diff options
Diffstat (limited to 'nixos')
652 files changed, 16813 insertions, 5825 deletions
diff --git a/nixos/doc/manual/administration/service-mgmt.chapter.md b/nixos/doc/manual/administration/service-mgmt.chapter.md index bb0f9b62e9138..674c737416805 100644 --- a/nixos/doc/manual/administration/service-mgmt.chapter.md +++ b/nixos/doc/manual/administration/service-mgmt.chapter.md @@ -75,7 +75,7 @@ necessary). Packages in Nixpkgs sometimes provide systemd units with them, usually in e.g `#pkg-out#/lib/systemd/`. Putting such a package in -`environment.systemPackages` doesn\'t make the service available to +`environment.systemPackages` doesn't make the service available to users or the system. In order to enable a systemd *system* service with provided upstream @@ -87,9 +87,9 @@ systemd.packages = [ pkgs.packagekit ]; Usually NixOS modules written by the community do the above, plus take care of other details. If a module was written for a service you are -interested in, you\'d probably need only to use +interested in, you'd probably need only to use `services.#name#.enable = true;`. These services are defined in -Nixpkgs\' [ `nixos/modules/` directory +Nixpkgs' [ `nixos/modules/` directory ](https://github.com/NixOS/nixpkgs/tree/master/nixos/modules). In case the service is simple enough, the above method should work, and start the service on boot. @@ -98,8 +98,8 @@ the service on boot. differently. Given a package that has a systemd unit file at `#pkg-out#/lib/systemd/user/`, using [](#opt-systemd.packages) will make you able to start the service via `systemctl --user start`, but it -won\'t start automatically on login. However, You can imperatively -enable it by adding the package\'s attribute to +won't start automatically on login. However, You can imperatively +enable it by adding the package's attribute to [](#opt-systemd.packages) and then do this (e.g): ```ShellSession @@ -113,7 +113,7 @@ If you are interested in a timer file, use `timers.target.wants` instead of `default.target.wants` in the 1st and 2nd command. Using `systemctl --user enable syncthing.service` instead of the above, -will work, but it\'ll use the absolute path of `syncthing.service` for +will work, but it'll use the absolute path of `syncthing.service` for the symlink, and this path is in `/nix/store/.../lib/systemd/user/`. Hence [garbage collection](#sec-nix-gc) will remove that file and you will wind up with a broken symlink in your systemd configuration, which diff --git a/nixos/doc/manual/configuration/config-syntax.chapter.md b/nixos/doc/manual/configuration/config-syntax.chapter.md index 56d093c0f6e84..9f8d45d588997 100644 --- a/nixos/doc/manual/configuration/config-syntax.chapter.md +++ b/nixos/doc/manual/configuration/config-syntax.chapter.md @@ -15,5 +15,4 @@ NixOS configuration files. <xi:include href="config-file.section.xml" /> <xi:include href="abstractions.section.xml" /> <xi:include href="modularity.section.xml" /> -<xi:include href="summary.section.xml" /> ``` diff --git a/nixos/doc/manual/configuration/gpu-accel.chapter.md b/nixos/doc/manual/configuration/gpu-accel.chapter.md index 835cbad554859..aa41e25e56f3a 100644 --- a/nixos/doc/manual/configuration/gpu-accel.chapter.md +++ b/nixos/doc/manual/configuration/gpu-accel.chapter.md @@ -159,6 +159,40 @@ environment.variables.VK_ICD_FILENAMES = "/run/opengl-driver/share/vulkan/icd.d/radeon_icd.x86_64.json"; ``` +## VA-API {#sec-gpu-accel-va-api} + +[VA-API (Video Acceleration API)](https://www.intel.com/content/www/us/en/developer/articles/technical/linuxmedia-vaapi.html) +is an open-source library and API specification, which provides access to +graphics hardware acceleration capabilities for video processing. + +VA-API drivers are loaded by `libva`. The version in nixpkgs is built to search +the opengl driver path, so drivers can be installed in +[](#opt-hardware.opengl.extraPackages). + +VA-API can be tested using: + +```ShellSession +$ nix-shell -p libva-utils --run vainfo +``` + +### Intel {#sec-gpu-accel-va-api-intel} + +Modern Intel GPUs use the iHD driver, which can be installed with: + +```nix +hardware.opengl.extraPackages = [ + intel-media-driver +]; +``` + +Older Intel GPUs use the i965 driver, which can be installed with: + +```nix +hardware.opengl.extraPackages = [ + vaapiIntel +]; +``` + ## Common issues {#sec-gpu-accel-common-issues} ### User permissions {#sec-gpu-accel-common-issues-permissions} diff --git a/nixos/doc/manual/configuration/kubernetes.chapter.md b/nixos/doc/manual/configuration/kubernetes.chapter.md index 5d7b083289d9c..f39726090e431 100644 --- a/nixos/doc/manual/configuration/kubernetes.chapter.md +++ b/nixos/doc/manual/configuration/kubernetes.chapter.md @@ -17,7 +17,7 @@ services.kubernetes = { }; ``` -Another way is to assign cluster roles (\"master\" and/or \"node\") to +Another way is to assign cluster roles ("master" and/or "node") to the host. This enables apiserver, controllerManager, scheduler, addonManager, kube-proxy and etcd: diff --git a/nixos/doc/manual/configuration/linux-kernel.chapter.md b/nixos/doc/manual/configuration/linux-kernel.chapter.md index 1d06543d4f1e3..f5bce99dd1bbe 100644 --- a/nixos/doc/manual/configuration/linux-kernel.chapter.md +++ b/nixos/doc/manual/configuration/linux-kernel.chapter.md @@ -17,6 +17,16 @@ you may want to use one of the unversioned `pkgs.linuxPackages_*` aliases such as `pkgs.linuxPackages_latest`, that are kept up to date with new versions. +Please note that the current convention in NixOS is to only keep actively +maintained kernel versions on both unstable and the currently supported stable +release(s) of NixOS. This means that a non-longterm kernel will be removed after it's +abandoned by the kernel developers, even on stable NixOS versions. If you +pin your kernel onto a non-longterm version, expect your evaluation to fail as +soon as the version is out of maintenance. + +Longterm versions of kernels will be removed before the next stable NixOS that will +exceed the maintenance period of the kernel version. + The default Linux kernel configuration should be fine for most users. You can see the configuration of your current kernel with the following command: @@ -72,61 +82,68 @@ boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 120; sets the kernel's TCP keepalive time to 120 seconds. To see the available parameters, run `sysctl -a`. -## Customize your kernel {#sec-linux-config-customizing} +## Building a custom kernel {#sec-linux-config-customizing} -The first step before compiling the kernel is to generate an appropriate -`.config` configuration. Either you pass your own config via the -`configfile` setting of `linuxKernel.manualConfig`: +You can customize the default kernel configuration by overriding the arguments for your kernel package: ```nix -custom-kernel = let base_kernel = linuxKernel.kernels.linux_4_9; - in super.linuxKernel.manualConfig { - inherit (super) stdenv hostPlatform; - inherit (base_kernel) src; - version = "${base_kernel.version}-custom"; - - configfile = /home/me/my_kernel_config; - allowImportFromDerivation = true; -}; +pkgs.linux_latest.override { + ignoreConfigErrors = true; + autoModules = false; + kernelPreferBuiltin = true; + extraStructuredConfig = with lib.kernel; { + DEBUG_KERNEL = yes; + FRAME_POINTER = yes; + KGDB = yes; + KGDB_SERIAL_CONSOLE = yes; + DEBUG_INFO = yes; + }; +} ``` -You can edit the config with this snippet (by default `make - menuconfig` won\'t work out of the box on nixos): +See `pkgs/os-specific/linux/kernel/generic.nix` for details on how these arguments +affect the generated configuration. You can also build a custom version of Linux by calling +`pkgs.buildLinux` directly, which requires the `src` and `version` arguments to be specified. -```ShellSession -nix-shell -E 'with import <nixpkgs> {}; kernelToOverride.overrideAttrs (o: {nativeBuildInputs=o.nativeBuildInputs ++ [ pkg-config ncurses ];})' +To use your custom kernel package in your NixOS configuration, set + +```nix +boot.kernelPackages = pkgs.linuxPackagesFor yourCustomKernel; ``` -or you can let nixpkgs generate the configuration. Nixpkgs generates it -via answering the interactive kernel utility `make config`. The answers -depend on parameters passed to -`pkgs/os-specific/linux/kernel/generic.nix` (which you can influence by -overriding `extraConfig, autoModules, - modDirVersion, preferBuiltin, extraConfig`). +Note that this method will use the common configuration defined in `pkgs/os-specific/linux/kernel/common-config.nix`, +which is suitable for a NixOS system. + +If you already have a generated configuration file, you can build a kernel that uses it with `pkgs.linuxManualConfig`: ```nix -mptcp93.override ({ - name="mptcp-local"; +let + baseKernel = pkgs.linux_latest; +in pkgs.linuxManualConfig { + inherit (baseKernel) src modDirVersion; + version = "${baseKernel.version}-custom"; + configfile = ./my_kernel_config; + allowImportFromDerivation = true; +} +``` - ignoreConfigErrors = true; - autoModules = false; - kernelPreferBuiltin = true; +::: {.note} +The build will fail if `modDirVersion` does not match the source's `kernel.release` file, +so `modDirVersion` should remain tied to `src`. +::: - enableParallelBuilding = true; +To edit the `.config` file for Linux X.Y, proceed as follows: - extraConfig = '' - DEBUG_KERNEL y - FRAME_POINTER y - KGDB y - KGDB_SERIAL_CONSOLE y - DEBUG_INFO y - ''; -}); +```ShellSession +$ nix-shell '<nixpkgs>' -A linuxKernel.kernels.linux_X_Y.configEnv +$ unpackPhase +$ cd linux-* +$ make nconfig ``` ## Developing kernel modules {#sec-linux-config-developing-modules} -When developing kernel modules it\'s often convenient to run +When developing kernel modules it's often convenient to run edit-compile-run loop as quickly as possible. See below snippet as an example of developing `mellanox` drivers. @@ -138,3 +155,26 @@ $ cd linux-* $ make -C $dev/lib/modules/*/build M=$(pwd)/drivers/net/ethernet/mellanox modules # insmod ./drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.ko ``` + +## ZFS {#sec-linux-zfs} + +It's a common issue that the latest stable version of ZFS doesn't support the latest +available Linux kernel. It is recommended to use the latest available LTS that's compatible +with ZFS. Usually this is the default kernel provided by nixpkgs (i.e. `pkgs.linuxPackages`). + +Alternatively, it's possible to pin the system to the latest available kernel +version *that is supported by ZFS* like this: + +```nix +{ + boot.kernelPackages = pkgs.zfs.latestCompatibleLinuxPackages; +} +``` + +Please note that the version this attribute points to isn't monotonic because the latest kernel +version only refers to kernel versions supported by the Linux developers. In other words, +the latest kernel version that ZFS is compatible with may decrease over time. + +An example: the latest version ZFS is compatible with is 5.19 which is a non-longterm version. When 5.19 +is out of maintenance, the latest supported kernel version is 5.15 because it's longterm and the versions +5.16, 5.17 and 5.18 are already out of maintenance because they're non-longterm. diff --git a/nixos/doc/manual/configuration/profiles.chapter.md b/nixos/doc/manual/configuration/profiles.chapter.md index b4ae1b7d3faaa..2c3dea27c1818 100644 --- a/nixos/doc/manual/configuration/profiles.chapter.md +++ b/nixos/doc/manual/configuration/profiles.chapter.md @@ -2,7 +2,7 @@ In some cases, it may be desirable to take advantage of commonly-used, predefined configurations provided by nixpkgs, but different from those -that come as default. This is a role fulfilled by NixOS\'s Profiles, +that come as default. This is a role fulfilled by NixOS's Profiles, which come as files living in `<nixpkgs/nixos/modules/profiles>`. That is to say, expected usage is to add them to the imports list of your `/etc/configuration.nix` as such: diff --git a/nixos/doc/manual/configuration/profiles/hardened.section.md b/nixos/doc/manual/configuration/profiles/hardened.section.md index 9fb5e18c384a2..2e9bb196c0545 100644 --- a/nixos/doc/manual/configuration/profiles/hardened.section.md +++ b/nixos/doc/manual/configuration/profiles/hardened.section.md @@ -7,7 +7,7 @@ This includes a hardened kernel, and limiting the system information available to processes through the `/sys` and `/proc` filesystems. It also disables the User Namespaces feature of the kernel, which stops Nix from being able to build anything -(this particular setting can be overriden via +(this particular setting can be overridden via [](#opt-security.allowUserNamespaces)). See the [profile source](https://github.com/nixos/nixpkgs/tree/master/nixos/modules/profiles/hardened.nix) for further detail on which settings are altered. diff --git a/nixos/doc/manual/configuration/summary.section.md b/nixos/doc/manual/configuration/summary.section.md deleted file mode 100644 index 8abbbe257fd90..0000000000000 --- a/nixos/doc/manual/configuration/summary.section.md +++ /dev/null @@ -1,46 +0,0 @@ -# Syntax Summary {#sec-nix-syntax-summary} - -Below is a summary of the most important syntactic constructs in the Nix -expression language. It's not complete. In particular, there are many -other built-in functions. See the [Nix -manual](https://nixos.org/nix/manual/#chap-writing-nix-expressions) for -the rest. - -| Example | Description | -|-----------------------------------------------|--------------------------------------------------------------------------------------------------------------------| -| *Basic values* | | -| `"Hello world"` | A string | -| `"${pkgs.bash}/bin/sh"` | A string containing an expression (expands to `"/nix/store/hash-bash-version/bin/sh"`) | -| `true`, `false` | Booleans | -| `123` | An integer | -| `./foo.png` | A path (relative to the containing Nix expression) | -| *Compound values* | | -| `{ x = 1; y = 2; }` | A set with attributes named `x` and `y` | -| `{ foo.bar = 1; }` | A nested set, equivalent to `{ foo = { bar = 1; }; }` | -| `rec { x = "foo"; y = x + "bar"; }` | A recursive set, equivalent to `{ x = "foo"; y = "foobar"; }` | -| `[ "foo" "bar" ]` | A list with two elements | -| *Operators* | | -| `"foo" + "bar"` | String concatenation | -| `1 + 2` | Integer addition | -| `"foo" == "f" + "oo"` | Equality test (evaluates to `true`) | -| `"foo" != "bar"` | Inequality test (evaluates to `true`) | -| `!true` | Boolean negation | -| `{ x = 1; y = 2; }.x` | Attribute selection (evaluates to `1`) | -| `{ x = 1; y = 2; }.z or 3` | Attribute selection with default (evaluates to `3`) | -| `{ x = 1; y = 2; } // { z = 3; }` | Merge two sets (attributes in the right-hand set taking precedence) | -| *Control structures* | | -| `if 1 + 1 == 2 then "yes!" else "no!"` | Conditional expression | -| `assert 1 + 1 == 2; "yes!"` | Assertion check (evaluates to `"yes!"`). See [](#sec-assertions) for using assertions in modules | -| `let x = "foo"; y = "bar"; in x + y` | Variable definition | -| `with pkgs.lib; head [ 1 2 3 ]` | Add all attributes from the given set to the scope (evaluates to `1`) | -| *Functions (lambdas)* | | -| `x: x + 1` | A function that expects an integer and returns it increased by 1 | -| `(x: x + 1) 100` | A function call (evaluates to 101) | -| `let inc = x: x + 1; in inc (inc (inc 100))` | A function bound to a variable and subsequently called by name (evaluates to 103) | -| `{ x, y }: x + y` | A function that expects a set with required attributes `x` and `y` and concatenates them | -| `{ x, y ? "bar" }: x + y` | A function that expects a set with required attribute `x` and optional `y`, using `"bar"` as default value for `y` | -| `{ x, y, ... }: x + y` | A function that expects a set with required attributes `x` and `y` and ignores any other attributes | -| `{ x, y } @ args: x + y` | A function that expects a set with required attributes `x` and `y`, and binds the whole set to `args` | -| *Built-in functions* | | -| `import ./foo.nix` | Load and return Nix expression in given file | -| `map (x: x + x) [ 1 2 3 ]` | Apply a function to every element of a list (evaluates to `[ 2 4 6 ]`) | diff --git a/nixos/doc/manual/configuration/user-mgmt.chapter.md b/nixos/doc/manual/configuration/user-mgmt.chapter.md index 37990664a8f1b..b35b38f6e964a 100644 --- a/nixos/doc/manual/configuration/user-mgmt.chapter.md +++ b/nixos/doc/manual/configuration/user-mgmt.chapter.md @@ -30,10 +30,9 @@ to your NixOS configuration. For instance, if you remove a user from [](#opt-users.users) and run nixos-rebuild, the user account will cease to exist. Also, imperative commands for managing users and groups, such as useradd, are no longer available. Passwords may still be -assigned by setting the user\'s +assigned by setting the user's [hashedPassword](#opt-users.users._name_.hashedPassword) option. A -hashed password can be generated using `mkpasswd -m - sha-512`. +hashed password can be generated using `mkpasswd`. A user ID (uid) is assigned automatically. You can also specify a uid manually by adding diff --git a/nixos/doc/manual/configuration/wayland.chapter.md b/nixos/doc/manual/configuration/wayland.chapter.md index a3a46aa3da6f2..0f195bd665673 100644 --- a/nixos/doc/manual/configuration/wayland.chapter.md +++ b/nixos/doc/manual/configuration/wayland.chapter.md @@ -4,7 +4,7 @@ While X11 (see [](#sec-x11)) is still the primary display technology on NixOS, Wayland support is steadily improving. Where X11 separates the X Server and the window manager, on Wayland those are combined: a Wayland Compositor is like an X11 window manager, but also embeds the -Wayland \'Server\' functionality. This means it is sufficient to install +Wayland 'Server' functionality. This means it is sufficient to install a Wayland Compositor such as sway without separately enabling a Wayland server: diff --git a/nixos/doc/manual/configuration/wireless.section.md b/nixos/doc/manual/configuration/wireless.section.md index 6b223d843ac5d..3299d2d7ecb8a 100644 --- a/nixos/doc/manual/configuration/wireless.section.md +++ b/nixos/doc/manual/configuration/wireless.section.md @@ -50,7 +50,7 @@ networking.wireless.networks = { echelon = { pskRaw = "dca6d6ed41f4ab5a984c9f55f6f66d4efdc720ebf66959810f4329bb391c5435"; }; -} +}; ``` or you can use it to directly generate the `wpa_supplicant.conf`: diff --git a/nixos/doc/manual/configuration/x-windows.chapter.md b/nixos/doc/manual/configuration/x-windows.chapter.md index 27d117238807b..f92403ed1c4c4 100644 --- a/nixos/doc/manual/configuration/x-windows.chapter.md +++ b/nixos/doc/manual/configuration/x-windows.chapter.md @@ -81,7 +81,7 @@ second password to login can be redundant. To enable auto-login, you need to define your default window manager and desktop environment. If you wanted no desktop environment and i3 as your -your window manager, you\'d define: +your window manager, you'd define: ```nix services.xserver.displayManager.defaultSession = "none+i3"; @@ -110,7 +110,7 @@ maintained but may perform worse in some cases (like in old chipsets). The second driver, `intel`, is specific to Intel GPUs, but not recommended by most distributions: it lacks several modern features (for -example, it doesn\'t support Glamor) and the package hasn\'t been +example, it doesn't support Glamor) and the package hasn't been officially updated since 2015. The results vary depending on the hardware, so you may have to try both @@ -162,7 +162,7 @@ with other kernel modules. AMD provides a proprietary driver for its graphics cards that is not enabled by default because it's not Free Software, is often broken in -nixpkgs and as of this writing doesn\'t offer more features or +nixpkgs and as of this writing doesn't offer more features or performance. If you still want to use it anyway, you need to explicitly set: @@ -215,7 +215,7 @@ US layout, with an additional layer to type some greek symbols by pressing the right-alt key. Create a file called `us-greek` with the following content (under a -directory called `symbols`; it\'s an XKB peculiarity that will help with +directory called `symbols`; it's an XKB peculiarity that will help with testing): ```nix @@ -249,7 +249,7 @@ The name (after `extraLayouts.`) should match the one given to the Applying this customization requires rebuilding several packages, and a broken XKB file can lead to the X session crashing at login. Therefore, -you\'re strongly advised to **test your layout before applying it**: +you're strongly advised to **test your layout before applying it**: ```ShellSession $ nix-shell -p xorg.xkbcomp @@ -313,8 +313,8 @@ prefer to keep the layout definitions inside the NixOS configuration. Unfortunately, the Xorg server does not (currently) support setting a keymap directly but relies instead on XKB rules to select the matching -components (keycodes, types, \...) of a layout. This means that -components other than symbols won\'t be loaded by default. As a +components (keycodes, types, ...) of a layout. This means that +components other than symbols won't be loaded by default. As a workaround, you can set the keymap using `setxkbmap` at the start of the session with: @@ -323,7 +323,7 @@ services.xserver.displayManager.sessionCommands = "setxkbmap -keycodes media"; ``` If you are manually starting the X server, you should set the argument -`-xkbdir /etc/X11/xkb`, otherwise X won\'t find your layout files. For +`-xkbdir /etc/X11/xkb`, otherwise X won't find your layout files. For example with `xinit` run ```ShellSession diff --git a/nixos/doc/manual/configuration/xfce.chapter.md b/nixos/doc/manual/configuration/xfce.chapter.md index ee60d465e3b30..c331e63cfe54c 100644 --- a/nixos/doc/manual/configuration/xfce.chapter.md +++ b/nixos/doc/manual/configuration/xfce.chapter.md @@ -31,8 +31,8 @@ enabled. To enable Thunar without enabling Xfce, use the configuration option [](#opt-programs.thunar.enable) instead of simply adding `pkgs.xfce.thunar` to [](#opt-environment.systemPackages). -If you\'d like to add extra plugins to Thunar, add them to -[](#opt-programs.thunar.plugins). You shouldn\'t just add them to +If you'd like to add extra plugins to Thunar, add them to +[](#opt-programs.thunar.plugins). You shouldn't just add them to [](#opt-environment.systemPackages). ## Troubleshooting {#sec-xfce-troubleshooting .unnumbered} @@ -46,7 +46,7 @@ Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with db ``` This is caused by some needed GNOME services not running. This is all -fixed by enabling \"Launch GNOME services on startup\" in the Advanced +fixed by enabling "Launch GNOME services on startup" in the Advanced tab of the Session and Startup settings panel. Alternatively, you can run this command to do the same thing. diff --git a/nixos/doc/manual/contributing-to-this-manual.chapter.md b/nixos/doc/manual/contributing-to-this-manual.chapter.md index 26813d1042d69..557599809222a 100644 --- a/nixos/doc/manual/contributing-to-this-manual.chapter.md +++ b/nixos/doc/manual/contributing-to-this-manual.chapter.md @@ -1,6 +1,6 @@ # Contributing to this manual {#chap-contributing} -The DocBook and CommonMark sources of NixOS' manual are in the [nixos/doc/manual](https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual) subdirectory of the [Nixpkgs](https://github.com/NixOS/nixpkgs) repository. +The [DocBook] and CommonMark sources of the NixOS manual are in the [nixos/doc/manual](https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual) subdirectory of the [Nixpkgs](https://github.com/NixOS/nixpkgs) repository. You can quickly check your edits with the following: @@ -11,3 +11,25 @@ $ nix-build nixos/release.nix -A manual.x86_64-linux ``` If the build succeeds, the manual will be in `./result/share/doc/nixos/index.html`. + +**Contributing to the man pages** + +The man pages are written in [DocBook] which is XML. + +To see what your edits look like: + +```ShellSession +$ cd /path/to/nixpkgs +$ nix-build nixos/release.nix -A manpages.x86_64-linux +``` + +You can then read the man page you edited by running + +```ShellSession +$ man --manpath=result/share/man nixos-rebuild # Replace nixos-rebuild with the command whose manual you edited +``` + +If you're on a different architecture that's supported by NixOS (check nixos/release.nix) then replace `x86_64-linux` with the architecture. +`nix-build` will complain otherwise, but should also tell you which architecture you have + the supported ones. + +[DocBook]: https://en.wikipedia.org/wiki/DocBook diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index 6db20cdd64182..9b72e840f4b10 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix @@ -102,11 +102,14 @@ let ''; manualXsltprocOptions = toString [ - "--param section.autolabel 1" - "--param section.label.includes.component.label 1" + "--param chapter.autolabel 0" + "--param part.autolabel 0" + "--param preface.autolabel 0" + "--param reference.autolabel 0" + "--param section.autolabel 0" "--stringparam html.stylesheet 'style.css overrides.css highlightjs/mono-blue.css'" "--stringparam html.script './highlightjs/highlight.pack.js ./highlightjs/loader.js'" - "--param xref.with.number.and.title 1" + "--param xref.with.number.and.title 0" "--param toc.section.depth 0" "--param generate.consistent.ids 1" "--stringparam admon.style ''" diff --git a/nixos/doc/manual/development/activation-script.section.md b/nixos/doc/manual/development/activation-script.section.md index 1aee252fddea1..c339258c6dc48 100644 --- a/nixos/doc/manual/development/activation-script.section.md +++ b/nixos/doc/manual/development/activation-script.section.md @@ -34,7 +34,7 @@ read which is set to `dry-activate` when a dry activation is done. An activation script can write to special files instructing `switch-to-configuration` to restart/reload units. The script will take these -requests into account and will incorperate the unit configuration as described +requests into account and will incorporate the unit configuration as described above. This means that the activation script will "fake" a modified unit file and `switch-to-configuration` will act accordingly. By doing so, configuration like [systemd.services.\<name\>.restartIfChanged](#opt-systemd.services) is @@ -49,7 +49,7 @@ dry activation being `/run/nixos/dry-activation-restart-list` and `/run/nixos/dry-activation-reload-list`. Those files can contain newline-separated lists of unit names where duplicates are being ignored. These files are not create automatically and activation scripts must take the -possiblility into account that they have to create them first. +possibility into account that they have to create them first. ## NixOS snippets {#sec-activation-script-nixos-snippets} diff --git a/nixos/doc/manual/development/bootspec.chapter.md b/nixos/doc/manual/development/bootspec.chapter.md new file mode 100644 index 0000000000000..96c12f24e7f1f --- /dev/null +++ b/nixos/doc/manual/development/bootspec.chapter.md @@ -0,0 +1,36 @@ +# Experimental feature: Bootspec {#sec-experimental-bootspec} + +Bootspec is a experimental feature, introduced in the [RFC-0125 proposal](https://github.com/NixOS/rfcs/pull/125), the reference implementation can be found [there](https://github.com/NixOS/nixpkgs/pull/172237) in order to standardize bootloader support +and advanced boot workflows such as SecureBoot and potentially more. + +You can enable the creation of bootspec documents through [`boot.bootspec.enable = true`](options.html#opt-boot.bootspec.enable), which will prompt a warning until [RFC-0125](https://github.com/NixOS/rfcs/pull/125) is officially merged. + +## Schema {#sec-experimental-bootspec-schema} + +The bootspec schema is versioned and validated against [a CUE schema file](https://cuelang.org/) which should considered as the source of truth for your applications. + +You will find the current version [here](../../../modules/system/activation/bootspec.cue). + +## Extensions mechanism {#sec-experimental-bootspec-extensions} + +Bootspec cannot account for all usecases. + +For this purpose, Bootspec offers a generic extension facility [`boot.bootspec.extensions`](options.html#opt-boot.bootspec.extensions) which can be used to inject any data needed for your usecases. + +An example for SecureBoot is to get the Nix store path to `/etc/os-release` in order to bake it into a unified kernel image: + +```nix +{ config, lib, ... }: { + boot.bootspec.extensions = { + "org.secureboot.osRelease" = config.environment.etc."os-release".source; + }; +} +``` + +To reduce incompatibility and prevent names from clashing between applications, it is **highly recommended** to use a unique namespace for your extensions. + +## External bootloaders {#sec-experimental-bootspec-external-bootloaders} + +It is possible to enable your own bootloader through [`boot.loader.external.installHook`](options.html#opt-boot.loader.external.installHook) which can wrap an existing bootloader. + +Currently, there is no good story to compose existing bootloaders to enrich their features, e.g. SecureBoot, etc. It will be necessary to reimplement or reuse existing parts. diff --git a/nixos/doc/manual/development/development.xml b/nixos/doc/manual/development/development.xml index 624ee3931659b..949468c9021df 100644 --- a/nixos/doc/manual/development/development.xml +++ b/nixos/doc/manual/development/development.xml @@ -12,6 +12,7 @@ <xi:include href="../from_md/development/sources.chapter.xml" /> <xi:include href="../from_md/development/writing-modules.chapter.xml" /> <xi:include href="../from_md/development/building-parts.chapter.xml" /> + <xi:include href="../from_md/development/bootspec.chapter.xml" /> <xi:include href="../from_md/development/what-happens-during-a-system-switch.chapter.xml" /> <xi:include href="../from_md/development/writing-documentation.chapter.xml" /> <xi:include href="../from_md/development/nixos-tests.chapter.xml" /> diff --git a/nixos/doc/manual/development/option-declarations.section.md b/nixos/doc/manual/development/option-declarations.section.md index 88617ab1920a9..f89aae5730682 100644 --- a/nixos/doc/manual/development/option-declarations.section.md +++ b/nixos/doc/manual/development/option-declarations.section.md @@ -149,7 +149,7 @@ multiple modules, or as an alternative to related `enable` options. As an example, we will take the case of display managers. There is a central display manager module for generic display manager options and a -module file per display manager backend (sddm, gdm \...). +module file per display manager backend (sddm, gdm ...). There are two approaches we could take with this module structure: diff --git a/nixos/doc/manual/development/option-def.section.md b/nixos/doc/manual/development/option-def.section.md index 91b24cd4a3a16..22cf38873cf07 100644 --- a/nixos/doc/manual/development/option-def.section.md +++ b/nixos/doc/manual/development/option-def.section.md @@ -59,17 +59,35 @@ config = { ## Setting Priorities {#sec-option-definitions-setting-priorities .unnumbered} A module can override the definitions of an option in other modules by -setting a *priority*. All option definitions that do not have the lowest +setting an *override priority*. All option definitions that do not have the lowest priority value are discarded. By default, option definitions have -priority 1000. You can specify an explicit priority by using -`mkOverride`, e.g. +priority 100 and option defaults have priority 1500. +You can specify an explicit priority by using `mkOverride`, e.g. ```nix services.openssh.enable = mkOverride 10 false; ``` This definition causes all other definitions with priorities above 10 to -be discarded. The function `mkForce` is equal to `mkOverride 50`. +be discarded. The function `mkForce` is equal to `mkOverride 50`, and +`mkDefault` is equal to `mkOverride 1000`. + +## Ordering Definitions {#sec-option-definitions-ordering .unnumbered} + +It is also possible to influence the order in which the definitions for an option are +merged by setting an *order priority* with `mkOrder`. The default order priority is 1000. +The functions `mkBefore` and `mkAfter` are equal to `mkOrder 500` and `mkOrder 1500`, respectively. +As an example, + +```nix +hardware.firmware = mkBefore [ myFirmware ]; +``` + +This definition ensures that `myFirmware` comes before other unordered +definitions in the final list value of `hardware.firmware`. + +Note that this is different from [override priorities](#sec-option-definitions-setting-priorities): +setting an order does not affect whether the definition is included or not. ## Merging Configurations {#sec-option-definitions-merging .unnumbered} diff --git a/nixos/doc/manual/development/option-types.section.md b/nixos/doc/manual/development/option-types.section.md index 40b4d78b250e2..0e9c4a4d16be4 100644 --- a/nixos/doc/manual/development/option-types.section.md +++ b/nixos/doc/manual/development/option-types.section.md @@ -92,11 +92,11 @@ merging is handled. : A free-form attribute set. ::: {.warning} - This type will be deprecated in the future because it doesn\'t + This type will be deprecated in the future because it doesn't recurse into attribute sets, silently drops earlier attribute - definitions, and doesn\'t discharge `lib.mkDefault`, `lib.mkIf` + definitions, and doesn't discharge `lib.mkDefault`, `lib.mkIf` and co. For allowing arbitrary attribute sets, prefer - `types.attrsOf types.anything` instead which doesn\'t have these + `types.attrsOf types.anything` instead which doesn't have these problems. ::: @@ -222,7 +222,7 @@ Submodules are detailed in [Submodule](#section-option-types-submodule). - *`specialArgs`* An attribute set of extra arguments to be passed to the module functions. The option `_module.args` should be used instead for most arguments since it allows overriding. - *`specialArgs`* should only be used for arguments that can\'t go + *`specialArgs`* should only be used for arguments that can't go through the module fixed-point, because of infinite recursion or other problems. An example is overriding the `lib` argument, because `lib` itself is used to define `_module.args`, which @@ -236,7 +236,7 @@ Submodules are detailed in [Submodule](#section-option-types-submodule). In such a case it would allow the option to be set with `the-submodule.config = "value"` instead of requiring `the-submodule.config.config = "value"`. This is because - only when modules *don\'t* set the `config` or `options` + only when modules *don't* set the `config` or `options` keys, all keys are interpreted as option definitions in the `config` section. Enabling this option implicitly puts all attributes in the `config` section. @@ -324,7 +324,7 @@ Composed types are types that take a type as parameter. `listOf : Type *`t1`* or type *`t2`*, e.g. `with types; either int str`. Multiple definitions cannot be merged. -`types.oneOf` \[ *`t1 t2`* \... \] +`types.oneOf` \[ *`t1 t2`* ... \] : Type *`t1`* or type *`t2`* and so forth, e.g. `with types; oneOf [ int str bool ]`. Multiple definitions cannot be @@ -345,7 +345,7 @@ that are handled like a separate module. It takes a parameter *`o`*, that should be a set, or a function returning a set with an `options` key defining the sub-options. Submodule option definitions are type-checked accordingly to the `options` declarations. -Of course, you can nest submodule option definitons for even higher +Of course, you can nest submodule option definitions for even higher modularity. The option set can be defined directly diff --git a/nixos/doc/manual/development/replace-modules.section.md b/nixos/doc/manual/development/replace-modules.section.md index 0700a82004c1e..0c0d6a7ac2f19 100644 --- a/nixos/doc/manual/development/replace-modules.section.md +++ b/nixos/doc/manual/development/replace-modules.section.md @@ -2,7 +2,7 @@ Modules that are imported can also be disabled. The option declarations, config implementation and the imports of a disabled module will be -ignored, allowing another to take it\'s place. This can be used to +ignored, allowing another to take its place. This can be used to import a set of modules from another channel while keeping the rest of the system on a stable release. @@ -14,7 +14,7 @@ relative to the modules path (eg. \<nixpkgs/nixos/modules> for nixos). This example will replace the existing postgresql module with the version defined in the nixos-unstable channel while keeping the rest of the modules and packages from the original nixos channel. This only -overrides the module definition, this won\'t use postgresql from +overrides the module definition, this won't use postgresql from nixos-unstable unless explicitly configured to do so. ```nix @@ -35,7 +35,7 @@ nixos-unstable unless explicitly configured to do so. This example shows how to define a custom module as a replacement for an existing module. Importing this module will disable the original module -without having to know it\'s implementation details. +without having to know its implementation details. ```nix { config, lib, pkgs, ... }: diff --git a/nixos/doc/manual/development/settings-options.section.md b/nixos/doc/manual/development/settings-options.section.md index d569e23adbdcb..334149d021cb4 100644 --- a/nixos/doc/manual/development/settings-options.section.md +++ b/nixos/doc/manual/development/settings-options.section.md @@ -9,10 +9,10 @@ can be declared. File formats can be separated into two categories: `{ foo = { bar = 10; }; }`. Other examples are INI, YAML and TOML. The following section explains the convention for these settings. -- Non-nix-representable ones: These can\'t be trivially mapped to a +- Non-nix-representable ones: These can't be trivially mapped to a subset of Nix syntax. Most generic programming languages are in this group, e.g. bash, since the statement `if true; then echo hi; fi` - doesn\'t have a trivial representation in Nix. + doesn't have a trivial representation in Nix. Currently there are no fixed conventions for these, but it is common to have a `configFile` option for setting the configuration file @@ -24,7 +24,7 @@ can be declared. File formats can be separated into two categories: an `extraConfig` option of type `lines` to allow arbitrary text after the autogenerated part of the file. -## Nix-representable Formats (JSON, YAML, TOML, INI, \...) {#sec-settings-nix-representable} +## Nix-representable Formats (JSON, YAML, TOML, INI, ...) {#sec-settings-nix-representable} By convention, formats like this are handled with a generic `settings` option, representing the full program configuration as a Nix value. The diff --git a/nixos/doc/manual/development/writing-documentation.chapter.md b/nixos/doc/manual/development/writing-documentation.chapter.md index 7c29f600d7012..4986c9f0a81b6 100644 --- a/nixos/doc/manual/development/writing-documentation.chapter.md +++ b/nixos/doc/manual/development/writing-documentation.chapter.md @@ -19,7 +19,7 @@ $ nix-shell nix-shell$ make ``` -Once you are done making modifications to the manual, it\'s important to +Once you are done making modifications to the manual, it's important to build it before committing. You can do that as follows: ```ShellSession diff --git a/nixos/doc/manual/development/writing-modules.chapter.md b/nixos/doc/manual/development/writing-modules.chapter.md index 0c41cbd3cb757..fa24679b7fc83 100644 --- a/nixos/doc/manual/development/writing-modules.chapter.md +++ b/nixos/doc/manual/development/writing-modules.chapter.md @@ -71,7 +71,7 @@ The meaning of each part is as follows. - This `imports` list enumerates the paths to other NixOS modules that should be included in the evaluation of the system configuration. A default set of modules is defined in the file `modules/module-list.nix`. - These don\'t need to be added in the import list. + These don't need to be added in the import list. - The attribute `options` is a nested set of *option declarations* (described below). diff --git a/nixos/doc/manual/development/writing-nixos-tests.section.md b/nixos/doc/manual/development/writing-nixos-tests.section.md index 2efe52b9883c2..5bcdf6e58eb17 100644 --- a/nixos/doc/manual/development/writing-nixos-tests.section.md +++ b/nixos/doc/manual/development/writing-nixos-tests.section.md @@ -165,7 +165,7 @@ The following methods are available on machine objects: `get_screen_text_variants` : Return a list of different interpretations of what is currently - visible on the machine\'s screen using optical character + visible on the machine's screen using optical character recognition. The number and order of the interpretations is not specified and is subject to change, but if no exception is raised at least one will be returned. @@ -177,7 +177,7 @@ The following methods are available on machine objects: `get_screen_text` : Return a textual representation of what is currently visible on the - machine\'s screen using optical character recognition. + machine's screen using optical character recognition. ::: {.note} This requires [`enableOCR`](#test-opt-enableOCR) to be set to `true`. @@ -273,12 +273,13 @@ The following methods are available on machine objects: `wait_for_open_port` -: Wait until a process is listening on the given TCP port (on - `localhost`, at least). +: Wait until a process is listening on the given TCP port and IP address + (default `localhost`). `wait_for_closed_port` -: Wait until nobody is listening on the given TCP port. +: Wait until nobody is listening on the given TCP port and IP address + (default `localhost`). `wait_for_x` @@ -298,7 +299,7 @@ The following methods are available on machine objects: : Wait until the supplied regular expressions match a line of the serial console output. This method is useful when OCR is not - possibile or accurate enough. + possible or accurate enough. `wait_for_window` @@ -350,8 +351,8 @@ machine.wait_for_unit("xautolock.service", "x-session-user") This applies to `systemctl`, `get_unit_info`, `wait_for_unit`, `start_job` and `stop_job`. -For faster dev cycles it\'s also possible to disable the code-linters -(this shouldn\'t be commited though): +For faster dev cycles it's also possible to disable the code-linters +(this shouldn't be committed though): ```nix { @@ -370,7 +371,7 @@ For faster dev cycles it\'s also possible to disable the code-linters This will produce a Nix warning at evaluation time. To fully disable the linter, wrap the test script in comment directives to disable the Black -linter directly (again, don\'t commit this within the Nixpkgs +linter directly (again, don't commit this within the Nixpkgs repository): ```nix diff --git a/nixos/doc/manual/from_md/administration/cleaning-store.chapter.xml b/nixos/doc/manual/from_md/administration/cleaning-store.chapter.xml index 4243d2bf53f9b..35dfaf30f4575 100644 --- a/nixos/doc/manual/from_md/administration/cleaning-store.chapter.xml +++ b/nixos/doc/manual/from_md/administration/cleaning-store.chapter.xml @@ -23,7 +23,7 @@ $ nix-collect-garbage this unit automatically at certain points in time, for instance, every night at 03:15: </para> - <programlisting language="bash"> + <programlisting language="nix"> nix.gc.automatic = true; nix.gc.dates = "03:15"; </programlisting> diff --git a/nixos/doc/manual/from_md/administration/container-networking.section.xml b/nixos/doc/manual/from_md/administration/container-networking.section.xml index 788a2b7b0acbd..a64053cdfa5e0 100644 --- a/nixos/doc/manual/from_md/administration/container-networking.section.xml +++ b/nixos/doc/manual/from_md/administration/container-networking.section.xml @@ -31,7 +31,7 @@ $ ping -c1 10.233.4.2 address. This can be accomplished using the following configuration on the host: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.nat.enable = true; networking.nat.internalInterfaces = ["ve-+"]; networking.nat.externalInterface = "eth0"; @@ -45,7 +45,7 @@ networking.nat.externalInterface = "eth0"; If you are using Network Manager, you need to explicitly prevent it from managing container interfaces: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.networkmanager.unmanaged = [ "interface-name:ve-*" ]; </programlisting> <para> diff --git a/nixos/doc/manual/from_md/administration/control-groups.chapter.xml b/nixos/doc/manual/from_md/administration/control-groups.chapter.xml index 8dab2c9d44b49..f78c05878031e 100644 --- a/nixos/doc/manual/from_md/administration/control-groups.chapter.xml +++ b/nixos/doc/manual/from_md/administration/control-groups.chapter.xml @@ -42,7 +42,7 @@ $ systemd-cgls process would get 1/1001 of the cgroup’s CPU time.) You can limit a service’s CPU share in <literal>configuration.nix</literal>: </para> - <programlisting language="bash"> + <programlisting language="nix"> systemd.services.httpd.serviceConfig.CPUShares = 512; </programlisting> <para> @@ -57,7 +57,7 @@ systemd.services.httpd.serviceConfig.CPUShares = 512; <literal>configuration.nix</literal>; for instance, to limit <literal>httpd.service</literal> to 512 MiB of RAM (excluding swap): </para> - <programlisting language="bash"> + <programlisting language="nix"> systemd.services.httpd.serviceConfig.MemoryLimit = "512M"; </programlisting> <para> diff --git a/nixos/doc/manual/from_md/administration/declarative-containers.section.xml b/nixos/doc/manual/from_md/administration/declarative-containers.section.xml index 4831c9c74e848..efc3432ba1a14 100644 --- a/nixos/doc/manual/from_md/administration/declarative-containers.section.xml +++ b/nixos/doc/manual/from_md/administration/declarative-containers.section.xml @@ -6,7 +6,7 @@ following specifies that there shall be a container named <literal>database</literal> running PostgreSQL: </para> - <programlisting language="bash"> + <programlisting language="nix"> containers.database = { config = { config, pkgs, ... }: @@ -29,7 +29,7 @@ containers.database = However, they cannot change the network configuration. You can give a container its own network as follows: </para> - <programlisting language="bash"> + <programlisting language="nix"> containers.database = { privateNetwork = true; hostAddress = "192.168.100.10"; diff --git a/nixos/doc/manual/from_md/administration/service-mgmt.chapter.xml b/nixos/doc/manual/from_md/administration/service-mgmt.chapter.xml index 8b01b8f896a4a..3b7bd6cd30cf5 100644 --- a/nixos/doc/manual/from_md/administration/service-mgmt.chapter.xml +++ b/nixos/doc/manual/from_md/administration/service-mgmt.chapter.xml @@ -85,21 +85,21 @@ Jan 07 15:55:57 hagbard systemd[1]: Started PostgreSQL Server. Packages in Nixpkgs sometimes provide systemd units with them, usually in e.g <literal>#pkg-out#/lib/systemd/</literal>. Putting such a package in <literal>environment.systemPackages</literal> - doesn't make the service available to users or the system. + doesn’t make the service available to users or the system. </para> <para> In order to enable a systemd <emphasis>system</emphasis> service with provided upstream package, use (e.g): </para> - <programlisting language="bash"> + <programlisting language="nix"> systemd.packages = [ pkgs.packagekit ]; </programlisting> <para> Usually NixOS modules written by the community do the above, plus take care of other details. If a module was written for a service - you are interested in, you'd probably need only to use + you are interested in, you’d probably need only to use <literal>services.#name#.enable = true;</literal>. These services - are defined in Nixpkgs' + are defined in Nixpkgs’ <link xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/modules"> <literal>nixos/modules/</literal> directory </link>. In case the service is simple enough, the above method should work, and start @@ -111,8 +111,8 @@ systemd.packages = [ pkgs.packagekit ]; unit file at <literal>#pkg-out#/lib/systemd/user/</literal>, using <xref linkend="opt-systemd.packages" /> will make you able to start the service via <literal>systemctl --user start</literal>, - but it won't start automatically on login. However, You can - imperatively enable it by adding the package's attribute to + but it won’t start automatically on login. However, You can + imperatively enable it by adding the package’s attribute to <xref linkend="opt-systemd.packages" /> and then do this (e.g): </para> <programlisting> @@ -129,7 +129,7 @@ $ systemctl --user enable syncthing.service </para> <para> Using <literal>systemctl --user enable syncthing.service</literal> - instead of the above, will work, but it'll use the absolute path + instead of the above, will work, but it’ll use the absolute path of <literal>syncthing.service</literal> for the symlink, and this path is in <literal>/nix/store/.../lib/systemd/user/</literal>. Hence <link linkend="sec-nix-gc">garbage collection</link> will diff --git a/nixos/doc/manual/from_md/configuration/abstractions.section.xml b/nixos/doc/manual/from_md/configuration/abstractions.section.xml index c71e23e34adfd..469e85979e0f6 100644 --- a/nixos/doc/manual/from_md/configuration/abstractions.section.xml +++ b/nixos/doc/manual/from_md/configuration/abstractions.section.xml @@ -4,7 +4,7 @@ If you find yourself repeating yourself over and over, it’s time to abstract. Take, for instance, this Apache HTTP Server configuration: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.httpd.virtualHosts = { "blog.example.org" = { @@ -29,7 +29,7 @@ the only difference is the document root directories. To prevent this duplication, we can use a <literal>let</literal>: </para> - <programlisting language="bash"> + <programlisting language="nix"> let commonConfig = { adminAddr = "alice@example.org"; @@ -55,7 +55,7 @@ in You can write a <literal>let</literal> wherever an expression is allowed. Thus, you also could have written: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.httpd.virtualHosts = let commonConfig = ...; in @@ -74,7 +74,7 @@ in of different virtual hosts, all with identical configuration except for the document root. This can be done as follows: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.httpd.virtualHosts = let diff --git a/nixos/doc/manual/from_md/configuration/ad-hoc-network-config.section.xml b/nixos/doc/manual/from_md/configuration/ad-hoc-network-config.section.xml index 035ee3122e157..516022dc16d24 100644 --- a/nixos/doc/manual/from_md/configuration/ad-hoc-network-config.section.xml +++ b/nixos/doc/manual/from_md/configuration/ad-hoc-network-config.section.xml @@ -7,7 +7,7 @@ network configuration not covered by the existing NixOS modules. For instance, to statically configure an IPv6 address: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.localCommands = '' ip -6 addr add 2001:610:685:1::1/64 dev eth0 diff --git a/nixos/doc/manual/from_md/configuration/adding-custom-packages.section.xml b/nixos/doc/manual/from_md/configuration/adding-custom-packages.section.xml index 07f541666cbe1..b1a1a8df32477 100644 --- a/nixos/doc/manual/from_md/configuration/adding-custom-packages.section.xml +++ b/nixos/doc/manual/from_md/configuration/adding-custom-packages.section.xml @@ -28,7 +28,7 @@ $ cd nixpkgs manual. Finally, you add it to <xref linkend="opt-environment.systemPackages" />, e.g. </para> - <programlisting language="bash"> + <programlisting language="nix"> environment.systemPackages = [ pkgs.my-package ]; </programlisting> <para> @@ -45,7 +45,7 @@ environment.systemPackages = [ pkgs.my-package ]; Hello</link> package directly in <literal>configuration.nix</literal>: </para> - <programlisting language="bash"> + <programlisting language="nix"> environment.systemPackages = let my-hello = with pkgs; stdenv.mkDerivation rec { @@ -62,13 +62,13 @@ environment.systemPackages = Of course, you can also move the definition of <literal>my-hello</literal> into a separate Nix expression, e.g. </para> - <programlisting language="bash"> + <programlisting language="nix"> environment.systemPackages = [ (import ./my-hello.nix) ]; </programlisting> <para> where <literal>my-hello.nix</literal> contains: </para> - <programlisting language="bash"> + <programlisting language="nix"> with import <nixpkgs> {}; # bring all of Nixpkgs into scope stdenv.mkDerivation rec { @@ -98,7 +98,7 @@ Hello, world! need to install <literal>appimage-run</literal>: add to <literal>/etc/nixos/configuration.nix</literal> </para> - <programlisting language="bash"> + <programlisting language="nix"> environment.systemPackages = [ pkgs.appimage-run ]; </programlisting> <para> diff --git a/nixos/doc/manual/from_md/configuration/config-file.section.xml b/nixos/doc/manual/from_md/configuration/config-file.section.xml index 9792116eb08d5..f6c8f70cffc54 100644 --- a/nixos/doc/manual/from_md/configuration/config-file.section.xml +++ b/nixos/doc/manual/from_md/configuration/config-file.section.xml @@ -3,7 +3,7 @@ <para> The NixOS configuration file generally looks like this: </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, pkgs, ... }: { option definitions @@ -21,7 +21,7 @@ the name of an option and <literal>value</literal> is its value. For example, </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, pkgs, ... }: { services.httpd.enable = true; @@ -44,7 +44,7 @@ <literal>true</literal>. This means that the example above can also be written as: </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, pkgs, ... }: { services = { @@ -96,7 +96,7 @@ The option value `services.httpd.enable' in `/etc/nixos/configuration.nix' is no <para> Strings are enclosed in double quotes, e.g. </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.hostName = "dexter"; </programlisting> <para> @@ -107,7 +107,7 @@ networking.hostName = "dexter"; Multi-line strings can be enclosed in <emphasis>double single quotes</emphasis>, e.g. </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.extraHosts = '' 127.0.0.2 other-localhost @@ -135,7 +135,7 @@ networking.extraHosts = These can be <literal>true</literal> or <literal>false</literal>, e.g. </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.firewall.enable = true; networking.firewall.allowPing = false; </programlisting> @@ -149,7 +149,7 @@ networking.firewall.allowPing = false; <para> For example, </para> - <programlisting language="bash"> + <programlisting language="nix"> boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 60; </programlisting> <para> @@ -171,7 +171,7 @@ boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 60; Sets were introduced above. They are name/value pairs enclosed in braces, as in the option definition </para> - <programlisting language="bash"> + <programlisting language="nix"> fileSystems."/boot" = { device = "/dev/sda1"; fsType = "ext4"; @@ -189,13 +189,13 @@ fileSystems."/boot" = The important thing to note about lists is that list elements are separated by whitespace, like this: </para> - <programlisting language="bash"> + <programlisting language="nix"> boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ]; </programlisting> <para> List elements can be any other type, e.g. sets: </para> - <programlisting language="bash"> + <programlisting language="nix"> swapDevices = [ { device = "/dev/disk/by-label/swap"; } ]; </programlisting> </listitem> @@ -211,7 +211,7 @@ swapDevices = [ { device = "/dev/disk/by-label/swap"; } ]; through the function argument <literal>pkgs</literal>. Typical uses: </para> - <programlisting language="bash"> + <programlisting language="nix"> environment.systemPackages = [ pkgs.thunderbird pkgs.emacs diff --git a/nixos/doc/manual/from_md/configuration/config-syntax.chapter.xml b/nixos/doc/manual/from_md/configuration/config-syntax.chapter.xml index 01446e53e38ff..baf9639554cc2 100644 --- a/nixos/doc/manual/from_md/configuration/config-syntax.chapter.xml +++ b/nixos/doc/manual/from_md/configuration/config-syntax.chapter.xml @@ -17,5 +17,4 @@ <xi:include href="config-file.section.xml" /> <xi:include href="abstractions.section.xml" /> <xi:include href="modularity.section.xml" /> - <xi:include href="summary.section.xml" /> </chapter> diff --git a/nixos/doc/manual/from_md/configuration/customizing-packages.section.xml b/nixos/doc/manual/from_md/configuration/customizing-packages.section.xml index f78b5dc5460c5..8026c4102b486 100644 --- a/nixos/doc/manual/from_md/configuration/customizing-packages.section.xml +++ b/nixos/doc/manual/from_md/configuration/customizing-packages.section.xml @@ -22,7 +22,7 @@ a dependency on GTK 2. If you want to build it against GTK 3, you can specify that as follows: </para> - <programlisting language="bash"> + <programlisting language="nix"> environment.systemPackages = [ (pkgs.emacs.override { gtk = pkgs.gtk3; }) ]; </programlisting> <para> @@ -46,7 +46,7 @@ environment.systemPackages = [ (pkgs.emacs.override { gtk = pkgs.gtk3; }) ]; the package, such as the source code. For instance, if you want to override the source code of Emacs, you can say: </para> - <programlisting language="bash"> + <programlisting language="nix"> environment.systemPackages = [ (pkgs.emacs.overrideAttrs (oldAttrs: { name = "emacs-25.0-pre"; @@ -72,7 +72,7 @@ environment.systemPackages = [ everything depend on your customised instance, you can apply a <emphasis>global</emphasis> override as follows: </para> - <programlisting language="bash"> + <programlisting language="nix"> nixpkgs.config.packageOverrides = pkgs: { emacs = pkgs.emacs.override { gtk = pkgs.gtk3; }; }; diff --git a/nixos/doc/manual/from_md/configuration/declarative-packages.section.xml b/nixos/doc/manual/from_md/configuration/declarative-packages.section.xml index da31f18d9233e..bee310c2e34bf 100644 --- a/nixos/doc/manual/from_md/configuration/declarative-packages.section.xml +++ b/nixos/doc/manual/from_md/configuration/declarative-packages.section.xml @@ -7,7 +7,7 @@ adding the following line to <literal>configuration.nix</literal> enables the Mozilla Thunderbird email application: </para> - <programlisting language="bash"> + <programlisting language="nix"> environment.systemPackages = [ pkgs.thunderbird ]; </programlisting> <para> diff --git a/nixos/doc/manual/from_md/configuration/file-systems.chapter.xml b/nixos/doc/manual/from_md/configuration/file-systems.chapter.xml index 71441d8b4a5b3..e5285c7975556 100644 --- a/nixos/doc/manual/from_md/configuration/file-systems.chapter.xml +++ b/nixos/doc/manual/from_md/configuration/file-systems.chapter.xml @@ -7,7 +7,7 @@ <literal>/dev/disk/by-label/data</literal> onto the mount point <literal>/data</literal>: </para> - <programlisting language="bash"> + <programlisting language="nix"> fileSystems."