATH see #43105 - nettools - telnet - ]; - - pyEnv = pkgs.python3.withPackages (ps: [ ps.mininet-python ]); - - mnexecWrapped = pkgs.runCommand "mnexec-wrapper" - { nativeBuildInputs = [ pkgs.makeWrapper pkgs.python3Packages.wrapPython ]; } - '' - makeWrapper ${pkgs.mininet}/bin/mnexec \ - $out/bin/mnexec \ - --prefix PATH : "${generatedPath}" - - makeWrapper ${pyEnv}/bin/mn \ - $out/bin/mn \ - --prefix PYTHONPATH : "${pyEnv}/${pyEnv.sitePackages}" \ - --prefix PATH : "${generatedPath}" - ''; in { options.programs.mininet.enable = mkEnableOption (lib.mdDoc "Mininet"); @@ -47,6 +14,6 @@ in virtualisation.vswitch.enable = true; - environment.systemPackages = [ mnexecWrapped ]; + environment.systemPackages = [ pkgs.mininet ]; }; } diff --git a/nixos/modules/programs/mosh.nix b/nixos/modules/programs/mosh.nix index 9e56e1731d7cc..593246ab6dcd1 100644 --- a/nixos/modules/programs/mosh.nix +++ b/nixos/modules/programs/mosh.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.mosh; @@ -9,28 +7,26 @@ let in { options.programs.mosh = { - enable = mkOption { - description = lib.mdDoc '' - Whether to enable mosh. Note, this will open ports in your firewall! - ''; - default = false; - type = lib.types.bool; + enable = lib.mkEnableOption "mosh"; + openFirewall = lib.mkEnableOption "" // { + description = "Whether to automatically open the necessary ports in the firewall."; + default = true; }; - withUtempter = mkOption { + withUtempter = lib.mkEnableOption "" // { description = lib.mdDoc '' Whether to enable libutempter for mosh. + This is required so that mosh can write to /var/run/utmp (which can be queried with `who` to display currently connected user sessions). Note, this will add a guid wrapper for the group utmp! ''; default = true; - type = lib.types.bool; }; }; - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ mosh ]; - networking.firewall.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ]; - security.wrappers = mkIf cfg.withUtempter { + config = lib.mkIf cfg.enable { + environment.systemPackages = [ pkgs.mosh ]; + networking.firewall.allowedUDPPortRanges = lib.optional cfg.openFirewall { from = 60000; to = 61000; }; + security.wrappers = lib.mkIf cfg.withUtempter { utempter = { source = "${pkgs.libutempter}/lib/utempter/utempter"; owner = "root"; diff --git a/nixos/modules/programs/nix-ld.nix b/nixos/modules/programs/nix-ld.nix index e3a9bb16410c9..6f36ce33640cd 100644 --- a/nixos/modules/programs/nix-ld.nix +++ b/nixos/modules/programs/nix-ld.nix @@ -47,7 +47,7 @@ in }; config = lib.mkIf config.programs.nix-ld.enable { - systemd.tmpfiles.packages = [ cfg.package ]; + environment.ldso = "${cfg.package}/libexec/nix-ld"; environment.systemPackages = [ nix-ld-libraries ]; diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix index 18eb3f938f3d8..c39a3c8d509be 100644 --- a/nixos/modules/programs/ssh.nix +++ b/nixos/modules/programs/ssh.nix @@ -8,14 +8,12 @@ let cfg = config.programs.ssh; - askPassword = cfg.askPassword; - askPasswordWrapper = pkgs.writeScript "ssh-askpass-wrapper" '' #! ${pkgs.runtimeShell} -e export DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^DISPLAY=\(.*\)/\1/; t; d')" export WAYLAND_DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^WAYLAND_DISPLAY=\(.*\)/\1/; t; d')" - exec ${askPassword} "$@" + exec ${cfg.askPassword} "$@" ''; knownHosts = attrValues cfg.knownHosts; @@ -52,10 +50,11 @@ in }; forwardX11 = mkOption { - type = types.bool; + type = with lib.types; nullOr bool; default = false; description = lib.mdDoc '' Whether to request X11 forwarding on outgoing connections by default. + If set to null, the option is not set at all. This is useful for running graphical programs on the remote machine and have them display to your local X11 server. Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two. Note: there are some security risks to forwarding an X11 connection. @@ -274,10 +273,10 @@ in config = { programs.ssh.setXAuthLocation = - mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.settings.X11Forwarding); + mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 == true || config.services.openssh.settings.X11Forwarding); assertions = - [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation; + [ { assertion = cfg.forwardX11 == true -> cfg.setXAuthLocation; message = "cannot enable X11 forwarding without setting XAuth location"; } ] ++ flip mapAttrsToList cfg.knownHosts (name: data: { @@ -298,11 +297,8 @@ in AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} GlobalKnownHostsFile ${concatStringsSep " " knownHostsFiles} - ${optionalString cfg.setXAuthLocation '' - XAuthLocation ${pkgs.xorg.xauth}/bin/xauth - ''} - - ForwardX11 ${if cfg.forwardX11 then "yes" else "no"} + ${optionalString cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"} + ${lib.optionalString (cfg.forwardX11 != null) "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}"} ${optionalString (cfg.pubkeyAcceptedKeyTypes != []) "PubkeyAcceptedKeyTypes ${concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"} ${optionalString (cfg.hostKeyAlgorithms != []) "HostKeyAlgorithms ${concatStringsSep "," cfg.hostKeyAlgorithms}"} @@ -344,7 +340,7 @@ in fi ''; - environment.variables.SSH_ASKPASS = optionalString cfg.enableAskPassword askPassword; + environment.variables.SSH_ASKPASS = optionalString cfg.enableAskPassword cfg.askPassword; }; } diff --git a/nixos/modules/programs/starship.nix b/nixos/modules/programs/starship.nix index 9dca39da5edc0..bec3900496fd9 100644 --- a/nixos/modules/programs/starship.nix +++ b/nixos/modules/programs/starship.nix @@ -44,21 +44,39 @@ in config = mkIf cfg.enable { programs.bash.${initOption} = '' if [[ $TERM != "dumb" ]]; then - export STARSHIP_CONFIG=${settingsFile} + # don't set STARSHIP_CONFIG automatically if there's a user-specified + # config file. starship appears to use a hardcoded config location + # rather than one inside an XDG folder: + # https://github.com/starship/starship/blob/686bda1706e5b409129e6694639477a0f8a3f01b/src/configure.rs#L651 + if [[ ! -f "$HOME/.config/starship.toml" ]]; then + export STARSHIP_CONFIG=${settingsFile} + fi eval "$(${pkgs.starship}/bin/starship init bash)" fi ''; programs.fish.${initOption} = '' if test "$TERM" != "dumb" - set -x STARSHIP_CONFIG ${settingsFile} + # don't set STARSHIP_CONFIG automatically if there's a user-specified + # config file. starship appears to use a hardcoded config location + # rather than one inside an XDG folder: + # https://github.com/starship/starship/blob/686bda1706e5b409129e6694639477a0f8a3f01b/src/configure.rs#L651 + if not test -f "$HOME/.config/starship.toml"; + set -x STARSHIP_CONFIG ${settingsFile} + end eval (${pkgs.starship}/bin/starship init fish) end ''; programs.zsh.${initOption} = '' if [[ $TERM != "dumb" ]]; then - export STARSHIP_CONFIG=${settingsFile} + # don't set STARSHIP_CONFIG automatically if there's a user-specified + # config file. starship appears to use a hardcoded config location + # rather than one inside an XDG folder: + # https://github.com/starship/starship/blob/686bda1706e5b409129e6694639477a0f8a3f01b/src/configure.rs#L651 + if [[ ! -f "$HOME/.config/starship.toml" ]]; then + export STARSHIP_CONFIG=${settingsFile} + fi eval "$(${pkgs.starship}/bin/starship init zsh)" fi ''; diff --git a/nixos/modules/programs/wayland/river.nix b/nixos/modules/programs/wayland/river.nix index ec59bd50a0150..995129b9710ae 100644 --- a/nixos/modules/programs/wayland/river.nix +++ b/nixos/modules/programs/wayland/river.nix @@ -48,6 +48,9 @@ in { # To make a river session available if a display manager like SDDM is enabled: services.xserver.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; + + # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050913 + xdg.portal.config.river.default = mkDefault [ "wlr" "gtk" ]; } (import ./wayland-session.nix { inherit lib pkgs; }) ]); diff --git a/nixos/modules/programs/wayland/sway.nix b/nixos/modules/programs/wayland/sway.nix index f96c833856dbb..57ee629b28810 100644 --- a/nixos/modules/programs/wayland/sway.nix +++ b/nixos/modules/programs/wayland/sway.nix @@ -26,13 +26,28 @@ let }; }; - defaultSwayPackage = pkgs.sway.override { - extraSessionCommands = cfg.extraSessionCommands; - extraOptions = cfg.extraOptions; - withBaseWrapper = cfg.wrapperFeatures.base; - withGtkWrapper = cfg.wrapperFeatures.gtk; - isNixOS = true; - }; + genFinalPackage = pkg: + let + expectedArgs = lib.naturalSort [ + "extraSessionCommands" + "extraOptions" + "withBaseWrapper" + "withGtkWrapper" + "isNixOS" + ]; + existedArgs = with lib; + naturalSort + (intersectLists expectedArgs (attrNames (functionArgs pkg.override))); + in if existedArgs != expectedArgs then + pkg + else + pkg.override { + extraSessionCommands = cfg.extraSessionCommands; + extraOptions = cfg.extraOptions; + withBaseWrapper = cfg.wrapperFeatures.base; + withGtkWrapper = cfg.wrapperFeatures.gtk; + isNixOS = true; + }; in { options.programs.sway = { enable = mkEnableOption (lib.mdDoc '' @@ -44,14 +59,16 @@ in { package = mkOption { type = with types; nullOr package; - default = defaultSwayPackage; + default = pkgs.sway; + apply = p: if p == null then null else genFinalPackage p; defaultText = literalExpression "pkgs.sway"; description = lib.mdDoc '' - Sway package to use. Will override the options - 'wrapperFeatures', 'extraSessionCommands', and 'extraOptions'. - Set to `null` to not add any Sway package to your - path. This should be done if you want to use the Home Manager Sway - module to install Sway. + Sway package to use. If the package does not contain the override arguments + `extraSessionCommands`, `extraOptions`, `withBaseWrapper`, `withGtkWrapper`, + `isNixOS`, then the module options {option}`wrapperFeatures`, + {option}`wrapperFeatures` and {option}`wrapperFeatures` will have no effect. + Set to `null` to not add any Sway package to your path. This should be done if + you want to use the Home Manager Sway module to install Sway. ''; }; diff --git a/nixos/modules/programs/winbox.nix b/nixos/modules/programs/winbox.nix new file mode 100644 index 0000000000000..1337f57839b02 --- /dev/null +++ b/nixos/modules/programs/winbox.nix @@ -0,0 +1,24 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.programs.winbox; +in +{ + options.programs.winbox = { + enable = lib.mkEnableOption ("MikroTik Winbox"); + package = lib.mkPackageOption pkgs "winbox" { }; + + openFirewall = lib.mkOption { + description = '' + Whether to open ports for the MikroTik Neighbor Discovery protocol. Required for Winbox neighbor discovery. + ''; + default = false; + type = lib.types.bool; + }; + }; + + config = lib.mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + networking.firewall.allowedUDPPorts = lib.optionals cfg.openFirewall [ 5678 ]; + }; +} diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index 24b48338ed772..ea1af6c6e2f29 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -164,7 +164,8 @@ in "local-fs.target" "systemd-journald-audit.socket" ]; - before = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; wantedBy = [ "multi-user.target" ]; unitConfig = { Description="Load AppArmor policies"; diff --git a/nixos/modules/security/auditd.nix b/nixos/modules/security/auditd.nix index db4b2701ee2e9..253ee1d4dd0e5 100644 --- a/nixos/modules/security/auditd.nix +++ b/nixos/modules/security/auditd.nix @@ -13,6 +13,8 @@ with lib; systemd.services.auditd = { description = "Linux Audit daemon"; wantedBy = [ "basic.target" ]; + before = [ "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig = { ConditionVirtualization = "!container"; @@ -23,7 +25,7 @@ with lib; path = [ pkgs.audit ]; serviceConfig = { - ExecStartPre="${pkgs.coreutils}/bin/mkdir -p /var/log/audit"; + ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/log/audit"; ExecStart = "${pkgs.audit}/bin/auditd -l -n -s nochange"; }; }; diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index 2a855a77e3a39..ef76bfeb6d66a 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -195,7 +195,8 @@ in systemd.services.login-duo = lib.mkIf cfg.ssh.enable { wantedBy = [ "sysinit.target" ]; - before = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; script = '' if test -f "${cfg.secretKeyFile}"; then @@ -216,7 +217,8 @@ in systemd.services.pam-duo = lib.mkIf cfg.ssh.enable { wantedBy = [ "sysinit.target" ]; - before = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; script = '' if test -f "${cfg.secretKeyFile}"; then diff --git a/nixos/modules/security/ipa.nix b/nixos/modules/security/ipa.nix index 69a670cd5e4a3..49226ec38199c 100644 --- a/nixos/modules/security/ipa.nix +++ b/nixos/modules/security/ipa.nix @@ -181,25 +181,33 @@ in { ''; }; - system.activationScripts.ipa = stringAfter ["etc"] '' - # libcurl requires a hard copy of the certificate - if ! ${pkgs.diffutils}/bin/diff ${cfg.certificate} /etc/ipa/ca.crt > /dev/null 2>&1; then - rm -f /etc/ipa/ca.crt - cp ${cfg.certificate} /etc/ipa/ca.crt - fi - - if [ ! -f /etc/krb5.keytab ]; then - cat <<EOF - - In order to complete FreeIPA integration, please join the domain by completing the following steps: - 1. Authenticate as an IPA user authorized to join new hosts, e.g. kinit admin@${cfg.realm} - 2. Join the domain and obtain the keytab file: ipa-join - 3. Install the keytab file: sudo install -m 600 krb5.keytab /etc/ - 4. Restart sssd systemd service: sudo systemctl restart sssd - - EOF - fi - ''; + systemd.services."ipa-activation" = { + wantedBy = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; + unitConfig.DefaultDependencies = false; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + script = '' + # libcurl requires a hard copy of the certificate + if ! ${pkgs.diffutils}/bin/diff ${cfg.certificate} /etc/ipa/ca.crt > /dev/null 2>&1; then + rm -f /etc/ipa/ca.crt + cp ${cfg.certificate} /etc/ipa/ca.crt + fi + + if [ ! -f /etc/krb5.keytab ]; then + cat <<EOF + + In order to complete FreeIPA integration, please join the domain by completing the following steps: + 1. Authenticate as an IPA user authorized to join new hosts, e.g. kinit admin@${cfg.realm} + 2. Join the domain and obtain the keytab file: ipa-join + 3. Install the keytab file: sudo install -m 600 krb5.keytab /etc/ + 4. Restart sssd systemd service: sudo systemctl restart sssd + + EOF + fi + ''; + }; services.sssd.config = '' [domain/${cfg.domain}] diff --git a/nixos/modules/security/sudo-rs.nix b/nixos/modules/security/sudo-rs.nix index f991675827efb..b4376562c34d7 100644 --- a/nixos/modules/security/sudo-rs.nix +++ b/nixos/modules/security/sudo-rs.nix @@ -6,8 +6,6 @@ let cfg = config.security.sudo-rs; - inherit (config.security.pam) enableSSHAgentAuth; - toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 250f9775be14d..a298686b34e97 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -278,7 +278,9 @@ in systemd.services.suid-sgid-wrappers = { description = "Create SUID/SGID Wrappers"; wantedBy = [ "sysinit.target" ]; - before = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; + after = [ "systemd-sysusers.service" ]; unitConfig.DefaultDependencies = false; unitConfig.RequiresMountsFor = [ "/nix/store" "/run/wrappers" ]; serviceConfig.Type = "oneshot"; diff --git a/nixos/modules/security/wrappers/wrapper.nix b/nixos/modules/security/wrappers/wrapper.nix index 27d46c630af54..ca4b27bff1801 100644 --- a/nixos/modules/security/wrappers/wrapper.nix +++ b/nixos/modules/security/wrappers/wrapper.nix @@ -1,8 +1,8 @@ { stdenv, unsecvars, linuxHeaders, sourceProg, debug ? false }: # For testing: -# $ nix-build -E 'with import <nixpkgs> {}; pkgs.callPackage ./wrapper.nix { parentWrapperDir = "/run/wrappers"; debug = true; }' +# $ nix-build -E 'with import <nixpkgs> {}; pkgs.callPackage ./wrapper.nix { sourceProg = "${pkgs.hello}/bin/hello"; debug = true; }' stdenv.mkDerivation { - name = "security-wrapper"; + name = "security-wrapper-${baseNameOf sourceProg}"; buildInputs = [ linuxHeaders ]; dontUnpack = true; CFLAGS = [ diff --git a/nixos/modules/services/admin/pgadmin.nix b/nixos/modules/services/admin/pgadmin.nix index 390c80d1a2d42..5eaa911e37f18 100644 --- a/nixos/modules/services/admin/pgadmin.nix +++ b/nixos/modules/services/admin/pgadmin.nix @@ -3,7 +3,6 @@ with lib; let - pkg = pkgs.pgadmin4; cfg = config.services.pgadmin; _base = with types; [ int bool str ]; @@ -36,6 +35,8 @@ in default = 5050; }; + package = mkPackageOptionMD pkgs "pgadmin4" { }; + initialEmail = mkOption { description = lib.mdDoc "Initial email for the pgAdmin account"; type = types.str; @@ -150,7 +151,7 @@ in echo "$PW" # Retype password: echo "$PW" - ) | ${pkg}/bin/pgadmin4-setup + ) | ${cfg.package}/bin/pgadmin4-setup ''; restartTriggers = [ @@ -162,7 +163,7 @@ in DynamicUser = true; LogsDirectory = "pgadmin"; StateDirectory = "pgadmin"; - ExecStart = "${pkg}/bin/pgadmin4"; + ExecStart = "${cfg.package}/bin/pgadmin4"; }; }; diff --git a/nixos/modules/services/audio/mopidy.nix b/nixos/modules/services/audio/mopidy.nix index 40e8679f53d74..9d8e67b0ea478 100644 --- a/nixos/modules/services/audio/mopidy.nix +++ b/nixos/modules/services/audio/mopidy.nix @@ -76,7 +76,7 @@ in { systemd.services.mopidy = { wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "sound.target" ]; + after = [ "network-online.target" "sound.target" ]; description = "mopidy music player daemon"; serviceConfig = { ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)}"; diff --git a/nixos/modules/services/audio/mympd.nix b/nixos/modules/services/audio/mympd.nix new file mode 100644 index 0000000000000..f1c7197085d7d --- /dev/null +++ b/nixos/modules/services/audio/mympd.nix @@ -0,0 +1,129 @@ +{ pkgs, config, lib, ... }: + +let + cfg = config.services.mympd; +in { + options = { + + services.mympd = { + + enable = lib.mkEnableOption (lib.mdDoc "MyMPD server"); + + package = lib.mkPackageOption pkgs "mympd" {}; + + openFirewall = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc '' + Open ports needed for the functionality of the program. + ''; + }; + + extraGroups = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + example = [ "music" ]; + description = lib.mdDoc '' + Additional groups for the systemd service. + ''; + }; + + settings = lib.mkOption { + type = lib.types.submodule { + freeformType = with lib.types; attrsOf (nullOr (oneOf [ str bool int ])); + options = { + http_port = lib.mkOption { + type = lib.types.port; + description = lib.mdDoc '' + The HTTP port where mympd's web interface will be available. + + The HTTPS/SSL port can be configured via {option}`config`. + ''; + example = "8080"; + }; + + ssl = lib.mkOption { + type = lib.types.bool; + description = lib.mdDoc '' + Whether to enable listening on the SSL port. + + Refer to <https://jcorporation.github.io/myMPD/configuration/configuration-files#ssl-options> + for more information. + ''; + default = false; + }; + }; + }; + description = lib.mdDoc '' + Manages the configuration files declaratively. For all the configuration + options, see <https://jcorporation.github.io/myMPD/configuration/configuration-files>. + + Each key represents the "File" column from the upstream configuration table, and the + value is the content of that file. + ''; + }; + }; + + }; + + config = lib.mkIf cfg.enable { + systemd.services.mympd = { + # upstream service config: https://github.com/jcorporation/myMPD/blob/master/contrib/initscripts/mympd.service.in + after = [ "mpd.service" ]; + wantedBy = [ "multi-user.target" ]; + preStart = with lib; '' + config_dir="/var/lib/mympd/config" + mkdir -p "$config_dir" + + ${pipe cfg.settings [ + (mapAttrsToList (name: value: '' + echo -n "${if isBool value then boolToString value else toString value}" > "$config_dir/${name}" + '')) + (concatStringsSep "\n") + ]} + ''; + unitConfig = { + Description = "myMPD server daemon"; + Documentation = "man:mympd(1)"; + }; + serviceConfig = { + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; + DynamicUser = true; + ExecStart = lib.getExe cfg.package; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateDevices = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictRealtime = true; + StateDirectory = "mympd"; + CacheDirectory = "mympd"; + RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX"; + RestrictNamespaces = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + SupplementaryGroups = cfg.extraGroups; + }; + }; + + networking.firewall = lib.mkMerge [ + (lib.mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.settings.http_port ]; + }) + (lib.mkIf (cfg.openFirewall && cfg.settings.ssl && cfg.settings.ssl_port != null) { + allowedTCPPorts = [ cfg.settings.ssl_port ]; + }) + ]; + + }; + + meta.maintainers = [ lib.maintainers.eliandoran ]; + +} diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix index 393fe83f493f5..6f4455d3be605 100644 --- a/nixos/modules/services/backup/borgbackup.nix +++ b/nixos/modules/services/backup/borgbackup.nix @@ -143,20 +143,15 @@ let }; # Paths listed in ReadWritePaths must exist before service is started - mkActivationScript = name: cfg: + mkTmpfiles = name: cfg: let - install = "install -o ${cfg.user} -g ${cfg.group}"; - in - nameValuePair "borgbackup-job-${name}" (stringAfter [ "users" ] ('' - # Ensure that the home directory already exists - # We can't assert createHome == true because that's not the case for root - cd "${config.users.users.${cfg.user}.home}" - # Create each directory separately to prevent root owned parent dirs - ${install} -d .config .config/borg - ${install} -d .cache .cache/borg - '' + optionalString (isLocalPath cfg.repo && !cfg.removableDevice) '' - ${install} -d ${escapeShellArg cfg.repo} - '')); + settings = { inherit (cfg) user group; }; + in lib.nameValuePair "borgbackup-job-${name}" ({ + "${config.users.users."${cfg.user}".home}/.config/borg".d = settings; + "${config.users.users."${cfg.user}".home}/.cache/borg".d = settings; + } // optionalAttrs (isLocalPath cfg.repo && !cfg.removableDevice) { + "${cfg.repo}".d = settings; + }); mkPassAssertion = name: cfg: { assertion = with cfg.encryption; @@ -760,7 +755,7 @@ in { ++ mapAttrsToList mkSourceAssertions jobs ++ mapAttrsToList mkRemovableDeviceAssertions jobs; - system.activationScripts = mapAttrs' mkActivationScript jobs; + systemd.tmpfiles.settings = mapAttrs' mkTmpfiles jobs; systemd.services = # A job named "foo" is mapped to systemd.services.borgbackup-job-foo diff --git a/nixos/modules/services/backup/restic.nix b/nixos/modules/services/backup/restic.nix index e3eb504e0adfc..b222dd952d159 100644 --- a/nixos/modules/services/backup/restic.nix +++ b/nixos/modules/services/backup/restic.nix @@ -384,10 +384,11 @@ in ${lib.optionalString (backup.environmentFile != null) "source ${backup.environmentFile}"} # set same environment variables as the systemd service ${lib.pipe config.systemd.services."restic-backups-${name}".environment [ - (lib.filterAttrs (_: v: v != null)) + (lib.filterAttrs (n: v: v != null && n != "PATH")) (lib.mapAttrsToList (n: v: "${n}=${v}")) (lib.concatStringsSep "\n") ]} + PATH=${config.systemd.services."restic-backups-${name}".environment.PATH}:$PATH exec ${resticCmd} $@ '') (lib.filterAttrs (_: v: v.createWrapper) config.services.restic.backups); diff --git a/nixos/modules/tasks/snapraid.nix b/nixos/modules/services/backup/snapraid.nix index 9570c6b76123b..c9b2550e80e81 100644 --- a/nixos/modules/tasks/snapraid.nix +++ b/nixos/modules/services/backup/snapraid.nix @@ -2,10 +2,15 @@ with lib; -let cfg = config.snapraid; +let cfg = config.services.snapraid; in { - options.snapraid = with types; { + imports = [ + # Should have never been on the top-level. + (mkRenamedOptionModule [ "snapraid" ] [ "services" "snapraid" ]) + ]; + + options.services.snapraid = with types; { enable = mkEnableOption (lib.mdDoc "SnapRAID"); dataDisks = mkOption { default = { }; diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix index 38682701ea151..35151ebd6bd7b 100644 --- a/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixos/modules/services/cluster/kubernetes/pki.nix @@ -212,7 +212,7 @@ in services.certmgr = { enable = true; - package = pkgs.certmgr-selfsigned; + package = pkgs.certmgr; svcManager = "command"; specs = let diff --git a/nixos/modules/services/continuous-integration/buildkite-agents.nix b/nixos/modules/services/continuous-integration/buildkite-agents.nix index a35ca4168074f..2e488f83d4c3b 100644 --- a/nixos/modules/services/continuous-integration/buildkite-agents.nix +++ b/nixos/modules/services/continuous-integration/buildkite-agents.nix @@ -35,6 +35,12 @@ let type = lib.types.str; }; + extraGroups = lib.mkOption { + default = [ "keys" ]; + description = lib.mdDoc "Groups the user for this buildkite agent should belong to"; + type = lib.types.listOf lib.types.str; + }; + runtimePackages = lib.mkOption { default = [ pkgs.bash pkgs.gnutar pkgs.gzip pkgs.git pkgs.nix ]; defaultText = lib.literalExpression "[ pkgs.bash pkgs.gnutar pkgs.gzip pkgs.git pkgs.nix ]"; @@ -150,7 +156,7 @@ in home = cfg.dataDir; createHome = true; description = "Buildkite agent user"; - extraGroups = [ "keys" ]; + extraGroups = cfg.extraGroups; isSystemUser = true; group = "buildkite-agent-${name}"; }; diff --git a/nixos/modules/services/continuous-integration/jenkins/default.nix b/nixos/modules/services/continuous-integration/jenkins/default.nix index e96743784e047..d69cf4587aaba 100644 --- a/nixos/modules/services/continuous-integration/jenkins/default.nix +++ b/nixos/modules/services/continuous-integration/jenkins/default.nix @@ -236,6 +236,7 @@ in { serviceConfig = { User = cfg.user; + StateDirectory = mkIf (hasPrefix "/var/lib/jenkins" cfg.home) "jenkins"; }; }; }; diff --git a/nixos/modules/services/databases/aerospike.nix b/nixos/modules/services/databases/aerospike.nix index 373c8f4bffb0d..4923c0f00ddb4 100644 --- a/nixos/modules/services/databases/aerospike.nix +++ b/nixos/modules/services/databases/aerospike.nix @@ -108,6 +108,11 @@ in }; users.groups.aerospike.gid = config.ids.gids.aerospike; + boot.kernel.sysctl = { + "net.core.rmem_max" = mkDefault 15728640; + "net.core.wmem_max" = mkDefault 5242880; + }; + systemd.services.aerospike = rec { description = "Aerospike server"; @@ -131,14 +136,6 @@ in echo "kernel.shmmax too low, setting to 1GB" ${pkgs.procps}/bin/sysctl -w kernel.shmmax=1073741824 fi - if [ $(echo "$(cat /proc/sys/net/core/rmem_max) < 15728640" | ${pkgs.bc}/bin/bc) == "1" ]; then - echo "increasing socket buffer limit (/proc/sys/net/core/rmem_max): $(cat /proc/sys/net/core/rmem_max) -> 15728640" - echo 15728640 > /proc/sys/net/core/rmem_max - fi - if [ $(echo "$(cat /proc/sys/net/core/wmem_max) < 5242880" | ${pkgs.bc}/bin/bc) == "1" ]; then - echo "increasing socket buffer limit (/proc/sys/net/core/wmem_max): $(cat /proc/sys/net/core/wmem_max) -> 5242880" - echo 5242880 > /proc/sys/net/core/wmem_max - fi install -d -m0700 -o ${serviceConfig.User} -g ${serviceConfig.Group} "${cfg.workDir}" install -d -m0700 -o ${serviceConfig.User} -g ${serviceConfig.Group} "${cfg.workDir}/smd" install -d -m0700 -o ${serviceConfig.User} -g ${serviceConfig.Group} "${cfg.workDir}/udf" diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index d0058fd1948b0..ed5915735730b 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -404,7 +404,7 @@ in default = {}; description = lib.mdDoc '' PostgreSQL configuration. Refer to - <https://www.postgresql.org/docs/15/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE> + <https://www.postgresql.org/docs/current/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE> for an overview of `postgresql.conf`. ::: {.note} diff --git a/nixos/modules/services/desktops/flatpak.nix b/nixos/modules/services/desktops/flatpak.nix index d99faf381e019..4c26e6874023a 100644 --- a/nixos/modules/services/desktops/flatpak.nix +++ b/nixos/modules/services/desktops/flatpak.nix @@ -35,6 +35,7 @@ in { services.dbus.packages = [ pkgs.flatpak ]; systemd.packages = [ pkgs.flatpak ]; + systemd.tmpfiles.packages = [ pkgs.flatpak ]; environment.profiles = [ "$HOME/.local/share/flatpak/exports" diff --git a/nixos/modules/services/desktops/pipewire/pipewire.nix b/nixos/modules/services/desktops/pipewire/pipewire.nix index 04ac415c177cb..da409030b3a35 100644 --- a/nixos/modules/services/desktops/pipewire/pipewire.nix +++ b/nixos/modules/services/desktops/pipewire/pipewire.nix @@ -4,6 +4,8 @@ with lib; let + json = pkgs.formats.json {}; + mapToFiles = location: config: concatMapAttrs (name: value: { "pipewire/${location}.conf.d/${name}.conf".source = json.generate "${name}" value;}) config; cfg = config.services.pipewire; enable32BitAlsaPlugins = cfg.alsa.support32Bit && pkgs.stdenv.isx86_64 @@ -72,15 +74,140 @@ in { https://github.com/PipeWire/pipewire/blob/master/NEWS ''; }; + + extraConfig = { + pipewire = mkOption { + type = lib.types.attrsOf json.type; + default = {}; + example = { + "10-clock-rate" = { + "context.properties" = { + "default.clock.rate" = 44100; + }; + }; + "11-no-upmixing" = { + "stream.properties" = { + "channelmix.upmix" = false; + }; + }; + }; + description = lib.mdDoc '' + Additional configuration for the PipeWire server. + + Every item in this attrset becomes a separate drop-in file in `/etc/pipewire/pipewire.conf.d`. + + See `man pipewire.conf` for details, and [the PipeWire wiki][wiki] for examples. + + See also: + - [PipeWire wiki - virtual devices][wiki-virtual-device] for creating virtual devices or remapping channels + - [PipeWire wiki - filter-chain][wiki-filter-chain] for creating more complex processing pipelines + - [PipeWire wiki - network][wiki-network] for streaming audio over a network + + [wiki]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Config-PipeWire + [wiki-virtual-device]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Virtual-Devices + [wiki-filter-chain]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Filter-Chain + [wiki-network]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Network + ''; + }; + client = mkOption { + type = lib.types.attrsOf json.type; + default = {}; + example = { + "10-no-resample" = { + "stream.properties" = { + "resample.disable" = true; + }; + }; + }; + description = lib.mdDoc '' + Additional configuration for the PipeWire client library, used by most applications. + + Every item in this attrset becomes a separate drop-in file in `/etc/pipewire/client.conf.d`. + + See the [PipeWire wiki][wiki] for examples. + + [wiki]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Config-client + ''; + }; + client-rt = mkOption { + type = lib.types.attrsOf json.type; + default = {}; + example = { + "10-alsa-linear-volume" = { + "alsa.properties" = { + "alsa.volume-method" = "linear"; + }; + }; + }; + description = lib.mdDoc '' + Additional configuration for the PipeWire client library, used by real-time applications and legacy ALSA clients. + + Every item in this attrset becomes a separate drop-in file in `/etc/pipewire/client-rt.conf.d`. + + See the [PipeWire wiki][wiki] for examples of general configuration, and [PipeWire wiki - ALSA][wiki-alsa] for ALSA clients. + + [wiki]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Config-client + [wiki-alsa]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Config-ALSA + ''; + }; + jack = mkOption { + type = lib.types.attrsOf json.type; + default = {}; + example = { + "20-hide-midi" = { + "jack.properties" = { + "jack.show-midi" = false; + }; + }; + }; + description = lib.mdDoc '' + Additional configuration for the PipeWire JACK server and client library. + + Every item in this attrset becomes a separate drop-in file in `/etc/pipewire/jack.conf.d`. + + See the [PipeWire wiki][wiki] for examples. + + [wiki]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Config-JACK + ''; + }; + pipewire-pulse = mkOption { + type = lib.types.attrsOf json.type; + default = {}; + example = { + "15-force-s16-info" = { + "pulse.rules" = [{ + matches = [ + { "application.process.binary" = "my-broken-app"; } + ]; + actions = { + quirks = [ "force-s16-info" ]; + }; + }]; + }; + }; + description = lib.mdDoc '' + Additional configuration for the PipeWire PulseAudio server. + + Every item in this attrset becomes a separate drop-in file in `/etc/pipewire/pipewire-pulse.conf.d`. + + See `man pipewire-pulse.conf` for details, and [the PipeWire wiki][wiki] for examples. + + See also: + - [PipeWire wiki - PulseAudio tricks guide][wiki-tricks] for more examples. + + [wiki]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Config-PulseAudio + [wiki-tricks]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Guide-PulseAudio-Tricks + ''; + }; + }; }; }; imports = [ (lib.mkRemovedOptionModule ["services" "pipewire" "config"] '' - Overriding default Pipewire configuration through NixOS options never worked correctly and is no longer supported. - Please create drop-in files in /etc/pipewire/pipewire.conf.d/ to make the desired setting changes instead. + Overriding default PipeWire configuration through NixOS options never worked correctly and is no longer supported. + Please create drop-in configuration files via `services.pipewire.extraConfig` instead. '') - (lib.mkRemovedOptionModule ["services" "pipewire" "media-session"] '' pipewire-media-session is no longer supported upstream and has been removed. Please switch to `services.pipewire.wireplumber` instead. @@ -133,26 +260,35 @@ in { services.udev.packages = [ cfg.package ]; # If any paths are updated here they must also be updated in the package test. - environment.etc."alsa/conf.d/49-pipewire-modules.conf" = mkIf cfg.alsa.enable { - text = '' - pcm_type.pipewire { - libs.native = ${cfg.package}/lib/alsa-lib/libasound_module_pcm_pipewire.so ; - ${optionalString enable32BitAlsaPlugins - "libs.32Bit = ${pkgs.pkgsi686Linux.pipewire}/lib/alsa-lib/libasound_module_pcm_pipewire.so ;"} - } - ctl_type.pipewire { - libs.native = ${cfg.package}/lib/alsa-lib/libasound_module_ctl_pipewire.so ; - ${optionalString enable32BitAlsaPlugins - "libs.32Bit = ${pkgs.pkgsi686Linux.pipewire}/lib/alsa-lib/libasound_module_ctl_pipewire.so ;"} - } - ''; - }; - environment.etc."alsa/conf.d/50-pipewire.conf" = mkIf cfg.alsa.enable { - source = "${cfg.package}/share/alsa/alsa.conf.d/50-pipewire.conf"; - }; - environment.etc."alsa/conf.d/99-pipewire-default.conf" = mkIf cfg.alsa.enable { - source = "${cfg.package}/share/alsa/alsa.conf.d/99-pipewire-default.conf"; - }; + environment.etc = { + "alsa/conf.d/49-pipewire-modules.conf" = mkIf cfg.alsa.enable { + text = '' + pcm_type.pipewire { + libs.native = ${cfg.package}/lib/alsa-lib/libasound_module_pcm_pipewire.so ; + ${optionalString enable32BitAlsaPlugins + "libs.32Bit = ${pkgs.pkgsi686Linux.pipewire}/lib/alsa-lib/libasound_module_pcm_pipewire.so ;"} + } + ctl_type.pipewire { + libs.native = ${cfg.package}/lib/alsa-lib/libasound_module_ctl_pipewire.so ; + ${optionalString enable32BitAlsaPlugins + "libs.32Bit = ${pkgs.pkgsi686Linux.pipewire}/lib/alsa-lib/libasound_module_ctl_pipewire.so ;"} + } + ''; + }; + + "alsa/conf.d/50-pipewire.conf" = mkIf cfg.alsa.enable { + source = "${cfg.package}/share/alsa/alsa.conf.d/50-pipewire.conf"; + }; + + "alsa/conf.d/99-pipewire-default.conf" = mkIf cfg.alsa.enable { + source = "${cfg.package}/share/alsa/alsa.conf.d/99-pipewire-default.conf"; + }; + } + // mapToFiles "pipewire" cfg.extraConfig.pipewire + // mapToFiles "client" cfg.extraConfig.client + // mapToFiles "client-rt" cfg.extraConfig.client-rt + // mapToFiles "jack" cfg.extraConfig.jack + // mapToFiles "pipewire-pulse" cfg.extraConfig.pipewire-pulse; environment.sessionVariables.LD_LIBRARY_PATH = lib.mkIf cfg.jack.enable [ "${cfg.package.jack}/lib" ]; diff --git a/nixos/modules/services/development/livebook.md b/nixos/modules/services/development/livebook.md index 73ddc57f6179a..5012e977a4f7f 100644 --- a/nixos/modules/services/development/livebook.md +++ b/nixos/modules/services/development/livebook.md @@ -18,7 +18,7 @@ which runs the server. port = 20123; # See note below about security environmentFile = pkgs.writeText "livebook.env" '' - LIVEBOOK_PASSWORD = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; + LIVEBOOK_PASSWORD = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ''; }; } @@ -37,3 +37,14 @@ A better approach would be to put the password in some secure user-readable location and set `environmentFile = /home/user/secure/livebook.env`. ::: + +### Extra dependencies {#module-services-livebook-extra-dependencies} + +By default, the Livebook service is run with minimum dependencies, but +some features require additional packages. For example, the machine +learning Kinos require `gcc` and `gnumake`. To add these, use +`extraPackages`: + +``` +services.livebook.extraPackages = with pkgs; [ gcc gnumake ]; +``` diff --git a/nixos/modules/services/development/livebook.nix b/nixos/modules/services/development/livebook.nix index 3991a4125ec39..75729ff28efaf 100644 --- a/nixos/modules/services/development/livebook.nix +++ b/nixos/modules/services/development/livebook.nix @@ -12,6 +12,8 @@ in # future, this can be changed to a system service. enableUserService = mkEnableOption "a user service for Livebook"; + package = mkPackageOption pkgs "livebook" { }; + environmentFile = mkOption { type = types.path; description = lib.mdDoc '' @@ -63,6 +65,15 @@ in } ''; }; + + extraPackages = mkOption { + type = with types; listOf package; + default = [ ]; + description = lib.mdDoc '' + Extra packages to make available to the Livebook service. + ''; + example = literalExpression "with pkgs; [ gcc gnumake ]"; + }; }; config = mkIf cfg.enableUserService { @@ -79,9 +90,9 @@ in sname = cfg.erlang_node_short_name; } // cfg.options); in - "${pkgs.livebook}/bin/livebook server ${args}"; + "${cfg.package}/bin/livebook server ${args}"; }; - path = [ pkgs.bash ]; + path = [ pkgs.bash ] ++ cfg.extraPackages; wantedBy = [ "default.target" ]; }; }; diff --git a/nixos/modules/services/hardware/kanata.nix b/nixos/modules/services/hardware/kanata.nix index 0b77bfbc33b3f..05e76d8432154 100644 --- a/nixos/modules/services/hardware/kanata.nix +++ b/nixos/modules/services/hardware/kanata.nix @@ -78,7 +78,13 @@ let mkName = name: "kanata-${name}"; mkDevices = devices: - optionalString ((length devices) > 0) "linux-dev ${concatStringsSep ":" devices}"; + let + devicesString = pipe devices [ + (map (device: "\"" + device + "\"")) + (concatStringsSep " ") + ]; + in + optionalString ((length devices) > 0) "linux-dev (${devicesString})"; mkConfig = name: keyboard: pkgs.writeText "${mkName name}-config.kdb" '' (defcfg diff --git a/nixos/modules/services/hardware/keyd.nix b/nixos/modules/services/hardware/keyd.nix index 724e9b9568478..77297401a51c7 100644 --- a/nixos/modules/services/hardware/keyd.nix +++ b/nixos/modules/services/hardware/keyd.nix @@ -143,7 +143,7 @@ in RuntimeDirectory = "keyd"; # Hardening - CapabilityBoundingSet = ""; + CapabilityBoundingSet = [ "CAP_SYS_NICE" ]; DeviceAllow = [ "char-input rw" "/dev/uinput rw" @@ -152,7 +152,7 @@ in PrivateNetwork = true; ProtectHome = true; ProtectHostname = true; - PrivateUsers = true; + PrivateUsers = false; PrivateMounts = true; PrivateTmp = true; RestrictNamespaces = true; @@ -165,9 +165,9 @@ in LockPersonality = true; ProtectProc = "invisible"; SystemCallFilter = [ + "nice" "@system-service" "~@privileged" - "~@resources" ]; RestrictAddressFamilies = [ "AF_UNIX" ]; RestrictSUIDSGID = true; diff --git a/nixos/modules/services/hardware/sane.nix b/nixos/modules/services/hardware/sane.nix index 8408844c4f943..8f64afe60734c 100644 --- a/nixos/modules/services/hardware/sane.nix +++ b/nixos/modules/services/hardware/sane.nix @@ -4,7 +4,7 @@ with lib; let - pkg = pkgs.sane-backends.override { + pkg = config.hardware.sane.backends-package.override { scanSnapDriversUnfree = config.hardware.sane.drivers.scanSnap.enable; scanSnapDriversPackage = config.hardware.sane.drivers.scanSnap.package; }; @@ -57,6 +57,13 @@ in ''; }; + hardware.sane.backends-package = mkOption { + type = types.package; + default = pkgs.sane-backends; + defaultText = literalExpression "pkgs.sane-backends"; + description = lib.mdDoc "Backends driver package to use."; + }; + hardware.sane.snapshot = mkOption { type = types.bool; default = false; diff --git a/nixos/modules/services/hardware/thermald.nix b/nixos/modules/services/hardware/thermald.nix index 7ae602823cd65..a4839f326cc45 100644 --- a/nixos/modules/services/hardware/thermald.nix +++ b/nixos/modules/services/hardware/thermald.nix @@ -19,6 +19,12 @@ in ''; }; + ignoreCpuidCheck = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether to ignore the cpuid check to allow running on unsupported platforms"; + }; + configFile = mkOption { type = types.nullOr types.path; default = null; @@ -42,6 +48,7 @@ in ${cfg.package}/sbin/thermald \ --no-daemon \ ${optionalString cfg.debug "--loglevel=debug"} \ + ${optionalString cfg.ignoreCpuidCheck "--ignore-cpuid-check"} \ ${optionalString (cfg.configFile != null) "--config-file ${cfg.configFile}"} \ --dbus-enable \ --adaptive diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix index 08ca7a0d247d0..670b9087f1107 100644 --- a/nixos/modules/services/hardware/udev.nix +++ b/nixos/modules/services/hardware/udev.nix @@ -112,7 +112,8 @@ let echo "OK" filesToFixup="$(for i in "$out"/*; do - grep -l '\B\(/usr\)\?/s\?bin' "$i" || : + # list all files referring to (/usr)/bin paths, but allow references to /bin/sh. + grep -P -l '\B(?!\/bin\/sh\b)(\/usr)?\/bin(?:\/.*)?' "$i" || : done)" if [ -n "$filesToFixup" ]; then @@ -222,6 +223,9 @@ in description = lib.mdDoc '' Packages added to the {env}`PATH` environment variable when executing programs from Udev rules. + + coreutils, gnu{sed,grep}, util-linux and config.systemd.package are + automatically included. ''; }; diff --git a/nixos/modules/services/hardware/vdr.nix b/nixos/modules/services/hardware/vdr.nix index afa64fa16c4a6..5feb379b50d1a 100644 --- a/nixos/modules/services/hardware/vdr.nix +++ b/nixos/modules/services/hardware/vdr.nix @@ -45,6 +45,7 @@ in { systemd.services.vdr = { description = "VDR"; wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; serviceConfig = { ExecStart = '' ${cfg.package}/bin/vdr \ diff --git a/nixos/modules/services/home-automation/home-assistant.nix b/nixos/modules/services/home-automation/home-assistant.nix index 2a6b07c6f1a6e..bc470576b759b 100644 --- a/nixos/modules/services/home-automation/home-assistant.nix +++ b/nixos/modules/services/home-automation/home-assistant.nix @@ -468,8 +468,8 @@ in { mkdir -p "${cfg.configDir}/custom_components" # remove components symlinked in from below the /nix/store - components="$(find "${cfg.configDir}/custom_components" -maxdepth 1 -type l)" - for component in "$components"; do + readarray -d "" components < <(find "${cfg.configDir}/custom_components" -maxdepth 1 -type l -print0) + for component in "''${components[@]}"; do if [[ "$(readlink "$component")" =~ ^${escapeShellArg builtins.storeDir} ]]; then rm "$component" fi diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix index 8a277cea6e461..5d87fc87d4161 100644 --- a/nixos/modules/services/logging/logcheck.nix +++ b/nixos/modules/services/logging/logcheck.nix @@ -220,10 +220,16 @@ in logcheck = {}; }; - system.activationScripts.logcheck = '' - mkdir -m 700 -p /var/{lib,lock}/logcheck - chown ${cfg.user} /var/{lib,lock}/logcheck - ''; + systemd.tmpfiles.settings.logcheck = { + "/var/lib/logcheck".d = { + mode = "700"; + inherit (cfg) user; + }; + "/var/lock/logcheck".d = { + mode = "700"; + inherit (cfg) user; + }; + }; services.cron.systemCronJobs = let withTime = name: {timeArgs, ...}: timeArgs != null; diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 23c47aaca7e23..209e066a19ef8 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -747,7 +747,7 @@ in ${concatStringsSep "\n" (mapAttrsToList (to: from: '' ln -sf ${from} /var/lib/postfix/conf/${to} - ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to} + ${pkgs.postfix}/bin/postalias -o -p /var/lib/postfix/conf/${to} '') cfg.aliasFiles)} ${concatStringsSep "\n" (mapAttrsToList (to: from: '' ln -sf ${from} /var/lib/postfix/conf/${to} @@ -779,6 +779,19 @@ in ExecStart = "${pkgs.postfix}/bin/postfix start"; ExecStop = "${pkgs.postfix}/bin/postfix stop"; ExecReload = "${pkgs.postfix}/bin/postfix reload"; + + # Hardening + PrivateTmp = true; + PrivateDevices = true; + ProtectSystem = "full"; + CapabilityBoundingSet = [ "~CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE" ]; + MemoryDenyWriteExecute = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ]; + RestrictNamespaces = true; + RestrictRealtime = true; }; }; diff --git a/nixos/modules/services/mail/rspamd-trainer.nix b/nixos/modules/services/mail/rspamd-trainer.nix new file mode 100644 index 0000000000000..bb78ddf9dd471 --- /dev/null +++ b/nixos/modules/services/mail/rspamd-trainer.nix @@ -0,0 +1,76 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.rspamd-trainer; + format = pkgs.formats.toml { }; + +in { + options.services.rspamd-trainer = { + + enable = mkEnableOption (mdDoc "Spam/ham trainer for rspamd"); + + settings = mkOption { + default = { }; + description = mdDoc '' + IMAP authentication configuration for rspamd-trainer. For supplying + the IMAP password, use the `secrets` option. + ''; + type = types.submodule { + freeformType = format.type; + }; + example = literalExpression '' + { + HOST = "localhost"; + USERNAME = "spam@example.com"; + INBOXPREFIX = "INBOX/"; + } + ''; + }; + + secrets = lib.mkOption { + type = with types; listOf path; + description = lib.mdDoc '' + A list of files containing the various secrets. Should be in the + format expected by systemd's `EnvironmentFile` directory. For the + IMAP account password use `PASSWORD = mypassword`. + ''; + default = [ ]; + }; + + }; + + config = mkIf cfg.enable { + + systemd = { + services.rspamd-trainer = { + description = "Spam/ham trainer for rspamd"; + serviceConfig = { + ExecStart = "${pkgs.rspamd-trainer}/bin/rspamd-trainer"; + WorkingDirectory = "/var/lib/rspamd-trainer"; + StateDirectory = [ "rspamd-trainer/log" ]; + Type = "oneshot"; + DynamicUser = true; + EnvironmentFile = [ + ( format.generate "rspamd-trainer-env" cfg.settings ) + cfg.secrets + ]; + }; + }; + timers."rspamd-trainer" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "10m"; + OnUnitActiveSec = "10m"; + Unit = "rspamd-trainer.service"; + }; + }; + }; + + }; + + meta.maintainers = with lib.maintainers; [ onny ]; + +} diff --git a/nixos/modules/services/matrix/matrix-sliding-sync.nix b/nixos/modules/services/matrix/matrix-sliding-sync.nix index 295be0c6bf167..8b22cd7dba802 100644 --- a/nixos/modules/services/matrix/matrix-sliding-sync.nix +++ b/nixos/modules/services/matrix/matrix-sliding-sync.nix @@ -1,10 +1,14 @@ { config, lib, pkgs, ... }: let - cfg = config.services.matrix-synapse.sliding-sync; + cfg = config.services.matrix-sliding-sync; in { - options.services.matrix-synapse.sliding-sync = { + imports = [ + (lib.mkRenamedOptionModule [ "services" "matrix-synapse" "sliding-sync" ] [ "services" "matrix-sliding-sync" ]) + ]; + + options.services.matrix-sliding-sync = { enable = lib.mkEnableOption (lib.mdDoc "sliding sync"); package = lib.mkPackageOption pkgs "matrix-sliding-sync" { }; @@ -83,6 +87,7 @@ in systemd.services.matrix-sliding-sync = rec { after = lib.optional cfg.createDatabase "postgresql.service" + ++ lib.optional config.services.dendrite.enable "dendrite.service" ++ lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit; wants = after; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/matrix/synapse.md b/nixos/modules/services/matrix/synapse.md index 58be24204fcfe..f270be8c8d781 100644 --- a/nixos/modules/services/matrix/synapse.md +++ b/nixos/modules/services/matrix/synapse.md @@ -16,13 +16,13 @@ around Matrix. ## Synapse Homeserver {#module-services-matrix-synapse} -[Synapse](https://github.com/matrix-org/synapse) is +[Synapse](https://github.com/element-hq/synapse) is the reference homeserver implementation of Matrix from the core development team at matrix.org. The following configuration example will set up a synapse server for the `example.org` domain, served from the host `myhostname.example.org`. For more information, please refer to the -[installation instructions of Synapse](https://matrix-org.github.io/synapse/latest/setup/installation.html) . +[installation instructions of Synapse](https://element-hq.github.io/synapse/latest/setup/installation.html) . ``` { pkgs, lib, config, ... }: let @@ -70,7 +70,7 @@ in { # the domain (i.e. example.org from @foo:example.org) and the federation port # is 8448. # Further reference can be found in the docs about delegation under - # https://matrix-org.github.io/synapse/latest/delegate.html + # https://element-hq.github.io/synapse/latest/delegate.html locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; # This is usually needed for homeserver discovery (from e.g. other Matrix clients). # Further reference can be found in the upstream docs at @@ -169,7 +169,7 @@ in an additional file like this: ::: {.note} It's also possible to user alternative authentication mechanism such as [LDAP (via `matrix-synapse-ldap3`)](https://github.com/matrix-org/matrix-synapse-ldap3) -or [OpenID](https://matrix-org.github.io/synapse/latest/openid.html). +or [OpenID](https://element-hq.github.io/synapse/latest/openid.html). ::: ## Element (formerly known as Riot) Web Client {#module-services-matrix-element-web} diff --git a/nixos/modules/services/matrix/synapse.nix b/nixos/modules/services/matrix/synapse.nix index 9cc769c2d0db7..50019d2a25cb5 100644 --- a/nixos/modules/services/matrix/synapse.nix +++ b/nixos/modules/services/matrix/synapse.nix @@ -446,7 +446,7 @@ in { default = { }; description = mdDoc '' The primary synapse configuration. See the - [sample configuration](https://github.com/matrix-org/synapse/blob/v${pkgs.matrix-synapse-unwrapped.version}/docs/sample_config.yaml) + [sample configuration](https://github.com/element-hq/synapse/blob/v${pkgs.matrix-synapse-unwrapped.version}/docs/sample_config.yaml) for possible values. Secrets should be passed in by using the `extraConfigFiles` option. @@ -749,7 +749,7 @@ in { by the module, but in practice it broke on runtime and as a result, no URL preview worked anywhere if this was set. - See https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#url_preview_url_blacklist + See https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#url_preview_url_blacklist on how to configure it properly. '')) (types.attrsOf types.str)); @@ -873,7 +873,7 @@ in { Redis configuration for synapse. See the - [upstream documentation](https://github.com/matrix-org/synapse/blob/v${pkgs.matrix-synapse-unwrapped.version}/usage/configuration/config_documentation.md#redis) + [upstream documentation](https://github.com/element-hq/synapse/blob/v${pkgs.matrix-synapse-unwrapped.version}/docs/usage/configuration/config_documentation.md#redis) for available options. ''; }; @@ -886,7 +886,7 @@ in { description = lib.mdDoc '' Options for configuring workers. Worker support will be enabled if at least one worker is configured here. - See the [worker documention](https://matrix-org.github.io/synapse/latest/workers.html#worker-configuration) + See the [worker documention](https://element-hq.github.io/synapse/latest/workers.html#worker-configuration) for possible options for each worker. Worker-specific options overriding the shared homeserver configuration can be specified here for each worker. @@ -900,9 +900,9 @@ in { using [`services.matrix-synapse.configureRedisLocally`](#opt-services.matrix-synapse.configureRedisLocally). Workers also require a proper reverse proxy setup to direct incoming requests to the appropriate process. See - the [reverse proxy documentation](https://matrix-org.github.io/synapse/latest/reverse_proxy.html) for a + the [reverse proxy documentation](https://element-hq.github.io/synapse/latest/reverse_proxy.html) for a general reverse proxying setup and - the [worker documentation](https://matrix-org.github.io/synapse/latest/workers.html#available-worker-applications) + the [worker documentation](https://element-hq.github.io/synapse/latest/workers.html#available-worker-applications) for the available endpoints per worker application. ::: ''; @@ -932,7 +932,7 @@ in { The file for log configuration. See the [python documentation](https://docs.python.org/3/library/logging.config.html#configuration-dictionary-schema) - for the schema and the [upstream repository](https://github.com/matrix-org/synapse/blob/v${pkgs.matrix-synapse-unwrapped.version}/docs/sample_log_config.yaml) + for the schema and the [upstream repository](https://github.com/element-hq/synapse/blob/v${pkgs.matrix-synapse-unwrapped.version}/docs/sample_log_config.yaml) for an example. ''; }; diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index f4305bea2ad76..d0135b2ba7acd 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -234,6 +234,13 @@ in description = lib.mdDoc "Path to the git repositories."; }; + camoHmacKeyFile = mkOption { + type = types.nullOr types.str; + default = null; + example = "/var/lib/secrets/gitea/camoHmacKey"; + description = lib.mdDoc "Path to a file containing the camo HMAC key."; + }; + mailerPasswordFile = mkOption { type = types.nullOr types.str; default = null; @@ -429,6 +436,10 @@ in LFS_JWT_SECRET = "#lfsjwtsecret#"; }; + camo = mkIf (cfg.camoHmacKeyFile != null) { + HMAC_KEY = "#hmackey#"; + }; + session = { COOKIE_NAME = lib.mkDefault "session"; }; @@ -570,6 +581,10 @@ in ${replaceSecretBin} '#lfsjwtsecret#' '${lfsJwtSecret}' '${runConfig}' ''} + ${lib.optionalString (cfg.camoHmacKeyFile != null) '' + ${replaceSecretBin} '#hmackey#' '${cfg.camoHmacKeyFile}' '${runConfig}' + ''} + ${lib.optionalString (cfg.mailerPasswordFile != null) '' ${replaceSecretBin} '#mailerpass#' '${cfg.mailerPasswordFile}' '${runConfig}' ''} diff --git a/nixos/modules/services/misc/guix/default.nix b/nixos/modules/services/misc/guix/default.nix index 7b468e7067cc2..7174ff36b7090 100644 --- a/nixos/modules/services/misc/guix/default.nix +++ b/nixos/modules/services/misc/guix/default.nix @@ -22,11 +22,19 @@ let }) (builtins.genList guixBuildUser numberOfUsers)); - # A set of Guix user profiles to be linked at activation. + # A set of Guix user profiles to be linked at activation. All of these should + # be default profiles managed by Guix CLI and the profiles are located in + # `${cfg.stateDir}/profiles/per-user/$USER/$PROFILE`. guixUserProfiles = { - # The current Guix profile that is created through `guix pull`. + # The default Guix profile managed by `guix pull`. Take note this should be + # the profile with the most precedence in `PATH` env to let users use their + # updated versions of `guix` CLI. "current-guix" = "\${XDG_CONFIG_HOME}/guix/current"; + # The default Guix home profile. This profile contains more than exports + # such as an activation script at `$GUIX_HOME_PROFILE/activate`. + "guix-home" = "$HOME/.guix-home/profile"; + # The default Guix profile similar to $HOME/.nix-profile from Nix. "guix-profile" = "$HOME/.guix-profile"; }; @@ -228,14 +236,8 @@ in description = "Guix daemon socket"; before = [ "multi-user.target" ]; listenStreams = [ "${cfg.stateDir}/guix/daemon-socket/socket" ]; - unitConfig = { - RequiresMountsFor = [ - cfg.storeDir - cfg.stateDir - ]; - ConditionPathIsReadWrite = "${cfg.stateDir}/guix/daemon-socket"; - }; - wantedBy = [ "socket.target" ]; + unitConfig.RequiresMountsFor = [ cfg.storeDir cfg.stateDir ]; + wantedBy = [ "sockets.target" ]; }; systemd.mounts = [{ @@ -262,20 +264,31 @@ in # ephemeral setups where only certain part of the filesystem is # persistent (e.g., "Erase my darlings"-type of setup). system.userActivationScripts.guix-activate-user-profiles.text = let + guixProfile = profile: "${cfg.stateDir}/guix/profiles/per-user/\${USER}/${profile}"; + linkProfile = profile: location: let + userProfile = guixProfile profile; + in '' + [ -d "${userProfile}" ] && ln -sfn "${userProfile}" "${location}" + ''; linkProfileToPath = acc: profile: location: let - guixProfile = "${cfg.stateDir}/guix/profiles/per-user/\${USER}/${profile}"; - in acc + '' - [ -d "${guixProfile}" ] && [ -L "${location}" ] || ln -sf "${guixProfile}" "${location}" - ''; + in acc + (linkProfile profile location); + + # This should contain export-only Guix user profiles. The rest of it is + # handled manually in the activation script. + guixUserProfiles' = lib.attrsets.removeAttrs guixUserProfiles [ "guix-home" ]; - activationScript = lib.foldlAttrs linkProfileToPath "" guixUserProfiles; + linkExportsScript = lib.foldlAttrs linkProfileToPath "" guixUserProfiles'; in '' # Don't export this please! It is only expected to be used for this # activation script and nothing else. XDG_CONFIG_HOME=''${XDG_CONFIG_HOME:-$HOME/.config} # Linking the usual Guix profiles into the home directory. - ${activationScript} + ${linkExportsScript} + + # Activate all of the default Guix non-exports profiles manually. + ${linkProfile "guix-home" "$HOME/.guix-home"} + [ -L "$HOME/.guix-home" ] && "$HOME/.guix-home/activate" ''; # GUIX_LOCPATH is basically LOCPATH but for Guix libc which in turn used by @@ -373,7 +386,6 @@ in serviceConfig = { Type = "oneshot"; - MemoryDenyWriteExecute = true; PrivateDevices = true; PrivateNetworks = true; ProtectControlGroups = true; diff --git a/nixos/modules/services/misc/moonraker.nix b/nixos/modules/services/misc/moonraker.nix index 0ee7e898cf761..750dca9d03736 100644 --- a/nixos/modules/services/misc/moonraker.nix +++ b/nixos/modules/services/misc/moonraker.nix @@ -186,6 +186,12 @@ in { }; }; + # set this to false, otherwise we'll get a warning indicating that `/etc/klipper.cfg` + # is not located in the moonraker config directory. + services.moonraker.settings = lib.mkIf (!config.services.klipper.mutableConfig) { + file_manager.check_klipper_config_path = false; + }; + security.polkit.extraConfig = lib.optionalString cfg.allowSystemControl '' // nixos/moonraker: Allow Moonraker to perform system-level operations // diff --git a/nixos/modules/services/misc/nitter.nix b/nixos/modules/services/misc/nitter.nix index c2c462d46bb5b..d2cf7c0de2b77 100644 --- a/nixos/modules/services/misc/nitter.nix +++ b/nixos/modules/services/misc/nitter.nix @@ -304,6 +304,23 @@ in ''; }; + guestAccounts = mkOption { + type = types.path; + default = "/var/lib/nitter/guest_accounts.jsonl"; + description = lib.mdDoc '' + Path to the guest accounts file. + + This file contains a list of guest accounts that can be used to + access the instance without logging in. The file is in JSONL format, + where each line is a JSON object with the following fields: + + {"oauth_token":"some_token","oauth_token_secret":"some_secret_key"} + + See https://github.com/zedeus/nitter/wiki/Guest-Account-Branch-Deployment + for more information on guest accounts and how to generate them. + ''; + }; + redisCreateLocally = mkOption { type = types.bool; default = true; @@ -333,8 +350,12 @@ in after = [ "network-online.target" ]; serviceConfig = { DynamicUser = true; + LoadCredential="guestAccountsFile:${cfg.guestAccounts}"; StateDirectory = "nitter"; - Environment = [ "NITTER_CONF_FILE=/var/lib/nitter/nitter.conf" ]; + Environment = [ + "NITTER_CONF_FILE=/var/lib/nitter/nitter.conf" + "NITTER_ACCOUNTS_FILE=%d/guestAccountsFile" + ]; # Some parts of Nitter expect `public` folder in working directory, # see https://github.com/zedeus/nitter/issues/414 WorkingDirectory = "${cfg.package}/share/nitter"; diff --git a/nixos/modules/services/misc/ollama.nix b/nixos/modules/services/misc/ollama.nix new file mode 100644 index 0000000000000..9794bbbec464c --- /dev/null +++ b/nixos/modules/services/misc/ollama.nix @@ -0,0 +1,42 @@ +{ config, lib, pkgs, ... }: let + + cfg = config.services.ollama; + +in { + + options = { + services.ollama = { + enable = lib.mkEnableOption ( + lib.mdDoc "Server for local large language models" + ); + package = lib.mkPackageOption pkgs "ollama" { }; + }; + }; + + config = lib.mkIf cfg.enable { + + systemd = { + services.ollama = { + wantedBy = [ "multi-user.target" ]; + description = "Server for local large language models"; + after = [ "network.target" ]; + environment = { + HOME = "%S/ollama"; + OLLAMA_MODELS = "%S/ollama/models"; + }; + serviceConfig = { + ExecStart = "${lib.getExe cfg.package} serve"; + WorkingDirectory = "/var/lib/ollama"; + StateDirectory = [ "ollama" ]; + DynamicUser = true; + }; + }; + }; + + environment.systemPackages = [ cfg.package ]; + + }; + + meta.maintainers = with lib.maintainers; [ onny ]; + +} diff --git a/nixos/modules/services/misc/portunus.nix b/nixos/modules/services/misc/portunus.nix index 3299b6404c2b5..7036a372d1ea8 100644 --- a/nixos/modules/services/misc/portunus.nix +++ b/nixos/modules/services/misc/portunus.nix @@ -102,7 +102,9 @@ in ldap = { package = mkOption { type = types.package; - # needs openldap built with a libxcrypt that support crypt sha256 until https://github.com/majewsky/portunus/issues/2 is solved + # needs openldap built with a libxcrypt that support crypt sha256 until users have had time to migrate to newer hashes + # Ref: <https://github.com/majewsky/portunus/issues/2> + # TODO: remove in NixOS 24.11 (cf. same note on pkgs/servers/portunus/default.nix) default = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; }; defaultText = lib.literalExpression "pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; }"; description = lib.mdDoc "The OpenLDAP package to use."; @@ -247,6 +249,7 @@ in acmeDirectory = config.security.acme.certs."