/data" = { device = "/dev/disk/by-label/data"; fsType = "ext4"; diff --git a/nixos/doc/manual/from_md/configuration/firewall.section.xml b/nixos/doc/manual/from_md/configuration/firewall.section.xml index 24c19bb1c66d7..6e1ffab72c540 100644 --- a/nixos/doc/manual/from_md/configuration/firewall.section.xml +++ b/nixos/doc/manual/from_md/configuration/firewall.section.xml @@ -6,14 +6,14 @@ both IPv4 and IPv6 traffic. It is enabled by default. It can be disabled as follows: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.firewall.enable = false; </programlisting> <para> If the firewall is enabled, you can open specific TCP ports to the outside world: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.firewall.allowedTCPPorts = [ 80 443 ]; </programlisting> <para> @@ -26,7 +26,7 @@ networking.firewall.allowedTCPPorts = [ 80 443 ]; <para> To open ranges of TCP ports: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.firewall.allowedTCPPortRanges = [ { from = 4000; to = 4007; } { from = 8000; to = 8010; } diff --git a/nixos/doc/manual/from_md/configuration/gpu-accel.chapter.xml b/nixos/doc/manual/from_md/configuration/gpu-accel.chapter.xml index cc559a1933d92..c95d3dc865256 100644 --- a/nixos/doc/manual/from_md/configuration/gpu-accel.chapter.xml +++ b/nixos/doc/manual/from_md/configuration/gpu-accel.chapter.xml @@ -62,7 +62,7 @@ Platform Vendor Advanced Micro Devices, Inc. <xref linkend="opt-hardware.opengl.extraPackages" /> enables OpenCL support: </para> - <programlisting language="bash"> + <programlisting language="nix"> hardware.opengl.extraPackages = [ rocm-opencl-icd ]; @@ -85,7 +85,7 @@ hardware.opengl.extraPackages = [ enable OpenCL support. For example, for Gen8 and later GPUs, the following configuration can be used: </para> - <programlisting language="bash"> + <programlisting language="nix"> hardware.opengl.extraPackages = [ intel-compute-runtime ]; @@ -162,7 +162,7 @@ GPU1: makes amdvlk the default driver and hides radv and lavapipe from the device list. A specific driver can be forced as follows: </para> - <programlisting language="bash"> + <programlisting language="nix"> hardware.opengl.extraPackages = [ pkgs.amdvlk ]; @@ -180,6 +180,48 @@ environment.variables.VK_ICD_FILENAMES = </programlisting> </section> </section> + <section xml:id="sec-gpu-accel-va-api"> + <title>VA-API</title> + <para> + <link xlink:href="https://www.intel.com/content/www/us/en/developer/articles/technical/linuxmedia-vaapi.html">VA-API + (Video Acceleration API)</link> is an open-source library and API + specification, which provides access to graphics hardware + acceleration capabilities for video processing. + </para> + <para> + VA-API drivers are loaded by <literal>libva</literal>. The version + in nixpkgs is built to search the opengl driver path, so drivers + can be installed in + <xref linkend="opt-hardware.opengl.extraPackages" />. + </para> + <para> + VA-API can be tested using: + </para> + <programlisting> +$ nix-shell -p libva-utils --run vainfo +</programlisting> + <section xml:id="sec-gpu-accel-va-api-intel"> + <title>Intel</title> + <para> + Modern Intel GPUs use the iHD driver, which can be installed + with: + </para> + <programlisting language="nix"> +hardware.opengl.extraPackages = [ + intel-media-driver +]; +</programlisting> + <para> + Older Intel GPUs use the i965 driver, which can be installed + with: + </para> + <programlisting language="nix"> +hardware.opengl.extraPackages = [ + vaapiIntel +]; +</programlisting> + </section> + </section> <section xml:id="sec-gpu-accel-common-issues"> <title>Common issues</title> <section xml:id="sec-gpu-accel-common-issues-permissions"> diff --git a/nixos/doc/manual/from_md/configuration/ipv4-config.section.xml b/nixos/doc/manual/from_md/configuration/ipv4-config.section.xml index 047ba2165f070..49ec6f5952ecf 100644 --- a/nixos/doc/manual/from_md/configuration/ipv4-config.section.xml +++ b/nixos/doc/manual/from_md/configuration/ipv4-config.section.xml @@ -6,7 +6,7 @@ interfaces. However, you can configure an interface manually as follows: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.interfaces.eth0.ipv4.addresses = [ { address = "192.168.1.2"; prefixLength = 24; @@ -16,7 +16,7 @@ networking.interfaces.eth0.ipv4.addresses = [ { Typically you’ll also want to set a default gateway and set of name servers: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.defaultGateway = "192.168.1.1"; networking.nameservers = [ "8.8.8.8" ]; </programlisting> @@ -32,7 +32,7 @@ networking.nameservers = [ "8.8.8.8" ]; The host name is set using <xref linkend="opt-networking.hostName" />: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.hostName = "cartman"; </programlisting> <para> diff --git a/nixos/doc/manual/from_md/configuration/ipv6-config.section.xml b/nixos/doc/manual/from_md/configuration/ipv6-config.section.xml index 137c3d772a86d..2adb106226245 100644 --- a/nixos/doc/manual/from_md/configuration/ipv6-config.section.xml +++ b/nixos/doc/manual/from_md/configuration/ipv6-config.section.xml @@ -10,21 +10,21 @@ <xref linkend="opt-networking.interfaces._name_.tempAddress" />. You can disable IPv6 support globally by setting: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.enableIPv6 = false; </programlisting> <para> You can disable IPv6 on a single interface using a normal sysctl (in this example, we use interface <literal>eth0</literal>): </para> - <programlisting language="bash"> + <programlisting language="nix"> boot.kernel.sysctl."net.ipv6.conf.eth0.disable_ipv6" = true; </programlisting> <para> As with IPv4 networking interfaces are automatically configured via DHCPv6. You can configure an interface manually: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.interfaces.eth0.ipv6.addresses = [ { address = "fe00:aa:bb:cc::2"; prefixLength = 64; @@ -34,7 +34,7 @@ networking.interfaces.eth0.ipv6.addresses = [ { For configuring a gateway, optionally with explicitly specified interface: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.defaultGateway6 = { address = "fe00::1"; interface = "enp0s3"; diff --git a/nixos/doc/manual/from_md/configuration/kubernetes.chapter.xml b/nixos/doc/manual/from_md/configuration/kubernetes.chapter.xml index 1de19f64bdad1..da9ba323f18cf 100644 --- a/nixos/doc/manual/from_md/configuration/kubernetes.chapter.xml +++ b/nixos/doc/manual/from_md/configuration/kubernetes.chapter.xml @@ -10,7 +10,7 @@ way is to enable and configure cluster components appropriately by hand: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.kubernetes = { apiserver.enable = true; controllerManager.enable = true; @@ -21,24 +21,24 @@ services.kubernetes = { }; </programlisting> <para> - Another way is to assign cluster roles ("master" and/or - "node") to the host. This enables apiserver, + Another way is to assign cluster roles (<quote>master</quote> and/or + <quote>node</quote>) to the host. This enables apiserver, controllerManager, scheduler, addonManager, kube-proxy and etcd: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.kubernetes.roles = [ "master" ]; </programlisting> <para> While this will enable the kubelet and kube-proxy only: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.kubernetes.roles = [ "node" ]; </programlisting> <para> Assigning both the master and node roles is usable if you want a single node Kubernetes cluster for dev or testing purposes: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.kubernetes.roles = [ "master" "node" ]; </programlisting> <para> diff --git a/nixos/doc/manual/from_md/configuration/linux-kernel.chapter.xml b/nixos/doc/manual/from_md/configuration/linux-kernel.chapter.xml index a1d6815af29c1..f889306d51c02 100644 --- a/nixos/doc/manual/from_md/configuration/linux-kernel.chapter.xml +++ b/nixos/doc/manual/from_md/configuration/linux-kernel.chapter.xml @@ -5,7 +5,7 @@ option <literal>boot.kernelPackages</literal>. For instance, this selects the Linux 3.10 kernel: </para> - <programlisting language="bash"> + <programlisting language="nix"> boot.kernelPackages = pkgs.linuxKernel.packages.linux_3_10; </programlisting> <para> @@ -22,6 +22,19 @@ boot.kernelPackages = pkgs.linuxKernel.packages.linux_3_10; date with new versions. </para> <para> + Please note that the current convention in NixOS is to only keep + actively maintained kernel versions on both unstable and the + currently supported stable release(s) of NixOS. This means that a + non-longterm kernel will be removed after it’s abandoned by the + kernel developers, even on stable NixOS versions. If you pin your + kernel onto a non-longterm version, expect your evaluation to fail + as soon as the version is out of maintenance. + </para> + <para> + Longterm versions of kernels will be removed before the next stable + NixOS that will exceed the maintenance period of the kernel version. + </para> + <para> The default Linux kernel configuration should be fine for most users. You can see the configuration of your current kernel with the following command: @@ -35,7 +48,7 @@ zcat /proc/config.gz <xref linkend="sec-customising-packages" />). For instance, to enable support for the kernel debugger KGDB: </para> - <programlisting language="bash"> + <programlisting language="nix"> nixpkgs.config.packageOverrides = pkgs: pkgs.lib.recursiveUpdate pkgs { linuxKernel.kernels.linux_5_10 = pkgs.linuxKernel.kernels.linux_5_10.override { extraConfig = '' @@ -56,7 +69,7 @@ nixpkgs.config.packageOverrides = pkgs: pkgs.lib.recursiveUpdate pkgs { automatically by <literal>udev</literal>. You can force a module to be loaded via <xref linkend="opt-boot.kernelModules" />, e.g. </para> - <programlisting language="bash"> + <programlisting language="nix"> boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ]; </programlisting> <para> @@ -64,7 +77,7 @@ boot.kernelModules = [ "fuse" "kvm-intel" "coretemp&quo root file system), you can use <xref linkend="opt-boot.initrd.kernelModules" />: </para> - <programlisting language="bash"> + <programlisting language="nix"> boot.initrd.kernelModules = [ "cifs" ]; </programlisting> <para> @@ -75,7 +88,7 @@ boot.initrd.kernelModules = [ "cifs" ]; Kernel runtime parameters can be set through <xref linkend="opt-boot.kernel.sysctl" />, e.g. </para> - <programlisting language="bash"> + <programlisting language="nix"> boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 120; </programlisting> <para> @@ -83,65 +96,82 @@ boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 120; available parameters, run <literal>sysctl -a</literal>. </para> <section xml:id="sec-linux-config-customizing"> - <title>Customize your kernel</title> + <title>Building a custom kernel</title> <para> - The first step before compiling the kernel is to generate an - appropriate <literal>.config</literal> configuration. Either you - pass your own config via the <literal>configfile</literal> setting - of <literal>linuxKernel.manualConfig</literal>: + You can customize the default kernel configuration by overriding + the arguments for your kernel package: </para> - <programlisting language="bash"> -custom-kernel = let base_kernel = linuxKernel.kernels.linux_4_9; - in super.linuxKernel.manualConfig { - inherit (super) stdenv hostPlatform; - inherit (base_kernel) src; - version = "${base_kernel.version}-custom"; - - configfile = /home/me/my_kernel_config; - allowImportFromDerivation = true; -}; + <programlisting language="nix"> +pkgs.linux_latest.override { + ignoreConfigErrors = true; + autoModules = false; + kernelPreferBuiltin = true; + extraStructuredConfig = with lib.kernel; { + DEBUG_KERNEL = yes; + FRAME_POINTER = yes; + KGDB = yes; + KGDB_SERIAL_CONSOLE = yes; + DEBUG_INFO = yes; + }; +} </programlisting> <para> - You can edit the config with this snippet (by default - <literal>make menuconfig</literal> won't work out of the box on - nixos): + See <literal>pkgs/os-specific/linux/kernel/generic.nix</literal> + for details on how these arguments affect the generated + configuration. You can also build a custom version of Linux by + calling <literal>pkgs.buildLinux</literal> directly, which + requires the <literal>src</literal> and <literal>version</literal> + arguments to be specified. </para> - <programlisting> -nix-shell -E 'with import <nixpkgs> {}; kernelToOverride.overrideAttrs (o: {nativeBuildInputs=o.nativeBuildInputs ++ [ pkg-config ncurses ];})' + <para> + To use your custom kernel package in your NixOS configuration, set + </para> + <programlisting language="nix"> +boot.kernelPackages = pkgs.linuxPackagesFor yourCustomKernel; </programlisting> <para> - or you can let nixpkgs generate the configuration. Nixpkgs - generates it via answering the interactive kernel utility - <literal>make config</literal>. The answers depend on parameters - passed to - <literal>pkgs/os-specific/linux/kernel/generic.nix</literal> - (which you can influence by overriding - <literal>extraConfig, autoModules, modDirVersion, preferBuiltin, extraConfig</literal>). + Note that this method will use the common configuration defined in + <literal>pkgs/os-specific/linux/kernel/common-config.nix</literal>, + which is suitable for a NixOS system. </para> - <programlisting language="bash"> -mptcp93.override ({ - name="mptcp-local"; - - ignoreConfigErrors = true; - autoModules = false; - kernelPreferBuiltin = true; - - enableParallelBuilding = true; - - extraConfig = '' - DEBUG_KERNEL y - FRAME_POINTER y - KGDB y - KGDB_SERIAL_CONSOLE y - DEBUG_INFO y - ''; -}); + <para> + If you already have a generated configuration file, you can build + a kernel that uses it with + <literal>pkgs.linuxManualConfig</literal>: + </para> + <programlisting language="nix"> +let + baseKernel = pkgs.linux_latest; +in pkgs.linuxManualConfig { + inherit (baseKernel) src modDirVersion; + version = "${baseKernel.version}-custom"; + configfile = ./my_kernel_config; + allowImportFromDerivation = true; +} +</programlisting> + <note> + <para> + The build will fail if <literal>modDirVersion</literal> does not + match the source’s <literal>kernel.release</literal> file, so + <literal>modDirVersion</literal> should remain tied to + <literal>src</literal>. + </para> + </note> + <para> + To edit the <literal>.config</literal> file for Linux X.Y, proceed + as follows: + </para> + <programlisting> +$ nix-shell '<nixpkgs>' -A linuxKernel.kernels.linux_X_Y.configEnv +$ unpackPhase +$ cd linux-* +$ make nconfig </programlisting> </section> <section xml:id="sec-linux-config-developing-modules"> <title>Developing kernel modules</title> <para> - When developing kernel modules it's often convenient to run + When developing kernel modules it’s often convenient to run edit-compile-run loop as quickly as possible. See below snippet as an example of developing <literal>mellanox</literal> drivers. </para> @@ -154,4 +184,38 @@ $ make -C $dev/lib/modules/*/build M=$(pwd)/drivers/net/ethernet/mellanox module # insmod ./drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.ko </programlisting> </section> + <section xml:id="sec-linux-zfs"> + <title>ZFS</title> + <para> + It’s a common issue that the latest stable version of ZFS doesn’t + support the latest available Linux kernel. It is recommended to + use the latest available LTS that’s compatible with ZFS. Usually + this is the default kernel provided by nixpkgs (i.e. + <literal>pkgs.linuxPackages</literal>). + </para> + <para> + Alternatively, it’s possible to pin the system to the latest + available kernel version <emphasis>that is supported by + ZFS</emphasis> like this: + </para> + <programlisting language="nix"> +{ + boot.kernelPackages = pkgs.zfs.latestCompatibleLinuxPackages; +} +</programlisting> + <para> + Please note that the version this attribute points to isn’t + monotonic because the latest kernel version only refers to kernel + versions supported by the Linux developers. In other words, the + latest kernel version that ZFS is compatible with may decrease + over time. + </para> + <para> + An example: the latest version ZFS is compatible with is 5.19 + which is a non-longterm version. When 5.19 is out of maintenance, + the latest supported kernel version is 5.15 because it’s longterm + and the versions 5.16, 5.17 and 5.18 are already out of + maintenance because they’re non-longterm. + </para> + </section> </chapter> diff --git a/nixos/doc/manual/from_md/configuration/luks-file-systems.section.xml b/nixos/doc/manual/from_md/configuration/luks-file-systems.section.xml index 42b766eba98b4..144a5acecae30 100644 --- a/nixos/doc/manual/from_md/configuration/luks-file-systems.section.xml +++ b/nixos/doc/manual/from_md/configuration/luks-file-systems.section.xml @@ -30,7 +30,7 @@ Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: *** at boot time as <literal>/</literal>, add the following to <literal>configuration.nix</literal>: </para> - <programlisting language="bash"> + <programlisting language="nix"> boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d"; fileSystems."/".device = "/dev/mapper/crypted"; </programlisting> @@ -39,7 +39,7 @@ fileSystems."/".device = "/dev/mapper/crypted"; located on an encrypted partition, it is necessary to add the following grub option: </para> - <programlisting language="bash"> + <programlisting language="nix"> boot.loader.grub.enableCryptodisk = true; </programlisting> <section xml:id="sec-luks-file-systems-fido2"> @@ -67,7 +67,7 @@ Added to key to device /dev/sda2, slot: 2 compatible key, add the following to <literal>configuration.nix</literal>: </para> - <programlisting language="bash"> + <programlisting language="nix"> boot.initrd.luks.fido2Support = true; boot.initrd.luks.devices."/dev/sda2".fido2.credential = "f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7"; </programlisting> @@ -77,7 +77,7 @@ boot.initrd.luks.devices."/dev/sda2".fido2.credential = "f1d00200 protected, such as <link xlink:href="https://trezor.io/">Trezor</link>. </para> - <programlisting language="bash"> + <programlisting language="nix"> boot.initrd.luks.devices."/dev/sda2".fido2.passwordLess = true; </programlisting> </section> diff --git a/nixos/doc/manual/from_md/configuration/modularity.section.xml b/nixos/doc/manual/from_md/configuration/modularity.section.xml index a7688090fcc59..987b2fc43c013 100644 --- a/nixos/doc/manual/from_md/configuration/modularity.section.xml +++ b/nixos/doc/manual/from_md/configuration/modularity.section.xml @@ -14,7 +14,7 @@ other modules by including them from <literal>configuration.nix</literal>, e.g.: </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, pkgs, ... }: { imports = [ ./vpn.nix ./kde.nix ]; @@ -28,7 +28,7 @@ <literal>vpn.nix</literal> and <literal>kde.nix</literal>. The latter might look like this: </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, pkgs, ... }: { services.xserver.enable = true; @@ -50,7 +50,7 @@ you want it to appear first, you can use <literal>mkBefore</literal>: </para> - <programlisting language="bash"> + <programlisting language="nix"> boot.kernelModules = mkBefore [ "kvm-intel" ]; </programlisting> <para> @@ -70,7 +70,7 @@ The unique option `services.httpd.adminAddr' is defined multiple times, in `/etc When that happens, it’s possible to force one definition take precedence over the others: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.httpd.adminAddr = pkgs.lib.mkForce "bob@example.org"; </programlisting> <para> @@ -93,7 +93,7 @@ services.httpd.adminAddr = pkgs.lib.mkForce "bob@example.org"; <xref linkend="opt-services.xserver.enable" /> is set to <literal>true</literal> somewhere else: </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, pkgs, ... }: { environment.systemPackages = @@ -137,7 +137,7 @@ nix-repl> map (x: x.hostName) config.services.httpd.virtualHosts below would have the same effect as importing a file which sets those options. </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, pkgs, ... }: let netConfig = hostName: { diff --git a/nixos/doc/manual/from_md/configuration/network-manager.section.xml b/nixos/doc/manual/from_md/configuration/network-manager.section.xml index 8f0d6d680ae07..c49618b4b9427 100644 --- a/nixos/doc/manual/from_md/configuration/network-manager.section.xml +++ b/nixos/doc/manual/from_md/configuration/network-manager.section.xml @@ -4,7 +4,7 @@ To facilitate network configuration, some desktop environments use NetworkManager. You can enable NetworkManager by setting: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.networkmanager.enable = true; </programlisting> <para> @@ -15,7 +15,7 @@ networking.networkmanager.enable = true; All users that should have permission to change network settings must belong to the <literal>networkmanager</literal> group: </para> - <programlisting language="bash"> + <programlisting language="nix"> users.users.alice.extraGroups = [ "networkmanager" ]; </programlisting> <para> @@ -36,7 +36,7 @@ users.users.alice.extraGroups = [ "networkmanager" ]; used together if desired. To do this you need to instruct NetworkManager to ignore those interfaces like: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.networkmanager.unmanaged = [ "*" "except:type:wwan" "except:type:gsm" ]; diff --git a/nixos/doc/manual/from_md/configuration/profiles.chapter.xml b/nixos/doc/manual/from_md/configuration/profiles.chapter.xml index 6f5fc130c6a07..f3aacfc0a2451 100644 --- a/nixos/doc/manual/from_md/configuration/profiles.chapter.xml +++ b/nixos/doc/manual/from_md/configuration/profiles.chapter.xml @@ -4,12 +4,12 @@ In some cases, it may be desirable to take advantage of commonly-used, predefined configurations provided by nixpkgs, but different from those that come as default. This is a role fulfilled - by NixOS's Profiles, which come as files living in + by NixOS’s Profiles, which come as files living in <literal><nixpkgs/nixos/modules/profiles></literal>. That is to say, expected usage is to add them to the imports list of your <literal>/etc/configuration.nix</literal> as such: </para> - <programlisting language="bash"> + <programlisting language="nix"> imports = [ <nixpkgs/nixos/modules/profiles/profile-name.nix> ]; diff --git a/nixos/doc/manual/from_md/configuration/profiles/hardened.section.xml b/nixos/doc/manual/from_md/configuration/profiles/hardened.section.xml index 44c11786d9406..1fd5a9179887f 100644 --- a/nixos/doc/manual/from_md/configuration/profiles/hardened.section.xml +++ b/nixos/doc/manual/from_md/configuration/profiles/hardened.section.xml @@ -9,7 +9,7 @@ available to processes through the <literal>/sys</literal> and <literal>/proc</literal> filesystems. It also disables the User Namespaces feature of the kernel, which stops Nix from being able to - build anything (this particular setting can be overriden via + build anything (this particular setting can be overridden via <xref linkend="opt-security.allowUserNamespaces" />). See the <link xlink:href="https://github.com/nixos/nixpkgs/tree/master/nixos/modules/profiles/hardened.nix">profile source</link> for further detail on which settings are altered. diff --git a/nixos/doc/manual/from_md/configuration/renaming-interfaces.section.xml b/nixos/doc/manual/from_md/configuration/renaming-interfaces.section.xml index 88c9e624c82ff..fca99edcbaea3 100644 --- a/nixos/doc/manual/from_md/configuration/renaming-interfaces.section.xml +++ b/nixos/doc/manual/from_md/configuration/renaming-interfaces.section.xml @@ -30,7 +30,7 @@ the interface with MAC address <literal>52:54:00:12:01:01</literal> using a netword link unit: </para> - <programlisting language="bash"> + <programlisting language="nix"> systemd.network.links."10-wan" = { matchConfig.PermanentMACAddress = "52:54:00:12:01:01"; linkConfig.Name = "wan"; @@ -43,7 +43,7 @@ systemd.network.links."10-wan" = { <para> Alternatively, we can use a plain old udev rule: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.udev.initrdRules = '' SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", \ ATTR{address}=="52:54:00:12:01:01", KERNEL=="eth*", NAME="wan" diff --git a/nixos/doc/manual/from_md/configuration/ssh.section.xml b/nixos/doc/manual/from_md/configuration/ssh.section.xml index 037418d8ea4dd..a330457f51d63 100644 --- a/nixos/doc/manual/from_md/configuration/ssh.section.xml +++ b/nixos/doc/manual/from_md/configuration/ssh.section.xml @@ -3,7 +3,7 @@ <para> Secure shell (SSH) access to your machine can be enabled by setting: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.openssh.enable = true; </programlisting> <para> @@ -16,7 +16,7 @@ services.openssh.enable = true; You can declaratively specify authorised RSA/DSA public keys for a user as follows: </para> - <programlisting language="bash"> + <programlisting language="nix"> users.users.alice.openssh.authorizedKeys.keys = [ "ssh-dss AAAAB3NzaC1kc3MAAACBAPIkGWVEt4..." ]; </programlisting> diff --git a/nixos/doc/manual/from_md/configuration/sshfs-file-systems.section.xml b/nixos/doc/manual/from_md/configuration/sshfs-file-systems.section.xml index 5d74712f35dc3..26984dd411a11 100644 --- a/nixos/doc/manual/from_md/configuration/sshfs-file-systems.section.xml +++ b/nixos/doc/manual/from_md/configuration/sshfs-file-systems.section.xml @@ -54,7 +54,7 @@ SHA256:yjxl3UbTn31fLWeyLYTAKYJPRmzknjQZoyG8gSNEoIE my-user@workstation <link linkend="opt-fileSystems">fileSystems</link> option. Here’s a typical setup: </para> - <programlisting language="bash"> + <programlisting language="nix"> { system.fsPackages = [ pkgs.sshfs ]; @@ -80,7 +80,7 @@ SHA256:yjxl3UbTn31fLWeyLYTAKYJPRmzknjQZoyG8gSNEoIE my-user@workstation well, for example you can change the default SSH port or specify a jump proxy: </para> - <programlisting language="bash"> + <programlisting language="nix"> { options = [ "ProxyJump=bastion@example.com" @@ -92,7 +92,7 @@ SHA256:yjxl3UbTn31fLWeyLYTAKYJPRmzknjQZoyG8gSNEoIE my-user@workstation It’s also possible to change the <literal>ssh</literal> command used by SSHFS to connect to the server. For example: </para> - <programlisting language="bash"> + <programlisting language="nix"> { options = [ (builtins.replaceStrings [" "] ["\\040"] diff --git a/nixos/doc/manual/from_md/configuration/subversion.chapter.xml b/nixos/doc/manual/from_md/configuration/subversion.chapter.xml index 794c2c34e3994..4390fc54ab534 100644 --- a/nixos/doc/manual/from_md/configuration/subversion.chapter.xml +++ b/nixos/doc/manual/from_md/configuration/subversion.chapter.xml @@ -25,7 +25,7 @@ Apache HTTP, setting <xref linkend="opt-services.httpd.adminAddr" /> appropriately: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.httpd.enable = true; services.httpd.adminAddr = ...; networking.firewall.allowedTCPPorts = [ 80 443 ]; @@ -40,7 +40,7 @@ networking.firewall.allowedTCPPorts = [ 80 443 ]; <literal>.authz</literal> file describing access permission, and <literal>AuthUserFile</literal> to the password file. </para> - <programlisting language="bash"> + <programlisting language="nix"> services.httpd.extraModules = [ # note that order is *super* important here { name = "dav_svn"; path = "${pkgs.apacheHttpdPackages.subversion}/modules/mod_dav_svn.so"; } @@ -106,7 +106,7 @@ $ htpasswd -s PASSWORD_FILE USER_NAME <literal>ACCESS_FILE</literal> will look something like the following: </para> - <programlisting language="bash"> + <programlisting language="nix"> [/] * = r diff --git a/nixos/doc/manual/from_md/configuration/summary.section.xml b/nixos/doc/manual/from_md/configuration/summary.section.xml deleted file mode 100644 index 96a178c4930ed..0000000000000 --- a/nixos/doc/manual/from_md/configuration/summary.section.xml +++ /dev/null @@ -1,332 +0,0 @@ -<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-nix-syntax-summary"> - <title>Syntax Summary</title> - <para> - Below is a summary of the most important syntactic constructs in the - Nix expression language. It’s not complete. In particular, there are - many other built-in functions. See the - <link xlink:href="https://nixos.org/nix/manual/#chap-writing-nix-expressions">Nix - manual</link> for the rest. - </para> - <informaltable> - <tgroup cols="2"> - <colspec align="left" /> - <colspec align="left" /> - <thead> - <row> - <entry> - Example - </entry> - <entry> - Description - </entry> - </row> - </thead> - <tbody> - <row> - <entry> - <emphasis>Basic values</emphasis> - </entry> - <entry> - </entry> - </row> - <row> - <entry> - <literal>"Hello world"</literal> - </entry> - <entry> - A string - </entry> - </row> - <row> - <entry> - <literal>"${pkgs.bash}/bin/sh"</literal> - </entry> - <entry> - A string containing an expression (expands to - <literal>"/nix/store/hash-bash-version/bin/sh"</literal>) - </entry> - </row> - <row> - <entry> - <literal>true</literal>, <literal>false</literal> - </entry> - <entry> - Booleans - </entry> - </row> - <row> - <entry> - <literal>123</literal> - </entry> - <entry> - An integer - </entry> - </row> - <row> - <entry> - <literal>./foo.png</literal> - </entry> - <entry> - A path (relative to the containing Nix expression) - </entry> - </row> - <row> - <entry> - <emphasis>Compound values</emphasis> - </entry> - <entry> - </entry> - </row> - <row> - <entry> - <literal>{ x = 1; y = 2; }</literal> - </entry> - <entry> - A set with attributes named <literal>x</literal> and - <literal>y</literal> - </entry> - </row> - <row> - <entry> - <literal>{ foo.bar = 1; }</literal> - </entry> - <entry> - A nested set, equivalent to - <literal>{ foo = { bar = 1; }; }</literal> - </entry> - </row> - <row> - <entry> - <literal>rec { x = "foo"; y = x + "bar"; }</literal> - </entry> - <entry> - A recursive set, equivalent to - <literal>{ x = "foo"; y = "foobar"; }</literal> - </entry> - </row> - <row> - <entry> - <literal>[ "foo" "bar" ]</literal> - </entry> - <entry> - A list with two elements - </entry> - </row> - <row> - <entry> - <emphasis>Operators</emphasis> - </entry> - <entry> - </entry> - </row> - <row> - <entry> - <literal>"foo" + "bar"</literal> - </entry> - <entry> - String concatenation - </entry> - </row> - <row> - <entry> - <literal>1 + 2</literal> - </entry> - <entry> - Integer addition - </entry> - </row> - <row> - <entry> - <literal>"foo" == "f" + "oo"</literal> - </entry> - <entry> - Equality test (evaluates to <literal>true</literal>) - </entry> - </row> - <row> - <entry> - <literal>"foo" != "bar"</literal> - </entry> - <entry> - Inequality test (evaluates to <literal>true</literal>) - </entry> - </row> - <row> - <entry> - <literal>!true</literal> - </entry> - <entry> - Boolean negation - </entry> - </row> - <row> - <entry> - <literal>{ x = 1; y = 2; }.x</literal> - </entry> - <entry> - Attribute selection (evaluates to <literal>1</literal>) - </entry> - </row> - <row> - <entry> - <literal>{ x = 1; y = 2; }.z or 3</literal> - </entry> - <entry> - Attribute selection with default (evaluates to - <literal>3</literal>) - </entry> - </row> - <row> - <entry> - <literal>{ x = 1; y = 2; } // { z = 3; }</literal> - </entry> - <entry> - Merge two sets (attributes in the right-hand set taking - precedence) - </entry> - </row> - <row> - <entry> - <emphasis>Control structures</emphasis> - </entry> - <entry> - </entry> - </row> - <row> - <entry> - <literal>if 1 + 1 == 2 then "yes!" else "no!"</literal> - </entry> - <entry> - Conditional expression - </entry> - </row> - <row> - <entry> - <literal>assert 1 + 1 == 2; "yes!"</literal> - </entry> - <entry> - Assertion check (evaluates to - <literal>"yes!"</literal>). See - <xref linkend="sec-assertions" /> for using assertions in - modules - </entry> - </row> - <row> - <entry> - <literal>let x = "foo"; y = "bar"; in x + y</literal> - </entry> - <entry> - Variable definition - </entry> - </row> - <row> - <entry> - <literal>with pkgs.lib; head [ 1 2 3 ]</literal> - </entry> - <entry> - Add all attributes from the given set to the scope - (evaluates to <literal>1</literal>) - </entry> - </row> - <row> - <entry> - <emphasis>Functions (lambdas)</emphasis> - </entry> - <entry> - </entry> - </row> - <row> - <entry> - <literal>x: x + 1</literal> - </entry> - <entry> - A function that expects an integer and returns it increased - by 1 - </entry> - </row> - <row> - <entry> - <literal>(x: x + 1) 100</literal> - </entry> - <entry> - A function call (evaluates to 101) - </entry> - </row> - <row> - <entry> - <literal>let inc = x: x + 1; in inc (inc (inc 100))</literal> - </entry> - <entry> - A function bound to a variable and subsequently called by - name (evaluates to 103) - </entry> - </row> - <row> - <entry> - <literal>{ x, y }: x + y</literal> - </entry> - <entry> - A function that expects a set with required attributes - <literal>x</literal> and <literal>y</literal> and - concatenates them - </entry> - </row> - <row> - <entry> - <literal>{ x, y ? "bar" }: x + y</literal> - </entry> - <entry> - A function that expects a set with required attribute - <literal>x</literal> and optional <literal>y</literal>, - using <literal>"bar"</literal> as default value - for <literal>y</literal> - </entry> - </row> - <row> - <entry> - <literal>{ x, y, ... }: x + y</literal> - </entry> - <entry> - A function that expects a set with required attributes - <literal>x</literal> and <literal>y</literal> and ignores - any other attributes - </entry> - </row> - <row> - <entry> - <literal>{ x, y } @ args: x + y</literal> - </entry> - <entry> - A function that expects a set with required attributes - <literal>x</literal> and <literal>y</literal>, and binds the - whole set to <literal>args</literal> - </entry> - </row> - <row> - <entry> - <emphasis>Built-in functions</emphasis> - </entry> - <entry> - </entry> - </row> - <row> - <entry> - <literal>import ./foo.nix</literal> - </entry> - <entry> - Load and return Nix expression in given file - </entry> - </row> - <row> - <entry> - <literal>map (x: x + x) [ 1 2 3 ]</literal> - </entry> - <entry> - Apply a function to every element of a list (evaluates to - <literal>[ 2 4 6 ]</literal>) - </entry> - </row> - </tbody> - </tgroup> - </informaltable> -</section> diff --git a/nixos/doc/manual/from_md/configuration/user-mgmt.chapter.xml b/nixos/doc/manual/from_md/configuration/user-mgmt.chapter.xml index 06492d5c25126..d61b248d5eef6 100644 --- a/nixos/doc/manual/from_md/configuration/user-mgmt.chapter.xml +++ b/nixos/doc/manual/from_md/configuration/user-mgmt.chapter.xml @@ -7,7 +7,7 @@ states that a user account named <literal>alice</literal> shall exist: </para> - <programlisting language="bash"> + <programlisting language="nix"> users.users.alice = { isNormalUser = true; home = "/home/alice"; @@ -36,16 +36,16 @@ users.users.alice = { <xref linkend="opt-users.users" /> and run nixos-rebuild, the user account will cease to exist. Also, imperative commands for managing users and groups, such as useradd, are no longer available. - Passwords may still be assigned by setting the user's + Passwords may still be assigned by setting the user’s <link linkend="opt-users.users._name_.hashedPassword">hashedPassword</link> option. A hashed password can be generated using - <literal>mkpasswd -m sha-512</literal>. + <literal>mkpasswd</literal>. </para> <para> A user ID (uid) is assigned automatically. You can also specify a uid manually by adding </para> - <programlisting language="bash"> + <programlisting language="nix"> uid = 1000; </programlisting> <para> @@ -55,7 +55,7 @@ uid = 1000; Groups can be specified similarly. The following states that a group named <literal>students</literal> shall exist: </para> - <programlisting language="bash"> + <programlisting language="nix"> users.groups.students.gid = 1000; </programlisting> <para> diff --git a/nixos/doc/manual/from_md/configuration/wayland.chapter.xml b/nixos/doc/manual/from_md/configuration/wayland.chapter.xml index 1e90d4f31177c..07892c875bb25 100644 --- a/nixos/doc/manual/from_md/configuration/wayland.chapter.xml +++ b/nixos/doc/manual/from_md/configuration/wayland.chapter.xml @@ -5,11 +5,12 @@ display technology on NixOS, Wayland support is steadily improving. Where X11 separates the X Server and the window manager, on Wayland those are combined: a Wayland Compositor is like an X11 window - manager, but also embeds the Wayland 'Server' functionality. This - means it is sufficient to install a Wayland Compositor such as sway - without separately enabling a Wayland server: + manager, but also embeds the Wayland <quote>Server</quote> + functionality. This means it is sufficient to install a Wayland + Compositor such as sway without separately enabling a Wayland + server: </para> - <programlisting language="bash"> + <programlisting language="nix"> programs.sway.enable = true; </programlisting> <para> @@ -21,7 +22,7 @@ programs.sway.enable = true; be able to share your screen, you might want to activate this option: </para> - <programlisting language="bash"> + <programlisting language="nix"> xdg.portal.wlr.enable = true; </programlisting> <para> diff --git a/nixos/doc/manual/from_md/configuration/wireless.section.xml b/nixos/doc/manual/from_md/configuration/wireless.section.xml index 82bc201351574..79feab47203a5 100644 --- a/nixos/doc/manual/from_md/configuration/wireless.section.xml +++ b/nixos/doc/manual/from_md/configuration/wireless.section.xml @@ -9,13 +9,13 @@ <para> NixOS will start wpa_supplicant for you if you enable this setting: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.wireless.enable = true; </programlisting> <para> NixOS lets you specify networks for wpa_supplicant declaratively: </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.wireless.networks = { echelon = { # SSID with no spaces or special characters psk = "abcdefgh"; @@ -49,12 +49,12 @@ network={ psk=dca6d6ed41f4ab5a984c9f55f6f66d4efdc720ebf66959810f4329bb391c5435 } </programlisting> - <programlisting language="bash"> + <programlisting language="nix"> networking.wireless.networks = { echelon = { pskRaw = "dca6d6ed41f4ab5a984c9f55f6f66d4efdc720ebf66959810f4329bb391c5435"; }; -} +}; </programlisting> <para> or you can use it to directly generate the diff --git a/nixos/doc/manual/from_md/configuration/x-windows.chapter.xml b/nixos/doc/manual/from_md/configuration/x-windows.chapter.xml index c17e98983b27d..c5a8b9bae84d2 100644 --- a/nixos/doc/manual/from_md/configuration/x-windows.chapter.xml +++ b/nixos/doc/manual/from_md/configuration/x-windows.chapter.xml @@ -4,7 +4,7 @@ The X Window System (X11) provides the basis of NixOS’ graphical user interface. It can be enabled as follows: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.enable = true; </programlisting> <para> @@ -13,7 +13,7 @@ services.xserver.enable = true; and <literal>intel</literal>). You can also specify a driver manually, e.g. </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.videoDrivers = [ "r128" ]; </programlisting> <para> @@ -25,7 +25,7 @@ services.xserver.videoDrivers = [ "r128" ]; <literal>xterm</literal> window. Thus you should pick one or more of the following lines: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.desktopManager.plasma5.enable = true; services.xserver.desktopManager.xfce.enable = true; services.xserver.desktopManager.gnome.enable = true; @@ -42,14 +42,14 @@ services.xserver.windowManager.herbstluftwm.enable = true; LightDM. You can select an alternative one by picking one of the following lines: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.displayManager.sddm.enable = true; services.xserver.displayManager.gdm.enable = true; </programlisting> <para> You can set the keyboard layout (and optionally the layout variant): </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.layout = "de"; services.xserver.xkbVariant = "neo"; </programlisting> @@ -57,7 +57,7 @@ services.xserver.xkbVariant = "neo"; The X server is started automatically at boot time. If you don’t want this to happen, you can set: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.autorun = false; </programlisting> <para> @@ -70,7 +70,7 @@ services.xserver.autorun = false; On 64-bit systems, if you want OpenGL for 32-bit programs such as in Wine, you should also set the following: </para> - <programlisting language="bash"> + <programlisting language="nix"> hardware.opengl.driSupport32Bit = true; </programlisting> <section xml:id="sec-x11-auto-login"> @@ -88,16 +88,16 @@ hardware.opengl.driSupport32Bit = true; <para> To enable auto-login, you need to define your default window manager and desktop environment. If you wanted no desktop - environment and i3 as your your window manager, you'd define: + environment and i3 as your your window manager, you’d define: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.displayManager.defaultSession = "none+i3"; </programlisting> <para> Every display manager in NixOS supports auto-login, here is an example using lightdm for a user <literal>alice</literal>: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.displayManager.lightdm.enable = true; services.xserver.displayManager.autoLogin.enable = true; services.xserver.displayManager.autoLogin.user = "alice"; @@ -122,8 +122,8 @@ services.xserver.displayManager.autoLogin.user = "alice"; <para> The second driver, <literal>intel</literal>, is specific to Intel GPUs, but not recommended by most distributions: it lacks several - modern features (for example, it doesn't support Glamor) and the - package hasn't been officially updated since 2015. + modern features (for example, it doesn’t support Glamor) and the + package hasn’t been officially updated since 2015. </para> <para> The results vary depending on the hardware, so you may have to try @@ -131,14 +131,14 @@ services.xserver.displayManager.autoLogin.user = "alice"; <xref linkend="opt-services.xserver.videoDrivers" /> to set one. The recommended configuration for modern systems is: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.videoDrivers = [ "modesetting" ]; </programlisting> <para> If you experience screen tearing no matter what, this configuration was reported to resolve the issue: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.videoDrivers = [ "intel" ]; services.xserver.deviceSection = '' Option "DRI" "2" @@ -159,14 +159,14 @@ services.xserver.deviceSection = '' enabled by default because it’s not free software. You can enable it as follows: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.videoDrivers = [ "nvidia" ]; </programlisting> <para> Or if you have an older card, you may have to use one of the legacy drivers: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.videoDrivers = [ "nvidiaLegacy390" ]; services.xserver.videoDrivers = [ "nvidiaLegacy340" ]; services.xserver.videoDrivers = [ "nvidiaLegacy304" ]; @@ -181,11 +181,11 @@ services.xserver.videoDrivers = [ "nvidiaLegacy304" ]; <para> AMD provides a proprietary driver for its graphics cards that is not enabled by default because it’s not Free Software, is often - broken in nixpkgs and as of this writing doesn't offer more + broken in nixpkgs and as of this writing doesn’t offer more features or performance. If you still want to use it anyway, you need to explicitly set: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.videoDrivers = [ "amdgpu-pro" ]; </programlisting> <para> @@ -199,14 +199,14 @@ services.xserver.videoDrivers = [ "amdgpu-pro" ]; Support for Synaptics touchpads (found in many laptops such as the Dell Latitude series) can be enabled as follows: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.libinput.enable = true; </programlisting> <para> The driver has many options (see <xref linkend="ch-options" />). For instance, the following disables tap-to-click behavior: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.libinput.touchpad.tapping = false; </programlisting> <para> @@ -222,7 +222,7 @@ services.xserver.libinput.touchpad.tapping = false; applications look similar to GTK ones, you can use the following configuration: </para> - <programlisting language="bash"> + <programlisting language="nix"> qt5.enable = true; qt5.platformTheme = "gtk2"; qt5.style = "gtk2"; @@ -244,10 +244,10 @@ qt5.style = "gtk2"; <para> Create a file called <literal>us-greek</literal> with the following content (under a directory called - <literal>symbols</literal>; it's an XKB peculiarity that will help + <literal>symbols</literal>; it’s an XKB peculiarity that will help with testing): </para> - <programlisting language="bash"> + <programlisting language="nix"> xkb_symbols "us-greek" { include "us(basic)" // includes the base US keys @@ -263,7 +263,7 @@ xkb_symbols "us-greek" <para> A minimal layout specification must include the following: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.extraLayouts.us-greek = { description = "US layout with alt-gr greek"; languages = [ "eng" ]; @@ -279,7 +279,7 @@ services.xserver.extraLayouts.us-greek = { <para> Applying this customization requires rebuilding several packages, and a broken XKB file can lead to the X session crashing at login. - Therefore, you're strongly advised to <emphasis role="strong">test + Therefore, you’re strongly advised to <emphasis role="strong">test your layout before applying it</emphasis>: </para> <programlisting> @@ -312,7 +312,7 @@ $ echo "$(nix-build --no-out-link '<nixpkgs>' -A xorg.xkeyboardconfig interest, then create a <literal>media-key</literal> file to hold the keycodes definitions </para> - <programlisting language="bash"> + <programlisting language="nix"> xkb_keycodes "media" { <volUp> = 123; @@ -322,7 +322,7 @@ xkb_keycodes "media" <para> Now use the newly define keycodes in <literal>media-sym</literal>: </para> - <programlisting language="bash"> + <programlisting language="nix"> xkb_symbols "media" { key.type = "ONE_LEVEL"; @@ -333,7 +333,7 @@ xkb_symbols "media" <para> As before, to install the layout do </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.extraLayouts.media = { description = "Multimedia keys remapping"; languages = [ "eng" ]; @@ -352,18 +352,18 @@ services.xserver.extraLayouts.media = { <para> Unfortunately, the Xorg server does not (currently) support setting a keymap directly but relies instead on XKB rules to - select the matching components (keycodes, types, ...) of a layout. - This means that components other than symbols won't be loaded by + select the matching components (keycodes, types, …) of a layout. + This means that components other than symbols won’t be loaded by default. As a workaround, you can set the keymap using <literal>setxkbmap</literal> at the start of the session with: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.displayManager.sessionCommands = "setxkbmap -keycodes media"; </programlisting> <para> If you are manually starting the X server, you should set the argument <literal>-xkbdir /etc/X11/xkb</literal>, otherwise X - won't find your layout files. For example with + won’t find your layout files. For example with <literal>xinit</literal> run </para> <programlisting> diff --git a/nixos/doc/manual/from_md/configuration/xfce.chapter.xml b/nixos/doc/manual/from_md/configuration/xfce.chapter.xml index 42e70d1d81d30..7ec69b5e9b8ff 100644 --- a/nixos/doc/manual/from_md/configuration/xfce.chapter.xml +++ b/nixos/doc/manual/from_md/configuration/xfce.chapter.xml @@ -3,7 +3,7 @@ <para> To enable the Xfce Desktop Environment, set </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.desktopManager.xfce.enable = true; services.xserver.displayManager.defaultSession = "xfce"; </programlisting> @@ -11,7 +11,7 @@ services.xserver.displayManager.defaultSession = "xfce"; Optionally, <emphasis>picom</emphasis> can be enabled for nice graphical effects, some example settings: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.picom = { enable = true; fade = true; @@ -36,8 +36,8 @@ services.picom = { <xref linkend="opt-environment.systemPackages" />. </para> <para> - If you'd like to add extra plugins to Thunar, add them to - <xref linkend="opt-programs.thunar.plugins" />. You shouldn't just + If you’d like to add extra plugins to Thunar, add them to + <xref linkend="opt-programs.thunar.plugins" />. You shouldn’t just add them to <xref linkend="opt-environment.systemPackages" />. </para> </section> @@ -54,9 +54,10 @@ Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with db </programlisting> <para> This is caused by some needed GNOME services not running. This is - all fixed by enabling "Launch GNOME services on startup" - in the Advanced tab of the Session and Startup settings panel. - Alternatively, you can run this command to do the same thing. + all fixed by enabling <quote>Launch GNOME services on + startup</quote> in the Advanced tab of the Session and Startup + settings panel. Alternatively, you can run this command to do the + same thing. </para> <programlisting> $ xfconf-query -c xfce4-session -p /compat/LaunchGNOME -s true diff --git a/nixos/doc/manual/from_md/contributing-to-this-manual.chapter.xml b/nixos/doc/manual/from_md/contributing-to-this-manual.chapter.xml index a9b0c6a5eefa1..99dc5ce30b4b1 100644 --- a/nixos/doc/manual/from_md/contributing-to-this-manual.chapter.xml +++ b/nixos/doc/manual/from_md/contributing-to-this-manual.chapter.xml @@ -1,7 +1,9 @@ <chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="chap-contributing"> <title>Contributing to this manual</title> <para> - The DocBook and CommonMark sources of NixOS’ manual are in the + The + <link xlink:href="https://en.wikipedia.org/wiki/DocBook">DocBook</link> + and CommonMark sources of the NixOS manual are in the <link xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual">nixos/doc/manual</link> subdirectory of the <link xlink:href="https://github.com/NixOS/nixpkgs">Nixpkgs</link> @@ -19,4 +21,32 @@ $ nix-build nixos/release.nix -A manual.x86_64-linux If the build succeeds, the manual will be in <literal>./result/share/doc/nixos/index.html</literal>. </para> + <para> + <emphasis role="strong">Contributing to the man pages</emphasis> + </para> + <para> + The man pages are written in + <link xlink:href="https://en.wikipedia.org/wiki/DocBook">DocBook</link> + which is XML. + </para> + <para> + To see what your edits look like: + </para> + <programlisting> +$ cd /path/to/nixpkgs +$ nix-build nixos/release.nix -A manpages.x86_64-linux +</programlisting> + <para> + You can then read the man page you edited by running + </para> + <programlisting> +$ man --manpath=result/share/man nixos-rebuild # Replace nixos-rebuild with the command whose manual you edited +</programlisting> + <para> + If you’re on a different architecture that’s supported by NixOS + (check nixos/release.nix) then replace + <literal>x86_64-linux</literal> with the architecture. + <literal>nix-build</literal> will complain otherwise, but should + also tell you which architecture you have + the supported ones. + </para> </chapter> diff --git a/nixos/doc/manual/from_md/development/activation-script.section.xml b/nixos/doc/manual/from_md/development/activation-script.section.xml index 981ebf37e60f0..429b45c93defc 100644 --- a/nixos/doc/manual/from_md/development/activation-script.section.xml +++ b/nixos/doc/manual/from_md/development/activation-script.section.xml @@ -22,7 +22,7 @@ these dependencies into account and order the snippets accordingly. As a simple example: </para> - <programlisting language="bash"> + <programlisting language="nix"> system.activationScripts.my-activation-script = { deps = [ "etc" ]; # supportsDryActivation = true; @@ -45,7 +45,7 @@ system.activationScripts.my-activation-script = { An activation script can write to special files instructing <literal>switch-to-configuration</literal> to restart/reload units. The script will take these requests into account and will - incorperate the unit configuration as described above. This means + incorporate the unit configuration as described above. This means that the activation script will <quote>fake</quote> a modified unit file and <literal>switch-to-configuration</literal> will act accordingly. By doing so, configuration like @@ -66,7 +66,7 @@ system.activationScripts.my-activation-script = { <literal>/run/nixos/dry-activation-reload-list</literal>. Those files can contain newline-separated lists of unit names where duplicates are being ignored. These files are not create - automatically and activation scripts must take the possiblility into + automatically and activation scripts must take the possibility into account that they have to create them first. </para> <section xml:id="sec-activation-script-nixos-snippets"> diff --git a/nixos/doc/manual/from_md/development/assertions.section.xml b/nixos/doc/manual/from_md/development/assertions.section.xml index 0844d484d60f6..13f04d5d1883e 100644 --- a/nixos/doc/manual/from_md/development/assertions.section.xml +++ b/nixos/doc/manual/from_md/development/assertions.section.xml @@ -18,7 +18,7 @@ <para> This is an example of using <literal>warnings</literal>. </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, lib, ... }: { config = lib.mkIf config.services.foo.enable { @@ -42,7 +42,7 @@ assertion is useful to prevent such a broken system from being built. </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, lib, ... }: { config = lib.mkIf config.services.syslogd.enable { diff --git a/nixos/doc/manual/from_md/development/bootspec.chapter.xml b/nixos/doc/manual/from_md/development/bootspec.chapter.xml new file mode 100644 index 0000000000000..9ecbe1d1beede --- /dev/null +++ b/nixos/doc/manual/from_md/development/bootspec.chapter.xml @@ -0,0 +1,73 @@ +<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-experimental-bootspec"> + <title>Experimental feature: Bootspec</title> + <para> + Bootspec is a experimental feature, introduced in the + <link xlink:href="https://github.com/NixOS/rfcs/pull/125">RFC-0125 + proposal</link>, the reference implementation can be found + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/172237">there</link> + in order to standardize bootloader support and advanced boot + workflows such as SecureBoot and potentially more. + </para> + <para> + You can enable the creation of bootspec documents through + <link xlink:href="options.html#opt-boot.bootspec.enable"><literal>boot.bootspec.enable = true</literal></link>, + which will prompt a warning until + <link xlink:href="https://github.com/NixOS/rfcs/pull/125">RFC-0125</link> + is officially merged. + </para> + <section xml:id="sec-experimental-bootspec-schema"> + <title>Schema</title> + <para> + The bootspec schema is versioned and validated against + <link xlink:href="https://cuelang.org/">a CUE schema file</link> + which should considered as the source of truth for your + applications. + </para> + <para> + You will find the current version + <link xlink:href="../../../modules/system/activation/bootspec.cue">here</link>. + </para> + </section> + <section xml:id="sec-experimental-bootspec-extensions"> + <title>Extensions mechanism</title> + <para> + Bootspec cannot account for all usecases. + </para> + <para> + For this purpose, Bootspec offers a generic extension facility + <link xlink:href="options.html#opt-boot.bootspec.extensions"><literal>boot.bootspec.extensions</literal></link> + which can be used to inject any data needed for your usecases. + </para> + <para> + An example for SecureBoot is to get the Nix store path to + <literal>/etc/os-release</literal> in order to bake it into a + unified kernel image: + </para> + <programlisting language="nix"> +{ config, lib, ... }: { + boot.bootspec.extensions = { + "org.secureboot.osRelease" = config.environment.etc."os-release".source; + }; +} +</programlisting> + <para> + To reduce incompatibility and prevent names from clashing between + applications, it is <emphasis role="strong">highly + recommended</emphasis> to use a unique namespace for your + extensions. + </para> + </section> + <section xml:id="sec-experimental-bootspec-external-bootloaders"> + <title>External bootloaders</title> + <para> + It is possible to enable your own bootloader through + <link xlink:href="options.html#opt-boot.loader.external.installHook"><literal>boot.loader.external.installHook</literal></link> + which can wrap an existing bootloader. + </para> + <para> + Currently, there is no good story to compose existing bootloaders + to enrich their features, e.g. SecureBoot, etc. It will be + necessary to reimplement or reuse existing parts. + </para> + </section> +</chapter> diff --git a/nixos/doc/manual/from_md/development/freeform-modules.section.xml b/nixos/doc/manual/from_md/development/freeform-modules.section.xml index 86a9cf3140d88..c51bc76ff966e 100644 --- a/nixos/doc/manual/from_md/development/freeform-modules.section.xml +++ b/nixos/doc/manual/from_md/development/freeform-modules.section.xml @@ -30,7 +30,7 @@ type-checked <literal>settings</literal> attribute</link> for a more complete example. </para> - <programlisting language="bash"> + <programlisting language="nix"> { lib, config, ... }: { options.settings = lib.mkOption { @@ -52,7 +52,7 @@ <para> And the following shows what such a module then allows </para> - <programlisting language="bash"> + <programlisting language="nix"> { # Not a declared option, but the freeform type allows this settings.logLevel = "debug"; @@ -72,7 +72,7 @@ Freeform attributes cannot depend on other attributes of the same set without infinite recursion: </para> - <programlisting language="bash"> + <programlisting language="nix"> { # This throws infinite recursion encountered settings.logLevel = lib.mkIf (config.settings.port == 80) "debug"; diff --git a/nixos/doc/manual/from_md/development/importing-modules.section.xml b/nixos/doc/manual/from_md/development/importing-modules.section.xml index cb04dde67c831..96e5e1bb16b88 100644 --- a/nixos/doc/manual/from_md/development/importing-modules.section.xml +++ b/nixos/doc/manual/from_md/development/importing-modules.section.xml @@ -4,7 +4,7 @@ Sometimes NixOS modules need to be used in configuration but exist outside of Nixpkgs. These modules can be imported: </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, lib, pkgs, ... }: { @@ -23,18 +23,18 @@ Nixpkgs NixOS modules. Like any NixOS module, this module can import additional modules: </para> - <programlisting language="bash"> + <programlisting language="nix"> # ./module-list/default.nix [ ./example-module1 ./example-module2 ] </programlisting> - <programlisting language="bash"> + <programlisting language="nix"> # ./extra-module/default.nix { imports = import ./module-list.nix; } </programlisting> - <programlisting language="bash"> + <programlisting language="nix"> # NIXOS_EXTRA_MODULE_PATH=/absolute/path/to/extra-module { config, lib, pkgs, ... }: diff --git a/nixos/doc/manual/from_md/development/meta-attributes.section.xml b/nixos/doc/manual/from_md/development/meta-attributes.section.xml index 1eb6e0f303682..9cc58afa1fdda 100644 --- a/nixos/doc/manual/from_md/development/meta-attributes.section.xml +++ b/nixos/doc/manual/from_md/development/meta-attributes.section.xml @@ -15,7 +15,7 @@ Each of the meta-attributes must be defined at most once per module file. </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, lib, pkgs, ... }: { options = { diff --git a/nixos/doc/manual/from_md/development/option-declarations.section.xml b/nixos/doc/manual/from_md/development/option-declarations.section.xml index 0932a51a18cdb..2e6a12d530953 100644 --- a/nixos/doc/manual/from_md/development/option-declarations.section.xml +++ b/nixos/doc/manual/from_md/development/option-declarations.section.xml @@ -6,7 +6,7 @@ hasn’t been declared in any module. An option declaration generally looks like this: </para> - <programlisting language="bash"> + <programlisting language="nix"> options = { name = mkOption { type = type specification; @@ -127,7 +127,7 @@ options = { For example: </para> <anchor xml:id="ex-options-declarations-util-mkEnableOption-magic" /> - <programlisting language="bash"> + <programlisting language="nix"> lib.mkEnableOption "magic" # is like lib.mkOption { @@ -142,7 +142,7 @@ lib.mkOption { <para> Usage: </para> - <programlisting language="bash"> + <programlisting language="nix"> mkPackageOption pkgs "name" { default = [ "path" "in" "pkgs" ]; example = "literal example"; } </programlisting> <para> @@ -177,7 +177,7 @@ mkPackageOption pkgs "name" { default = [ "path" "in&qu Examples: </para> <anchor xml:id="ex-options-declarations-util-mkPackageOption-hello" /> - <programlisting language="bash"> + <programlisting language="nix"> lib.mkPackageOption pkgs "hello" { } # is like lib.mkOption { @@ -188,7 +188,7 @@ lib.mkOption { } </programlisting> <anchor xml:id="ex-options-declarations-util-mkPackageOption-ghc" /> - <programlisting language="bash"> + <programlisting language="nix"> lib.mkPackageOption pkgs "GHC" { default = [ "ghc" ]; example = "pkgs.haskell.packages.ghc92.ghc.withPackages (hkgs: [ hkgs.primes ])"; @@ -222,7 +222,7 @@ lib.mkOption { As an example, we will take the case of display managers. There is a central display manager module for generic display manager options and a module file per display - manager backend (sddm, gdm ...). + manager backend (sddm, gdm …). </para> <para> There are two approaches we could take with this module @@ -287,7 +287,7 @@ lib.mkOption { <emphasis role="strong">Example: Extensible type placeholder in the service module</emphasis> </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.displayManager.enable = mkOption { description = "Display manager to use"; type = with types; nullOr (enum [ ]); @@ -299,7 +299,7 @@ services.xserver.displayManager.enable = mkOption { <literal>services.xserver.displayManager.enable</literal> in the <literal>gdm</literal> module</emphasis> </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.displayManager.enable = mkOption { type = with types; nullOr (enum [ "gdm" ]); }; @@ -310,7 +310,7 @@ services.xserver.displayManager.enable = mkOption { <literal>services.xserver.displayManager.enable</literal> in the <literal>sddm</literal> module</emphasis> </para> - <programlisting language="bash"> + <programlisting language="nix"> services.xserver.displayManager.enable = mkOption { type = with types; nullOr (enum [ "sddm" ]); }; diff --git a/nixos/doc/manual/from_md/development/option-def.section.xml b/nixos/doc/manual/from_md/development/option-def.section.xml index 8c9ef181affd2..87b290ec39c66 100644 --- a/nixos/doc/manual/from_md/development/option-def.section.xml +++ b/nixos/doc/manual/from_md/development/option-def.section.xml @@ -4,7 +4,7 @@ Option definitions are generally straight-forward bindings of values to option names, like </para> - <programlisting language="bash"> + <programlisting language="nix"> config = { services.httpd.enable = true; }; @@ -21,7 +21,7 @@ config = { another option, you may need to use <literal>mkIf</literal>. Consider, for instance: </para> - <programlisting language="bash"> + <programlisting language="nix"> config = if config.services.httpd.enable then { environment.systemPackages = [ ... ]; ... @@ -34,7 +34,7 @@ config = if config.services.httpd.enable then { value being constructed here. After all, you could also write the clearly circular and contradictory: </para> - <programlisting language="bash"> + <programlisting language="nix"> config = if config.services.httpd.enable then { services.httpd.enable = false; } else { @@ -44,7 +44,7 @@ config = if config.services.httpd.enable then { <para> The solution is to write: </para> - <programlisting language="bash"> + <programlisting language="nix"> config = mkIf config.services.httpd.enable { environment.systemPackages = [ ... ]; ... @@ -55,7 +55,7 @@ config = mkIf config.services.httpd.enable { of the conditional to be <quote>pushed down</quote> into the individual definitions, as if you had written: </para> - <programlisting language="bash"> + <programlisting language="nix"> config = { environment.systemPackages = if config.services.httpd.enable then [ ... ] else []; ... @@ -66,19 +66,47 @@ config = { <title>Setting Priorities</title> <para> A module can override the definitions of an option in other - modules by setting a <emphasis>priority</emphasis>. All option - definitions that do not have the lowest priority value are - discarded. By default, option definitions have priority 1000. You - can specify an explicit priority by using - <literal>mkOverride</literal>, e.g. + modules by setting an <emphasis>override priority</emphasis>. All + option definitions that do not have the lowest priority value are + discarded. By default, option definitions have priority 100 and + option defaults have priority 1500. You can specify an explicit + priority by using <literal>mkOverride</literal>, e.g. </para> - <programlisting language="bash"> + <programlisting language="nix"> services.openssh.enable = mkOverride 10 false; </programlisting> <para> This definition causes all other definitions with priorities above 10 to be discarded. The function <literal>mkForce</literal> is - equal to <literal>mkOverride 50</literal>. + equal to <literal>mkOverride 50</literal>, and + <literal>mkDefault</literal> is equal to + <literal>mkOverride 1000</literal>. + </para> + </section> + <section xml:id="sec-option-definitions-ordering"> + <title>Ordering Definitions</title> + <para> + It is also possible to influence the order in which the + definitions for an option are merged by setting an <emphasis>order + priority</emphasis> with <literal>mkOrder</literal>. The default + order priority is 1000. The functions <literal>mkBefore</literal> + and <literal>mkAfter</literal> are equal to + <literal>mkOrder 500</literal> and + <literal>mkOrder 1500</literal>, respectively. As an example, + </para> + <programlisting language="nix"> +hardware.firmware = mkBefore [ myFirmware ]; +</programlisting> + <para> + This definition ensures that <literal>myFirmware</literal> comes + before other unordered definitions in the final list value of + <literal>hardware.firmware</literal>. + </para> + <para> + Note that this is different from + <link linkend="sec-option-definitions-setting-priorities">override + priorities</link>: setting an order does not affect whether the + definition is included or not. </para> </section> <section xml:id="sec-option-definitions-merging"> @@ -89,7 +117,7 @@ services.openssh.enable = mkOverride 10 false; to be merged together as if they were declared in separate modules. This can be done using <literal>mkMerge</literal>: </para> - <programlisting language="bash"> + <programlisting language="nix"> config = mkMerge [ # Unconditional stuff. { environment.systemPackages = [ ... ]; diff --git a/nixos/doc/manual/from_md/development/option-types.section.xml b/nixos/doc/manual/from_md/development/option-types.section.xml index 4036bc0ba7437..363399b086610 100644 --- a/nixos/doc/manual/from_md/development/option-types.section.xml +++ b/nixos/doc/manual/from_md/development/option-types.section.xml @@ -81,14 +81,14 @@ <para> Two definitions of this type like </para> - <programlisting language="bash"> + <programlisting language="nix"> { str = lib.mkDefault "foo"; pkg.hello = pkgs.hello; fun.fun = x: x + 1; } </programlisting> - <programlisting language="bash"> + <programlisting language="nix"> { str = lib.mkIf true "bar"; pkg.gcc = pkgs.gcc; @@ -98,7 +98,7 @@ <para> will get merged to </para> - <programlisting language="bash"> + <programlisting language="nix"> { str = "bar"; pkg.gcc = pkgs.gcc; @@ -152,13 +152,13 @@ <warning> <para> This type will be deprecated in the future because it - doesn't recurse into attribute sets, silently drops - earlier attribute definitions, and doesn't discharge + doesn’t recurse into attribute sets, silently drops + earlier attribute definitions, and doesn’t discharge <literal>lib.mkDefault</literal>, <literal>lib.mkIf</literal> and co. For allowing arbitrary attribute sets, prefer <literal>types.attrsOf types.anything</literal> instead - which doesn't have these problems. + which doesn’t have these problems. </para> </warning> </listitem> @@ -453,7 +453,7 @@ <literal>_module.args</literal> should be used instead for most arguments since it allows overriding. <emphasis><literal>specialArgs</literal></emphasis> - should only be used for arguments that can't go through + should only be used for arguments that can’t go through the module fixed-point, because of infinite recursion or other problems. An example is overriding the <literal>lib</literal> argument, because @@ -477,7 +477,7 @@ instead of requiring <literal>the-submodule.config.config = "value"</literal>. This is because only when modules - <emphasis>don't</emphasis> set the + <emphasis>don’t</emphasis> set the <literal>config</literal> or <literal>options</literal> keys, all keys are interpreted as option definitions in the <literal>config</literal> section. Enabling this @@ -668,7 +668,7 @@ <varlistentry> <term> <literal>types.oneOf</literal> [ - <emphasis><literal>t1 t2</literal></emphasis> ... ] + <emphasis><literal>t1 t2</literal></emphasis> … ] </term> <listitem> <para> @@ -712,7 +712,7 @@ <literal>options</literal> key defining the sub-options. Submodule option definitions are type-checked accordingly to the <literal>options</literal> declarations. Of course, you can nest - submodule option definitons for even higher modularity. + submodule option definitions for even higher modularity. </para> <para> The option set can be defined directly @@ -732,7 +732,7 @@ <emphasis role="strong">Example: Directly defined submodule</emphasis> </para> - <programlisting language="bash"> + <programlisting language="nix"> options.mod = mkOption { description = "submodule example"; type = with types; submodule { @@ -752,7 +752,7 @@ options.mod = mkOption { <emphasis role="strong">Example: Submodule defined as a reference</emphasis> </para> - <programlisting language="bash"> + <programlisting language="nix"> let modOptions = { options = { @@ -787,7 +787,7 @@ options.mod = mkOption { <emphasis role="strong">Example: Declaration of a list of submodules</emphasis> </para> - <programlisting language="bash"> + <programlisting language="nix"> options.mod = mkOption { description = "submodule example"; type = with types; listOf (submodule { @@ -807,7 +807,7 @@ options.mod = mkOption { <emphasis role="strong">Example: Definition of a list of submodules</emphasis> </para> - <programlisting language="bash"> + <programlisting language="nix"> config.mod = [ { foo = 1; bar = "one"; } { foo = 2; bar = "two"; } @@ -827,7 +827,7 @@ config.mod = [ <emphasis role="strong">Example: Declaration of attribute sets of submodules</emphasis> </para> - <programlisting language="bash"> + <programlisting language="nix"> options.mod = mkOption { description = "submodule example"; type = with types; attrsOf (submodule { @@ -847,7 +847,7 @@ options.mod = mkOption { <emphasis role="strong">Example: Definition of attribute sets of submodules</emphasis> </para> - <programlisting language="bash"> + <programlisting language="nix"> config.mod.one = { foo = 1; bar = "one"; }; config.mod.two = { foo = 2; bar = "two"; }; </programlisting> @@ -878,7 +878,7 @@ config.mod.two = { foo = 2; bar = "two"; }; <emphasis role="strong">Example: Adding a type check</emphasis> </para> - <programlisting language="bash"> + <programlisting language="nix"> byte = mkOption { description = "An integer between 0 and 255."; type = types.addCheck types.int (x: x >= 0 && x <= 255); @@ -889,7 +889,7 @@ byte = mkOption { <emphasis role="strong">Example: Overriding a type check</emphasis> </para> - <programlisting language="bash"> + <programlisting language="nix"> nixThings = mkOption { description = "words that start with 'nix'"; type = types.str // { diff --git a/nixos/doc/manual/from_md/development/replace-modules.section.xml b/nixos/doc/manual/from_md/development/replace-modules.section.xml index cf8a39ba844fa..d8aaf59df366f 100644 --- a/nixos/doc/manual/from_md/development/replace-modules.section.xml +++ b/nixos/doc/manual/from_md/development/replace-modules.section.xml @@ -3,8 +3,8 @@ <para> Modules that are imported can also be disabled. The option declarations, config implementation and the imports of a disabled - module will be ignored, allowing another to take it's place. This - can be used to import a set of modules from another channel while + module will be ignored, allowing another to take its place. This can + be used to import a set of modules from another channel while keeping the rest of the system on a stable release. </para> <para> @@ -19,10 +19,10 @@ This example will replace the existing postgresql module with the version defined in the nixos-unstable channel while keeping the rest of the modules and packages from the original nixos channel. This - only overrides the module definition, this won't use postgresql from + only overrides the module definition, this won’t use postgresql from nixos-unstable unless explicitly configured to do so. </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, lib, pkgs, ... }: { @@ -40,9 +40,9 @@ <para> This example shows how to define a custom module as a replacement for an existing module. Importing this module will disable the - original module without having to know it's implementation details. + original module without having to know its implementation details. </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, lib, pkgs, ... }: with lib; diff --git a/nixos/doc/manual/from_md/development/settings-options.section.xml b/nixos/doc/manual/from_md/development/settings-options.section.xml index d26dd96243dbe..898cd3b2b6e97 100644 --- a/nixos/doc/manual/from_md/development/settings-options.section.xml +++ b/nixos/doc/manual/from_md/development/settings-options.section.xml @@ -19,10 +19,10 @@ </listitem> <listitem> <para> - Non-nix-representable ones: These can't be trivially mapped to a + Non-nix-representable ones: These can’t be trivially mapped to a subset of Nix syntax. Most generic programming languages are in this group, e.g. bash, since the statement - <literal>if true; then echo hi; fi</literal> doesn't have a + <literal>if true; then echo hi; fi</literal> doesn’t have a trivial representation in Nix. </para> <para> @@ -42,8 +42,7 @@ </listitem> </itemizedlist> <section xml:id="sec-settings-nix-representable"> - <title>Nix-representable Formats (JSON, YAML, TOML, INI, - ...)