${cfg.domain}".directory; in { + PORTUNUS_SERVER_HTTP_SECURE = "true"; PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = "/etc/ssl/certs/ca-certificates.crt"; PORTUNUS_SLAPD_TLS_CERTIFICATE = "${acmeDirectory}/cert.pem"; PORTUNUS_SLAPD_TLS_DOMAIN_NAME = cfg.domain; diff --git a/nixos/modules/services/misc/redmine.nix b/nixos/modules/services/misc/redmine.nix index b517170cda216..c1209e34a92b5 100644 --- a/nixos/modules/services/misc/redmine.nix +++ b/nixos/modules/services/misc/redmine.nix @@ -53,7 +53,7 @@ in enable = mkEnableOption (lib.mdDoc "Redmine"); package = mkPackageOption pkgs "redmine" { - example = "redmine.override { ruby = pkgs.ruby_2_7; }"; + example = "redmine.override { ruby = pkgs.ruby_3_2; }"; }; user = mkOption { diff --git a/nixos/modules/services/misc/tuxclocker.nix b/nixos/modules/services/misc/tuxclocker.nix new file mode 100644 index 0000000000000..5969f75b8e30d --- /dev/null +++ b/nixos/modules/services/misc/tuxclocker.nix @@ -0,0 +1,71 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.programs.tuxclocker; +in +{ + options.programs.tuxclocker = { + enable = mkEnableOption (lib.mdDoc '' + TuxClocker, a hardware control and monitoring program + ''); + + enableAMD = mkEnableOption (lib.mdDoc '' + AMD GPU controls. + Sets the `amdgpu.ppfeaturemask` kernel parameter to 0xfffd7fff to enable all TuxClocker controls + ''); + + enabledNVIDIADevices = mkOption { + type = types.listOf types.int; + default = [ ]; + example = [ 0 1 ]; + description = lib.mdDoc '' + Enable NVIDIA GPU controls for a device by index. + Sets the `Coolbits` Xorg option to enable all TuxClocker controls. + ''; + }; + + useUnfree = mkOption { + type = types.bool; + default = false; + example = true; + description = lib.mdDoc '' + Whether to use components requiring unfree dependencies. + Disabling this allows you to get everything from the binary cache. + ''; + }; + }; + + config = let + package = if cfg.useUnfree then pkgs.tuxclocker else pkgs.tuxclocker-without-unfree; + in + mkIf cfg.enable { + environment.systemPackages = [ + package + ]; + + services.dbus.packages = [ + package + ]; + + # MSR is used for some features + boot.kernelModules = [ "msr" ]; + + # https://download.nvidia.com/XFree86/Linux-x86_64/430.14/README/xconfigoptions.html#Coolbits + services.xserver.config = let + configSection = (i: '' + Section "Device" + Driver "nvidia" + Option "Coolbits" "31" + Identifier "Device-nvidia[${toString i}]" + EndSection + ''); + in + concatStrings (map configSection cfg.enabledNVIDIADevices); + + # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/gpu/drm/amd/include/amd_shared.h#n207 + # Enable everything modifiable in TuxClocker + boot.kernelParams = mkIf cfg.enableAMD [ "amdgpu.ppfeaturemask=0xfffd7fff" ]; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index e78cb4d01dc5b..b4ac8e21451af 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -1435,6 +1435,10 @@ let remote_timeout = mkOpt types.str '' Timeout for requests to the remote write endpoint. ''; + headers = mkOpt (types.attrsOf types.str) '' + Custom HTTP headers to be sent along with each remote write request. + Be aware that headers that are set by Prometheus itself can't be overwritten. + ''; write_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' List of remote write relabel configurations. ''; @@ -1530,6 +1534,10 @@ let remote_timeout = mkOpt types.str '' Timeout for requests to the remote read endpoint. ''; + headers = mkOpt (types.attrsOf types.str) '' + Custom HTTP headers to be sent along with each remote read request. + Be aware that headers that are set by Prometheus itself can't be overwritten. + ''; read_recent = mkOpt types.bool '' Whether reads should be made for queries for time ranges that the local storage should have complete data for. diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index 39abd293b2d18..35db8a7376b11 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -64,6 +64,7 @@ let "pgbouncer" "php-fpm" "pihole" + "ping" "postfix" "postgres" "process" diff --git a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix index 8b1cd47d0a409..3abb6ff6bdf8b 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @@ -15,8 +15,8 @@ in { type = types.listOf types.str; example = literalExpression '' [ - "/run/kea-dhcp4/kea-dhcp4.socket" - "/run/kea-dhcp6/kea-dhcp6.socket" + "/run/kea/kea-dhcp4.socket" + "/run/kea/kea-dhcp6.socket" ] ''; description = lib.mdDoc '' @@ -31,13 +31,15 @@ in { ]; serviceConfig = { User = "kea"; + DynamicUser = true; ExecStart = '' ${pkgs.prometheus-kea-exporter}/bin/kea-exporter \ --address ${cfg.listenAddress} \ --port ${toString cfg.port} \ ${concatStringsSep " " cfg.controlSocketPaths} ''; - SupplementaryGroups = [ "kea" ]; + RuntimeDirectory = "kea"; + RuntimeDirectoryPreserve = true; RestrictAddressFamilies = [ # Need AF_UNIX to collect data "AF_UNIX" diff --git a/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix b/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix index 3158e71f0468b..88dc79fc2503f 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix @@ -43,14 +43,14 @@ in }; }; serviceOpts = mkMerge ([{ + environment.CONST_LABELS = concatStringsSep "," cfg.constLabels; serviceConfig = { ExecStart = '' ${pkgs.prometheus-nginx-exporter}/bin/nginx-prometheus-exporter \ --nginx.scrape-uri='${cfg.scrapeUri}' \ - --nginx.ssl-verify=${boolToString cfg.sslVerify} \ + --${lib.optionalString (!cfg.sslVerify) "no-"}nginx.ssl-verify \ --web.listen-address=${cfg.listenAddress}:${toString cfg.port} \ --web.telemetry-path=${cfg.telemetryPath} \ - --prometheus.const-labels=${concatStringsSep "," cfg.constLabels} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; }; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/ping.nix b/nixos/modules/services/monitoring/prometheus/exporters/ping.nix new file mode 100644 index 0000000000000..af78b6bef6258 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/ping.nix @@ -0,0 +1,48 @@ +{ config, lib, pkgs, options }: + +with lib; + +let + cfg = config.services.prometheus.exporters.ping; + + settingsFormat = pkgs.formats.yaml {}; + configFile = settingsFormat.generate "config.yml" cfg.settings; +in +{ + port = 9427; + extraOpts = { + telemetryPath = mkOption { + type = types.str; + default = "/metrics"; + description = '' + Path under which to expose metrics. + ''; + }; + + settings = mkOption { + type = settingsFormat.type; + default = {}; + + description = lib.mdDoc '' + Configuration for ping_exporter, see + <https://github.com/czerwonk/ping_exporter> + for supported values. + ''; + }; + }; + + serviceOpts = { + serviceConfig = { + # ping-exporter needs `CAP_NET_RAW` to run as non root https://github.com/czerwonk/ping_exporter#running-as-non-root-user + CapabilityBoundingSet = [ "CAP_NET_RAW" ]; + AmbientCapabilities = [ "CAP_NET_RAW" ]; + ExecStart = '' + ${pkgs.prometheus-ping-exporter}/bin/ping_exporter \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + --web.telemetry-path ${cfg.telemetryPath} \ + --config.path="${configFile}" \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/sabnzbd.nix b/nixos/modules/services/monitoring/prometheus/exporters/sabnzbd.nix index 4112774940139..b9ab305f7c082 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/sabnzbd.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/sabnzbd.nix @@ -19,7 +19,11 @@ in }; apiKeyFile = mkOption { type = types.str; - description = "File containing the API key."; + description = '' + The path to a file containing the API key. + The file is securely passed to the service by leveraging systemd credentials. + No special permissions need to be set on this file. + ''; example = "/run/secrets/sabnzbd_apikey"; }; }; @@ -30,18 +34,24 @@ in serviceOpts = let servers = lib.zipAttrs cfg.servers; - apiKeys = lib.concatStringsSep "," (builtins.map (file: "$(cat ${file})") servers.apiKeyFile); + credentials = lib.imap0 (i: v: { name = "apikey-${toString i}"; path = v; }) servers.apiKeyFile; in { + serviceConfig.LoadCredential = builtins.map ({ name, path }: "${name}:${path}") credentials; + environment = { METRICS_PORT = toString cfg.port; METRICS_ADDR = cfg.listenAddress; SABNZBD_BASEURLS = lib.concatStringsSep "," servers.baseUrl; }; - script = '' - export SABNZBD_APIKEYS="${apiKeys}" - exec ${lib.getExe pkgs.prometheus-sabnzbd-exporter} - ''; + script = + let + apiKeys = lib.concatStringsSep "," (builtins.map (cred: "$(< $CREDENTIALS_DIRECTORY/${cred.name})") credentials); + in + '' + export SABNZBD_APIKEYS="${apiKeys}" + exec ${lib.getExe pkgs.prometheus-sabnzbd-exporter} + ''; }; } diff --git a/nixos/modules/services/monitoring/thanos.nix b/nixos/modules/services/monitoring/thanos.nix index 5baa0d8446e54..02502816ef5d7 100644 --- a/nixos/modules/services/monitoring/thanos.nix +++ b/nixos/modules/services/monitoring/thanos.nix @@ -394,9 +394,8 @@ let Maximum number of queries processed concurrently by query node. ''; - query.replica-labels = mkAttrsParam "query.replica-label" '' + query.replica-labels = mkListParam "query.replica-label" '' Labels to treat as a replica indicator along which data is - deduplicated. Still you will be able to query without deduplication using diff --git a/nixos/modules/services/monitoring/ups.nix b/nixos/modules/services/monitoring/ups.nix index c9dda8a8c0930..63afb5deb5bd4 100644 --- a/nixos/modules/services/monitoring/ups.nix +++ b/nixos/modules/services/monitoring/ups.nix @@ -590,6 +590,7 @@ in "d /var/lib/nut 700" ]; + services.udev.packages = [ pkgs.nut ]; /* users.users.nut = diff --git a/nixos/modules/services/network-filesystems/drbd.nix b/nixos/modules/services/network-filesystems/drbd.nix index e74ed391d48e3..79a1b768b4615 100644 --- a/nixos/modules/services/network-filesystems/drbd.nix +++ b/nixos/modules/services/network-filesystems/drbd.nix @@ -55,8 +55,8 @@ let cfg = config.services.drbd; in wants = [ "systemd-udev.settle.service" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = "${pkgs.drbd}/sbin/drbdadm up all"; - ExecStop = "${pkgs.drbd}/sbin/drbdadm down all"; + ExecStart = "${pkgs.drbd}/bin/drbdadm up all"; + ExecStop = "${pkgs.drbd}/bin/drbdadm down all"; }; }; }; diff --git a/nixos/modules/services/network-filesystems/kubo.nix b/nixos/modules/services/network-filesystems/kubo.nix index fbf9b32a2b25a..8226fc614bc47 100644 --- a/nixos/modules/services/network-filesystems/kubo.nix +++ b/nixos/modules/services/network-filesystems/kubo.nix @@ -147,18 +147,6 @@ in description = lib.mdDoc "Whether Kubo should try to run the fs-repo-migration at startup."; }; - ipfsMountDir = mkOption { - type = types.str; - default = "/ipfs"; - description = lib.mdDoc "Where to mount the IPFS namespace to"; - }; - - ipnsMountDir = mkOption { - type = types.str; - default = "/ipns"; - description = lib.mdDoc "Where to mount the IPNS namespace to"; - }; - enableGC = mkOption { type = types.bool; default = false; @@ -205,6 +193,18 @@ in ]; description = lib.mdDoc "Where Kubo listens for incoming p2p connections"; }; + + Mounts.IPFS = mkOption { + type = types.str; + default = "/ipfs"; + description = lib.mdDoc "Where to mount the IPFS namespace to"; + }; + + Mounts.IPNS = mkOption { + type = types.str; + default = "/ipns"; + description = lib.mdDoc "Where to mount the IPNS namespace to"; + }; }; }; description = lib.mdDoc '' @@ -309,8 +309,8 @@ in systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -" ] ++ optionals cfg.autoMount [ - "d '${cfg.ipfsMountDir}' - ${cfg.user} ${cfg.group} - -" - "d '${cfg.ipnsMountDir}' - ${cfg.user} ${cfg.group} - -" + "d '${cfg.settings.Mounts.IPFS}' - ${cfg.user} ${cfg.group} - -" + "d '${cfg.settings.Mounts.IPNS}' - ${cfg.user} ${cfg.group} - -" ]; # The hardened systemd unit breaks the fuse-mount function according to documentation in the unit file itself @@ -320,8 +320,6 @@ in services.kubo.settings = mkIf cfg.autoMount { Mounts.FuseAllowOther = lib.mkDefault true; - Mounts.IPFS = lib.mkDefault cfg.ipfsMountDir; - Mounts.IPNS = lib.mkDefault cfg.ipnsMountDir; }; systemd.services.ipfs = { @@ -352,8 +350,8 @@ in ipfs --offline config replace - ''; postStop = mkIf cfg.autoMount '' - # After an unclean shutdown the fuse mounts at cfg.ipnsMountDir and cfg.ipfsMountDir are locked - umount --quiet '${cfg.ipnsMountDir}' '${cfg.ipfsMountDir}' || true + # After an unclean shutdown the fuse mounts at cfg.settings.Mounts.IPFS and cfg.settings.Mounts.IPNS are locked + umount --quiet '${cfg.settings.Mounts.IPFS}' '${cfg.settings.Mounts.IPNS}' || true ''; serviceConfig = { ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${kuboFlags}" ]; @@ -361,6 +359,8 @@ in Group = cfg.group; StateDirectory = ""; ReadWritePaths = optionals (!cfg.autoMount) [ "" cfg.dataDir ]; + # Make sure the socket units are started before ipfs.service + Sockets = [ "ipfs-gateway.socket" "ipfs-api.socket" ]; } // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; }; } // optionalAttrs (!cfg.startWhenNeeded) { wantedBy = [ "default.target" ]; @@ -403,8 +403,8 @@ in (mkRenamedOptionModule [ "services" "ipfs" "defaultMode" ] [ "services" "kubo" "defaultMode" ]) (mkRenamedOptionModule [ "services" "ipfs" "autoMount" ] [ "services" "kubo" "autoMount" ]) (mkRenamedOptionModule [ "services" "ipfs" "autoMigrate" ] [ "services" "kubo" "autoMigrate" ]) - (mkRenamedOptionModule [ "services" "ipfs" "ipfsMountDir" ] [ "services" "kubo" "ipfsMountDir" ]) - (mkRenamedOptionModule [ "services" "ipfs" "ipnsMountDir" ] [ "services" "kubo" "ipnsMountDir" ]) + (mkRenamedOptionModule [ "services" "ipfs" "ipfsMountDir" ] [ "services" "kubo" "settings" "Mounts" "IPFS" ]) + (mkRenamedOptionModule [ "services" "ipfs" "ipnsMountDir" ] [ "services" "kubo" "settings" "Mounts" "IPNS" ]) (mkRenamedOptionModule [ "services" "ipfs" "gatewayAddress" ] [ "services" "kubo" "settings" "Addresses" "Gateway" ]) (mkRenamedOptionModule [ "services" "ipfs" "apiAddress" ] [ "services" "kubo" "settings" "Addresses" "API" ]) (mkRenamedOptionModule [ "services" "ipfs" "swarmAddress" ] [ "services" "kubo" "settings" "Addresses" "Swarm" ]) @@ -419,5 +419,7 @@ in (mkRenamedOptionModule [ "services" "kubo" "gatewayAddress" ] [ "services" "kubo" "settings" "Addresses" "Gateway" ]) (mkRenamedOptionModule [ "services" "kubo" "apiAddress" ] [ "services" "kubo" "settings" "Addresses" "API" ]) (mkRenamedOptionModule [ "services" "kubo" "swarmAddress" ] [ "services" "kubo" "settings" "Addresses" "Swarm" ]) + (mkRenamedOptionModule [ "services" "kubo" "ipfsMountDir" ] [ "services" "kubo" "settings" "Mounts" "IPFS" ]) + (mkRenamedOptionModule [ "services" "kubo" "ipnsMountDir" ] [ "services" "kubo" "settings" "Mounts" "IPNS" ]) ]; } diff --git a/nixos/modules/services/networking/firewall-iptables.nix b/nixos/modules/services/networking/firewall-iptables.nix index e900868387203..2d11517700086 100644 --- a/nixos/modules/services/networking/firewall-iptables.nix +++ b/nixos/modules/services/networking/firewall-iptables.nix @@ -308,8 +308,9 @@ in description = "Firewall"; wantedBy = [ "sysinit.target" ]; wants = [ "network-pre.target" ]; - before = [ "network-pre.target" ]; after = [ "systemd-modules-load.service" ]; + before = [ "network-pre.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; path = [ cfg.package ] ++ cfg.extraPackages; diff --git a/nixos/modules/services/networking/gns3-server.md b/nixos/modules/services/networking/gns3-server.md new file mode 100644 index 0000000000000..9320d914fbd3a --- /dev/null +++ b/nixos/modules/services/networking/gns3-server.md @@ -0,0 +1,31 @@ +# GNS3 Server {#module-services-gns3-server} + +[GNS3](https://www.gns3.com/), a network software emulator. + +## Basic Usage {#module-services-gns3-server-basic-usage} + +A minimal configuration looks like this: + +```nix +{ + services.gns3-server = { + enable = true; + + auth = { + enable = true; + user = "gns3"; + passwordFile = "/var/lib/secrets/gns3_password"; + }; + + ssl = { + enable = true; + certFile = "/var/lib/gns3/ssl/cert.pem"; + keyFile = "/var/lib/gns3/ssl/key.pem"; + }; + + dynamips.enable = true; + ubridge.enable = true; + vpcs.enable = true; + }; +} +``` diff --git a/nixos/modules/services/networking/gns3-server.nix b/nixos/modules/services/networking/gns3-server.nix new file mode 100644 index 0000000000000..25583765de672 --- /dev/null +++ b/nixos/modules/services/networking/gns3-server.nix @@ -0,0 +1,263 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.gns3-server; + + settingsFormat = pkgs.formats.ini { }; + configFile = settingsFormat.generate "gns3-server.conf" cfg.settings; + +in { + meta = { + doc = ./gns3-server.md; + maintainers = [ lib.maintainers.anthonyroussel ]; + }; + + options = { + services.gns3-server = { + enable = lib.mkEnableOption (lib.mdDoc "GNS3 Server daemon"); + + package = lib.mkPackageOptionMD pkgs "gns3-server" { }; + + auth = { + enable = lib.mkEnableOption (lib.mdDoc "password based HTTP authentication to access the GNS3 Server"); + + user = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + example = "gns3"; + description = lib.mdDoc ''Username used to access the GNS3 Server.''; + }; + + passwordFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/run/secrets/gns3-server-password"; + description = lib.mdDoc '' + A file containing the password to access the GNS3 Server. + + ::: {.warning} + This should be a string, not a nix path, since nix paths + are copied into the world-readable nix store. + ::: + ''; + }; + }; + + settings = lib.mkOption { + type = lib.types.submodule { freeformType = settingsFormat.type; }; + default = {}; + example = { host = "127.0.0.1"; port = 3080; }; + description = lib.mdDoc '' + The global options in `config` file in ini format. + + Refer to <https://docs.gns3.com/docs/using-gns3/administration/gns3-server-configuration-file/> + for all available options. + ''; + }; + + log = { + file = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = "/var/log/gns3/server.log"; + description = lib.mdDoc ''Path of the file GNS3 Server should log to.''; + }; + + debug = lib.mkEnableOption (lib.mdDoc "debug logging"); + }; + + ssl = { + enable = lib.mkEnableOption (lib.mdDoc "SSL encryption"); + + certFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/var/lib/gns3/ssl/server.pem"; + description = lib.mdDoc '' + Path to the SSL certificate file. This certificate will + be offered to, and may be verified by, clients. + ''; + }; + + keyFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/var/lib/gns3/ssl/server.key"; + description = lib.mdDoc "Private key file for the certificate."; + }; + }; + + dynamips = { + enable = lib.mkEnableOption (lib.mdDoc ''Whether to enable Dynamips support.''); + package = lib.mkPackageOptionMD pkgs "dynamips" { }; + }; + + ubridge = { + enable = lib.mkEnableOption (lib.mdDoc ''Whether to enable uBridge support.''); + package = lib.mkPackageOptionMD pkgs "ubridge" { }; + }; + + vpcs = { + enable = lib.mkEnableOption (lib.mdDoc ''Whether to enable VPCS support.''); + package = lib.mkPackageOptionMD pkgs "vpcs" { }; + }; + }; + }; + + config = let + flags = { + enableDocker = config.virtualisation.docker.enable; + enableLibvirtd = config.virtualisation.libvirtd.enable; + }; + + in lib.mkIf cfg.enable { + assertions = [ + { + assertion = cfg.ssl.enable -> cfg.ssl.certFile != null; + message = "Please provide a certificate to use for SSL encryption."; + } + { + assertion = cfg.ssl.enable -> cfg.ssl.keyFile != null; + message = "Please provide a private key to use for SSL encryption."; + } + { + assertion = cfg.auth.enable -> cfg.auth.user != null; + message = "Please provide a username to use for HTTP authentication."; + } + { + assertion = cfg.auth.enable -> cfg.auth.passwordFile != null; + message = "Please provide a password file to use for HTTP authentication."; + } + ]; + + users.groups.ubridge = lib.mkIf cfg.ubridge.enable { }; + + security.wrappers.ubridge = lib.mkIf cfg.ubridge.enable { + capabilities = "cap_net_raw,cap_net_admin=eip"; + group = "ubridge"; + owner = "root"; + permissions = "u=rwx,g=rx,o=r"; + source = lib.getExe cfg.ubridge.package; + }; + + services.gns3-server.settings = lib.mkMerge [ + { + Server = { + appliances_path = lib.mkDefault "/var/lib/gns3/appliances"; + configs_path = lib.mkDefault "/var/lib/gns3/configs"; + images_path = lib.mkDefault "/var/lib/gns3/images"; + projects_path = lib.mkDefault "/var/lib/gns3/projects"; + symbols_path = lib.mkDefault "/var/lib/gns3/symbols"; + }; + } + (lib.mkIf (cfg.ubridge.enable) { + Server.ubridge_path = lib.mkDefault (lib.getExe cfg.ubridge.package); + }) + (lib.mkIf (cfg.auth.enable) { + Server = { + auth = lib.mkDefault (lib.boolToString cfg.auth.enable); + user = lib.mkDefault cfg.auth.user; + password = lib.mkDefault "@AUTH_PASSWORD@"; + }; + }) + (lib.mkIf (cfg.vpcs.enable) { + VPCS.vpcs_path = lib.mkDefault (lib.getExe cfg.vpcs.package); + }) + (lib.mkIf (cfg.dynamips.enable) { + Dynamips.dynamips_path = lib.mkDefault (lib.getExe cfg.dynamips.package); + }) + ]; + + systemd.services.gns3-server = let + commandArgs = lib.cli.toGNUCommandLineShell { } { + config = "/etc/gns3/gns3_server.conf"; + pid = "/run/gns3/server.pid"; + log = cfg.log.file; + ssl = cfg.ssl.enable; + # These are implicitly not set if `null` + certfile = cfg.ssl.certFile; + certkey = cfg.ssl.keyFile; + }; + in + { + description = "GNS3 Server"; + + after = [ "network.target" "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + + # configFile cannot be stored in RuntimeDirectory, because GNS3 + # uses the `--config` base path to stores supplementary configuration files at runtime. + # + preStart = '' + install -m660 ${configFile} /etc/gns3/gns3_server.conf + + ${lib.optionalString cfg.auth.enable '' + ${pkgs.replace-secret}/bin/replace-secret \ + '@AUTH_PASSWORD@' \ + "''${CREDENTIALS_DIRECTORY}/AUTH_PASSWORD" \ + /etc/gns3/gns3_server.conf + ''} + ''; + + path = lib.optional flags.enableLibvirtd pkgs.qemu; + + reloadTriggers = [ configFile ]; + + serviceConfig = { + ConfigurationDirectory = "gns3"; + ConfigurationDirectoryMode = "0750"; + DynamicUser = true; + Environment = "HOME=%S/gns3"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + ExecStart = "${lib.getExe cfg.package} ${commandArgs}"; + Group = "gns3"; + LimitNOFILE = 16384; + LoadCredential = lib.mkIf cfg.auth.enable [ "AUTH_PASSWORD:${cfg.auth.passwordFile}" ]; + LogsDirectory = "gns3"; + LogsDirectoryMode = "0750"; + PIDFile = "/run/gns3/server.pid"; + Restart = "on-failure"; + RestartSec = 5; + RuntimeDirectory = "gns3"; + StateDirectory = "gns3"; + StateDirectoryMode = "0750"; + SupplementaryGroups = lib.optional flags.enableDocker "docker" + ++ lib.optional flags.enableLibvirtd "libvirtd" + ++ lib.optional cfg.ubridge.enable "ubridge"; + User = "gns3"; + WorkingDirectory = "%S/gns3"; + + # Hardening + DeviceAllow = lib.optional flags.enableLibvirtd "/dev/kvm"; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateTmp = true; + PrivateUsers = true; + # Don't restrict ProcSubset because python3Packages.psutil requires read access to /proc/stat + # ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + "AF_UNIX" + "AF_PACKET" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + UMask = "0077"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/harmonia.nix b/nixos/modules/services/networking/harmonia.nix index d0f4a8a6e6333..b384ac9261376 100644 --- a/nixos/modules/services/networking/harmonia.nix +++ b/nixos/modules/services/networking/harmonia.nix @@ -55,6 +55,7 @@ in ExecStart = lib.getExe cfg.package; User = "harmonia"; Group = "harmonia"; + Restart = "on-failure"; PrivateUsers = true; DeviceAllow = [ "" ]; UMask = "0066"; diff --git a/nixos/modules/services/networking/jigasi.nix b/nixos/modules/services/networking/jigasi.nix index 8d2d25c6edfc6..e701689031b14 100644 --- a/nixos/modules/services/networking/jigasi.nix +++ b/nixos/modules/services/networking/jigasi.nix @@ -96,7 +96,7 @@ in config = mkOption { type = attrsOf str; default = { }; - example = literalExample '' + example = literalExpression '' { "org.jitsi.jigasi.auth.URL" = "XMPP:jitsi-meet.example.com"; } diff --git a/nixos/modules/services/networking/kea.nix b/nixos/modules/services/networking/kea.nix index 2f922a026a3a9..5ca705976c413 100644 --- a/nixos/modules/services/networking/kea.nix +++ b/nixos/modules/services/networking/kea.nix @@ -254,6 +254,8 @@ in DynamicUser = true; User = "kea"; ConfigurationDirectory = "kea"; + RuntimeDirectory = "kea"; + RuntimeDirectoryPreserve = true; StateDirectory = "kea"; UMask = "0077"; }; @@ -288,8 +290,8 @@ in ]; environment = { - KEA_PIDFILE_DIR = "/run/kea-ctrl-agent"; - KEA_LOCKFILE_DIR = "/run/kea-ctrl-agent"; + KEA_PIDFILE_DIR = "/run/kea"; + KEA_LOCKFILE_DIR = "/run/kea"; }; restartTriggers = [ @@ -300,7 +302,6 @@ in ExecStart = "${package}/bin/kea-ctrl-agent -c /etc/kea/ctrl-agent.conf ${lib.escapeShellArgs cfg.ctrl-agent.extraArgs}"; KillMode = "process"; Restart = "on-failure"; - RuntimeDirectory = "kea-ctrl-agent"; } // commonServiceConfig; }; }) @@ -329,8 +330,8 @@ in ]; environment = { - KEA_PIDFILE_DIR = "/run/kea-dhcp4"; - KEA_LOCKFILE_DIR = "/run/kea-dhcp4"; + KEA_PIDFILE_DIR = "/run/kea"; + KEA_LOCKFILE_DIR = "/run/kea"; }; restartTriggers = [ @@ -348,7 +349,6 @@ in "CAP_NET_BIND_SERVICE" "CAP_NET_RAW" ]; - RuntimeDirectory = "kea-dhcp4"; } // commonServiceConfig; }; }) @@ -377,8 +377,8 @@ in ]; environment = { - KEA_PIDFILE_DIR = "/run/kea-dhcp6"; - KEA_LOCKFILE_DIR = "/run/kea-dhcp6"; + KEA_PIDFILE_DIR = "/run/kea"; + KEA_LOCKFILE_DIR = "/run/kea"; }; restartTriggers = [ @@ -394,7 +394,6 @@ in CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; - RuntimeDirectory = "kea-dhcp6"; } // commonServiceConfig; }; }) @@ -423,8 +422,8 @@ in ]; environment = { - KEA_PIDFILE_DIR = "/run/kea-dhcp-ddns"; - KEA_LOCKFILE_DIR = "/run/kea-dhcp-ddns"; + KEA_PIDFILE_DIR = "/run/kea"; + KEA_LOCKFILE_DIR = "/run/kea"; }; restartTriggers = [ @@ -439,7 +438,6 @@ in CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; - RuntimeDirectory = "kea-dhcp-ddns"; } // commonServiceConfig; }; }) diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix index b9ebbfbd9a297..e13876172dac6 100644 --- a/nixos/modules/services/networking/nebula.nix +++ b/nixos/modules/services/networking/nebula.nix @@ -196,7 +196,7 @@ in before = [ "sshd.service" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { - Type = "simple"; + Type = "notify"; Restart = "always"; ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}"; UMask = "0027"; diff --git a/nixos/modules/services/networking/quicktun.nix b/nixos/modules/services/networking/quicktun.nix index 7aed972adc882..2d44659f20804 100644 --- a/nixos/modules/services/networking/quicktun.nix +++ b/nixos/modules/services/networking/quicktun.nix @@ -1,94 +1,153 @@ -{ config, pkgs, lib, ... }: +{ options, config, pkgs, lib, ... }: let + inherit (lib) mkOption mdDoc types mkIf; + opt = options.services.quicktun; cfg = config.services.quicktun; - in - -with lib; - { options = { - services.quicktun = mkOption { default = { }; - description = lib.mdDoc "QuickTun tunnels"; - type = types.attrsOf (types.submodule { + description = mdDoc '' + QuickTun tunnels. + + See <http://wiki.ucis.nl/QuickTun> for more information about available options. + ''; + type = types.attrsOf (types.submodule ({ name, ... }: let + qtcfg = cfg.${name}; + in { options = { tunMode = mkOption { - type = types.int; - default = 0; - example = 1; - description = lib.mdDoc ""; + type = with types; coercedTo bool (b: if b then 1 else 0) (ints.between 0 1); + default = false; + example = true; + description = mdDoc "Whether to operate in tun (IP) or tap (Ethernet) mode."; }; remoteAddress = mkOption { type = types.str; + default = "0.0.0.0"; example = "tunnel.example.com"; - description = lib.mdDoc ""; + description = mdDoc '' + IP address or hostname of the remote end (use `0.0.0.0` for a floating/dynamic remote endpoint). + ''; }; localAddress = mkOption { - type = types.str; + type = with types; nullOr str; + default = null; example = "0.0.0.0"; - description = lib.mdDoc ""; + description = mdDoc "IP address or hostname of the local end."; }; localPort = mkOption { - type = types.int; + type = types.port; default = 2998; - description = lib.mdDoc ""; + description = mdDoc "Local UDP port."; }; remotePort = mkOption { - type = types.int; - default = 2998; - description = lib.mdDoc ""; + type = types.port; + default = qtcfg.localPort; + defaultText = lib.literalExpression "config.services.quicktun.<name>.localPort"; + description = mdDoc " remote UDP port"; }; remoteFloat = mkOption { - type = types.int; - default = 0; - description = lib.mdDoc ""; + type = with types; coercedTo bool (b: if b then 1 else 0) (ints.between 0 1); + default = false; + example = true; + description = mdDoc '' + Whether to allow the remote address and port to change when properly encrypted packets are received. + ''; }; protocol = mkOption { - type = types.str; + type = types.enum [ "raw" "nacl0" "nacltai" "salty" ]; default = "nacltai"; - description = lib.mdDoc ""; + description = mdDoc "Which protocol to use."; }; privateKey = mkOption { - type = types.str; - description = lib.mdDoc ""; + type = with types; nullOr str; + default = null; + description = mdDoc '' + Local secret key in hexadecimal form. + + ::: {.warning} + This option is deprecated. Please use {var}`services.quicktun.<name>.privateKeyFile` instead. + ::: + + ::: {.note} + Not needed when {var}`services.quicktun.<name>.protocol` is set to `raw`. + ::: + ''; + }; + + privateKeyFile = mkOption { + type = with types; nullOr path; + # This is a hack to deprecate `privateKey` without using `mkChangedModuleOption` + default = if qtcfg.privateKey == null then null else pkgs.writeText "quickttun-key-${name}" qtcfg.privateKey; + defaultText = "null"; + description = mdDoc '' + Path to file containing local secret key in binary or hexadecimal form. + + ::: {.note} + Not needed when {var}`services.quicktun.<name>.protocol` is set to `raw`. + ::: + ''; }; publicKey = mkOption { - type = types.str; - description = lib.mdDoc ""; + type = with types; nullOr str; + default = null; + description = mdDoc '' + Remote public key in hexadecimal form. + + ::: {.note} + Not needed when {var}`services.quicktun.<name>.protocol` is set to `raw`. + ::: + ''; }; timeWindow = mkOption { - type = types.int; + type = types.ints.unsigned; default = 5; - description = lib.mdDoc ""; + description = mdDoc '' + Allowed time window for first received packet in seconds (positive number allows packets from history) + ''; }; upScript = mkOption { - type = types.lines; - default = ""; - description = lib.mdDoc ""; + type = with types; nullOr lines; + default = null; + description = mdDoc '' + Run specified command or script after the tunnel device has been opened. + ''; }; }; - }); + })); }; - }; - config = mkIf (cfg != []) { - systemd.services = foldr (a: b: a // b) {} ( - mapAttrsToList (name: qtcfg: { + config = { + warnings = lib.pipe cfg [ + (lib.mapAttrsToList (name: value: if value.privateKey != null then name else null)) + (builtins.filter (n: n != null)) + (map (n: " - services.quicktun.${n}.privateKey")) + (services: lib.optional (services != [ ]) '' + `services.quicktun.<name>.privateKey` is deprecated. + Please use `services.quicktun.<name>.privateKeyFile` instead. + + Offending options: + ${lib.concatStringsSep "\n" services} + '') + ]; + + systemd.services = lib.mkMerge ( + lib.mapAttrsToList (name: qtcfg: { "quicktun-${name}" = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; @@ -96,14 +155,14 @@ with lib; INTERFACE = name; TUN_MODE = toString qtcfg.tunMode; REMOTE_ADDRESS = qtcfg.remoteAddress; - LOCAL_ADDRESS = qtcfg.localAddress; + LOCAL_ADDRESS = mkIf (qtcfg.localAddress != null) (qtcfg.localAddress); LOCAL_PORT = toString qtcfg.localPort; REMOTE_PORT = toString qtcfg.remotePort; REMOTE_FLOAT = toString qtcfg.remoteFloat; - PRIVATE_KEY = qtcfg.privateKey; - PUBLIC_KEY = qtcfg.publicKey; + PRIVATE_KEY_FILE = mkIf (qtcfg.privateKeyFile != null) qtcfg.privateKeyFile; + PUBLIC_KEY = mkIf (qtcfg.publicKey != null) qtcfg.publicKey; TIME_WINDOW = toString qtcfg.timeWindow; - TUN_UP_SCRIPT = pkgs.writeScript "quicktun-${name}-up.sh" qtcfg.upScript; + TUN_UP_SCRIPT = mkIf (qtcfg.upScript != null) (pkgs.writeScript "quicktun-${name}-up.sh" qtcfg.upScript); SUID = "nobody"; }; serviceConfig = { @@ -114,5 +173,4 @@ with lib; }) cfg ); }; - } diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix index 99d4d9eeffcc6..e0425792431e6 100644 --- a/nixos/modules/services/networking/syncthing.nix +++ b/nixos/modules/services/networking/syncthing.nix @@ -559,6 +559,15 @@ in { ''; }; + databaseDir = mkOption { + type = types.path; + description = lib.mdDoc '' + The directory containing the database and logs. + ''; + default = cfg.configDir; + defaultText = literalExpression "config.