</title> + <title>Nix-representable Formats (JSON, YAML, TOML, INI, …)</title> <para> By convention, formats like this are handled with a generic <literal>settings</literal> option, representing the full program @@ -318,7 +317,7 @@ used, along with some other related best practices. See the comments for explanations. </para> - <programlisting language="bash"> + <programlisting language="nix"> { options, config, lib, pkgs, ... }: let cfg = config.services.foo; @@ -391,7 +390,7 @@ in { <emphasis role="strong">Example: Declaring a type-checked <literal>settings</literal> attribute</emphasis> </para> - <programlisting language="bash"> + <programlisting language="nix"> settings = lib.mkOption { type = lib.types.submodule { diff --git a/nixos/doc/manual/from_md/development/writing-documentation.chapter.xml b/nixos/doc/manual/from_md/development/writing-documentation.chapter.xml index 079c800605762..0d8a33df2069a 100644 --- a/nixos/doc/manual/from_md/development/writing-documentation.chapter.xml +++ b/nixos/doc/manual/from_md/development/writing-documentation.chapter.xml @@ -23,7 +23,7 @@ $ nix-shell nix-shell$ make </programlisting> <para> - Once you are done making modifications to the manual, it's + Once you are done making modifications to the manual, it’s important to build it before committing. You can do that as follows: </para> diff --git a/nixos/doc/manual/from_md/development/writing-modules.chapter.xml b/nixos/doc/manual/from_md/development/writing-modules.chapter.xml index 367731eda0900..35e94845c97e7 100644 --- a/nixos/doc/manual/from_md/development/writing-modules.chapter.xml +++ b/nixos/doc/manual/from_md/development/writing-modules.chapter.xml @@ -32,7 +32,7 @@ In <xref linkend="sec-configuration-syntax" />, we saw the following structure of NixOS modules: </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, pkgs, ... }: { option definitions @@ -50,7 +50,7 @@ <emphasis role="strong">Example: Structure of NixOS Modules</emphasis> </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, pkgs, ... }: { @@ -90,7 +90,7 @@ This <literal>imports</literal> list enumerates the paths to other NixOS modules that should be included in the evaluation of the system configuration. A default set of modules is defined in - the file <literal>modules/module-list.nix</literal>. These don't + the file <literal>modules/module-list.nix</literal>. These don’t need to be added in the import list. </para> </listitem> @@ -146,7 +146,7 @@ <emphasis role="strong">Example: NixOS Module for the <quote>locate</quote> Service</emphasis> </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, lib, pkgs, ... }: with lib; @@ -208,7 +208,7 @@ in { <emphasis role="strong">Example: Escaping in Exec directives</emphasis> </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, lib, pkgs, utils, ... }: with lib; diff --git a/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml b/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml index 4db196273dad2..308f7c6fb0f6d 100644 --- a/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml +++ b/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml @@ -3,7 +3,7 @@ <para> A NixOS test is a module that has the following structure: </para> - <programlisting language="bash"> + <programlisting language="nix"> { # One or more machines: @@ -58,14 +58,14 @@ Tests that are part of NixOS are added to <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/all-tests.nix"><literal>nixos/tests/all-tests.nix</literal></link>. </para> - <programlisting language="bash"> + <programlisting language="nix"> hostname = runTest ./hostname.nix; </programlisting> <para> Overrides can be added by defining an anonymous module in <literal>all-tests.nix</literal>. </para> - <programlisting language="bash"> + <programlisting language="nix"> hostname = runTest { imports = [ ./hostname.nix ]; defaults.networking.firewall.enable = false; @@ -87,7 +87,7 @@ nix-build -A nixosTests.hostname Outside the <literal>nixpkgs</literal> repository, you can instantiate the test by first importing the NixOS library, </para> - <programlisting language="bash"> + <programlisting language="nix"> let nixos-lib = import (nixpkgs + "/nixos/lib") { }; in @@ -255,7 +255,7 @@ start_all() <listitem> <para> Return a list of different interpretations of what is - currently visible on the machine's screen using optical + currently visible on the machine’s screen using optical character recognition. The number and order of the interpretations is not specified and is subject to change, but if no exception is raised at least one will be returned. @@ -276,7 +276,7 @@ start_all() <listitem> <para> Return a textual representation of what is currently visible - on the machine's screen using optical character recognition. + on the machine’s screen using optical character recognition. </para> <note> <para> @@ -483,8 +483,8 @@ start_all() </term> <listitem> <para> - Wait until a process is listening on the given TCP port (on - <literal>localhost</literal>, at least). + Wait until a process is listening on the given TCP port and + IP address (default <literal>localhost</literal>). </para> </listitem> </varlistentry> @@ -494,7 +494,8 @@ start_all() </term> <listitem> <para> - Wait until nobody is listening on the given TCP port. + Wait until nobody is listening on the given TCP port and IP + address (default <literal>localhost</literal>). </para> </listitem> </varlistentry> @@ -536,7 +537,7 @@ start_all() <para> Wait until the supplied regular expressions match a line of the serial console output. This method is useful when OCR is - not possibile or accurate enough. + not possible or accurate enough. </para> </listitem> </varlistentry> @@ -630,10 +631,10 @@ machine.wait_for_unit("xautolock.service", "x-session-user") <literal>stop_job</literal>. </para> <para> - For faster dev cycles it's also possible to disable the - code-linters (this shouldn't be commited though): + For faster dev cycles it’s also possible to disable the + code-linters (this shouldn’t be committed though): </para> - <programlisting language="bash"> + <programlisting language="nix"> { skipLint = true; nodes.machine = @@ -650,10 +651,10 @@ machine.wait_for_unit("xautolock.service", "x-session-user") <para> This will produce a Nix warning at evaluation time. To fully disable the linter, wrap the test script in comment directives to - disable the Black linter directly (again, don't commit this within + disable the Black linter directly (again, don’t commit this within the Nixpkgs repository): </para> - <programlisting language="bash"> + <programlisting language="nix"> testScript = '' # fmt: off @@ -665,7 +666,7 @@ machine.wait_for_unit("xautolock.service", "x-session-user") Similarly, the type checking of test scripts can be disabled in the following way: </para> - <programlisting language="bash"> + <programlisting language="nix"> { skipTypeCheck = true; nodes.machine = @@ -700,25 +701,37 @@ with foo_running: <literal>polling_condition</literal> takes the following (optional) arguments: </para> - <para> - <literal>seconds_interval</literal> - </para> - <para> - : specifies how often the condition should be polled: - </para> + <variablelist> + <varlistentry> + <term> + <literal>seconds_interval</literal> + </term> + <listitem> + <para> + specifies how often the condition should be polled: + </para> + </listitem> + </varlistentry> + </variablelist> <programlisting language="python"> @polling_condition(seconds_interval=10) def foo_running(): machine.succeed("pgrep -x foo") </programlisting> - <para> - <literal>description</literal> - </para> - <para> - : is used in the log when the condition is checked. If this is not - provided, the description is pulled from the docstring of the - function. These two are therefore equivalent: - </para> + <variablelist> + <varlistentry> + <term> + <literal>description</literal> + </term> + <listitem> + <para> + is used in the log when the condition is checked. If this is + not provided, the description is pulled from the docstring + of the function. These two are therefore equivalent: + </para> + </listitem> + </varlistentry> + </variablelist> <programlisting language="python"> @polling_condition def foo_running(): @@ -739,7 +752,7 @@ def foo_running(): <literal>extraPythonPackages</literal>. For example, you could add <literal>numpy</literal> like this: </para> - <programlisting language="bash"> + <programlisting language="nix"> { extraPythonPackages = p: [ p.numpy ]; diff --git a/nixos/doc/manual/from_md/installation/building-nixos.chapter.xml b/nixos/doc/manual/from_md/installation/building-nixos.chapter.xml index ea2d01bebcc2f..0e46c1d48ca65 100644 --- a/nixos/doc/manual/from_md/installation/building-nixos.chapter.xml +++ b/nixos/doc/manual/from_md/installation/building-nixos.chapter.xml @@ -24,7 +24,7 @@ </itemizedlist> <para> System images, such as the live installer ones, know how to enforce - configuration settings on wich they immediately depend in order to + configuration settings on which they immediately depend in order to work correctly. </para> <para> @@ -62,7 +62,7 @@ $ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd can create the following file at <literal>modules/installer/cd-dvd/installation-cd-graphical-gnome-macbook.nix</literal>: </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, ... }: { @@ -102,7 +102,7 @@ $ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd it needs at a minimum for correct functioning, while the installer base image overrides the entire file system layout because there can’t be any other guarantees on a live medium than those given by - the live medium itself. The latter is especially true befor + the live medium itself. The latter is especially true before formatting the target block device(s). On the other hand, the netboot iso only overrides its minimum dependencies since netboot images are always made-to-target. diff --git a/nixos/doc/manual/from_md/installation/changing-config.chapter.xml b/nixos/doc/manual/from_md/installation/changing-config.chapter.xml index 86f0b15b41c58..727c61c45d273 100644 --- a/nixos/doc/manual/from_md/installation/changing-config.chapter.xml +++ b/nixos/doc/manual/from_md/installation/changing-config.chapter.xml @@ -16,7 +16,7 @@ </para> <warning> <para> - This command doesn't start/stop + This command doesn’t start/stop <link linkend="opt-systemd.user.services">user services</link> automatically. <literal>nixos-rebuild</literal> only runs a <literal>daemon-reload</literal> for each user with running user @@ -64,8 +64,8 @@ <para> which causes the new configuration (and previous ones created using <literal>-p test</literal>) to show up in the GRUB submenu - <quote>NixOS - Profile 'test'</quote>. This can be useful to - separate test configurations from <quote>stable</quote> + <quote>NixOS - Profile <quote>test</quote></quote>. This can be + useful to separate test configurations from <quote>stable</quote> configurations. </para> <para> @@ -94,7 +94,7 @@ $ ./result/bin/run-*-vm unless you have set <literal>mutableUsers = false</literal>. Another way is to temporarily add the following to your configuration: </para> - <programlisting language="bash"> + <programlisting language="nix"> users.users.your-user.initialHashedPassword = "test"; </programlisting> <para> diff --git a/nixos/doc/manual/from_md/installation/installing-behind-a-proxy.section.xml b/nixos/doc/manual/from_md/installation/installing-behind-a-proxy.section.xml index a551807cd47c7..00b4e87667183 100644 --- a/nixos/doc/manual/from_md/installation/installing-behind-a-proxy.section.xml +++ b/nixos/doc/manual/from_md/installation/installing-behind-a-proxy.section.xml @@ -11,7 +11,7 @@ <literal>/mnt/etc/nixos/configuration.nix</literal> to keep the internet accessible after reboot. </para> - <programlisting language="bash"> + <programlisting language="nix"> networking.proxy.default = "http://user:password@proxy:port/"; networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; </programlisting> diff --git a/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml b/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml index 024a24379dd6d..5f18d528d32d0 100644 --- a/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml +++ b/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml @@ -53,7 +53,7 @@ $ . $HOME/.nix-profile/etc/profile.d/nix.sh # …or open a fresh shell Switch to the NixOS channel: </para> <para> - If you've just installed Nix on a non-NixOS distribution, you + If you’ve just installed Nix on a non-NixOS distribution, you will be on the <literal>nixpkgs</literal> channel by default. </para> <programlisting> @@ -78,11 +78,11 @@ $ nix-channel --add https://nixos.org/channels/nixos-version nixpkgs Install the NixOS installation tools: </para> <para> - You'll need <literal>nixos-generate-config</literal> and + You’ll need <literal>nixos-generate-config</literal> and <literal>nixos-install</literal>, but this also makes some man pages and <literal>nixos-enter</literal> available, just in case you want to chroot into your NixOS partition. NixOS installs - these by default, but you don't have NixOS yet.. + these by default, but you don’t have NixOS yet.. </para> <programlisting> $ nix-env -f '<nixpkgs>' -iA nixos-install-tools @@ -105,7 +105,7 @@ $ nix-env -f '<nixpkgs>' -iA nixos-install-tools mounting steps of <xref linkend="sec-installation" /> </para> <para> - If you're about to install NixOS in place using + If you’re about to install NixOS in place using <literal>NIXOS_LUSTRATE</literal> there is nothing to do for this step. </para> @@ -118,18 +118,18 @@ $ nix-env -f '<nixpkgs>' -iA nixos-install-tools $ sudo `which nixos-generate-config` --root /mnt </programlisting> <para> - You'll probably want to edit the configuration files. Refer to + You’ll probably want to edit the configuration files. Refer to the <literal>nixos-generate-config</literal> step in <xref linkend="sec-installation" /> for more information. </para> <para> Consider setting up the NixOS bootloader to give you the ability to boot on your existing Linux partition. For instance, if - you're using GRUB and your existing distribution is running + you’re using GRUB and your existing distribution is running Ubuntu, you may want to add something like this to your <literal>configuration.nix</literal>: </para> - <programlisting language="bash"> + <programlisting language="nix"> boot.loader.grub.extraEntries = '' menuentry "Ubuntu" { search --set=ubuntu --fs-uuid 3cc3e652-0c1f-4800-8451-033754f68e6e @@ -211,25 +211,25 @@ $ sudo groupdel nixbld Generate your NixOS configuration: </para> <programlisting> -$ sudo `which nixos-generate-config` --root / +$ sudo `which nixos-generate-config` </programlisting> <para> Note that this will place the generated configuration files in - <literal>/etc/nixos</literal>. You'll probably want to edit the + <literal>/etc/nixos</literal>. You’ll probably want to edit the configuration files. Refer to the <literal>nixos-generate-config</literal> step in <xref linkend="sec-installation" /> for more information. </para> <para> - You'll likely want to set a root password for your first boot - using the configuration files because you won't have a chance to - enter a password until after you reboot. You can initalize the + You’ll likely want to set a root password for your first boot + using the configuration files because you won’t have a chance to + enter a password until after you reboot. You can initialize the root password to an empty one with this line: (and of course - don't forget to set one once you've rebooted or to lock the + don’t forget to set one once you’ve rebooted or to lock the account with <literal>sudo passwd -l root</literal> if you use <literal>sudo</literal>) </para> - <programlisting language="bash"> + <programlisting language="nix"> users.users.root.initialHashedPassword = ""; </programlisting> </listitem> @@ -262,7 +262,7 @@ $ sudo chown -R 0:0 /nix </para> <para> <literal>/etc/NIXOS_LUSTRATE</literal> tells the NixOS bootup - scripts to move <emphasis>everything</emphasis> that's in the + scripts to move <emphasis>everything</emphasis> that’s in the root partition to <literal>/old-root</literal>. This will move your existing distribution out of the way in the very early stages of the NixOS bootup. There are exceptions (we do need to @@ -290,12 +290,12 @@ $ sudo chown -R 0:0 /nix <note> <para> Support for <literal>NIXOS_LUSTRATE</literal> was added in - NixOS 16.09. The act of "lustrating" refers to the - wiping of the existing distribution. Creating + NixOS 16.09. The act of <quote>lustrating</quote> refers to + the wiping of the existing distribution. Creating <literal>/etc/NIXOS_LUSTRATE</literal> can also be used on NixOS to remove all mutable files from your root partition - (anything that's not in <literal>/nix</literal> or - <literal>/boot</literal> gets "lustrated" on the + (anything that’s not in <literal>/nix</literal> or + <literal>/boot</literal> gets <quote>lustrated</quote> on the next boot. </para> <para> @@ -307,14 +307,14 @@ $ sudo chown -R 0:0 /nix </para> </note> <para> - Let's create the files: + Let’s create the files: </para> <programlisting> $ sudo touch /etc/NIXOS $ sudo touch /etc/NIXOS_LUSTRATE </programlisting> <para> - Let's also make sure the NixOS configuration files are kept once + Let’s also make sure the NixOS configuration files are kept once we reboot on NixOS: </para> <programlisting> @@ -331,7 +331,7 @@ $ echo etc/nixos | sudo tee -a /etc/NIXOS_LUSTRATE <warning> <para> Once you complete this step, your current distribution will no - longer be bootable! If you didn't get all the NixOS + longer be bootable! If you didn’t get all the NixOS configuration right, especially those settings pertaining to boot loading and root partition, NixOS may not be bootable either. Have a USB rescue device ready in case this happens. @@ -349,7 +349,7 @@ sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot <listitem> <para> If for some reason you want to revert to the old distribution, - you'll need to boot on a USB rescue disk and do something along + you’ll need to boot on a USB rescue disk and do something along these lines: </para> <programlisting> @@ -367,7 +367,7 @@ sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot loader. </para> <para> - And of course, if you're happy with NixOS and no longer need the + And of course, if you’re happy with NixOS and no longer need the old distribution: </para> <programlisting> @@ -376,7 +376,7 @@ sudo rm -rf /old-root </listitem> <listitem> <para> - It's also worth noting that this whole process can be automated. + It’s also worth noting that this whole process can be automated. This is especially useful for Cloud VMs, where provider do not provide NixOS. For instance, <link xlink:href="https://github.com/elitak/nixos-infect">nixos-infect</link> diff --git a/nixos/doc/manual/from_md/installation/installing-kexec.section.xml b/nixos/doc/manual/from_md/installation/installing-kexec.section.xml index 46ea0d59b6c30..40a697c74096e 100644 --- a/nixos/doc/manual/from_md/installation/installing-kexec.section.xml +++ b/nixos/doc/manual/from_md/installation/installing-kexec.section.xml @@ -54,7 +54,7 @@ nix-build -A kexec.x86_64-linux '<nixpkgs/nixos/release.nix>' running Linux Distribution. </para> <para> - Note it’s symlinks pointing elsewhere, so <literal>cd</literal> in, + Note its symlinks pointing elsewhere, so <literal>cd</literal> in, and use <literal>scp * root@$destination</literal> to copy it over, rather than rsync. </para> @@ -69,7 +69,7 @@ nix-build -A kexec.x86_64-linux '<nixpkgs/nixos/release.nix>' instead of the default installer image, you can build your own <literal>configuration.nix</literal>: </para> - <programlisting language="bash"> + <programlisting language="nix"> { modulesPath, ... }: { imports = [ (modulesPath + "/installer/netboot/netboot-minimal.nix") diff --git a/nixos/doc/manual/from_md/installation/installing-usb.section.xml b/nixos/doc/manual/from_md/installation/installing-usb.section.xml index 9d12ac45aac21..cb0fd95bc7c5f 100644 --- a/nixos/doc/manual/from_md/installation/installing-usb.section.xml +++ b/nixos/doc/manual/from_md/installation/installing-usb.section.xml @@ -110,15 +110,15 @@ diskutil unmountDisk diskX sudo dd if=<path-to-image> of=/dev/rdiskX bs=4m </programlisting> <para> - After <literal>dd</literal> completes, a GUI dialog "The disk - you inserted was not readable by this computer" will pop up, - which can be ignored. + After <literal>dd</literal> completes, a GUI dialog <quote>The + disk you inserted was not readable by this computer</quote> will + pop up, which can be ignored. </para> <note> <para> - Using the 'raw' <literal>rdiskX</literal> device instead of - <literal>diskX</literal> with dd completes in minutes instead of - hours. + Using the <quote>raw</quote> <literal>rdiskX</literal> device + instead of <literal>diskX</literal> with dd completes in minutes + instead of hours. </para> </note> <orderedlist numeration="arabic" spacing="compact"> diff --git a/nixos/doc/manual/from_md/installation/installing-virtualbox-guest.section.xml b/nixos/doc/manual/from_md/installation/installing-virtualbox-guest.section.xml index c8bb286c8f336..e435081852993 100644 --- a/nixos/doc/manual/from_md/installation/installing-virtualbox-guest.section.xml +++ b/nixos/doc/manual/from_md/installation/installing-virtualbox-guest.section.xml @@ -1,4 +1,4 @@ -<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-instaling-virtualbox-guest"> +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-installing-virtualbox-guest"> <title>Installing in a VirtualBox guest</title> <para> Installing NixOS into a VirtualBox guest is convenient for users who @@ -11,8 +11,8 @@ <orderedlist numeration="arabic"> <listitem> <para> - Add a New Machine in VirtualBox with OS Type "Linux / Other - Linux" + Add a New Machine in VirtualBox with OS Type <quote>Linux / + Other Linux</quote> </para> </listitem> <listitem> @@ -38,7 +38,7 @@ <listitem> <para> Click on Settings / System / Acceleration and enable - "VT-x/AMD-V" acceleration + <quote>VT-x/AMD-V</quote> acceleration </para> </listitem> <listitem> @@ -58,25 +58,25 @@ There are a few modifications you should make in configuration.nix. Enable booting: </para> - <programlisting language="bash"> + <programlisting language="nix"> boot.loader.grub.device = "/dev/sda"; </programlisting> <para> Also remove the fsck that runs at startup. It will always fail to run, stopping your boot until you press <literal>*</literal>. </para> - <programlisting language="bash"> + <programlisting language="nix"> boot.initrd.checkJournalingFS = false; </programlisting> <para> Shared folders can be given a name and a path in the host system in the VirtualBox settings (Machine / Settings / Shared Folders, then - click on the "Add" icon). Add the following to the + click on the <quote>Add</quote> icon). Add the following to the <literal>/etc/nixos/configuration.nix</literal> to auto-mount them. If you do not add <literal>"nofail"</literal>, the system will not boot properly. </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, pkgs, ...} : { fileSystems."/virtualboxshare" = { diff --git a/nixos/doc/manual/from_md/installation/installing.chapter.xml b/nixos/doc/manual/from_md/installation/installing.chapter.xml index 02a0f14b984ac..5654eb424fc3b 100644 --- a/nixos/doc/manual/from_md/installation/installing.chapter.xml +++ b/nixos/doc/manual/from_md/installation/installing.chapter.xml @@ -256,7 +256,7 @@ $ sudo -i </para> <para> On the minimal installer, NetworkManager is not available, so - configuration must be perfomed manually. To configure the wifi, + configuration must be performed manually. To configure the wifi, first start wpa_supplicant with <literal>sudo systemctl start wpa_supplicant</literal>, then run <literal>wpa_cli</literal>. For most home networks, you need to @@ -345,12 +345,12 @@ OK <!-- legacy anchor --> </para> <para> - Here's an example partition scheme for UEFI, using + Here’s an example partition scheme for UEFI, using <literal>/dev/sda</literal> as the device. </para> <note> <para> - You can safely ignore <literal>parted</literal>'s + You can safely ignore <literal>parted</literal>’s informational message about needing to update /etc/fstab. </para> </note> @@ -415,12 +415,12 @@ OK <!-- legacy anchor --> </para> <para> - Here's an example partition scheme for Legacy Boot, using + Here’s an example partition scheme for Legacy Boot, using <literal>/dev/sda</literal> as the device. </para> <note> <para> - You can safely ignore <literal>parted</literal>'s + You can safely ignore <literal>parted</literal>’s informational message about needing to update /etc/fstab. </para> </note> @@ -455,8 +455,8 @@ OK <listitem> <para> Finally, add a <emphasis>swap</emphasis> partition. The - size required will vary according to needs, here a 8GiB - one is created. + size required will vary according to needs, here a 8GB one + is created. </para> <programlisting> # parted /dev/sda -- mkpart primary linux-swap -8GB 100% @@ -814,8 +814,8 @@ $ passwd eelco </para> <programlisting> # parted /dev/sda -- mklabel msdos -# parted /dev/sda -- mkpart primary 1MiB -8GiB -# parted /dev/sda -- mkpart primary linux-swap -8GiB 100% +# parted /dev/sda -- mkpart primary 1MB -8GB +# parted /dev/sda -- mkpart primary linux-swap -8GB 100% </programlisting> <anchor xml:id="ex-partition-scheme-UEFI" /> <para> @@ -824,9 +824,9 @@ $ passwd eelco </para> <programlisting> # parted /dev/sda -- mklabel gpt -# parted /dev/sda -- mkpart primary 512MiB -8GiB -# parted /dev/sda -- mkpart primary linux-swap -8GiB 100% -# parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB +# parted /dev/sda -- mkpart primary 512MB -8GB +# parted /dev/sda -- mkpart primary linux-swap -8GB 100% +# parted /dev/sda -- mkpart ESP fat32 1MB 512MB # parted /dev/sda -- set 3 esp on </programlisting> <anchor xml:id="ex-install-sequence" /> diff --git a/nixos/doc/manual/from_md/installation/upgrading.chapter.xml b/nixos/doc/manual/from_md/installation/upgrading.chapter.xml index 11fe1d317ccdd..9f4cfaf36b628 100644 --- a/nixos/doc/manual/from_md/installation/upgrading.chapter.xml +++ b/nixos/doc/manual/from_md/installation/upgrading.chapter.xml @@ -12,7 +12,7 @@ <listitem> <para> <emphasis>Stable channels</emphasis>, such as - <link xlink:href="https://nixos.org/channels/nixos-22.05"><literal>nixos-22.05</literal></link>. + <link xlink:href="https://nixos.org/channels/nixos-22.05"><literal>nixos-22.11</literal></link>. These only get conservative bug fixes and package upgrades. For instance, a channel update may cause the Linux kernel on your system to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), @@ -33,7 +33,7 @@ <listitem> <para> <emphasis>Small channels</emphasis>, such as - <link xlink:href="https://nixos.org/channels/nixos-22.05-small"><literal>nixos-22.05-small</literal></link> + <link xlink:href="https://nixos.org/channels/nixos-22.05-small"><literal>nixos-22.11-small</literal></link> or <link xlink:href="https://nixos.org/channels/nixos-unstable-small"><literal>nixos-unstable-small</literal></link>. These are identical to the stable and unstable channels @@ -60,8 +60,8 @@ <para> When you first install NixOS, you’re automatically subscribed to the NixOS channel that corresponds to your installation source. For - instance, if you installed from a 22.05 ISO, you will be subscribed - to the <literal>nixos-22.05</literal> channel. To see which NixOS + instance, if you installed from a 22.11 ISO, you will be subscribed + to the <literal>nixos-22.11</literal> channel. To see which NixOS channel you’re subscribed to, run the following as root: </para> <programlisting> @@ -76,17 +76,17 @@ nixos https://nixos.org/channels/nixos-unstable </programlisting> <para> (Be sure to include the <literal>nixos</literal> parameter at the - end.) For instance, to use the NixOS 22.05 stable channel: + end.) For instance, to use the NixOS 22.11 stable channel: </para> <programlisting> -# nix-channel --add https://nixos.org/channels/nixos-22.05 nixos +# nix-channel --add https://nixos.org/channels/nixos-22.11 nixos </programlisting> <para> If you have a server, you may want to use the <quote>small</quote> channel instead: </para> <programlisting> -# nix-channel --add https://nixos.org/channels/nixos-22.05-small nixos +# nix-channel --add https://nixos.org/channels/nixos-22.11-small nixos </programlisting> <para> And if you want to live on the bleeding edge: @@ -128,7 +128,7 @@ nixos https://nixos.org/channels/nixos-unstable You can keep a NixOS system up-to-date automatically by adding the following to <literal>configuration.nix</literal>: </para> - <programlisting language="bash"> + <programlisting language="nix"> system.autoUpgrade.enable = true; system.autoUpgrade.allowReboot = true; </programlisting> @@ -145,8 +145,8 @@ system.autoUpgrade.allowReboot = true; contains a different kernel, initrd or kernel modules. You can also specify a channel explicitly, e.g. </para> - <programlisting language="bash"> -system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05; + <programlisting language="nix"> +system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.11; </programlisting> </section> </chapter> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1404.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1404.section.xml index 8771623b468a4..5686545c1afb9 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-1404.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-1404.section.xml @@ -79,7 +79,7 @@ the NixOS configuration. For instance, if a package <literal>foo</literal> provides systemd units, you can say: </para> - <programlisting language="bash"> + <programlisting language="nix"> { systemd.packages = [ pkgs.foo ]; } @@ -88,7 +88,7 @@ to enable those units. You can then set or override unit options in the usual way, e.g. </para> - <programlisting language="bash"> + <programlisting language="nix"> { systemd.services.foo.wantedBy = [ "multi-user.target" ]; systemd.services.foo.serviceConfig.MemoryLimit = "512M"; @@ -105,7 +105,7 @@ NixOS configuration requires unfree packages from Nixpkgs, you need to enable support for them explicitly by setting: </para> - <programlisting language="bash"> + <programlisting language="nix"> { nixpkgs.config.allowUnfree = true; } @@ -123,7 +123,7 @@ The Adobe Flash player is no longer enabled by default in the Firefox and Chromium wrappers. To enable it, you must set: </para> - <programlisting language="bash"> + <programlisting language="nix"> { nixpkgs.config.allowUnfree = true; nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox @@ -136,7 +136,7 @@ The firewall is now enabled by default. If you don’t want this, you need to disable it explicitly: </para> - <programlisting language="bash"> + <programlisting language="nix"> { networking.firewall.enable = false; } diff --git a/nixos/doc/manual/from_md/release-notes/rl-1412.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1412.section.xml index 3b6af73359d69..ccaa4f6bd0812 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-1412.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-1412.section.xml @@ -370,7 +370,7 @@ documentation</link> for details. If you wish to continue to use httpd 2.2, add the following line to your NixOS configuration: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.httpd.package = pkgs.apacheHttpd_2_2; } diff --git a/nixos/doc/manual/from_md/release-notes/rl-1509.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1509.section.xml index 68d2ab389e8f6..96b51a0510666 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-1509.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-1509.section.xml @@ -9,12 +9,12 @@ <para> The <link xlink:href="http://haskell.org/">Haskell</link> packages infrastructure has been re-designed from the ground up - ("Haskell NG"). NixOS now distributes the latest + (<quote>Haskell NG</quote>). NixOS now distributes the latest version of every single package registered on <link xlink:href="http://hackage.haskell.org/">Hackage</link> -- well in excess of 8,000 Haskell packages. Detailed instructions on how to use that infrastructure can be found in the - <link xlink:href="https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's + <link xlink:href="https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User’s Guide to the Haskell Infrastructure</link>. Users migrating from an earlier release may find helpful information below, in the list of backwards-incompatible changes. Furthermore, we @@ -23,8 +23,8 @@ Haskell</link> release since version 0.0 as well as the most recent <link xlink:href="http://www.stackage.org/">Stackage Nightly</link> snapshot. The announcement - <link xlink:href="https://nixos.org/nix-dev/2015-September/018138.html">"Full - Stackage Support in Nixpkgs"</link> gives additional + <link xlink:href="https://nixos.org/nix-dev/2015-September/018138.html"><quote>Full + Stackage Support in Nixpkgs</quote></link> gives additional details. </para> </listitem> @@ -42,7 +42,7 @@ </para> </listitem> </itemizedlist> - <programlisting language="bash"> + <programlisting language="nix"> { system.autoUpgrade.enable = true; } @@ -432,7 +432,7 @@ </para> </listitem> </itemizedlist> - <programlisting language="bash"> + <programlisting language="nix"> { system.stateVersion = "14.12"; } @@ -464,7 +464,7 @@ </listitem> <listitem> <para> - Steam now doesn't need root rights to work. Instead of using + Steam now doesn’t need root rights to work. Instead of using <literal>*-steam-chrootenv</literal>, you should now just run <literal>steam</literal>. <literal>steamChrootEnv</literal> package was renamed to <literal>steam</literal>, and old @@ -523,7 +523,7 @@ </para> </listitem> </itemizedlist> - <programlisting language="bash"> + <programlisting language="nix"> { fileSystems."/shiny" = { device = "myshinysharedfolder"; @@ -534,15 +534,15 @@ <itemizedlist spacing="compact"> <listitem> <para> - "<literal>nix-env -qa</literal>" no longer discovers - Haskell packages by name. The only packages visible in the - global scope are <literal>ghc</literal>, + <quote><literal>nix-env -qa</literal></quote> no longer + discovers Haskell packages by name. The only packages visible in + the global scope are <literal>ghc</literal>, <literal>cabal-install</literal>, and <literal>stack</literal>, but all other packages are hidden. The reason for this inconvenience is the sheer size of the Haskell package set. Name-based lookups are expensive, and most <literal>nix-env -qa</literal> operations would become much - slower if we'd add the entire Hackage database into the top + slower if we’d add the entire Hackage database into the top level attribute set. Instead, the list of Haskell packages can be displayed by running: </para> @@ -566,13 +566,13 @@ nix-env -f "<nixpkgs>" -iA haskellPackages.pandoc <para> Previous versions of NixOS came with a feature called <literal>ghc-wrapper</literal>, a small script that allowed GHC - to transparently pick up on libraries installed in the user's + to transparently pick up on libraries installed in the user’s profile. This feature has been deprecated; <literal>ghc-wrapper</literal> was removed from the distribution. The proper way to register Haskell libraries with the compiler now is the <literal>haskellPackages.ghcWithPackages</literal> function. The - <link xlink:href="https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's + <link xlink:href="https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User’s Guide to the Haskell Infrastructure</link> provides more information about this subject. </para> @@ -593,7 +593,7 @@ nix-env -f "<nixpkgs>" -iA haskellPackages.pandoc have a function attribute called <literal>extension</literal> that users could override in their <literal>~/.nixpkgs/config.nix</literal> files to configure - additional attributes, etc. That function still exists, but it's + additional attributes, etc. That function still exists, but it’s now called <literal>overrides</literal>. </para> </listitem> @@ -662,7 +662,7 @@ infinite recursion encountered <literal>lib</literal>, after adding it as argument of the module. The following module </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, pkgs, ... }: with pkgs.lib; @@ -677,7 +677,7 @@ with pkgs.lib; <para> should be modified to look like: </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, pkgs, lib, ... }: with lib; @@ -695,7 +695,7 @@ with lib; replaced by <literal>(import <nixpkgs> {})</literal>. The following module </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, pkgs, ... }: let @@ -712,7 +712,7 @@ in <para> should be modified to look like: </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, pkgs, ... }: let @@ -748,7 +748,7 @@ in <literal>/etc/ssh/moduli</literal> file with respect to the <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html">vulnerabilities discovered in the Diffie-Hellman key exchange</link> can now - replace OpenSSH's default version with one they generated + replace OpenSSH’s default version with one they generated themselves using the new <literal>services.openssh.moduliFile</literal> option. </para> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1603.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1603.section.xml index 172b800b5992f..25b356e0aa6ad 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-1603.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-1603.section.xml @@ -378,7 +378,7 @@ You will need to add an import statement to your NixOS configuration in order to use it, e.g. </para> - <programlisting language="bash"> + <programlisting language="nix"> { imports = [ <nixpkgs/nixos/modules/services/misc/gitit.nix> ]; } @@ -395,7 +395,7 @@ to be built in. All modules now reside in <literal>nginxModules</literal> set. Example configuration: </para> - <programlisting language="bash"> + <programlisting language="nix"> nginx.override { modules = [ nginxModules.rtmp nginxModules.dav nginxModules.moreheaders ]; } @@ -403,7 +403,7 @@ nginx.override { </listitem> <listitem> <para> - <literal>s3sync</literal> is removed, as it hasn't been + <literal>s3sync</literal> is removed, as it hasn’t been developed by upstream for 4 years and only runs with ruby 1.8. For an actively-developer alternative look at <literal>tarsnap</literal> and others. @@ -411,7 +411,7 @@ nginx.override { </listitem> <listitem> <para> - <literal>ruby_1_8</literal> has been removed as it's not + <literal>ruby_1_8</literal> has been removed as it’s not supported from upstream anymore and probably contains security issues. </para> @@ -439,7 +439,7 @@ nginx.override { <listitem> <para> The <literal>Ctrl+Alt+Backspace</literal> key combination no - longer kills the X server by default. There's a new option + longer kills the X server by default. There’s a new option <literal>services.xserver.enableCtrlAltBackspace</literal> allowing to enable the combination again. </para> @@ -457,7 +457,7 @@ nginx.override { <literal>/var/lib/postfix</literal>. Old configurations are migrated automatically. <literal>service.postfix</literal> module has also received many improvements, such as correct - directories' access rights, new <literal>aliasFiles</literal> + directories’ access rights, new <literal>aliasFiles</literal> and <literal>mapFiles</literal> options and more. </para> </listitem> @@ -468,7 +468,7 @@ nginx.override { continue to work, but print a warning, until the 16.09 release. An example of the new style: </para> - <programlisting language="bash"> + <programlisting language="nix"> { fileSystems."/example" = { device = "/dev/sdc"; @@ -497,7 +497,7 @@ nginx.override { <para> There are also Gutenprint improvements; in particular, a new option <literal>services.printing.gutenprint</literal> is added - to enable automatic updating of Gutenprint PPMs; it's greatly + to enable automatic updating of Gutenprint PPMs; it’s greatly recommended to enable it instead of adding <literal>gutenprint</literal> to the <literal>drivers</literal> list. @@ -524,7 +524,7 @@ nginx.override { used input method name, <literal>"ibus"</literal> for ibus. An example of the new style: </para> - <programlisting language="bash"> + <programlisting language="nix"> { i18n.inputMethod.enabled = "ibus"; i18n.inputMethod.ibus.engines = with pkgs.ibus-engines; [ anthy mozc ]; @@ -533,7 +533,7 @@ nginx.override { <para> That is equivalent to the old version: </para> - <programlisting language="bash"> + <programlisting language="nix"> { programs.ibus.enable = true; programs.ibus.plugins = with pkgs; [ ibus-anthy mozc ]; @@ -545,7 +545,7 @@ nginx.override { <literal>services.udev.extraRules</literal> option now writes rules to <literal>99-local.rules</literal> instead of <literal>10-local.rules</literal>. This makes all the user rules - apply after others, so their results wouldn't be overriden by + apply after others, so their results wouldn’t be overridden by anything else. </para> </listitem> @@ -587,7 +587,7 @@ $TTL 1800 point to exact folder where syncthing is writing to. Example configuration should look something like: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.syncthing = { enable = true; @@ -632,8 +632,8 @@ error: path ‘/nix/store/*-broadcom-sta-*’ does not exist and cannot be creat The <literal>services.xserver.startGnuPGAgent</literal> option has been removed. GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no longer requires (or even - supports) the "start everything as a child of the - agent" scheme we've implemented in NixOS for older + supports) the <quote>start everything as a child of the + agent</quote> scheme we’ve implemented in NixOS for older versions. To configure the gpg-agent for your X session, add the following code to <literal>~/.bashrc</literal> or some file that’s sourced when your shell is started: @@ -670,7 +670,7 @@ export GPG_TTY </programlisting> <para> The <literal>gpg-agent(1)</literal> man page has more details - about this subject, i.e. in the "EXAMPLES" section. + about this subject, i.e. in the <quote>EXAMPLES</quote> section. </para> </listitem> </itemizedlist> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1609.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1609.section.xml index 0fba40a0e78d0..c2adbc88f5caa 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-1609.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-1609.section.xml @@ -78,7 +78,7 @@ LTS Haskell package set. That support has been dropped. The previously provided <literal>haskell.packages.lts-x_y</literal> package sets still exist in name to aviod breaking user code, - but these package sets don't actually contain the versions + but these package sets don’t actually contain the versions mandated by the corresponding LTS release. Instead, our package set it loosely based on the latest available LTS release, i.e. LTS 7.x at the time of this writing. New releases of NixOS and @@ -119,7 +119,7 @@ </listitem> <listitem> <para> - Gitlab's maintainance script <literal>gitlab-runner</literal> + Gitlab’s maintainance script <literal>gitlab-runner</literal> was removed and split up into the more clearer <literal>gitlab-run</literal> and <literal>gitlab-rake</literal> scripts, because <literal>gitlab-runner</literal> is a component @@ -164,7 +164,7 @@ <para> <literal>goPackages</literal> was replaced with separated Go applications in appropriate <literal>nixpkgs</literal> - categories. Each Go package uses its own dependency set. There's + categories. Each Go package uses its own dependency set. There’s also a new <literal>go2nix</literal> tool introduced to generate a Go package definition from its Go source automatically. </para> @@ -192,7 +192,7 @@ interface has been streamlined. Desktop users should be able to simply set </para> - <programlisting language="bash"> + <programlisting language="nix"> { security.grsecurity.enable = true; } diff --git a/nixos/doc/manual/from_md/release-notes/rl-1703.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1703.section.xml index 1119ec53dfc9a..8667063f37e08 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-1703.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-1703.section.xml @@ -22,7 +22,7 @@ </listitem> <listitem> <para> - The default desktop environment now is KDE's Plasma 5. KDE 4 + The default desktop environment now is KDE’s Plasma 5. KDE 4 has been removed </para> </listitem> @@ -560,7 +560,7 @@ Parsoid service now uses YAML configuration format. <literal>service.parsoid.interwikis</literal> is now called <literal>service.parsoid.wikis</literal> and is a list of - either API URLs or attribute sets as specified in parsoid's + either API URLs or attribute sets as specified in parsoid’s documentation. </para> </listitem> @@ -581,7 +581,7 @@ <literal>service.nylon</literal> is now declared using named instances. As an example: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.nylon = { enable = true; @@ -594,7 +594,7 @@ <para> should be replaced with: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.nylon.myvpn = { enable = true; @@ -615,7 +615,7 @@ <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install"> overlays</link>. For example, the following code: </para> - <programlisting language="bash"> + <programlisting language="nix"> let pkgs = import <nixpkgs> {}; in @@ -624,7 +624,7 @@ in <para> should be replaced by: </para> - <programlisting language="bash"> + <programlisting language="nix"> let pkgs = import <nixpkgs> {}; in @@ -647,7 +647,7 @@ in <listitem> <para> <literal>local_recipient_maps</literal> is not set to empty - value by Postfix service. It's an insecure default as stated + value by Postfix service. It’s an insecure default as stated by Postfix documentation. Those who want to retain this setting need to set it via <literal>services.postfix.extraConfig</literal>. @@ -669,7 +669,7 @@ in <listitem> <para> The socket handling of the <literal>services.rmilter</literal> - module has been fixed and refactored. As rmilter doesn't + module has been fixed and refactored. As rmilter doesn’t support binding to more than one socket, the options <literal>bindUnixSockets</literal> and <literal>bindInetSockets</literal> have been replaced by @@ -729,7 +729,7 @@ in improves visual consistency and makes Java follow system font style, improving the situation on HighDPI displays. This has a cost of increased closure size; for server and other headless - workloads it's recommended to use + workloads it’s recommended to use <literal>jre_headless</literal>. </para> </listitem> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1709.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1709.section.xml index 8f0efe816e516..849ec868c783b 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-1709.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-1709.section.xml @@ -26,10 +26,10 @@ The module option <literal>services.xserver.xrandrHeads</literal> now causes the first head specified in this list to be set as the primary - head. Apart from that, it's now possible to also set + head. Apart from that, it’s now possible to also set additional options by using an attribute set, for example: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.xserver.xrandrHeads = [ "HDMI-0" { @@ -543,7 +543,7 @@ </listitem> <listitem> <para> - Radicale's default package has changed from 1.x to 2.x. + Radicale’s default package has changed from 1.x to 2.x. Instructions to migrate can be found <link xlink:href="http://radicale.org/1to2/"> here </link>. It is also possible to use the newer version by @@ -582,7 +582,7 @@ </listitem> <listitem> <para> - <literal>flexget</literal>'s state database cannot be upgraded + <literal>flexget</literal>’s state database cannot be upgraded to its new internal format, requiring removal of any existing <literal>db-config.sqlite</literal> which will be automatically recreated. @@ -590,9 +590,9 @@ </listitem> <listitem> <para> - The <literal>ipfs</literal> service now doesn't ignore the - <literal>dataDir</literal> option anymore. If you've ever set - this option to anything other than the default you'll have to + The <literal>ipfs</literal> service now doesn’t ignore the + <literal>dataDir</literal> option anymore. If you’ve ever set + this option to anything other than the default you’ll have to either unset it (so the default gets used) or migrate the old data manually with </para> @@ -651,22 +651,22 @@ rmdir /var/lib/ipfs/.ipfs </listitem> <listitem> <para> - <literal>cc-wrapper</literal>'s setup-hook now exports a + <literal>cc-wrapper</literal><quote>s setup-hook now exports a number of environment variables corresponding to binutils binaries, (e.g. <literal>LD</literal>, <literal>STRIP</literal>, <literal>RANLIB</literal>, etc). - This is done to prevent packages' build systems guessing, - which is harder to predict, especially when cross-compiling. - However, some packages have broken due to this—their build - systems either not supporting, or claiming to support without - adequate testing, taking such environment variables as - parameters. + This is done to prevent packages</quote> build systems + guessing, which is harder to predict, especially when + cross-compiling. However, some packages have broken due to + this—their build systems either not supporting, or claiming to + support without adequate testing, taking such environment + variables as parameters. </para> </listitem> <listitem> <para> <literal>services.firefox.syncserver</literal> now runs by - default as a non-root user. To accomodate this change, the + default as a non-root user. To accommodate this change, the default sqlite database location has also been changed. Migration should work automatically. Refer to the description of the options for more details. @@ -688,10 +688,10 @@ rmdir /var/lib/ipfs/.ipfs </listitem> <listitem> <para> - grsecurity/PaX support has been dropped, following upstream's + grsecurity/PaX support has been dropped, following upstream’s decision to cease free support. See <link xlink:href="https://grsecurity.net/passing_the_baton.php"> - upstream's announcement</link> for more information. No + upstream’s announcement</link> for more information. No complete replacement for grsecurity/PaX is available presently. </para> @@ -794,7 +794,7 @@ FLUSH PRIVILEGES; <para> Modules can now be disabled by using <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-replace-modules"> - disabledModules</link>, allowing another to take it's place. + disabledModules</link>, allowing another to take it’s place. This can be used to import a set of modules from another channel while keeping the rest of the system on a stable release. @@ -808,7 +808,7 @@ FLUSH PRIVILEGES; provided by fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults are less invasive and provide rendering that is more consistent with other systems - and hopefully with each font designer's intent. Some + and hopefully with each font designer’s intent. Some system-wide configuration has been removed from the Fontconfig NixOS module where user Fontconfig settings are available. </para> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1803.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1803.section.xml index 910cad467e9d8..f197c52906b01 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-1803.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-1803.section.xml @@ -16,9 +16,9 @@ <listitem> <para> Platform support: x86_64-linux and x86_64-darwin since release - time (the latter isn't NixOS, really). Binaries for + time (the latter isn’t NixOS, really). Binaries for aarch64-linux are available, but no channel exists yet, as - it's waiting for some test fixes, etc. + it’s waiting for some test fixes, etc. </para> </listitem> <listitem> @@ -495,11 +495,11 @@ <para> The propagation logic has been changed. The new logic, along with new types of dependencies that go with, is thoroughly - documented in the "Specifying dependencies" section - of the "Standard Environment" chapter of the nixpkgs - manual. The old logic isn't but is easy to describe: - dependencies were propagated as the same type of dependency no - matter what. In practice, that means that many + documented in the <quote>Specifying dependencies</quote> + section of the <quote>Standard Environment</quote> chapter of + the nixpkgs manual. The old logic isn’t but is easy to + describe: dependencies were propagated as the same type of + dependency no matter what. In practice, that means that many <literal>propagatedNativeBuildInputs</literal> should instead be <literal>propagatedBuildInputs</literal>. Thankfully, that was and is the least used type of dependency. Also, it means @@ -541,7 +541,7 @@ Previously, if other options in the Postfix module like <literal>services.postfix.useSrs</literal> were set and the user set config options that were also set by such options, - the resulting config wouldn't include all options that were + the resulting config wouldn’t include all options that were needed. They are now merged correctly. If config options need to be overridden, <literal>lib.mkForce</literal> or <literal>lib.mkOverride</literal> can be used. @@ -626,7 +626,7 @@ if <literal>config.networking.domain</literal> is set, <literal>matomo.${config.networking.hostName}</literal> if it is not set. If you change your - <literal>serverName</literal>, remember you'll need to + <literal>serverName</literal>, remember you’ll need to update the <literal>trustedHosts[]</literal> array in <literal>/var/lib/matomo/config/config.ini.php</literal> as well. @@ -793,7 +793,7 @@ <para> <literal>services.btrfs.autoScrub</literal> has been added, to periodically check btrfs filesystems for data corruption. If - there's a correct copy available, it will automatically repair + there’s a correct copy available, it will automatically repair corrupted blocks. </para> </listitem> @@ -830,7 +830,7 @@ <para> In order to have the previous default configuration add </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.xserver.displayManager.lightdm.greeters.gtk.indicators = [ "~host" "~spacer" diff --git a/nixos/doc/manual/from_md/release-notes/rl-1809.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1809.section.xml index aa4637a99b606..4bbfa7be398eb 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-1809.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-1809.section.xml @@ -54,7 +54,7 @@ <para> For example </para> - <programlisting language="bash"> + <programlisting language="nix"> { programs.firejail = { enable = true; @@ -523,8 +523,8 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' <listitem> <para> The <literal>netcat</literal> package is now taken directly - from OpenBSD's <literal>libressl</literal>, instead of relying - on Debian's fork. The new version should be very close to the + from OpenBSD’s <literal>libressl</literal>, instead of relying + on Debian’s fork. The new version should be very close to the old version, but there are some minor differences. Importantly, flags like -b, -q, -C, and -Z are no longer accepted by the nc command. @@ -533,7 +533,7 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' <listitem> <para> The <literal>services.docker-registry.extraConfig</literal> - object doesn't contain environment variables anymore. Instead + object doesn’t contain environment variables anymore. Instead it needs to provide an object structure that can be mapped onto the YAML configuration defined in <link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the @@ -543,7 +543,7 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' <listitem> <para> <literal>gnucash</literal> has changed from version 2.4 to - 3.x. If you've been using <literal>gnucash</literal> (version + 3.x. If you’ve been using <literal>gnucash</literal> (version 2.4) instead of <literal>gnucash26</literal> (version 2.6) you must open your Gnucash data file(s) with <literal>gnucash26</literal> and then save them to upgrade the @@ -695,7 +695,7 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' A NixOS system can now be constructed more easily based on a preexisting invocation of Nixpkgs. For example: </para> - <programlisting language="bash"> + <programlisting language="nix"> { inherit (pkgs.nixos { boot.loader.grub.enable = false; @@ -791,7 +791,7 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' <para> An example usage of this would be: </para> - <programlisting language="bash"> + <programlisting language="nix"> { config, ... }: { @@ -874,7 +874,7 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' The <literal>programs.screen</literal> module provides allows to configure <literal>/etc/screenrc</literal>, however the module behaved fairly counterintuitive as the config exists, - but the package wasn't available. Since 18.09 + but the package wasn’t available. Since 18.09 <literal>pkgs.screen</literal> will be added to <literal>environment.systemPackages</literal>. </para> @@ -920,7 +920,7 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' <para> NixOS option descriptions are now automatically broken up into individual paragraphs if the text contains two consecutive - newlines, so it's no longer necessary to use + newlines, so it’s no longer necessary to use <literal></para><para></literal> to start a new paragraph. </para> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1903.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1903.section.xml index f26e68e132000..ed26f2ba45d05 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-1903.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-1903.section.xml @@ -29,9 +29,9 @@ <para> By default, <literal>services.xserver.desktopManager.pantheon</literal> - enables LightDM as a display manager, as pantheon's screen + enables LightDM as a display manager, as pantheon’s screen locking implementation relies on it. Because of that it is - recommended to leave LightDM enabled. If you'd like to + recommended to leave LightDM enabled. If you’d like to disable it anyway, set <literal>services.xserver.displayManager.lightdm.enable</literal> to <literal>false</literal> and enable your preferred @@ -39,8 +39,8 @@ </para> </note> <para> - Also note that Pantheon's LightDM greeter is not enabled by - default, because it has numerous issues in NixOS and isn't + Also note that Pantheon’s LightDM greeter is not enabled by + default, because it has numerous issues in NixOS and isn’t optimal for use here yet. </para> </listitem> @@ -200,7 +200,7 @@ <listitem> <para> The <literal>ntp</literal> module now has sane default - restrictions. If you're relying on the previous defaults, + restrictions. If you’re relying on the previous defaults, which permitted all queries and commands from all firewall-permitted sources, you can set <literal>services.ntp.restrictDefault</literal> and @@ -271,7 +271,7 @@ <listitem> <para> The versioned <literal>postgresql</literal> have been renamed - to use underscore number seperators. For example, + to use underscore number separators. For example, <literal>postgresql96</literal> has been renamed to <literal>postgresql_9_6</literal>. </para> @@ -342,7 +342,7 @@ preserved when also setting interface specific rules such as <literal>networking.firewall.interfaces.en0.allow*</literal>. These rules continue to use the pseudo device - "default" + <quote>default</quote> (<literal>networking.firewall.interfaces.default.*</literal>), and assigning to this pseudo device will override the (<literal>networking.firewall.allow*</literal>) options. @@ -360,9 +360,9 @@ presence of <literal>services.sssd.enable = true</literal> because nscd caching would interfere with <literal>sssd</literal> in unpredictable ways as well. Because - we're using nscd not for caching, but for convincing glibc to + we’re using nscd not for caching, but for convincing glibc to find NSS modules in the nix store instead of an absolute path, - we have decided to disable caching globally now, as it's + we have decided to disable caching globally now, as it’s usually not the behaviour the user wants and can lead to surprising behaviour. Furthermore, negative caching of host lookups is also disabled now by default. This should fix the @@ -374,7 +374,7 @@ setting the <literal>services.nscd.config</literal> option with the desired caching parameters. </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.nscd.config = '' @@ -453,7 +453,7 @@ with its control field set to <literal>sufficient</literal> instead of <literal>required</literal>, so that password managed only by later PAM password modules are being executed. - Previously, for example, changing an LDAP account's password + Previously, for example, changing an LDAP account’s password through PAM was not possible: the whole password module verification was exited prematurely by <literal>pam_unix</literal>, preventing @@ -497,11 +497,11 @@ <link xlink:href="https://matrix.org/blog/2019/02/05/synapse-0-99-0/">the last version to accept self-signed certificates</link>. As such, it is now recommended to use a proper certificate - verified by a root CA (for example Let's Encrypt). The new + verified by a root CA (for example Let’s Encrypt). The new <link linkend="module-services-matrix">manual chapter on Matrix</link> contains a working example of using nginx as a reverse proxy in front of <literal>matrix-synapse</literal>, - using Let's Encrypt certificates. + using Let’s Encrypt certificates. </para> </listitem> <listitem> @@ -682,7 +682,7 @@ <link xlink:href="options.html#opt-services.ndppd.enable">all config options</link> provided by the current upstream version as service options. Additionally the <literal>ndppd</literal> - package doesn't contain the systemd unit configuration from + package doesn’t contain the systemd unit configuration from upstream anymore, the unit is completely configured by the NixOS module now. </para> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1909.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1909.section.xml index 83cd649f4ea0f..3bf83e1eccbd0 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-1909.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-1909.section.xml @@ -82,13 +82,13 @@ </listitem> <listitem> <para> - We've updated to Xfce 4.14, which brings a new module + We’ve updated to Xfce 4.14, which brings a new module <literal>services.xserver.desktopManager.xfce4-14</literal>. - If you'd like to upgrade, please switch from the + If you’d like to upgrade, please switch from the <literal>services.xserver.desktopManager.xfce</literal> module - as it will be deprecated in a future release. They're - incompatibilities with the current Xfce module; it doesn't - support <literal>thunarPlugins</literal> and it isn't + as it will be deprecated in a future release. They’re + incompatibilities with the current Xfce module; it doesn’t + support <literal>thunarPlugins</literal> and it isn’t recommended to use <literal>services.xserver.desktopManager.xfce</literal> and <literal>services.xserver.desktopManager.xfce4-14</literal> @@ -125,7 +125,7 @@ </itemizedlist> <para> With these options we hope to give users finer grained control - over their systems. Prior to this change you'd either have to + over their systems. Prior to this change you’d either have to manually disable options or use <literal>environment.gnome3.excludePackages</literal> which only excluded the optional applications. @@ -138,7 +138,7 @@ <listitem> <para> Orthogonal to the previous changes to the GNOME 3 desktop - manager module, we've updated all default services and + manager module, we’ve updated all default services and applications to match as close as possible to a default reference GNOME 3 experience. </para> @@ -295,7 +295,7 @@ <literal>services.xserver.desktopManager.mate</literal> Note Mate uses <literal>programs.system-config-printer</literal> as it - doesn't use it as a service, but its graphical interface + doesn’t use it as a service, but its graphical interface directly. </para> </listitem> @@ -347,7 +347,7 @@ <literal>services.prometheus.alertmanager.user</literal> and <literal>services.prometheus.alertmanager.group</literal> have been removed because the alertmanager service is now using - systemd's + systemd’s <link xlink:href="http://0pointer.net/blog/dynamic-users-with-systemd.html"> DynamicUser mechanism</link> which obviates these options. </para> @@ -366,7 +366,7 @@ The <literal>services.nzbget.configFile</literal> and <literal>services.nzbget.openFirewall</literal> options were removed as they are managed internally by the nzbget. The - <literal>services.nzbget.dataDir</literal> option hadn't + <literal>services.nzbget.dataDir</literal> option hadn’t actually been used by the module for some time and so was removed as cleanup. </para> @@ -475,7 +475,7 @@ Make sure you set the <literal>_netdev</literal> option for each of the file systems referring to block devices provided by the autoLuks module. Not doing this might render the system - in a state where it doesn't boot anymore. + in a state where it doesn’t boot anymore. </para> <para> If you are actively using the <literal>autoLuks</literal> @@ -498,7 +498,7 @@ <listitem> <para> The <literal>prometheus-nginx-exporter</literal> package now - uses the offical exporter provided by NGINX Inc. Its metrics + uses the official exporter provided by NGINX Inc. Its metrics are differently structured and are incompatible to the old ones. For information about the metrics, have a look at the <link xlink:href="https://github.com/nginxinc/nginx-prometheus-exporter">official @@ -524,7 +524,7 @@ <para> By default, prometheus exporters are now run with <literal>DynamicUser</literal> enabled. Exporters that need a - real user, now run under a seperate user and group which + real user, now run under a separate user and group which follow the pattern <literal><exporter-name>-exporter</literal>, instead of the previous default <literal>nobody</literal> and @@ -667,7 +667,7 @@ instead of depending on the catch-all <literal>acme-certificates.target</literal>. This target unit was also removed from the codebase. This will mean nginx will - no longer depend on certificates it isn't explicitly managing + no longer depend on certificates it isn’t explicitly managing and fixes a bug with certificate renewal ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at @@ -687,8 +687,8 @@ <literal>services.xserver.desktopManager.xterm</literal> is now disabled by default if <literal>stateVersion</literal> is 19.09 or higher. Previously the xterm desktopManager was - enabled when xserver was enabled, but it isn't useful for all - people so it didn't make sense to have any desktopManager + enabled when xserver was enabled, but it isn’t useful for all + people so it didn’t make sense to have any desktopManager enabled default. </para> </listitem> @@ -696,7 +696,7 @@ <para> The WeeChat plugin <literal>pkgs.weechatScripts.weechat-xmpp</literal> has been - removed as it doesn't receive any updates from upstream and + removed as it doesn’t receive any updates from upstream and depends on outdated Python2-based modules. </para> </listitem> @@ -744,11 +744,11 @@ <literal>services.gitlab.secrets.dbFile</literal>, <literal>services.gitlab.secrets.otpFile</literal> and <literal>services.gitlab.secrets.jwsFile</literal>). This was - done so that secrets aren't stored in the world-readable nix - store, but means that for each option you'll have to create a - file with the same exact string, add "File" to the - end of the option name, and change the definition to a string - pointing to the corresponding file; e.g. + done so that secrets aren’t stored in the world-readable nix + store, but means that for each option you’ll have to create a + file with the same exact string, add <quote>File</quote> to + the end of the option name, and change the definition to a + string pointing to the corresponding file; e.g. <literal>services.gitlab.databasePassword = "supersecurepassword"</literal> becomes <literal>services.gitlab.databasePasswordFile = "/path/to/secret_file"</literal> @@ -791,7 +791,7 @@ <listitem> <para> The <literal>nodejs-11_x</literal> package has been removed as - it's EOLed by upstream. + it’s EOLed by upstream. </para> </listitem> <listitem> @@ -961,7 +961,7 @@ from the upstream default <literal>speex-float-1</literal> to <literal>speex-float-5</literal>. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this so - you'll need to set + you’ll need to set <literal>hardware.pulseaudio.daemon.config.resample-method</literal> back to <literal>speex-float-1</literal>. </para> @@ -1004,7 +1004,7 @@ </listitem> <listitem> <para> - It's now possible to change configuration in + It’s now possible to change configuration in <link xlink:href="options.html#opt-services.nextcloud.enable">services.nextcloud</link> after the initial deploy since all config parameters are persisted in an additional config file generated by the @@ -1178,7 +1178,7 @@ <link xlink:href="https://ceph.com/releases/v14-2-0-nautilus-released/">release notes</link> for details. The mgr dashboard as well as osds backed by loop-devices is no longer explicitly supported by - the package and module. Note: There's been some issues with + the package and module. Note: There’s been some issues with python-cherrypy, which is used by the dashboard and prometheus mgr modules (and possibly others), hence 0000-dont-check-cherrypy-version.patch. diff --git a/nixos/doc/manual/from_md/release-notes/rl-2003.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2003.section.xml index 53e6e1329a942..35fbb7447c70d 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2003.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2003.section.xml @@ -73,7 +73,7 @@ <listitem> <para> The graphical installer image starts the graphical session - automatically. Before you'd be greeted by a tty and asked to + automatically. Before you’d be greeted by a tty and asked to enter <literal>systemctl start display-manager</literal>. It is now possible to disable the display-manager from running by selecting the <literal>Disable display-manager</literal> quirk @@ -93,7 +93,7 @@ <link xlink:href="options.html#opt-services.xserver.desktopManager.pantheon.enable">services.xserver.desktopManager.pantheon.enable</link>, we now default to also use <link xlink:href="https://blog.elementary.io/say-hello-to-the-new-greeter/"> - Pantheon's newly designed greeter </link>. Contrary to NixOS's + Pantheon’s newly designed greeter </link>. Contrary to NixOS’s usual update policy, Pantheon will receive updates during the cycle of NixOS 20.03 when backwards compatible. </para> @@ -133,7 +133,7 @@ option to improve support for upstream session files. If you used something like: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.xserver.desktopManager.default = "xfce"; services.xserver.windowManager.default = "icewm"; @@ -142,7 +142,7 @@ <para> you should change it to: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.xserver.displayManager.defaultSession = "xfce+icewm"; } @@ -196,7 +196,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details. </listitem> <listitem> <para> - UPower's configuration is now managed by NixOS and can be + UPower’s configuration is now managed by NixOS and can be customized via <literal>services.upower</literal>. </para> </listitem> @@ -505,7 +505,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details. <link xlink:href="https://github.com/NixOS/nixpkgs/pull/71106">#71106</link>. </para> <para> - We already don't support the global + We already don’t support the global <link xlink:href="options.html#opt-networking.useDHCP">networking.useDHCP</link>, <link xlink:href="options.html#opt-networking.defaultGateway">networking.defaultGateway</link> and @@ -522,7 +522,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details. The stdenv now runs all bash with <literal>set -u</literal>, to catch the use of undefined variables. Before, it itself used <literal>set -u</literal> but was careful to unset it so - other packages' code ran as before. Now, all bash code is held + other packages’ code ran as before. Now, all bash code is held to the same high standard, and the rather complex stateful manipulation of the options can be discarded. </para> @@ -558,7 +558,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details. <literal>xfceUnstable</literal> all now point to the latest Xfce 4.14 packages. And in the future NixOS releases will be the latest released version of Xfce available at the time of - the release's development (if viable). + the release’s development (if viable). </para> </listitem> <listitem> @@ -662,7 +662,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details. <listitem> <para> The <literal>dump1090</literal> derivation has been changed to - use FlightAware's dump1090 as its upstream. However, this + use FlightAware’s dump1090 as its upstream. However, this version does not have an internal webserver anymore. The assets in the <literal>share/dump1090</literal> directory of the derivation can be used in conjunction with an external @@ -821,7 +821,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details. is a <literal>loaOf</literal> option that is commonly used as follows: </para> - <programlisting language="bash"> + <programlisting language="nix"> { users.users = [ { name = "me"; @@ -836,7 +836,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details. value of <literal>name</literal> as the name of the attribute set: </para> - <programlisting language="bash"> + <programlisting language="nix"> { users.users.me = { description = "My personal user."; @@ -890,7 +890,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details. <listitem> <para> The<literal>services.buildkite-agent.openssh.publicKeyPath</literal> - option has been removed, as it's not necessary to deploy + option has been removed, as it’s not necessary to deploy public keys to clone private repositories. </para> </listitem> @@ -932,7 +932,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details. The <literal>services.xserver.displayManager.auto</literal> module has been removed. It was only intended for use in internal NixOS tests, and gave the false impression of it - being a special display manager when it's actually LightDM. + being a special display manager when it’s actually LightDM. Please use the <literal>services.xserver.displayManager.lightdm.autoLogin</literal> options instead, or any other display manager in NixOS as they @@ -940,7 +940,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details. because it permitted root auto-login you can override the lightdm-autologin pam module like: </para> - <programlisting language="bash"> + <programlisting language="nix"> { security.pam.services.lightdm-autologin.text = lib.mkForce '' auth requisite pam_nologin.so @@ -962,13 +962,13 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details. auth required pam_succeed_if.so quiet </programlisting> <para> - line, where default it's: + line, where default it’s: </para> <programlisting> auth required pam_succeed_if.so uid >= 1000 quiet </programlisting> <para> - not permitting users with uid's below 1000 (like root). All + not permitting users with uid’s below 1000 (like root). All other display managers in NixOS are configured like this. </para> </listitem> @@ -1004,7 +1004,7 @@ auth required pam_succeed_if.so quiet Additionally, some Postfix configuration must now be set manually instead of automatically by the Mailman module: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.postfix.relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ]; services.postfix.config.transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; @@ -1051,14 +1051,14 @@ auth required pam_succeed_if.so quiet <listitem> <para> The <literal>*psu</literal> versions of oraclejdk8 have been - removed as they aren't provided by upstream anymore. + removed as they aren’t provided by upstream anymore. </para> </listitem> <listitem> <para> The <literal>services.dnscrypt-proxy</literal> module has been removed as it used the deprecated version of dnscrypt-proxy. - We've added + We’ve added <link xlink:href="options.html#opt-services.dnscrypt-proxy2.enable">services.dnscrypt-proxy2.enable</link> to use the supported version. This module supports configuration via the Nix attribute set @@ -1066,7 +1066,7 @@ auth required pam_succeed_if.so quiet or by passing a TOML configuration file via <link xlink:href="options.html#opt-services.dnscrypt-proxy2.configFile">services.dnscrypt-proxy2.configFile</link>. </para> - <programlisting language="bash"> + <programlisting language="nix"> { # Example configuration: services.dnscrypt-proxy2.enable = true; @@ -1093,7 +1093,7 @@ auth required pam_succeed_if.so quiet </listitem> <listitem> <para> - sqldeveloper_18 has been removed as it's not maintained + sqldeveloper_18 has been removed as it’s not maintained anymore, sqldeveloper has been updated to version <literal>19.4</literal>. Please note that this means that this means that the oraclejdk is now required. For further @@ -1110,7 +1110,7 @@ auth required pam_succeed_if.so quiet the different lists of dependencies mashed together as one big list, and then partitioning into Haskell and non-Hakell dependencies, they work from the original many different - dependency parameters and don't need to algorithmically + dependency parameters and don’t need to algorithmically partition anything. </para> <para> @@ -1123,7 +1123,7 @@ auth required pam_succeed_if.so quiet </listitem> <listitem> <para> - The gcc-snapshot-package has been removed. It's marked as + The gcc-snapshot-package has been removed. It’s marked as broken for >2 years and used to point to a fairly old snapshot from the gcc7-branch. </para> @@ -1158,7 +1158,7 @@ auth required pam_succeed_if.so quiet <listitem> <para> nextcloud has been updated to <literal>v18.0.2</literal>. This - means that users from NixOS 19.09 can't upgrade directly since + means that users from NixOS 19.09 can’t upgrade directly since you can only move one version forward and 19.09 uses <literal>v16.0.8</literal>. </para> @@ -1181,7 +1181,7 @@ auth required pam_succeed_if.so quiet Existing setups will be detected using <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>: by default, nextcloud17 will be used, but will raise a - warning which notes that after that deploy it's + warning which notes that after that deploy it’s recommended to update to the latest stable version (nextcloud18) by declaring the newly introduced setting <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link>. @@ -1194,7 +1194,7 @@ auth required pam_succeed_if.so quiet get an evaluation error by default. This is done to ensure that our <link xlink:href="options.html#opt-services.nextcloud.package">package</link>-option - doesn't select an older version by accident. It's + doesn’t select an older version by accident. It’s recommended to use pkgs.nextcloud18 or to set <link xlink:href="options.html#opt-services.nextcloud.package">package</link> to pkgs.nextcloud explicitly. @@ -1203,7 +1203,7 @@ auth required pam_succeed_if.so quiet </itemizedlist> <warning> <para> - Please note that if you're coming from + Please note that if you’re coming from <literal>19.03</literal> or older, you have to manually upgrade to <literal>19.09</literal> first to upgrade your server to Nextcloud v16. @@ -1215,7 +1215,7 @@ auth required pam_succeed_if.so quiet Hydra has gained a massive performance improvement due to <link xlink:href="https://github.com/NixOS/hydra/pull/710">some database schema changes</link> by adding several IDs and - better indexing. However, it's necessary to upgrade Hydra in + better indexing. However, it’s necessary to upgrade Hydra in multiple steps: </para> <itemizedlist> @@ -1229,7 +1229,7 @@ auth required pam_succeed_if.so quiet when upgrading. Otherwise, the package can be deployed using the following config: </para> - <programlisting language="bash"> + <programlisting language="nix"> { pkgs, ... }: { services.hydra.package = pkgs.hydra-migration; } @@ -1266,12 +1266,12 @@ $ hydra-backfill-ids <link xlink:href="options.html#opt-system.stateVersion">stateVersion</link> is set to <literal>20.03</literal> or greater, hydra-unstable will be used automatically! This will break - your setup if you didn't run the migration. + your setup if you didn’t run the migration. </para> </warning> <para> Please note that Hydra is currently not available with - nixStable as this doesn't compile anymore. + nixStable as this doesn’t compile anymore. </para> <warning> <para> @@ -1281,7 +1281,7 @@ $ hydra-backfill-ids assertion error will be thrown. To circumvent this, you need to set <link xlink:href="options.html#opt-services.hydra.package">services.hydra.package</link> - to pkgs.hydra explicitly and make sure you know what you're + to pkgs.hydra explicitly and make sure you know what you’re doing! </para> </warning> @@ -1319,7 +1319,7 @@ $ hydra-backfill-ids <para> To continue to use the old approach, you can configure: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};''; systemd.services.nginx.serviceConfig.User = lib.mkForce "root"; @@ -1413,14 +1413,14 @@ $ hydra-backfill-ids <itemizedlist> <listitem> <para> - If you use <literal>sqlite3</literal> you don't need to do + If you use <literal>sqlite3</literal> you don’t need to do anything. </para> </listitem> <listitem> <para> If you use <literal>postgresql</literal> on a different - server, you don't need to change anything as well since + server, you don’t need to change anything as well since this module was never designed to configure remote databases. </para> @@ -1432,7 +1432,7 @@ $ hydra-backfill-ids older, you simply need to enable postgresql-support explicitly: </para> - <programlisting language="bash"> + <programlisting language="nix"> { ... }: { services.matrix-synapse = { enable = true; @@ -1460,7 +1460,7 @@ $ hydra-backfill-ids <literal>nixos-unstable</literal> <emphasis>after</emphasis> the <literal>19.09</literal>-release, your database is misconfigured due to a regression in NixOS. For now, - matrix-synapse will startup with a warning, but it's + matrix-synapse will startup with a warning, but it’s recommended to reconfigure the database to set the values <literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> to @@ -1473,7 +1473,7 @@ $ hydra-backfill-ids <link xlink:href="options.html#opt-systemd.network.links">systemd.network.links</link> option is now respected even when <link xlink:href="options.html#opt-systemd.network.enable">systemd-networkd</link> - is disabled. This mirrors the behaviour of systemd - It's udev + is disabled. This mirrors the behaviour of systemd - It’s udev that parses <literal>.link</literal> files, not <literal>systemd-networkd</literal>. </para> @@ -1486,8 +1486,8 @@ $ hydra-backfill-ids <para> Please note that mongodb has been relicensed under their own <link xlink:href="https://www.mongodb.com/licensing/server-side-public-license/faq"><literal> sspl</literal></link>-license. - Since it's not entirely free and not OSI-approved, it's - listed as non-free. This means that Hydra doesn't provide + Since it’s not entirely free and not OSI-approved, it’s + listed as non-free. This means that Hydra doesn’t provide prebuilt mongodb-packages and needs to be built locally. </para> </warning> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2009.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2009.section.xml index edebd92b327a6..a1b007e711d73 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2009.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2009.section.xml @@ -722,7 +722,7 @@ See <link xlink:href="https://mariadb.com/kb/en/authentication-from-mariadb-104/">Authentication from MariaDB 10.4</link>. unix_socket auth plugin does not use - a password, and uses the connecting user's UID instead. When a + a password, and uses the connecting user’s UID instead. When a new MariaDB data directory is initialized, two MariaDB users are created and can be used with new unix_socket auth plugin, as well as traditional mysql_native_password plugin: @@ -730,7 +730,7 @@ traditional mysql_native_password plugin method, one must run the following: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("verysecret"); @@ -755,7 +755,7 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' allow MySQL to read from /home and /tmp directories when using <literal>LOAD DATA INFILE</literal> </para> - <programlisting language="bash"> + <programlisting language="nix"> { systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only"; } @@ -766,7 +766,7 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' <literal>SELECT * INTO OUTFILE</literal>, assuming the mysql user has write access to <literal>/var/data</literal> </para> - <programlisting language="bash"> + <programlisting language="nix"> { systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ]; } @@ -864,7 +864,7 @@ WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ <para> <literal>buildGoModule</literal> now internally creates a vendor directory in the source tree for downloaded modules - instead of using go's + instead of using go’s <link xlink:href="https://golang.org/cmd/go/#hdr-Module_proxy_protocol">module proxy protocol</link>. This storage format is simpler and therefore less likely to break with future versions of go. As @@ -885,7 +885,7 @@ WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ <literal>phantomJsSupport = true</literal> to the package instantiation: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec { phantomJsSupport = true; @@ -941,24 +941,24 @@ WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ <para> If you used the <literal>boot.initrd.network.ssh.host*Key</literal> options, - you'll get an error explaining how to convert your host keys + you’ll get an error explaining how to convert your host keys and migrate to the new <literal>boot.initrd.network.ssh.hostKeys</literal> option. - Otherwise, if you don't have any host keys set, you'll need to + Otherwise, if you don’t have any host keys set, you’ll need to generate some; see the <literal>hostKeys</literal> option documentation for instructions. </para> </listitem> <listitem> <para> - Since this release there's an easy way to customize your PHP + Since this release there’s an easy way to customize your PHP install to get a much smaller base PHP with only wanted extensions enabled. See the following snippet installing a smaller PHP with the extensions <literal>imagick</literal>, <literal>opcache</literal>, <literal>pdo</literal> and <literal>pdo_mysql</literal> loaded: </para> - <programlisting language="bash"> + <programlisting language="nix"> { environment.systemPackages = [ (pkgs.php.withExtensions @@ -973,7 +973,7 @@ WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ } </programlisting> <para> - The default <literal>php</literal> attribute hasn't lost any + The default <literal>php</literal> attribute hasn’t lost any extensions. The <literal>opcache</literal> extension has been added. All upstream PHP extensions are available under php.extensions.<name?>. @@ -997,7 +997,7 @@ WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ The remaining configuration flags can now be set directly on the <literal>php</literal> attribute. For example, instead of </para> - <programlisting language="bash"> + <programlisting language="nix"> { php.override { config.php.embed = true; @@ -1008,7 +1008,7 @@ WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ <para> you should now write </para> - <programlisting language="bash"> + <programlisting language="nix"> { php.override { embedSupport = true; @@ -1062,7 +1062,7 @@ WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ writing to other folders, use <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal> </para> - <programlisting language="bash"> + <programlisting language="nix"> { systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; } @@ -1076,7 +1076,7 @@ WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ docs</link> for details). If you require serving files from home directories, you may choose to set e.g. </para> - <programlisting language="bash"> + <programlisting language="nix"> { systemd.services.nginx.serviceConfig.ProtectHome = "read-only"; } @@ -1093,7 +1093,7 @@ WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ <para> Replace a <literal>nesting.clone</literal> entry with: </para> - <programlisting language="bash"> + <programlisting language="nix"> { specialisation.example-sub-configuration = { configuration = { @@ -1104,7 +1104,7 @@ WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ <para> Replace a <literal>nesting.children</literal> entry with: </para> - <programlisting language="bash"> + <programlisting language="nix"> { specialisation.example-sub-configuration = { inheritParentConfig = false; @@ -1162,7 +1162,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test <para> The <literal>systemd-networkd</literal> option <literal>systemd.network.networks.<name>.dhcp.CriticalConnection</literal> - has been removed following upstream systemd's deprecation of + has been removed following upstream systemd’s deprecation of the same. It is recommended to use <literal>systemd.network.networks.<name>.networkConfig.KeepConfiguration</literal> instead. See systemd.network 5 for details. @@ -1174,7 +1174,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test <literal>systemd.network.networks._name_.dhcpConfig</literal> has been renamed to <link xlink:href="options.html#opt-systemd.network.networks._name_.dhcpV4Config">systemd.network.networks.<emphasis>name</emphasis>.dhcpV4Config</link> - following upstream systemd's documentation change. See + following upstream systemd’s documentation change. See systemd.network 5 for details. </para> </listitem> @@ -1283,7 +1283,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test The <link xlink:href="https://github.com/okTurtles/dnschain">DNSChain</link> package and NixOS module have been removed from Nixpkgs as the - software is unmaintained and can't be built. For more + software is unmaintained and can’t be built. For more information see issue <link xlink:href="https://github.com/NixOS/nixpkgs/issues/89205">#89205</link>. </para> @@ -1350,7 +1350,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test </listitem> <listitem> <para> - Radicale's default package has changed from 2.x to 3.x. An + Radicale’s default package has changed from 2.x to 3.x. An upgrade checklist can be found <link xlink:href="https://github.com/Kozea/Radicale/blob/3.0.x/NEWS.md#upgrade-checklist">here</link>. You can use the newer version in the NixOS service by setting @@ -1385,7 +1385,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test multi-instance config with an existing bitcoind data directory and user, you have to adjust the original config, e.g.: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.bitcoind = { enable = true; @@ -1397,7 +1397,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test <para> To something similar: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.bitcoind.mainnet = { enable = true; @@ -1447,7 +1447,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test the original SSL settings, you have to adjust the original config, e.g.: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.dokuwiki = { enable = true; @@ -1458,7 +1458,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test <para> To something similar: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.dokuwiki."mywiki" = { enable = true; @@ -1472,8 +1472,8 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test </programlisting> <para> The base package has also been upgraded to the 2020-07-29 - "Hogfather" release. Plugins might be incompatible - or require upgrading. + <quote>Hogfather</quote> release. Plugins might be + incompatible or require upgrading. </para> </listitem> <listitem> @@ -1492,7 +1492,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test option is (<literal>/var/db/postgresql</literal>) and then explicitly set this value to maintain compatibility: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.postgresql.dataDir = "/var/db/postgresql"; } @@ -1587,7 +1587,7 @@ CREATE ROLE postgres LOGIN SUPERUSER; <listitem> <para> The <literal>security.rngd</literal> service is now disabled - by default. This choice was made because there's krngd in the + by default. This choice was made because there’s krngd in the linux kernel space making it (for most usecases) functionally redundent. </para> @@ -1609,13 +1609,13 @@ CREATE ROLE postgres LOGIN SUPERUSER; will be EOL (end of life) within the lifetime of 20.09</link>. </para> <para> - It's necessary to upgrade to nextcloud19: + It’s necessary to upgrade to nextcloud19: </para> <itemizedlist> <listitem> <para> From nextcloud17, you have to upgrade to nextcloud18 first - as Nextcloud doesn't allow going multiple major revisions + as Nextcloud doesn’t allow going multiple major revisions forward in a single upgrade. This is possible by setting <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link> to nextcloud18. @@ -1623,7 +1623,7 @@ CREATE ROLE postgres LOGIN SUPERUSER; </listitem> <listitem> <para> - From nextcloud18, it's possible to directly upgrade to + From nextcloud18, it’s possible to directly upgrade to nextcloud19 by setting <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link> to nextcloud19. @@ -1685,7 +1685,7 @@ CREATE ROLE postgres LOGIN SUPERUSER; <listitem> <para> The notmuch package moves its emacs-related binaries and emacs - lisp files to a separate output. They're not part of the + lisp files to a separate output. They’re not part of the default <literal>out</literal> output anymore - if you relied on the <literal>notmuch-emacs-mua</literal> binary or the emacs lisp files, access them via the @@ -1736,11 +1736,11 @@ CREATE ROLE postgres LOGIN SUPERUSER; </listitem> <listitem> <para> - The cc- and binutils-wrapper's "infix salt" and + The cc- and binutils-wrapper’s <quote>infix salt</quote> and <literal>_BUILD_</literal> and <literal>_TARGET_</literal> - user infixes have been replaced with with a "suffix - salt" and suffixes and <literal>_FOR_BUILD</literal> and - <literal>_FOR_TARGET</literal>. This matches the autotools + user infixes have been replaced with with a <quote>suffix + salt</quote> and suffixes and <literal>_FOR_BUILD</literal> + and <literal>_FOR_TARGET</literal>. This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier. </para> @@ -1774,8 +1774,8 @@ CREATE ROLE postgres LOGIN SUPERUSER; <literal>network-link-*</literal> units, which have been removed. Bringing the interface up has been moved to the beginning of the <literal>network-addresses-*</literal> unit. - Note this doesn't require <literal>systemd-networkd</literal> - - it's udev that parses <literal>.link</literal> files. Extra + Note this doesn’t require <literal>systemd-networkd</literal> + - it’s udev that parses <literal>.link</literal> files. Extra care needs to be taken in the presence of <link xlink:href="https://wiki.debian.org/NetworkInterfaceNames#THE_.22PERSISTENT_NAMES.22_SCHEME">legacy udev rules</link> to rename interfaces, as MAC Address and MTU @@ -1825,7 +1825,7 @@ CREATE ROLE postgres LOGIN SUPERUSER; you must include those directories into the <literal>BindPaths</literal> of the service: </para> - <programlisting language="bash"> + <programlisting language="nix"> { systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ]; } @@ -1835,7 +1835,7 @@ CREATE ROLE postgres LOGIN SUPERUSER; <literal>transmission-daemon</literal> is now only available on the local network interface by default. Use: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.transmission.settings.rpc-bind-address = "0.0.0.0"; } @@ -1850,7 +1850,7 @@ CREATE ROLE postgres LOGIN SUPERUSER; With this release <literal>systemd-networkd</literal> (when enabled through <link xlink:href="options.html#opt-networking.useNetworkd">networking.useNetworkd</link>) - has it's netlink socket created through a + has it’s netlink socket created through a <literal>systemd.socket</literal> unit. This gives us control over socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual) devices @@ -1873,7 +1873,7 @@ CREATE ROLE postgres LOGIN SUPERUSER; </para> <para> Since the actual memory requirements depend on hardware, - timing, exact configurations etc. it isn't currently possible + timing, exact configurations etc. it isn’t currently possible to infer a good default from within the NixOS module system. Administrators are advised to monitor the logs of <literal>systemd-networkd</literal> for @@ -1882,7 +1882,7 @@ CREATE ROLE postgres LOGIN SUPERUSER; </para> <para> Note: Increasing the <literal>ReceiveBufferSize=</literal> - doesn't allocate any memory. It just increases the upper bound + doesn’t allocate any memory. It just increases the upper bound on the kernel side. The memory allocation depends on the amount of messages that are queued on the kernel side of the netlink socket. @@ -1900,7 +1900,7 @@ CREATE ROLE postgres LOGIN SUPERUSER; <para> This means that a configuration like this </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.dovecot2.mailboxes = [ { name = "Junk"; @@ -1912,7 +1912,7 @@ CREATE ROLE postgres LOGIN SUPERUSER; <para> should now look like this: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.dovecot2.mailboxes = { Junk.auto = "create"; @@ -1934,8 +1934,8 @@ CREATE ROLE postgres LOGIN SUPERUSER; </para> <para> If you have an existing installation, please make sure that - you're on nextcloud18 before upgrading to nextcloud19 since - Nextcloud doesn't support upgrades across multiple major + you’re on nextcloud18 before upgrading to nextcloud19 since + Nextcloud doesn’t support upgrades across multiple major versions. </para> </listitem> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml index fb11b19229e28..868c1709879d2 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml @@ -235,9 +235,9 @@ <para> The <literal>networking.wireless.iwd</literal> module now installs the upstream-provided 80-iwd.link file, which sets - the NamePolicy= for all wlan devices to "keep - kernel", to avoid race conditions between iwd and - networkd. If you don't want this, you can set + the NamePolicy= for all wlan devices to <quote>keep + kernel</quote>, to avoid race conditions between iwd and + networkd. If you don’t want this, you can set <literal>systemd.network.links."80-iwd" = lib.mkForce {}</literal>. </para> </listitem> @@ -245,7 +245,7 @@ <para> <literal>rubyMinimal</literal> was removed due to being unused and unusable. The default ruby interpreter includes JIT - support, which makes it reference it's compiler. Since JIT + support, which makes it reference it’s compiler. Since JIT support is probably needed by some Gems, it was decided to enable this feature with all cc references by default, and allow to build a Ruby derivation without references to cc, by @@ -330,7 +330,7 @@ <literal>mediatomb</literal> package. If you want to keep the old behavior, you must declare it with: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.mediatomb.package = pkgs.mediatomb; } @@ -341,7 +341,7 @@ service declaration to add the firewall rules itself before, you should now declare it with: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.mediatomb.openFirewall = true; } @@ -368,7 +368,7 @@ <link xlink:href="options.html#opt-services.uwsgi.capabilities">services.uwsgi.capabilities</link>. The previous behaviour can be restored by setting: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.uwsgi.user = "root"; services.uwsgi.group = "root"; @@ -427,7 +427,7 @@ <para> <link xlink:href="options.html#opt-networking.wireguard.interfaces">networking.wireguard.interfaces.<name>.generatePrivateKeyFile</link>, which is off by default, had a <literal>chmod</literal> race - condition fixed. As an aside, the parent directory's + condition fixed. As an aside, the parent directory’s permissions were widened, and the key files were made owner-writable. This only affects newly created keys. However, if the exact permissions are important for your setup, read @@ -527,7 +527,7 @@ $ slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))' this directory are guarded to only run if the files they want to manipulate do not already exist, and so will not re-apply their changes if the IMDS response changes. - Examples: <literal>root</literal>'s SSH key is only added if + Examples: <literal>root</literal>’s SSH key is only added if <literal>/root/.ssh/authorized_keys</literal> does not exist, and SSH host keys are only set from user data if they do not exist in <literal>/etc/ssh</literal>. @@ -550,9 +550,9 @@ $ slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))' configures Privoxy, and the <literal>services.tor.client.privoxy.enable</literal> option has been removed. To enable Privoxy, and to configure it to - use Tor's faster port, use the following configuration: + use Tor’s faster port, use the following configuration: </para> - <programlisting language="bash"> + <programlisting language="nix"> { opt-services.privoxy.enable = true; opt-services.privoxy.enableTor = true; @@ -628,7 +628,7 @@ $ slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))' exporter no longer accepts a fixed command-line parameter to specify the URL of the endpoint serving JSON. It now expects this URL to be passed as an URL parameter, when scraping the - exporter's <literal>/probe</literal> endpoint. In the + exporter’s <literal>/probe</literal> endpoint. In the prometheus scrape configuration the scrape target might look like this: </para> @@ -689,7 +689,7 @@ http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/e <literal>mpich</literal> instead of the default <literal>openmpi</literal> can now be achived like this: </para> - <programlisting language="bash"> + <programlisting language="nix"> self: super: { mpi = super.mpich; @@ -790,7 +790,7 @@ self: super: for any device that the kernel recognises as an hardware RNG, as it will automatically run the krngd task to periodically collect random data from the device and mix it into the - kernel's RNG. + kernel’s RNG. </para> <para> The default SMTP port for GitLab has been changed to @@ -850,7 +850,7 @@ self: super: kodiPackages.inputstream-adaptive and kodiPackages.vfs-sftp addons: </para> - <programlisting language="bash"> + <programlisting language="nix"> { environment.systemPackages = [ pkgs.kodi @@ -867,7 +867,7 @@ self: super: and as a result the above configuration should now be written as: </para> - <programlisting language="bash"> + <programlisting language="nix"> { environment.systemPackages = [ (pkgs.kodi.withPackages (p: with p; [ @@ -893,7 +893,7 @@ self: super: <literal>services.minio.dataDir</literal> changed type to a list of paths, required for specifiyng multiple data directories for using with erasure coding. Currently, the - service doesn't enforce nor checks the correct number of paths + service doesn’t enforce nor checks the correct number of paths to correspond to minio requirements. </para> </listitem> @@ -910,7 +910,7 @@ self: super: <literal>dvorak-programmer</literal> in <literal>console.keyMap</literal> now instead of <literal>dvp</literal>. In - <literal>services.xserver.xkbVariant</literal> it's still + <literal>services.xserver.xkbVariant</literal> it’s still <literal>dvp</literal>. </para> </listitem> @@ -954,7 +954,7 @@ self: super: supported. </para> <para> - Furthermore, Radicale's systemd unit was hardened which might + Furthermore, Radicale’s systemd unit was hardened which might break some deployments. In particular, a non-default <literal>filesystem_folder</literal> has to be added to <literal>systemd.services.radicale.serviceConfig.ReadWritePaths</literal> @@ -991,7 +991,7 @@ self: super: <listitem> <para> <link xlink:href="https://www.gnuradio.org/">GNURadio</link> - has a <literal>pkgs</literal> attribute set, and there's a + has a <literal>pkgs</literal> attribute set, and there’s a <literal>gnuradio.callPackage</literal> function that extends <literal>pkgs</literal> with a <literal>mkDerivation</literal>, and a @@ -1027,7 +1027,7 @@ self: super: <listitem> <para> <link xlink:href="https://kodi.tv/">Kodi</link> has been - updated to version 19.1 "Matrix". See the + updated to version 19.1 <quote>Matrix</quote>. See the <link xlink:href="https://kodi.tv/article/kodi-19-0-matrix-release">announcement</link> for further details. </para> @@ -1098,9 +1098,9 @@ self: super: <listitem> <para> The default-version of <literal>nextcloud</literal> is - nextcloud21. Please note that it's <emphasis>not</emphasis> + nextcloud21. Please note that it’s <emphasis>not</emphasis> possible to upgrade <literal>nextcloud</literal> across - multiple major versions! This means that it's e.g. not + multiple major versions! This means that it’s e.g. not possible to upgrade from nextcloud18 to nextcloud20 in a single deploy and most <literal>20.09</literal> users will have to upgrade to nextcloud20 first. @@ -1122,7 +1122,7 @@ self: super: </listitem> <listitem> <para> - NixOS now emits a deprecation warning if systemd's + NixOS now emits a deprecation warning if systemd’s <literal>StartLimitInterval</literal> setting is used in a <literal>serviceConfig</literal> section instead of in a <literal>unitConfig</literal>; that setting is deprecated and @@ -1158,7 +1158,7 @@ self: super: users to declare autoscan media directories from their nixos configuration: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.mediatomb.mediaDirectories = [ { path = "/var/lib/mediatomb/pictures"; recursive = false; hidden-files = false; } @@ -1255,8 +1255,8 @@ self: super: <listitem> <para> The <literal>services.dnscrypt-proxy2</literal> module now - takes the upstream's example configuration and updates it with - the user's settings. An option has been added to restore the + takes the upstream’s example configuration and updates it with + the user’s settings. An option has been added to restore the old behaviour if you prefer to declare the configuration from scratch. </para> @@ -1298,13 +1298,14 @@ self: super: <para> The zookeeper package does not provide <literal>zooInspector.sh</literal> anymore, as that - "contrib" has been dropped from upstream releases. + <quote>contrib</quote> has been dropped from upstream + releases. </para> </listitem> <listitem> <para> In the ACME module, the data used to build the hash for the - account directory has changed to accomodate new features to + account directory has changed to accommodate new features to reduce account rate limit issues. This will trigger new account creation on the first rebuild following this update. No issues are expected to arise from this, thanks to the new @@ -1317,7 +1318,7 @@ self: super: now always ensures home directory permissions to be <literal>0700</literal>. Permissions had previously been ignored for already existing home directories, possibly - leaving them readable by others. The option's description was + leaving them readable by others. The option’s description was incorrect regarding ownership management and has been simplified greatly. </para> @@ -1518,7 +1519,7 @@ self: super: been dropped. Users that still want it should add the following to their system configuration: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.gvfs.package = pkgs.gvfs.override { samba = null; }; } diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index b7790c99a91e5..48a717916535e 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -561,6 +561,14 @@ <link xlink:href="options.html#opt-services.prometheus.exporters.smartctl.enable">services.prometheus.exporters.smartctl</link>. </para> </listitem> + <listitem> + <para> + <link xlink:href="https://docs.twingate.com/docs/linux">twingate</link>, + a high performance, easy to use zero trust solution that + enables access to private resources from any device with + better security than a VPN. + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-21.11-incompatibilities"> @@ -634,7 +642,7 @@ </para> </listitem> </itemizedlist> - <programlisting language="bash"> + <programlisting language="nix"> { services.paperless-ng.extraConfig = { # Provide languages as ISO 639-2 codes @@ -715,7 +723,7 @@ Superuser created successfully. </listitem> <listitem> <para> - The <literal>erigon</literal> ethereum node has moved it’s + The <literal>erigon</literal> ethereum node has moved its database location in <literal>2021-08-03</literal>, users upgrading must manually move their chaindata (see <link xlink:href="https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03">release @@ -729,7 +737,7 @@ Superuser created successfully. insecure. Out-of-tree modules are likely to require adaptation: instead of </para> - <programlisting language="bash"> + <programlisting language="nix"> { users.users.foo = { isSystemUser = true; @@ -739,7 +747,7 @@ Superuser created successfully. <para> also create a group for your user: </para> - <programlisting language="bash"> + <programlisting language="nix"> { users.users.foo = { isSystemUser = true; @@ -1435,7 +1443,7 @@ Superuser created successfully. <para> The default GNAT version has been changed: The <literal>gnat</literal> attribute now points to - <literal>gnat11</literal> instead of <literal>gnat9</literal>. + <literal>gnat12</literal> instead of <literal>gnat9</literal>. </para> </listitem> <listitem> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 97e993e83ff04..64217c53c3b8d 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -16,8 +16,20 @@ </para> <itemizedlist> <listitem> -<literallayout>Nix has been updated from 2.3 to 2.8. This mainly brings experimental support for Flakes, but also marks the <literal>nix</literal> command as experimental which now has to be enabled via the configuration explicitly. For more information and instructions for upgrades, see the relase notes for <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.4.html">nix-2.4</link>, -<link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.5.html">nix-2.5</link>, <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.6.html">nix-2.6</link>, <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.7.html">nix-2.7</link> and <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.8.html">nix-2.8</link></literallayout> + <para> + Nix has been updated from 2.3 to 2.8. This mainly brings + experimental support for Flakes, but also marks the + <literal>nix</literal> command as experimental which now has + to be enabled via the configuration explicitly. For more + information and instructions for upgrades, see the relase + notes for + <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.4.html">nix-2.4</link>, + <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.5.html">nix-2.5</link>, + <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.6.html">nix-2.6</link>, + <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.7.html">nix-2.7</link> + and + <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.8.html">nix-2.8</link> + </para> </listitem> <listitem> <para> @@ -328,7 +340,7 @@ <listitem> <para> <link xlink:href="https://maddy.email/">Maddy</link>, a free - an open source mail server. Availabe as + an open source mail server. Available as <link linkend="opt-services.maddy.enable">services.maddy</link>. </para> </listitem> @@ -714,7 +726,7 @@ <literal>programs.msmtp.*</literal> can be used instead for an equivalent setup. For example: </para> - <programlisting language="bash"> + <programlisting language="nix"> { # Original ssmtp configuration: services.ssmtp = { @@ -847,7 +859,7 @@ <literal>config.nixpkgs.config.allowUnfree</literal> are enabled. If you still want these fonts, use: </para> - <programlisting language="bash"> + <programlisting language="nix"> { fonts.fonts = [ pkgs.xorg.fontbhlucidatypewriter100dpi @@ -942,7 +954,7 @@ <para> Before: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.matrix-synapse = { enable = true; @@ -977,7 +989,7 @@ <para> After: </para> - <programlisting language="bash"> + <programlisting language="nix"> { services.matrix-synapse = { enable = true; @@ -1143,7 +1155,7 @@ <para> Before: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.keycloak = { enable = true; httpPort = "8080"; @@ -1157,7 +1169,7 @@ <para> After: </para> - <programlisting language="bash"> + <programlisting language="nix"> services.keycloak = { enable = true; settings = { @@ -1422,7 +1434,7 @@ derivation if <literal>name</literal> is <literal>"vim"</literal> (the default). This makes the <literal>wrapManual</literal> argument obsolete, - but this behavior can be overriden by setting the + but this behavior can be overridden by setting the <literal>standalone</literal> argument. </para> </listitem> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index d5cc14a3bdfdd..2d7226caa5b56 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -1,484 +1,300 @@ <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-22.11"> - <title>Release 22.11 (“Raccoon”, 2022.11/??)</title> + <title>Release 22.11 (“Raccoon”, 2022.11/30)</title> <para> - Support is planned until the end of June 2023, handing over to - 23.05. + The NixOS release team is happy to announce a new version of NixOS + 22.11. NixOS is a Linux distribution, whose set of packages can also + be used on other Linux systems and macOS. + </para> + <para> + This release is supported until the end of June 2023, handing over + to NixOS 23.05. + </para> + <para> + To upgrade to the latest release follow the + <link linkend="sec-upgrading">upgrade chapter</link>. </para> <section xml:id="sec-release-22.11-highlights"> <title>Highlights</title> <para> In addition to numerous new and upgraded packages, this release - has the following highlights: + includes the following highlights: </para> <itemizedlist> <listitem> <para> - GNOME has been upgraded to 43. Please take a look at their - <link xlink:href="https://release.gnome.org/43/">Release - Notes</link> for details. - </para> - </listitem> - <listitem> - <para> - During cross-compilation, tests are now executed if the test - suite can be executed by the build platform. This is the case - when doing “native” cross-compilation where the build and host - platforms are largely the same, but the nixpkgs’ cross - compilation infrastructure is used, e.g. - <literal>pkgsStatic</literal> and <literal>pkgsLLVM</literal>. - Another possibility is that the build platform is a superset - of the host platform, e.g. when cross-compiling from - <literal>x86_64-unknown-linux</literal> to - <literal>i686-unknown-linux</literal>. The predicate gating - test suite execution is the newly added - <literal>canExecute</literal> predicate: You can e.g. check if - <literal>stdenv.buildPlatform</literal> can execute binaries - built for <literal>stdenv.hostPlatform</literal> (i.e. - produced by <literal>stdenv.cc</literal>) by evaluating - <literal>stdenv.buildPlatform.canExecute stdenv.hostPlatform</literal>. - </para> - </listitem> - <listitem> - <para> - The <literal>nixpkgs.hostPlatform</literal> and - <literal>nixpkgs.buildPlatform</literal> options have been - added. These cover and override the - <literal>nixpkgs.{system,localSystem,crossSystem}</literal> - options. + Software that uses the <literal>crypt</literal> password + hashing API is now using the implementation provided by + <link xlink:href="https://github.com/besser82/libxcrypt"><literal>libxcrypt</literal></link> + instead of glibc’s, which enables support for more secure + algorithms. </para> <itemizedlist spacing="compact"> <listitem> <para> - <literal>hostPlatform</literal> is the platform or - <quote><literal>system</literal></quote> string of the - NixOS system described by the configuration. + Support for algorithms that <literal>libxcrypt</literal> + <link xlink:href="https://github.com/besser82/libxcrypt/blob/v4.4.28/lib/hashes.conf#L41">does + not consider strong</link> are + <emphasis role="strong">deprecated</emphasis> as of this + release, and will be removed in NixOS 23.05. </para> </listitem> <listitem> <para> - <literal>buildPlatform</literal> is the platform that is - responsible for building the NixOS configuration. It - defaults to the <literal>hostPlatform</literal>, for a - non-cross build configuration. To cross compile, set - <literal>buildPlatform</literal> to a different value. + This includes system login passwords. Given this, we + <emphasis role="strong">strongly encourage</emphasis> all + users to update their system passwords, as you will be + unable to login if password hashes are not migrated by the + time their support is removed. </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + When using + <literal>users.users.<name>.hashedPassword</literal> + to configure user passwords, run + <literal>mkpasswd</literal>, and use the yescrypt hash + that is provided as the new value. + </para> + </listitem> + <listitem> + <para> + On the other hand, for interactively configured user + passwords, simply re-set the passwords for all users + with <literal>passwd</literal>. + </para> + </listitem> + <listitem> + <para> + This release introduces warnings for the use of + deprecated hash algorithms for both methods of + configuring passwords. To make sure you migrated + correctly, run + <literal>nixos-rebuild switch</literal>. + </para> + </listitem> + </itemizedlist> </listitem> </itemizedlist> - <para> - The new options convey the same information, but with fewer - options, and following the Nixpkgs terminology. - </para> - <para> - The existing options - <literal>nixpkgs.{system,localSystem,crossSystem}</literal> - have not been formally deprecated, to allow for evaluation of - the change and to allow for a transition period so that in - time the ecosystem can switch without breaking compatibility - with any supported NixOS release. - </para> </listitem> <listitem> <para> - <literal>emacs</literal> enables native compilation which - means: + The NixOS documentation is now generated from markdown. While + docbook is still part of the documentation build process, it’s + a big step towards the full migration. </para> - <itemizedlist spacing="compact"> - <listitem> - <para> - emacs packages from nixpkgs, builtin or not, will do - native compilation ahead of time so you can enjoy the - benefit of native compilation without compiling them on - you machine; - </para> - </listitem> - <listitem> - <para> - emacs packages from somewhere else, e.g. - <literal>package-install</literal>, will do asynchronously - deferred native compilation. If you do not want this, - maybe to avoid CPU consumption for compilation, you can - use - <literal>(setq native-comp-deferred-compilation nil)</literal> - to disable it while still enjoy the benefit of native - compilation for packages from nixpkgs. - </para> - </listitem> - </itemizedlist> </listitem> <listitem> <para> - <literal>nixos-generate-config</literal> now generates - configurations that can be built in pure mode. This is - achieved by setting the new - <literal>nixpkgs.hostPlatform</literal> option. - </para> - <para> - You may have to unset the <literal>system</literal> parameter - in <literal>lib.nixosSystem</literal>, or similarly remove - definitions of the - <literal>nixpkgs.