${opt.configDir}"; + }; + extraFlags = mkOption { type = types.listOf types.str; default = []; @@ -660,7 +669,7 @@ in { -no-browser \ -gui-address=${if isUnixGui then "unix://" else ""}${cfg.guiAddress} \ -config=${cfg.configDir} \ - -data=${cfg.dataDir} \ + -data=${cfg.databaseDir} \ ${escapeShellArgs cfg.extraFlags} ''; MemoryDenyWriteExecute = true; diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix index 3822df81063d9..1070e4e252967 100644 --- a/nixos/modules/services/networking/tailscale.nix +++ b/nixos/modules/services/networking/tailscale.nix @@ -100,8 +100,8 @@ in { }; systemd.services.tailscaled-autoconnect = mkIf (cfg.authKeyFile != null) { - after = ["tailscale.service"]; - wants = ["tailscale.service"]; + after = ["tailscaled.service"]; + wants = ["tailscaled.service"]; wantedBy = [ "multi-user.target" ]; serviceConfig = { Type = "oneshot"; diff --git a/nixos/modules/services/networking/tinyproxy.nix b/nixos/modules/services/networking/tinyproxy.nix index 42d45c460c2e7..8ff12b52f10ca 100644 --- a/nixos/modules/services/networking/tinyproxy.nix +++ b/nixos/modules/services/networking/tinyproxy.nix @@ -85,7 +85,7 @@ in User = "tinyproxy"; Group = "tinyproxy"; Type = "simple"; - ExecStart = "${getExe pkgs.tinyproxy} -d -c ${configFile}"; + ExecStart = "${getExe cfg.package} -d -c ${configFile}"; ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID"; KillSignal = "SIGINT"; TimeoutStopSec = "30s"; diff --git a/nixos/modules/services/networking/vdirsyncer.nix b/nixos/modules/services/networking/vdirsyncer.nix index 6a069943434da..165dc70f0876a 100644 --- a/nixos/modules/services/networking/vdirsyncer.nix +++ b/nixos/modules/services/networking/vdirsyncer.nix @@ -20,9 +20,11 @@ let else pkgs.writeText "vdirsyncer-${name}.conf" (toIniJson ( { - general = cfg'.config.general // (lib.optionalAttrs (cfg'.config.statusPath == null) { - status_path = "/var/lib/vdirsyncer/${name}"; - }); + general = cfg'.config.general // { + status_path = if cfg'.config.statusPath == null + then "/var/lib/vdirsyncer/${name}" + else cfg'.config.statusPath; + }; } // ( mapAttrs' (name: nameValuePair "pair ${name}") cfg'.config.pairs ) // ( diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index 90d9c68433cf4..4586550ed75e7 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -107,6 +107,10 @@ let stopIfChanged = false; path = [ package ]; + # if `userControl.enable`, the supplicant automatically changes the permissions + # and owning group of the runtime dir; setting `umask` ensures the generated + # config file isn't readable (except to root); see nixpkgs#267693 + serviceConfig.UMask = "066"; serviceConfig.RuntimeDirectory = "wpa_supplicant"; serviceConfig.RuntimeDirectoryMode = "700"; serviceConfig.EnvironmentFile = mkIf (cfg.environmentFile != null) diff --git a/nixos/modules/services/networking/yggdrasil.nix b/nixos/modules/services/networking/yggdrasil.nix index 514753687d699..9173e7eb3457b 100644 --- a/nixos/modules/services/networking/yggdrasil.nix +++ b/nixos/modules/services/networking/yggdrasil.nix @@ -137,16 +137,24 @@ in message = "networking.enableIPv6 must be true for yggdrasil to work"; }]; - system.activationScripts.yggdrasil = mkIf cfg.persistentKeys '' - if [ ! -e ${keysPath} ] - then - mkdir --mode=700 -p ${builtins.dirOf keysPath} - ${binYggdrasil} -genconf -json \ - | ${pkgs.jq}/bin/jq \ - 'to_entries|map(select(.key|endswith("Key")))|from_entries' \ - > ${keysPath} - fi - ''; + # This needs to be a separate service. The yggdrasil service fails if + # this is put into its preStart. + systemd.services.yggdrasil-persistent-keys = lib.mkIf cfg.persistentKeys { + wantedBy = [ "multi-user.target" ]; + before = [ "yggdrasil.service" ]; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + script = '' + if [ ! -e ${keysPath} ] + then + mkdir --mode=700 -p ${builtins.dirOf keysPath} + ${binYggdrasil} -genconf -json \ + | ${pkgs.jq}/bin/jq \ + 'to_entries|map(select(.key|endswith("Key")))|from_entries' \ + > ${keysPath} + fi + ''; + }; systemd.services.yggdrasil = { description = "Yggdrasil Network Service"; diff --git a/nixos/modules/services/networking/zerotierone.nix b/nixos/modules/services/networking/zerotierone.nix index 994e01d4980ea..60615d553041b 100644 --- a/nixos/modules/services/networking/zerotierone.nix +++ b/nixos/modules/services/networking/zerotierone.nix @@ -4,6 +4,8 @@ with lib; let cfg = config.services.zerotierone; + localConfFile = pkgs.writeText "zt-local.conf" (builtins.toJSON cfg.localConf); + localConfFilePath = "/var/lib/zerotier-one/local.conf"; in { options.services.zerotierone.enable = mkEnableOption (lib.mdDoc "ZeroTierOne"); @@ -29,6 +31,19 @@ in options.services.zerotierone.package = mkPackageOption pkgs "zerotierone" { }; + options.services.zerotierone.localConf = mkOption { + default = null; + description = mdDoc '' + Optional configuration to be written to the Zerotier JSON-based local.conf. + If set, the configuration will be symlinked to `/var/lib/zerotier-one/local.conf` at build time. + To understand the configuration format, refer to https://docs.zerotier.com/config/#local-configuration-options. + ''; + example = { + settings.allowTcpFallbackRelay = false; + }; + type = types.nullOr types.attrs; + }; + config = mkIf cfg.enable { systemd.services.zerotierone = { description = "ZeroTierOne"; @@ -45,7 +60,17 @@ in chown -R root:root /var/lib/zerotier-one '' + (concatMapStrings (netId: '' touch "/var/lib/zerotier-one/networks.d/${netId}.conf" - '') cfg.joinNetworks); + '') cfg.joinNetworks) + optionalString (cfg.localConf != null) '' + if [ -L "${localConfFilePath}" ] + then + rm ${localConfFilePath} + elif [ -f "${localConfFilePath}" ] + then + mv ${localConfFilePath} ${localConfFilePath}.bak + fi + ln -s ${localConfFile} ${localConfFilePath} + ''; + serviceConfig = { ExecStart = "${cfg.package}/bin/zerotier-one -p${toString cfg.port}"; Restart = "always"; diff --git a/nixos/modules/services/security/munge.nix b/nixos/modules/services/security/munge.nix index 4d6fe33f697b8..9d306c205f946 100644 --- a/nixos/modules/services/security/munge.nix +++ b/nixos/modules/services/security/munge.nix @@ -45,19 +45,25 @@ in systemd.services.munged = { wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; + wants = [ + "network-online.target" + "time-sync.target" + ]; + after = [ + "network-online.target" + "time-sync.target" + ]; path = [ pkgs.munge pkgs.coreutils ]; serviceConfig = { ExecStartPre = "+${pkgs.coreutils}/bin/chmod 0400 ${cfg.password}"; - ExecStart = "${pkgs.munge}/bin/munged --syslog --key-file ${cfg.password}"; - PIDFile = "/run/munge/munged.pid"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + ExecStart = "${pkgs.munge}/bin/munged --foreground --key-file ${cfg.password}"; User = "munge"; Group = "munge"; StateDirectory = "munge"; StateDirectoryMode = "0711"; + Restart = "on-failure"; RuntimeDirectory = "munge"; }; diff --git a/nixos/modules/services/security/shibboleth-sp.nix b/nixos/modules/services/security/shibboleth-sp.nix index e7897c3324cf6..975de1efa2f2a 100644 --- a/nixos/modules/services/security/shibboleth-sp.nix +++ b/nixos/modules/services/security/shibboleth-sp.nix @@ -1,44 +1,43 @@ -{pkgs, config, lib, ...}: +{ config, lib, pkgs, ... }: -with lib; let cfg = config.services.shibboleth-sp; in { options = { services.shibboleth-sp = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = lib.mdDoc "Whether to enable the shibboleth service"; }; - configFile = mkOption { - type = types.path; - example = literalExpression ''"''${pkgs.shibboleth-sp}/etc/shibboleth/shibboleth2.xml"''; + configFile = lib.mkOption { + type = lib.types.path; + example = lib.literalExpression ''"''${pkgs.shibboleth-sp}/etc/shibboleth/shibboleth2.xml"''; description = lib.mdDoc "Path to shibboleth config file"; }; - fastcgi.enable = mkOption { - type = types.bool; + fastcgi.enable = lib.mkOption { + type = lib.types.bool; default = false; description = lib.mdDoc "Whether to include the shibauthorizer and shibresponder FastCGI processes"; }; - fastcgi.shibAuthorizerPort = mkOption { - type = types.int; + fastcgi.shibAuthorizerPort = lib.mkOption { + type = lib.types.int; default = 9100; description = lib.mdDoc "Port for shibauthorizer FastCGI process to bind to"; }; - fastcgi.shibResponderPort = mkOption { - type = types.int; + fastcgi.shibResponderPort = lib.mkOption { + type = lib.types.int; default = 9101; description = lib.mdDoc "Port for shibauthorizer FastCGI process to bind to"; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.services.shibboleth-sp = { description = "Provides SSO and federation for web applications"; after = lib.optionals cfg.fastcgi.enable [ "shibresponder.service" "shibauthorizer.service" ]; @@ -48,7 +47,7 @@ in { }; }; - systemd.services.shibresponder = mkIf cfg.fastcgi.enable { + systemd.services.shibresponder = lib.mkIf cfg.fastcgi.enable { description = "Provides SSO through Shibboleth via FastCGI"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; @@ -59,7 +58,7 @@ in { }; }; - systemd.services.shibauthorizer = mkIf cfg.fastcgi.enable { + systemd.services.shibauthorizer = lib.mkIf cfg.fastcgi.enable { description = "Provides SSO through Shibboleth via FastCGI"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; @@ -71,5 +70,5 @@ in { }; }; - meta.maintainers = with lib.maintainers; [ jammerful ]; + meta.maintainers = with lib.maintainers; [ ]; } diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index 4ff941251c99b..dea20dec1ab47 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -854,7 +854,7 @@ in BridgeRelay = true; ExtORPort.port = mkDefault "auto"; ServerTransportPlugin.transports = mkDefault ["obfs4"]; - ServerTransportPlugin.exec = mkDefault "${pkgs.obfs4}/bin/obfs4proxy managed"; + ServerTransportPlugin.exec = mkDefault "${lib.getExe pkgs.obfs4} managed"; } // optionalAttrs (cfg.relay.role == "private-bridge") { ExtraInfoStatistics = false; PublishServerDescriptor = false; diff --git a/nixos/modules/services/system/cachix-watch-store.nix b/nixos/modules/services/system/cachix-watch-store.nix index 992a59cbc075b..8aa5f0358fa97 100644 --- a/nixos/modules/services/system/cachix-watch-store.nix +++ b/nixos/modules/services/system/cachix-watch-store.nix @@ -23,6 +23,14 @@ in ''; }; + signingKeyFile = mkOption { + type = types.nullOr types.path; + description = lib.mdDoc '' + Optional file containing a self-managed signing key to sign uploaded store paths. + ''; + default = null; + }; + compressionLevel = mkOption { type = types.nullOr types.int; description = lib.mdDoc "The compression level for ZSTD compression (between 0 and 16)"; @@ -69,7 +77,8 @@ in DynamicUser = true; LoadCredential = [ "cachix-token:${toString cfg.cachixTokenFile}" - ]; + ] + ++ lib.optional (cfg.signingKeyFile != null) "signing-key:${toString cfg.signingKeyFile}"; }; script = let @@ -80,6 +89,7 @@ in in '' export CACHIX_AUTH_TOKEN="$(<"$CREDENTIALS_DIRECTORY/cachix-token")" + ${lib.optionalString (cfg.signingKeyFile != null) ''export CACHIX_SIGNING_KEY="$(<"$CREDENTIALS_DIRECTORY/signing-key")"''} ${lib.escapeShellArgs command} ''; }; diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix index 8d5b25e617625..b47ebc92f93a8 100644 --- a/nixos/modules/services/system/dbus.nix +++ b/nixos/modules/services/system/dbus.nix @@ -184,6 +184,11 @@ in aliases = [ "dbus.service" ]; + unitConfig = { + # We get errors when reloading the dbus-broker service + # if /tmp got remounted after this service started + RequiresMountsFor = [ "/tmp" ]; + }; # Don't restart dbus. Bad things tend to happen if we do. reloadIfChanged = true; restartTriggers = [ diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index 88537f8c4f7b6..497297ba693a3 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -251,6 +251,20 @@ in For instance, SSH sessions may time out more easily. ''; }; + + webHome = mkOption { + type = types.nullOr types.path; + default = null; + example = "pkgs.flood-for-transmission"; + description = lib.mdDoc '' + If not `null`, sets the value of the `TRANSMISSION_WEB_HOME` + environment variable used by the service. Useful for overriding + the web interface files, without overriding the transmission + package and thus requiring rebuilding it locally. Use this if + you want to use an alternative web interface, such as + `pkgs.flood-for-transmission`. + ''; + }; }; }; @@ -280,6 +294,7 @@ in requires = optional apparmor.enable "apparmor.service"; wantedBy = [ "multi-user.target" ]; environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source; + environment.TRANSMISSION_WEB_HOME = lib.optionalString (cfg.webHome != null) cfg.webHome; serviceConfig = { # Use "+" because credentialsFile may not be accessible to User= or Group=. @@ -314,6 +329,9 @@ in BindPaths = [ "${cfg.home}/${settingsDir}" cfg.settings.download-dir + # Transmission may need to read in the host's /run (eg. /run/systemd/resolve) + # or write in its private /run (eg. /run/host). + "/run" ] ++ optional cfg.settings.incomplete-dir-enabled cfg.settings.incomplete-dir ++ @@ -324,7 +342,6 @@ in # an AppArmor profile is provided to get a confinement based upon paths and rights. builtins.storeDir "/etc" - "/run" ] ++ optional (cfg.settings.script-torrent-done-enabled && cfg.settings.script-torrent-done-filename != null) @@ -349,10 +366,10 @@ in MemoryDenyWriteExecute = true; NoNewPrivileges = true; PrivateDevices = true; - PrivateMounts = true; + PrivateMounts = mkDefault true; PrivateNetwork = mkDefault false; PrivateTmp = true; - PrivateUsers = true; + PrivateUsers = mkDefault true; ProtectClock = true; ProtectControlGroups = true; # ProtectHome=true would not allow BindPaths= to work across /home, @@ -434,7 +451,7 @@ in # at least up to the values hardcoded here: (mkIf cfg.settings.utp-enabled { "net.core.rmem_max" = mkDefault 4194304; # 4MB - "net.core.wmem_max" = mkDefault "1048576"; # 1MB + "net.core.wmem_max" = mkDefault 1048576; # 1MB }) (mkIf cfg.performanceNetParameters { # Increase the number of available source (local) TCP and UDP ports to 49151. @@ -490,6 +507,10 @@ in # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs px ${cfg.settings.script-torrent-done-filename} -> &@{dirs}, ''} + + ${optionalString (cfg.webHome != null) '' + r ${cfg.webHome}/**, + ''} ''; }; diff --git a/nixos/modules/services/video/frigate.nix b/nixos/modules/services/video/frigate.nix index 146e968780c38..b7945282ba09b 100644 --- a/nixos/modules/services/video/frigate.nix +++ b/nixos/modules/services/video/frigate.nix @@ -353,6 +353,7 @@ in ]; serviceConfig = { ExecStart = "${cfg.package.python.interpreter} -m frigate"; + Restart = "on-failure"; User = "frigate"; Group = "frigate"; diff --git a/nixos/modules/services/web-apps/code-server.nix b/nixos/modules/services/web-apps/code-server.nix new file mode 100644 index 0000000000000..11601f6c30449 --- /dev/null +++ b/nixos/modules/services/web-apps/code-server.nix @@ -0,0 +1,259 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.code-server; + defaultUser = "code-server"; + defaultGroup = defaultUser; +in { + options = { + services.code-server = { + enable = lib.mkEnableOption (lib.mdDoc "code-server"); + + package = lib.mkPackageOptionMD pkgs "code-server" { + example = '' + pkgs.vscode-with-extensions.override { + vscode = pkgs.code-server; + vscodeExtensions = with pkgs.vscode-extensions; [ + bbenoist.nix + dracula-theme.theme-dracula + ]; + } + ''; + }; + + extraPackages = lib.mkOption { + default = [ ]; + description = lib.mdDoc '' + Additional packages to add to the code-server {env}`PATH`. + ''; + example = lib.literalExpression "[ pkgs.go ]"; + type = lib.types.listOf lib.types.package; + }; + + extraEnvironment = lib.mkOption { + type = lib.types.attrsOf lib.types.str; + description = lib.mdDoc '' + Additional environment variables to pass to code-server. + ''; + default = { }; + example = { PKG_CONFIG_PATH = "/run/current-system/sw/lib/pkgconfig"; }; + }; + + extraArguments = lib.mkOption { + default = [ ]; + description = lib.mdDoc '' + Additional arguments to pass to code-server. + ''; + example = lib.literalExpression ''[ "--log=info" ]''; + type = lib.types.listOf lib.types.str; + }; + + host = lib.mkOption { + default = "localhost"; + description = lib.mdDoc '' + The host name or IP address the server should listen to. + ''; + type = lib.types.str; + }; + + port = lib.mkOption { + default = 4444; + description = lib.mdDoc '' + The port the server should listen to. + ''; + type = lib.types.port; + }; + + auth = lib.mkOption { + default = "password"; + description = lib.mdDoc '' + The type of authentication to use. + ''; + type = lib.types.enum [ "none" "password" ]; + }; + + hashedPassword = lib.mkOption { + default = ""; + description = lib.mdDoc '' + Create the password with: `echo -n 'thisismypassword' | npx argon2-cli -e`. + ''; + type = lib.types.str; + }; + + user = lib.mkOption { + default = defaultUser; + example = "yourUser"; + description = lib.mdDoc '' + The user to run code-server as. + By default, a user named `${defaultUser}` will be created. + ''; + type = lib.types.str; + }; + + group = lib.mkOption { + default = defaultGroup; + example = "yourGroup"; + description = lib.mdDoc '' + The group to run code-server under. + By default, a group named `${defaultGroup}` will be created. + ''; + type = lib.types.str; + }; + + extraGroups = lib.mkOption { + default = [ ]; + description = lib.mdDoc '' + An array of additional groups for the `${defaultUser}` user. + ''; + example = [ "docker" ]; + type = lib.types.listOf lib.types.str; + }; + + socket = lib.mkOption { + default = null; + example = "/run/code-server/socket"; + description = lib.mdDoc '' + Path to a socket (bind-addr will be ignored). + ''; + type = lib.types.nullOr lib.types.str; + }; + + socketMode = lib.mkOption { + default = null; + description = lib.mdDoc '' + File mode of the socket. + ''; + type = lib.types.nullOr lib.types.str; + }; + + userDataDir = lib.mkOption { + default = null; + description = lib.mdDoc '' + Path to the user data directory. + ''; + type = lib.types.nullOr lib.types.str; + }; + + extensionsDir = lib.mkOption { + default = null; + description = lib.mdDoc '' + Path to the extensions directory. + ''; + type = lib.types.nullOr lib.types.str; + }; + + proxyDomain = lib.mkOption { + default = null; + example = "code-server.lan"; + description = lib.mdDoc '' + Domain used for proxying ports. + ''; + type = lib.types.nullOr lib.types.str; + }; + + disableTelemetry = lib.mkOption { + default = false; + example = true; + description = lib.mdDoc '' + Disable telemetry. + ''; + type = lib.types.bool; + }; + + disableUpdateCheck = lib.mkOption { + default = false; + example = true; + description = lib.mdDoc '' + Disable update check. + Without this flag, code-server checks every 6 hours against the latest github release and + then notifies you once every week that a new release is available. + ''; + type = lib.types.bool; + }; + + disableFileDownloads = lib.mkOption { + default = false; + example = true; + description = lib.mdDoc '' + Disable file downloads from Code. + ''; + type = lib.types.bool; + }; + + disableWorkspaceTrust = lib.mkOption { + default = false; + example = true; + description = lib.mdDoc '' + Disable Workspace Trust feature. + ''; + type = lib.types.bool; + }; + + disableGettingStartedOverride = lib.mkOption { + default = false; + example = true; + description = lib.mdDoc '' + Disable the coder/coder override in the Help: Getting Started page. + ''; + type = lib.types.bool; + }; + + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.code-server = { + description = "Code server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + path = cfg.extraPackages; + environment = { + HASHED_PASSWORD = cfg.hashedPassword; + } // cfg.extraEnvironment; + serviceConfig = { + ExecStart = '' + ${lib.getExe cfg.package} \ + --auth=${cfg.auth} \ + --bind-addr=${cfg.host}:${toString cfg.port} \ + '' + lib.optionalString (cfg.socket != null) '' + --socket=${cfg.socket} \ + '' + lib.optionalString (cfg.userDataDir != null) '' + --user-data-dir=${cfg.userDataDir} \ + '' + lib.optionalString (cfg.extensionsDir != null) '' + --extensions-dir=${cfg.extensionsDir} \ + '' + lib.optionalString (cfg.disableTelemetry == true) '' + --disable-telemetry \ + '' + lib.optionalString (cfg.disableUpdateCheck == true) '' + --disable-update-check \ + '' + lib.optionalString (cfg.disableFileDownloads == true) '' + --disable-file-downloads \ + '' + lib.optionalString (cfg.disableWorkspaceTrust == true) '' + --disable-workspace-trust \ + '' + lib.optionalString (cfg.disableGettingStartedOverride == true) '' + --disable-getting-started-override \ + '' + lib.escapeShellArgs cfg.extraArguments; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + RuntimeDirectory = cfg.user; + User = cfg.user; + Group = cfg.group; + Restart = "on-failure"; + }; + }; + + users.users."${cfg.user}" = lib.mkMerge [ + (lib.mkIf (cfg.user == defaultUser) { + isNormalUser = true; + description = "code-server user"; + inherit (cfg) group; + }) + { + packages = cfg.extraPackages; + inherit (cfg) extraGroups; + } + ]; + + users.groups."${defaultGroup}" = lib.mkIf (cfg.group == defaultGroup) { }; + }; + + meta.maintainers = [ lib.maintainers.stackshadow ]; +} diff --git a/nixos/modules/services/web-apps/freshrss.nix b/nixos/modules/services/web-apps/freshrss.nix index 9683730bbe1f8..c8399143c37ba 100644 --- a/nixos/modules/services/web-apps/freshrss.nix +++ b/nixos/modules/services/web-apps/freshrss.nix @@ -294,7 +294,6 @@ in systemd.services.freshrss-updater = { description = "FreshRSS feed updater"; after = [ "freshrss-config.service" ]; - wantedBy = [ "multi-user.target" ]; startAt = "*:0/5"; environment = { DATA_PATH = cfg.dataDir; diff --git a/nixos/modules/services/web-apps/invidious.nix b/nixos/modules/services/web-apps/invidious.nix index cfba3c8a29708..32158f9575be0 100644 --- a/nixos/modules/services/web-apps/invidious.nix +++ b/nixos/modules/services/web-apps/invidious.nix @@ -10,82 +10,115 @@ let generatedHmacKeyFile = "/var/lib/invidious/hmac_key"; generateHmac = cfg.hmacKeyFile == null; - serviceConfig = { - systemd.services.invidious = { - description = "Invidious (An alternative YouTube front-end)"; - wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; - - preStart = lib.optionalString generateHmac '' - if [[ ! -e "${generatedHmacKeyFile}" ]]; then - ${pkgs.pwgen}/bin/pwgen 20 1 > "${generatedHmacKeyFile}" - chmod 0600 "${generatedHmacKeyFile}" - fi - ''; - - script = '' - configParts=() - '' - # autogenerated hmac_key - + lib.optionalString generateHmac '' - configParts+=("$(${pkgs.jq}/bin/jq -R '{"hmac_key":.}' <"${generatedHmacKeyFile}")") - '' - # generated settings file - + '' - configParts+=("$(< ${lib.escapeShellArg settingsFile})") - '' - # optional database password file - + lib.optionalString (cfg.database.host != null) '' - configParts+=("$(${pkgs.jq}/bin/jq -R '{"db":{"password":.}}' ${lib.escapeShellArg cfg.database.passwordFile})") - '' - # optional extra settings file - + lib.optionalString (cfg.extraSettingsFile != null) '' - configParts+=("$(< ${lib.escapeShellArg cfg.extraSettingsFile})") - '' - # explicitly specified hmac key file - + lib.optionalString (cfg.hmacKeyFile != null) '' - configParts+=("$(< ${lib.escapeShellArg cfg.hmacKeyFile})") - '' - # merge all parts into a single configuration with later elements overriding previous elements - + '' - export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s 'reduce .[] as $item ({}; . * $item)' <<<"''${configParts[*]}")" - exec ${cfg.package}/bin/invidious - ''; - - serviceConfig = { - RestartSec = "2s"; - DynamicUser = true; - StateDirectory = "invidious"; - StateDirectoryMode = "0750"; - - CapabilityBoundingSet = ""; - PrivateDevices = true; - PrivateUsers = true; - ProtectHome = true; - ProtectKernelLogs = true; - ProtectProc = "invisible"; - RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; - RestrictNamespaces = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; - - # Because of various issues Invidious must be restarted often, at least once a day, ideally - # every hour. - # This option enables the automatic restarting of the Invidious instance. - Restart = lib.mkDefault "always"; - RuntimeMaxSec = lib.mkDefault "1h"; - }; + commonInvidousServiceConfig = { + description = "Invidious (An alternative YouTube front-end)"; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ] ++ lib.optional cfg.database.createLocally "postgresql.service"; + requires = lib.optional cfg.database.createLocally "postgresql.service"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + RestartSec = "2s"; + DynamicUser = true; + User = lib.mkIf (cfg.database.createLocally || cfg.serviceScale > 1) "invidious"; + StateDirectory = "invidious"; + StateDirectoryMode = "0750"; + + CapabilityBoundingSet = ""; + PrivateDevices = true; + PrivateUsers = true; + ProtectHome = true; + ProtectKernelLogs = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + + # Because of various issues Invidious must be restarted often, at least once a day, ideally + # every hour. + # This option enables the automatic restarting of the Invidious instance. + # To ensure multiple instances of Invidious are not restarted at the exact same time, a + # randomized extra offset of up to 5 minutes is added. + Restart = lib.mkDefault "always"; + RuntimeMaxSec = lib.mkDefault "1h"; + RuntimeRandomizedExtraSec = lib.mkDefault "5min"; }; + }; + mkInvidiousService = scaleIndex: + lib.foldl' lib.recursiveUpdate commonInvidousServiceConfig [ + # only generate the hmac file in the first service + (lib.optionalAttrs (scaleIndex == 0) { + preStart = lib.optionalString generateHmac '' + if [[ ! -e "${generatedHmacKeyFile}" ]]; then + ${pkgs.pwgen}/bin/pwgen 20 1 > "${generatedHmacKeyFile}" + chmod 0600 "${generatedHmacKeyFile}" + fi + ''; + }) + # configure the secondary services to run after the first service + (lib.optionalAttrs (scaleIndex > 0) { + after = commonInvidousServiceConfig.after ++ [ "invidious.service" ]; + wants = commonInvidousServiceConfig.wants ++ [ "invidious.service" ]; + }) + { + script = '' + configParts=() + '' + # autogenerated hmac_key + + lib.optionalString generateHmac '' + configParts+=("$(${pkgs.jq}/bin/jq -R '{"hmac_key":.}' <"${generatedHmacKeyFile}")") + '' + # generated settings file + + '' + configParts+=("$(< ${lib.escapeShellArg settingsFile})") + '' + # optional database password file + + lib.optionalString (cfg.database.host != null) '' + configParts+=("$(${pkgs.jq}/bin/jq -R '{"db":{"password":.}}' ${lib.escapeShellArg cfg.database.passwordFile})") + '' + # optional extra settings file + + lib.optionalString (cfg.extraSettingsFile != null) '' + configParts+=("$(< ${lib.escapeShellArg cfg.extraSettingsFile})") + '' + # explicitly specified hmac key file + + lib.optionalString (cfg.hmacKeyFile != null) '' + configParts+=("$(< ${lib.escapeShellArg cfg.hmacKeyFile})") + '' + # configure threads for secondary instances + + lib.optionalString (scaleIndex > 0) '' + configParts+=('{"channel_threads":0, "feed_threads":0}') + '' + # configure different ports for the instances + + '' + configParts+=('{"port":${toString (cfg.port + scaleIndex)}}') + '' + # merge all parts into a single configuration with later elements overriding previous elements + + '' + export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s 'reduce .[] as $item ({}; . * $item)' <<<"''${configParts[*]}")" + exec ${cfg.package}/bin/invidious + ''; + } + ]; - services.invidious.settings = { - inherit (cfg) port; + serviceConfig = { + systemd.services = builtins.listToAttrs (builtins.genList + (scaleIndex: { + name = "invidious" + lib.optionalString (scaleIndex > 0) "-${builtins.toString scaleIndex}"; + value = mkInvidiousService scaleIndex; + }) + cfg.serviceScale); + services.invidious.settings = { # Automatically initialises and migrates the database if necessary check_tables = true; db = { - user = lib.mkDefault "kemal"; + user = lib.mkDefault ( + if (lib.versionAtLeast config.system.stateVersion "24.05") + then "invidious" + else "kemal" + ); dbname = lib.mkDefault "invidious"; port = cfg.database.port; # Blank for unix sockets, see @@ -94,67 +127,73 @@ let # Not needed because peer authentication is enabled password = lib.mkIf (cfg.database.host == null) ""; }; + + host_binding = cfg.address; } // (lib.optionalAttrs (cfg.domain != null) { inherit (cfg) domain; }); - assertions = [{ - assertion = cfg.database.host != null -> cfg.database.passwordFile != null; - message = "If database host isn't null, database password needs to be set"; - }]; + assertions = [ + { + assertion = cfg.database.host != null -> cfg.database.passwordFile != null; + message = "If database host isn't null, database password needs to be set"; + } + { + assertion = cfg.serviceScale >= 1; + message = "Service can't be scaled below one instance"; + } + ]; }; # Settings necessary for running with an automatically managed local database localDatabaseConfig = lib.mkIf cfg.database.createLocally { + assertions = [ + { + assertion = cfg.settings.db.user == cfg.settings.db.dbname; + message = '' + For local automatic database provisioning (services.invidious.database.createLocally == true) + to work, the username used to connect to PostgreSQL must match the database name, that is + services.invidious.settings.db.user must match services.invidious.settings.db.dbname. + This is the default since NixOS 24.05. For older systems, it is normally safe to manually set + services.invidious.database.user to "invidious" as the new user will be created with permissions + for the existing database. `REASSIGN OWNED BY kemal TO invidious;` may also be needed. + ''; + } + ]; # Default to using the local database if we create it services.invidious.database.host = lib.mkDefault null; - - # TODO(raitobezarius to maintainers of invidious): I strongly advise to clean up the kemal specific - # thing for 24.05 and use `ensureDBOwnership`. - # See https://github.com/NixOS/nixpkgs/issues/216989 - systemd.services.postgresql.postStart = lib.mkAfter '' - $PSQL -tAc 'ALTER DATABASE "${cfg.settings.db.dbname}" OWNER TO "${cfg.settings.db.user}";' - ''; services.postgresql = { enable = true; - ensureUsers = lib.singleton { name = cfg.settings.db.user; ensureDBOwnership = false; }; + ensureUsers = lib.singleton { name = cfg.settings.db.user; ensureDBOwnership = true; }; ensureDatabases = lib.singleton cfg.settings.db.dbname; - # This is only needed because the unix user invidious isn't the same as - # the database user. This tells postgres to map one to the other. - identMap = '' - invidious invidious ${cfg.settings.db.user} - ''; - # And this specifically enables peer authentication for only this - # database, which allows passwordless authentication over the postgres - # unix socket for the user map given above. - authentication = '' - local ${cfg.settings.db.dbname} ${cfg.settings.db.user} peer map=invidious - ''; }; + }; + + ytproxyConfig = lib.mkIf cfg.http3-ytproxy.enable { + systemd.services.http3-ytproxy = { + description = "HTTP3 ytproxy for Invidious"; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; - systemd.services.invidious-db-clean = { - description = "Invidious database cleanup"; - documentation = [ "https://docs.invidious.io/Database-Information-and-Maintenance.md" ]; - startAt = lib.mkDefault "weekly"; - path = [ config.services.postgresql.package ]; - after = [ "postgresql.service" ]; script = '' - psql ${cfg.settings.db.dbname} ${cfg.settings.db.user} -c "DELETE FROM nonces * WHERE expire < current_timestamp" - psql ${cfg.settings.db.dbname} ${cfg.settings.db.user} -c "TRUNCATE TABLE videos" + mkdir -p socket + exec ${lib.getExe cfg.http3-ytproxy.package}; ''; + serviceConfig = { + RestartSec = "2s"; DynamicUser = true; - User = "invidious"; + User = lib.mkIf cfg.nginx.enable config.services.nginx.user; + RuntimeDirectory = "http3-ytproxy"; + WorkingDirectory = "/run/http3-ytproxy"; }; }; - systemd.services.invidious = { - requires = [ "postgresql.service" ]; - after = [ "postgresql.service" ]; - - serviceConfig = { - User = "invidious"; + services.nginx.virtualHosts.${cfg.domain} = lib.mkIf cfg.nginx.enable { + locations."~ (^/videoplayback|^/vi/|^/ggpht/|^/sb/)" = { + proxyPass = "http://unix:/run/http3-ytproxy/socket/http-proxy.sock"; }; }; }; @@ -165,14 +204,28 @@ let external_port = 80; }; - services.nginx = { + services.nginx = let + ip = if cfg.address == "0.0.0.0" then "127.0.0.1" else cfg.address; + in + { enable = true; virtualHosts.${cfg.domain} = { - locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}"; + locations."