{system,localSystem,crossSystem}</literal> - options. - </para> - <para> - Alternatively, you can remove the - <literal>hostPlatform</literal> line and use NixOS like you - would in NixOS 22.05 and earlier. + <literal>aarch64-linux</literal> is now included in the + <literal>nixos-22.11</literal> and + <literal>nixos-22.11-small</literal> channels. This means that + when those channel update, both + <literal>x86_64-linux</literal> and + <literal>aarch64-linux</literal> will be available in the + binary cache. </para> </listitem> <listitem> <para> - PHP now defaults to PHP 8.1, updated from 8.0. + <literal>aarch64-linux</literal> ISOs are now available on the + <link xlink:href="https://nixos.org/download.html">downloads + page</link>. </para> </listitem> <listitem> <para> - PHP is now built <literal>NTS</literal> (Non-Thread Safe) - style by default, for Apache and <literal>mod_php</literal> - usage we still enable <literal>ZTS</literal> (Zend Thread - Safe). This has been a common practice for a long time in - other distributions. + <literal>nsncd</literal> is now available as a replacement of + <literal>nscd</literal>. </para> - </listitem> - <listitem> <para> - <literal>protonup</literal> has been aliased to and replaced - by <literal>protonup-ng</literal> due to upstream not - maintaining it. + <literal>nscd</literal> is responsible for resolving + hostnames, users and more in NixOS and has been a long + standing source of bugs, such as sporadic network freezes. </para> - </listitem> - <listitem> <para> - Perl has been updated to 5.36, and its core module - <literal>HTTP::Tiny</literal> was patched to verify SSL/TLS - certificates by default. + More context in this + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/135888">issue</link>. </para> - </listitem> - <listitem> <para> - Improved performances of - <literal>lib.closePropagation</literal> which was previously - quadratic. This is used in e.g. - <literal>ghcWithPackages</literal>. Please see backward - incompatibilities notes below. + Help us test the new implementation by setting + <literal>services.nscd.enableNsncd</literal> to + <literal>true</literal>. </para> - </listitem> - <listitem> <para> - Cinnamon has been updated to 5.4. While at it, the cinnamon - module now defaults to blueman as bluetooth manager and - slick-greeter as lightdm greeter to match upstream. + We plan to use <literal>nsncd</literal> by default in NixOS + 23.05. </para> </listitem> <listitem> <para> - OpenSSL now defaults to OpenSSL 3, updated from 1.1.1. + Linode cloud images are now supported by importing + <literal>${modulesPath}/virtualisation/linode-image.nix</literal> + and accessing <literal>system.build.linodeImage</literal> on + the output. </para> </listitem> <listitem> <para> - An image configuration and generator has been added for Linode - images, largely based on the present GCE configuration and - image. + <literal>hardware.nvidia</literal> has a new option, + <literal>hardware.nvidia.open</literal>, that can be used to + enable the usage of NVIDIA’s open-source kernel driver. Note + that the driver’s support for GeForce and Workstation GPUs is + still alpha quality, see + <link xlink:href="https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/">the + release announcement</link> for more information. </para> </listitem> <listitem> <para> - <literal>hardware.nvidia</literal> has a new option - <literal>open</literal> that can be used to opt in the - opensource version of NVIDIA kernel driver. Note that the - driver’s support for GeForce and Workstation GPUs is still - alpha quality, see - <link xlink:href="https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/">NVIDIA - Releases Open-Source GPU Kernel Modules</link> for the - official announcement. + The <literal>emacs</literal> package now makes use of native + compilation which means: </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Emacs packages from Nixpkgs, builtin or not, will do + native compilation ahead of time so you can enjoy the + benefit of native compilation without compiling them on + you machine; + </para> + </listitem> + <listitem> + <para> + Emacs packages from somewhere else, e.g. + <literal>package-install</literal>, will perform + asynchronously deferred native compilation. If you do not + want this, maybe to avoid CPU consumption for compilation, + you can use + <literal>(setq native-comp-deferred-compilation nil)</literal> + to disable it while still benefiting from native + compilation for packages from Nixpkgs. + </para> + </listitem> + </itemizedlist> </listitem> </itemizedlist> </section> - <section xml:id="sec-release-22.11-new-services"> - <title>New Services</title> + <section xml:id="sec-release-22.11-internal"> + <title>Internal changes</title> <itemizedlist> <listitem> <para> - <link xlink:href="https://github.com/jollheef/appvm">appvm</link>, - Nix based app VMs. Available as - <link xlink:href="options.html#opt-virtualisation.appvm.enable">virtualisation.appvm</link>. - </para> - </listitem> - <listitem> - <para> - [xray] (https://github.com/XTLS/Xray-core), a fully compatible - v2ray-core replacement. Features XTLS, which when enabled on - server and client, brings UDP FullCone NAT to proxy setups. - Available as - <link xlink:href="options.html#opt-services.xray.enable">services.xray</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/mozilla-services/syncstorage-rs">syncstorage-rs</link>, - a self-hostable sync server for Firefox. Available as - <link xlink:href="options.html#opt-services.firefox-syncserver.enable">services.firefox-syncserver</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://dragonflydb.io/">dragonflydb</link>, - a modern replacement for Redis and Memcached. Available as - <link linkend="opt-services.dragonflydb.enable">services.dragonflydb</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://komga.org/">Komga</link>, a free and - open source comics/mangas media server. Available as - <link linkend="opt-services.komga.enable">services.komga</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://tandoor.dev">Tandoor Recipes</link>, - a self-hosted multi-tenant recipe collection. Available as - <link xlink:href="options.html#opt-services.tandoor-recipes.enable">services.tandoor-recipes</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://hbase.apache.org/">HBase - cluster</link>, a distributed, scalable, big data store. - Available as - <link xlink:href="options.html#opt-services.hadoop.hbase.enable">services.hadoop.hbase</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/edneville/please">Please</link>, - a Sudo clone written in Rust. Available as - <link linkend="opt-security.please.enable">security.please</link> + Haskell <literal>ghcWithPackages</literal> is now up to 15 + times faster to evaluate, thanks to changing + <literal>lib.closePropagation</literal> from a quadratic to + linear complexity. Please see backward incompatibilities notes + below. + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/194391">https://github.com/NixOS/nixpkgs/pull/194391</link> </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/messagebird/sachet/">Sachet</link>, - an SMS alerting tool for the Prometheus Alertmanager. - Available as - <link linkend="opt-services.prometheus.sachet.enable">services.prometheus.sachet</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/leetronics/infnoise">infnoise</link>, - a hardware True Random Number Generator dongle. Available as - <link xlink:href="options.html#opt-services.infnoise.enable">services.infnoise</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/prymitive/kthxbye">kthxbye</link>, - an alert acknowledgement management daemon for Prometheus - Alertmanager. Available as - <link xlink:href="options.html#opt-services.kthxbye.enable">services.kthxbye</link> - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/jtroo/kanata">kanata</link>, - a tool to improve keyboard comfort and usability with advanced - customization. Available as - <link xlink:href="options.html#opt-services.kanata.enable">services.kanata</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/prymitive/karma">karma</link>, - an alert dashboard for Prometheus Alertmanager. Available as - <link xlink:href="options.html#opt-services.karma.enable">services.karma</link> - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://languagetool.org/">languagetool</link>, - a multilingual grammar, style, and spell checker. Available as - <link xlink:href="options.html#opt-services.languagetool.enable">services.languagetool</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://gitlab.com/CalcProgrammer1/OpenRGB/-/tree/master">OpenRGB</link>, - a FOSS tool for controlling RGB lighting. Available as - <link xlink:href="options.html#opt-services-hardware-openrgb-enable">services.hardware.openrgb.enable</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://www.getoutline.com/">Outline</link>, - a wiki and knowledge base similar to Notion. Available as - <link linkend="opt-services.outline.enable">services.outline</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://ntfy.sh">ntfy.sh</link>, a push - notification service. Available as - <link linkend="opt-services.ntfy-sh.enable">services.ntfy-sh</link> + For cross-compilation targets that can also run on the + building machine, we now run tests. This, for example, is the + case for the <literal>pkgsStatic</literal> and + <literal>pkgsLLVM</literal> package sets or i686 packages on + <literal>x86_64</literal> machines. </para> </listitem> <listitem> <para> - <link xlink:href="https://git.sr.ht/~migadu/alps">alps</link>, - a simple and extensible webmail. Available as - <link linkend="opt-services.alps.enable">services.alps</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/skeeto/endlessh">endlessh</link>, - an SSH tarpit. Available as - <link linkend="opt-services.endlessh.enable">services.endlessh</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/shizunge/endlessh-go">endlessh-go</link>, - an SSH tarpit that exposes Prometheus metrics. Available as - <link linkend="opt-services.endlessh-go.enable">services.endlessh-go</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://garagehq.deuxfleurs.fr/">Garage</link>, - a simple object storage server for geodistributed deployments, - alternative to MinIO. Available as - <link linkend="opt-services.garage.enable">services.garage</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://netbird.io">netbird</link>, a zero - configuration VPN. Available as - <link xlink:href="options.html#opt-services.netbird.enable">services.netbird</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/aiberia/persistent-evdev">persistent-evdev</link>, - a daemon to add virtual proxy devices that mirror a physical - input device but persist even if the underlying hardware is - hot-plugged. Available as - <link linkend="opt-services.persistent-evdev.enable">services.persistent-evdev</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://schleuder.org/">schleuder</link>, a - mailing list manager with PGP support. Enable using - <link linkend="opt-services.schleuder.enable">services.schleuder</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://www.dolibarr.org/">Dolibarr</link>, - an enterprise resource planning and customer relationship - manager. Enable using - <link linkend="opt-services.dolibarr.enable">services.dolibarr</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://freshrss.org/">FreshRSS</link>, a - free, self-hostable RSS feed aggregator. Available as - <link linkend="opt-services.freshrss.enable">services.freshrss</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://www.expressvpn.com">expressvpn</link>, - the CLI client for ExpressVPN. Available as - <link linkend="opt-services.expressvpn.enable">services.expressvpn</link>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://troglobit.com/projects/merecat/">merecat</link>, - a small and easy HTTP server based on thttpd. Available as - <link linkend="opt-services.merecat.enable">services.merecat</link> + To simplify cross-compilation in NixOS, this release + introduces the <literal>nixpkgs.hostPlatform</literal> and + <literal>nixpkgs.buildPlatform</literal> options. These cover + and override the + <literal>nixpkgs.{system,localSystem,crossSystem}</literal> + options. </para> - </listitem> - <listitem> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>hostPlatform</literal> is the platform or + <quote><literal>system</literal></quote> string of the + NixOS system described by the configuration. + </para> + </listitem> + <listitem> + <para> + <literal>buildPlatform</literal> is the platform that is + responsible for building the NixOS configuration. It + defaults to the <literal>hostPlatform</literal>, for a + non-cross build configuration. To cross compile, set + <literal>buildPlatform</literal> to a different value. + </para> + </listitem> + </itemizedlist> <para> - <link xlink:href="https://github.com/L11R/go-autoconfig">go-autoconfig</link>, - IMAP/SMTP autodiscover server. Available as - <link linkend="opt-services.go-autoconfig.enable">services.go-autoconfig</link>. + The new options convey the same information, but with fewer + options, and following the Nixpkgs terminology. </para> - </listitem> - <listitem> <para> - <link xlink:href="https://github.com/tmate-io/tmate-ssh-server">tmate-ssh-server</link>, - server side part of - <link xlink:href="https://tmate.io/">tmate</link>. Available - as - <link linkend="opt-services.tmate-ssh-server.enable">services.tmate-ssh-server</link>. + The existing options + <literal>nixpkgs.{system,localSystem,crossSystem}</literal> + have not been formally deprecated, to allow for evaluation of + the change and to allow for a transition period so that in + time the ecosystem can switch without breaking compatibility + with any supported NixOS release. </para> </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-22.11-version-updates"> + <title>Notable version updates</title> + <itemizedlist> <listitem> <para> - <link xlink:href="https://www.grafana.com/oss/tempo/">Grafana - Tempo</link>, a distributed tracing store. Available as - <link linkend="opt-services.tempo.enable">services.tempo</link>. + Nix has been upgraded from v2.8.1 to v2.11.0. For more + information, please see the release notes for + <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.9.html">2.9</link>, + <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.10.html">2.10</link> + and + <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.11.html">2.11</link>. </para> </listitem> <listitem> <para> - <link xlink:href="https://www.ausweisapp.bund.de/">AusweisApp2</link>, - the authentication software for the German ID card. Available - as - <link linkend="opt-programs.ausweisapp.enable">programs.ausweisapp</link>. + OpenSSL now defaults to OpenSSL 3, updated from 1.1.1. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/zalando/patroni">Patroni</link>, - a template for PostgreSQL HA with ZooKeeper, etcd or Consul. - Available as - <link xlink:href="options.html#opt-services.patroni.enable">services.patroni</link>. + GNOME has been upgraded to version 43. Please see the + <link xlink:href="https://release.gnome.org/43/">release + notes</link> for details. </para> </listitem> <listitem> <para> - <link xlink:href="https://github.com/prometheus-community/ipmi_exporter">Prometheus - IPMI exporter</link>, an IPMI exporter for Prometheus. - Available as - <link linkend="opt-services.prometheus.exporters.ipmi.enable">services.prometheus.exporters.ipmi</link>. + KDE Plasma has been upgraded from v5.24 to v5.26. Please see + the release notes for + <link xlink:href="https://kde.org/announcements/plasma/5/5.25.0/">v5.25</link> + and + <link xlink:href="https://kde.org/announcements/plasma/5/5.26.0/">v5.26</link> + for more details on the included changes. </para> </listitem> <listitem> <para> - <link xlink:href="https://writefreely.org">WriteFreely</link>, - a simple blogging platform with ActivityPub support. Available - as - <link xlink:href="options.html#opt-services.writefreely.enable">services.writefreely</link>. + Cinnamon has been updated to 5.4, and the Cinnamon module now + defaults to Blueman as the Bluetooth manager and slick-greeter + as the LightDM greeter, to match upstream. </para> </listitem> <listitem> <para> - <link xlink:href="https://listmonk.app">Listmonk</link>, a - self-hosted newsletter manager. Enable using - <link xlink:href="options.html#opt-services.listmonk.enable">services.listmonk</link>. + PHP now defaults to PHP 8.1, updated from 8.0. </para> </listitem> <listitem> <para> - <link xlink:href="https://uptime.kuma.pet/">Uptime - Kuma</link>, a fancy self-hosted monitoring tool. Available as - <link linkend="opt-services.uptime-kuma.enable">services.uptime-kuma</link>. + Perl has been updated to 5.36, and its core module + <literal>HTTP::Tiny</literal> was patched to verify SSL/TLS + certificates by default. </para> </listitem> <listitem> <para> - <link xlink:href="https://mepo.milesalan.com">Mepo</link>, a - fast, simple, hackable OSM map viewer for mobile and desktop - Linux. Available as - <link linkend="opt-programs.mepo.enable">programs.mepo.enable</link>. + Python now defaults to 3.10, updated from 3.9. </para> </listitem> </itemizedlist> @@ -498,10 +314,7 @@ generated using <literal>lib.systems.elaborate</literal>. In most cases you will want to use the new <literal>canExecute</literal> predicate instead which also - considers the kernel / syscall interface. It is briefly - described in the release’s - <link linkend="sec-release-22.11-highlights">highlights - section</link>. + takes the kernel / syscall interface into account. <literal>lib.systems.parse.isCompatible</literal> still exists, but has changed semantically: Architectures with differing endianness modes are <emphasis>no longer considered @@ -516,20 +329,28 @@ upgrade guide</link> and <link xlink:href="https://ngrok.com/docs/ngrok-agent/changelog">changelog</link>. Notably, breaking changes are that the config file format has - changed and support for single hypen arguments was dropped. + changed and support for single hyphen arguments was dropped. </para> </listitem> <listitem> <para> - <literal>i18n.supportedLocales</literal> is now by default - only generated with the locales set in - <literal>i18n.defaultLocale</literal> and - <literal>i18n.extraLocaleSettings</literal>. This got - partially copied over from the minimal profile and reduces the - final system size by up to 200MB. If you require all locales - installed set the option to - <literal>[ "all" ]</literal>. + <literal>i18n.supportedLocales</literal> is now only generated + with the locales set in <literal>i18n.defaultLocale</literal> + and <literal>i18n.extraLocaleSettings</literal>. </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + This reduces the final system closure size by up to 200MB. + </para> + </listitem> + <listitem> + <para> + If you require all locales installed, set the option to + <literal>[ "all" ]</literal>. + </para> + </listitem> + </itemizedlist> </listitem> <listitem> <para> @@ -569,12 +390,21 @@ </listitem> <listitem> <para> + The <literal>fetchgit</literal> fetcher supports sparse + checkouts via the <literal>sparseCheckout</literal> option. + This used to accept a multi-line string with + directories/patterns to check out, but now requires a list of + strings. + </para> + </listitem> + <listitem> + <para> <literal>openssh</literal> was updated to version 9.1, disabling the generation of DSA keys when using <literal>ssh-keygen -A</literal> as they are insecure. Also, <literal>SetEnv</literal> directives in <literal>ssh_config</literal> and - <literal>sshd_config</literal> are now first-match-wins + <literal>sshd_config</literal> are now first-match-wins. </para> </listitem> <listitem> @@ -618,6 +448,23 @@ </listitem> <listitem> <para> + The OpenSSL extension for the PHP interpreter used by + Nextcloud is built against OpenSSL 1.1 if + <xref linkend="opt-system.stateVersion" /> is below + <literal>22.11</literal>. This is to make sure that people + using + <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side + encryption</link> don’t lose access to their files. + </para> + <para> + In any other case, it’s safe to use OpenSSL 3 for PHP’s + OpenSSL extension. This can be done by setting + <xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" /> + to <literal>false</literal>. + </para> + </listitem> + <listitem> + <para> The <literal>coq</literal> package and versioned variants starting at <literal>coq_8_14</literal> no longer include CoqIDE, which is now available through @@ -662,6 +509,14 @@ </listitem> <listitem> <para> + <literal>kanidm</literal> has been updated to 1.1.0-alpha.10 + and now requires a TLS certificate and key. It will always + start <literal>https</literal> and-–-if enabled-–-an LDAPS + server and no HTTP and LDAP server anymore. + </para> + </listitem> + <listitem> + <para> riak package removed along with <literal>services.riak</literal> module, due to lack of maintainer to update the package. @@ -914,7 +769,7 @@ </listitem> <listitem> <para> - <literal>k3s</literal> no longer supports docker as runtime + <literal>k3s</literal> no longer supports Docker as runtime due to upstream dropping support. </para> </listitem> @@ -987,13 +842,19 @@ signald -d /var/lib/signald/db \ <para> <literal>stylua</literal> no longer accepts <literal>lua52Support</literal> and - <literal>luauSupport</literal> overrides, use + <literal>luauSupport</literal> overrides. Use <literal>features</literal> instead, which defaults to <literal>[ "lua54" "luau" ]</literal>. </para> </listitem> <listitem> <para> + <literal>ocamlPackages.ocaml_extlib</literal> has been renamed + to <literal>ocamlPackages.extlib</literal>. + </para> + </listitem> + <listitem> + <para> <literal>pkgs.fetchNextcloudApp</literal> has been rewritten to circumvent impurities in e.g. tarballs from GitHub and to make it easier to apply patches. This means that your hashes @@ -1012,6 +873,24 @@ signald -d /var/lib/signald/db \ <literal>services.syncthing.dataDir</literal>. </para> </listitem> + <listitem> + <para> + <literal>services.github-runner</literal> and + <literal>services.github-runners.<name></literal> gained + the option <literal>serviceOverrides</literal> which allows + overriding the systemd <literal>serviceConfig</literal>. If + you have been overriding the systemd service configuration + (i.e., by defining + <literal>systemd.services.github-runner.serviceConfig</literal>), + you have to use the <literal>serviceOverrides</literal> option + now. Example: + </para> + <programlisting> +services.github-runner.serviceOverrides.SupplementaryGroups = [ + "docker" +]; +</programlisting> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-22.11-notable-changes"> @@ -1019,6 +898,33 @@ signald -d /var/lib/signald/db \ <itemizedlist> <listitem> <para> + PHP is now built in <literal>NTS</literal> (Non-Thread Safe) + mode by default. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + For Apache and <literal>mod_php</literal> usage, we enable + <literal>ZTS</literal> (Zend Thread Safe) mode. This has + been a common practice for a long time in other + distributions. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>firefox</literal>, <literal>thunderbird</literal> and + <literal>librewolf</literal> now come with Wayland support by + default. The <literal>firefox-wayland</literal>, + <literal>firefox-esr-wayland</literal>, + <literal>thunderbird-wayland</literal> and + <literal>librewolf-wayland</literal> attributes are obsolete + and have been aliased to their generic attribute. + </para> + </listitem> + <listitem> + <para> The <literal>xplr</literal> package has been updated from 0.18.0 to 0.19.0, which brings some breaking changes. See the <link xlink:href="https://github.com/sayanarijit/xplr/releases/tag/v0.19.0">upstream @@ -1027,6 +933,14 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> + Configuring multiple GitHub runners is now possible through + <literal>services.github-runners.<name></literal>. The + options under <literal>services.github-runner</literal> + remain, to configure a single runner. + </para> + </listitem> + <listitem> + <para> <literal>github-runner</literal> gained support for ephemeral runners and registrations using a personal access token (PAT) instead of a registration token. See @@ -1037,29 +951,39 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> - A new module was added for the Saleae Logic device family, - providing the options + A new module was added to provide hardware support for the + Saleae Logic device family, providing the options <literal>hardware.saleae-logic.enable</literal> and <literal>hardware.saleae-logic.package</literal>. </para> </listitem> <listitem> <para> - ZFS module will not allow hibernation by default, this is a - safety measure to prevent data loss cases like the ones - described at - <link xlink:href="https://github.com/openzfs/zfs/issues/260">OpenZFS/260</link> - and - <link xlink:href="https://github.com/openzfs/zfs/issues/12842">OpenZFS/12842</link>. - Use the <literal>boot.zfs.allowHibernation</literal> option to - configure this behaviour. + ZFS module will no longer allow hibernation by default. </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + This is a safety measure to prevent data loss cases like + the ones described at + <link xlink:href="https://github.com/openzfs/zfs/issues/260">OpenZFS/260</link> + and + <link xlink:href="https://github.com/openzfs/zfs/issues/12842">OpenZFS/12842</link>. + </para> + </listitem> + <listitem> + <para> + Use the <literal>boot.zfs.allowHibernation</literal> + option to configure this behaviour. + </para> + </listitem> + </itemizedlist> </listitem> <listitem> <para> - <literal>mastodon</literal> now automatically removes remote - media attachments older than 30 days. This is configurable - through <literal>services.mastodon.mediaAutoRemove</literal>. + Mastodon now automatically removes remote media attachments + older than 30 days. This is configurable through + <literal>services.mastodon.mediaAutoRemove</literal>. </para> </listitem> <listitem> @@ -1071,9 +995,9 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> - Neo4j was updated from version 3 to version 4. See this + Neo4j was updated from version 3 to version 4. See upstream’s <link xlink:href="https://neo4j.com/docs/upgrade-migration-guide/current/">migration - guide</link> on how to migrate your Neo4j instance. + guide</link> for information on how to migrate your instance. </para> </listitem> <listitem> @@ -1106,8 +1030,8 @@ signald -d /var/lib/signald/db \ <literal>prismlauncher</literal>, a fork by the rest of the maintainers. For more details, see <link xlink:href="https://github.com/NixOS/nixpkgs/pull/196624">the - pull request that made this change</link> and - <link xlink:href="https://github.com/NixOS/nixpkgs/issues/196460">this + PR that made this change</link> and + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/196460">the issue detailing the vulnerability</link>. Users with existing installations should rename <literal>~/.local/share/polymc</literal> to @@ -1128,28 +1052,151 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> - The <literal>services.matrix-synapse</literal> systemd unit - has been hardened. - </para> - </listitem> - <listitem> - <para> - The <literal>services.grafana</literal> options were converted - to a - <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC - 0042</link> configuration. + Synapse’s systemd unit has been hardened. </para> </listitem> <listitem> <para> - The <literal>services.grafana.provision.datasources</literal> - and <literal>services.grafana.provision.dashboards</literal> - options were converted to a + The module <literal>services.grafana</literal> was refactored + to be compliant with <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC - 0042</link> configuration. They also now support specifying - the provisioning YAML file with <literal>path</literal> - option. + 0042</link>. To be precise, this means that the following + things have changed: </para> + <itemizedlist> + <listitem> + <para> + The newly introduced option + <xref linkend="opt-services.grafana.settings" /> is an + attribute-set that will be converted into Grafana’s INI + format. This means that the configuration from + <link xlink:href="https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/">Grafana’s + configuration reference</link> can be directly written as + attribute-set in Nix within this option. + </para> + </listitem> + <listitem> + <para> + The option + <literal>services.grafana.extraOptions</literal> has been + removed. This option was an association of environment + variables for Grafana. If you had an expression like + </para> + <programlisting language="nix"> +{ + services.grafana.extraOptions.SECURITY_ADMIN_USER = "foobar"; +} +</programlisting> + <para> + your Grafana instance was running with + <literal>GF_SECURITY_ADMIN_USER=foobar</literal> in its + environment. + </para> + <para> + For the migration, it is recommended to turn it into the + INI format, i.e. to declare + </para> + <programlisting language="nix"> +{ + services.grafana.settings.security.admin_user = "foobar"; +} +</programlisting> + <para> + instead. + </para> + <para> + The keys in + <literal>services.grafana.extraOptions</literal> have the + format + <literal><INI section name>_<Key Name></literal>. + Further details are outlined in the + <link xlink:href="https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#override-configuration-with-environment-variables">configuration + reference</link>. + </para> + <para> + Alternatively you can also set all your values from + <literal>extraOptions</literal> to + <literal>systemd.services.grafana.environment</literal>, + make sure you don’t forget to add the + <literal>GF_</literal> prefix though! + </para> + </listitem> + <listitem> + <para> + Previously, the options + <link linkend="opt-services.grafana.provision.datasources">services.grafana.provision.datasources</link> + and + <link linkend="opt-services.grafana.provision.dashboards">services.grafana.provision.dashboards</link> + expected lists of datasources or dashboards for the + <link xlink:href="https://grafana.com/docs/grafana/latest/administration/provisioning/">declarative + provisioning</link>. + </para> + <para> + To declare lists of + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <emphasis role="strong">datasources</emphasis>, please + rename your declarations to + <link linkend="opt-services.grafana.provision.datasources.settings.datasources">services.grafana.provision.datasources.settings.datasources</link>. + </para> + </listitem> + <listitem> + <para> + <emphasis role="strong">dashboards</emphasis>, please + rename your declarations to + <link linkend="opt-services.grafana.provision.dashboards.settings.providers">services.grafana.provision.dashboards.settings.providers</link>. + </para> + </listitem> + </itemizedlist> + <para> + This change was made to support more features for that: + </para> + <itemizedlist> + <listitem> + <para> + It’s possible to declare the + <literal>apiVersion</literal> of your dashboards and + datasources by + <link linkend="opt-services.grafana.provision.datasources.settings.apiVersion">services.grafana.provision.datasources.settings.apiVersion</link> + (or + <link linkend="opt-services.grafana.provision.dashboards.settings.apiVersion">services.grafana.provision.dashboards.settings.apiVersion</link>). + </para> + </listitem> + <listitem> + <para> + Instead of declaring datasources and dashboards in + pure Nix, it’s also possible to specify configuration + files (or directories) with YAML instead using + <link linkend="opt-services.grafana.provision.datasources.path">services.grafana.provision.datasources.path</link> + (or + <link linkend="opt-services.grafana.provision.dashboards.path">services.grafana.provision.dashboards.path</link>. + This is useful when having provisioning files from + non-NixOS Grafana instances that you also want to + deploy to NixOS. + </para> + <para> + <emphasis role="strong">Note:</emphasis> secrets from + these files will be leaked into the store unless you + use a + <link xlink:href="https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider"><emphasis role="strong">file</emphasis>-provider + or env-var</link> for secrets! + </para> + </listitem> + <listitem> + <para> + <link linkend="opt-services.grafana.provision.notifiers">services.grafana.provision.notifiers</link> + is not affected by this change because this feature is + deprecated by Grafana and will probably be removed in + Grafana 10. It’s recommended to use + <literal>services.grafana.provision.alerting.contactPoints</literal> + instead. + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> </listitem> <listitem> <para> @@ -1162,7 +1209,7 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> - Matrix Synapse now requires entries in the + Synapse now requires entries in the <literal>state_group_edges</literal> table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was @@ -1189,15 +1236,43 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> - <literal>dockerTools.buildImage</literal> deprecates the - misunderstood <literal>contents</literal> parameter, in favor - of <literal>copyToRoot</literal>. Use + The <literal>netlify-cli</literal> package has been updated + from 6.13.2 to 12.2.4, see the + <link xlink:href="https://github.com/netlify/cli/releases">changelog</link> + for more details. + </para> + </listitem> + <listitem> + <para> + <literal>dockerTools.buildImage</literal>’s + <literal>contents</literal> parameter has been deprecated in + favor of <literal>copyToRoot</literal>. Use <literal>copyToRoot = buildEnv { ... };</literal> or similar if you intend to add packages to <literal>/bin</literal>. </para> </listitem> <listitem> <para> + The <literal>proxmox.qemuConf.bios</literal> option was added, + it corresponds to <literal>Hardware->BIOS</literal> field + in Proxmox web interface. Use + <literal>"ovmf"</literal> value to build UEFI image, + default value remains <literal>"bios"</literal>. New + option <literal>proxmox.partitionTableType</literal> defaults + to either <literal>"legacy"</literal> or + <literal>"efi"</literal>, depending on the + <literal>bios</literal> value. Setting + <literal>partitionTableType</literal> to + <literal>"hybrid"</literal> results in an image, + which supports both methods + (<literal>"bios"</literal> and + <literal>"ovmf"</literal>), thereby remaining + bootable after change to Proxmox + <literal>Hardware->BIOS</literal> field. + </para> + </listitem> + <listitem> + <para> memtest86+ was updated from 5.00-coreboot-002 to 6.00-beta2. It is now the upstream version from https://www.memtest.org/, as coreboot’s fork is no longer available. @@ -1205,9 +1280,9 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> - Option descriptions, examples, and defaults writting in - DocBook are now deprecated. Using CommonMark is preferred and - will become the default in a future release. + Option descriptions, examples, and defaults writing in DocBook + are now deprecated. Using CommonMark is preferred and will + become the default in a future release. </para> </listitem> <listitem> @@ -1224,9 +1299,16 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> - The redis module now persists each instance’s configuration + The Redis module now persists each instance’s configuration file in the state directory, in order to support some more - advanced use cases like sentinel. + advanced use cases like Sentinel. + </para> + </listitem> + <listitem> + <para> + <literal>protonup</literal> has been aliased to and replaced + by <literal>protonup-ng</literal> due to upstream not + maintaining it. </para> </listitem> <listitem> @@ -1264,7 +1346,7 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> - For <literal>system.stateVersion</literal> being + If <literal>system.stateVersion</literal> is <emphasis role="strong">>=22.11</emphasis>, Nextcloud 25 will be installed by default. For older versions, Nextcloud 24 will be installed. @@ -1272,7 +1354,7 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> - Please ensure that you only upgrade on major release at a + Please ensure that you only upgrade one major release at a time! Nextcloud doesn’t support upgrades across multiple versions, i.e. an upgrade from <emphasis role="strong">23</emphasis> to @@ -1285,24 +1367,6 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> - Add udev rules for the Teensy family of microcontrollers. - </para> - </listitem> - <listitem> - <para> - The Qt QML disk cache is now disabled by default. This fixes a - long-standing issue where updating Qt/KDE apps would sometimes - cause them to crash or behave strangely without explanation. - Those concerned about the small (~10%) performance hit to - application startup can re-enable the cache (and expose - themselves to gremlins) by setting the envrionment variable - <literal>QML_FORCE_DISK_CACHE</literal> to - <literal>1</literal> using e.g. the - <literal>environment.sessionVariables</literal> NixOS option. - </para> - </listitem> - <listitem> - <para> systemd-oomd is enabled by default. Depending on which systemd units have <literal>ManagedOOMSwap=kill</literal> or <literal>ManagedOOMMemoryPressure=kill</literal>, systemd-oomd @@ -1334,14 +1398,8 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> - There is a new module for AMD SEV CPU functionality, which - grants access to the hardware. - </para> - </listitem> - <listitem> - <para> - The Wordpress module got support for installing language packs - through + The Wordpress module now has support for installing language + packs through a new option, <literal>services.wordpress.sites.<site>.languages</literal>. </para> </listitem> @@ -1359,12 +1417,12 @@ signald -d /var/lib/signald/db \ </listitem> <listitem> <para> - PowerDNS has been updated from <literal>4.6.x</literal> to - <literal>4.7.x</literal>. Please be sure to review the + PowerDNS has been updated from v4.6.2 to v4.7.2. Please be + sure to review the <link xlink:href="https://doc.powerdns.com/authoritative/upgrading.html#to-4-7-0-or-master">Upgrade Notes</link> provided by upstream before upgrading. Worth specifically noting is that the new Catalog Zones feature - comes with a mandatory schema change for the gsql database + comes with a mandatory schema change for the GSQL database backends, which has to be manually applied. </para> </listitem> @@ -1376,21 +1434,29 @@ signald -d /var/lib/signald/db \ service and a systemd unit. The option <literal>services.xserver.desktopManager.xfce.thunarPlugins</literal> has been renamed to - <literal>programs.thunar.plugins</literal>, and in a future - release it may be removed. + <literal>programs.thunar.plugins</literal>, and may be removed + in a future release. + </para> + </listitem> + <listitem> + <para> + There is a new module for <literal>xfconf</literal> (the Xfce + configuration storage system), which has a dbus service. </para> </listitem> <listitem> <para> - There is a new module for the <literal>xfconf</literal> - program (the Xfce configuration storage system), which has a - dbus service. + The Mastodon package has been upgraded to v4.0.0. See the + <link xlink:href="https://github.com/mastodon/mastodon/releases/tag/v4.0.0">v4.0.0 + release notes</link> for a list of changes. On standard + setups, no manual migration steps are required. Nevertheless, + a database backup is recommended. </para> </listitem> <listitem> <para> - The <literal>nomad</literal> package now defaults to 1.3, - which no longer has a downgrade path to releases 1.2 or older. + The <literal>nomad</literal> package now defaults to v1.3, + which no longer has a downgrade path to v1.2 or older. </para> </listitem> <listitem> @@ -1409,7 +1475,7 @@ signald -d /var/lib/signald/db \ <para> <literal>boot.kernel.sysctl</literal> is defined as a freeformType and adds a custom merge option for - <quote>net.core.rmem_max</quote> (taking the highest value + <literal>net.core.rmem_max</literal> (taking the highest value defined to avoid conflicts between 2 services trying to set that value). </para> @@ -1433,6 +1499,343 @@ signald -d /var/lib/signald/db \ are under <literal>programs.firefox</literal>. </para> </listitem> + <listitem> + <para> + The option + <literal>services.picom.experimentalBackends</literal> was + removed since it is now the default and the option will cause + <literal>picom</literal> to quit instead. + </para> + </listitem> + <listitem> + <para> + <literal>haskellPackages.callHackage</literal> is not always + invalidated if <literal>all-cabal-hashes</literal> changes, + leading to less rebuilds of haskell dependencies. + </para> + </listitem> + <listitem> + <para> + <literal>haskellPackages.callHackage</literal> and + <literal>haskellPackages.callCabal2nix</literal> (and related + functions) no longer keep a reference to the + <literal>cabal2nix</literal> call used to generate them. As a + result, they will be garbage collected more often. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-22.11-new-services"> + <title>New Services</title> + <itemizedlist> + <listitem> + <para> + <link xlink:href="https://git.sr.ht/~migadu/alps">alps</link>, + a simple and extensible webmail. Available as + <link linkend="opt-services.alps.enable">services.alps</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/jollheef/appvm">appvm</link>, + Nix based app VMs. Available as + <link xlink:href="options.html#opt-virtualisation.appvm.enable">virtualisation.appvm</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.ausweisapp.bund.de/">AusweisApp2</link>, + the authentication software for the German ID card. Available + as + <link linkend="opt-programs.ausweisapp.enable">programs.ausweisapp</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/maxbrunet/automatic-timezoned">automatic-timezoned</link>. + a Linux daemon to automatically update the system timezone + based on location. Available as + <link linkend="opt-services.automatic-timezoned.enable">services.automatic-timezoned</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.dolibarr.org/">Dolibarr</link>, + an enterprise resource planning and customer relationship + manager. Enable using + <link linkend="opt-services.dolibarr.enable">services.dolibarr</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://dragonflydb.io/">dragonflydb</link>, + a modern replacement for Redis and Memcached. Available as + <link linkend="opt-services.dragonflydb.enable">services.dragonflydb</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/shizunge/endlessh-go">endlessh-go</link>, + an SSH tarpit that exposes Prometheus metrics. Available as + <link linkend="opt-services.endlessh-go.enable">services.endlessh-go</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/skeeto/endlessh">endlessh</link>, + an SSH tarpit. Available as + <link linkend="opt-services.endlessh.enable">services.endlessh</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://evcc.io">EVCC</link> is an EV charge + controller with PV integration. It supports a multitude of + chargers, meters, vehicle APIs and more and ties that together + with a well-tested backend and a lightweight web frontend. + Available as + <link linkend="opt-services.evcc.enable">services.evcc</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.expressvpn.com">expressvpn</link>, + the CLI client for ExpressVPN. Available as + <link linkend="opt-services.expressvpn.enable">services.expressvpn</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://freshrss.org/">FreshRSS</link>, a + free, self-hostable RSS feed aggregator. Available as + <link linkend="opt-services.freshrss.enable">services.freshrss</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://garagehq.deuxfleurs.fr/">Garage</link>, + a simple object storage server for geodistributed deployments, + alternative to MinIO. Available as + <link linkend="opt-services.garage.enable">services.garage</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/L11R/go-autoconfig">go-autoconfig</link>, + IMAP/SMTP autodiscover server. Available as + <link linkend="opt-services.go-autoconfig.enable">services.go-autoconfig</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.grafana.com/oss/tempo/">Grafana + Tempo</link>, a distributed tracing store. Available as + <link linkend="opt-services.tempo.enable">services.tempo</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://hbase.apache.org/">HBase + cluster</link>, a distributed, scalable, big data store. + Available as + <link xlink:href="options.html#opt-services.hadoop.hbase.enable">services.hadoop.hbase</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/leetronics/infnoise">infnoise</link>, + a hardware True Random Number Generator dongle. Available as + <link xlink:href="options.html#opt-services.infnoise.enable">services.infnoise</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/jtroo/kanata">kanata</link>, + a tool to improve keyboard comfort and usability with advanced + customization. Available as + <link xlink:href="options.html#opt-services.kanata.enable">services.kanata</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/prymitive/karma">karma</link>, + an alert dashboard for Prometheus Alertmanager. Available as + <link xlink:href="options.html#opt-services.karma.enable">services.karma</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://komga.org/">Komga</link>, a free and + open source comics/mangas media server. Available as + <link linkend="opt-services.komga.enable">services.komga</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/prymitive/kthxbye">kthxbye</link>, + an alert acknowledgement management daemon for Prometheus + Alertmanager. Available as + <link xlink:href="options.html#opt-services.kthxbye.enable">services.kthxbye</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://languagetool.org/">languagetool</link>, + a multilingual grammar, style, and spell checker. Available as + <link xlink:href="options.html#opt-services.languagetool.enable">services.languagetool</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://listmonk.app">Listmonk</link>, a + self-hosted newsletter manager. Enable using + <link xlink:href="options.html#opt-services.listmonk.enable">services.listmonk</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://mepo.milesalan.com">Mepo</link>, a + fast, simple, hackable OSM map viewer for mobile and desktop + Linux. Available as + <link linkend="opt-programs.mepo.enable">programs.mepo.enable</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://troglobit.com/projects/merecat/">merecat</link>, + a small and easy HTTP server based on thttpd. Available as + <link linkend="opt-services.merecat.enable">services.merecat</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://netbird.io">netbird</link>, a zero + configuration VPN. Available as + <link xlink:href="options.html#opt-services.netbird.enable">services.netbird</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://ntfy.sh">ntfy.sh</link>, a push + notification service. Available as + <link linkend="opt-services.ntfy-sh.enable">services.ntfy-sh</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://gitlab.com/CalcProgrammer1/OpenRGB/-/tree/master">OpenRGB</link>, + a FOSS tool for controlling RGB lighting. Available as + <link xlink:href="options.html#opt-services.hardware.openrgb.enable">services.hardware.openrgb.enable</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.getoutline.com/">Outline</link>, + a wiki and knowledge base similar to Notion. Available as + <link linkend="opt-services.outline.enable">services.outline</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/zalando/patroni">Patroni</link>, + a template for PostgreSQL HA with ZooKeeper, etcd or Consul. + Available as + <link xlink:href="options.html#opt-services.patroni.enable">services.patroni</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/aiberia/persistent-evdev">persistent-evdev</link>, + a daemon to add virtual proxy devices that mirror a physical + input device but persist even if the underlying hardware is + hot-plugged. Available as + <link linkend="opt-services.persistent-evdev.enable">services.persistent-evdev</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/edneville/please">Please</link>, + a Sudo clone written in Rust. Available as + <link linkend="opt-security.please.enable">security.please</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/prometheus-community/ipmi_exporter">Prometheus + IPMI exporter</link>, an IPMI exporter for Prometheus. + Available as + <link linkend="opt-services.prometheus.exporters.ipmi.enable">services.prometheus.exporters.ipmi</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/messagebird/sachet/">Sachet</link>, + an SMS alerting tool for the Prometheus Alertmanager. + Available as + <link linkend="opt-services.prometheus.sachet.enable">services.prometheus.sachet</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://schleuder.org/">schleuder</link>, a + mailing list manager with PGP support. Enable using + <link linkend="opt-services.schleuder.enable">services.schleuder</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/mozilla-services/syncstorage-rs">syncstorage-rs</link>, + a self-hostable sync server for Firefox. Available as + <link xlink:href="options.html#opt-services.firefox-syncserver.enable">services.firefox-syncserver</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://tandoor.dev">Tandoor Recipes</link>, + a self-hosted multi-tenant recipe collection. Available as + <link xlink:href="options.html#opt-services.tandoor-recipes.enable">services.tandoor-recipes</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="http://www.litech.org/tayga/">TAYGA</link>, + an out-of-kernel stateless NAT64 implementation. Available as + <link linkend="opt-services.tayga.enable">services.tayga</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/tmate-io/tmate-ssh-server">tmate-ssh-server</link>, + server side part of + <link xlink:href="https://tmate.io/">tmate</link>. Available + as + <link linkend="opt-services.tmate-ssh-server.enable">services.tmate-ssh-server</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://uptime.kuma.pet/">Uptime + Kuma</link>, a fancy self-hosted monitoring tool. Available as + <link linkend="opt-services.uptime-kuma.enable">services.uptime-kuma</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://writefreely.org">WriteFreely</link>, + a simple blogging platform with ActivityPub support. Available + as + <link xlink:href="options.html#opt-services.writefreely.enable">services.writefreely</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/XTLS/Xray-core">xray</link>, + a fully compatible v2ray-core replacement. Features XTLS, + which when enabled on server and client, brings UDP FullCone + NAT to proxy setups. Available as + <link xlink:href="options.html#opt-services.xray.enable">services.xray</link>. + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml new file mode 100644 index 0000000000000..4fb5749e71c88 --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml @@ -0,0 +1,491 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-23.05"> + <title>Release 23.05 (“Stoat”, 2023.05/??)</title> + <para> + Support is planned until the end of December 2023, handing over to + 23.11. + </para> + <section xml:id="sec-release-23.05-highlights"> + <title>Highlights</title> + <para> + In addition to numerous new and upgraded packages, this release + has the following highlights: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Cinnamon has been updated to 5.6, see + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204">the + pull request</link> for what is changed. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-23.05-new-services"> + <title>New Services</title> + <itemizedlist> + <listitem> + <para> + <link xlink:href="https://akkoma.social">Akkoma</link>, an + ActivityPub microblogging server. Available as + <link xlink:href="options.html#opt-services.akkoma.enable">services.akkoma</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/akinomyoga/ble.sh">blesh</link>, + a line editor written in pure bash. Available as + <link linkend="opt-programs.bash.blesh.enable">programs.bash.blesh</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/adnanh/webhook">webhook</link>, + a lightweight webhook server. Available as + <link linkend="opt-services.webhook.enable">services.webhook</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/alexivkin/CUPS-PDF-to-PDF">cups-pdf-to-pdf</link>, + a pdf-generating cups backend based on + <link xlink:href="https://www.cups-pdf.de/">cups-pdf</link>. + Available as + <link linkend="opt-services.printing.cups-pdf.enable">services.printing.cups-pdf</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/junegunn/fzf">fzf</link>, + a command line fuzzyfinder. Available as + <link linkend="opt-programs.fzf.fuzzyCompletion">programs.fzf</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/ellie/atuin">atuin</link>, + a sync server for shell history. Available as + <link linkend="opt-services.atuin.enable">services.atuin</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://gitlab.com/kop316/mmsd">mmsd</link>, + a lower level daemon that transmits and recieves MMSes. + Available as + <link linkend="opt-services.mmsd.enable">services.mmsd</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://v2raya.org">v2rayA</link>, a Linux + web GUI client of Project V which supports V2Ray, Xray, SS, + SSR, Trojan and Pingtunnel. Available as + <link xlink:href="options.html#opt-services.v2raya.enable">services.v2raya</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.netfilter.org/projects/ulogd/index.html">ulogd</link>, + a userspace logging daemon for netfilter/iptables related + logging. Available as + <link xlink:href="options.html#opt-services.ulogd.enable">services.ulogd</link>. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-23.05-incompatibilities"> + <title>Backward Incompatibilities</title> + <itemizedlist> + <listitem> + <para> + <literal>carnix</literal> and <literal>cratesIO</literal> has + been removed due to being unmaintained, use alternatives such + as + <link xlink:href="https://github.com/nix-community/naersk">naersk</link> + and + <link xlink:href="https://github.com/kolloch/crate2nix">crate2nix</link> + instead. + </para> + </listitem> + <listitem> + <para> + <literal>borgbackup</literal> module now has an option for + inhibiting system sleep while backups are running, defaulting + to off (not inhibiting sleep), available as + <link linkend="opt-services.borgbackup.jobs._name_.inhibitsSleep"><literal>services.borgbackup.jobs.<name>.inhibitsSleep</literal></link>. + </para> + </listitem> + <listitem> + <para> + The EC2 image module no longer fetches instance metadata in + stage-1. This results in a significantly smaller initramfs, + since network drivers no longer need to be included, and + faster boots, since metadata fetching can happen in parallel + with startup of other services. This breaks services which + rely on metadata being present by the time stage-2 is entered. + Anything which reads EC2 metadata from + <literal>/etc/ec2-metadata</literal> should now have an + <literal>after</literal> dependency on + <literal>fetch-ec2-metadata.service</literal> + </para> + </listitem> + <listitem> + <para> + <literal>minio</literal> removed support for its legacy + filesystem backend in + <link xlink:href="https://github.com/minio/minio/releases/tag/RELEASE.2022-10-29T06-21-33Z">RELEASE.2022-10-29T06-21-33Z</link>. + This means if your storage was created with the old format, + minio will no longer start. Unfortunately minio doesn’t + provide a an automatic migration, they only provide + <link xlink:href="https://min.io/docs/minio/windows/operations/install-deploy-manage/migrate-fs-gateway.html">instructions + how to manually convert the node</link>. To facilitate this + migration we keep around the last version that still supports + the old filesystem backend as + <literal>minio_legacy_fs</literal>. Use it via + <literal>services.minio.package = minio_legacy_fs;</literal> + to export your data before switching to the new version. See + the corresponding + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/199318">issue</link> + for more details. + </para> + </listitem> + <listitem> + <para> + <literal>services.sourcehut.dispatch</literal> and the + corresponding package + (<literal>sourcehut.dispatchsrht</literal>) have been removed + due to + <link xlink:href="https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/">upstream + deprecation</link>. + </para> + </listitem> + <listitem> + <para> + The + <link linkend="opt-services.snapserver.openFirewall">services.snapserver.openFirewall</link> + module option default value has been changed from + <literal>true</literal> to <literal>false</literal>. You will + need to explicitly set this option to <literal>true</literal>, + or configure your firewall. + </para> + </listitem> + <listitem> + <para> + The + <link linkend="opt-services.tmate-ssh-server.openFirewall">services.tmate-ssh-server.openFirewall</link> + module option default value has been changed from + <literal>true</literal> to <literal>false</literal>. You will + need to explicitly set this option to <literal>true</literal>, + or configure your firewall. + </para> + </listitem> + <listitem> + <para> + The + <link linkend="opt-services.unifi-video.openFirewall">services.unifi-video.openFirewall</link> + module option default value has been changed from + <literal>true</literal> to <literal>false</literal>. You will + need to explicitly set this option to <literal>true</literal>, + or configure your firewall. + </para> + </listitem> + <listitem> + <para> + The Nginx module now validates the syntax of config files at + build time. For more complex configurations (using + <literal>include</literal> with out-of-store files notably) + you may need to disable this check by setting + <link linkend="opt-services.nginx.validateConfig">services.nginx.validateConfig</link> + to <literal>false</literal>. + </para> + </listitem> + <listitem> + <para> + The EC2 image module previously detected and automatically + mounted ext3-formatted instance store devices and partitions + in stage-1 (initramfs), storing <literal>/tmp</literal> on the + first discovered device. This behaviour, which only catered to + very specific use cases and could not be disabled, has been + removed. Users relying on this should provide their own + implementation, and probably use ext4 and perform the mount in + stage-2. + </para> + </listitem> + <listitem> + <para> + The EC2 image module previously detected and activated + swap-formatted instance store devices and partitions in + stage-1 (initramfs). This behaviour has been removed. Users + relying on this should provide their own implementation. + </para> + </listitem> + <listitem> + <para> + Qt 5.12 and 5.14 have been removed, as the corresponding + branches have been EOL upstream for a long time. This affected + under 10 packages in nixpkgs, largely unmaintained upstream as + well, however, out-of-tree package expressions may need to be + updated manually. + </para> + </listitem> + <listitem> + <para> + In <literal>mastodon</literal> it is now necessary to specify + location of file with <literal>PostgreSQL</literal> database + password. In + <literal>services.mastodon.database.passwordFile</literal> + parameter default value + <literal>/var/lib/mastodon/secrets/db-password</literal> has + been changed to <literal>null</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>nix.readOnlyStore</literal> option has been + renamed to <literal>boot.readOnlyNixStore</literal> to clarify + that it configures the NixOS boot process, not the Nix daemon. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-23.05-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + <literal>vim_configurable</literal> has been renamed to + <literal>vim-full</literal> to avoid confusion: + <literal>vim-full</literal>’s build-time features are + configurable, but both <literal>vim</literal> and + <literal>vim-full</literal> are + <emphasis>customizable</emphasis> (in the sense of user + configuration, like vimrc). + </para> + </listitem> + <listitem> + <para> + The module for the application firewall + <literal>opensnitch</literal> got the ability to configure + rules. Available as + <link linkend="opt-services.opensnitch.rules">services.opensnitch.rules</link> + </para> + </listitem> + <listitem> + <para> + The module <literal>usbmuxd</literal> now has the ability to + change the package used by the daemon. In case you’re + experiencing issues with <literal>usbmuxd</literal> you can + try an alternative program like <literal>usbmuxd2</literal>. + Available as + <link linkend="opt-services.usbmuxd.package">services.usbmuxd.package</link> + </para> + </listitem> + <listitem> + <para> + <literal>services.mastodon</literal> gained a tootctl wrapped + named <literal>mastodon-tootctl</literal> similar to + <literal>nextcloud-occ</literal> which can be executed from + any user and switches to the configured mastodon user with + sudo and sources the environment variables. + </para> + </listitem> + <listitem> + <para> + The <literal>dnsmasq</literal> service now takes configuration + via the <literal>services.dnsmasq.settings</literal> attribute + set. The option + <literal>services.dnsmasq.extraConfig</literal> will be + deprecated when NixOS 22.11 reaches end of life. + </para> + </listitem> + <listitem> + <para> + To reduce closure size in + <literal>nixos/modules/profiles/minimal.nix</literal> profile + disabled installation documentations and manuals. Also + disabled <literal>logrotate</literal> and + <literal>udisks2</literal> services. + </para> + </listitem> + <listitem> + <para> + The minimal ISO image now uses the + <literal>nixos/modules/profiles/minimal.nix</literal> profile. + </para> + </listitem> + <listitem> + <para> + <literal>mastodon</literal> now supports connection to a + remote <literal>PostgreSQL</literal> database. + </para> + </listitem> + <listitem> + <para> + <literal>services.peertube</literal> now requires you to + specify the secret file + <literal>secrets.secretsFile</literal>. It can be generated by + running <literal>openssl rand -hex 32</literal>. Before + upgrading, read the release notes for PeerTube: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <link xlink:href="https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0">Release + v5.0.0</link> + </para> + </listitem> + </itemizedlist> + <para> + And backup your data. + </para> + </listitem> + <listitem> + <para> + <literal>services.chronyd</literal> is now started with + additional systemd sandbox/hardening options for better + security. + </para> + </listitem> + <listitem> + <para> + The module <literal>services.headscale</literal> was + refactored to be compliant with + <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC + 0042</link>. To be precise, this means that the following + things have changed: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Most settings has been migrated under + <link linkend="opt-services.headscale.settings">services.headscale.settings</link> + which is an attribute-set that will be converted into + headscale’s YAML config format. This means that the + configuration from + <link xlink:href="https://github.com/juanfont/headscale/blob/main/config-example.yaml">headscale’s + example configuration</link> can be directly written as + attribute-set in Nix within this option. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>nixos/lib/make-disk-image.nix</literal> can now + mutate EFI variables, run user-provided EFI firmware or + variable templates. This is now extensively documented in the + NixOS manual. + </para> + </listitem> + <listitem> + <para> + <literal>services.grafana</literal> listens only on localhost + by default again. This was changed to upstreams default of + <literal>0.0.0.0</literal> by accident in the freeform setting + conversion. + </para> + </listitem> + <listitem> + <para> + A new <literal>virtualisation.rosetta</literal> module was + added to allow running <literal>x86_64</literal> binaries + through + <link xlink:href="https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment">Rosetta</link> + inside virtualised NixOS guests on Apple silicon. This feature + works by default with the + <link xlink:href="https://docs.getutm.app/">UTM</link> + virtualisation + <link xlink:href="https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm">package</link>. + </para> + </listitem> + <listitem> + <para> + The new option <literal>users.motdFile</literal> allows + configuring a Message Of The Day that can be updated + dynamically. + </para> + </listitem> + <listitem> + <para> + Enabling global redirect in + <literal>services.nginx.virtualHosts</literal> now allows one + to add exceptions with the <literal>locations</literal> + option. + </para> + </listitem> + <listitem> + <para> + A new option <literal>recommendedBrotliSettings</literal> has + been added to <literal>services.nginx</literal>. Learn more + about compression in Brotli format + <link xlink:href="https://github.com/google/ngx_brotli/blob/master/README.md">here</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://garagehq.deuxfleurs.fr/">Garage</link> + version is based on + <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>, + existing installations will keep using version 0.7. New + installations will use version 0.8. In order to upgrade a + Garage cluster, please follow + <link xlink:href="https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/">upstream + instructions</link> and force + <link xlink:href="options.html#opt-services.garage.package">services.garage.package</link> + or upgrade accordingly + <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>. + </para> + </listitem> + <listitem> + <para> + Resilio sync secret keys can now be provided using a secrets + file at runtime, preventing these secrets from ending up in + the Nix store. + </para> + </listitem> + <listitem> + <para> + The <literal>firewall</literal> and <literal>nat</literal> + module now has a nftables based implementation. Enable + <literal>networking.nftables</literal> to use it. + </para> + </listitem> + <listitem> + <para> + The <literal>services.fwupd</literal> module now allows + arbitrary daemon settings to be configured in a structured + manner + (<link linkend="opt-services.fwupd.daemonSettings"><literal>services.fwupd.daemonSettings</literal></link>). + </para> + </listitem> + <listitem> + <para> + The <literal>unifi-poller</literal> package and corresponding + NixOS module have been renamed to <literal>unpoller</literal> + to match upstream. + </para> + </listitem> + <listitem> + <para> + The new option + <literal>services.tailscale.useRoutingFeatures</literal> + controls various settings for using Tailscale features like + exit nodes and subnet routers. If you wish to use your machine + as an exit node, you can set this setting to + <literal>server</literal>, otherwise if you wish to use an + exit node you can set this setting to + <literal>client</literal>. The strict RPF warning has been + removed as the RPF will be loosened automatically based on the + value of this setting. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://xastir.org/index.php/Main_Page">Xastir</link> + can now access AX.25 interfaces via the + <literal>libax25</literal> package. + </para> + </listitem> + </itemizedlist> + </section> +</section> diff --git a/nixos/doc/manual/installation/building-nixos.chapter.md b/nixos/doc/manual/installation/building-nixos.chapter.md index 17da261fbdaa4..7b0b5ea1c447a 100644 --- a/nixos/doc/manual/installation/building-nixos.chapter.md +++ b/nixos/doc/manual/installation/building-nixos.chapter.md @@ -9,7 +9,7 @@ You have two options: - Combine them with (any of) your host config(s) System images, such as the live installer ones, know how to enforce configuration settings -on wich they immediately depend in order to work correctly. +on which they immediately depend in order to work correctly. However, if you are confident, you can opt to override those enforced values with `mkForce`. @@ -75,6 +75,6 @@ configuration values upon which the correct functioning of the image depends. For example, the iso base image overrides those file systems which it needs at a minimum for correct functioning, while the installer base image overrides the entire file system layout because there can't be any other guarantees on a live medium than those given -by the live medium itself. The latter is especially true befor formatting the target +by the live medium itself. The latter is especially true before formatting the target block device(s). On the other hand, the netboot iso only overrides its minimum dependencies since netboot images are always made-to-target. diff --git a/nixos/doc/manual/installation/changing-config.chapter.md b/nixos/doc/manual/installation/changing-config.chapter.md index 8a404f085d7cf..11b49ccb1f671 100644 --- a/nixos/doc/manual/installation/changing-config.chapter.md +++ b/nixos/doc/manual/installation/changing-config.chapter.md @@ -13,7 +13,7 @@ booting, and try to realise the configuration in the running system (e.g., by restarting system services). ::: {.warning} -This command doesn\'t start/stop [user services](#opt-systemd.user.services) +This command doesn't start/stop [user services](#opt-systemd.user.services) automatically. `nixos-rebuild` only runs a `daemon-reload` for each user with running user services. ::: @@ -51,7 +51,7 @@ GRUB 2 boot screen by giving it a different *profile name*, e.g. ``` which causes the new configuration (and previous ones created using -`-p test`) to show up in the GRUB submenu "NixOS - Profile \'test\'". +`-p test`) to show up in the GRUB submenu "NixOS - Profile 'test'". This can be useful to separate test configurations from "stable" configurations. diff --git a/nixos/doc/manual/installation/installing-from-other-distro.section.md b/nixos/doc/manual/installation/installing-from-other-distro.section.md index fa8806f791d52..921592fe53573 100644 --- a/nixos/doc/manual/installation/installing-from-other-distro.section.md +++ b/nixos/doc/manual/installation/installing-from-other-distro.section.md @@ -30,7 +30,7 @@ The first steps to all these are the same: 1. Switch to the NixOS channel: - If you\'ve just installed Nix on a non-NixOS distribution, you will + If you've just installed Nix on a non-NixOS distribution, you will be on the `nixpkgs` channel by default. ```ShellSession @@ -49,10 +49,10 @@ The first steps to all these are the same: 1. Install the NixOS installation tools: - You\'ll need `nixos-generate-config` and `nixos-install`, but this + You'll need `nixos-generate-config` and `nixos-install`, but this also makes some man pages and `nixos-enter` available, just in case you want to chroot into your NixOS partition. NixOS installs these - by default, but you don\'t have NixOS yet.. + by default, but you don't have NixOS yet.. ```ShellSession $ nix-env -f '<nixpkgs>' -iA nixos-install-tools @@ -70,7 +70,7 @@ The first steps to all these are the same: refer to the partitioning, file-system creation, and mounting steps of [](#sec-installation) - If you\'re about to install NixOS in place using `NIXOS_LUSTRATE` + If you're about to install NixOS in place using `NIXOS_LUSTRATE` there is nothing to do for this step. 1. Generate your NixOS configuration: @@ -79,12 +79,12 @@ The first steps to all these are the same: $ sudo `which nixos-generate-config` --root /mnt ``` - You\'ll probably want to edit the configuration files. Refer to the + You'll probably want to edit the configuration files. Refer to the `nixos-generate-config` step in [](#sec-installation) for more information. Consider setting up the NixOS bootloader to give you the ability to - boot on your existing Linux partition. For instance, if you\'re + boot on your existing Linux partition. For instance, if you're using GRUB and your existing distribution is running Ubuntu, you may want to add something like this to your `configuration.nix`: @@ -148,19 +148,19 @@ The first steps to all these are the same: Generate your NixOS configuration: ```ShellSession - $ sudo `which nixos-generate-config` --root / + $ sudo `which nixos-generate-config` ``` Note that this will place the generated configuration files in - `/etc/nixos`. You\'ll probably want to edit the configuration files. + `/etc/nixos`. You'll probably want to edit the configuration files. Refer to the `nixos-generate-config` step in [](#sec-installation) for more information. - You\'ll likely want to set a root password for your first boot using - the configuration files because you won\'t have a chance to enter a - password until after you reboot. You can initalize the root password - to an empty one with this line: (and of course don\'t forget to set - one once you\'ve rebooted or to lock the account with + You'll likely want to set a root password for your first boot using + the configuration files because you won't have a chance to enter a + password until after you reboot. You can initialize the root password + to an empty one with this line: (and of course don't forget to set + one once you've rebooted or to lock the account with `sudo passwd -l root` if you use `sudo`) ```nix @@ -186,7 +186,7 @@ The first steps to all these are the same: bootup scripts require its presence). `/etc/NIXOS_LUSTRATE` tells the NixOS bootup scripts to move - *everything* that\'s in the root partition to `/old-root`. This will + *everything* that's in the root partition to `/old-root`. This will move your existing distribution out of the way in the very early stages of the NixOS bootup. There are exceptions (we do need to keep NixOS there after all), so the NixOS lustrate process will not @@ -201,10 +201,10 @@ The first steps to all these are the same: ::: {.note} Support for `NIXOS_LUSTRATE` was added in NixOS 16.09. The act of - \"lustrating\" refers to the wiping of the existing distribution. + "lustrating" refers to the wiping of the existing distribution. Creating `/etc/NIXOS_LUSTRATE` can also be used on NixOS to remove - all mutable files from your root partition (anything that\'s not in - `/nix` or `/boot` gets \"lustrated\" on the next boot. + all mutable files from your root partition (anything that's not in + `/nix` or `/boot` gets "lustrated" on the next boot. lustrate /ˈlʌstreɪt/ verb. @@ -212,14 +212,14 @@ The first steps to all these are the same: ritual action. ::: - Let\'s create the files: + Let's create the files: ```ShellSession $ sudo touch /etc/NIXOS $ sudo touch /etc/NIXOS_LUSTRATE ``` - Let\'s also make sure the NixOS configuration files are kept once we + Let's also make sure the NixOS configuration files are kept once we reboot on NixOS: ```ShellSession @@ -233,7 +233,7 @@ The first steps to all these are the same: ::: {.warning} Once you complete this step, your current distribution will no - longer be bootable! If you didn\'t get all the NixOS configuration + longer be bootable! If you didn't get all the NixOS configuration right, especially those settings pertaining to boot loading and root partition, NixOS may not be bootable either. Have a USB rescue device ready in case this happens. @@ -247,7 +247,7 @@ The first steps to all these are the same: Cross your fingers, reboot, hopefully you should get a NixOS prompt! 1. If for some reason you want to revert to the old distribution, - you\'ll need to boot on a USB rescue disk and do something along + you'll need to boot on a USB rescue disk and do something along these lines: ```ShellSession @@ -264,14 +264,14 @@ The first steps to all these are the same: This may work as is or you might also need to reinstall the boot loader. - And of course, if you\'re happy with NixOS and no longer need the + And of course, if you're happy with NixOS and no longer need the old distribution: ```ShellSession sudo rm -rf /old-root ``` -1. It\'s also worth noting that this whole process can be automated. +1. It's also worth noting that this whole process can be automated. This is especially useful for Cloud VMs, where provider do not provide NixOS. For instance, [nixos-infect](https://github.com/elitak/nixos-infect) uses the diff --git a/nixos/doc/manual/installation/installing-kexec.section.md b/nixos/doc/manual/installation/installing-kexec.section.md index 286cbbda6a69e..61d8e8e5999b9 100644 --- a/nixos/doc/manual/installation/installing-kexec.section.md +++ b/nixos/doc/manual/installation/installing-kexec.section.md @@ -30,7 +30,7 @@ This will create a `result` directory containing the following: These three files are meant to be copied over to the other already running Linux Distribution. -Note it's symlinks pointing elsewhere, so `cd` in, and use +Note its symlinks pointing elsewhere, so `cd` in, and use `scp * root@$destination` to copy it over, rather than rsync. Once you finished copying, execute `kexec-boot` *on the destination*, and after diff --git a/nixos/doc/manual/installation/installing-usb.section.md b/nixos/doc/manual/installation/installing-usb.section.md index da32935a7a108..adfe22ea2f00e 100644 --- a/nixos/doc/manual/installation/installing-usb.section.md +++ b/nixos/doc/manual/installation/installing-usb.section.md @@ -56,12 +56,12 @@ select the image, select the USB flash drive and click "Write". sudo dd if=<path-to-image> of=/dev/rdiskX bs=4m ``` - After `dd` completes, a GUI dialog \"The disk - you inserted was not readable by this computer\" will pop up, which can + After `dd` completes, a GUI dialog "The disk + you inserted was not readable by this computer" will pop up, which can be ignored. ::: {.note} - Using the \'raw\' `rdiskX` device instead of `diskX` with dd completes in + Using the 'raw' `rdiskX` device instead of `diskX` with dd completes in minutes instead of hours. ::: diff --git a/nixos/doc/manual/installation/installing-virtualbox-guest.section.md b/nixos/doc/manual/installation/installing-virtualbox-guest.section.md index e9c2a621c1bba..004838e586be6 100644 --- a/nixos/doc/manual/installation/installing-virtualbox-guest.section.md +++ b/nixos/doc/manual/installation/installing-virtualbox-guest.section.md @@ -1,4 +1,4 @@ -# Installing in a VirtualBox guest {#sec-instaling-virtualbox-guest} +# Installing in a VirtualBox guest {#sec-installing-virtualbox-guest} Installing NixOS into a VirtualBox guest is convenient for users who want to try NixOS without installing it on bare metal. If you want to @@ -6,7 +6,7 @@ use a pre-made VirtualBox appliance, it is available at [the downloads page](https://nixos.org/nixos/download.html). If you want to set up a VirtualBox guest manually, follow these instructions: -1. Add a New Machine in VirtualBox with OS Type \"Linux / Other Linux\" +1. Add a New Machine in VirtualBox with OS Type "Linux / Other Linux" 1. Base Memory Size: 768 MB or higher. @@ -16,7 +16,7 @@ VirtualBox guest manually, follow these instructions: 1. Click on Settings / System / Processor and enable PAE/NX -1. Click on Settings / System / Acceleration and enable \"VT-x/AMD-V\" +1. Click on Settings / System / Acceleration and enable "VT-x/AMD-V" acceleration 1. Click on Settings / Display / Screen and select VMSVGA as Graphics @@ -41,7 +41,7 @@ boot.initrd.checkJournalingFS = false; Shared folders can be given a name and a path in the host system in the VirtualBox settings (Machine / Settings / Shared Folders, then click on -the \"Add\" icon). Add the following to the +the "Add" icon). Add the following to the `/etc/nixos/configuration.nix` to auto-mount them. If you do not add `"nofail"`, the system will not boot properly. diff --git a/nixos/doc/manual/installation/installing.chapter.md b/nixos/doc/manual/installation/installing.chapter.md index 44e7e29421d65..ac7cf5a7bfc59 100644 --- a/nixos/doc/manual/installation/installing.chapter.md +++ b/nixos/doc/manual/installation/installing.chapter.md @@ -162,7 +162,7 @@ network manually, disable NetworkManager with `systemctl stop NetworkManager`. On the minimal installer, NetworkManager is not available, so -configuration must be perfomed manually. To configure the wifi, first +configuration must be performed manually. To configure the wifi, first start wpa_supplicant with `sudo systemctl start wpa_supplicant`, then run `wpa_cli`. For most home networks, you need to type in the following commands: @@ -230,11 +230,11 @@ The recommended partition scheme differs depending if the computer uses #### UEFI (GPT) {#sec-installation-manual-partitioning-UEFI} []{#sec-installation-partitioning-UEFI} <!-- legacy anchor --> -Here\'s an example partition scheme for UEFI, using `/dev/sda` as the +Here's an example partition scheme for UEFI, using `/dev/sda` as the device. ::: {.note} -You can safely ignore `parted`\'s informational message about needing to +You can safely ignore `parted`'s informational message about needing to update /etc/fstab. ::: @@ -279,11 +279,11 @@ Once complete, you can follow with #### Legacy Boot (MBR) {#sec-installation-manual-partitioning-MBR} []{#sec-installation-partitioning-MBR} <!-- legacy anchor --> -Here\'s an example partition scheme for Legacy Boot, using `/dev/sda` as +Here's an example partition scheme for Legacy Boot, using `/dev/sda` as the device. ::: {.note} -You can safely ignore `parted`\'s informational message about needing to +You can safely ignore `parted`'s informational message about needing to update /etc/fstab. ::: @@ -307,7 +307,7 @@ update /etc/fstab. ``` 4. Finally, add a *swap* partition. The size required will vary - according to needs, here a 8GiB one is created. + according to needs, here a 8GB one is created. ```ShellSession # parted /dev/sda -- mkpart primary linux-swap -8GB 100% @@ -543,8 +543,8 @@ corresponding configuration Nix expression. ::: ```ShellSession # parted /dev/sda -- mklabel msdos -# parted /dev/sda -- mkpart primary 1MiB -8GiB -# parted /dev/sda -- mkpart primary linux-swap -8GiB 100% +# parted /dev/sda -- mkpart primary 1MB -8GB +# parted /dev/sda -- mkpart primary linux-swap -8GB 100% ``` ::: @@ -554,9 +554,9 @@ corresponding configuration Nix expression. ::: ```ShellSession # parted /dev/sda -- mklabel gpt -# parted /dev/sda -- mkpart primary 512MiB -8GiB -# parted /dev/sda -- mkpart primary linux-swap -8GiB 100% -# parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB +# parted /dev/sda -- mkpart primary 512MB -8GB +# parted /dev/sda -- mkpart primary linux-swap -8GB 100% +# parted /dev/sda -- mkpart ESP fat32 1MB 512MB # parted /dev/sda -- set 3 esp on ``` ::: diff --git a/nixos/doc/manual/installation/upgrading.chapter.md b/nixos/doc/manual/installation/upgrading.chapter.md index 2644979bc9db2..249bcd97cec84 100644 --- a/nixos/doc/manual/installation/upgrading.chapter.md +++ b/nixos/doc/manual/installation/upgrading.chapter.md @@ -6,7 +6,7 @@ expressions and associated binaries. The NixOS channels are updated automatically from NixOS's Git repository after certain tests have passed and all packages have been built. These channels are: -- *Stable channels*, such as [`nixos-22.05`](https://nixos.org/channels/nixos-22.05). +- *Stable channels*, such as [`nixos-22.11`](https://nixos.org/channels/nixos-22.05). These only get conservative bug fixes and package upgrades. For instance, a channel update may cause the Linux kernel on your system to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not @@ -19,7 +19,7 @@ passed and all packages have been built. These channels are: radical changes between channel updates. It's not recommended for production systems. -- *Small channels*, such as [`nixos-22.05-small`](https://nixos.org/channels/nixos-22.05-small) +- *Small channels*, such as [`nixos-22.11-small`](https://nixos.org/channels/nixos-22.05-small) or [`nixos-unstable-small`](https://nixos.org/channels/nixos-unstable-small). These are identical to the stable and unstable channels described above, except that they contain fewer binary packages. This means they get updated @@ -38,8 +38,8 @@ newest supported stable release. When you first install NixOS, you're automatically subscribed to the NixOS channel that corresponds to your installation source. For -instance, if you installed from a 22.05 ISO, you will be subscribed to -the `nixos-22.05` channel. To see which NixOS channel you're subscribed +instance, if you installed from a 22.11 ISO, you will be subscribed to +the `nixos-22.11` channel. To see which NixOS channel you're subscribed to, run the following as root: ```ShellSession @@ -54,16 +54,16 @@ To switch to a different NixOS channel, do ``` (Be sure to include the `nixos` parameter at the end.) For instance, to -use the NixOS 22.05 stable channel: +use the NixOS 22.11 stable channel: ```ShellSession -# nix-channel --add https://nixos.org/channels/nixos-22.05 nixos +# nix-channel --add https://nixos.org/channels/nixos-22.11 nixos ``` If you have a server, you may want to use the "small" channel instead: ```ShellSession -# nix-channel --add https://nixos.org/channels/nixos-22.05-small nixos +# nix-channel --add https://nixos.org/channels/nixos-22.11-small nixos ``` And if you want to live on the bleeding edge: @@ -114,5 +114,5 @@ the new generation contains a different kernel, initrd or kernel modules. You can also specify a channel explicitly, e.g. ```nix -system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05; +system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.11; ``` diff --git a/nixos/doc/manual/man-nixos-rebuild.xml b/nixos/doc/manual/man-nixos-rebuild.xml index ea96f49fa9772..cab871661a755 100644 --- a/nixos/doc/manual/man-nixos-rebuild.xml +++ b/nixos/doc/manual/man-nixos-rebuild.xml @@ -134,7 +134,7 @@ </arg> <arg> <option>-I</option> - <replaceable>path</replaceable> + <replaceable>NIX_PATH</replaceable> </arg> <arg> <group choice='req'> @@ -624,7 +624,7 @@ <para> In addition, <command>nixos-rebuild</command> accepts various Nix-related - flags, including <option>--max-jobs</option> / <option>-j</option>, + flags, including <option>--max-jobs</option> / <option>-j</option>, <option>-I</option>, <option>--show-trace</option>, <option>--keep-failed</option>, <option>--keep-going</option>, <option>--impure</option>, and <option>--verbose</option> / <option>-v</option>. See the Nix manual for details. @@ -649,6 +649,20 @@ <varlistentry> <term> + <envar>NIX_PATH</envar> + </term> + <listitem> + <para> + A colon-separated list of directories used to look up Nix expressions enclosed in angle brackets (e.g <nixpkgs>). Example + <screen> + nixpkgs=./my-nixpkgs + </screen> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> <envar>NIX_SSHOPTS</envar> </term> <listitem> diff --git a/nixos/doc/manual/md-to-db.sh b/nixos/doc/manual/md-to-db.sh index beb0ff9f70828..6eca9f3b2c3d8 100755 --- a/nixos/doc/manual/md-to-db.sh +++ b/nixos/doc/manual/md-to-db.sh @@ -1,5 +1,5 @@ #! /usr/bin/env nix-shell -#! nix-shell -I nixpkgs=https://github.com/NixOS/nixpkgs/tarball/21.11 -i bash -p pandoc +#! nix-shell -I nixpkgs=https://github.com/NixOS/nixpkgs/tarball/22.11 -i bash -p pandoc # This script is temporarily needed while we transition the manual to # CommonMark. It converts the .md files in the regular manual folder diff --git a/nixos/doc/manual/release-notes/release-notes.xml b/nixos/doc/manual/release-notes/release-notes.xml index ee5009faf6f46..bb5cc677afb80 100644 --- a/nixos/doc/manual/release-notes/release-notes.xml +++ b/nixos/doc/manual/release-notes/release-notes.xml @@ -8,6 +8,7 @@ This section lists the release notes for each stable version of NixOS and current unstable revision. </para> + <xi:include href="../from_md/release-notes/rl-2305.section.xml" /> <xi:include href="../from_md/release-notes/rl-2211.section.xml" /> <xi:include href="../from_md/release-notes/rl-2205.section.xml" /> <xi:include href="../from_md/release-notes/rl-2111.section.xml" /> diff --git a/nixos/doc/manual/release-notes/rl-1509.section.md b/nixos/doc/manual/release-notes/rl-1509.section.md index 55804ddb988ae..1422ae4c299cd 100644 --- a/nixos/doc/manual/release-notes/rl-1509.section.md +++ b/nixos/doc/manual/release-notes/rl-1509.section.md @@ -2,7 +2,7 @@ In addition to numerous new and upgraded packages, this release has the following highlights: -- The [Haskell](http://haskell.org/) packages infrastructure has been re-designed from the ground up (\"Haskell NG\"). NixOS now distributes the latest version of every single package registered on [Hackage](http://hackage.haskell.org/) \-- well in excess of 8,000 Haskell packages. Detailed instructions on how to use that infrastructure can be found in the [User\'s Guide to the Haskell Infrastructure](https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure). Users migrating from an earlier release may find helpful information below, in the list of backwards-incompatible changes. Furthermore, we distribute 51(!) additional Haskell package sets that provide every single [LTS Haskell](http://www.stackage.org/) release since version 0.0 as well as the most recent [Stackage Nightly](http://www.stackage.org/) snapshot. The announcement [\"Full Stackage Support in Nixpkgs\"](https://nixos.org/nix-dev/2015-September/018138.html) gives additional details. +- The [Haskell](http://haskell.org/) packages infrastructure has been re-designed from the ground up ("Haskell NG"). NixOS now distributes the latest version of every single package registered on [Hackage](http://hackage.haskell.org/) \-- well in excess of 8,000 Haskell packages. Detailed instructions on how to use that infrastructure can be found in the [User's Guide to the Haskell Infrastructure](https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure). Users migrating from an earlier release may find helpful information below, in the list of backwards-incompatible changes. Furthermore, we distribute 51(!) additional Haskell package sets that provide every single [LTS Haskell](http://www.stackage.org/) release since version 0.0 as well as the most recent [Stackage Nightly](http://www.stackage.org/) snapshot. The announcement ["Full Stackage Support in Nixpkgs"](https://nixos.org/nix-dev/2015-September/018138.html) gives additional details. - Nix has been updated to version 1.10, which among other improvements enables cryptographic signatures on binary caches for improved security. @@ -178,7 +178,7 @@ The new option `system.stateVersion` ensures that certain configuration changes - Nix now requires binary caches to be cryptographically signed. If you have unsigned binary caches that you want to continue to use, you should set `nix.requireSignedBinaryCaches = false`. -- Steam now doesn\'t need root rights to work. Instead of using `*-steam-chrootenv`, you should now just run `steam`. `steamChrootEnv` package was renamed to `steam`, and old `steam` package \-- to `steamOriginal`. +- Steam now doesn't need root rights to work. Instead of using `*-steam-chrootenv`, you should now just run `steam`. `steamChrootEnv` package was renamed to `steam`, and old `steam` package \-- to `steamOriginal`. - CMPlayer has been renamed to bomi upstream. Package `cmplayer` was accordingly renamed to `bomi` @@ -203,7 +203,7 @@ The new option `system.stateVersion` ensures that certain configuration changes } ``` -- \"`nix-env -qa`\" no longer discovers Haskell packages by name. The only packages visible in the global scope are `ghc`, `cabal-install`, and `stack`, but all other packages are hidden. The reason for this inconvenience is the sheer size of the Haskell package set. Name-based lookups are expensive, and most `nix-env -qa` operations would become much slower if we\'d add the entire Hackage database into the top level attribute set. Instead, the list of Haskell packages can be displayed by running: +- "`nix-env -qa`" no longer discovers Haskell packages by name. The only packages visible in the global scope are `ghc`, `cabal-install`, and `stack`, but all other packages are hidden. The reason for this inconvenience is the sheer size of the Haskell package set. Name-based lookups are expensive, and most `nix-env -qa` operations would become much slower if we'd add the entire Hackage database into the top level attribute set. Instead, the list of Haskell packages can be displayed by running: ```ShellSession nix-env -f "<nixpkgs>" -qaP -A haskellPackages @@ -217,11 +217,11 @@ nix-env -f "<nixpkgs>" -iA haskellPackages.pandoc Installing Haskell _libraries_ this way, however, is no longer supported. See the next item for more details. -- Previous versions of NixOS came with a feature called `ghc-wrapper`, a small script that allowed GHC to transparently pick up on libraries installed in the user\'s profile. This feature has been deprecated; `ghc-wrapper` was removed from the distribution. The proper way to register Haskell libraries with the compiler now is the `haskellPackages.ghcWithPackages` function. The [User\'s Guide to the Haskell Infrastructure](https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure) provides more information about this subject. +- Previous versions of NixOS came with a feature called `ghc-wrapper`, a small script that allowed GHC to transparently pick up on libraries installed in the user's profile. This feature has been deprecated; `ghc-wrapper` was removed from the distribution. The proper way to register Haskell libraries with the compiler now is the `haskellPackages.ghcWithPackages` function. The [User's Guide to the Haskell Infrastructure](https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure) provides more information about this subject. - All Haskell builds that have been generated with version 1.x of the `cabal2nix` utility are now invalid and need to be re-generated with a current version of `cabal2nix` to function. The most recent version of this tool can be installed by running `nix-env -i cabal2nix`. -- The `haskellPackages` set in Nixpkgs used to have a function attribute called `extension` that users could override in their `~/.nixpkgs/config.nix` files to configure additional attributes, etc. That function still exists, but it\'s now called `overrides`. +- The `haskellPackages` set in Nixpkgs used to have a function attribute called `extension` that users could override in their `~/.nixpkgs/config.nix` files to configure additional attributes, etc. That function still exists, but it's now called `overrides`. - The OpenBLAS library has been updated to version `0.2.14`. Support for the `x86_64-darwin` platform was added. Dynamic architecture detection was enabled; OpenBLAS now selects microarchitecture-optimized routines at runtime, so optimal performance is achieved without the need to rebuild OpenBLAS locally. OpenBLAS has replaced ATLAS in most packages which use an optimized BLAS or LAPACK implementation. @@ -312,7 +312,7 @@ Other notable improvements: - The nixos and nixpkgs channels were unified, so one _can_ use `nix-env -iA nixos.bash` instead of `nix-env -iA nixos.pkgs.bash`. See [the commit](https://github.com/NixOS/nixpkgs/commit/2cd7c1f198) for details. -- Users running an SSH server who worry about the quality of their `/etc/ssh/moduli` file with respect to the [vulnerabilities discovered in the Diffie-Hellman key exchange](https://stribika.github.io/2015/01/04/secure-secure-shell.html) can now replace OpenSSH\'s default version with one they generated themselves using the new `services.openssh.moduliFile` option. +- Users running an SSH server who worry about the quality of their `/etc/ssh/moduli` file with respect to the [vulnerabilities discovered in the Diffie-Hellman key exchange](https://stribika.github.io/2015/01/04/secure-secure-shell.html) can now replace OpenSSH's default version with one they generated themselves using the new `services.openssh.moduliFile` option. - A newly packaged TeX Live 2015 is provided in `pkgs.texlive`, split into 6500 nix packages. For basic user documentation see [the source](https://github.com/NixOS/nixpkgs/blob/release-15.09/pkgs/tools/typesetting/tex/texlive/default.nix#L1). Beware of [an issue](https://github.com/NixOS/nixpkgs/issues/9757) when installing a too large package set. The plan is to deprecate and maybe delete the original TeX packages until the next release. diff --git a/nixos/doc/manual/release-notes/rl-1603.section.md b/nixos/doc/manual/release-notes/rl-1603.section.md index dce879ec16d07..532a16f937b05 100644 --- a/nixos/doc/manual/release-notes/rl-1603.section.md +++ b/nixos/doc/manual/release-notes/rl-1603.section.md @@ -152,19 +152,19 @@ When upgrading from a previous release, please be aware of the following incompa } ``` -- `s3sync` is removed, as it hasn\'t been developed by upstream for 4 years and only runs with ruby 1.8. For an actively-developer alternative look at `tarsnap` and others. +- `s3sync` is removed, as it hasn't been developed by upstream for 4 years and only runs with ruby 1.8. For an actively-developer alternative look at `tarsnap` and others. -- `ruby_1_8` has been removed as it\'s not supported from upstream anymore and probably contains security issues. +- `ruby_1_8` has been removed as it's not supported from upstream anymore and probably contains security issues. - `tidy-html5` package is removed. Upstream only provided `(lib)tidy5` during development, and now they went back to `(lib)tidy` to work as a drop-in replacement of the original package that has been unmaintained for years. You can (still) use the `html-tidy` package, which got updated to a stable release from this new upstream. - `extraDeviceOptions` argument is removed from `bumblebee` package. Instead there are now two separate arguments: `extraNvidiaDeviceOptions` and `extraNouveauDeviceOptions` for setting extra X11 options for nvidia and nouveau drivers, respectively. -- The `Ctrl+Alt+Backspace` key combination no longer kills the X server by default. There\'s a new option `services.xserver.enableCtrlAltBackspace` allowing to enable the combination again. +- The `Ctrl+Alt+Backspace` key combination no longer kills the X server by default. There's a new option `services.xserver.enableCtrlAltBackspace` allowing to enable the combination again. - `emacsPackagesNg` now contains all packages from the ELPA, MELPA, and MELPA Stable repositories. -- Data directory for Postfix MTA server is moved from `/var/postfix` to `/var/lib/postfix`. Old configurations are migrated automatically. `service.postfix` module has also received many improvements, such as correct directories\' access rights, new `aliasFiles` and `mapFiles` options and more. +- Data directory for Postfix MTA server is moved from `/var/postfix` to `/var/lib/postfix`. Old configurations are migrated automatically. `service.postfix` module has also received many improvements, such as correct directories' access rights, new `aliasFiles` and `mapFiles` options and more. - Filesystem options should now be configured as a list of strings, not a comma-separated string. The old style will continue to work, but print a warning, until the 16.09 release. An example of the new style: @@ -180,7 +180,7 @@ When upgrading from a previous release, please be aware of the following incompa - CUPS, installed by `services.printing` module, now has its data directory in `/var/lib/cups`. Old configurations from `/etc/cups` are moved there automatically, but there might be problems. Also configuration options `services.printing.cupsdConf` and `services.printing.cupsdFilesConf` were removed because they had been allowing one to override configuration variables required for CUPS to work at all on NixOS. For most use cases, `services.printing.extraConf` and new option `services.printing.extraFilesConf` should be enough; if you encounter a situation when they are not, please file a bug. - There are also Gutenprint improvements; in particular, a new option `services.printing.gutenprint` is added to enable automatic updating of Gutenprint PPMs; it\'s greatly recommended to enable it instead of adding `gutenprint` to the `drivers` list. + There are also Gutenprint improvements; in particular, a new option `services.printing.gutenprint` is added to enable automatic updating of Gutenprint PPMs; it's greatly recommended to enable it instead of adding `gutenprint` to the `drivers` list. - `services.xserver.vaapiDrivers` has been removed. Use `hardware.opengl.extraPackages{,32}` instead. You can also specify VDPAU drivers there. @@ -202,7 +202,7 @@ When upgrading from a previous release, please be aware of the following incompa } ``` -- `services.udev.extraRules` option now writes rules to `99-local.rules` instead of `10-local.rules`. This makes all the user rules apply after others, so their results wouldn\'t be overriden by anything else. +- `services.udev.extraRules` option now writes rules to `99-local.rules` instead of `10-local.rules`. This makes all the user rules apply after others, so their results wouldn't be overridden by anything else. - Large parts of the `services.gitlab` module has been been rewritten. There are new configuration options available. The `stateDir` option was renamned to `statePath` and the `satellitesDir` option was removed. Please review the currently available options. @@ -246,7 +246,7 @@ When upgrading from a previous release, please be aware of the following incompa you should either re-run `nixos-generate-config` or manually replace `"${config.boot.kernelPackages.broadcom_sta}"` by `config.boot.kernelPackages.broadcom_sta` in your `/etc/nixos/hardware-configuration.nix`. More discussion is on [ the github issue](https://github.com/NixOS/nixpkgs/pull/12595). -- The `services.xserver.startGnuPGAgent` option has been removed. GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no longer requires (or even supports) the \"start everything as a child of the agent\" scheme we\'ve implemented in NixOS for older versions. To configure the gpg-agent for your X session, add the following code to `~/.bashrc` or some file that's sourced when your shell is started: +- The `services.xserver.startGnuPGAgent` option has been removed. GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no longer requires (or even supports) the "start everything as a child of the agent" scheme we've implemented in NixOS for older versions. To configure the gpg-agent for your X session, add the following code to `~/.bashrc` or some file that's sourced when your shell is started: ```shell GPG_TTY=$(tty) @@ -273,7 +273,7 @@ When upgrading from a previous release, please be aware of the following incompa gpg --import ~/.gnupg/secring.gpg ``` - The `gpg-agent(1)` man page has more details about this subject, i.e. in the \"EXAMPLES\" section. + The `gpg-agent(1)` man page has more details about this subject, i.e. in the "EXAMPLES" section. Other notable improvements: diff --git a/nixos/doc/manual/release-notes/rl-1609.section.md b/nixos/doc/manual/release-notes/rl-1609.section.md index 075f0cf52cd1a..e9c650cf40724 100644 --- a/nixos/doc/manual/release-notes/rl-1609.section.md +++ b/nixos/doc/manual/release-notes/rl-1609.section.md @@ -20,7 +20,7 @@ When upgrading from a previous release, please be aware of the following incompa - A large number of packages have been converted to use the multiple outputs feature of Nix to greatly reduce the amount of required disk space, as mentioned above. This may require changes to any custom packages to make them build again; see the relevant chapter in the Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions related to multiple-output packages [were changed](https://github.com/NixOS/nixpkgs/pull/14766) late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.) -- Previous versions of Nixpkgs had support for all versions of the LTS Haskell package set. That support has been dropped. The previously provided `haskell.packages.lts-x_y` package sets still exist in name to aviod breaking user code, but these package sets don\'t actually contain the versions mandated by the corresponding LTS release. Instead, our package set it loosely based on the latest available LTS release, i.e. LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will drop those old names entirely. [The motivation for this change](https://nixos.org/nix-dev/2016-June/020585.html) has been discussed at length on the `nix-dev` mailing list and in [Github issue \#14897](https://github.com/NixOS/nixpkgs/issues/14897). Development strategies for Haskell hackers who want to rely on Nix and NixOS have been described in [another nix-dev article](https://nixos.org/nix-dev/2016-June/020642.html). +- Previous versions of Nixpkgs had support for all versions of the LTS Haskell package set. That support has been dropped. The previously provided `haskell.packages.lts-x_y` package sets still exist in name to aviod breaking user code, but these package sets don't actually contain the versions mandated by the corresponding LTS release. Instead, our package set it loosely based on the latest available LTS release, i.e. LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will drop those old names entirely. [The motivation for this change](https://nixos.org/nix-dev/2016-June/020585.html) has been discussed at length on the `nix-dev` mailing list and in [Github issue \#14897](https://github.com/NixOS/nixpkgs/issues/14897). Development strategies for Haskell hackers who want to rely on Nix and NixOS have been described in [another nix-dev article](https://nixos.org/nix-dev/2016-June/020642.html). - Shell aliases for systemd sub-commands [were dropped](https://github.com/NixOS/nixpkgs/pull/15598): `start`, `stop`, `restart`, `status`. @@ -28,7 +28,7 @@ When upgrading from a previous release, please be aware of the following incompa - `/var/empty` is now immutable. Activation script runs `chattr +i` to forbid any modifications inside the folder. See [ the pull request](https://github.com/NixOS/nixpkgs/pull/18365) for what bugs this caused. -- Gitlab\'s maintainance script `gitlab-runner` was removed and split up into the more clearer `gitlab-run` and `gitlab-rake` scripts, because `gitlab-runner` is a component of Gitlab CI. +- Gitlab's maintainance script `gitlab-runner` was removed and split up into the more clearer `gitlab-run` and `gitlab-rake` scripts, because `gitlab-runner` is a component of Gitlab CI. - `services.xserver.libinput.accelProfile` default changed from `flat` to `adaptive`, as per [ official documentation](https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79). @@ -38,7 +38,7 @@ When upgrading from a previous release, please be aware of the following incompa - `pkgs.linuxPackages.virtualbox` now contains only the kernel modules instead of the VirtualBox user space binaries. If you want to reference the user space binaries, you have to use the new `pkgs.virtualbox` instead. -- `goPackages` was replaced with separated Go applications in appropriate `nixpkgs` categories. Each Go package uses its own dependency set. There\'s also a new `go2nix` tool introduced to generate a Go package definition from its Go source automatically. +- `goPackages` was replaced with separated Go applications in appropriate `nixpkgs` categories. Each Go package uses its own dependency set. There's also a new `go2nix` tool introduced to generate a Go package definition from its Go source automatically. - `services.mongodb.extraConfig` configuration format was changed to YAML. diff --git a/nixos/doc/manual/release-notes/rl-1703.section.md b/nixos/doc/manual/release-notes/rl-1703.section.md index 7f424f2a6ce32..b82c41e28ca34 100644 --- a/nixos/doc/manual/release-notes/rl-1703.section.md +++ b/nixos/doc/manual/release-notes/rl-1703.section.md @@ -8,7 +8,7 @@ In addition to numerous new and upgraded packages, this release has the followin - This release is based on Glibc 2.25, GCC 5.4.0 and systemd 232. The default Linux kernel is 4.9 and Nix is at 1.11.8. -- The default desktop environment now is KDE\'s Plasma 5. KDE 4 has been removed +- The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed - The setuid wrapper functionality now supports setting capabilities. @@ -208,7 +208,7 @@ When upgrading from a previous release, please be aware of the following incompa - Two lone top-level dict dbs moved into `dictdDBs`. This affects: `dictdWordnet` which is now at `dictdDBs.wordnet` and `dictdWiktionary` which is now at `dictdDBs.wiktionary` -- Parsoid service now uses YAML configuration format. `service.parsoid.interwikis` is now called `service.parsoid.wikis` and is a list of either API URLs or attribute sets as specified in parsoid\'s documentation. +- Parsoid service now uses YAML configuration format. `service.parsoid.interwikis` is now called `service.parsoid.wikis` and is a list of either API URLs or attribute sets as specified in parsoid's documentation. - `Ntpd` was replaced by `systemd-timesyncd` as the default service to synchronize system time with a remote NTP server. The old behavior can be restored by setting `services.ntp.enable` to `true`. Upstream time servers for all NTP implementations are now configured using `networking.timeServers`. @@ -260,11 +260,11 @@ When upgrading from a previous release, please be aware of the following incompa - Autoloading connection tracking helpers is now disabled by default. This default was also changed in the Linux kernel and is considered insecure if not configured properly in your firewall. If you need connection tracking helpers (i.e. for active FTP) please enable `networking.firewall.autoLoadConntrackHelpers` and tune `networking.firewall.connectionTrackingModules` to suit your needs. -- `local_recipient_maps` is not set to empty value by Postfix service. It\'s an insecure default as stated by Postfix documentation. Those who want to retain this setting need to set it via `services.postfix.extraConfig`. +- `local_recipient_maps` is not set to empty value by Postfix service. It's an insecure default as stated by Postfix documentation. Those who want to retain this setting need to set it via `services.postfix.extraConfig`. - Iputils no longer provide ping6 and traceroute6. The functionality of these tools has been integrated into ping and traceroute respectively. To enforce an address family the new flags `-4` and `-6` have been added. One notable incompatibility is that specifying an interface (for link-local IPv6 for instance) is no longer done with the `-I` flag, but by encoding the interface into the address (`ping fe80::1%eth0`). -- The socket handling of the `services.rmilter` module has been fixed and refactored. As rmilter doesn\'t support binding to more than one socket, the options `bindUnixSockets` and `bindInetSockets` have been replaced by `services.rmilter.bindSocket.*`. The default is still a unix socket in `/run/rmilter/rmilter.sock`. Refer to the options documentation for more information. +- The socket handling of the `services.rmilter` module has been fixed and refactored. As rmilter doesn't support binding to more than one socket, the options `bindUnixSockets` and `bindInetSockets` have been replaced by `services.rmilter.bindSocket.*`. The default is still a unix socket in `/run/rmilter/rmilter.sock`. Refer to the options documentation for more information. - The `fetch*` functions no longer support md5, please use sha256 instead. @@ -278,7 +278,7 @@ When upgrading from a previous release, please be aware of the following incompa - Module type system have a new extensible option types feature that allow to extend certain types, such as enum, through multiple option declarations of the same option across multiple modules. -- `jre` now defaults to GTK UI by default. This improves visual consistency and makes Java follow system font style, improving the situation on HighDPI displays. This has a cost of increased closure size; for server and other headless workloads it\'s recommended to use `jre_headless`. +- `jre` now defaults to GTK UI by default. This improves visual consistency and makes Java follow system font style, improving the situation on HighDPI displays. This has a cost of increased closure size; for server and other headless workloads it's recommended to use `jre_headless`. - Python 2.6 interpreter and package set have been removed. diff --git a/nixos/doc/manual/release-notes/rl-1709.section.md b/nixos/doc/manual/release-notes/rl-1709.section.md index e5af22721b0c7..9f49549901bef 100644 --- a/nixos/doc/manual/release-notes/rl-1709.section.md +++ b/nixos/doc/manual/release-notes/rl-1709.section.md @@ -8,7 +8,7 @@ In addition to numerous new and upgraded packages, this release has the followin - The user handling now keeps track of deallocated UIDs/GIDs. When a user or group is revived, this allows it to be allocated the UID/GID it had before. A consequence is that UIDs and GIDs are no longer reused. -- The module option `services.xserver.xrandrHeads` now causes the first head specified in this list to be set as the primary head. Apart from that, it\'s now possible to also set additional options by using an attribute set, for example: +- The module option `services.xserver.xrandrHeads` now causes the first head specified in this list to be set as the primary head. Apart from that, it's now possible to also set additional options by using an attribute set, for example: ```nix { services.xserver.xrandrHeads = [ @@ -208,7 +208,7 @@ When upgrading from a previous release, please be aware of the following incompa - The `mysql` default `dataDir` has changed from `/var/mysql` to `/var/lib/mysql`. - - Radicale\'s default package has changed from 1.x to 2.x. Instructions to migrate can be found [ here ](http://radicale.org/1to2/). It is also possible to use the newer version by setting the `package` to `radicale2`, which is done automatically when `stateVersion` is 17.09 or higher. The `extraArgs` option has been added to allow passing the data migration arguments specified in the instructions; see the `radicale.nix` NixOS test for an example migration. + - Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found [ here ](http://radicale.org/1to2/). It is also possible to use the newer version by setting the `package` to `radicale2`, which is done automatically when `stateVersion` is 17.09 or higher. The `extraArgs` option has been added to allow passing the data migration arguments specified in the instructions; see the `radicale.nix` NixOS test for an example migration. - The `aiccu` package was removed. This is due to SixXS [ sunsetting](https://www.sixxs.net/main/) its IPv6 tunnel. @@ -216,9 +216,9 @@ When upgrading from a previous release, please be aware of the following incompa - Top-level `idea` package collection was renamed. All JetBrains IDEs are now at `jetbrains`. -- `flexget`\'s state database cannot be upgraded to its new internal format, requiring removal of any existing `db-config.sqlite` which will be automatically recreated. +- `flexget`'s state database cannot be upgraded to its new internal format, requiring removal of any existing `db-config.sqlite` which will be automatically recreated. -- The `ipfs` service now doesn\'t ignore the `dataDir` option anymore. If you\'ve ever set this option to anything other than the default you\'ll have to either unset it (so the default gets used) or migrate the old data manually with +- The `ipfs` service now doesn't ignore the `dataDir` option anymore. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually with ```ShellSession dataDir=<valueOfDataDir> @@ -236,15 +236,15 @@ When upgrading from a previous release, please be aware of the following incompa - `wvdial` package and module were removed. This is due to the project being dead and not building with openssl 1.1. -- `cc-wrapper`\'s setup-hook now exports a number of environment variables corresponding to binutils binaries, (e.g. `LD`, `STRIP`, `RANLIB`, etc). This is done to prevent packages\' build systems guessing, which is harder to predict, especially when cross-compiling. However, some packages have broken due to this---their build systems either not supporting, or claiming to support without adequate testing, taking such environment variables as parameters. +- `cc-wrapper`'s setup-hook now exports a number of environment variables corresponding to binutils binaries, (e.g. `LD`, `STRIP`, `RANLIB`, etc). This is done to prevent packages' build systems guessing, which is harder to predict, especially when cross-compiling. However, some packages have broken due to this---their build systems either not supporting, or claiming to support without adequate testing, taking such environment variables as parameters. -- `services.firefox.syncserver` now runs by default as a non-root user. To accomodate this change, the default sqlite database location has also been changed. Migration should work automatically. Refer to the description of the options for more details. +- `services.firefox.syncserver` now runs by default as a non-root user. To accommodate this change, the default sqlite database location has also been changed. Migration should work automatically. Refer to the description of the options for more details. - The `compiz` window manager and package was removed. The system support had been broken for several years. - Touchpad support should now be enabled through `libinput` as `synaptics` is now deprecated. See the option `services.xserver.libinput.enable`. -- grsecurity/PaX support has been dropped, following upstream\'s decision to cease free support. See [ upstream\'s announcement](https://grsecurity.net/passing_the_baton.php) for more information. No complete replacement for grsecurity/PaX is available presently. +- grsecurity/PaX support has been dropped, following upstream's decision to cease free support. See [ upstream's announcement](https://grsecurity.net/passing_the_baton.php) for more information. No complete replacement for grsecurity/PaX is available presently. - `services.mysql` now has declarative configuration of databases and users with the `ensureDatabases` and `ensureUsers` options. @@ -283,9 +283,9 @@ When upgrading from a previous release, please be aware of the following incompa ## Other Notable Changes {#sec-release-17.09-notable-changes} -- Modules can now be disabled by using [ disabledModules](https://nixos.org/nixpkgs/manual/#sec-replace-modules), allowing another to take it\'s place. This can be used to import a set of modules from another channel while keeping the rest of the system on a stable release. +- Modules can now be disabled by using [ disabledModules](https://nixos.org/nixpkgs/manual/#sec-replace-modules), allowing another to take it's place. This can be used to import a set of modules from another channel while keeping the rest of the system on a stable release. -- Updated to FreeType 2.7.1, including a new TrueType engine. The new engine replaces the Infinality engine which was the default in NixOS. The default font rendering settings are now provided by fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults are less invasive and provide rendering that is more consistent with other systems and hopefully with each font designer\'s intent. Some system-wide configuration has been removed from the Fontconfig NixOS module where user Fontconfig settings are available. +- Updated to FreeType 2.7.1, including a new TrueType engine. The new engine replaces the Infinality engine which was the default in NixOS. The default font rendering settings are now provided by fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults are less invasive and provide rendering that is more consistent with other systems and hopefully with each font designer's intent. Some system-wide configuration has been removed from the Fontconfig NixOS module where user Fontconfig settings are available. - ZFS/SPL have been updated to 0.7.0, `zfsUnstable, splUnstable` have therefore been removed. diff --git a/nixos/doc/manual/release-notes/rl-1803.section.md b/nixos/doc/manual/release-notes/rl-1803.section.md index c5146015d4499..681894eb13ece 100644 --- a/nixos/doc/manual/release-notes/rl-1803.section.md +++ b/nixos/doc/manual/release-notes/rl-1803.section.md @@ -6,7 +6,7 @@ In addition to numerous new and upgraded packages, this release has the followin - End of support is planned for end of October 2018, handing over to 18.09. -- Platform support: x86_64-linux and x86_64-darwin since release time (the latter isn\'t NixOS, really). Binaries for aarch64-linux are available, but no channel exists yet, as it\'s waiting for some test fixes, etc. +- Platform support: x86_64-linux and x86_64-darwin since release time (the latter isn't NixOS, really). Binaries for aarch64-linux are available, but no channel exists yet, as it's waiting for some test fixes, etc. - Nix now defaults to 2.0; see its [release notes](https://nixos.org/nix/manual/#ssec-relnotes-2.0). @@ -176,7 +176,7 @@ When upgrading from a previous release, please be aware of the following incompa - `cc-wrapper` has been split in two; there is now also a `bintools-wrapper`. The most commonly used files in `nix-support` are now split between the two wrappers. Some commonly used ones, like `nix-support/dynamic-linker`, are duplicated for backwards compatability, even though they rightly belong only in `bintools-wrapper`. Other more obscure ones are just moved. -- The propagation logic has been changed. The new logic, along with new types of dependencies that go with, is thoroughly documented in the \"Specifying dependencies\" section of the \"Standard Environment\" chapter of the nixpkgs manual. The old logic isn\'t but is easy to describe: dependencies were propagated as the same type of dependency no matter what. In practice, that means that many `propagatedNativeBuildInputs` should instead be `propagatedBuildInputs`. Thankfully, that was and is the least used type of dependency. Also, it means that some `propagatedBuildInputs` should instead be `depsTargetTargetPropagated`. Other types dependencies should be unaffected. +- The propagation logic has been changed. The new logic, along with new types of dependencies that go with, is thoroughly documented in the "Specifying dependencies" section of the "Standard Environment" chapter of the nixpkgs manual. The old logic isn't but is easy to describe: dependencies were propagated as the same type of dependency no matter what. In practice, that means that many `propagatedNativeBuildInputs` should instead be `propagatedBuildInputs`. Thankfully, that was and is the least used type of dependency. Also, it means that some `propagatedBuildInputs` should instead be `depsTargetTargetPropagated`. Other types dependencies should be unaffected. - `lib.addPassthru drv passthru` is removed. Use `lib.extendDerivation true passthru drv` instead. @@ -184,7 +184,7 @@ When upgrading from a previous release, please be aware of the following incompa - The `hardware.amdHybridGraphics.disable` option was removed for lack of a maintainer. If you still need this module, you may wish to include a copy of it from an older version of nixos in your imports. -- The merging of config options for `services.postfix.config` was buggy. Previously, if other options in the Postfix module like `services.postfix.useSrs` were set and the user set config options that were also set by such options, the resulting config wouldn\'t include all options that were needed. They are now merged correctly. If config options need to be overridden, `lib.mkForce` or `lib.mkOverride` can be used. +- The merging of config options for `services.postfix.config` was buggy. Previously, if other options in the Postfix module like `services.postfix.useSrs` were set and the user set config options that were also set by such options, the resulting config wouldn't include all options that were needed. They are now merged correctly. If config options need to be overridden, `lib.mkForce` or `lib.mkOverride` can be used. - The following changes apply if the `stateVersion` is changed to 18.03 or higher. For `stateVersion = "17.09"` or lower the old behavior is preserved. @@ -204,7 +204,7 @@ When upgrading from a previous release, please be aware of the following incompa - The data directory `/var/lib/piwik` was renamed to `/var/lib/matomo`. All files will be moved automatically on first startup, but you might need to adjust your backup scripts. - - The default `serverName` for the nginx configuration changed from `piwik.${config.networking.hostName}` to `matomo.${config.networking.hostName}.${config.networking.domain}` if `config.networking.domain` is set, `matomo.${config.networking.hostName}` if it is not set. If you change your `serverName`, remember you\'ll need to update the `trustedHosts[]` array in `/var/lib/matomo/config/config.ini.php` as well. + - The default `serverName` for the nginx configuration changed from `piwik.${config.networking.hostName}` to `matomo.${config.networking.hostName}.${config.networking.domain}` if `config.networking.domain` is set, `matomo.