/".proxyPass = + if cfg.serviceScale == 1 then + "http://${ip}:${toString cfg.port}" + else "http://upstream-invidious"; enableACME = lib.mkDefault true; forceSSL = lib.mkDefault true; }; + upstreams = lib.mkIf (cfg.serviceScale > 1) { + "upstream-invidious".servers = builtins.listToAttrs (builtins.genList + (scaleIndex: { + name = "${ip}:${toString (cfg.port + scaleIndex)}"; + value = { }; + }) + cfg.serviceScale); + }; }; assertions = [{ @@ -220,6 +273,20 @@ in ''; }; + serviceScale = lib.mkOption { + type = types.int; + default = 1; + description = lib.mdDoc '' + How many invidious instances to run. + + See https://docs.invidious.io/improve-public-instance/#2-multiple-invidious-processes for more details + on how this is intended to work. All instances beyond the first one have the options `channel_threads` + and `feed_threads` set to 0 to avoid conflicts with multiple instances refreshing subscriptions. Instances + will be configured to bind to consecutive ports starting with {option}`services.invidious.port` for the + first instance. + ''; + }; + # This needs to be outside of settings to avoid infinite recursion # (determining if nginx should be enabled and therefore the settings # modified). @@ -233,6 +300,16 @@ in ''; }; + address = lib.mkOption { + type = types.str; + # default from https://github.com/iv-org/invidious/blob/master/config/config.example.yml + default = if cfg.nginx.enable then "127.0.0.1" else "0.0.0.0"; + defaultText = lib.literalExpression ''if config.services.invidious.nginx.enable then "127.0.0.1" else "0.0.0.0"''; + description = lib.mdDoc '' + The IP address Invidious should bind to. + ''; + }; + port = lib.mkOption { type = types.port; # Default from https://docs.invidious.io/Configuration.md @@ -298,11 +375,28 @@ in which can also be used to disable AMCE and TLS. ''; }; + + http3-ytproxy = { + enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc '' + Whether to enable http3-ytproxy for faster loading of images and video playback. + + If {option}`services.invidious.nginx.enable` is used, nginx will be configured automatically. If not, you + need to configure a reverse proxy yourself according to + https://docs.invidious.io/improve-public-instance/#3-speed-up-video-playback-with-http3-ytproxy. + ''; + }; + + package = lib.mkPackageOptionMD pkgs "http3-ytproxy" { }; + }; }; config = lib.mkIf cfg.enable (lib.mkMerge [ serviceConfig localDatabaseConfig nginxConfig + ytproxyConfig ]); } diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix index 7b00ce35eb1a7..538e728fcc72f 100644 --- a/nixos/modules/services/web-apps/mastodon.nix +++ b/nixos/modules/services/web-apps/mastodon.nix @@ -136,7 +136,7 @@ let # System Call Filtering SystemCallFilter = [ ("~" + lib.concatStringsSep " " systemCallsList) "@chown" "pipe" "pipe2" ]; } // cfgService; - path = with pkgs; [ file imagemagick ffmpeg ]; + path = with pkgs; [ ffmpeg-headless file imagemagick ]; }) ) cfg.sidekiqProcesses; @@ -711,31 +711,28 @@ in { systemd.services.mastodon-init-db = lib.mkIf cfg.automaticMigrations { script = lib.optionalString (!databaseActuallyCreateLocally) '' umask 077 - - export PGPASSFILE - PGPASSFILE=$(mktemp) - cat > $PGPASSFILE <<EOF - ${cfg.database.host}:${toString cfg.database.port}:${cfg.database.name}:${cfg.database.user}:$(cat ${cfg.database.passwordFile}) - EOF - + export PGPASSWORD="$(cat '${cfg.database.passwordFile}')" '' + '' - if [ `psql ${cfg.database.name} -c \ + if [ `psql -c \ "select count(*) from pg_class c \ join pg_namespace s on s.oid = c.relnamespace \ where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \ and s.nspname not like 'pg_temp%';" | sed -n 3p` -eq 0 ]; then + echo "Seeding database" SAFETY_ASSURED=1 rails db:schema:load rails db:seed else + echo "Migrating database (this might be a noop)" rails db:migrate fi '' + lib.optionalString (!databaseActuallyCreateLocally) '' - rm $PGPASSFILE - unset PGPASSFILE + unset PGPASSWORD ''; path = [ cfg.package pkgs.postgresql ]; environment = env // lib.optionalAttrs (!databaseActuallyCreateLocally) { PGHOST = cfg.database.host; + PGPORT = toString cfg.database.port; + PGDATABASE = cfg.database.name; PGUSER = cfg.database.user; }; serviceConfig = { @@ -776,7 +773,7 @@ in { # System Call Filtering SystemCallFilter = [ ("~" + lib.concatStringsSep " " systemCallsList) "@chown" "pipe" "pipe2" ]; } // cfgService; - path = with pkgs; [ file imagemagick ffmpeg ]; + path = with pkgs; [ ffmpeg-headless file imagemagick ]; }; systemd.services.mastodon-media-auto-remove = lib.mkIf cfg.mediaAutoRemove.enable { diff --git a/nixos/modules/services/web-apps/nextcloud.md b/nixos/modules/services/web-apps/nextcloud.md index ecc7f380592ae..ce8f96a6a3896 100644 --- a/nixos/modules/services/web-apps/nextcloud.md +++ b/nixos/modules/services/web-apps/nextcloud.md @@ -5,7 +5,7 @@ self-hostable cloud platform. The server setup can be automated using [services.nextcloud](#opt-services.nextcloud.enable). A desktop client is packaged at `pkgs.nextcloud-client`. -The current default by NixOS is `nextcloud27` which is also the latest +The current default by NixOS is `nextcloud28` which is also the latest major version available. ## Basic usage {#module-services-nextcloud-basic-usage} @@ -51,7 +51,7 @@ to ensure that changes can be applied by changing the module's options. In case the application serves multiple domains (those are checked with [`$_SERVER['HTTP_HOST']`](https://www.php.net/manual/en/reserved.variables.server.php)) it's needed to add them to -[`services.nextcloud.config.extraTrustedDomains`](#opt-services.nextcloud.config.extraTrustedDomains). +[`services.nextcloud.extraOptions.trusted_domains`](#opt-services.nextcloud.extraOptions.trusted_domains). Auto updates for Nextcloud apps can be enabled using [`services.nextcloud.autoUpdateApps`](#opt-services.nextcloud.autoUpdateApps.enable). diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index db6eacf30196b..15da41c236abe 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -9,6 +9,7 @@ let jsonFormat = pkgs.formats.json {}; defaultPHPSettings = { + output_buffering = "0"; short_open_tag = "Off"; expose_php = "Off"; error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; @@ -23,11 +24,49 @@ let catch_workers_output = "yes"; }; + appStores = { + # default apps bundled with pkgs.nextcloudXX, e.g. files, contacts + apps = { + enabled = true; + writable = false; + }; + # apps installed via cfg.extraApps + nix-apps = { + enabled = cfg.extraApps != { }; + linkTarget = pkgs.linkFarm "nix-apps" + (mapAttrsToList (name: path: { inherit name path; }) cfg.extraApps); + writable = false; + }; + # apps installed via the app store. + store-apps = { + enabled = cfg.appstoreEnable == null || cfg.appstoreEnable; + linkTarget = "${cfg.home}/store-apps"; + writable = true; + }; + }; + + webroot = pkgs.runCommand + "${cfg.package.name or "nextcloud"}-with-apps" + { } + '' + mkdir $out + ln -sfv "${cfg.package}"/* "$out" + ${concatStrings + (mapAttrsToList (name: store: optionalString (store.enabled && store?linkTarget) '' + if [ -e "$out"/${name} ]; then + echo "Didn't expect ${name} already in $out!" + exit 1 + fi + ln -sfTv ${store.linkTarget} "$out"/${name} + '') appStores)} + ''; + inherit (cfg) datadir; phpPackage = cfg.phpPackage.buildEnv { extensions = { enabled, all }: (with all; enabled + ++ [ bz2 intl sodium ] # recommended ++ optional cfg.enableImagemagick imagick # Optionally enabled depending on caching settings ++ optional cfg.caching.apcu apcu @@ -44,7 +83,7 @@ let occ = pkgs.writeScriptBin "nextcloud-occ" '' #! ${pkgs.runtimeShell} - cd ${cfg.package} + cd ${webroot} sudo=exec if [[ "$USER" != nextcloud ]]; then sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS' @@ -93,6 +132,22 @@ in { (mkRemovedOptionModule [ "services" "nextcloud" "disableImagemagick" ] '' Use services.nextcloud.enableImagemagick instead. '') + (mkRenamedOptionModule + [ "services" "nextcloud" "logLevel" ] [ "services" "nextcloud" "extraOptions" "loglevel" ]) + (mkRenamedOptionModule + [ "services" "nextcloud" "logType" ] [ "services" "nextcloud" "extraOptions" "log_type" ]) + (mkRenamedOptionModule + [ "services" "nextcloud" "config" "defaultPhoneRegion" ] [ "services" "nextcloud" "extraOptions" "default_phone_region" ]) + (mkRenamedOptionModule + [ "services" "nextcloud" "config" "overwriteProtocol" ] [ "services" "nextcloud" "extraOptions" "overwriteprotocol" ]) + (mkRenamedOptionModule + [ "services" "nextcloud" "skeletonDirectory" ] [ "services" "nextcloud" "extraOptions" "skeletondirectory" ]) + (mkRenamedOptionModule + [ "services" "nextcloud" "config" "globalProfiles" ] [ "services" "nextcloud" "extraOptions" "profile.enabled" ]) + (mkRenamedOptionModule + [ "services" "nextcloud" "config" "extraTrustedDomains" ] [ "services" "nextcloud" "extraOptions" "trusted_domains" ]) + (mkRenamedOptionModule + [ "services" "nextcloud" "config" "trustedProxies" ] [ "services" "nextcloud" "extraOptions" "trusted_proxies" ]) ]; options.services.nextcloud = { @@ -156,32 +211,6 @@ in { Set this to false to disable the installation of apps from the global appstore. App management is always enabled regardless of this setting. ''; }; - logLevel = mkOption { - type = types.ints.between 0 4; - default = 2; - description = lib.mdDoc '' - Log level value between 0 (DEBUG) and 4 (FATAL). - - - 0 (debug): Log all activity. - - - 1 (info): Log activity such as user logins and file activities, plus warnings, errors, and fatal errors. - - - 2 (warn): Log successful operations, as well as warnings of potential problems, errors and fatal errors. - - - 3 (error): Log failed operations and fatal errors. - - - 4 (fatal): Log only fatal errors that cause the server to stop. - ''; - }; - logType = mkOption { - type = types.enum [ "errorlog" "file" "syslog" "systemd" ]; - default = "syslog"; - description = lib.mdDoc '' - Logging backend to use. - systemd requires the php-systemd package to be added to services.nextcloud.phpExtraExtensions. - See the [nextcloud documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/logging_configuration.html) for details. - ''; - }; https = mkOption { type = types.bool; default = false; @@ -190,7 +219,7 @@ in { package = mkOption { type = types.package; description = lib.mdDoc "Which package to use for the Nextcloud instance."; - relatedPackages = [ "nextcloud26" "nextcloud27" ]; + relatedPackages = [ "nextcloud26" "nextcloud27" "nextcloud28" ]; }; phpPackage = mkPackageOption pkgs "php" { example = "php82"; @@ -205,16 +234,6 @@ in { ''; }; - skeletonDirectory = mkOption { - default = ""; - type = types.str; - description = lib.mdDoc '' - The directory where the skeleton files are located. These files will be - copied to the data directory of new users. Leave empty to not copy any - skeleton files. - ''; - }; - webfinger = mkOption { type = types.bool; default = false; @@ -314,7 +333,6 @@ in { }; - config = { dbtype = mkOption { type = types.enum [ "sqlite" "pgsql" "mysql" ]; @@ -379,53 +397,6 @@ in { setup of Nextcloud by the systemd service `nextcloud-setup.service`. ''; }; - - extraTrustedDomains = mkOption { - type = types.listOf types.str; - default = []; - description = lib.mdDoc '' - Trusted domains from which the Nextcloud installation will be - accessible. You don't need to add - `services.nextcloud.hostname` here. - ''; - }; - - trustedProxies = mkOption { - type = types.listOf types.str; - default = []; - description = lib.mdDoc '' - Trusted proxies to provide if the Nextcloud installation is being - proxied to secure against, e.g. spoofing. - ''; - }; - - overwriteProtocol = mkOption { - type = types.nullOr (types.enum [ "http" "https" ]); - default = null; - example = "https"; - - description = lib.mdDoc '' - Force Nextcloud to always use HTTP or HTTPS i.e. for link generation. - Nextcloud uses the currently used protocol by default, but when - behind a reverse-proxy, it may use `http` for everything although - Nextcloud may be served via HTTPS. - ''; - }; - - defaultPhoneRegion = mkOption { - default = null; - type = types.nullOr types.str; - example = "DE"; - description = lib.mdDoc '' - An [ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) - country code which replaces automatic phone-number detection - without a country code. - - As an example, with `DE` set as the default phone region, - the `+49` prefix can be omitted for phone numbers. - ''; - }; - objectstore = { s3 = { enable = mkEnableOption (lib.mdDoc '' @@ -608,30 +579,109 @@ in { The nextcloud-occ program preconfigured to target this Nextcloud instance. ''; }; - globalProfiles = mkEnableOption (lib.mdDoc "global profiles") // { - description = lib.mdDoc '' - Makes user-profiles globally available under `nextcloud.tld/u/user.name`. - Even though it's enabled by default in Nextcloud, it must be explicitly enabled - here because it has the side-effect that personal information is even accessible to - unauthenticated users by default. - - By default, the following properties are set to “Show to everyone” - if this flag is enabled: - - About - - Full name - - Headline - - Organisation - - Profile picture - - Role - - Twitter - - Website - - Only has an effect in Nextcloud 23 and later. - ''; - }; extraOptions = mkOption { - type = jsonFormat.type; + type = types.submodule { + freeformType = jsonFormat.type; + options = { + + loglevel = mkOption { + type = types.ints.between 0 4; + default = 2; + description = lib.mdDoc '' + Log level value between 0 (DEBUG) and 4 (FATAL). + + - 0 (debug): Log all activity. + + - 1 (info): Log activity such as user logins and file activities, plus warnings, errors, and fatal errors. + + - 2 (warn): Log successful operations, as well as warnings of potential problems, errors and fatal errors. + + - 3 (error): Log failed operations and fatal errors. + + - 4 (fatal): Log only fatal errors that cause the server to stop. + ''; + }; + log_type = mkOption { + type = types.enum [ "errorlog" "file" "syslog" "systemd" ]; + default = "syslog"; + description = lib.mdDoc '' + Logging backend to use. + systemd requires the php-systemd package to be added to services.nextcloud.phpExtraExtensions. + See the [nextcloud documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/logging_configuration.html) for details. + ''; + }; + skeletondirectory = mkOption { + default = ""; + type = types.str; + description = lib.mdDoc '' + The directory where the skeleton files are located. These files will be + copied to the data directory of new users. Leave empty to not copy any + skeleton files. + ''; + }; + trusted_domains = mkOption { + type = types.listOf types.str; + default = []; + description = lib.mdDoc '' + Trusted domains, from which the nextcloud installation will be + accessible. You don't need to add + `services.nextcloud.hostname` here. + ''; + }; + trusted_proxies = mkOption { + type = types.listOf types.str; + default = []; + description = lib.mdDoc '' + Trusted proxies, to provide if the nextcloud installation is being + proxied to secure against e.g. spoofing. + ''; + }; + overwriteprotocol = mkOption { + type = types.enum [ "" "http" "https" ]; + default = ""; + example = "https"; + description = lib.mdDoc '' + Force Nextcloud to always use HTTP or HTTPS i.e. for link generation. + Nextcloud uses the currently used protocol by default, but when + behind a reverse-proxy, it may use `http` for everything although + Nextcloud may be served via HTTPS. + ''; + }; + default_phone_region = mkOption { + default = ""; + type = types.str; + example = "DE"; + description = lib.mdDoc '' + An [ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) + country code which replaces automatic phone-number detection + without a country code. + + As an example, with `DE` set as the default phone region, + the `+49` prefix can be omitted for phone numbers. + ''; + }; + "profile.enabled" = mkEnableOption (lib.mdDoc "global profiles") // { + description = lib.mdDoc '' + Makes user-profiles globally available under `nextcloud.tld/u/user.name`. + Even though it's enabled by default in Nextcloud, it must be explicitly enabled + here because it has the side-effect that personal information is even accessible to + unauthenticated users by default. + By default, the following properties are set to “Show to everyone” + if this flag is enabled: + - About + - Full name + - Headline + - Organisation + - Profile picture + - Role + - Twitter + - Website + Only has an effect in Nextcloud 23 and later. + ''; + }; + }; + }; default = {}; description = lib.mdDoc '' Extra options which should be appended to Nextcloud's config.php file. @@ -679,7 +729,7 @@ in { config = mkIf cfg.enable (mkMerge [ { warnings = let - latest = 27; + latest = 28; upgradeWarning = major: nixos: '' A legacy Nextcloud install (from before NixOS ${nixos}) may be installed. @@ -700,7 +750,8 @@ in { '') ++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11")) ++ (optional (versionOlder cfg.package.version "26") (upgradeWarning 25 "23.05")) - ++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11")); + ++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11")) + ++ (optional (versionOlder cfg.package.version "28") (upgradeWarning 27 "24.05")); services.nextcloud.package = with pkgs; mkDefault ( @@ -710,15 +761,13 @@ in { nextcloud defined in an overlay, please set `services.nextcloud.package` to `pkgs.nextcloud`. '' - else if versionOlder stateVersion "22.11" then nextcloud24 else if versionOlder stateVersion "23.05" then nextcloud25 else if versionOlder stateVersion "23.11" then nextcloud26 - else nextcloud27 + else if versionOlder stateVersion "24.05" then nextcloud27 + else nextcloud28 ); - services.nextcloud.phpPackage = - if versionOlder cfg.package.version "26" then pkgs.php81 - else pkgs.php82; + services.nextcloud.phpPackage = pkgs.php82; services.nextcloud.phpOptions = mkMerge [ (mapAttrs (const mkOptionDefault) defaultPHPSettings) @@ -766,11 +815,10 @@ in { # When upgrading the Nextcloud package, Nextcloud can report errors such as # "The files of the app [all apps in /var/lib/nextcloud/apps] were not replaced correctly" # Restarting phpfpm on Nextcloud package update fixes these issues (but this is a workaround). - phpfpm-nextcloud.restartTriggers = [ cfg.package ]; + phpfpm-nextcloud.restartTriggers = [ webroot ]; nextcloud-setup = let c = cfg.config; - writePhpArray = a: "[${concatMapStringsSep "," (val: ''"${toString val}"'') a}]"; requiresReadSecretFunction = c.dbpassFile != null || c.objectstore.s3.enable; objectstoreConfig = let s3 = c.objectstore.s3; in optionalString s3.enable '' 'objectstore' => [ @@ -800,6 +848,10 @@ in { nextcloudGreaterOrEqualThan = req: versionAtLeast cfg.package.version req; + mkAppStoreConfig = name: { enabled, writable, ... }: optionalString enabled '' + [ 'path' => '${webroot}/${name}', 'url' => '/${name}', 'writable' => ${boolToString writable} ], + ''; + overrideConfig = pkgs.writeText "nextcloud-config.php" '' <?php ${optionalString requiresReadSecretFunction '' @@ -828,17 +880,10 @@ in { } $CONFIG = [ 'apps_paths' => [ - ${optionalString (cfg.extraApps != { }) "[ 'path' => '${cfg.home}/nix-apps', 'url' => '/nix-apps', 'writable' => false ],"} - [ 'path' => '${cfg.home}/apps', 'url' => '/apps', 'writable' => false ], - [ 'path' => '${cfg.home}/store-apps', 'url' => '/store-apps', 'writable' => true ], + ${concatStrings (mapAttrsToList mkAppStoreConfig appStores)} ], ${optionalString (showAppStoreSetting) "'appstoreenabled' => ${renderedAppStoreSetting},"} - 'datadirectory' => '${datadir}/data', - 'skeletondirectory' => '${cfg.skeletonDirectory}', ${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"} - 'log_type' => '${cfg.logType}', - 'loglevel' => '${builtins.toString cfg.logLevel}', - ${optionalString (c.overwriteProtocol != null) "'overwriteprotocol' => '${c.overwriteProtocol}',"} ${optionalString (c.dbname != null) "'dbname' => '${c.dbname}',"} ${optionalString (c.dbhost != null) "'dbhost' => '${c.dbhost}',"} ${optionalString (c.dbport != null) "'dbport' => '${toString c.dbport}',"} @@ -851,10 +896,6 @@ in { '' } 'dbtype' => '${c.dbtype}', - 'trusted_domains' => ${writePhpArray ([ cfg.hostName ] ++ c.extraTrustedDomains)}, - 'trusted_proxies' => ${writePhpArray (c.trustedProxies)}, - ${optionalString (c.defaultPhoneRegion != null) "'default_phone_region' => '${c.defaultPhoneRegion}',"} - ${optionalString (nextcloudGreaterOrEqualThan "23") "'profile.enabled' => ${boolToString cfg.globalProfiles},"} ${objectstoreConfig} ]; @@ -907,7 +948,7 @@ in { (i: v: '' ${occ}/bin/nextcloud-occ config:system:set trusted_domains \ ${toString i} --value="${toString v}" - '') ([ cfg.hostName ] ++ cfg.config.extraTrustedDomains)); + '') ([ cfg.hostName ] ++ cfg.extraOptions.trusted_domains)); in { wantedBy = [ "multi-user.target" ]; @@ -935,17 +976,16 @@ in { exit 1 fi - ln -sf ${cfg.package}/apps ${cfg.home}/ - - # Install extra apps - ln -sfT \ - ${pkgs.linkFarm "nix-apps" - (mapAttrsToList (name: path: { inherit name path; }) cfg.extraApps)} \ - ${cfg.home}/nix-apps + ${concatMapStrings (name: '' + if [ -d "${cfg.home}"/${name} ]; then + echo "Cleaning up ${name}; these are now bundled in the webroot store-path!" + rm -r "${cfg.home}"/${name} + fi + '') [ "nix-apps" "apps" ]} # create nextcloud directories. # if the directories exist already with wrong permissions, we fix that - for dir in ${datadir}/config ${datadir}/data ${cfg.home}/store-apps ${cfg.home}/nix-apps; do + for dir in ${datadir}/config ${datadir}/data ${cfg.home}/store-apps; do if [ ! -e $dir ]; then install -o nextcloud -g nextcloud -d $dir elif [ $(stat -c "%G" $dir) != "nextcloud" ]; then @@ -982,7 +1022,7 @@ in { environment.NEXTCLOUD_CONFIG_DIR = "${datadir}/config"; serviceConfig.Type = "oneshot"; serviceConfig.User = "nextcloud"; - serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${cfg.package}/cron.php"; + serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${webroot}/cron.php"; }; nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable { after = [ "nextcloud-setup.service" ]; @@ -1043,22 +1083,25 @@ in { user = "nextcloud"; }; - services.nextcloud = lib.mkIf cfg.configureRedis { - caching.redis = true; - extraOptions = { + services.nextcloud = { + caching.redis = lib.mkIf cfg.configureRedis true; + extraOptions = mkMerge [({ + datadirectory = lib.mkDefault "${datadir}/data"; + trusted_domains = [ cfg.hostName ]; + }) (lib.mkIf cfg.configureRedis { "memcache.distributed" = ''\OC\Memcache\Redis''; "memcache.locking" = ''\OC\Memcache\Redis''; redis = { host = config.services.redis.servers.nextcloud.unixSocket; port = 0; }; - }; + })]; }; services.nginx.enable = mkDefault true; services.nginx.virtualHosts.${cfg.hostName} = { - root = cfg.package; + root = webroot; locations = { "= /robots.txt" = { priority = 100; @@ -1075,14 +1118,6 @@ in { } ''; }; - "~ ^/store-apps" = { - priority = 201; - extraConfig = "root ${cfg.home};"; - }; - "~ ^/nix-apps" = { - priority = 201; - extraConfig = "root ${cfg.home};"; - }; "^~ /.well-known" = { priority = 210; extraConfig = '' @@ -1131,10 +1166,13 @@ in { fastcgi_read_timeout ${builtins.toString cfg.fastcgiTimeout}s; ''; }; - "~ \\.(?:css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|tflite|map|html|ttf|bcmap|mp4|webm)$".extraConfig = '' + "~ \\.(?:css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|tflite|map|html|ttf|bcmap|mp4|webm|ogg|flac)$".extraConfig = '' try_files $uri /index.php$request_uri; expires 6M; access_log off; + location ~ \.mjs$ { + default_type text/javascript; + } location ~ \.wasm$ { default_type application/wasm; } diff --git a/nixos/modules/services/web-apps/node-red.nix b/nixos/modules/services/web-apps/node-red.nix index de78f05a98ca2..82f89783d778a 100644 --- a/nixos/modules/services/web-apps/node-red.nix +++ b/nixos/modules/services/web-apps/node-red.nix @@ -19,7 +19,7 @@ in options.services.node-red = { enable = mkEnableOption (lib.mdDoc "the Node-RED service"); - package = mkPackageOption pkgs "nodePackages.node-red" { }; + package = mkPackageOption pkgs [ "nodePackages" "node-red" ] { }; openFirewall = mkOption { type = types.bool; diff --git a/nixos/modules/services/web-servers/caddy/default.nix b/nixos/modules/services/web-servers/caddy/default.nix index 9a544e98cfc44..95dc219d108cc 100644 --- a/nixos/modules/services/web-servers/caddy/default.nix +++ b/nixos/modules/services/web-servers/caddy/default.nix @@ -342,8 +342,9 @@ in } ''; - # https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size + # https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes boot.kernel.sysctl."net.core.rmem_max" = mkDefault 2500000; + boot.kernel.sysctl."net.core.wmem_max" = mkDefault 2500000; systemd.packages = [ cfg.package ]; systemd.services.caddy = { diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index eafaa32f5b9b9..1285c2bbb916d 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -352,10 +352,11 @@ let # The acme-challenge location doesn't need to be added if we are not using any automated # certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 challenge - acmeLocation = optionalString (vhost.enableACME || (vhost.useACMEHost != null && config.security.acme.certs.${vhost.useACMEHost}.dnsProvider == null)) '' + acmeLocation = optionalString (vhost.enableACME || (vhost.useACMEHost != null && config.security.acme.certs.${vhost.useACMEHost}.dnsProvider == null)) # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx) # We use ^~ here, so that we don't check any regexes (which could # otherwise easily override this intended match accidentally). + '' location ^~ /.well-known/acme-challenge/ { ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"} ${optionalString (vhost.acmeRoot != null) "root ${vhost.acmeRoot};"} @@ -375,10 +376,11 @@ let ${concatMapStringsSep "\n" listenString redirectListen} server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases}; - ${acmeLocation} + location / { - return 301 https://$host$request_uri; + return ${toString vhost.redirectCode} https://$host$request_uri; } + ${acmeLocation} } ''} @@ -392,13 +394,6 @@ let http3 ${if vhost.http3 then "on" else "off"}; http3_hq ${if vhost.http3_hq then "on" else "off"}; ''} - ${acmeLocation} - ${optionalString (vhost.root != null) "root ${vhost.root};"} - ${optionalString (vhost.globalRedirect != null) '' - location / { - return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri; - } - ''} ${optionalString hasSSL '' ssl_certificate ${vhost.sslCertificate}; ssl_certificate_key ${vhost.sslCertificateKey}; @@ -421,6 +416,14 @@ let ${mkBasicAuth vhostName vhost} + ${optionalString (vhost.root != null) "root ${vhost.root};"} + + ${optionalString (vhost.globalRedirect != null) '' + location / { + return ${toString vhost.redirectCode} http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri; + } + ''} + ${acmeLocation} ${mkLocations vhost.locations} ${vhost.extraConfig} @@ -649,6 +652,8 @@ in Nginx package to use. This defaults to the stable version. Note that the nginx team recommends to use the mainline version which available in nixpkgs as `nginxMainline`. + Supported Nginx forks include `angie`, `openresty` and `tengine`. + For HTTP/3 support use `nginxQuic` or `angieQuic`. ''; }; @@ -1128,14 +1133,6 @@ in } { - assertion = any (host: host.kTLS) (attrValues virtualHosts) -> versionAtLeast cfg.package.version "1.21.4"; - message = '' - services.nginx.virtualHosts.<name>.kTLS requires nginx version - 1.21.4 or above; see the documentation for services.nginx.package. - ''; - } - - { assertion = all (host: !(host.enableACME && host.useACMEHost != null)) (attrValues virtualHosts); message = '' Options services.nginx.service.virtualHosts.<name>.enableACME and @@ -1144,18 +1141,20 @@ in } { - assertion = cfg.package.pname != "nginxQuic" -> !(cfg.enableQuicBPF); + assertion = cfg.package.pname != "nginxQuic" && cfg.package.pname != "angieQuic" -> !(cfg.enableQuicBPF); message = '' services.nginx.enableQuicBPF requires using nginxQuic package, - which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`. + which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;` or + `services.nginx.package = pkgs.angieQuic;`. ''; } { - assertion = cfg.package.pname != "nginxQuic" -> all (host: !host.quic) (attrValues virtualHosts); + assertion = cfg.package.pname != "nginxQuic" && cfg.package.pname != "angieQuic" -> all (host: !host.quic) (attrValues virtualHosts); message = '' - services.nginx.service.virtualHosts.<name>.quic requires using nginxQuic package, - which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`. + services.nginx.service.virtualHosts.<name>.quic requires using nginxQuic or angie packages, + which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;` or + `services.nginx.package = pkgs.angieQuic;`. ''; } @@ -1341,6 +1340,8 @@ in nginx.gid = config.ids.gids.nginx; }; + boot.kernelModules = optional (versionAtLeast config.boot.kernelPackages.kernel.version "4.17") "tls"; + # do not delete the default temp directories created upon nginx startup systemd.tmpfiles.rules = [ "X /tmp/systemd-private-%b-nginx.service-*/tmp/nginx_*" diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index 9db4c8e23025b..64a95afab9f40 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -162,10 +162,11 @@ with lib; type = types.bool; default = false; description = lib.mdDoc '' - Whether to add a separate nginx server block that permanently redirects (301) - all plain HTTP traffic to HTTPS. This will set defaults for - `listen` to listen on all interfaces on the respective default - ports (80, 443), where the non-SSL listens are used for the redirect vhosts. + Whether to add a separate nginx server block that redirects (defaults + to 301, configurable with `redirectCode`) all plain HTTP traffic to + HTTPS. This will set defaults for `listen` to listen on all interfaces + on the respective default ports (80, 443), where the non-SSL listens + are used for the redirect vhosts. ''; }; @@ -307,8 +308,20 @@ with lib; default = null; example = "newserver.example.org"; description = lib.mdDoc '' - If set, all requests for this host are redirected permanently to - the given hostname. + If set, all requests for this host are redirected (defaults to 301, + configurable with `redirectCode`) to the given hostname. + ''; + }; + + redirectCode = mkOption { + type = types.ints.between 300 399; + default = 301; + example = 308; + description = lib.mdDoc '' + HTTP status used by `globalRedirect` and `forceSSL`. Possible usecases + include temporary (302, 307) redirects, keeping the request method and + body (307, 308), or explicitly resetting the method to GET (303). + See <https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections>. ''; }; diff --git a/nixos/modules/services/x11/desktop-managers/cinnamon.nix b/nixos/modules/services/x11/desktop-managers/cinnamon.nix index e9cadf2194682..f5a6c05865c47 100644 --- a/nixos/modules/services/x11/desktop-managers/cinnamon.nix +++ b/nixos/modules/services/x11/desktop-managers/cinnamon.nix @@ -79,20 +79,19 @@ in package = mkDefault pkgs.cinnamon.mint-cursor-themes; }; }; - services.xserver.displayManager.sessionCommands = '' - if test "$XDG_CURRENT_DESKTOP" = "Cinnamon"; then - true - ${concatMapStrings (p: '' - if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then - export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name} - fi - - if [ -d "${p}/lib/girepository-1.0" ]; then - export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0 - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib - fi - '') cfg.sessionPath} - fi + + # Have to take care of GDM + Cinnamon on Wayland users + environment.extraInit = '' + ${concatMapStrings (p: '' + if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then + export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name} + fi + + if [ -d "${p}/lib/girepository-1.0" ]; then + export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0 + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib + fi + '') cfg.sessionPath} ''; # Default services diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index 027479b1ce094..e0227f93e2f25 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -295,7 +295,7 @@ in ++ lib.optional config.powerManagement.enable powerdevil ++ lib.optional config.services.colord.enable pkgs.colord-kde ++ lib.optional config.services.hardware.bolt.enable pkgs.plasma5Packages.plasma-thunderbolt - ++ lib.optionals config.services.samba.enable [ kdenetwork-filesharing pkgs.samba ] + ++ lib.optional config.services.samba.enable kdenetwork-filesharing ++ lib.optional config.services.xserver.wacom.enable pkgs.wacomtablet ++ lib.optional config.services.flatpak.enable flatpak-kcm; diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix index d16152ab9dec5..08e3dce708447 100644 --- a/nixos/modules/system/boot/binfmt.nix +++ b/nixos/modules/system/boot/binfmt.