${config.networking.hostName}` if it is not set. If you change your `serverName`, remember you'll need to update the `trustedHosts[]` array in `/var/lib/matomo/config/config.ini.php` as well. - The `piwik` user was renamed to `matomo`. The service will adjust ownership automatically for files in the data directory. If you use unix socket authentication, remember to give the new `matomo` user access to the database and to change the `username` to `matomo` in the `[database]` section of `/var/lib/matomo/config/config.ini.php`. @@ -250,7 +250,7 @@ When upgrading from a previous release, please be aware of the following incompa - The option `services.logstash.listenAddress` is now `127.0.0.1` by default. Previously the default behaviour was to listen on all interfaces. -- `services.btrfs.autoScrub` has been added, to periodically check btrfs filesystems for data corruption. If there\'s a correct copy available, it will automatically repair corrupted blocks. +- `services.btrfs.autoScrub` has been added, to periodically check btrfs filesystems for data corruption. If there's a correct copy available, it will automatically repair corrupted blocks. - `displayManager.lightdm.greeters.gtk.clock-format.` has been added, the clock format string (as expected by strftime, e.g. `%H:%M`) to use with the lightdm gtk greeter panel. diff --git a/nixos/doc/manual/release-notes/rl-1809.section.md b/nixos/doc/manual/release-notes/rl-1809.section.md index 3443db37c97e1..71afc71d5a89a 100644 --- a/nixos/doc/manual/release-notes/rl-1809.section.md +++ b/nixos/doc/manual/release-notes/rl-1809.section.md @@ -204,11 +204,11 @@ When upgrading from a previous release, please be aware of the following incompa - The `clementine` package points now to the free derivation. `clementineFree` is removed now and `clementineUnfree` points to the package which is bundled with the unfree `libspotify` package. -- The `netcat` package is now taken directly from OpenBSD\'s `libressl`, instead of relying on Debian\'s fork. The new version should be very close to the old version, but there are some minor differences. Importantly, flags like -b, -q, -C, and -Z are no longer accepted by the nc command. +- The `netcat` package is now taken directly from OpenBSD's `libressl`, instead of relying on Debian's fork. The new version should be very close to the old version, but there are some minor differences. Importantly, flags like -b, -q, -C, and -Z are no longer accepted by the nc command. -- The `services.docker-registry.extraConfig` object doesn\'t contain environment variables anymore. Instead it needs to provide an object structure that can be mapped onto the YAML configuration defined in [the `docker/distribution` docs](https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md). +- The `services.docker-registry.extraConfig` object doesn't contain environment variables anymore. Instead it needs to provide an object structure that can be mapped onto the YAML configuration defined in [the `docker/distribution` docs](https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md). -- `gnucash` has changed from version 2.4 to 3.x. If you\'ve been using `gnucash` (version 2.4) instead of `gnucash26` (version 2.6) you must open your Gnucash data file(s) with `gnucash26` and then save them to upgrade the file format. Then you may use your data file(s) with Gnucash 3.x. See the upgrade [documentation](https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade). Gnucash 2.4 is still available under the attribute `gnucash24`. +- `gnucash` has changed from version 2.4 to 3.x. If you've been using `gnucash` (version 2.4) instead of `gnucash26` (version 2.6) you must open your Gnucash data file(s) with `gnucash26` and then save them to upgrade the file format. Then you may use your data file(s) with Gnucash 3.x. See the upgrade [documentation](https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade). Gnucash 2.4 is still available under the attribute `gnucash24`. - `services.munge` now runs as user (and group) `munge` instead of root. Make sure the key file is accessible to the daemon. @@ -315,7 +315,7 @@ When upgrading from a previous release, please be aware of the following incompa - The Kubernetes Dashboard now has only minimal RBAC permissions by default. If dashboard cluster-admin rights are desired, set `services.kubernetes.addons.dashboard.rbac.clusterAdmin` to true. On existing clusters, in order for the revocation of privileges to take effect, the current ClusterRoleBinding for kubernetes-dashboard must be manually removed: `kubectl delete clusterrolebinding kubernetes-dashboard` -- The `programs.screen` module provides allows to configure `/etc/screenrc`, however the module behaved fairly counterintuitive as the config exists, but the package wasn\'t available. Since 18.09 `pkgs.screen` will be added to `environment.systemPackages`. +- The `programs.screen` module provides allows to configure `/etc/screenrc`, however the module behaved fairly counterintuitive as the config exists, but the package wasn't available. Since 18.09 `pkgs.screen` will be added to `environment.systemPackages`. - The module `services.networking.hostapd` now uses WPA2 by default. @@ -327,6 +327,6 @@ When upgrading from a previous release, please be aware of the following incompa - The default display manager is now LightDM. To use SLiM set `services.xserver.displayManager.slim.enable` to `true`. -- NixOS option descriptions are now automatically broken up into individual paragraphs if the text contains two consecutive newlines, so it\'s no longer necessary to use `</para><para>` to start a new paragraph. +- NixOS option descriptions are now automatically broken up into individual paragraphs if the text contains two consecutive newlines, so it's no longer necessary to use `</para><para>` to start a new paragraph. - Top-level `buildPlatform`, `hostPlatform`, and `targetPlatform` in Nixpkgs are deprecated. Please use their equivalents in `stdenv` instead: `stdenv.buildPlatform`, `stdenv.hostPlatform`, and `stdenv.targetPlatform`. diff --git a/nixos/doc/manual/release-notes/rl-1903.section.md b/nixos/doc/manual/release-notes/rl-1903.section.md index 7637a70c1bf8b..b43518c471fd2 100644 --- a/nixos/doc/manual/release-notes/rl-1903.section.md +++ b/nixos/doc/manual/release-notes/rl-1903.section.md @@ -11,11 +11,11 @@ In addition to numerous new and upgraded packages, this release has the followin - Added the Pantheon desktop environment. It can be enabled through `services.xserver.desktopManager.pantheon.enable`. ::: {.note} - By default, `services.xserver.desktopManager.pantheon` enables LightDM as a display manager, as pantheon\'s screen locking implementation relies on it. - Because of that it is recommended to leave LightDM enabled. If you\'d like to disable it anyway, set `services.xserver.displayManager.lightdm.enable` to `false` and enable your preferred display manager. + By default, `services.xserver.desktopManager.pantheon` enables LightDM as a display manager, as pantheon's screen locking implementation relies on it. + Because of that it is recommended to leave LightDM enabled. If you'd like to disable it anyway, set `services.xserver.displayManager.lightdm.enable` to `false` and enable your preferred display manager. ::: - Also note that Pantheon\'s LightDM greeter is not enabled by default, because it has numerous issues in NixOS and isn\'t optimal for use here yet. + Also note that Pantheon's LightDM greeter is not enabled by default, because it has numerous issues in NixOS and isn't optimal for use here yet. - A major refactoring of the Kubernetes module has been completed. Refactorings primarily focus on decoupling components and enhancing security. Two-way TLS and RBAC has been enabled by default for all components, which slightly changes the way the module is configured. See: [](#sec-kubernetes) for details. @@ -57,7 +57,7 @@ When upgrading from a previous release, please be aware of the following incompa - The Syncthing state and configuration data has been moved from `services.syncthing.dataDir` to the newly defined `services.syncthing.configDir`, which default to `/var/lib/syncthing/.config/syncthing`. This change makes possible to share synced directories using ACLs without Syncthing resetting the permission on every start. -- The `ntp` module now has sane default restrictions. If you\'re relying on the previous defaults, which permitted all queries and commands from all firewall-permitted sources, you can set `services.ntp.restrictDefault` and `services.ntp.restrictSource` to `[]`. +- The `ntp` module now has sane default restrictions. If you're relying on the previous defaults, which permitted all queries and commands from all firewall-permitted sources, you can set `services.ntp.restrictDefault` and `services.ntp.restrictSource` to `[]`. - Package `rabbitmq_server` is renamed to `rabbitmq-server`. @@ -73,7 +73,7 @@ When upgrading from a previous release, please be aware of the following incompa - OpenSMTPD has been upgraded to version 6.4.0p1. This release makes backwards-incompatible changes to the configuration file format. See `man smtpd.conf` for more information on the new file format. -- The versioned `postgresql` have been renamed to use underscore number seperators. For example, `postgresql96` has been renamed to `postgresql_9_6`. +- The versioned `postgresql` have been renamed to use underscore number separators. For example, `postgresql96` has been renamed to `postgresql_9_6`. - Package `consul-ui` and passthrough `consul.ui` have been removed. The package `consul` now uses upstream releases that vendor the UI into the binary. See [\#48714](https://github.com/NixOS/nixpkgs/pull/48714#issuecomment-433454834) for details. @@ -89,9 +89,9 @@ When upgrading from a previous release, please be aware of the following incompa - The option `services.xserver.displayManager.job.logToFile` which was previously set to `true` when using the display managers `lightdm`, `sddm` or `xpra` has been reset to the default value (`false`). -- Network interface indiscriminate NixOS firewall options (`networking.firewall.allow*`) are now preserved when also setting interface specific rules such as `networking.firewall.interfaces.en0.allow*`. These rules continue to use the pseudo device \"default\" (`networking.firewall.interfaces.default.*`), and assigning to this pseudo device will override the (`networking.firewall.allow*`) options. +- Network interface indiscriminate NixOS firewall options (`networking.firewall.allow*`) are now preserved when also setting interface specific rules such as `networking.firewall.interfaces.en0.allow*`. These rules continue to use the pseudo device "default" (`networking.firewall.interfaces.default.*`), and assigning to this pseudo device will override the (`networking.firewall.allow*`) options. -- The `nscd` service now disables all caching of `passwd` and `group` databases by default. This was interferring with the correct functioning of the `libnss_systemd.so` module which is used by `systemd` to manage uids and usernames in the presence of `DynamicUser=` in systemd services. This was already the default behaviour in presence of `services.sssd.enable = true` because nscd caching would interfere with `sssd` in unpredictable ways as well. Because we\'re using nscd not for caching, but for convincing glibc to find NSS modules in the nix store instead of an absolute path, we have decided to disable caching globally now, as it\'s usually not the behaviour the user wants and can lead to surprising behaviour. Furthermore, negative caching of host lookups is also disabled now by default. This should fix the issue of dns lookups failing in the presence of an unreliable network. +- The `nscd` service now disables all caching of `passwd` and `group` databases by default. This was interferring with the correct functioning of the `libnss_systemd.so` module which is used by `systemd` to manage uids and usernames in the presence of `DynamicUser=` in systemd services. This was already the default behaviour in presence of `services.sssd.enable = true` because nscd caching would interfere with `sssd` in unpredictable ways as well. Because we're using nscd not for caching, but for convincing glibc to find NSS modules in the nix store instead of an absolute path, we have decided to disable caching globally now, as it's usually not the behaviour the user wants and can lead to surprising behaviour. Furthermore, negative caching of host lookups is also disabled now by default. This should fix the issue of dns lookups failing in the presence of an unreliable network. If the old behaviour is desired, this can be restored by setting the `services.nscd.config` option with the desired caching parameters. @@ -137,7 +137,7 @@ When upgrading from a previous release, please be aware of the following incompa - The `pam_unix` account module is now loaded with its control field set to `required` instead of `sufficient`, so that later PAM account modules that might do more extensive checks are being executed. Previously, the whole account module verification was exited prematurely in case a nss module provided the account name to `pam_unix`. The LDAP and SSSD NixOS modules already add their NSS modules when enabled. In case your setup breaks due to some later PAM account module previosuly shadowed, or failing NSS lookups, please file a bug. You can get back the old behaviour by manually setting `security.pam.services.<name?>.text`. -- The `pam_unix` password module is now loaded with its control field set to `sufficient` instead of `required`, so that password managed only by later PAM password modules are being executed. Previously, for example, changing an LDAP account\'s password through PAM was not possible: the whole password module verification was exited prematurely by `pam_unix`, preventing `pam_ldap` to manage the password as it should. +- The `pam_unix` password module is now loaded with its control field set to `sufficient` instead of `required`, so that password managed only by later PAM password modules are being executed. Previously, for example, changing an LDAP account's password through PAM was not possible: the whole password module verification was exited prematurely by `pam_unix`, preventing `pam_ldap` to manage the password as it should. - `fish` has been upgraded to 3.0. It comes with a number of improvements and backwards incompatible changes. See the `fish` [release notes](https://github.com/fish-shell/fish-shell/releases/tag/3.0.0) for more information. @@ -145,7 +145,7 @@ When upgrading from a previous release, please be aware of the following incompa - NixOS module system type `types.optionSet` and `lib.mkOption` argument `options` are deprecated. Use `types.submodule` instead. ([\#54637](https://github.com/NixOS/nixpkgs/pull/54637)) -- `matrix-synapse` has been updated to version 0.99. It will [no longer generate a self-signed certificate on first launch](https://github.com/matrix-org/synapse/pull/4509) and will be [the last version to accept self-signed certificates](https://matrix.org/blog/2019/02/05/synapse-0-99-0/). As such, it is now recommended to use a proper certificate verified by a root CA (for example Let\'s Encrypt). The new [manual chapter on Matrix](#module-services-matrix) contains a working example of using nginx as a reverse proxy in front of `matrix-synapse`, using Let\'s Encrypt certificates. +- `matrix-synapse` has been updated to version 0.99. It will [no longer generate a self-signed certificate on first launch](https://github.com/matrix-org/synapse/pull/4509) and will be [the last version to accept self-signed certificates](https://matrix.org/blog/2019/02/05/synapse-0-99-0/). As such, it is now recommended to use a proper certificate verified by a root CA (for example Let's Encrypt). The new [manual chapter on Matrix](#module-services-matrix) contains a working example of using nginx as a reverse proxy in front of `matrix-synapse`, using Let's Encrypt certificates. - `mailutils` now works by default when `sendmail` is not in a setuid wrapper. As a consequence, the `sendmailPath` argument, having lost its main use, has been removed. @@ -191,7 +191,7 @@ When upgrading from a previous release, please be aware of the following incompa With this change application specific volumes are relative to the master volume which can be adjusted independently, whereas before they were absolute; meaning that in effect, it scaled the device-volume with the volume of the loudest application. ::: -- The [`ndppd`](https://github.com/DanielAdolfsson/ndppd) module now supports [all config options](options.html#opt-services.ndppd.enable) provided by the current upstream version as service options. Additionally the `ndppd` package doesn\'t contain the systemd unit configuration from upstream anymore, the unit is completely configured by the NixOS module now. +- The [`ndppd`](https://github.com/DanielAdolfsson/ndppd) module now supports [all config options](options.html#opt-services.ndppd.enable) provided by the current upstream version as service options. Additionally the `ndppd` package doesn't contain the systemd unit configuration from upstream anymore, the unit is completely configured by the NixOS module now. - New installs of NixOS will default to the Redmine 4.x series unless otherwise specified in `services.redmine.package` while existing installs of NixOS will default to the Redmine 3.x series. diff --git a/nixos/doc/manual/release-notes/rl-1909.section.md b/nixos/doc/manual/release-notes/rl-1909.section.md index 572f1bf5a255f..428352388193f 100644 --- a/nixos/doc/manual/release-notes/rl-1909.section.md +++ b/nixos/doc/manual/release-notes/rl-1909.section.md @@ -34,7 +34,7 @@ In addition to numerous new and upgraded packages, this release has the followin - The installer now uses a less privileged `nixos` user whereas before we logged in as root. To gain root privileges use `sudo -i` without a password. -- We\'ve updated to Xfce 4.14, which brings a new module `services.xserver.desktopManager.xfce4-14`. If you\'d like to upgrade, please switch from the `services.xserver.desktopManager.xfce` module as it will be deprecated in a future release. They\'re incompatibilities with the current Xfce module; it doesn\'t support `thunarPlugins` and it isn\'t recommended to use `services.xserver.desktopManager.xfce` and `services.xserver.desktopManager.xfce4-14` simultaneously or to downgrade from Xfce 4.14 after upgrading. +- We've updated to Xfce 4.14, which brings a new module `services.xserver.desktopManager.xfce4-14`. If you'd like to upgrade, please switch from the `services.xserver.desktopManager.xfce` module as it will be deprecated in a future release. They're incompatibilities with the current Xfce module; it doesn't support `thunarPlugins` and it isn't recommended to use `services.xserver.desktopManager.xfce` and `services.xserver.desktopManager.xfce4-14` simultaneously or to downgrade from Xfce 4.14 after upgrading. - The GNOME 3 desktop manager module sports an interface to enable/disable core services, applications, and optional GNOME packages like games. @@ -46,9 +46,9 @@ In addition to numerous new and upgraded packages, this release has the followin - `services.gnome3.games.enable` - With these options we hope to give users finer grained control over their systems. Prior to this change you\'d either have to manually disable options or use `environment.gnome3.excludePackages` which only excluded the optional applications. `environment.gnome3.excludePackages` is now unguarded, it can exclude any package installed with `environment.systemPackages` in the GNOME 3 module. + With these options we hope to give users finer grained control over their systems. Prior to this change you'd either have to manually disable options or use `environment.gnome3.excludePackages` which only excluded the optional applications. `environment.gnome3.excludePackages` is now unguarded, it can exclude any package installed with `environment.systemPackages` in the GNOME 3 module. -- Orthogonal to the previous changes to the GNOME 3 desktop manager module, we\'ve updated all default services and applications to match as close as possible to a default reference GNOME 3 experience. +- Orthogonal to the previous changes to the GNOME 3 desktop manager module, we've updated all default services and applications to match as close as possible to a default reference GNOME 3 experience. **The following changes were enacted in `services.gnome3.core-utilities.enable`** @@ -104,7 +104,7 @@ The following new services were added since the last release: - `services.xserver.desktopManager.pantheon` - - `services.xserver.desktopManager.mate` Note Mate uses `programs.system-config-printer` as it doesn\'t use it as a service, but its graphical interface directly. + - `services.xserver.desktopManager.mate` Note Mate uses `programs.system-config-printer` as it doesn't use it as a service, but its graphical interface directly. - [services.blueman.enable](options.html#opt-services.blueman.enable) has been added. If you previously had blueman installed via `environment.systemPackages` please migrate to using the NixOS module, as this would result in an insufficiently configured blueman. @@ -118,11 +118,11 @@ When upgrading from a previous release, please be aware of the following incompa - PostgreSQL 9.4 is scheduled EOL during the 19.09 life cycle and has been removed. -- The options `services.prometheus.alertmanager.user` and `services.prometheus.alertmanager.group` have been removed because the alertmanager service is now using systemd\'s [ DynamicUser mechanism](http://0pointer.net/blog/dynamic-users-with-systemd.html) which obviates these options. +- The options `services.prometheus.alertmanager.user` and `services.prometheus.alertmanager.group` have been removed because the alertmanager service is now using systemd's [ DynamicUser mechanism](http://0pointer.net/blog/dynamic-users-with-systemd.html) which obviates these options. - The NetworkManager systemd unit was renamed back from network-manager.service to NetworkManager.service for better compatibility with other applications expecting this name. The same applies to ModemManager where modem-manager.service is now called ModemManager.service again. -- The `services.nzbget.configFile` and `services.nzbget.openFirewall` options were removed as they are managed internally by the nzbget. The `services.nzbget.dataDir` option hadn\'t actually been used by the module for some time and so was removed as cleanup. +- The `services.nzbget.configFile` and `services.nzbget.openFirewall` options were removed as they are managed internally by the nzbget. The `services.nzbget.dataDir` option hadn't actually been used by the module for some time and so was removed as cleanup. - The `services.mysql.pidDir` option was removed, as it was only used by the wordpress apache-httpd service to wait for mysql to have started up. This can be accomplished by either describing a dependency on mysql.service (preferred) or waiting for the (hardcoded) `/run/mysqld/mysql.sock` file to appear. @@ -148,19 +148,19 @@ When upgrading from a previous release, please be aware of the following incompa A new knob named `nixops.enableDeprecatedAutoLuks` has been introduced to disable the eval failure and to acknowledge the notice was received and read. If you plan on using the feature please note that it might break with subsequent updates. - Make sure you set the `_netdev` option for each of the file systems referring to block devices provided by the autoLuks module. Not doing this might render the system in a state where it doesn\'t boot anymore. + Make sure you set the `_netdev` option for each of the file systems referring to block devices provided by the autoLuks module. Not doing this might render the system in a state where it doesn't boot anymore. If you are actively using the `autoLuks` module please let us know in [issue \#62211](https://github.com/NixOS/nixpkgs/issues/62211). - The setopt declarations will be evaluated at the end of `/etc/zshrc`, so any code in [programs.zsh.interactiveShellInit](options.html#opt-programs.zsh.interactiveShellInit), [programs.zsh.loginShellInit](options.html#opt-programs.zsh.loginShellInit) and [programs.zsh.promptInit](options.html#opt-programs.zsh.promptInit) may break if it relies on those options being set. -- The `prometheus-nginx-exporter` package now uses the offical exporter provided by NGINX Inc. Its metrics are differently structured and are incompatible to the old ones. For information about the metrics, have a look at the [official repo](https://github.com/nginxinc/nginx-prometheus-exporter). +- The `prometheus-nginx-exporter` package now uses the official exporter provided by NGINX Inc. Its metrics are differently structured and are incompatible to the old ones. For information about the metrics, have a look at the [official repo](https://github.com/nginxinc/nginx-prometheus-exporter). - The `shibboleth-sp` package has been updated to version 3. It is largely backward compatible, for further information refer to the [release notes](https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes) and [upgrade guide](https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2). Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped. -- By default, prometheus exporters are now run with `DynamicUser` enabled. Exporters that need a real user, now run under a seperate user and group which follow the pattern `<exporter-name>-exporter`, instead of the previous default `nobody` and `nogroup`. Only some exporters are affected by the latter, namely the exporters `dovecot`, `node`, `postfix` and `varnish`. +- By default, prometheus exporters are now run with `DynamicUser` enabled. Exporters that need a real user, now run under a separate user and group which follow the pattern `<exporter-name>-exporter`, instead of the previous default `nobody` and `nogroup`. Only some exporters are affected by the latter, namely the exporters `dovecot`, `node`, `postfix` and `varnish`. - The `ibus-qt` package is not installed by default anymore when [i18n.inputMethod.enabled](options.html#opt-i18n.inputMethod.enabled) is set to `ibus`. If IBus support in Qt 4.x applications is required, add the `ibus-qt` package to your [environment.systemPackages](options.html#opt-environment.systemPackages) manually. @@ -196,13 +196,13 @@ When upgrading from a previous release, please be aware of the following incompa Furthermore, the acme module will not automatically add a dependency on `lighttpd.service` anymore. If you are using certficates provided by letsencrypt for lighttpd, then you should depend on the certificate service `acme-${cert}.service>` manually. - For nginx, the dependencies are still automatically managed when `services.nginx.virtualhosts.<name>.enableACME` is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs, instead of depending on the catch-all `acme-certificates.target`. This target unit was also removed from the codebase. This will mean nginx will no longer depend on certificates it isn\'t explicitly managing and fixes a bug with certificate renewal ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at [NixOS/nixpkgs\#60180](https://github.com/NixOS/nixpkgs/issues/60180). + For nginx, the dependencies are still automatically managed when `services.nginx.virtualhosts.<name>.enableACME` is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs, instead of depending on the catch-all `acme-certificates.target`. This target unit was also removed from the codebase. This will mean nginx will no longer depend on certificates it isn't explicitly managing and fixes a bug with certificate renewal ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at [NixOS/nixpkgs\#60180](https://github.com/NixOS/nixpkgs/issues/60180). - The old deprecated `emacs` package sets have been dropped. What used to be called `emacsPackagesNg` is now simply called `emacsPackages`. -- `services.xserver.desktopManager.xterm` is now disabled by default if `stateVersion` is 19.09 or higher. Previously the xterm desktopManager was enabled when xserver was enabled, but it isn\'t useful for all people so it didn\'t make sense to have any desktopManager enabled default. +- `services.xserver.desktopManager.xterm` is now disabled by default if `stateVersion` is 19.09 or higher. Previously the xterm desktopManager was enabled when xserver was enabled, but it isn't useful for all people so it didn't make sense to have any desktopManager enabled default. -- The WeeChat plugin `pkgs.weechatScripts.weechat-xmpp` has been removed as it doesn\'t receive any updates from upstream and depends on outdated Python2-based modules. +- The WeeChat plugin `pkgs.weechatScripts.weechat-xmpp` has been removed as it doesn't receive any updates from upstream and depends on outdated Python2-based modules. - Old unsupported versions (`logstash5`, `kibana5`, `filebeat5`, `heartbeat5`, `metricbeat5`, `packetbeat5`) of the ELK-stack and Elastic beats have been removed. @@ -210,7 +210,7 @@ When upgrading from a previous release, please be aware of the following incompa - Citrix Receiver (`citrix_receiver`) has been dropped in favor of Citrix Workspace (`citrix_workspace`). -- The `services.gitlab` module has had its literal secret options (`services.gitlab.smtp.password`, `services.gitlab.databasePassword`, `services.gitlab.initialRootPassword`, `services.gitlab.secrets.secret`, `services.gitlab.secrets.db`, `services.gitlab.secrets.otp` and `services.gitlab.secrets.jws`) replaced by file-based versions (`services.gitlab.smtp.passwordFile`, `services.gitlab.databasePasswordFile`, `services.gitlab.initialRootPasswordFile`, `services.gitlab.secrets.secretFile`, `services.gitlab.secrets.dbFile`, `services.gitlab.secrets.otpFile` and `services.gitlab.secrets.jwsFile`). This was done so that secrets aren\'t stored in the world-readable nix store, but means that for each option you\'ll have to create a file with the same exact string, add \"File\" to the end of the option name, and change the definition to a string pointing to the corresponding file; e.g. `services.gitlab.databasePassword = "supersecurepassword"` becomes `services.gitlab.databasePasswordFile = "/path/to/secret_file"` where the file `secret_file` contains the string `supersecurepassword`. +- The `services.gitlab` module has had its literal secret options (`services.gitlab.smtp.password`, `services.gitlab.databasePassword`, `services.gitlab.initialRootPassword`, `services.gitlab.secrets.secret`, `services.gitlab.secrets.db`, `services.gitlab.secrets.otp` and `services.gitlab.secrets.jws`) replaced by file-based versions (`services.gitlab.smtp.passwordFile`, `services.gitlab.databasePasswordFile`, `services.gitlab.initialRootPasswordFile`, `services.gitlab.secrets.secretFile`, `services.gitlab.secrets.dbFile`, `services.gitlab.secrets.otpFile` and `services.gitlab.secrets.jwsFile`). This was done so that secrets aren't stored in the world-readable nix store, but means that for each option you'll have to create a file with the same exact string, add "File" to the end of the option name, and change the definition to a string pointing to the corresponding file; e.g. `services.gitlab.databasePassword = "supersecurepassword"` becomes `services.gitlab.databasePasswordFile = "/path/to/secret_file"` where the file `secret_file` contains the string `supersecurepassword`. The state path (`services.gitlab.statePath`) now has the following restriction: no parent directory can be owned by any other user than `root` or the user specified in `services.gitlab.user`; i.e. if `services.gitlab.statePath` is set to `/var/lib/gitlab/state`, `gitlab` and all parent directories must be owned by either `root` or the user specified in `services.gitlab.user`. @@ -218,7 +218,7 @@ When upgrading from a previous release, please be aware of the following incompa - The Twitter client `corebird` has been dropped as [it is discontinued and does not work against the new Twitter API](https://www.patreon.com/posts/corebirds-future-18921328). Please use the fork `cawbird` instead which has been adapted to the API changes and is still maintained. -- The `nodejs-11_x` package has been removed as it\'s EOLed by upstream. +- The `nodejs-11_x` package has been removed as it's EOLed by upstream. - Because of the systemd upgrade, systemd-timesyncd will no longer work if `system.stateVersion` is not set correctly. When upgrading from NixOS 19.03, please make sure that `system.stateVersion` is set to `"19.03"`, or lower if the installation dates back to an earlier version of NixOS. @@ -252,7 +252,7 @@ When upgrading from a previous release, please be aware of the following incompa - The `consul` package was upgraded past version `1.5`, so its deprecated legacy UI is no longer available. -- The default resample-method for PulseAudio has been changed from the upstream default `speex-float-1` to `speex-float-5`. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this so you\'ll need to set `hardware.pulseaudio.daemon.config.resample-method` back to `speex-float-1`. +- The default resample-method for PulseAudio has been changed from the upstream default `speex-float-1` to `speex-float-5`. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this so you'll need to set `hardware.pulseaudio.daemon.config.resample-method` back to `speex-float-1`. - The `phabricator` package and associated `httpd.extraSubservice`, as well as the `phd` service have been removed from nixpkgs due to lack of maintainer. @@ -264,7 +264,7 @@ When upgrading from a previous release, please be aware of the following incompa - The `tomcat-connector` `httpd.extraSubservice` has been removed from nixpkgs. -- It\'s now possible to change configuration in [services.nextcloud](options.html#opt-services.nextcloud.enable) after the initial deploy since all config parameters are persisted in an additional config file generated by the module. Previously core configuration like database parameters were set using their imperative installer after creating `/var/lib/nextcloud`. +- It's now possible to change configuration in [services.nextcloud](options.html#opt-services.nextcloud.enable) after the initial deploy since all config parameters are persisted in an additional config file generated by the module. Previously core configuration like database parameters were set using their imperative installer after creating `/var/lib/nextcloud`. - There exists now `lib.forEach`, which is like `map`, but with arguments flipped. When mapping function body spans many lines (or has nested `map`s), it is often hard to follow which list is modified. @@ -308,6 +308,6 @@ When upgrading from a previous release, please be aware of the following incompa - The `altcoins` categorization of packages has been removed. You now access these packages at the top level, ie. `nix-shell -p dogecoin` instead of `nix-shell -p altcoins.dogecoin`, etc. -- Ceph has been upgraded to v14.2.1. See the [release notes](https://ceph.com/releases/v14-2-0-nautilus-released/) for details. The mgr dashboard as well as osds backed by loop-devices is no longer explicitly supported by the package and module. Note: There\'s been some issues with python-cherrypy, which is used by the dashboard and prometheus mgr modules (and possibly others), hence 0000-dont-check-cherrypy-version.patch. +- Ceph has been upgraded to v14.2.1. See the [release notes](https://ceph.com/releases/v14-2-0-nautilus-released/) for details. The mgr dashboard as well as osds backed by loop-devices is no longer explicitly supported by the package and module. Note: There's been some issues with python-cherrypy, which is used by the dashboard and prometheus mgr modules (and possibly others), hence 0000-dont-check-cherrypy-version.patch. - `pkgs.weechat` is now compiled against `pkgs.python3`. Weechat also recommends [to use Python3 in their docs.](https://weechat.org/scripts/python3/) diff --git a/nixos/doc/manual/release-notes/rl-2003.section.md b/nixos/doc/manual/release-notes/rl-2003.section.md index b92c7f6634c77..76cee8858e80a 100644 --- a/nixos/doc/manual/release-notes/rl-2003.section.md +++ b/nixos/doc/manual/release-notes/rl-2003.section.md @@ -34,11 +34,11 @@ In addition to numerous new and upgraded packages, this release has the followin - Postgresql for NixOS service now defaults to v11. -- The graphical installer image starts the graphical session automatically. Before you\'d be greeted by a tty and asked to enter `systemctl start display-manager`. It is now possible to disable the display-manager from running by selecting the `Disable display-manager` quirk in the boot menu. +- The graphical installer image starts the graphical session automatically. Before you'd be greeted by a tty and asked to enter `systemctl start display-manager`. It is now possible to disable the display-manager from running by selecting the `Disable display-manager` quirk in the boot menu. - GNOME 3 has been upgraded to 3.34. Please take a look at their [Release Notes](https://help.gnome.org/misc/release-notes/3.34) for details. -- If you enable the Pantheon Desktop Manager via [services.xserver.desktopManager.pantheon.enable](options.html#opt-services.xserver.desktopManager.pantheon.enable), we now default to also use [ Pantheon\'s newly designed greeter ](https://blog.elementary.io/say-hello-to-the-new-greeter/). Contrary to NixOS\'s usual update policy, Pantheon will receive updates during the cycle of NixOS 20.03 when backwards compatible. +- If you enable the Pantheon Desktop Manager via [services.xserver.desktopManager.pantheon.enable](options.html#opt-services.xserver.desktopManager.pantheon.enable), we now default to also use [ Pantheon's newly designed greeter ](https://blog.elementary.io/say-hello-to-the-new-greeter/). Contrary to NixOS's usual update policy, Pantheon will receive updates during the cycle of NixOS 20.03 when backwards compatible. - By default zfs pools will now be trimmed on a weekly basis. Trimming is only done on supported devices (i.e. NVME or SSDs) and should improve throughput and lifetime of these devices. It is controlled by the `services.zfs.trim.enable` varname. The zfs scrub service (`services.zfs.autoScrub.enable`) and the zfs autosnapshot service (`services.zfs.autoSnapshot.enable`) are now only enabled if zfs is set in `config.boot.initrd.supportedFilesystems` or `config.boot.supportedFilesystems`. These lists will automatically contain zfs as soon as any zfs mountpoint is configured in `fileSystems`. @@ -77,7 +77,7 @@ The following new services were added since the last release: - The kubernetes kube-proxy now supports a new hostname configuration `services.kubernetes.proxy.hostname` which has to be set if the hostname of the node should be non default. -- UPower\'s configuration is now managed by NixOS and can be customized via `services.upower`. +- UPower's configuration is now managed by NixOS and can be customized via `services.upower`. - To use Geary you should enable [programs.geary.enable](options.html#opt-programs.geary.enable) instead of just adding it to [environment.systemPackages](options.html#opt-environment.systemPackages). It was created so Geary could function properly outside of GNOME. @@ -187,9 +187,9 @@ When upgrading from a previous release, please be aware of the following incompa - The `99-main.network` file was removed. Matching all network interfaces caused many breakages, see [\#18962](https://github.com/NixOS/nixpkgs/pull/18962) and [\#71106](https://github.com/NixOS/nixpkgs/pull/71106). - We already don\'t support the global [networking.useDHCP](options.html#opt-networking.useDHCP), [networking.defaultGateway](options.html#opt-networking.defaultGateway) and [networking.defaultGateway6](options.html#opt-networking.defaultGateway6) options if [networking.useNetworkd](options.html#opt-networking.useNetworkd) is enabled, but direct users to configure the per-device [networking.interfaces.\<name\>....](options.html#opt-networking.interfaces) options. + We already don't support the global [networking.useDHCP](options.html#opt-networking.useDHCP), [networking.defaultGateway](options.html#opt-networking.defaultGateway) and [networking.defaultGateway6](options.html#opt-networking.defaultGateway6) options if [networking.useNetworkd](options.html#opt-networking.useNetworkd) is enabled, but direct users to configure the per-device [networking.interfaces.\<name\>....](options.html#opt-networking.interfaces) options. -- The stdenv now runs all bash with `set -u`, to catch the use of undefined variables. Before, it itself used `set -u` but was careful to unset it so other packages\' code ran as before. Now, all bash code is held to the same high standard, and the rather complex stateful manipulation of the options can be discarded. +- The stdenv now runs all bash with `set -u`, to catch the use of undefined variables. Before, it itself used `set -u` but was careful to unset it so other packages' code ran as before. Now, all bash code is held to the same high standard, and the rather complex stateful manipulation of the options can be discarded. - The SLIM Display Manager has been removed, as it has been unmaintained since 2013. Consider migrating to a different display manager such as LightDM (current default in NixOS), SDDM, GDM, or using the startx module which uses Xinitrc. @@ -197,7 +197,7 @@ When upgrading from a previous release, please be aware of the following incompa - The BEAM package set has been deleted. You will only find there the different interpreters. You should now use the different build tools coming with the languages with sandbox mode disabled. -- There is now only one Xfce package-set and module. This means that attributes `xfce4-14` and `xfceUnstable` all now point to the latest Xfce 4.14 packages. And in the future NixOS releases will be the latest released version of Xfce available at the time of the release\'s development (if viable). +- There is now only one Xfce package-set and module. This means that attributes `xfce4-14` and `xfceUnstable` all now point to the latest Xfce 4.14 packages. And in the future NixOS releases will be the latest released version of Xfce available at the time of the release's development (if viable). - The [phpfpm](options.html#opt-services.phpfpm.pools) module now sets `PrivateTmp=true` in its systemd units for better process isolation. If you rely on `/tmp` being shared with other services, explicitly override this by setting `serviceConfig.PrivateTmp` to `false` for each phpfpm unit. @@ -221,7 +221,7 @@ When upgrading from a previous release, please be aware of the following incompa - The packages `openobex` and `obexftp` are no longer installed when enabling Bluetooth via `hardware.bluetooth.enable`. -- The `dump1090` derivation has been changed to use FlightAware\'s dump1090 as its upstream. However, this version does not have an internal webserver anymore. The assets in the `share/dump1090` directory of the derivation can be used in conjunction with an external webserver to replace this functionality. +- The `dump1090` derivation has been changed to use FlightAware's dump1090 as its upstream. However, this version does not have an internal webserver anymore. The assets in the `share/dump1090` directory of the derivation can be used in conjunction with an external webserver to replace this functionality. - The fourStore and fourStoreEndpoint modules have been removed. @@ -291,7 +291,7 @@ When upgrading from a previous release, please be aware of the following incompa - `services.buildkite-agent.meta-data` has been renamed to [services.buildkite-agents.\<name\>.tags](options.html#opt-services.buildkite-agents), to match upstreams naming for 3.x. Its type has also changed - it now accepts an attrset of strings. - - The`services.buildkite-agent.openssh.publicKeyPath` option has been removed, as it\'s not necessary to deploy public keys to clone private repositories. + - The`services.buildkite-agent.openssh.publicKeyPath` option has been removed, as it's not necessary to deploy public keys to clone private repositories. - `services.buildkite-agent.openssh.privateKeyPath` has been renamed to [buildkite-agents.\<name\>.privateSshKeyPath](options.html#opt-services.buildkite-agents), as the whole `openssh` now only contained that single option. @@ -301,7 +301,7 @@ When upgrading from a previous release, please be aware of the following incompa - The `gcc5` and `gfortran5` packages have been removed. -- The `services.xserver.displayManager.auto` module has been removed. It was only intended for use in internal NixOS tests, and gave the false impression of it being a special display manager when it\'s actually LightDM. Please use the `services.xserver.displayManager.lightdm.autoLogin` options instead, or any other display manager in NixOS as they all support auto-login. If you used this module specifically because it permitted root auto-login you can override the lightdm-autologin pam module like: +- The `services.xserver.displayManager.auto` module has been removed. It was only intended for use in internal NixOS tests, and gave the false impression of it being a special display manager when it's actually LightDM. Please use the `services.xserver.displayManager.lightdm.autoLogin` options instead, or any other display manager in NixOS as they all support auto-login. If you used this module specifically because it permitted root auto-login you can override the lightdm-autologin pam module like: ```nix { @@ -325,13 +325,13 @@ When upgrading from a previous release, please be aware of the following incompa auth required pam_succeed_if.so quiet ``` - line, where default it\'s: + line, where default it's: ``` auth required pam_succeed_if.so uid >= 1000 quiet ``` - not permitting users with uid\'s below 1000 (like root). All other display managers in NixOS are configured like this. + not permitting users with uid's below 1000 (like root). All other display managers in NixOS are configured like this. - There have been lots of improvements to the Mailman module. As a result, @@ -357,9 +357,9 @@ When upgrading from a previous release, please be aware of the following incompa - Rspamd was updated to version 2.2. Read [ the upstream migration notes](https://rspamd.com/doc/migration.html#migration-to-rspamd-20) carefully. Please be especially aware that some modules were removed and the default Bayes backend is now Redis. -- The `*psu` versions of oraclejdk8 have been removed as they aren\'t provided by upstream anymore. +- The `*psu` versions of oraclejdk8 have been removed as they aren't provided by upstream anymore. -- The `services.dnscrypt-proxy` module has been removed as it used the deprecated version of dnscrypt-proxy. We\'ve added [services.dnscrypt-proxy2.enable](options.html#opt-services.dnscrypt-proxy2.enable) to use the supported version. This module supports configuration via the Nix attribute set [services.dnscrypt-proxy2.settings](options.html#opt-services.dnscrypt-proxy2.settings), or by passing a TOML configuration file via [services.dnscrypt-proxy2.configFile](options.html#opt-services.dnscrypt-proxy2.configFile). +- The `services.dnscrypt-proxy` module has been removed as it used the deprecated version of dnscrypt-proxy. We've added [services.dnscrypt-proxy2.enable](options.html#opt-services.dnscrypt-proxy2.enable) to use the supported version. This module supports configuration via the Nix attribute set [services.dnscrypt-proxy2.settings](options.html#opt-services.dnscrypt-proxy2.settings), or by passing a TOML configuration file via [services.dnscrypt-proxy2.configFile](options.html#opt-services.dnscrypt-proxy2.configFile). ```nix { @@ -382,13 +382,13 @@ When upgrading from a previous release, please be aware of the following incompa - `qesteidutil` has been deprecated in favor of `qdigidoc`. -- sqldeveloper_18 has been removed as it\'s not maintained anymore, sqldeveloper has been updated to version `19.4`. Please note that this means that this means that the oraclejdk is now required. For further information please read the [release notes](https://www.oracle.com/technetwork/developer-tools/sql-developer/downloads/sqldev-relnotes-194-5908846.html). +- sqldeveloper_18 has been removed as it's not maintained anymore, sqldeveloper has been updated to version `19.4`. Please note that this means that this means that the oraclejdk is now required. For further information please read the [release notes](https://www.oracle.com/technetwork/developer-tools/sql-developer/downloads/sqldev-relnotes-194-5908846.html). -- Haskell `env` and `shellFor` dev shell environments now organize dependencies the same way as regular builds. In particular, rather than receiving all the different lists of dependencies mashed together as one big list, and then partitioning into Haskell and non-Hakell dependencies, they work from the original many different dependency parameters and don\'t need to algorithmically partition anything. +- Haskell `env` and `shellFor` dev shell environments now organize dependencies the same way as regular builds. In particular, rather than receiving all the different lists of dependencies mashed together as one big list, and then partitioning into Haskell and non-Hakell dependencies, they work from the original many different dependency parameters and don't need to algorithmically partition anything. This means that if you incorrectly categorize a dependency, e.g. non-Haskell library dependency as a `buildDepends` or run-time Haskell dependency as a `setupDepends`, whereas things would have worked before they may not work now. -- The gcc-snapshot-package has been removed. It\'s marked as broken for \>2 years and used to point to a fairly old snapshot from the gcc7-branch. +- The gcc-snapshot-package has been removed. It's marked as broken for \>2 years and used to point to a fairly old snapshot from the gcc7-branch. - The nixos-build-vms8 -script now uses the python test-driver. @@ -398,21 +398,21 @@ When upgrading from a previous release, please be aware of the following incompa - Stand-alone usage of `Upower` now requires `services.upower.enable` instead of just installing into [environment.systemPackages](options.html#opt-environment.systemPackages). -- nextcloud has been updated to `v18.0.2`. This means that users from NixOS 19.09 can\'t upgrade directly since you can only move one version forward and 19.09 uses `v16.0.8`. +- nextcloud has been updated to `v18.0.2`. This means that users from NixOS 19.09 can't upgrade directly since you can only move one version forward and 19.09 uses `v16.0.8`. To provide a safe upgrade-path and to circumvent similar issues in the future, the following measures were taken: - The pkgs.nextcloud-attribute has been removed and replaced with versioned attributes (currently pkgs.nextcloud17 and pkgs.nextcloud18). With this change major-releases can be backported without breaking stuff and to make upgrade-paths easier. - - Existing setups will be detected using [system.stateVersion](options.html#opt-system.stateVersion): by default, nextcloud17 will be used, but will raise a warning which notes that after that deploy it\'s recommended to update to the latest stable version (nextcloud18) by declaring the newly introduced setting [services.nextcloud.package](options.html#opt-services.nextcloud.package). + - Existing setups will be detected using [system.stateVersion](options.html#opt-system.stateVersion): by default, nextcloud17 will be used, but will raise a warning which notes that after that deploy it's recommended to update to the latest stable version (nextcloud18) by declaring the newly introduced setting [services.nextcloud.package](options.html#opt-services.nextcloud.package). - - Users with an overlay (e.g. to use nextcloud at version `v18` on `19.09`) will get an evaluation error by default. This is done to ensure that our [package](options.html#opt-services.nextcloud.package)-option doesn\'t select an older version by accident. It\'s recommended to use pkgs.nextcloud18 or to set [package](options.html#opt-services.nextcloud.package) to pkgs.nextcloud explicitly. + - Users with an overlay (e.g. to use nextcloud at version `v18` on `19.09`) will get an evaluation error by default. This is done to ensure that our [package](options.html#opt-services.nextcloud.package)-option doesn't select an older version by accident. It's recommended to use pkgs.nextcloud18 or to set [package](options.html#opt-services.nextcloud.package) to pkgs.nextcloud explicitly. ::: {.warning} - Please note that if you\'re coming from `19.03` or older, you have to manually upgrade to `19.09` first to upgrade your server to Nextcloud v16. + Please note that if you're coming from `19.03` or older, you have to manually upgrade to `19.09` first to upgrade your server to Nextcloud v16. ::: -- Hydra has gained a massive performance improvement due to [some database schema changes](https://github.com/NixOS/hydra/pull/710) by adding several IDs and better indexing. However, it\'s necessary to upgrade Hydra in multiple steps: +- Hydra has gained a massive performance improvement due to [some database schema changes](https://github.com/NixOS/hydra/pull/710) by adding several IDs and better indexing. However, it's necessary to upgrade Hydra in multiple steps: - At first, an older version of Hydra needs to be deployed which adds those (nullable) columns. When having set [stateVersion ](options.html#opt-system.stateVersion) to a value older than `20.03`, this package will be selected by default from the module when upgrading. Otherwise, the package can be deployed using the following config: @@ -434,13 +434,13 @@ When upgrading from a previous release, please be aware of the following incompa - Deploy a newer version of Hydra to activate the DB optimizations. This can be done by using hydra-unstable. This package already includes [flake-support](https://github.com/nixos/rfcs/pull/49) and is therefore compiled against pkgs.nixFlakes. ::: {.warning} - If your [stateVersion](options.html#opt-system.stateVersion) is set to `20.03` or greater, hydra-unstable will be used automatically! This will break your setup if you didn\'t run the migration. + If your [stateVersion](options.html#opt-system.stateVersion) is set to `20.03` or greater, hydra-unstable will be used automatically! This will break your setup if you didn't run the migration. ::: - Please note that Hydra is currently not available with nixStable as this doesn\'t compile anymore. + Please note that Hydra is currently not available with nixStable as this doesn't compile anymore. ::: {.warning} - pkgs.hydra has been removed to ensure a graceful database-migration using the dedicated package-attributes. If you still have pkgs.hydra defined in e.g. an overlay, an assertion error will be thrown. To circumvent this, you need to set [services.hydra.package](options.html#opt-services.hydra.package) to pkgs.hydra explicitly and make sure you know what you\'re doing! + pkgs.hydra has been removed to ensure a graceful database-migration using the dedicated package-attributes. If you still have pkgs.hydra defined in e.g. an overlay, an assertion error will be thrown. To circumvent this, you need to set [services.hydra.package](options.html#opt-services.hydra.package) to pkgs.hydra explicitly and make sure you know what you're doing! ::: - The TokuDB storage engine will be disabled in mariadb 10.5. It is recommended to switch to RocksDB. See also [TokuDB](https://mariadb.com/kb/en/tokudb/). @@ -478,9 +478,9 @@ When upgrading from a previous release, please be aware of the following incompa Depending on your setup, you need to incorporate one of the following changes in your setup to upgrade to 20.03: - - If you use `sqlite3` you don\'t need to do anything. + - If you use `sqlite3` you don't need to do anything. - - If you use `postgresql` on a different server, you don\'t need to change anything as well since this module was never designed to configure remote databases. + - If you use `postgresql` on a different server, you don't need to change anything as well since this module was never designed to configure remote databases. - If you use `postgresql` and configured your synapse initially on `19.09` or older, you simply need to enable postgresql-support explicitly: @@ -496,12 +496,12 @@ When upgrading from a previous release, please be aware of the following incompa - If you deploy a fresh matrix-synapse, you need to configure the database yourself (e.g. by using the [services.postgresql.initialScript](options.html#opt-services.postgresql.initialScript) option). An example for this can be found in the [documentation of the Matrix module](#module-services-matrix). -- If you initially deployed your matrix-synapse on `nixos-unstable` _after_ the `19.09`-release, your database is misconfigured due to a regression in NixOS. For now, matrix-synapse will startup with a warning, but it\'s recommended to reconfigure the database to set the values `LC_COLLATE` and `LC_CTYPE` to [`'C'`](https://www.postgresql.org/docs/12/locale.html). +- If you initially deployed your matrix-synapse on `nixos-unstable` _after_ the `19.09`-release, your database is misconfigured due to a regression in NixOS. For now, matrix-synapse will startup with a warning, but it's recommended to reconfigure the database to set the values `LC_COLLATE` and `LC_CTYPE` to [`'C'`](https://www.postgresql.org/docs/12/locale.html). -- The [systemd.network.links](options.html#opt-systemd.network.links) option is now respected even when [systemd-networkd](options.html#opt-systemd.network.enable) is disabled. This mirrors the behaviour of systemd - It\'s udev that parses `.link` files, not `systemd-networkd`. +- The [systemd.network.links](options.html#opt-systemd.network.links) option is now respected even when [systemd-networkd](options.html#opt-systemd.network.enable) is disabled. This mirrors the behaviour of systemd - It's udev that parses `.link` files, not `systemd-networkd`. - mongodb has been updated to version `3.4.24`. ::: {.warning} - Please note that mongodb has been relicensed under their own [` sspl`](https://www.mongodb.com/licensing/server-side-public-license/faq)-license. Since it\'s not entirely free and not OSI-approved, it\'s listed as non-free. This means that Hydra doesn\'t provide prebuilt mongodb-packages and needs to be built locally. + Please note that mongodb has been relicensed under their own [` sspl`](https://www.mongodb.com/licensing/server-side-public-license/faq)-license. Since it's not entirely free and not OSI-approved, it's listed as non-free. This means that Hydra doesn't provide prebuilt mongodb-packages and needs to be built locally. ::: diff --git a/nixos/doc/manual/release-notes/rl-2009.section.md b/nixos/doc/manual/release-notes/rl-2009.section.md index 79be2a56a54eb..6995ef1d406cf 100644 --- a/nixos/doc/manual/release-notes/rl-2009.section.md +++ b/nixos/doc/manual/release-notes/rl-2009.section.md @@ -218,7 +218,7 @@ In addition to 1119 new, 118 updated, and 476 removed options; 61 new modules we When upgrading from a previous release, please be aware of the following incompatible changes: -- MariaDB has been updated to 10.4, MariaDB Galera to 26.4. Before you upgrade, it would be best to take a backup of your database. For MariaDB Galera Cluster, see [Upgrading from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster](https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104-with-galera-cluster/) instead. Before doing the upgrade read [Incompatible Changes Between 10.3 and 10.4](https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104/#incompatible-changes-between-103-and-104). After the upgrade you will need to run `mysql_upgrade`. MariaDB 10.4 introduces a number of changes to the authentication process, intended to make things easier and more intuitive. See [Authentication from MariaDB 10.4](https://mariadb.com/kb/en/authentication-from-mariadb-104/). unix_socket auth plugin does not use a password, and uses the connecting user\'s UID instead. When a new MariaDB data directory is initialized, two MariaDB users are created and can be used with new unix_socket auth plugin, as well as traditional mysql_native_password plugin: root\@localhost and mysql\@localhost. To actually use the traditional mysql_native_password plugin method, one must run the following: +- MariaDB has been updated to 10.4, MariaDB Galera to 26.4. Before you upgrade, it would be best to take a backup of your database. For MariaDB Galera Cluster, see [Upgrading from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster](https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104-with-galera-cluster/) instead. Before doing the upgrade read [Incompatible Changes Between 10.3 and 10.4](https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104/#incompatible-changes-between-103-and-104). After the upgrade you will need to run `mysql_upgrade`. MariaDB 10.4 introduces a number of changes to the authentication process, intended to make things easier and more intuitive. See [Authentication from MariaDB 10.4](https://mariadb.com/kb/en/authentication-from-mariadb-104/). unix_socket auth plugin does not use a password, and uses the connecting user's UID instead. When a new MariaDB data directory is initialized, two MariaDB users are created and can be used with new unix_socket auth plugin, as well as traditional mysql_native_password plugin: root\@localhost and mysql\@localhost. To actually use the traditional mysql_native_password plugin method, one must run the following: ```nix { @@ -284,7 +284,7 @@ When upgrading from a previous release, please be aware of the following incompa - The [matrix-synapse](options.html#opt-services.matrix-synapse.enable) module no longer includes optional dependencies by default, they have to be added through the [plugins](options.html#opt-services.matrix-synapse.plugins) option. -- `buildGoModule` now internally creates a vendor directory in the source tree for downloaded modules instead of using go\'s [module proxy protocol](https://golang.org/cmd/go/#hdr-Module_proxy_protocol). This storage format is simpler and therefore less likely to break with future versions of go. As a result `buildGoModule` switched from `modSha256` to the `vendorSha256` attribute to pin fetched version data. +- `buildGoModule` now internally creates a vendor directory in the source tree for downloaded modules instead of using go's [module proxy protocol](https://golang.org/cmd/go/#hdr-Module_proxy_protocol). This storage format is simpler and therefore less likely to break with future versions of go. As a result `buildGoModule` switched from `modSha256` to the `vendorSha256` attribute to pin fetched version data. - Grafana is now built without support for phantomjs by default. Phantomjs support has been [deprecated in Grafana](https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-4/) and the phantomjs project is [currently unmaintained](https://github.com/ariya/phantomjs/issues/15344#issue-302015362). It can still be enabled by providing `phantomJsSupport = true` to the package instantiation: @@ -306,9 +306,9 @@ When upgrading from a previous release, please be aware of the following incompa - The initrd SSH support now uses OpenSSH rather than Dropbear to allow the use of Ed25519 keys and other OpenSSH-specific functionality. Host keys must now be in the OpenSSH format, and at least one pre-generated key must be specified. - If you used the `boot.initrd.network.ssh.host*Key` options, you\'ll get an error explaining how to convert your host keys and migrate to the new `boot.initrd.network.ssh.hostKeys` option. Otherwise, if you don\'t have any host keys set, you\'ll need to generate some; see the `hostKeys` option documentation for instructions. + If you used the `boot.initrd.network.ssh.host*Key` options, you'll get an error explaining how to convert your host keys and migrate to the new `boot.initrd.network.ssh.hostKeys` option. Otherwise, if you don't have any host keys set, you'll need to generate some; see the `hostKeys` option documentation for instructions. -- Since this release there\'s an easy way to customize your PHP install to get a much smaller base PHP with only wanted extensions enabled. See the following snippet installing a smaller PHP with the extensions `imagick`, `opcache`, `pdo` and `pdo_mysql` loaded: +- Since this release there's an easy way to customize your PHP install to get a much smaller base PHP with only wanted extensions enabled. See the following snippet installing a smaller PHP with the extensions `imagick`, `opcache`, `pdo` and `pdo_mysql` loaded: ```nix { @@ -325,7 +325,7 @@ When upgrading from a previous release, please be aware of the following incompa } ``` - The default `php` attribute hasn\'t lost any extensions. The `opcache` extension has been added. All upstream PHP extensions are available under php.extensions.