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: let - inherit (lib) mkOption mkDefault types optionalString stringAfter; + inherit (lib) mkOption mkDefault types optionalString; cfg = config.boot.binfmt; diff --git a/nixos/modules/system/boot/grow-partition.nix b/nixos/modules/system/boot/grow-partition.nix index 897602f9826ab..8a0fc3a03dac4 100644 --- a/nixos/modules/system/boot/grow-partition.nix +++ b/nixos/modules/system/boot/grow-partition.nix @@ -25,7 +25,7 @@ with lib; systemd.services.growpart = { wantedBy = [ "-.mount" ]; after = [ "-.mount" ]; - before = [ "systemd-growfs-root.service" ]; + before = [ "systemd-growfs-root.service" "shutdown.target" ]; conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; serviceConfig = { diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix index a8cd2e8f05fcc..61e61f32bc5ee 100644 --- a/nixos/modules/system/boot/initrd-ssh.nix +++ b/nixos/modules/system/boot/initrd-ssh.nix @@ -243,8 +243,10 @@ in services.sshd = { description = "SSH Daemon"; - wantedBy = ["initrd.target"]; - after = ["network.target" "initrd-nixos-copy-secrets.service"]; + wantedBy = [ "initrd.target" ]; + after = [ "network.target" "initrd-nixos-copy-secrets.service" ]; + before = [ "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; # Keys from Nix store are world-readable, which sshd doesn't # like. If this were a real nix store and not the initrd, we diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 7097e1d83dca9..0556c875241a1 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -36,7 +36,7 @@ let # Package set of targeted architecture if cfg.forcei686 then pkgs.pkgsi686Linux else pkgs; - realGrub = if cfg.zfsSupport then grubPkgs.grub2.override { zfsSupport = true; } + realGrub = if cfg.zfsSupport then grubPkgs.grub2.override { zfsSupport = true; zfs = cfg.zfsPackage; } else grubPkgs.grub2; grub = @@ -614,6 +614,16 @@ in ''; }; + zfsPackage = mkOption { + type = types.package; + internal = true; + default = pkgs.zfs; + defaultText = literalExpression "pkgs.zfs"; + description = lib.mdDoc '' + Which ZFS package to use if `config.boot.loader.grub.zfsSupport` is true. + ''; + }; + efiSupport = mkOption { default = false; type = types.bool; diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 8bd9e71cb3a99..221e90b6f38fb 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -513,7 +513,7 @@ let postLVM = filterAttrs (n: v: !v.preLVM) luks.devices; - stage1Crypttab = pkgs.writeText "initrd-crypttab" (lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: let + stage1Crypttab = pkgs.writeText "initrd-crypttab" (lib.concatLines (lib.mapAttrsToList (n: v: let opts = v.crypttabExtraOpts ++ optional v.allowDiscards "discard" ++ optionals v.bypassWorkqueues [ "no-read-workqueue" "no-write-workqueue" ] diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index 3e10770812db6..f236a4c005ad6 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -597,6 +597,8 @@ let "DHCP" "DHCPServer" "LinkLocalAddressing" + "IPv6LinkLocalAddressGenerationMode" + "IPv6StableSecretAddress" "IPv4LLRoute" "DefaultRouteOnDevice" "LLMNR" @@ -648,6 +650,7 @@ let (assertValueOneOf "DHCP" ["yes" "no" "ipv4" "ipv6"]) (assertValueOneOf "DHCPServer" boolValues) (assertValueOneOf "LinkLocalAddressing" ["yes" "no" "ipv4" "ipv6" "fallback" "ipv4-fallback"]) + (assertValueOneOf "IPv6LinkLocalAddressGenerationMode" ["eui64" "none" "stable-privacy" "random"]) (assertValueOneOf "IPv4LLRoute" boolValues) (assertValueOneOf "DefaultRouteOnDevice" boolValues) (assertValueOneOf "LLMNR" (boolValues ++ ["resolve"])) diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix index b898a63179624..538f71cc0b9ae 100644 --- a/nixos/modules/system/boot/resolved.nix +++ b/nixos/modules/system/boot/resolved.nix @@ -23,12 +23,13 @@ in }; services.resolved.fallbackDns = mkOption { - default = [ ]; + default = null; example = [ "8.8.8.8" "2001:4860:4860::8844" ]; - type = types.listOf types.str; + type = types.nullOr (types.listOf types.str); description = lib.mdDoc '' A list of IPv4 and IPv6 addresses to use as the fallback DNS servers. - If this option is empty, a compiled-in list of DNS servers is used instead. + If this option is null, a compiled-in list of DNS servers is used instead. + Setting this option to an empty list will override the built-in list to an empty list, disabling fallback. ''; }; @@ -134,7 +135,7 @@ in [Resolve] ${optionalString (config.networking.nameservers != []) "DNS=${concatStringsSep " " config.networking.nameservers}"} - ${optionalString (cfg.fallbackDns != []) + ${optionalString (cfg.fallbackDns != null) "FallbackDNS=${concatStringsSep " " cfg.fallbackDns}"} ${optionalString (cfg.domains != []) "Domains=${concatStringsSep " " cfg.domains}"} diff --git a/nixos/modules/system/boot/systemd/initrd-secrets.nix b/nixos/modules/system/boot/systemd/initrd-secrets.nix index 7b59c0cbe7b84..d375238aa146e 100644 --- a/nixos/modules/system/boot/systemd/initrd-secrets.nix +++ b/nixos/modules/system/boot/systemd/initrd-secrets.nix @@ -11,7 +11,8 @@ description = "Copy secrets into place"; # Run as early as possible wantedBy = [ "sysinit.target" ]; - before = [ "cryptsetup-pre.target" ]; + before = [ "cryptsetup-pre.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; # We write the secrets to /.initrd-secrets and move them because this allows diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index 7e67eb4244482..4ae07944afc3c 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix @@ -90,8 +90,6 @@ let fileSystems = filter utils.fsNeededForBoot config.system.build.fileSystems; - needMakefs = lib.any (fs: fs.autoFormat) fileSystems; - kernel-name = config.boot.kernelPackages.kernel.name or "kernel"; modulesTree = config.system.modulesTree.override { name = kernel-name + "-modules"; }; firmware = config.hardware.firmware; @@ -429,7 +427,7 @@ in { "${cfg.package}/lib/systemd/systemd-fsck" "${cfg.package}/lib/systemd/systemd-hibernate-resume" "${cfg.package}/lib/systemd/systemd-journald" - (lib.mkIf needMakefs "${cfg.package}/lib/systemd/systemd-makefs") + "${cfg.package}/lib/systemd/systemd-makefs" "${cfg.package}/lib/systemd/systemd-modules-load" "${cfg.package}/lib/systemd/systemd-remount-fs" "${cfg.package}/lib/systemd/systemd-shutdown" diff --git a/nixos/modules/system/boot/systemd/oomd.nix b/nixos/modules/system/boot/systemd/oomd.nix index fad755e278c77..000b18c01609a 100644 --- a/nixos/modules/system/boot/systemd/oomd.nix +++ b/nixos/modules/system/boot/systemd/oomd.nix @@ -3,14 +3,18 @@ cfg = config.systemd.oomd; in { + imports = [ + (lib.mkRenamedOptionModule [ "systemd" "oomd" "enableUserServices" ] [ "systemd" "oomd" "enableUserSlices" ]) + ]; + options.systemd.oomd = { enable = lib.mkEnableOption (lib.mdDoc "the `systemd-oomd` OOM killer") // { default = true; }; # Fedora enables the first and third option by default. See the 10-oomd-* files here: - # https://src.fedoraproject.org/rpms/systemd/tree/acb90c49c42276b06375a66c73673ac351025597 + # https://src.fedoraproject.org/rpms/systemd/tree/806c95e1c70af18f81d499b24cd7acfa4c36ffd6 enableRootSlice = lib.mkEnableOption (lib.mdDoc "oomd on the root slice (`-.slice`)"); enableSystemSlice = lib.mkEnableOption (lib.mdDoc "oomd on the system slice (`system.slice`)"); - enableUserServices = lib.mkEnableOption (lib.mdDoc "oomd on all user services (`user@.service`)"); + enableUserSlices = lib.mkEnableOption (lib.mdDoc "oomd on all user slices (`user@.slice`) and all user owned slices"); extraConfig = lib.mkOption { type = with lib.types; attrsOf (oneOf [ str int bool ]); @@ -44,14 +48,24 @@ in { users.groups.systemd-oom = { }; systemd.slices."-".sliceConfig = lib.mkIf cfg.enableRootSlice { - ManagedOOMSwap = "kill"; + ManagedOOMMemoryPressure = "kill"; + ManagedOOMMemoryPressureLimit = "80%"; }; systemd.slices."system".sliceConfig = lib.mkIf cfg.enableSystemSlice { - ManagedOOMSwap = "kill"; + ManagedOOMMemoryPressure = "kill"; + ManagedOOMMemoryPressureLimit = "80%"; }; - systemd.services."user@".serviceConfig = lib.mkIf cfg.enableUserServices { + systemd.slices."user-".sliceConfig = lib.mkIf cfg.enableUserSlices { ManagedOOMMemoryPressure = "kill"; - ManagedOOMMemoryPressureLimit = "50%"; + ManagedOOMMemoryPressureLimit = "80%"; + }; + systemd.user.units."slice" = lib.mkIf cfg.enableUserSlices { + text = '' + [Slice] + ManagedOOMMemoryPressure=kill + ManagedOOMMemoryPressureLimit=80% + ''; + overrideStrategy = "asDropin"; }; }; } diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index 91e30aa4c0af9..1378a0090c1df 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -406,7 +406,8 @@ in ConditionVirtualization = "!container"; DefaultDependencies = false; # needed to prevent a cycle }; - before = [ "systemd-pstore.service" ]; + before = [ "systemd-pstore.service" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; wantedBy = [ "systemd-pstore.service" ]; }; }; diff --git a/nixos/modules/tasks/filesystems/bcachefs.nix b/nixos/modules/tasks/filesystems/bcachefs.nix index 639ff87841b6a..85cbe72e433fd 100644 --- a/nixos/modules/tasks/filesystems/bcachefs.nix +++ b/nixos/modules/tasks/filesystems/bcachefs.nix @@ -78,9 +78,10 @@ let value = { description = "Unlock bcachefs for ${fs.mountPoint}"; requiredBy = [ mountUnit ]; - before = [ mountUnit ]; - bindsTo = [ deviceUnit ]; after = [ deviceUnit ]; + before = [ mountUnit "shutdown.target" ]; + bindsTo = [ deviceUnit ]; + conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; serviceConfig = { Type = "oneshot"; diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 784040f0ce9e3..b38f228fc1606 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -130,7 +130,8 @@ let "systemd-ask-password-console.service" ] ++ optional (config.boot.initrd.clevis.useTang) "network-online.target"; requiredBy = getPoolMounts prefix pool ++ [ "zfs-import.target" ]; - before = getPoolMounts prefix pool ++ [ "zfs-import.target" ]; + before = getPoolMounts prefix pool ++ [ "shutdown.target" "zfs-import.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig = { DefaultDependencies = "no"; }; @@ -508,9 +509,15 @@ in }; services.zfs.zed = { - enableMail = mkEnableOption (lib.mdDoc "ZED's ability to send emails") // { - default = cfgZfs.package.enableMail; - defaultText = literalExpression "config.${optZfs.package}.enableMail"; + enableMail = mkOption { + type = types.bool; + default = config.services.mail.sendmailSetuidWrapper != null; + defaultText = literalExpression '' + config.services.mail.sendmailSetuidWrapper != null + ''; + description = mdDoc '' + Whether to enable ZED's ability to send emails. + ''; }; settings = mkOption { @@ -551,14 +558,6 @@ in message = "The kernel module and the userspace tooling versions are not matching, this is an unsupported usecase."; } { - assertion = cfgZED.enableMail -> cfgZfs.package.enableMail; - message = '' - To allow ZED to send emails, ZFS needs to be configured to enable - this. To do so, one must override the `zfs` package and set - `enableMail` to true. - ''; - } - { assertion = config.networking.hostId != null; message = "ZFS requires networking.hostId to be set"; } @@ -668,10 +667,17 @@ in # TODO FIXME See https://github.com/NixOS/nixpkgs/pull/99386#issuecomment-798813567. To not break people's bootloader and as probably not everybody would read release notes that thoroughly add inSystem. boot.loader.grub = mkIf (inInitrd || inSystem) { zfsSupport = true; + zfsPackage = cfgZfs.package; }; services.zfs.zed.settings = { - ZED_EMAIL_PROG = mkIf cfgZED.enableMail (mkDefault "${pkgs.mailutils}/bin/mail"); + ZED_EMAIL_PROG = mkIf cfgZED.enableMail (mkDefault ( + config.security.wrapperDir + "/" + + config.services.mail.sendmailSetuidWrapper.program + )); + # subject in header for sendmail + ZED_EMAIL_OPTS = mkIf cfgZED.enableMail (mkDefault "@ADDRESS@"); + PATH = lib.makeBinPath [ cfgZfs.package pkgs.coreutils diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 53ffaa028038d..2b2d24a64cb20 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1410,9 +1410,11 @@ in systemd.services.domainname = lib.mkIf (cfg.domain != null) { wantedBy = [ "sysinit.target" ]; - before = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; serviceConfig.ExecStart = ''${pkgs.nettools}/bin/domainname "${cfg.domain}"''; + serviceConfig.Type = "oneshot"; }; environment.etc.hostid = mkIf (cfg.hostId != null) { source = hostidFile; }; diff --git a/nixos/modules/tasks/trackpoint.nix b/nixos/modules/tasks/trackpoint.nix index d197a0feb337c..317613b847927 100644 --- a/nixos/modules/tasks/trackpoint.nix +++ b/nixos/modules/tasks/trackpoint.nix @@ -80,10 +80,17 @@ with lib; ACTION=="add|change", SUBSYSTEM=="input", ATTR{name}=="${cfg.device}", ATTR{device/speed}="${toString cfg.speed}", ATTR{device/sensitivity}="${toString cfg.sensitivity}" ''; - system.activationScripts.trackpoint = - '' - ${config.systemd.package}/bin/udevadm trigger --attr-match=name="${cfg.device}" + systemd.services.trackpoint = { + wantedBy = [ "sysinit.target" ] ; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; + unitConfig.DefaultDependencies = false; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + serviceConfig.ExecStart = '' + ${config.systemd.package}/bin/udevadm trigger --attr-match=name="${cfg.device} ''; + }; }) (mkIf (cfg.emulateWheel) { diff --git a/nixos/modules/virtualisation/azure-agent.nix b/nixos/modules/virtualisation/azure-agent.nix index e712fac17a462..ac4cd752615da 100644 --- a/nixos/modules/virtualisation/azure-agent.nix +++ b/nixos/modules/virtualisation/azure-agent.nix @@ -202,6 +202,13 @@ in services.udev.packages = [ pkgs.waagent ]; + # Provide waagent-shipped udev rules in initrd too. + boot.initrd.services.udev.packages = [ pkgs.waagent ]; + # udev rules shell out to chmod, cut and readlink, which are all + # provided by pkgs.coreutils, which is in services.udev.path, but not + # boot.initrd.services.udev.binPackages. + boot.initrd.services.udev.binPackages = [ pkgs.coreutils ]; + networking.dhcpcd.persistent = true; services.logrotate = { @@ -245,6 +252,27 @@ in pkgs.e2fsprogs pkgs.bash + pkgs.findutils + pkgs.gnugrep + pkgs.gnused + pkgs.iproute2 + pkgs.iptables + + # for hostname + pkgs.nettools + + pkgs.openssh + pkgs.openssl + pkgs.parted + + # for pidof + pkgs.procps + + # for useradd, usermod + pkgs.shadow + + pkgs.util-linux # for (u)mount, fdisk, sfdisk, mkswap + # waagent's Microsoft.OSTCExtensions.VMAccessForLinux needs Python 3 pkgs.python39 diff --git a/nixos/modules/virtualisation/lxd-agent.nix b/nixos/modules/virtualisation/lxd-agent.nix index 59dd46b74b400..8a2a1530eeb79 100644 --- a/nixos/modules/virtualisation/lxd-agent.nix +++ b/nixos/modules/virtualisation/lxd-agent.nix @@ -58,18 +58,28 @@ in { systemd.services.lxd-agent = { enable = true; wantedBy = [ "multi-user.target" ]; - path = [ pkgs.kmod pkgs.util-linux ]; + before = [ "shutdown.target" ] ++ lib.optionals config.services.cloud-init.enable [ + "cloud-init.target" "cloud-init.service" "cloud-init-local.service" + ]; + conflicts = [ "shutdown.target" ]; + path = [ + pkgs.kmod + pkgs.util-linux + + # allow `incus exec` to find system binaries + "/run/current-system/sw" + ]; preStart = preStartScript; # avoid killing nixos-rebuild switch when executed through lxc exec + restartIfChanged = false; stopIfChanged = false; unitConfig = { Description = "LXD - agent"; Documentation = "https://documentation.ubuntu.com/lxd/en/latest"; ConditionPathExists = "/dev/virtio-ports/org.linuxcontainers.lxd"; - Before = lib.optionals config.services.cloud-init.enable [ "cloud-init.target" "cloud-init.service" "cloud-init-local.service" ]; DefaultDependencies = "no"; StartLimitInterval = "60"; StartLimitBurst = "10"; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index d92fd48a6103c..3d7f3ccb62f84 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -1256,6 +1256,8 @@ in unitConfig.RequiresMountsFor = "/sysroot/nix/.ro-store"; }]; services.rw-store = { + before = [ "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig = { DefaultDependencies = false; RequiresMountsFor = "/sysroot/nix/.rw-store"; diff --git a/nixos/modules/virtualisation/vmware-host.nix b/nixos/modules/virtualisation/vmware-host.nix index 1eaa896fe0965..094114623a424 100644 --- a/nixos/modules/virtualisation/vmware-host.nix +++ b/nixos/modules/virtualisation/vmware-host.nix @@ -85,34 +85,43 @@ in }; }; - ###### wrappers activation script + # Services - system.activationScripts.vmwareWrappers = - lib.stringAfter [ "specialfs" "users" ] - '' - mkdir -p "${parentWrapperDir}" - chmod 755 "${parentWrapperDir}" - # We want to place the tmpdirs for the wrappers to the parent dir. - wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX) - chmod a+rx "$wrapperDir" - ${lib.concatStringsSep "\n" (vmwareWrappers)} - if [ -L ${wrapperDir} ]; then - # Atomically replace the symlink - # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ - old=$(readlink -f ${wrapperDir}) - if [ -e "${wrapperDir}-tmp" ]; then - rm --force --recursive "${wrapperDir}-tmp" - fi - ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp" - mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}" - rm --force --recursive "$old" - else - # For initial setup - ln --symbolic "$wrapperDir" "${wrapperDir}" + systemd.services."vmware-wrappers" = { + description = "Create VMVare Wrappers"; + wantedBy = [ "multi-user.target" ]; + before = [ + "vmware-authdlauncher.service" + "vmware-networks-configuration.service" + "vmware-networks.service" + "vmware-usbarbitrator.service" + ]; + after = [ "systemd-sysusers.service" ]; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + script = '' + mkdir -p "${parentWrapperDir}" + chmod 755 "${parentWrapperDir}" + # We want to place the tmpdirs for the wrappers to the parent dir. + wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX) + chmod a+rx "$wrapperDir" + ${lib.concatStringsSep "\n" (vmwareWrappers)} + if [ -L ${wrapperDir} ]; then + # Atomically replace the symlink + # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ + old=$(readlink -f ${wrapperDir}) + if [ -e "${wrapperDir}-tmp" ]; then + rm --force --recursive "${wrapperDir}-tmp" fi - ''; - - # Services + ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp" + mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}" + rm --force --recursive "$old" + else + # For initial setup + ln --symbolic "$wrapperDir" "${wrapperDir}" + fi + ''; + }; systemd.services."vmware-authdlauncher" = { description = "VMware Authentication Daemon"; diff --git a/nixos/modules/virtualisation/waydroid.nix b/nixos/modules/virtualisation/waydroid.nix index b0e85b685083b..1f466c780cf22 100644 --- a/nixos/modules/virtualisation/waydroid.nix +++ b/nixos/modules/virtualisation/waydroid.nix @@ -32,7 +32,7 @@ in system.requiredKernelConfig = [ (kCfg.isEnabled "ANDROID_BINDER_IPC") (kCfg.isEnabled "ANDROID_BINDERFS") - (kCfg.isEnabled "ASHMEM") # FIXME Needs memfd support instead on Linux 5.18 and waydroid 1.2.1 + (kCfg.isEnabled "MEMFD_CREATE") ]; /* NOTE: we always enable this flag even if CONFIG_PSI_DEFAULT_DISABLED is not on diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index 9b4b92be6f3ac..47506b964af49 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -90,6 +90,7 @@ in rec { (onSystems ["x86_64-linux"] "nixos.tests.installer.btrfsSubvols") (onSystems ["x86_64-linux"] "nixos.tests.installer.luksroot") (onSystems ["x86_64-linux"] "nixos.tests.installer.lvm") + (onSystems ["x86_64-linux"] "nixos.tests.installer.separateBootZfs") (onSystems ["x86_64-linux"] "nixos.tests.installer.separateBootFat") (onSystems ["x86_64-linux"] "nixos.tests.installer.separateBoot") (onSystems ["x86_64-linux"] "nixos.tests.installer.simpleLabels") diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 0322ec9dc551a..02e3e91e2e3db 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -120,6 +120,7 @@ in { amazon-ssm-agent = handleTest ./amazon-ssm-agent.nix {}; amd-sev = runTest ./amd-sev.nix; anbox = runTest ./anbox.nix; + angie-api = handleTest ./angie-api.nix {}; anki-sync-server = handleTest ./anki-sync-server.nix {}; anuko-time-tracker = handleTest ./anuko-time-tracker.nix {}; apcupsd = handleTest ./apcupsd.nix {}; @@ -163,7 +164,7 @@ in { btrbk-no-timer = handleTest ./btrbk-no-timer.nix {}; btrbk-section-order = handleTest ./btrbk-section-order.nix {}; budgie = handleTest ./budgie.nix {}; - buildbot = handleTestOn [ "x86_64-linux" ] ./buildbot.nix {}; + buildbot = handleTest ./buildbot.nix {}; buildkite-agents = handleTest ./buildkite-agents.nix {}; c2fmzq = handleTest ./c2fmzq.nix {}; caddy = handleTest ./caddy.nix {}; @@ -197,6 +198,7 @@ in { cntr = handleTestOn ["aarch64-linux" "x86_64-linux"] ./cntr.nix {}; cockpit = handleTest ./cockpit.nix {}; cockroachdb = handleTestOn ["x86_64-linux"] ./cockroachdb.nix {}; + code-server = handleTest ./code-server.nix {}; coder = handleTest ./coder.nix {}; collectd = handleTest ./collectd.nix {}; connman = handleTest ./connman.nix {}; @@ -255,6 +257,7 @@ in { dolibarr = handleTest ./dolibarr.nix {}; domination = handleTest ./domination.nix {}; dovecot = handleTest ./dovecot.nix {}; + drawterm = discoverTests (import ./drawterm.nix); drbd = handleTest ./drbd.nix {}; dublin-traceroute = handleTest ./dublin-traceroute.nix {}; earlyoom = handleTestOn ["x86_64-linux"] ./earlyoom.nix {}; @@ -315,6 +318,7 @@ in { freetube = discoverTests (import ./freetube.nix); freshrss-sqlite = handleTest ./freshrss-sqlite.nix {}; freshrss-pgsql = handleTest ./freshrss-pgsql.nix {}; + freshrss-http-auth = handleTest ./freshrss-http-auth.nix {}; frigate = handleTest ./frigate.nix {}; frp = handleTest ./frp.nix {}; frr = handleTest ./frr.nix {}; @@ -340,6 +344,7 @@ in { gnome-extensions = handleTest ./gnome-extensions.nix {}; gnome-flashback = handleTest ./gnome-flashback.nix {}; gnome-xorg = handleTest ./gnome-xorg.nix {}; + gns3-server = handleTest ./gns3-server.nix {}; gnupg = handleTest ./gnupg.nix {}; go-neb = handleTest ./go-neb.nix {}; gobgpd = handleTest ./gobgpd.nix {}; @@ -406,7 +411,7 @@ in { incus = pkgs.recurseIntoAttrs (handleTest ./incus { inherit handleTestOn; }); influxdb = handleTest ./influxdb.nix {}; influxdb2 = handleTest ./influxdb2.nix {}; - initrd-network-openvpn = handleTest ./initrd-network-openvpn {}; + initrd-network-openvpn = handleTestOn [ "x86_64-linux" "i686-linux" ] ./initrd-network-openvpn {}; initrd-network-ssh = handleTest ./initrd-network-ssh {}; initrd-luks-empty-passphrase = handleTest ./initrd-luks-empty-passphrase.nix {}; initrdNetwork = handleTest ./initrd-network.nix {}; @@ -541,6 +546,7 @@ in { munin = handleTest ./munin.nix {}; mutableUsers = handleTest ./mutable-users.nix {}; mxisd = handleTest ./mxisd.nix {}; + mympd = handleTest ./mympd.nix {}; mysql = handleTest ./mysql/mysql.nix {}; mysql-autobackup = handleTest ./mysql/mysql-autobackup.nix {}; mysql-backup = handleTest ./mysql/mysql-backup.nix {}; @@ -583,6 +589,7 @@ in { nginx-njs = handleTest ./nginx-njs.nix {}; nginx-proxyprotocol = handleTest ./nginx-proxyprotocol {}; nginx-pubhtml = handleTest ./nginx-pubhtml.nix {}; + nginx-redirectcode = handleTest ./nginx-redirectcode.nix {}; nginx-sso = handleTest ./nginx-sso.nix {}; nginx-status-page = handleTest ./nginx-status-page.nix {}; nginx-tmpdir = handleTest ./nginx-tmpdir.nix {}; @@ -605,6 +612,7 @@ in { noto-fonts = handleTest ./noto-fonts.nix {}; noto-fonts-cjk-qt-default-weight = handleTest ./noto-fonts-cjk-qt-default-weight.nix {}; novacomd = handleTestOn ["x86_64-linux"] ./novacomd.nix {}; + npmrc = handleTest ./npmrc.nix {}; nscd = handleTest ./nscd.nix {}; nsd = handleTest ./nsd.nix {}; ntfy-sh = handleTest ./ntfy-sh.nix {}; @@ -716,6 +724,7 @@ in { qgis-ltr = handleTest ./qgis.nix { qgisPackage = pkgs.qgis-ltr; }; qownnotes = handleTest ./qownnotes.nix {}; quake3 = handleTest ./quake3.nix {}; + quicktun = handleTest ./quicktun.nix {}; quorum = handleTest ./quorum.nix {}; rabbitmq = handleTest ./rabbitmq.nix {}; radarr = handleTest ./radarr.nix {}; @@ -734,6 +743,7 @@ in { rosenpass = handleTest ./rosenpass.nix {}; rshim = handleTest ./rshim.nix {}; rspamd = handleTest ./rspamd.nix {}; + rspamd-trainer = handleTest ./rspamd-trainer.nix {}; rss2email = handleTest ./rss2email.nix {}; rstudio-server = handleTest ./rstudio-server.nix {}; rsyncd = handleTest ./rsyncd.nix {}; @@ -777,6 +787,7 @@ in { spark = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./spark {}; sqlite3-to-mysql = handleTest ./sqlite3-to-mysql.nix {}; sslh = handleTest ./sslh.nix {}; + ssh-agent-auth = handleTest ./ssh-agent-auth.nix {}; ssh-audit = handleTest ./ssh-audit.nix {}; sssd = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd.nix {}; sssd-ldap = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd-ldap.nix {}; @@ -787,6 +798,7 @@ in { step-ca = handleTestOn ["x86_64-linux"] ./step-ca.nix {}; stratis = handleTest ./stratis {}; strongswan-swanctl = handleTest ./strongswan-swanctl.nix {}; + stub-ld = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./stub-ld.nix {}; stunnel = handleTest ./stunnel.nix {}; sudo = handleTest ./sudo.nix {}; sudo-rs = handleTest ./sudo-rs.nix {}; @@ -826,7 +838,7 @@ in { systemd-initrd-vconsole = handleTest ./systemd-initrd-vconsole.nix {}; systemd-initrd-networkd = handleTest ./systemd-initrd-networkd.nix {}; systemd-initrd-networkd-ssh = handleTest ./systemd-initrd-networkd-ssh.nix {}; - systemd-initrd-networkd-openvpn = handleTest ./initrd-network-openvpn { systemdStage1 = true; }; + systemd-initrd-networkd-openvpn = handleTestOn [ "x86_64-linux" "i686-linux" ] ./initrd-network-openvpn { systemdStage1 = true; }; systemd-initrd-vlan = handleTest ./systemd-initrd-vlan.nix {}; systemd-journal = handleTest ./systemd-journal.nix {}; systemd-machinectl = handleTest ./systemd-machinectl.nix {}; diff --git a/nixos/tests/anbox.nix b/nixos/tests/anbox.nix index dfd6c13d93181..a00116536db7e 100644 --- a/nixos/tests/anbox.nix +++ b/nixos/tests/anbox.nix @@ -15,7 +15,7 @@ test-support.displayManager.auto.user = "alice"; virtualisation.anbox.enable = true; - boot.kernelPackages = pkgs.linuxPackages_5_15; + boot.kernelPackages = pkgs.linuxKernel.packages.linux_5_15; virtualisation.memorySize = 2500; }; diff --git a/nixos/tests/angie-api.nix b/nixos/tests/angie-api.nix new file mode 100644 index 0000000000000..4c8d6b54247b1 --- /dev/null +++ b/nixos/tests/angie-api.nix @@ -0,0 +1,148 @@ +import ./make-test-python.nix ({lib, pkgs, ...}: +let + hosts = '' + 192.168.2.101 example.com + 192.168.2.101 api.example.com + 192.168.2.101 backend.example.com + ''; + +in +{ + name = "angie-api"; + meta.maintainers = with pkgs.lib.maintainers; [ izorkin ]; + + nodes = { + server = { pkgs, ... }: { + networking = { + interfaces.eth1 = { + ipv4.addresses = [ + { address = "192.168.2.101"; prefixLength = 24; } + ]; + }; + extraHosts = hosts; + firewall.allowedTCPPorts = [ 80 ]; + }; + + services.nginx = { + enable = true; + package = pkgs.angie; + + upstreams = { + "backend-http" = { + servers = { "backend.example.com:8080" = { fail_timeout = "0"; }; }; + extraConfig = '' + zone upstream 256k; + ''; + }; + "backend-socket" = { + servers = { "unix:/run/example.sock" = { fail_timeout = "0"; }; }; + extraConfig = '' + zone upstream 256k; + ''; + }; + }; + + virtualHosts."api.example.com" = { + locations."/console/" = { + extraConfig = '' + api /status/; + + allow 192.168.2.201; + deny all; + ''; + }; + }; + + virtualHosts."example.com" = { + locations."/test/" = { + root = lib.mkForce (pkgs.runCommandLocal "testdir" {} '' + mkdir -p "$out/test" + cat > "$out/test/index.html" <<EOF + <html><body>Hello World!</body></html> + EOF + ''); + extraConfig = '' + status_zone test_zone; + + allow 192.168.2.201; + deny all; + ''; + }; + locations."/test/locked/" = { + extraConfig = '' + status_zone test_zone; + + deny all; + ''; + }; + locations."/test/error/" = { + extraConfig = '' + status_zone test_zone; + + allow all; + ''; + }; + locations."/upstream-http/" = { + proxyPass = "http://backend-http"; + }; + locations."/upstream-socket/" = { + proxyPass = "http://backend-socket"; + }; + }; + }; + }; + + client = { pkgs, ... }: { + environment.systemPackages = [ pkgs.jq ]; + networking = { + interfaces.eth1 = { + ipv4.addresses = [ + { address = "192.168.2.201"; prefixLength = 24; } + ]; + }; + extraHosts = hosts; + }; + }; + }; + + testScript = '' + start_all() + + server.wait_for_unit("nginx") + server.wait_for_open_port(80) + + # Check Angie version + client.succeed("curl --verbose http://api.example.com/console/ | jq -e '.angie.version' | grep '${pkgs.angie.version}'") + + # Check access + client.succeed("curl --verbose --head http://api.example.com/console/ | grep 'HTTP/1.1 200'") + server.succeed("curl --verbose --head http://api.example.com/console/ | grep 'HTTP/1.1 403 Forbidden'") + + # Check responses and requests + client.succeed("curl --verbose http://example.com/test/") + client.succeed("curl --verbose http://example.com/test/locked/") + client.succeed("curl --verbose http://example.com/test/locked/") + client.succeed("curl --verbose http://example.com/test/error/") + client.succeed("curl --verbose http://example.com/test/error/") + client.succeed("curl --verbose http://example.com/test/error/") + server.succeed("curl --verbose http://example.com/test/") + client.succeed("curl --verbose http://api.example.com/console/ | jq -e '.http.location_zones.test_zone.responses.\"200\"' | grep '1'") + client.succeed("curl --verbose http://api.example.com/console/ | jq -e '.http.location_zones.test_zone.responses.\"403\"' | grep '3'") + client.succeed("curl --verbose http://api.example.com/console/ | jq -e '.http.location_zones.test_zone.responses.\"404\"' | grep '3'") + client.succeed("curl --verbose http://api.example.com/console/ | jq -e '.http.location_zones.test_zone.requests.total' | grep '7'") + + # Check upstreams + client.succeed("curl --verbose http://api.example.com/console/ | jq -e '.http.upstreams.\"backend-http\".peers.\"192.168.2.101:8080\".state' | grep 'up'") + client.succeed("curl --verbose http://api.example.com/console/ | jq -e '.http.upstreams.\"backend-http\".peers.\"192.168.2.101:8080\".health.fails' | grep '0'") + client.succeed("curl --verbose http://api.example.com/console/ | jq -e '.http.upstreams.\"backend-socket\".peers.\"unix:/run/example.sock\".state' | grep 'up'") + client.succeed("curl --verbose http://api.example.com/console/ | jq -e '.http.upstreams.\"backend-socket\".peers.\"unix:/run/example.sock\".health.fails' | grep '0'") + client.succeed("curl --verbose http://example.com/upstream-http/") + client.succeed("curl --verbose http://example.com/upstream-socket/") + client.succeed("curl --verbose http://example.com/upstream-socket/") + client.succeed("curl --verbose http://api.example.com/console/ | jq -e '.http.upstreams.\"backend-http\".peers.\"192.168.2.101:8080\".health.fails' | grep '1'") + client.succeed("curl --verbose http://api.example.com/console/ | jq -e '.http.upstreams.\"backend-socket\".peers.\"unix:/run/example.sock\".health.fails' | grep '2'") + + server.shutdown() + client.shutdown() + ''; +}) diff --git a/nixos/tests/btrbk-section-order.nix b/nixos/tests/btrbk-section-order.nix index 20f1afcf80ec7..6082de947f66f 100644 --- a/nixos/tests/btrbk-section-order.nix +++ b/nixos/tests/btrbk-section-order.nix @@ -29,10 +29,12 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { }; testScript = '' + import difflib machine.wait_for_unit("basic.target") - got = machine.succeed("cat /etc/btrbk/local.conf") + got = machine.succeed("cat /etc/btrbk/local.conf").strip() expect = """ backend btrfs-progs-sudo + stream_compress no timestamp_format long target ssh://global-target/ ssh_user root @@ -46,6 +48,9 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { ssh_user root """.strip() print(got) + if got != expect: + diff = difflib.unified_diff(expect.splitlines(keepends=True), got.splitlines(keepends=True), fromfile="expected", tofile="got") + print("".join(diff)) assert got == expect ''; }) diff --git a/nixos/tests/ceph-single-node.nix b/nixos/tests/ceph-single-node.nix index 4a5636fac1563..a3a4072365af8 100644 --- a/nixos/tests/ceph-single-node.nix +++ b/nixos/tests/ceph-single-node.nix @@ -182,16 +182,19 @@ let monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'") monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'") + # This test has been commented out due to the upstream issue with pyo3 + # that has broken this dashboard + # Reference: https://www.spinics.net/lists/ceph-users/msg77812.html # Enable the dashboard and recheck health - monA.succeed( - "ceph mgr module enable dashboard", - "ceph config set mgr mgr/dashboard/ssl false", - # default is 8080 but it's better to be explicit - "ceph config set mgr mgr/dashboard/server_port 8080", - ) - monA.wait_for_open_port(8080) - monA.wait_until_succeeds("curl -q --fail http://localhost:8080") - monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'") + # monA.succeed( + # "ceph mgr module enable dashboard", + # "ceph config set mgr mgr/dashboard/ssl false", + # # default is 8080 but it's better to be explicit + # "ceph config set mgr mgr/dashboard/server_port 8080", + # ) + # monA.wait_for_open_port(8080) + # monA.wait_until_succeeds("curl -q --fail http://localhost:8080") + # monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'") ''; in { name = "basic-single-node-ceph-cluster"; diff --git a/nixos/tests/cinnamon-wayland.nix b/nixos/tests/cinnamon-wayland.nix index 58dddbbb0866a..824a606004cc0 100644 --- a/nixos/tests/cinnamon-wayland.nix +++ b/nixos/tests/cinnamon-wayland.nix @@ -12,6 +12,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { autoLogin.user = nodes.machine.users.users.alice.name; defaultSession = "cinnamon-wayland"; }; + + # For the sessionPath subtest. + services.xserver.desktopManager.cinnamon.sessionPath = [ pkgs.gnome.gpaste ]; }; enableOCR = true; @@ -47,6 +50,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.wait_until_succeeds("journalctl -b --grep 'Loaded applet menu@cinnamon.org'") machine.wait_until_succeeds("journalctl -b --grep 'calendar@cinnamon.org: Calendar events supported'") + with subtest("Check if sessionPath option actually works"): + machine.succeed("${eval "imports.gi.GIRepository.Repository.get_search_path\\(\\)"} | grep gpaste") + with subtest("Open Cinnamon Settings"): machine.succeed("${su "cinnamon-settings themes >&2 &"}") machine.wait_until_succeeds("${eval "global.display.focus_window.wm_class"} | grep -i 'cinnamon-settings'") diff --git a/nixos/tests/cinnamon.nix b/nixos/tests/cinnamon.nix index 7637b55a2b124..eab907d0b712c 100644 --- a/nixos/tests/cinnamon.nix +++ b/nixos/tests/cinnamon.nix @@ -7,6 +7,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { imports = [ ./common/user-account.nix ]; services.xserver.enable = true; services.xserver.desktopManager.cinnamon.enable = true; + + # For the sessionPath subtest. + services.xserver.desktopManager.cinnamon.sessionPath = [ pkgs.gnome.gpaste ]; }; enableOCR = true; @@ -49,6 +52,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.wait_until_succeeds("journalctl -b --grep 'Loaded applet menu@cinnamon.org'") machine.wait_until_succeeds("journalctl -b --grep 'calendar@cinnamon.org: Calendar events supported'") + with subtest("Check if sessionPath option actually works"): + machine.succeed("${eval "imports.gi.GIRepository.Repository.get_search_path\\(\\)"} | grep gpaste") + with subtest("Open Cinnamon Settings"): machine.succeed("${su "cinnamon-settings themes >&2 &"}") machine.wait_until_succeeds("${eval "global.display.focus_window.wm_class"} | grep -i 'cinnamon-settings'") diff --git a/nixos/tests/code-server.nix b/nixos/tests/code-server.nix new file mode 100644 index 0000000000000..7d523dfc617e3 --- /dev/null +++ b/nixos/tests/code-server.nix @@ -0,0 +1,22 @@ +import ./make-test-python.nix ({pkgs, lib, ...}: +{ + name = "code-server"; + + nodes = { + machine = {pkgs, ...}: { + services.code-server = { + enable = true; + auth = "none"; + }; + }; + }; + + testScript = '' + start_all() + machine.wait_for_unit("code-server.service") + machine.wait_for_open_port(4444) + machine.succeed("curl -k --fail http://localhost:4444", timeout=10) + ''; + + meta.maintainers = [ lib.maintainers.drupol ]; +}) diff --git a/nixos/tests/containers-custom-pkgs.nix b/nixos/tests/containers-custom-pkgs.nix index e8740ac631345..57184787c85f6 100644 --- a/nixos/tests/containers-custom-pkgs.nix +++ b/nixos/tests/containers-custom-pkgs.nix @@ -9,7 +9,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: let in { name = "containers-custom-pkgs"; meta = { - maintainers = with lib.maintainers; [ adisbladis erikarvstedt ]; + maintainers = with lib.maintainers; [ erikarvstedt ]; }; nodes.machine = { config, ... }: { diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix index 18bec1db78e88..fff00e4f73a85 100644 --- a/nixos/tests/containers-imperative.nix +++ b/nixos/tests/containers-imperative.nix @@ -13,6 +13,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { nix.settings.sandbox = false; nix.settings.substituters = []; # don't try to access cache.nixos.org + virtualisation.memorySize = 2048; virtualisation.writableStore = true; # Make sure we always have all the required dependencies for creating a # container available within the VM, because we don't have network access. diff --git a/nixos/tests/dhparams.nix b/nixos/tests/dhparams.nix index 021042fafdb10..8d7082c114001 100644 --- a/nixos/tests/dhparams.nix +++ b/nixos/tests/dhparams.nix @@ -18,6 +18,8 @@ import ./make-test-python.nix { systemd.services.foo = { description = "Check systemd Ordering"; wantedBy = [ "multi-user.target" ]; + before = [ "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig = { # This is to make sure that the dhparams generation of foo occurs # before this service so we need this service to start as early as diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index fcdfa586fd55d..90af817e75ed3 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix @@ -11,7 +11,7 @@ let # Rootfs diffs for layers 1 and 2 are identical (and empty) layer1 = pkgs.dockerTools.buildImage { name = "empty"; }; layer2 = layer1.overrideAttrs (_: { fromImage = layer1; }); - repeatedRootfsDiffs = pkgs.runCommandNoCC "image-with-links.tar" { + repeatedRootfsDiffs = pkgs.runCommand "image-with-links.tar" { nativeBuildInputs = [pkgs.jq]; } '' mkdir contents diff --git a/nixos/tests/drawterm.nix b/nixos/tests/drawterm.nix new file mode 100644 index 0000000000000..1d444bb55433b --- /dev/null +++ b/nixos/tests/drawterm.nix @@ -0,0 +1,58 @@ +{ system, pkgs }: +let + tests = { + xorg = { + node = { pkgs, ... }: { + imports = [ ./common/user-account.nix ./common/x11.nix ]; + services.xserver.enable = true; + services.xserver.displayManager.sessionCommands = '' + ${pkgs.drawterm}/bin/drawterm -g 1024x768 & + ''; + test-support.displayManager.auto.user = "alice"; + }; + systems = [ "x86_64-linux" "aarch64-linux" ]; + }; + wayland = { + node = { pkgs, ... }: { + imports = [ ./common/wayland-cage.nix ]; + services.cage.program = "${pkgs.drawterm-wayland}/bin/drawterm"; + }; + systems = [ "x86_64-linux" ]; + }; + }; + + mkTest = name: machine: + import ./make-test-python.nix ({ pkgs, ... }: { + inherit name; + + nodes = { "${name}" = machine; }; + + meta = with pkgs.lib.maintainers; { + maintainers = [ moody ]; + }; + + enableOCR = true; + + testScript = '' + @polling_condition + def drawterm_running(): + machine.succeed("pgrep drawterm") + + start_all() + + machine.wait_for_unit("graphical.target") + drawterm_running.wait() # type: ignore[union-attr] + machine.wait_for_text("cpu") + machine.send_chars("cpu\n") + machine.wait_for_text("auth") + machine.send_chars("cpu\n") + machine.wait_for_text("ending") + machine.screenshot("out.png") + ''; + + }); + mkTestOn = systems: name: machine: + if pkgs.lib.elem system systems then mkTest name machine + else { ... }: { }; +in +builtins.mapAttrs (k: v: mkTestOn v.systems k v.node { inherit system; }) tests diff --git a/nixos/tests/ft2-clone.nix b/nixos/tests/ft2-clone.nix index a8395d4ebaa62..5476b38c00bd2 100644 --- a/nixos/tests/ft2-clone.nix +++ b/nixos/tests/ft2-clone.nix @@ -4,12 +4,11 @@ import ./make-test-python.nix ({ pkgs, ... }: { maintainers = [ fgaz ]; }; - nodes.machine = { config, pkgs, ... }: { + nodes.machine = { pkgs, ... }: { imports = [ ./common/x11.nix ]; - services.xserver.enable = true; sound.enable = true; environment.systemPackages = [ pkgs.ft2-clone ]; }; @@ -30,4 +29,3 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine.screenshot("screen") ''; }) - diff --git a/nixos/tests/gitlab.nix b/nixos/tests/gitlab.nix index 88cd774f815a5..8d31264253119 100644 --- a/nixos/tests/gitlab.nix +++ b/nixos/tests/gitlab.nix @@ -34,7 +34,7 @@ in { gitlab = { ... }: { imports = [ common/user-account.nix ]; - virtualisation.memorySize = if pkgs.stdenv.is64bit then 4096 else 2047; + virtualisation.memorySize = 6144; virtualisation.cores = 4; virtualisation.useNixStoreImage = true; virtualisation.writableStore = false; diff --git a/nixos/tests/gns3-server.nix b/nixos/tests/gns3-server.nix new file mode 100644 index 0000000000000..e37d751f5f640 --- /dev/null +++ b/nixos/tests/gns3-server.nix @@ -0,0 +1,55 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "gns3-server"; + meta.maintainers = [ lib.maintainers.anthonyroussel ]; + + nodes.machine = + { ... }: + let + tls-cert = pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } '' + openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 365 \ + -subj '/CN=localhost' + install -D -t $out key.pem cert.pem + ''; + in { + services.gns3-server = { + enable = true; + auth = { + enable = true; + user = "user"; + passwordFile = pkgs.writeText "gns3-auth-password-file" "password"; + }; + ssl = { + enable = true; + certFile = "${tls-cert}/cert.pem"; + keyFile = "${tls-cert}/key.pem"; + }; + dynamips.enable = true; + ubridge.enable = true; + vpcs.enable = true; + }; + + security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ]; + }; + + testScript = let + createProject = pkgs.writeText "createProject.json" (builtins.toJSON { + name = "test_project"; + }); + in + '' + start_all() + + machine.wait_for_unit("gns3-server.service") + machine.wait_for_open_port(3080) + + with subtest("server is listening"): + machine.succeed("curl -sSfL -u user:password https://localhost:3080/v2/version") + + with subtest("create dummy project"): + machine.succeed("curl -sSfL -u user:password https://localhost:3080/v2/projects -d @${createProject}") + + with subtest("logging works"): + log_path = "/var/log/gns3/server.log" + machine.wait_for_file(log_path) + ''; +}) diff --git a/nixos/tests/google-oslogin/default.nix b/nixos/tests/google-oslogin/default.nix index 72c87d7153bdf..cd05af6b9ed7a 100644 --- a/nixos/tests/google-oslogin/default.nix +++ b/nixos/tests/google-oslogin/default.nix @@ -12,7 +12,7 @@ let in { name = "google-oslogin"; meta = with pkgs.lib.maintainers; { - maintainers = [ adisbladis flokli ]; + maintainers = [ flokli ]; }; nodes = { @@ -71,4 +71,3 @@ in { ) ''; }) - diff --git a/nixos/tests/guix/basic.nix b/nixos/tests/guix/basic.nix index 7f90bdeeb1e0f..9b943b8965e60 100644 --- a/nixos/tests/guix/basic.nix +++ b/nixos/tests/guix/basic.nix @@ -11,7 +11,10 @@ import ../make-test-python.nix ({ lib, pkgs, ... }: { nodes.machine = { config, ... }: { environment.etc."guix/scripts".source = ./scripts; - services.guix.enable = true; + services.guix = { + enable = true; + gc.enable = true; + }; }; testScript = '' @@ -19,6 +22,7 @@ import ../make-test-python.nix ({ lib, pkgs, ... }: { machine.wait_for_unit("multi-user.target") machine.wait_for_unit("guix-daemon.service") + machine.succeed("systemctl start guix-gc.service") # Can't do much here since the environment has restricted network access. with subtest("Guix basic package management"): diff --git a/nixos/tests/incron.nix b/nixos/tests/incron.nix index c978ff27dfad5..d016360ba0ef8 100644 --- a/nixos/tests/incron.nix +++ b/nixos/tests/incron.nix @@ -13,9 +13,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: ''; # ensure the directory to be monitored exists before incron is started - system.activationScripts.incronTest = '' - mkdir /test - ''; + systemd.tmpfiles.settings.incron-test = { + "/test".d = { }; + }; }; testScript = '' diff --git a/nixos/tests/incus/container.nix b/nixos/tests/incus/container.nix index 2d3fa49e5bd18..2fa1709c7484b 100644 --- a/nixos/tests/incus/container.nix +++ b/nixos/tests/incus/container.nix @@ -56,6 +56,10 @@ in retry(instance_is_up) machine.succeed("echo true | incus exec container /run/current-system/sw/bin/bash -") + with subtest("Container mounts lxcfs overlays"): + machine.succeed("incus exec container mount | grep 'lxcfs on /proc/cpuinfo type fuse.lxcfs'") + machine.succeed("incus exec container mount | grep 'lxcfs on /proc/meminfo type fuse.lxcfs'") + with subtest("Container CPU limits can be managed"): set_container("limits.cpu 1") cpuinfo = machine.succeed("incus exec container grep -- -c ^processor /proc/cpuinfo").strip() diff --git a/nixos/tests/incus/virtual-machine.nix b/nixos/tests/incus/virtual-machine.nix index be5746ef63e26..343a25ca72970 100644 --- a/nixos/tests/incus/virtual-machine.nix +++ b/nixos/tests/incus/virtual-machine.nix @@ -53,5 +53,8 @@ in with subtest("lxd-agent is started"): machine.succeed("incus exec ${instance-name} systemctl is-active lxd-agent") + + with subtest("lxd-agent has a valid path"): + machine.succeed("incus exec ${instance-name} -- bash -c 'true'") ''; }) diff --git a/nixos/tests/initrd-network-openvpn/default.nix b/nixos/tests/initrd-network-openvpn/default.nix index 769049905eb8c..69db7dd1037f7 100644 --- a/nixos/tests/initrd-network-openvpn/default.nix +++ b/nixos/tests/initrd-network-openvpn/default.nix @@ -59,18 +59,19 @@ import ../make-test-python.nix ({ lib, ...}: # This command does not fork to keep the VM in the state where # only the initramfs is loaded - preLVMCommands = - '' - /bin/nc -p 1234 -lke /bin/echo TESTVALUE - ''; + preLVMCommands = lib.mkIf (!systemdStage1) + '' + /bin/nc -p 1234 -lke /bin/echo TESTVALUE + ''; network = { enable = true; # Work around udhcpc only getting a lease on eth0 - postCommands = '' - /bin/ip addr add 192.168.1.2/24 dev eth1 - ''; + postCommands = lib.mkIf (!systemdStage1) + '' + /bin/ip addr add 192.168.1.2/24 dev eth1 + ''; # Example configuration for OpenVPN # This is the main reason for this test diff --git a/nixos/tests/installed-tests/flatpak.nix b/nixos/tests/installed-tests/flatpak.nix index 9524d890c4025..fa191202f52d4 100644 --- a/nixos/tests/installed-tests/flatpak.nix +++ b/nixos/tests/installed-tests/flatpak.nix @@ -7,6 +7,7 @@ makeInstalledTest { testConfig = { xdg.portal.enable = true; xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ]; + xdg.portal.config.common.default = "gtk"; services.flatpak.enable = true; environment.systemPackages = with pkgs; [ gnupg ostree python3 ]; virtualisation.memorySize = 2047; diff --git a/nixos/tests/installer-systemd-stage-1.nix b/nixos/tests/installer-systemd-stage-1.nix index d0c01a779ef18..662017935412c 100644 --- a/nixos/tests/installer-systemd-stage-1.nix +++ b/nixos/tests/installer-systemd-stage-1.nix @@ -22,6 +22,7 @@ # lvm separateBoot separateBootFat + separateBootZfs simple simpleLabels simpleProvided diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index f7fc168eba8cf..d83e49a3e8f7c 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -878,6 +878,78 @@ in { ''; }; + # Same as the previous, but with ZFS /boot. + separateBootZfs = makeInstallerTest "separateBootZfs" { + extraInstallerConfig = { + boot.supportedFilesystems = [ "zfs" ]; + }; + + extraConfig = '' + # Using by-uuid overrides the default of by-id, and is unique + # to the qemu disks, as they don't produce by-id paths for + # some reason. + boot.zfs.devNodes = "/dev/disk/by-uuid/"; + networking.hostId = "00000000"; + ''; + + createPartitions = '' + machine.succeed( + "flock /dev/vda parted --script /dev/vda -- mklabel msdos" + + " mkpart primary ext2 1M 256MB" # /boot + + " mkpart primary linux-swap 256MB 1280M" + + " mkpart primary ext2 1280M -1s", # / + "udevadm settle", + + "mkswap /dev/vda2 -L swap", + "swapon -L swap", + + "mkfs.ext4 -L nixos /dev/vda3", + "mount LABEL=nixos /mnt", + + # Use as many ZFS features as possible to verify that GRUB can handle them + "zpool create" + " -o compatibility=grub2" + " -O utf8only=on" + " -O normalization=formD" + " -O compression=lz4" # Activate the lz4_compress feature + " -O xattr=sa" + " -O acltype=posixacl" + " bpool /dev/vda1", + "zfs create" + " -o recordsize=1M" # Prepare activating the large_blocks feature + " -o mountpoint=legacy" + " -o relatime=on" + " -o quota=1G" + " -o filesystem_limit=100" # Activate the filesystem_limits features + " bpool/boot", + + # Snapshotting the top-level dataset would trigger a bug in GRUB2: https://github.com/openzfs/zfs/issues/13873 + "zfs snapshot bpool/boot@snap-1", # Prepare activating the livelist and bookmarks features + "zfs clone bpool/boot@snap-1 bpool/test", # Activate the livelist feature + "zfs bookmark bpool/boot@snap-1 bpool/boot#bookmark", # Activate the bookmarks feature + "zpool checkpoint bpool", # Activate the zpool_checkpoint feature + "mkdir -p /mnt/boot", + "mount -t zfs bpool/boot /mnt/boot", + "touch /mnt/boot/empty", # Activate zilsaxattr feature + "dd if=/dev/urandom of=/mnt/boot/test bs=1M count=1", # Activate the large_blocks feature + + # Print out all enabled and active ZFS features (and some other stuff) + "sync /mnt/boot", + "zpool get all bpool >&2", + + # Abort early if GRUB2 doesn't like the disks + "grub-probe --target=device /mnt/boot >&2", + ) + ''; + + # umount & export bpool before shutdown + # this is a fix for "cannot import 'bpool': pool was previously in use from another system." + postInstallCommands = '' + machine.succeed("umount /mnt/boot") + machine.succeed("zpool export bpool") + ''; + }; + # zfs on / with swap zfsroot = makeInstallerTest "zfs-root" { extraInstallerConfig = { @@ -897,7 +969,7 @@ in { createPartitions = '' machine.succeed( "flock /dev/vda parted --script /dev/vda -- mklabel msdos" - + " mkpart primary 1M 100MB" # bpool + + " mkpart primary 1M 100MB" # /boot + " mkpart primary linux-swap 100M 1024M" + " mkpart primary 1024M -1s", # rpool "udevadm settle", @@ -909,20 +981,12 @@ in { "zfs create -o mountpoint=legacy rpool/root/usr", "mkdir /mnt/usr", "mount -t zfs rpool/root/usr /mnt/usr", - "zpool create -o compatibility=grub2 bpool /dev/vda1", - "zfs create -o mountpoint=legacy bpool/boot", + "mkfs.vfat -n BOOT /dev/vda1", "mkdir /mnt/boot", - "mount -t zfs bpool/boot /mnt/boot", + "mount LABEL=BOOT /mnt/boot", "udevadm settle", ) ''; - - # umount & export bpool before shutdown - # this is a fix for "cannot import 'bpool': pool was previously in use from another system." - postInstallCommands = '' - machine.succeed("umount /mnt/boot") - machine.succeed("zpool export bpool") - ''; }; # Create two physical LVM partitions combined into one volume group diff --git a/nixos/tests/invidious.nix b/nixos/tests/invidious.nix index 701e8e5e7a3fc..e31cd87f6a004 100644 --- a/nixos/tests/invidious.nix +++ b/nixos/tests/invidious.nix @@ -5,48 +5,72 @@ import ./make-test-python.nix ({ pkgs, ... }: { maintainers = [ sbruder ]; }; - nodes.machine = { config, lib, pkgs, ... }: { - services.invidious = { - enable = true; + nodes = { + postgres-tcp = { config, pkgs, ... }: { + services.postgresql = { + enable = true; + initialScript = pkgs.writeText "init-postgres-with-password" '' + CREATE USER invidious WITH PASSWORD 'correct horse battery staple'; + CREATE DATABASE invidious WITH OWNER invidious; + ''; + enableTCPIP = true; + authentication = '' + host invidious invidious samenet scram-sha-256 + ''; + }; + networking.firewall.allowedTCPPorts = [ config.services.postgresql.port ]; }; + machine = { config, lib, pkgs, ... }: { + services.invidious = { + enable = true; + }; - specialisation = { - nginx.configuration = { - services.invidious = { - nginx.enable = true; - domain = "invidious.example.com"; - }; - services.nginx.virtualHosts."invidious.example.com" = { - forceSSL = false; - enableACME = false; + specialisation = { + nginx.configuration = { + services.invidious = { + nginx.enable = true; + domain = "invidious.example.com"; + }; + services.nginx.virtualHosts."invidious.example.com" = { + forceSSL = false; + enableACME = false; + }; + networking.hosts."127.0.0.1" = [ "invidious.example.com" ]; }; - networking.hosts."127.0.0.1" = [ "invidious.example.com" ]; - }; - postgres-tcp.configuration = { - services.invidious = { - database = { - createLocally = false; - host = "127.0.0.1"; - passwordFile = toString (pkgs.writeText "database-password" "correct horse battery staple"); + nginx-scale.configuration = { + services.invidious = { + nginx.enable = true; + domain = "invidious.example.com"; + serviceScale = 3; + }; + services.nginx.virtualHosts."invidious.example.com" = { + forceSSL = false; + enableACME = false; }; + networking.hosts."127.0.0.1" = [ "invidious.example.com" ]; }; - # Normally not needed because when connecting to postgres over TCP/IP - # the database is most likely on another host. - systemd.services.invidious = { - after = [ "postgresql.service" ]; - requires = [ "postgresql.service" ]; + nginx-scale-ytproxy.configuration = { + services.invidious = { + nginx.enable = true; + http3-ytproxy.enable = true; + domain = "invidious.example.com"; + serviceScale = 3; + }; + services.nginx.virtualHosts."invidious.example.com" = { + forceSSL = false; + enableACME = false; + }; + networking.hosts."127.0.0.1" = [ "invidious.example.com" ]; }; - services.postgresql = - let - inherit (config.services.invidious.settings.db) dbname user; - in - { - enable = true; - initialScript = pkgs.writeText "init-postgres-with-password" '' - CREATE USER kemal WITH PASSWORD 'correct horse battery staple'; - CREATE DATABASE invidious OWNER kemal; - ''; + postgres-tcp.configuration = { + services.invidious = { + database = { + createLocally = false; + host = "postgres-tcp"; + passwordFile = toString (pkgs.writeText "database-password" "correct horse battery staple"); + }; }; + }; }; }; }; @@ -63,6 +87,9 @@ import ./make-test-python.nix ({ pkgs, ... }: { url = "http://localhost:${toString nodes.machine.config.services.invidious.port}" port = ${toString nodes.machine.config.services.invidious.port} + # start postgres vm now + postgres_tcp.start() + machine.wait_for_open_port(port) curl_assert_status_code(f"{url}/search", 200) @@ -70,9 +97,26 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine.wait_for_open_port(80) curl_assert_status_code("http://invidious.example.com/search", 200) - # Remove the state so the `initialScript` gets run - machine.succeed("systemctl stop postgresql") - machine.succeed("rm -r /var/lib/postgresql") + activate_specialisation("nginx-scale") + machine.wait_for_open_port(80) + # this depends on nginx round-robin behaviour for the upstream servers + curl_assert_status_code("http://invidious.example.com/search", 200) + curl_assert_status_code("http://invidious.example.com/search", 200) + curl_assert_status_code("http://invidious.example.com/search", 200) + machine.succeed("journalctl -eu invidious.service | grep -o '200 GET /search'") + machine.succeed("journalctl -eu invidious-1.service | grep -o '200 GET /search'") + machine.succeed("journalctl -eu invidious-2.service | grep -o '200 GET /search'") + + activate_specialisation("nginx-scale-ytproxy") + machine.wait_for_unit("http3-ytproxy.service") + machine.wait_for_open_port(80) + machine.wait_until_succeeds("ls /run/http3-ytproxy/socket/http-proxy.sock") + curl_assert_status_code("http://invidious.example.com/search", 200) + # this should error out as no internet connectivity is available in the test + curl_assert_status_code("http://invidious.example.com/vi/dQw4w9WgXcQ/mqdefault.jpg", 502) + machine.succeed("journalctl -eu http3-ytproxy.service | grep -o 'dQw4w9WgXcQ'") + + postgres_tcp.wait_for_unit("postgresql.service") activate_specialisation("postgres-tcp") machine.wait_for_open_port(port) curl_assert_status_code(f"{url}/search", 200) diff --git a/nixos/tests/iscsi-root.nix b/nixos/tests/iscsi-root.nix index eb0719edc3796..0d7c48464eecc 100644 --- a/nixos/tests/iscsi-root.nix +++ b/nixos/tests/iscsi-root.nix @@ -7,8 +7,8 @@ import ./make-test-python.nix ( { name = "iscsi"; meta = { - maintainers = pkgs.lib.teams.deshaw.members - ++ (with pkgs.lib.maintainers; [ ajs124 ]); + maintainers = lib.teams.deshaw.members + ++ lib.teams.helsinki-systems.members; }; nodes = { diff --git a/nixos/tests/kernel-generic.nix b/nixos/tests/kernel-generic.nix index 352deb521a478..72d31246b75d3 100644 --- a/nixos/tests/kernel-generic.nix +++ b/nixos/tests/kernel-generic.nix @@ -31,6 +31,7 @@ let linux_5_15_hardened linux_6_1_hardened linux_6_5_hardened + linux_6_6_hardened linux_rt_5_4 linux_rt_5_10 linux_rt_5_15 diff --git a/nixos/tests/kubo/default.nix b/nixos/tests/kubo/default.nix index 629922fc366db..d8c0c69dc1fbd 100644 --- a/nixos/tests/kubo/default.nix +++ b/nixos/tests/kubo/default.nix @@ -1,5 +1,7 @@ { recurseIntoAttrs, runTest }: recurseIntoAttrs { kubo = runTest ./kubo.nix; - kubo-fuse = runTest ./kubo-fuse.nix; + # The FUSE functionality is completely broken since Kubo v0.24.0 + # See https://github.com/ipfs/kubo/issues/10242 + # kubo-fuse = runTest ./kubo-fuse.nix; } diff --git a/nixos/tests/kubo/kubo.nix b/nixos/tests/kubo/kubo.nix index 7965ad2773854..b8222c652b33c 100644 --- a/nixos/tests/kubo/kubo.nix +++ b/nixos/tests/kubo/kubo.nix @@ -46,6 +46,13 @@ f"ipfs --api /unix/run/ipfs.sock cat /ipfs/{ipfs_hash.strip()} | grep fnord2" ) + machine.stop_job("ipfs") + + with subtest("Socket activation for the Gateway"): + machine.succeed( + f"curl 'http://127.0.0.1:8080/ipfs/{ipfs_hash.strip()}' | grep fnord2" + ) + with subtest("Setting dataDir works properly with the hardened systemd unit"): machine.succeed("test -e /mnt/ipfs/config") machine.succeed("test ! -e /var/lib/ipfs/") diff --git a/nixos/tests/livebook-service.nix b/nixos/tests/livebook-service.nix index 9397e3cb75ffa..56b4eb932f343 100644 --- a/nixos/tests/livebook-service.nix +++ b/nixos/tests/livebook-service.nix @@ -11,7 +11,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { enableUserService = true; port = 20123; environmentFile = pkgs.writeText "livebook.env" '' - LIVEBOOK_PASSWORD = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; + LIVEBOOK_PASSWORD = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ''; options = { cookie = "chocolate chip"; @@ -22,7 +22,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { testScript = { nodes, ... }: let - user = nodes.machine.config.users.users.alice; + user = nodes.machine.users.users.alice; sudo = lib.concatStringsSep " " [ "XDG_RUNTIME_DIR=/run/user/${toString user.uid}" "sudo" diff --git a/nixos/tests/lvm2/systemd-stage-1.nix b/nixos/tests/lvm2/systemd-stage-1.nix index b581f2b23507e..1c95aadfcb3f1 100644 --- a/nixos/tests/lvm2/systemd-stage-1.nix +++ b/nixos/tests/lvm2/systemd-stage-1.nix @@ -54,9 +54,9 @@ ''; }.${flavour}; -in import ../make-test-python.nix ({ pkgs, ... }: { +in import ../make-test-python.nix ({ pkgs, lib, ... }: { name = "lvm2-${flavour}-systemd-stage-1"; - meta.maintainers = with pkgs.lib.maintainers; [ das_j ]; + meta.maintainers = lib.teams.helsinki-systems.members; nodes.machine = { pkgs, lib, ... }: { imports = [ extraConfig ]; diff --git a/nixos/tests/lvm2/thinpool.nix b/nixos/tests/lvm2/thinpool.nix index 14781a8a60459..f49c8980613ce 100644 --- a/nixos/tests/lvm2/thinpool.nix +++ b/nixos/tests/lvm2/thinpool.nix @@ -1,7 +1,7 @@ { kernelPackages ? null }: import ../make-test-python.nix ({ pkgs, lib, ... }: { name = "lvm2-thinpool"; - meta.maintainers = with pkgs.lib.maintainers; [ ajs124 ]; + meta.maintainers = lib.teams.helsinki-systems.members; nodes.machine = { pkgs, lib, ... }: { virtualisation.emptyDiskImages = [ 4096 ]; diff --git a/nixos/tests/lvm2/vdo.nix b/nixos/tests/lvm2/vdo.nix index 5b014c2f72223..75c1fc094e97f 100644 --- a/nixos/tests/lvm2/vdo.nix +++ b/nixos/tests/lvm2/vdo.nix @@ -1,7 +1,7 @@ { kernelPackages ? null }: -import ../make-test-python.nix ({ pkgs, ... }: { +import ../make-test-python.nix ({ pkgs, lib, ... }: { name = "lvm2-vdo"; - meta.maintainers = with pkgs.lib.maintainers; [ ajs124 ]; + meta.maintainers = lib.teams.helsinki-systems.members; nodes.machine = { pkgs, lib, ... }: { # Minimum required size for VDO volume: 5063921664 bytes diff --git a/nixos/tests/mate.nix b/nixos/tests/mate.nix index 78ba59c5fc20d..48582e18d520c 100644 --- a/nixos/tests/mate.nix +++ b/nixos/tests/mate.nix @@ -27,9 +27,12 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { hardware.pulseaudio.enable = true; }; + enableOCR = true; + testScript = { nodes, ... }: let user = nodes.machine.users.users.alice; + env = "DISPLAY=:0.0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/${toString user.uid}/bus"; in '' with subtest("Wait for login"): @@ -48,11 +51,31 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.wait_for_window("Bottom Panel") machine.wait_until_succeeds("pgrep caja") machine.wait_for_window("Caja") + machine.wait_for_text('(Applications|Places|System)') + machine.wait_for_text('(Computer|Home|Trash)') + + with subtest("Lock the screen"): + machine.wait_until_succeeds("su - ${user.name} -c '${env} mate-screensaver-command -q' | grep 'The screensaver is inactive'") + machine.succeed("su - ${user.name} -c '${env} mate-screensaver-command -l >&2 &'") + machine.wait_until_succeeds("su - ${user.name} -c '${env} mate-screensaver-command -q' | grep 'The screensaver is active'") + machine.sleep(2) + machine.send_chars("${user.password}", delay=0.2) + machine.wait_for_text("${user.description}") + machine.screenshot("screensaver") + machine.send_chars("\n") + machine.wait_until_succeeds("su - ${user.name} -c '${env} mate-screensaver-command -q' | grep 'The screensaver is inactive'") + + with subtest("Open MATE control center"): + machine.succeed("su - ${user.name} -c '${env} mate-control-center >&2 &'") + machine.wait_for_window("Control Center") + machine.wait_for_text('(Groups|Administration|Hardware)') with subtest("Open MATE terminal"): - machine.succeed("su - ${user.name} -c 'DISPLAY=:0.0 mate-terminal >&2 &'") + machine.succeed("su - ${user.name} -c '${env} mate-terminal >&2 &'") machine.wait_for_window("Terminal") - machine.sleep(20) + + with subtest("Check if MATE has ever coredumped"): + machine.fail("coredumpctl --json=short | grep -E 'mate|marco|caja'") machine.screenshot("screen") ''; }) diff --git a/nixos/tests/munin.nix b/nixos/tests/munin.nix index 4ec17e0339df0..e371b2dffa6b8 100644 --- a/nixos/tests/munin.nix +++ b/nixos/tests/munin.nix @@ -37,8 +37,10 @@ import ./make-test-python.nix ({ pkgs, ...} : { with subtest("ensure munin-node starts and listens on 4949"): one.wait_for_unit("munin-node.service") one.wait_for_open_port(4949) + with subtest("ensure munin-cron output is correct"): one.wait_for_file("/var/lib/munin/one/one-uptime-uptime-g.rrd") one.wait_for_file("/var/www/munin/one/index.html") + one.wait_for_file("/var/www/munin/one/one/diskstat_iops_vda-day.png", timeout=60) ''; }) diff --git a/nixos/tests/musescore.nix b/nixos/tests/musescore.nix index 6aeb0558a49db..0720631ed284b 100644 --- a/nixos/tests/musescore.nix +++ b/nixos/tests/musescore.nix @@ -63,14 +63,11 @@ in machine.send_key("tab") machine.send_key("tab") - machine.send_key("tab") - machine.send_key("tab") - machine.send_key("right") - machine.send_key("right") machine.send_key("ret") - machine.sleep(1) + machine.sleep(2) + machine.send_key("tab") # Type the beginning of https://de.wikipedia.org/wiki/Alle_meine_Entchen machine.send_chars("cdef6gg5aaaa7g") machine.sleep(1) diff --git a/nixos/tests/mympd.nix b/nixos/tests/mympd.nix new file mode 100644 index 0000000000000..ac6a896966e6b --- /dev/null +++ b/nixos/tests/mympd.nix @@ -0,0 +1,27 @@ +import ./make-test-python.nix ({pkgs, lib, ... }: { + name = "mympd"; + + nodes.mympd = { + services.mympd = { + enable = true; + settings = { + http_port = 8081; + }; + }; + + services.mpd.enable = true; + }; + + testScript = '' + start_all(); + machine.wait_for_unit("mympd.service"); + + # Ensure that mympd can connect to mpd + machine.wait_until_succeeds( + "journalctl -eu mympd -o cat | grep 'Connected to MPD'" + ) + + # Ensure that the web server is working + machine.succeed("curl http://localhost:8081 --compressed | grep -o myMPD") + ''; +}) diff --git a/nixos/tests/mysql/mariadb-galera.nix b/nixos/tests/mysql/mariadb-galera.nix index c9962f49c02fd..7455abbce5fb0 100644 --- a/nixos/tests/mysql/mariadb-galera.nix +++ b/nixos/tests/mysql/mariadb-galera.nix @@ -17,8 +17,8 @@ let galeraPackage ? pkgs.mariadb-galera }: makeTest { name = "${name}-galera-mariabackup"; - meta = with pkgs.lib.maintainers; { - maintainers = [ izorkin ajs124 das_j ]; + meta = { + maintainers = with lib.maintainers; [ izorkin ] ++ lib.teams.helsinki-systems.members; }; # The test creates a Galera cluster with 3 nodes and is checking if mariabackup-based SST works. The cluster is tested by creating a DB and an empty table on one node, diff --git a/nixos/tests/mysql/mysql-replication.nix b/nixos/tests/mysql/mysql-replication.nix index 8f1695eb97e27..83da1e7b6cb88 100644 --- a/nixos/tests/mysql/mysql-replication.nix +++ b/nixos/tests/mysql/mysql-replication.nix @@ -18,8 +18,8 @@ let name ? mkTestName package, }: makeTest { name = "${name}-replication"; - meta = with pkgs.lib.maintainers; { - maintainers = [ ajs124 das_j ]; + meta = { + maintainers = lib.teams.helsinki-systems.members; }; nodes = { diff --git a/nixos/tests/mysql/mysql.nix b/nixos/tests/mysql/mysql.nix index 3e059cad09e97..0a61f9d38fe2e 100644 --- a/nixos/tests/mysql/mysql.nix +++ b/nixos/tests/mysql/mysql.nix @@ -18,8 +18,8 @@ let hasRocksDB ? pkgs.stdenv.hostPlatform.is64bit }: makeTest { inherit name; - meta = with lib.maintainers; { - maintainers = [ ajs124 das_j ]; + meta = { + maintainers = lib.teams.helsinki-systems.members; }; nodes = { diff --git a/nixos/tests/nebula.nix b/nixos/tests/nebula.nix index 1bece2200f238..89b91d89fcb3f 100644 --- a/nixos/tests/nebula.nix +++ b/nixos/tests/nebula.nix @@ -144,7 +144,6 @@ in restartAndCheckNebula = name: ip: '' ${name}.systemctl("restart nebula@smoke.service") - ${name}.wait_for_unit("nebula@smoke.service") ${name}.succeed("ping -c5 ${ip}") ''; @@ -180,8 +179,6 @@ in ${nodeB}.succeed("iptables -I INPUT -s " + node_a + " -j DROP") ${nodeA}.systemctl("restart nebula@smoke.service") ${nodeB}.systemctl("restart nebula@smoke.service") - ${nodeA}.wait_for_unit("nebula@smoke.service") - ${nodeB}.wait_for_unit("nebula@smoke.service") ''; allowTrafficBetween = nodeA: nodeB: '' node_a = ${getPublicIp nodeA} @@ -190,8 +187,6 @@ in ${nodeB}.succeed("iptables -D INPUT -s " + node_a + " -j DROP") ${nodeA}.systemctl("restart nebula@smoke.service") ${nodeB}.systemctl("restart nebula@smoke.service") - ${nodeA}.wait_for_unit("nebula@smoke.service") - ${nodeB}.wait_for_unit("nebula@smoke.service") ''; in '' # Create the certificate and sign the lighthouse's keys. diff --git a/nixos/tests/nextcloud/basic.nix b/nixos/tests/nextcloud/basic.nix index ab1d8353dba0b..428fe0aa10db9 100644 --- a/nixos/tests/nextcloud/basic.nix +++ b/nixos/tests/nextcloud/basic.nix @@ -13,10 +13,12 @@ in { # The only thing the client needs to do is download a file. client = { ... }: { services.davfs2.enable = true; - system.activationScripts.davfs2-secrets = '' - echo "http://nextcloud/remote.php/dav/files/${adminuser} ${adminuser} ${adminpass}" > /tmp/davfs2-secrets - chmod 600 /tmp/davfs2-secrets - ''; + systemd.tmpfiles.settings.nextcloud = { + "/tmp/davfs2-secrets"."f+" = { + mode = "0600"; + argument = "http://nextcloud/remote.php/dav/files/${adminuser} ${adminuser} ${adminpass}"; + }; + }; virtualisation.fileSystems = { "/mnt/dav" = { device = "http://nextcloud/remote.php/dav/files/${adminuser}"; diff --git a/nixos/tests/nextcloud/default.nix b/nixos/tests/nextcloud/default.nix index 19d04b28b4f99..84ac371537271 100644 --- a/nixos/tests/nextcloud/default.nix +++ b/nixos/tests/nextcloud/default.nix @@ -22,4 +22,4 @@ foldl }; }) { } - [ 26 27 ] + [ 26 27 28 ] diff --git a/nixos/tests/nextcloud/with-postgresql-and-redis.nix b/nixos/tests/nextcloud/with-postgresql-and-redis.nix index 586bf50fd939c..d95af8a89d07a 100644 --- a/nixos/tests/nextcloud/with-postgresql-and-redis.nix +++ b/nixos/tests/nextcloud/with-postgresql-and-redis.nix @@ -32,7 +32,6 @@ in { adminpassFile = toString (pkgs.writeText "admin-pass-file" '' ${adminpass} ''); - trustedProxies = [ "::1" ]; }; notify_push = { enable = true; @@ -42,6 +41,7 @@ in { extraApps = { inherit (pkgs."nextcloud${lib.versions.major config.services.nextcloud.package.version}Packages".apps) notify_push; }; + extraOptions.trusted_proxies = [ "::1" ]; }; services.redis.servers."nextcloud".enable = true; diff --git a/nixos/tests/nginx-http3.nix b/nixos/tests/nginx-http3.nix index fc9f31037f989..22f7f61f10ce6 100644 --- a/nixos/tests/nginx-http3.nix +++ b/nixos/tests/nginx-http3.nix @@ -1,97 +1,113 @@ -import ./make-test-python.nix ({lib, pkgs, ...}: +{ system ? builtins.currentSystem, + config ? {}, + pkgs ? import ../.. { inherit system config; } +}: + +with import ../lib/testing-python.nix { inherit system pkgs; }; + let hosts = '' 192.168.2.101 acme.test ''; in -{ - name = "nginx-http3"; - meta.maintainers = with pkgs.lib.maintainers; [ izorkin ]; - - nodes = { - server = { pkgs, ... }: { - networking = { - interfaces.eth1 = { - ipv4.addresses = [ - { address = "192.168.2.101"; prefixLength = 24; } - ]; - }; - extraHosts = hosts; - firewall.allowedTCPPorts = [ 443 ]; - firewall.allowedUDPPorts = [ 443 ]; - }; - - security.pki.certificates = [ - (builtins.readFile ./common/acme/server/ca.cert.pem) - ]; - - services.nginx = { - enable = true; - package = pkgs.nginxQuic; - - virtualHosts."acme.test" = { - onlySSL = true; - sslCertificate = ./common/acme/server/acme.test.cert.pem; - sslCertificateKey = ./common/acme/server/acme.test.key.pem; - http2 = true; - http3 = true; - http3_hq = false; - quic = true; - reuseport = true; - root = lib.mkForce (pkgs.runCommandLocal "testdir" {} '' - mkdir "$out" - cat > "$out/index.html" <<EOF - <html><body>Hello World!</body></html> - EOF - cat > "$out/example.txt" <<EOF - Check http3 protocol. - EOF - ''); - }; - }; - }; - - client = { pkgs, ... }: { - environment.systemPackages = [ pkgs.curlHTTP3 ]; - networking = { - interfaces.eth1 = { - ipv4.addresses = [ - { address = "192.168.2.201"; prefixLength = 24; } - ]; - }; - extraHosts = hosts; - }; - security.pki.certificates = [ - (builtins.readFile ./common/acme/server/ca.cert.pem) - ]; - }; - }; +builtins.listToAttrs ( + builtins.map + (nginxPackage: + { + name = pkgs.lib.getName nginxPackage; + value = makeTest { + name = "nginx-http3-${pkgs.lib.getName nginxPackage}"; + meta.maintainers = with pkgs.lib.maintainers; [ izorkin ]; - testScript = '' - start_all() + nodes = { + server = { lib, pkgs, ... }: { + networking = { + interfaces.eth1 = { + ipv4.addresses = [ + { address = "192.168.2.101"; prefixLength = 24; } + ]; + }; + extraHosts = hosts; + firewall.allowedTCPPorts = [ 443 ]; + firewall.allowedUDPPorts = [ 443 ]; + }; - server.wait_for_unit("nginx") - server.wait_for_open_port(443) + security.pki.certificates = [ + (builtins.readFile ./common/acme/server/ca.cert.pem) + ]; - # Check http connections - client.succeed("curl --verbose --http3-only https://acme.test | grep 'Hello World!'") + services.nginx = { + enable = true; + package = nginxPackage; - # Check downloadings - client.succeed("curl --verbose --http3-only https://acme.test/example.txt --output /tmp/example.txt") - client.succeed("cat /tmp/example.txt | grep 'Check http3 protocol.'") + virtualHosts."acme.test" = { + onlySSL = true; + sslCertificate = ./common/acme/server/acme.test.cert.pem; + sslCertificateKey = ./common/acme/server/acme.test.key.pem; + http2 = true; + http3 = true; + http3_hq = false; + quic = true; + reuseport = true; + root = lib.mkForce (pkgs.runCommandLocal "testdir" {} '' + mkdir "$out" + cat > "$out/index.html" <<EOF + <html><body>Hello World!</body></html> + EOF + cat > "$out/example.txt" <<EOF + Check http3 protocol. + EOF + ''); + }; + }; + }; - # Check header reading - client.succeed("curl --verbose --http3-only --head https://acme.test | grep 'content-type'") - client.succeed("curl --verbose --http3-only --head https://acme.test | grep 'HTTP/3 200'") - client.succeed("curl --verbose --http3-only --head https://acme.test/error | grep 'HTTP/3 404'") + client = { pkgs, ... }: { + environment.systemPackages = [ pkgs.curlHTTP3 ]; + networking = { + interfaces.eth1 = { + ipv4.addresses = [ + { address = "192.168.2.201"; prefixLength = 24; } + ]; + }; + extraHosts = hosts; + }; - # Check change User-Agent - client.succeed("curl --verbose --http3-only --user-agent 'Curl test 3.0' https://acme.test") - server.succeed("cat /var/log/nginx/access.log | grep 'Curl test 3.0'") + security.pki.certificates = [ + (builtins.readFile ./common/acme/server/ca.cert.pem) + ]; + }; + }; - server.shutdown() - client.shutdown() - ''; -}) + testScript = '' + start_all() + + server.wait_for_unit("nginx") + server.wait_for_open_port(443) + + # Check http connections + client.succeed("curl --verbose --http3-only https://acme.test | grep 'Hello World!'") + + # Check downloadings + client.succeed("curl --verbose --http3-only https://acme.test/example.txt --output /tmp/example.txt") + client.succeed("cat /tmp/example.txt | grep 'Check http3 protocol.'") + + # Check header reading + client.succeed("curl --verbose --http3-only --head https://acme.test | grep 'content-type'") + client.succeed("curl --verbose --http3-only --head https://acme.test | grep 'HTTP/3 200'") + client.succeed("curl --verbose --http3-only --head https://acme.test/error | grep 'HTTP/3 404'") + + # Check change User-Agent + client.succeed("curl --verbose --http3-only --user-agent 'Curl test 3.0' https://acme.test") + server.succeed("cat /var/log/nginx/access.log | grep 'Curl test 3.0'") + + server.shutdown() + client.shutdown() + ''; + }; + } + ) + [ pkgs.angieQuic pkgs.nginxQuic ] +) diff --git a/nixos/tests/nginx-redirectcode.nix b/nixos/tests/nginx-redirectcode.nix new file mode 100644 index 0000000000000..f60434a21a85d --- /dev/null +++ b/nixos/tests/nginx-redirectcode.nix @@ -0,0 +1,25 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "nginx-redirectcode"; + meta.maintainers = with lib.maintainers; [ misterio77 ]; + + nodes = { + webserver = { pkgs, lib, ... }: { + services.nginx = { + enable = true; + virtualHosts.localhost = { + globalRedirect = "example.com/foo"; + # With 308 (and 307), the method and body are to be kept when following it + redirectCode = 308; + }; + }; + }; + }; + + testScript = '' + webserver.wait_for_unit("nginx") + webserver.wait_for_open_port(80) + + # Check the status code + webserver.succeed("curl -si http://localhost | grep '^HTTP/[0-9.]\+ 308 Permanent Redirect'") + ''; +}) diff --git a/nixos/tests/nginx-variants.nix b/nixos/tests/nginx-variants.nix index 0faa0127669dd..8c24052aacce3 100644 --- a/nixos/tests/nginx-variants.nix +++ b/nixos/tests/nginx-variants.nix @@ -7,17 +7,17 @@ with import ../lib/testing-python.nix { inherit system pkgs; }; builtins.listToAttrs ( builtins.map - (nginxName: + (nginxPackage: { - name = nginxName; + name = pkgs.lib.getName nginxPackage; value = makeTest { - name = "nginx-variant-${nginxName}"; + name = "nginx-variant-${pkgs.lib.getName nginxPackage}"; nodes.machine = { pkgs, ... }: { services.nginx = { enable = true; virtualHosts.localhost.locations."/".return = "200 'foo'"; - package = pkgs."${nginxName}"; + package = nginxPackage; }; }; @@ -29,5 +29,5 @@ builtins.listToAttrs ( }; } ) - [ "nginxStable" "nginxMainline" "nginxQuic" "nginxShibboleth" "openresty" "tengine" ] + [ pkgs.angie pkgs.angieQuic pkgs.nginxStable pkgs.nginxMainline pkgs.nginxQuic pkgs.nginxShibboleth pkgs.openresty pkgs.tengine ] ) diff --git a/nixos/tests/nitter.nix b/nixos/tests/nitter.nix index 8bc55ba8c69fc..114f1aac7c7af 100644 --- a/nixos/tests/nitter.nix +++ b/nixos/tests/nitter.nix @@ -1,13 +1,28 @@ import ./make-test-python.nix ({ pkgs, ... }: +let + # In a real deployment this should naturally not common from the nix store + # and be seeded via agenix or as a non-nix managed file. + # + # These credentials are from the nitter wiki and are expired. We must provide + # credentials in the correct format, otherwise nitter fails to start. They + # must not be valid, as unauthorized errors are handled gracefully. + guestAccountFile = pkgs.writeText "guest_accounts.jsonl" '' + {"oauth_token":"1719213587296620928-BsXY2RIJEw7fjxoNwbBemgjJhueK0m","oauth_token_secret":"N0WB0xhL4ng6WTN44aZO82SUJjz7ssI3hHez2CUhTiYqy"} + ''; +in { name = "nitter"; meta.maintainers = with pkgs.lib.maintainers; [ erdnaxe ]; nodes.machine = { - services.nitter.enable = true; - # Test CAP_NET_BIND_SERVICE - services.nitter.server.port = 80; + services.nitter = { + enable = true; + # Test CAP_NET_BIND_SERVICE + server.port = 80; + # Provide dummy guest accounts + guestAccounts = guestAccountFile; + }; }; testScript = '' diff --git a/nixos/tests/nixos-rebuild-specialisations.nix b/nixos/tests/nixos-rebuild-specialisations.nix index 444ff7a3b9771..9192b8a8a030b 100644 --- a/nixos/tests/nixos-rebuild-specialisations.nix +++ b/nixos/tests/nixos-rebuild-specialisations.nix @@ -23,7 +23,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { virtualisation = { cores = 2; - memorySize = 2048; + memorySize = 4096; }; }; }; diff --git a/nixos/tests/npmrc.nix b/nixos/tests/npmrc.nix new file mode 100644 index 0000000000000..dbf24d372feb4 --- /dev/null +++ b/nixos/tests/npmrc.nix @@ -0,0 +1,22 @@ +import ./make-test-python.nix ({ ... }: +let + machineName = "machine"; + settingName = "prefix"; + settingValue = "/some/path"; +in +{ + name = "npmrc"; + + nodes."${machineName}".programs.npm = { + enable = true; + npmrc = '' + ${settingName} = ${settingValue} + ''; + }; + + testScript = '' + ${machineName}.start() + + assert ${machineName}.succeed("npm config get ${settingName}") == "${settingValue}\n" + ''; +}) diff --git a/nixos/tests/oci-containers.nix b/nixos/tests/oci-containers.nix index 1afa9df36dfa4..205ce623d089c 100644 --- a/nixos/tests/oci-containers.nix +++ b/nixos/tests/oci-containers.nix @@ -12,7 +12,7 @@ let name = "oci-containers-${backend}"; meta.maintainers = lib.teams.serokell.members - ++ (with lib.maintainers; [ adisbladis benley mkaito ]); + ++ (with lib.maintainers; [ benley mkaito ]); nodes = { ${backend} = { pkgs, ... }: { diff --git a/nixos/tests/opentabletdriver.nix b/nixos/tests/opentabletdriver.nix index b7583f6dd2648..a71a007c41100 100644 --- a/nixos/tests/opentabletdriver.nix +++ b/nixos/tests/opentabletdriver.nix @@ -20,9 +20,11 @@ in { '' machine.start() machine.wait_for_x() + + machine.wait_for_unit('graphical.target') machine.wait_for_unit("opentabletdriver.service", "${testUser}") - machine.succeed("cat /etc/udev/rules.d/99-opentabletdriver.rules") + machine.succeed("cat /etc/udev/rules.d/70-opentabletdriver.rules") # Will fail if service is not running # Needs to run as the same user that started the service machine.succeed("su - ${testUser} -c 'otd detect'") diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index 7840130d4a364..53e6626c0e324 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -431,8 +431,8 @@ let }; kea = let - controlSocketPathV4 = "/run/kea-dhcp4/dhcp4.sock"; - controlSocketPathV6 = "/run/kea-dhcp6/dhcp6.sock"; + controlSocketPathV4 = "/run/kea/dhcp4.sock"; + controlSocketPathV6 = "/run/kea/dhcp6.sock"; in { exporterConfig = { @@ -806,6 +806,7 @@ let nginx = { exporterConfig = { enable = true; + constLabels = [ "foo=bar" ]; }; metricProvider = { services.nginx = { @@ -818,7 +819,7 @@ let wait_for_unit("nginx.service") wait_for_unit("prometheus-nginx-exporter.service") wait_for_open_port(9113) - succeed("curl -sSf http://localhost:9113/metrics | grep 'nginx_up 1'") + succeed("curl -sSf http://localhost:9113/metrics | grep 'nginx_up{foo=\"bar\"} 1'") ''; }; @@ -1052,6 +1053,50 @@ let ''; }; + ping = { + exporterConfig = { + enable = true; + + settings = { + targets = [ { + "localhost" = { + alias = "local machine"; + env = "prod"; + type = "domain"; + }; + } { + "127.0.0.1" = { + alias = "local machine"; + type = "v4"; + }; + } { + "::1" = { + alias = "local machine"; + type = "v6"; + }; + } { + "google.com" = {}; + } ]; + dns = {}; + ping = { + interval = "2s"; + timeout = "3s"; + history-size = 42; + payload-size = 56; + }; + log = { + level = "warn"; + }; + }; + }; + + exporterTest = '' + wait_for_unit("prometheus-ping-exporter.service") + wait_for_open_port(9427) + succeed("curl -sSf http://localhost:9427/metrics | grep 'ping_up{.*} 1'") + ''; + }; + postfix = { exporterConfig = { enable = true; diff --git a/nixos/tests/quicktun.nix b/nixos/tests/quicktun.nix new file mode 100644 index 0000000000000..a5a6324571174 --- /dev/null +++ b/nixos/tests/quicktun.nix @@ -0,0 +1,18 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: +{ + name = "quicktun"; + meta.maintainers = with lib.maintainers; [ h7x4 ]; + + nodes = { + machine = { ... }: { + services.quicktun."test-tunnel" = { + protocol = "raw"; + }; + }; + }; + + testScript = '' + start_all() + machine.wait_for_unit("quicktun-test-tunnel.service") + ''; +}) diff --git a/nixos/tests/rspamd-trainer.nix b/nixos/tests/rspamd-trainer.nix new file mode 100644 index 0000000000000..9c157903d24b6 --- /dev/null +++ b/nixos/tests/rspamd-trainer.nix @@ -0,0 +1,155 @@ +import ./make-test-python.nix ({ pkgs, ... }: +let + certs = import ./common/acme/server/snakeoil-certs.nix; + domain = certs.domain; +in { + name = "rspamd-trainer"; + meta = with pkgs.lib.maintainers; { maintainers = [ onny ]; }; + + nodes = { + machine = { options, config, ... }: { + + security.pki.certificateFiles = [ + certs.ca.cert + ]; + + networking.extraHosts = '' + 127.0.0.1 ${domain} + ''; + + services.rspamd-trainer = { + enable = true; + settings = { + HOST = domain; + USERNAME = "spam@${domain}"; + INBOXPREFIX = "INBOX/"; + }; + secrets = [ + # Do not use this in production. This will make passwords + # world-readable in the Nix store + "${pkgs.writeText "secrets" '' + PASSWORD = test123 + ''}" + ]; + }; + + services.maddy = { + enable = true; + hostname = domain; + primaryDomain = domain; + ensureAccounts = [ "spam@${domain}" ]; + ensureCredentials = { + # Do not use this in production. This will make passwords world-readable + # in the Nix store + "spam@${domain}".passwordFile = "${pkgs.writeText "postmaster" "test123"}"; + }; + tls = { + loader = "file"; + certificates = [{ + certPath = "${certs.${domain}.cert}"; + keyPath = "${certs.${domain}.key}"; + }]; + }; + config = builtins.replaceStrings [ + "imap tcp://0.0.0.0:143" + "submission tcp://0.0.0.0:587" + ] [ + "imap tls://0.0.0.0:993 tcp://0.0.0.0:143" + "submission tls://0.0.0.0:465 tcp://0.0.0.0:587" + ] options.services.maddy.config.default; + }; + + services.rspamd = { + enable = true; + locals = { + "redis.conf".text = '' + servers = "${config.services.redis.servers.rspamd.unixSocket}"; + ''; + "classifier-bayes.conf".text = '' + backend = "redis"; + autolearn = true; + ''; + }; + }; + + services.redis.servers.rspamd = { + enable = true; + port = 0; + unixSocket = "/run/redis-rspamd/redis.sock"; + user = config.services.rspamd.user; + }; + + environment.systemPackages = [ + (pkgs.writers.writePython3Bin "send-testmail" { } '' + import smtplib + import ssl + from email.mime.text import MIMEText + context = ssl.create_default_context() + msg = MIMEText("Hello World") + msg['Subject'] = 'Test' + msg['From'] = "spam@${domain}" + msg['To'] = "spam@${domain}" + with smtplib.SMTP_SSL(host='${domain}', port=465, context=context) as smtp: + smtp.login('spam@${domain}', 'test123') + smtp.sendmail( + 'spam@${domain}', 'spam@${domain}', msg.as_string() + ) + '') + (pkgs.writers.writePython3Bin "create-mail-dirs" { } '' + import imaplib + with imaplib.IMAP4_SSL('${domain}') as imap: + imap.login('spam@${domain}', 'test123') + imap.create("\"INBOX/report_spam\"") + imap.create("\"INBOX/report_ham\"") + imap.create("\"INBOX/report_spam_reply\"") + imap.select("INBOX") + imap.copy("1", "\"INBOX/report_ham\"") + imap.logout() + '') + (pkgs.writers.writePython3Bin "test-imap" { } '' + import imaplib + with imaplib.IMAP4_SSL('${domain}') as imap: + imap.login('spam@${domain}', 'test123') + imap.select("INBOX/learned_ham") + status, refs = imap.search(None, 'ALL') + assert status == 'OK' + assert len(refs) == 1 + status, msg = imap.fetch(refs[0], 'BODY[TEXT]') + assert status == 'OK' + assert msg[0][1].strip() == b"Hello World" + imap.logout() + '') + ]; + + + + }; + + }; + + testScript = { nodes }: '' + start_all() + machine.wait_for_unit("maddy.service") + machine.wait_for_open_port(143) + machine.wait_for_open_port(993) + machine.wait_for_open_port(587) + machine.wait_for_open_port(465) + + # Send test mail to spam@domain + machine.succeed("send-testmail") + + # Create mail directories required for rspamd-trainer and copy mail from + # INBOX into INBOX/report_ham + machine.succeed("create-mail-dirs") + + # Start rspamd-trainer. It should read mail from INBOX/report_ham + machine.wait_for_unit("rspamd.service") + machine.wait_for_unit("redis-rspamd.service") + machine.wait_for_file("/run/rspamd/rspamd.sock") + machine.succeed("systemctl start rspamd-trainer.service") + + # Check if mail got processed by rspamd-trainer successfully and check for + # it in INBOX/learned_ham + machine.succeed("test-imap") + ''; +}) diff --git a/nixos/tests/sogo.nix b/nixos/tests/sogo.nix index acdad8d0f473b..e9059a2ab7734 100644 --- a/nixos/tests/sogo.nix +++ b/nixos/tests/sogo.nix @@ -1,7 +1,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { name = "sogo"; meta = with pkgs.lib.maintainers; { - maintainers = [ ajs124 das_j ]; + maintainers = []; }; nodes = { diff --git a/nixos/tests/ssh-agent-auth.nix b/nixos/tests/ssh-agent-auth.nix new file mode 100644 index 0000000000000..2274e463ce95a --- /dev/null +++ b/nixos/tests/ssh-agent-auth.nix @@ -0,0 +1,51 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: + let + inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey; + in { + name = "ssh-agent-auth"; + meta.maintainers = with lib.maintainers; [ nicoo ]; + + nodes = let nodeConfig = n: { ... }: { + users.users = { + admin = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; + }; + foo.isNormalUser = true; + }; + + security.pam.enableSSHAgentAuth = true; + security.${lib.replaceStrings [ "_" ] [ "-" ] n} = { + enable = true; + wheelNeedsPassword = true; # We are checking `pam_ssh_agent_auth(8)` works for a sudoer + }; + + # Necessary for pam_ssh_agent_auth >_>' + services.openssh.enable = true; + }; + in lib.genAttrs [ "sudo" "sudo_rs" ] nodeConfig; + + testScript = let + privateKeyPath = "/home/admin/.ssh/id_ecdsa"; + userScript = pkgs.writeShellScript "test-script" '' + set -e + ssh-add -q ${privateKeyPath} + + # faketty needed to ensure `sudo` doesn't write to the controlling PTY, + # which would break the test-driver's line-oriented protocol. + ${lib.getExe pkgs.faketty} sudo -u foo -- id -un + ''; + in '' + for vm in (sudo, sudo_rs): + sudo_impl = vm.name.replace("_", "-") + with subtest(f"wheel user can auth with ssh-agent for {sudo_impl}"): + vm.copy_from_host("${snakeOilPrivateKey}", "${privateKeyPath}") + vm.succeed("chmod -R 0700 /home/admin") + vm.succeed("chown -R admin:users /home/admin") + + # Run `userScript` in an environment with an SSH-agent available + assert vm.succeed("sudo -u admin -- ssh-agent ${userScript} 2>&1").strip() == "foo" + ''; + } +) diff --git a/nixos/tests/stub-ld.nix b/nixos/tests/stub-ld.nix new file mode 100644 index 0000000000000..25161301741b7 --- /dev/null +++ b/nixos/tests/stub-ld.nix @@ -0,0 +1,73 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: { + name = "stub-ld"; + + nodes.machine = { lib, ... }: + { + environment.stub-ld.enable = true; + + specialisation.nostub = { + inheritParentConfig = true; + + configuration = { ... }: { + environment.stub-ld.enable = lib.mkForce false; + }; + }; + }; + + testScript = let + libDir = pkgs.stdenv.hostPlatform.libDir; + ldsoBasename = lib.last (lib.splitString "/" pkgs.stdenv.cc.bintools.dynamicLinker); + + check32 = pkgs.stdenv.isx86_64; + pkgs32 = pkgs.pkgsi686Linux; + + libDir32 = pkgs32.stdenv.hostPlatform.libDir; + ldsoBasename32 = lib.last (lib.splitString "/" pkgs32.stdenv.cc.bintools.dynamicLinker); + + test-exec = builtins.mapAttrs (n: v: pkgs.runCommand "test-exec-${n}" { src = pkgs.fetchurl v; } "mkdir -p $out;cd $out;tar -xzf $src") { + x86_64-linux.url = "https://github.com/rustic-rs/rustic/releases/download/v0.6.1/rustic-v0.6.1-x86_64-unknown-linux-gnu.tar.gz"; + x86_64-linux.hash = "sha256-3zySzx8MKFprMOi++yr2ZGASE0aRfXHQuG3SN+kWUCI="; + i686-linux.url = "https://github.com/rustic-rs/rustic/releases/download/v0.6.1/rustic-v0.6.1-i686-unknown-linux-gnu.tar.gz"; + i686-linux.hash = "sha256-fWNiATFeg0B2pfB5zndlnzGn7Ztl8diVS1rFLEDnSLU="; + aarch64-linux.url = "https://github.com/rustic-rs/rustic/releases/download/v0.6.1/rustic-v0.6.1-aarch64-unknown-linux-gnu.tar.gz"; + aarch64-linux.hash = "sha256-hnldbd2cctQIAhIKoEZLIWY8H3jiFBClkNy2UlyyvAs="; + }; + exec-name = "rustic"; + + if32 = pythonStatement: if check32 then pythonStatement else "pass"; + in + '' + machine.start() + machine.wait_for_unit("multi-user.target") + + with subtest("Check for stub (enabled, initial)"): + machine.succeed('test -L /${libDir}/${ldsoBasename}') + ${if32 "machine.succeed('test -L /${libDir32}/${ldsoBasename32}')"} + + with subtest("Try FHS executable"): + machine.copy_from_host('${test-exec.${pkgs.system}}','test-exec') + machine.succeed('if test-exec/${exec-name} 2>outfile; then false; else [ $? -eq 127 ];fi') + machine.succeed('grep -qi nixos outfile') + ${if32 "machine.copy_from_host('${test-exec.${pkgs32.system}}','test-exec32')"} + ${if32 "machine.succeed('if test-exec32/${exec-name} 2>outfile32; then false; else [ $? -eq 127 ];fi')"} + ${if32 "machine.succeed('grep -qi nixos outfile32')"} + + with subtest("Disable stub"): + machine.succeed("/run/booted-system/specialisation/nostub/bin/switch-to-configuration test") + + with subtest("Check for stub (disabled)"): + machine.fail('test -e /${libDir}/${ldsoBasename}') + ${if32 "machine.fail('test -e /${libDir32}/${ldsoBasename32}')"} + + with subtest("Create file in stub location (to be overwritten)"): + machine.succeed('mkdir -p /${libDir};touch /${libDir}/${ldsoBasename}') + ${if32 "machine.succeed('mkdir -p /${libDir32};touch /${libDir32}/${ldsoBasename32}')"} + + with subtest("Re-enable stub"): + machine.succeed("/run/booted-system/bin/switch-to-configuration test") + + with subtest("Check for stub (enabled, final)"): + machine.succeed('test -L /${libDir}/${ldsoBasename}') + ${if32 "machine.succeed('test -L /${libDir32}/${ldsoBasename32}')"} + ''; +}) diff --git a/nixos/tests/stunnel.nix b/nixos/tests/stunnel.nix index 07fba435d4df6..f8cfa0414761d 100644 --- a/nixos/tests/stunnel.nix +++ b/nixos/tests/stunnel.nix @@ -19,8 +19,10 @@ let makeCert = { config, pkgs, ... }: { systemd.services.create-test-cert = { wantedBy = [ "sysinit.target" ]; - before = [ "sysinit.target" ]; + before = [ "sysinit.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; unitConfig.DefaultDependencies = false; + serviceConfig.Type = "oneshot"; script = '' ${pkgs.openssl}/bin/openssl req -batch -x509 -newkey rsa -nodes -out /test-cert.pem -keyout /test-key.pem -subj /CN=${config.networking.hostName} ( umask 077; cat /test-key.pem /test-cert.pem > /test-key-and-cert.pem ) diff --git a/nixos/tests/systemd-boot.nix b/nixos/tests/systemd-boot.nix index 256a18532b0a2..c0b37a230df0f 100644 --- a/nixos/tests/systemd-boot.nix +++ b/nixos/tests/systemd-boot.nix @@ -253,7 +253,7 @@ in }; garbage-collect-entry = makeTest { - name = "systemd-boot-switch-test"; + name = "systemd-boot-garbage-collect-entry"; meta.maintainers = with pkgs.lib.maintainers; [ julienmalka ]; nodes = { diff --git a/nixos/tests/systemd-initrd-networkd.nix b/nixos/tests/systemd-initrd-networkd.nix index 9c4ddb6e4b363..691f4300d7a23 100644 --- a/nixos/tests/systemd-initrd-networkd.nix +++ b/nixos/tests/systemd-initrd-networkd.nix @@ -33,7 +33,8 @@ let boot.initrd.network.flushBeforeStage2 = flush; systemd.services.check-flush = { requiredBy = ["multi-user.target"]; - before = ["network-pre.target" "multi-user.target"]; + before = [ "network-pre.target" "multi-user.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; wants = ["network-pre.target"]; unitConfig.DefaultDependencies = false; serviceConfig.Type = "oneshot"; diff --git a/nixos/tests/telegraf.nix b/nixos/tests/telegraf.nix index af9c5c387a5dd..c3cdb1645213a 100644 --- a/nixos/tests/telegraf.nix +++ b/nixos/tests/telegraf.nix @@ -12,7 +12,6 @@ import ./make-test-python.nix ({ pkgs, ...} : { services.telegraf.extraConfig = { agent.interval = "1s"; agent.flush_interval = "1s"; - inputs.procstat = {}; inputs.exec = { commands = [ "${pkgs.runtimeShell} -c 'echo $SECRET,tag=a i=42i'" diff --git a/nixos/tests/tomcat.nix b/nixos/tests/tomcat.nix index ff58ca8ac618b..df5cb033b78f0 100644 --- a/nixos/tests/tomcat.nix +++ b/nixos/tests/tomcat.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ lib, pkgs, ... }: { name = "tomcat"; meta.maintainers = [ lib.maintainers.anthonyroussel ]; diff --git a/nixos/tests/varnish.nix b/nixos/tests/varnish.nix index 9dcdeec9d8c8f..76cea1ada5477 100644 --- a/nixos/tests/varnish.nix +++ b/nixos/tests/varnish.nix @@ -3,12 +3,12 @@ , pkgs ? import ../.. { inherit system; } , package }: -import ./make-test-python.nix ({ pkgs, ... }: let +import ./make-test-python.nix ({ pkgs, lib, ... }: let testPath = pkgs.hello; in { name = "varnish"; - meta = with pkgs.lib.maintainers; { - maintainers = [ ajs124 ]; + meta = { + maintainers = lib.teams.helsinki-systems.members; }; nodes = { diff --git a/nixos/tests/zammad.nix b/nixos/tests/zammad.nix index 1b2f245946993..faae1949e37b9 100644 --- a/nixos/tests/zammad.nix +++ b/nixos/tests/zammad.nix @@ -7,6 +7,10 @@ import ./make-test-python.nix ( meta.maintainers = with lib.maintainers; [ taeer n0emis netali ]; nodes.machine = { config, ... }: { + virtualisation = { + memorySize = 2048; + }; + services.zammad.enable = true; services.zammad.secretKeyBaseFile = pkgs.writeText "secret" '' 52882ef142066e09ab99ce816ba72522e789505caba224a52d750ec7dc872c2c371b2fd19f16b25dfbdd435a4dd46cb3df9f82eb63fafad715056bdfe25740d6 diff --git a/nixos/tests/zfs.nix b/nixos/tests/zfs.nix index ad4ea254f34d7..8fedcf095af69 100644 --- a/nixos/tests/zfs.nix +++ b/nixos/tests/zfs.nix @@ -19,7 +19,7 @@ let makeTest { name = "zfs-" + name; meta = with pkgs.lib.maintainers; { - maintainers = [ adisbladis elvishjerricco ]; + maintainers = [ elvishjerricco ]; }; nodes.machine = { config, pkgs, lib, ... }: @@ -210,6 +210,7 @@ in { enableSystemdStage1 = true; }; + installerBoot = (import ./installer.nix { }).separateBootZfs; installer = (import ./installer.nix { }).zfsroot; expand-partitions = makeTest { |