\<name?\>. + The default `php` attribute hasn't lost any extensions. The `opcache` extension has been added. All upstream PHP extensions are available under php.extensions.\<name?\>. All PHP `config` flags have been removed for the following reasons: @@ -418,9 +418,9 @@ When upgrading from a previous release, please be aware of the following incompa The default value for [services.httpd.mpm](options.html#opt-services.httpd.mpm) has been changed from `prefork` to `event`. Along with this change the default value for [services.httpd.virtualHosts.\<name\>.http2](options.html#opt-services.httpd.virtualHosts) has been set to `true`. -- The `systemd-networkd` option `systemd.network.networks.<name>.dhcp.CriticalConnection` has been removed following upstream systemd\'s deprecation of the same. It is recommended to use `systemd.network.networks.<name>.networkConfig.KeepConfiguration` instead. See systemd.network 5 for details. +- The `systemd-networkd` option `systemd.network.networks.<name>.dhcp.CriticalConnection` has been removed following upstream systemd's deprecation of the same. It is recommended to use `systemd.network.networks.<name>.networkConfig.KeepConfiguration` instead. See systemd.network 5 for details. -- The `systemd-networkd` option `systemd.network.networks._name_.dhcpConfig` has been renamed to [systemd.network.networks._name_.dhcpV4Config](options.html#opt-systemd.network.networks._name_.dhcpV4Config) following upstream systemd\'s documentation change. See systemd.network 5 for details. +- The `systemd-networkd` option `systemd.network.networks._name_.dhcpConfig` has been renamed to [systemd.network.networks._name_.dhcpV4Config](options.html#opt-systemd.network.networks._name_.dhcpV4Config) following upstream systemd's documentation change. See systemd.network 5 for details. - In the `picom` module, several options that accepted floating point numbers encoded as strings (for example [services.picom.activeOpacity](options.html#opt-services.picom.activeOpacity)) have been changed to the (relatively) new native `float` type. To migrate your configuration simply remove the quotes around the numbers. @@ -440,7 +440,7 @@ When upgrading from a previous release, please be aware of the following incompa - The GRUB specific option `boot.loader.grub.extraInitrd` has been replaced with the generic option `boot.initrd.secrets`. This option creates a secondary initrd from the specified files, rather than using a manually created initrd file. Due to an existing bug with `boot.loader.grub.extraInitrd`, it is not possible to directly boot an older generation that used that option. It is still possible to rollback to that generation if the required initrd file has not been deleted. -- The [DNSChain](https://github.com/okTurtles/dnschain) package and NixOS module have been removed from Nixpkgs as the software is unmaintained and can\'t be built. For more information see issue [\#89205](https://github.com/NixOS/nixpkgs/issues/89205). +- The [DNSChain](https://github.com/okTurtles/dnschain) package and NixOS module have been removed from Nixpkgs as the software is unmaintained and can't be built. For more information see issue [\#89205](https://github.com/NixOS/nixpkgs/issues/89205). - In the `resilio` module, [services.resilio.httpListenAddr](options.html#opt-services.resilio.httpListenAddr) has been changed to listen to `[::1]` instead of `0.0.0.0`. @@ -456,7 +456,7 @@ When upgrading from a previous release, please be aware of the following incompa - Update servers first, then clients. -- Radicale\'s default package has changed from 2.x to 3.x. An upgrade checklist can be found [here](https://github.com/Kozea/Radicale/blob/3.0.x/NEWS.md#upgrade-checklist). You can use the newer version in the NixOS service by setting the `package` to `radicale3`, which is done automatically if `stateVersion` is 20.09 or higher. +- Radicale's default package has changed from 2.x to 3.x. An upgrade checklist can be found [here](https://github.com/Kozea/Radicale/blob/3.0.x/NEWS.md#upgrade-checklist). You can use the newer version in the NixOS service by setting the `package` to `radicale3`, which is done automatically if `stateVersion` is 20.09 or higher. - `udpt` experienced a complete rewrite from C++ to rust. The configuration format changed from ini to toml. The new configuration documentation can be found at [the official website](https://naim94a.github.io/udpt/config.html) and example configuration is packaged in `${udpt}/share/udpt/udpt.toml`. @@ -522,7 +522,7 @@ When upgrading from a previous release, please be aware of the following incompa } ``` - The base package has also been upgraded to the 2020-07-29 \"Hogfather\" release. Plugins might be incompatible or require upgrading. + The base package has also been upgraded to the 2020-07-29 "Hogfather" release. Plugins might be incompatible or require upgrading. - The [services.postgresql.dataDir](options.html#opt-services.postgresql.dataDir) option is now set to `"/var/lib/postgresql/${cfg.package.psqlSchema}"` regardless of your [system.stateVersion](options.html#opt-system.stateVersion). Users with an existing postgresql install that have a [system.stateVersion](options.html#opt-system.stateVersion) of `17.03` or below should double check what the value of their [services.postgresql.dataDir](options.html#opt-services.postgresql.dataDir) option is (`/var/db/postgresql`) and then explicitly set this value to maintain compatibility: @@ -552,17 +552,17 @@ When upgrading from a previous release, please be aware of the following incompa - The [jellyfin](options.html#opt-services.jellyfin.enable) module will use and stay on the Jellyfin version `10.5.5` if `stateVersion` is lower than `20.09`. This is because significant changes were made to the database schema, and it is highly recommended to backup your instance before upgrading. After making your backup, you can upgrade to the latest version either by setting your `stateVersion` to `20.09` or higher, or set the `services.jellyfin.package` to `pkgs.jellyfin`. If you do not wish to upgrade Jellyfin, but want to change your `stateVersion`, you can set the value of `services.jellyfin.package` to `pkgs.jellyfin_10_5`. -- The `security.rngd` service is now disabled by default. This choice was made because there\'s krngd in the linux kernel space making it (for most usecases) functionally redundent. +- The `security.rngd` service is now disabled by default. This choice was made because there's krngd in the linux kernel space making it (for most usecases) functionally redundent. - The `hardware.nvidia.optimus_prime.enable` service has been renamed to `hardware.nvidia.prime.sync.enable` and has many new enhancements. Related nvidia prime settings may have also changed. - The package nextcloud17 has been removed and nextcloud18 was marked as insecure since both of them will [ will be EOL (end of life) within the lifetime of 20.09](https://docs.nextcloud.com/server/19/admin_manual/release_schedule.html). - It\'s necessary to upgrade to nextcloud19: + It's necessary to upgrade to nextcloud19: - - From nextcloud17, you have to upgrade to nextcloud18 first as Nextcloud doesn\'t allow going multiple major revisions forward in a single upgrade. This is possible by setting [services.nextcloud.package](options.html#opt-services.nextcloud.package) to nextcloud18. + - From nextcloud17, you have to upgrade to nextcloud18 first as Nextcloud doesn't allow going multiple major revisions forward in a single upgrade. This is possible by setting [services.nextcloud.package](options.html#opt-services.nextcloud.package) to nextcloud18. - - From nextcloud18, it\'s possible to directly upgrade to nextcloud19 by setting [services.nextcloud.package](options.html#opt-services.nextcloud.package) to nextcloud19. + - From nextcloud18, it's possible to directly upgrade to nextcloud19 by setting [services.nextcloud.package](options.html#opt-services.nextcloud.package) to nextcloud19. - The GNOME desktop manager no longer default installs gnome3.epiphany. It was chosen to do this as it has a usability breaking issue (see issue [\#98819](https://github.com/NixOS/nixpkgs/issues/98819)) that makes it unsuitable to be a default app. @@ -578,7 +578,7 @@ When upgrading from a previous release, please be aware of the following incompa - `services.journald.rateLimitBurst` was updated from `1000` to `10000` to follow the new upstream systemd default. -- The notmuch package moves its emacs-related binaries and emacs lisp files to a separate output. They\'re not part of the default `out` output anymore - if you relied on the `notmuch-emacs-mua` binary or the emacs lisp files, access them via the `notmuch.emacs` output. +- The notmuch package moves its emacs-related binaries and emacs lisp files to a separate output. They're not part of the default `out` output anymore - if you relied on the `notmuch-emacs-mua` binary or the emacs lisp files, access them via the `notmuch.emacs` output. - Device tree overlay support was improved in [\#79370](https://github.com/NixOS/nixpkgs/pull/79370) and now uses [hardware.deviceTree.kernelPackage](options.html#opt-hardware.deviceTree.kernelPackage) instead of `hardware.deviceTree.base`. [hardware.deviceTree.overlays](options.html#opt-hardware.deviceTree.overlays) configuration was extended to support `.dts` files with symbols. Device trees can now be filtered by setting [hardware.deviceTree.filter](options.html#opt-hardware.deviceTree.filter) option. @@ -590,7 +590,7 @@ When upgrading from a previous release, please be aware of the following incompa Please note that Rust packages utilizing a custom build/install procedure (e.g. by using a `Makefile`) or test suites that rely on the structure of the `target/` directory may break due to those assumptions. For further information, please read the Rust section in the Nixpkgs manual. -- The cc- and binutils-wrapper\'s \"infix salt\" and `_BUILD_` and `_TARGET_` user infixes have been replaced with with a \"suffix salt\" and suffixes and `_FOR_BUILD` and `_FOR_TARGET`. This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier. +- The cc- and binutils-wrapper's "infix salt" and `_BUILD_` and `_TARGET_` user infixes have been replaced with with a "suffix salt" and suffixes and `_FOR_BUILD` and `_FOR_TARGET`. This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier. - Additional Git documentation (HTML and text files) is now available via the `git-doc` package. @@ -598,7 +598,7 @@ When upgrading from a previous release, please be aware of the following incompa - The installer now enables sshd by default. This improves installation on headless machines especially ARM single-board-computer. To login through ssh, either a password or an ssh key must be set for the root user or the nixos user. -- The scripted networking system now uses `.link` files in `/etc/systemd/network` to configure mac address and link MTU, instead of the sometimes buggy `network-link-*` units, which have been removed. Bringing the interface up has been moved to the beginning of the `network-addresses-*` unit. Note this doesn\'t require `systemd-networkd` - it\'s udev that parses `.link` files. Extra care needs to be taken in the presence of [legacy udev rules](https://wiki.debian.org/NetworkInterfaceNames#THE_.22PERSISTENT_NAMES.22_SCHEME) to rename interfaces, as MAC Address and MTU defined in these options can only match on the original link name. In such cases, you most likely want to create a `10-*.link` file through [systemd.network.links](options.html#opt-systemd.network.links) and set both name and MAC Address / MTU there. +- The scripted networking system now uses `.link` files in `/etc/systemd/network` to configure mac address and link MTU, instead of the sometimes buggy `network-link-*` units, which have been removed. Bringing the interface up has been moved to the beginning of the `network-addresses-*` unit. Note this doesn't require `systemd-networkd` - it's udev that parses `.link` files. Extra care needs to be taken in the presence of [legacy udev rules](https://wiki.debian.org/NetworkInterfaceNames#THE_.22PERSISTENT_NAMES.22_SCHEME) to rename interfaces, as MAC Address and MTU defined in these options can only match on the original link name. In such cases, you most likely want to create a `10-*.link` file through [systemd.network.links](options.html#opt-systemd.network.links) and set both name and MAC Address / MTU there. - Grafana received a major update to version 7.x. A plugin is now needed for image rendering support, and plugins must now be signed by default. More information can be found [in the Grafana documentation](https://grafana.com/docs/grafana/latest/installation/upgrading/#upgrading-to-v7-0). @@ -624,15 +624,15 @@ When upgrading from a previous release, please be aware of the following incompa to get the previous behavior of listening on all network interfaces. -- With this release `systemd-networkd` (when enabled through [networking.useNetworkd](options.html#opt-networking.useNetworkd)) has it\'s netlink socket created through a `systemd.socket` unit. This gives us control over socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual) devices the default buffer size (currently 128MB) is not enough. +- With this release `systemd-networkd` (when enabled through [networking.useNetworkd](options.html#opt-networking.useNetworkd)) has it's netlink socket created through a `systemd.socket` unit. This gives us control over socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual) devices the default buffer size (currently 128MB) is not enough. On a machine with \>100 virtual interfaces (e.g., wireguard tunnels, VLANs, ...), that all have to be brought up during system startup, the receive buffer size will spike for a brief period. Eventually some of the message will be dropped since there is not enough (permitted) buffer space available. By having `systemd-networkd` start with a netlink socket created by `systemd` we can configure the `ReceiveBufferSize=` parameter in the socket options (i.e. `systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize`) without recompiling `systemd-networkd`. - Since the actual memory requirements depend on hardware, timing, exact configurations etc. it isn\'t currently possible to infer a good default from within the NixOS module system. Administrators are advised to monitor the logs of `systemd-networkd` for `rtnl: kernel receive buffer overrun` spam and increase the memory limit as they see fit. + Since the actual memory requirements depend on hardware, timing, exact configurations etc. it isn't currently possible to infer a good default from within the NixOS module system. Administrators are advised to monitor the logs of `systemd-networkd` for `rtnl: kernel receive buffer overrun` spam and increase the memory limit as they see fit. - Note: Increasing the `ReceiveBufferSize=` doesn\'t allocate any memory. It just increases the upper bound on the kernel side. The memory allocation depends on the amount of messages that are queued on the kernel side of the netlink socket. + Note: Increasing the `ReceiveBufferSize=` doesn't allocate any memory. It just increases the upper bound on the kernel side. The memory allocation depends on the amount of messages that are queued on the kernel side of the netlink socket. - Specifying [mailboxes](options.html#opt-services.dovecot2.mailboxes) in the dovecot2 module as a list is deprecated and will break eval in 21.05. Instead, an attribute-set should be specified where the `name` should be the key of the attribute. @@ -662,7 +662,7 @@ When upgrading from a previous release, please be aware of the following incompa - nextcloud has been updated to [v19](https://nextcloud.com/blog/nextcloud-hub-brings-productivity-to-home-office/). - If you have an existing installation, please make sure that you\'re on nextcloud18 before upgrading to nextcloud19 since Nextcloud doesn\'t support upgrades across multiple major versions. + If you have an existing installation, please make sure that you're on nextcloud18 before upgrading to nextcloud19 since Nextcloud doesn't support upgrades across multiple major versions. - The `nixos-run-vms` script now deletes the previous run machines states on test startup. You can use the `--keep-vm-state` flag to match the previous behaviour and keep the same VM state between different test runs. diff --git a/nixos/doc/manual/release-notes/rl-2105.section.md b/nixos/doc/manual/release-notes/rl-2105.section.md index 359f2e5b2e583..6244d79e7e781 100644 --- a/nixos/doc/manual/release-notes/rl-2105.section.md +++ b/nixos/doc/manual/release-notes/rl-2105.section.md @@ -68,9 +68,9 @@ When upgrading from a previous release, please be aware of the following incompa - If the `services.dbus` module is enabled, then the user D-Bus session is now always socket activated. The associated options `services.dbus.socketActivated` and `services.xserver.startDbusSession` have therefore been removed and you will receive a warning if they are present in your configuration. This change makes the user D-Bus session available also for non-graphical logins. -- The `networking.wireless.iwd` module now installs the upstream-provided 80-iwd.link file, which sets the NamePolicy= for all wlan devices to \"keep kernel\", to avoid race conditions between iwd and networkd. If you don\'t want this, you can set `systemd.network.links."80-iwd" = lib.mkForce {}`. +- The `networking.wireless.iwd` module now installs the upstream-provided 80-iwd.link file, which sets the NamePolicy= for all wlan devices to "keep kernel", to avoid race conditions between iwd and networkd. If you don't want this, you can set `systemd.network.links."80-iwd" = lib.mkForce {}`. -- `rubyMinimal` was removed due to being unused and unusable. The default ruby interpreter includes JIT support, which makes it reference it\'s compiler. Since JIT support is probably needed by some Gems, it was decided to enable this feature with all cc references by default, and allow to build a Ruby derivation without references to cc, by setting `jitSupport = false;` in an overlay. See [\#90151](https://github.com/NixOS/nixpkgs/pull/90151) for more info. +- `rubyMinimal` was removed due to being unused and unusable. The default ruby interpreter includes JIT support, which makes it reference it's compiler. Since JIT support is probably needed by some Gems, it was decided to enable this feature with all cc references by default, and allow to build a Ruby derivation without references to cc, by setting `jitSupport = false;` in an overlay. See [\#90151](https://github.com/NixOS/nixpkgs/pull/90151) for more info. - Setting `services.openssh.authorizedKeysFiles` now also affects which keys `security.pam.enableSSHAgentAuth` will use. WARNING: If you are using these options in combination do make sure that any key paths you use are present in `services.openssh.authorizedKeysFiles`! @@ -130,7 +130,7 @@ When upgrading from a previous release, please be aware of the following incompa - `vim` and `neovim` switched to Python 3, dropping all Python 2 support. -- [networking.wireguard.interfaces.\<name\>.generatePrivateKeyFile](options.html#opt-networking.wireguard.interfaces), which is off by default, had a `chmod` race condition fixed. As an aside, the parent directory\'s permissions were widened, and the key files were made owner-writable. This only affects newly created keys. However, if the exact permissions are important for your setup, read [\#121294](https://github.com/NixOS/nixpkgs/pull/121294). +- [networking.wireguard.interfaces.\<name\>.generatePrivateKeyFile](options.html#opt-networking.wireguard.interfaces), which is off by default, had a `chmod` race condition fixed. As an aside, the parent directory's permissions were widened, and the key files were made owner-writable. This only affects newly created keys. However, if the exact permissions are important for your setup, read [\#121294](https://github.com/NixOS/nixpkgs/pull/121294). - [boot.zfs.forceImportAll](options.html#opt-boot.zfs.forceImportAll) previously did nothing, but has been fixed. However its default has been changed to `false` to preserve the existing default behaviour. If you have this explicitly set to `true`, please note that your non-root pools will now be forcibly imported. @@ -157,12 +157,12 @@ When upgrading from a previous release, please be aware of the following incompa - Amazon EC2 and OpenStack Compute (nova) images now re-fetch instance meta data and user data from the instance metadata service (IMDS) on each boot. For example: stopping an EC2 instance, changing its user data, and restarting the instance will now cause it to fetch and apply the new user data. ::: {.warning} - Specifically, `/etc/ec2-metadata` is re-populated on each boot. Some NixOS scripts that read from this directory are guarded to only run if the files they want to manipulate do not already exist, and so will not re-apply their changes if the IMDS response changes. Examples: `root`\'s SSH key is only added if `/root/.ssh/authorized_keys` does not exist, and SSH host keys are only set from user data if they do not exist in `/etc/ssh`. + Specifically, `/etc/ec2-metadata` is re-populated on each boot. Some NixOS scripts that read from this directory are guarded to only run if the files they want to manipulate do not already exist, and so will not re-apply their changes if the IMDS response changes. Examples: `root`'s SSH key is only added if `/root/.ssh/authorized_keys` does not exist, and SSH host keys are only set from user data if they do not exist in `/etc/ssh`. ::: - The `rspamd` services is now sandboxed. It is run as a dynamic user instead of root, so secrets and other files may have to be moved or their permissions may have to be fixed. The sockets are now located in `/run/rspamd` instead of `/run`. -- Enabling the Tor client no longer silently also enables and configures Privoxy, and the `services.tor.client.privoxy.enable` option has been removed. To enable Privoxy, and to configure it to use Tor\'s faster port, use the following configuration: +- Enabling the Tor client no longer silently also enables and configures Privoxy, and the `services.tor.client.privoxy.enable` option has been removed. To enable Privoxy, and to configure it to use Tor's faster port, use the following configuration: ```nix { @@ -181,7 +181,7 @@ When upgrading from a previous release, please be aware of the following incompa - The fish-foreign-env package has been replaced with fishPlugins.foreign-env, in which the fish functions have been relocated to the `vendor_functions.d` directory to be loaded automatically. -- The prometheus json exporter is now managed by the prometheus community. Together with additional features some backwards incompatibilities were introduced. Most importantly the exporter no longer accepts a fixed command-line parameter to specify the URL of the endpoint serving JSON. It now expects this URL to be passed as an URL parameter, when scraping the exporter\'s `/probe` endpoint. In the prometheus scrape configuration the scrape target might look like this: +- The prometheus json exporter is now managed by the prometheus community. Together with additional features some backwards incompatibilities were introduced. Most importantly the exporter no longer accepts a fixed command-line parameter to specify the URL of the endpoint serving JSON. It now expects this URL to be passed as an URL parameter, when scraping the exporter's `/probe` endpoint. In the prometheus scrape configuration the scrape target might look like this: ``` http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/endpoint @@ -230,7 +230,7 @@ When upgrading from a previous release, please be aware of the following incompa Additionally, packages flashplayer and hal-flash were removed along with the `services.flashpolicyd` module. -- The `security.rngd` module has been removed. It was disabled by default in 20.09 as it was functionally redundant with krngd in the linux kernel. It is not necessary for any device that the kernel recognises as an hardware RNG, as it will automatically run the krngd task to periodically collect random data from the device and mix it into the kernel\'s RNG. +- The `security.rngd` module has been removed. It was disabled by default in 20.09 as it was functionally redundant with krngd in the linux kernel. It is not necessary for any device that the kernel recognises as an hardware RNG, as it will automatically run the krngd task to periodically collect random data from the device and mix it into the kernel's RNG. The default SMTP port for GitLab has been changed to `25` from its previous default of `465`. If you depended on this default, you should now set the [services.gitlab.smtp.port](options.html#opt-services.gitlab.smtp.port) option. @@ -272,11 +272,11 @@ When upgrading from a previous release, please be aware of the following incompa - `environment.defaultPackages` now includes the nano package. If pkgs.nano is not added to the list, make sure another editor is installed and the `EDITOR` environment variable is set to it. Environment variables can be set using `environment.variables`. -- `services.minio.dataDir` changed type to a list of paths, required for specifiyng multiple data directories for using with erasure coding. Currently, the service doesn\'t enforce nor checks the correct number of paths to correspond to minio requirements. +- `services.minio.dataDir` changed type to a list of paths, required for specifiyng multiple data directories for using with erasure coding. Currently, the service doesn't enforce nor checks the correct number of paths to correspond to minio requirements. - All CUDA toolkit versions prior to CUDA 10 have been removed. -- The kbdKeymaps package was removed since dvp and neo are now included in kbd. If you want to use the Programmer Dvorak Keyboard Layout, you have to use `dvorak-programmer` in `console.keyMap` now instead of `dvp`. In `services.xserver.xkbVariant` it\'s still `dvp`. +- The kbdKeymaps package was removed since dvp and neo are now included in kbd. If you want to use the Programmer Dvorak Keyboard Layout, you have to use `dvorak-programmer` in `console.keyMap` now instead of `dvp`. In `services.xserver.xkbVariant` it's still `dvp`. - The babeld service is now being run as an unprivileged user. To achieve that the module configures `skip-kernel-setup true` and takes care of setting forwarding and rp_filter sysctls by itself as well as for each interface in `services.babeld.interfaces`. @@ -286,7 +286,7 @@ When upgrading from a previous release, please be aware of the following incompa - Instead of determining `services.radicale.package` automatically based on `system.stateVersion`, the latest version is always used because old versions are not officially supported. - Furthermore, Radicale\'s systemd unit was hardened which might break some deployments. In particular, a non-default `filesystem_folder` has to be added to `systemd.services.radicale.serviceConfig.ReadWritePaths` if the deprecated `services.radicale.config` is used. + Furthermore, Radicale's systemd unit was hardened which might break some deployments. In particular, a non-default `filesystem_folder` has to be added to `systemd.services.radicale.serviceConfig.ReadWritePaths` if the deprecated `services.radicale.config` is used. - In the `security.acme` module, use of `--reuse-key` parameter for Lego has been removed. It was introduced for HKPK, but this security feature is now deprecated. It is a better security practice to rotate key pairs instead of always keeping the same. If you need to keep this parameter, you can add it back using `extraLegoRenewFlags` as an option for the appropriate certificate. @@ -294,13 +294,13 @@ When upgrading from a previous release, please be aware of the following incompa - `stdenv.lib` has been deprecated and will break eval in 21.11. Please use `pkgs.lib` instead. See [\#108938](https://github.com/NixOS/nixpkgs/issues/108938) for details. -- [GNURadio](https://www.gnuradio.org/) has a `pkgs` attribute set, and there\'s a `gnuradio.callPackage` function that extends `pkgs` with a `mkDerivation`, and a `mkDerivationWith`, like Qt5. Now all `gnuradio.pkgs` are defined with `gnuradio.callPackage` and some packages that depend on gnuradio are defined with this as well. +- [GNURadio](https://www.gnuradio.org/) has a `pkgs` attribute set, and there's a `gnuradio.callPackage` function that extends `pkgs` with a `mkDerivation`, and a `mkDerivationWith`, like Qt5. Now all `gnuradio.pkgs` are defined with `gnuradio.callPackage` and some packages that depend on gnuradio are defined with this as well. - [Privoxy](https://www.privoxy.org/) has been updated to version 3.0.32 (See [announcement](https://lists.privoxy.org/pipermail/privoxy-announce/2021-February/000007.html)). Compared to the previous release, Privoxy has gained support for HTTPS inspection (still experimental), Brotli decompression, several new filters and lots of bug fixes, including security ones. In addition, the package is now built with compression and external filters support, which were previously disabled. Regarding the NixOS module, new options for HTTPS inspection have been added and `services.privoxy.extraConfig` has been replaced by the new [services.privoxy.settings](options.html#opt-services.privoxy.settings) (See [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) for the motivation). -- [Kodi](https://kodi.tv/) has been updated to version 19.1 \"Matrix\". See the [announcement](https://kodi.tv/article/kodi-19-0-matrix-release) for further details. +- [Kodi](https://kodi.tv/) has been updated to version 19.1 "Matrix". See the [announcement](https://kodi.tv/article/kodi-19-0-matrix-release) for further details. - The `services.packagekit.backend` option has been removed as it only supported a single setting which would always be the default. Instead new [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) compliant [services.packagekit.settings](options.html#opt-services.packagekit.settings) and [services.packagekit.vendorSettings](options.html#opt-services.packagekit.vendorSettings) options have been introduced. @@ -316,13 +316,13 @@ When upgrading from a previous release, please be aware of the following incompa If this option is disabled, default MTA config becomes not set and you should set the options in `services.mailman.settings.mta` according to the desired configuration as described in [Mailman documentation](https://mailman.readthedocs.io/en/latest/src/mailman/docs/mta.html). -- The default-version of `nextcloud` is nextcloud21. Please note that it\'s _not_ possible to upgrade `nextcloud` across multiple major versions! This means that it\'s e.g. not possible to upgrade from nextcloud18 to nextcloud20 in a single deploy and most `20.09` users will have to upgrade to nextcloud20 first. +- The default-version of `nextcloud` is nextcloud21. Please note that it's _not_ possible to upgrade `nextcloud` across multiple major versions! This means that it's e.g. not possible to upgrade from nextcloud18 to nextcloud20 in a single deploy and most `20.09` users will have to upgrade to nextcloud20 first. The package can be manually upgraded by setting [services.nextcloud.package](options.html#opt-services.nextcloud.package) to nextcloud21. - The setting [services.redis.bind](options.html#opt-services.redis.bind) defaults to `127.0.0.1` now, making Redis listen on the loopback interface only, and not all public network interfaces. -- NixOS now emits a deprecation warning if systemd\'s `StartLimitInterval` setting is used in a `serviceConfig` section instead of in a `unitConfig`; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See [\#45785](https://github.com/NixOS/nixpkgs/issues/45785) for details. +- NixOS now emits a deprecation warning if systemd's `StartLimitInterval` setting is used in a `serviceConfig` section instead of in a `unitConfig`; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See [\#45785](https://github.com/NixOS/nixpkgs/issues/45785) for details. All services should use [systemd.services._name_.startLimitIntervalSec](options.html#opt-systemd.services._name_.startLimitIntervalSec) or `StartLimitIntervalSec` in [systemd.services._name_.unitConfig](options.html#opt-systemd.services._name_.unitConfig) instead. @@ -357,7 +357,7 @@ When upgrading from a previous release, please be aware of the following incompa `services.unbound.forwardAddresses` and `services.unbound.allowedAccess` have also been changed to use the new settings interface. You can follow the instructions when executing `nixos-rebuild` to upgrade your configuration to use the new interface. -- The `services.dnscrypt-proxy2` module now takes the upstream\'s example configuration and updates it with the user\'s settings. An option has been added to restore the old behaviour if you prefer to declare the configuration from scratch. +- The `services.dnscrypt-proxy2` module now takes the upstream's example configuration and updates it with the user's settings. An option has been added to restore the old behaviour if you prefer to declare the configuration from scratch. - NixOS now defaults to the unified cgroup hierarchy (cgroupsv2). See the [Fedora Article for 31](https://www.redhat.com/sysadmin/fedora-31-control-group-v2) for details on why this is desirable, and how it impacts containers. @@ -367,11 +367,11 @@ When upgrading from a previous release, please be aware of the following incompa - GNOME users may wish to delete their `~/.config/pulse` due to the changes to stream routing logic. See [PulseAudio bug 832](https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/issues/832) for more information. -- The zookeeper package does not provide `zooInspector.sh` anymore, as that \"contrib\" has been dropped from upstream releases. +- The zookeeper package does not provide `zooInspector.sh` anymore, as that "contrib" has been dropped from upstream releases. -- In the ACME module, the data used to build the hash for the account directory has changed to accomodate new features to reduce account rate limit issues. This will trigger new account creation on the first rebuild following this update. No issues are expected to arise from this, thanks to the new account creation handling. +- In the ACME module, the data used to build the hash for the account directory has changed to accommodate new features to reduce account rate limit issues. This will trigger new account creation on the first rebuild following this update. No issues are expected to arise from this, thanks to the new account creation handling. -- [users.users._name_.createHome](options.html#opt-users.users._name_.createHome) now always ensures home directory permissions to be `0700`. Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others. The option\'s description was incorrect regarding ownership management and has been simplified greatly. +- [users.users._name_.createHome](options.html#opt-users.users._name_.createHome) now always ensures home directory permissions to be `0700`. Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others. The option's description was incorrect regarding ownership management and has been simplified greatly. - When defining a new user, one of [users.users._name_.isNormalUser](options.html#opt-users.users._name_.isNormalUser) and [users.users._name_.isSystemUser](options.html#opt-users.users._name_.isSystemUser) is now required. This is to prevent accidentally giving a UID above 1000 to system users, which could have unexpected consequences, like running user activation scripts for system users. Note that users defined with an explicit UID below 500 are exempted from this check, as [users.users._name_.isSystemUser](options.html#opt-users.users._name_.isSystemUser) has no effect for those. diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index 5cb3731071f32..7272e9231582c 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md @@ -164,6 +164,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [smartctl_exporter](https://github.com/prometheus-community/smartctl_exporter), a Prometheus exporter for [S.M.A.R.T.](https://en.wikipedia.org/wiki/S.M.A.R.T.) data. Available as [services.prometheus.exporters.smartctl](options.html#opt-services.prometheus.exporters.smartctl.enable). +- [twingate](https://docs.twingate.com/docs/linux), a high performance, easy to use zero trust solution that enables access to private resources from any device with better security than a VPN. + ## Backward Incompatibilities {#sec-release-21.11-incompatibilities} - The NixOS VM test framework, `pkgs.nixosTest`/`make-test-python.nix` (`pkgs.testers.nixosTest` since 22.05), now requires detaching commands such as `succeed("foo &")` and `succeed("foo | xclip -i")` to close stdout. @@ -233,7 +235,7 @@ In addition to numerous new and upgraded packages, this release has the followin - The `erigon` ethereum node has moved to a new database format in `2021-05-04`, and requires a full resync -- The `erigon` ethereum node has moved it's database location in `2021-08-03`, users upgrading must manually move their chaindata (see [release notes](https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03)). +- The `erigon` ethereum node has moved its database location in `2021-08-03`, users upgrading must manually move their chaindata (see [release notes](https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03)). - [users.users.<name>.group](options.html#opt-users.users._name_.group) no longer defaults to `nogroup`, which was insecure. Out-of-tree modules are likely to require adaptation: instead of ```nix @@ -427,7 +429,7 @@ In addition to numerous new and upgraded packages, this release has the followin - The `services.ddclient.password` option was removed, and replaced with `services.ddclient.passwordFile`. -- The default GNAT version has been changed: The `gnat` attribute now points to `gnat11` +- The default GNAT version has been changed: The `gnat` attribute now points to `gnat12` instead of `gnat9`. - `retroArchCores` has been removed. This means that using `nixpkgs.config.retroarch` to customize RetroArch cores is not supported anymore. Instead, use package overrides, for example: `retroarch.override { cores = with libretro; [ citra snes9x ]; };`. Also, `retroarchFull` derivation is available for those who want to have all RetroArch cores available. diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 217aa6056cad7..24f73dc3f00b6 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -9,8 +9,8 @@ In addition to numerous new and upgraded packages, this release has the followin - Nix has been updated from 2.3 to 2.8. This mainly brings experimental support for Flakes, but also marks the `nix` command as experimental which now has to be enabled via the configuration explicitly. For more information and - instructions for upgrades, see the - relase notes for [nix-2.4](https://nixos.org/manual/nix/stable/release-notes/rl-2.4.html), + instructions for upgrades, see the + relase notes for [nix-2.4](https://nixos.org/manual/nix/stable/release-notes/rl-2.4.html), [nix-2.5](https://nixos.org/manual/nix/stable/release-notes/rl-2.5.html), [nix-2.6](https://nixos.org/manual/nix/stable/release-notes/rl-2.6.html), [nix-2.7](https://nixos.org/manual/nix/stable/release-notes/rl-2.7.html) and @@ -30,7 +30,7 @@ In addition to numerous new and upgraded packages, this release has the followin - Systemd has been upgraded to the version 250. -- Pulseaudio has been updated to version 15.0 and now optionally +- Pulseaudio has been updated to version 15.0 and now optionally [supports additional Bluetooth audio codecs](https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/15.0/#supportforldacandaptxbluetoothcodecsplussbcxqsbcwithhigher-qualityparameters) such as aptX or LDAC, with codec switching available in `pavucontrol`. This feature is disabled by default, but can be enabled with the option @@ -50,7 +50,7 @@ In addition to numerous new and upgraded packages, this release has the followin settings for many certificates at once. This also opens up the option to use DNS-01 validation when using `enableACME` web server virtual hosts (e.g. `services.nginx.virtualHosts.*.enableACME`). - + ## New Services {#sec-release-22.05-new-services} - [1password](https://1password.com/), command-lines and graphic interface for 1Password. Available as [programs._1password](#opt-programs._1password.enable) and [programs._1password-gui](#opt-programs._1password.enable). @@ -107,7 +107,7 @@ In addition to numerous new and upgraded packages, this release has the followin - [kanidm](https://kanidm.github.io/kanidm/stable/), an identity management server written in Rust. Available as [services.kanidm](#opt-services.kanidm.enableServer) -- [Maddy](https://maddy.email/), a free an open source mail server. Availabe as [services.maddy](#opt-services.maddy.enable). +- [Maddy](https://maddy.email/), a free an open source mail server. Available as [services.maddy](#opt-services.maddy.enable). - [matrix-conduit](https://conduit.rs/), a simple, fast and reliable chat server powered by matrix. Available as [services.matrix-conduit](option.html#opt-services.matrix-conduit.enable). @@ -562,7 +562,7 @@ In addition to numerous new and upgraded packages, this release has the followin - `pkgs._7zz` is now correctly licensed as LGPL3+ and BSD3 with optional unfree unRAR licensed code - The `vim.customize` function produced by `vimUtils.makeCustomizable` now has a slightly different interface: - * The wrapper now includes everything in the given Vim derivation if `name` is `"vim"` (the default). This makes the `wrapManual` argument obsolete, but this behavior can be overriden by setting the `standalone` argument. + * The wrapper now includes everything in the given Vim derivation if `name` is `"vim"` (the default). This makes the `wrapManual` argument obsolete, but this behavior can be overridden by setting the `standalone` argument. * All the executables present in the given derivation (or, in `standalone` mode, only the `*vim` ones) are wrapped. This makes the `wrapGui` argument obsolete. * The `vimExecutableName` and `gvimExecutableName` arguments were replaced by a single `executableName` argument in which the shell variable `$exe` can be used to refer to the wrapped executable's name. @@ -743,11 +743,11 @@ In addition to numerous new and upgraded packages, this release has the followin - The configuration portion of the `nix-daemon` module has been reworked and exposed as [nix.settings](options.html#opt-nix-settings): * Legacy options have been mapped to the corresponding options under under [nix.settings](options.html#opt-nix.settings) and will be deprecated when NixOS 21.11 reaches end of life. * [nix.buildMachines.publicHostKey](options.html#opt-nix.buildMachines.publicHostKey) has been added. - + - [`kops`](https://kops.sigs.k8s.io) defaults to 1.23.2, which will enable [Instance Metadata Service Version 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) and require tokens on new clusters with Kubernetes >= 1.22. This will increase security by default, but may break some types of workloads. The default behaviour for `spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS` has changed from `true` to `false`. Cilium now has `disable-cnp-status-updates: true` by default. Set this to false if you rely on the CiliumNetworkPolicy status fields. Support for Kubernetes 1.17, the Lyft CNI, Weave CNI on Kubernetes >= 1.23, CentOS 7 and 8, Debian 9, RHEL 7, and Ubuntu 16.05 (Xenial) has been removed. See the [1.22 release notes](https://kops.sigs.k8s.io/releases/1.22-notes/) and [1.23 release notes](https://kops.sigs.k8s.io/releases/1.23-notes/) for more details, including other significant changes. - Mattermost has been upgraded to extended support version 6.3 as the previously - packaged extended support version 5.37 is [reaching end of life](https://docs.mattermost.com/upgrade/extended-support-release.html). + packaged extended support version 5.37 is [reaching end of life](https://docs.mattermost.com/upgrade/extended-support-release.html). Migration may take some time, see the [changelog](https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release) and [important upgrade notes](https://docs.mattermost.com/upgrade/important-upgrade-notes.html). @@ -762,14 +762,14 @@ In addition to numerous new and upgraded packages, this release has the followin By default auto-upgrade will now run immediately if it would have been triggered at least once during the time when the timer was inactive. -- Mastodon now uses `services.redis.servers` to start a new redis server, instead of using a global redis server. +- Mastodon now uses `services.redis.servers` to start a new redis server, instead of using a global redis server. This improves compatibility with other services that use redis. - - Note that this will recreate the redis database, although according to the [Mastodon docs](https://docs.joinmastodon.org/admin/backups/), + + Note that this will recreate the redis database, although according to the [Mastodon docs](https://docs.joinmastodon.org/admin/backups/), this is almost harmless: - > Losing the Redis database is almost harmless: The only irrecoverable data will be the contents of the Sidekiq queues and scheduled retries of previously failed jobs. + > Losing the Redis database is almost harmless: The only irrecoverable data will be the contents of the Sidekiq queues and scheduled retries of previously failed jobs. > The home and list feeds are stored in Redis, but can be regenerated with tootctl. - + If you do want to save the redis database, you can use the following commands: ```bash redis-cli save @@ -980,7 +980,7 @@ In addition to numerous new and upgraded packages, this release has the followin or `wl*` with priority 99 (which means that it doesn't have any effect if such an interface is matched by a `.network-`unit with a lower priority). In case of scripted networking, no behavior was changed. - + - The new [`postgresqlTestHook`](https://nixos.org/manual/nixpkgs/stable/#sec-postgresqlTestHook) runs a PostgreSQL server for the duration of package checks. - `zfs` was updated from 2.1.4 to 2.1.5, enabling it to be used with Linux kernel 5.18. diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index d61cf29675536..e92c776b33e3d 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md @@ -1,163 +1,87 @@ -# Release 22.11 (“Raccoon”, 2022.11/??) {#sec-release-22.11} +# Release 22.11 (“Raccoon”, 2022.11/30) {#sec-release-22.11} -Support is planned until the end of June 2023, handing over to 23.05. +The NixOS release team is happy to announce a new version of NixOS 22.11. NixOS is a Linux distribution, whose set of packages can also be used on other Linux systems and macOS. -## Highlights {#sec-release-22.11-highlights} - -In addition to numerous new and upgraded packages, this release has the following highlights: - -- GNOME has been upgraded to 43. Please take a look at their [Release - Notes](https://release.gnome.org/43/) for details. - -- During cross-compilation, tests are now executed if the test suite can be executed - by the build platform. This is the case when doing “native” cross-compilation - where the build and host platforms are largely the same, but the nixpkgs' cross - compilation infrastructure is used, e.g. `pkgsStatic` and `pkgsLLVM`. Another - possibility is that the build platform is a superset of the host platform, e.g. when - cross-compiling from `x86_64-unknown-linux` to `i686-unknown-linux`. - The predicate gating test suite execution is the newly added `canExecute` - predicate: You can e.g. check if `stdenv.buildPlatform` can execute binaries - built for `stdenv.hostPlatform` (i.e. produced by `stdenv.cc`) by evaluating - `stdenv.buildPlatform.canExecute stdenv.hostPlatform`. - -- The `nixpkgs.hostPlatform` and `nixpkgs.buildPlatform` options have been added. - These cover and override the `nixpkgs.{system,localSystem,crossSystem}` options. - - - `hostPlatform` is the platform or "`system`" string of the NixOS system - described by the configuration. - - `buildPlatform` is the platform that is responsible for building the NixOS - configuration. It defaults to the `hostPlatform`, for a non-cross - build configuration. To cross compile, set `buildPlatform` to a different - value. - - The new options convey the same information, but with fewer options, and - following the Nixpkgs terminology. - - The existing options `nixpkgs.{system,localSystem,crossSystem}` have not - been formally deprecated, to allow for evaluation of the change and to allow - for a transition period so that in time the ecosystem can switch without - breaking compatibility with any supported NixOS release. - -- `emacs` enables native compilation which means: - - emacs packages from nixpkgs, builtin or not, will do native compilation ahead of time so you can enjoy the benefit of native compilation without compiling them on you machine; - - emacs packages from somewhere else, e.g. `package-install`, will do asynchronously deferred native compilation. If you do not want this, maybe to avoid CPU consumption for compilation, you can use `(setq native-comp-deferred-compilation nil)` to disable it while still enjoy the benefit of native compilation for packages from nixpkgs. - -- `nixos-generate-config` now generates configurations that can be built in pure - mode. This is achieved by setting the new `nixpkgs.hostPlatform` option. - - You may have to unset the `system` parameter in `lib.nixosSystem`, or similarly - remove definitions of the `nixpkgs.{system,localSystem,crossSystem}` options. - - Alternatively, you can remove the `hostPlatform` line and use NixOS like you - would in NixOS 22.05 and earlier. - -- PHP now defaults to PHP 8.1, updated from 8.0. - -- PHP is now built `NTS` (Non-Thread Safe) style by default, for Apache and - `mod_php` usage we still enable `ZTS` (Zend Thread Safe). This has been a - common practice for a long time in other distributions. - -- `protonup` has been aliased to and replaced by `protonup-ng` due to upstream not maintaining it. - -- Perl has been updated to 5.36, and its core module `HTTP::Tiny` was patched to verify SSL/TLS certificates by default. - -- Improved performances of `lib.closePropagation` which was previously quadratic. This is used in e.g. `ghcWithPackages`. Please see backward incompatibilities notes below. - -- Cinnamon has been updated to 5.4. While at it, the cinnamon module now defaults to - blueman as bluetooth manager and slick-greeter as lightdm greeter to match upstream. - -- OpenSSL now defaults to OpenSSL 3, updated from 1.1.1. - -- An image configuration and generator has been added for Linode images, largely based on the present GCE configuration and image. - -- `hardware.nvidia` has a new option `open` that can be used to opt in the opensource version of NVIDIA kernel driver. Note that the driver's support for GeForce and Workstation GPUs is still alpha quality, see [NVIDIA Releases Open-Source GPU Kernel Modules](https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/) for the official announcement. - -<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> - -## New Services {#sec-release-22.11-new-services} - -- [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable). - -- [xray] (https://github.com/XTLS/Xray-core), a fully compatible v2ray-core replacement. Features XTLS, which when enabled on server and client, brings UDP FullCone NAT to proxy setups. Available as [services.xray](options.html#opt-services.xray.enable). - -- [syncstorage-rs](https://github.com/mozilla-services/syncstorage-rs), a self-hostable sync server for Firefox. Available as [services.firefox-syncserver](options.html#opt-services.firefox-syncserver.enable). - -- [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable). - -- [Komga](https://komga.org/), a free and open source comics/mangas media server. Available as [services.komga](#opt-services.komga.enable). - -- [Tandoor Recipes](https://tandoor.dev), a self-hosted multi-tenant recipe collection. Available as [services.tandoor-recipes](options.html#opt-services.tandoor-recipes.enable). +This release is supported until the end of June 2023, handing over to NixOS 23.05. -- [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable). +To upgrade to the latest release follow the [upgrade chapter](#sec-upgrading). -- [Please](https://github.com/edneville/please), a Sudo clone written in Rust. Available as [security.please](#opt-security.please.enable) +## Highlights {#sec-release-22.11-highlights} -- [Sachet](https://github.com/messagebird/sachet/), an SMS alerting tool for the Prometheus Alertmanager. Available as [services.prometheus.sachet](#opt-services.prometheus.sachet.enable). +In addition to numerous new and upgraded packages, this release includes the following highlights: -- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle. - Available as [services.infnoise](options.html#opt-services.infnoise.enable). +- Software that uses the `crypt` password hashing API is now using the implementation provided by [`libxcrypt`](https://github.com/besser82/libxcrypt) instead of glibc's, which enables support for more secure algorithms. + - Support for algorithms that `libxcrypt` [does not consider strong](https://github.com/besser82/libxcrypt/blob/v4.4.28/lib/hashes.conf#L41) are **deprecated** as of this release, and will be removed in NixOS 23.05. + - This includes system login passwords. Given this, we **strongly encourage** all users to update their system passwords, as you will be unable to login if password hashes are not migrated by the time their support is removed. + - When using `users.users.<name>.hashedPassword` to configure user passwords, run `mkpasswd`, and use the yescrypt hash that is provided as the new value. + - On the other hand, for interactively configured user passwords, simply re-set the passwords for all users with `passwd`. + - This release introduces warnings for the use of deprecated hash algorithms for both methods of configuring passwords. To make sure you migrated correctly, run `nixos-rebuild switch`. -- [kthxbye](https://github.com/prymitive/kthxbye), an alert acknowledgement management daemon for Prometheus Alertmanager. Available as [services.kthxbye](options.html#opt-services.kthxbye.enable) +- The NixOS documentation is now generated from markdown. While docbook is still part of the documentation build process, it's a big step towards the full migration. -- [kanata](https://github.com/jtroo/kanata), a tool to improve keyboard comfort and usability with advanced customization. - Available as [services.kanata](options.html#opt-services.kanata.enable). +- `aarch64-linux` is now included in the `nixos-22.11` and `nixos-22.11-small` channels. This means that when those channel update, both `x86_64-linux` and `aarch64-linux` will be available in the binary cache. -- [karma](https://github.com/prymitive/karma), an alert dashboard for Prometheus Alertmanager. Available as [services.karma](options.html#opt-services.karma.enable) +- `aarch64-linux` ISOs are now available on the [downloads page](https://nixos.org/download.html). -- [languagetool](https://languagetool.org/), a multilingual grammar, style, and spell checker. - Available as [services.languagetool](options.html#opt-services.languagetool.enable). +- `nsncd` is now available as a replacement of `nscd`. -- [OpenRGB](https://gitlab.com/CalcProgrammer1/OpenRGB/-/tree/master), a FOSS tool for controlling RGB lighting. Available as [services.hardware.openrgb.enable](options.html#opt-services-hardware-openrgb-enable). + `nscd` is responsible for resolving hostnames, users and more in NixOS and has been a long standing source of bugs, such as sporadic network freezes. -- [Outline](https://www.getoutline.com/), a wiki and knowledge base similar to Notion. Available as [services.outline](#opt-services.outline.enable). + More context in this [issue](https://github.com/NixOS/nixpkgs/issues/135888). -- [ntfy.sh](https://ntfy.sh), a push notification service. Available as [services.ntfy-sh](#opt-services.ntfy-sh.enable) - -- [alps](https://git.sr.ht/~migadu/alps), a simple and extensible webmail. Available as [services.alps](#opt-services.alps.enable). + Help us test the new implementation by setting `services.nscd.enableNsncd` to `true`. -- [endlessh](https://github.com/skeeto/endlessh), an SSH tarpit. Available as [services.endlessh](#opt-services.endlessh.enable). - -- [endlessh-go](https://github.com/shizunge/endlessh-go), an SSH tarpit that exposes Prometheus metrics. Available as [services.endlessh-go](#opt-services.endlessh-go.enable). + We plan to use `nsncd` by default in NixOS 23.05. -- [Garage](https://garagehq.deuxfleurs.fr/), a simple object storage server for geodistributed deployments, alternative to MinIO. Available as [services.garage](#opt-services.garage.enable). +- Linode cloud images are now supported by importing `${modulesPath}/virtualisation/linode-image.nix` and accessing `system.build.linodeImage` on the output. -- [netbird](https://netbird.io), a zero configuration VPN. - Available as [services.netbird](options.html#opt-services.netbird.enable). +- `hardware.nvidia` has a new option, `hardware.nvidia.open`, that can be used to enable the usage of NVIDIA's open-source kernel driver. Note that the driver's support for GeForce and Workstation GPUs is still alpha quality, see [the release announcement](https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/) for more information. -- [persistent-evdev](https://github.com/aiberia/persistent-evdev), a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as [services.persistent-evdev](#opt-services.persistent-evdev.enable). +- The `emacs` package now makes use of native compilation which means: + - Emacs packages from Nixpkgs, builtin or not, will do native compilation ahead of time so you can enjoy the benefit of native compilation without compiling them on you machine; + - Emacs packages from somewhere else, e.g. `package-install`, will perform asynchronously deferred native compilation. If you do not want this, maybe to avoid CPU consumption for compilation, you can use `(setq native-comp-deferred-compilation nil)` to disable it while still benefiting from native compilation for packages from Nixpkgs. -- [schleuder](https://schleuder.org/), a mailing list manager with PGP support. Enable using [services.schleuder](#opt-services.schleuder.enable). +## Internal changes {#sec-release-22.11-internal} -- [Dolibarr](https://www.dolibarr.org/), an enterprise resource planning and customer relationship manager. Enable using [services.dolibarr](#opt-services.dolibarr.enable). +- Haskell `ghcWithPackages` is now up to 15 times faster to evaluate, thanks to changing `lib.closePropagation` from a quadratic to linear complexity. Please see backward incompatibilities notes below. <https://github.com/NixOS/nixpkgs/pull/194391> -- [FreshRSS](https://freshrss.org/), a free, self-hostable RSS feed aggregator. Available as [services.freshrss](#opt-services.freshrss.enable). +- For cross-compilation targets that can also run on the building machine, we now run tests. This, for example, is the case for the `pkgsStatic` and `pkgsLLVM` package sets or i686 packages on `x86_64` machines. -- [expressvpn](https://www.expressvpn.com), the CLI client for ExpressVPN. Available as [services.expressvpn](#opt-services.expressvpn.enable). +- To simplify cross-compilation in NixOS, this release introduces the `nixpkgs.hostPlatform` and `nixpkgs.buildPlatform` options. These cover and override the `nixpkgs.{system,localSystem,crossSystem}` options. -- [merecat](https://troglobit.com/projects/merecat/), a small and easy HTTP server based on thttpd. Available as [services.merecat](#opt-services.merecat.enable) + - `hostPlatform` is the platform or "`system`" string of the NixOS system + described by the configuration. + - `buildPlatform` is the platform that is responsible for building the NixOS + configuration. It defaults to the `hostPlatform`, for a non-cross + build configuration. To cross compile, set `buildPlatform` to a different + value. -- [go-autoconfig](https://github.com/L11R/go-autoconfig), IMAP/SMTP autodiscover server. Available as [services.go-autoconfig](#opt-services.go-autoconfig.enable). + The new options convey the same information, but with fewer options, and + following the Nixpkgs terminology. -- [tmate-ssh-server](https://github.com/tmate-io/tmate-ssh-server), server side part of [tmate](https://tmate.io/). Available as [services.tmate-ssh-server](#opt-services.tmate-ssh-server.enable). + The existing options `nixpkgs.{system,localSystem,crossSystem}` have not + been formally deprecated, to allow for evaluation of the change and to allow + for a transition period so that in time the ecosystem can switch without + breaking compatibility with any supported NixOS release. -- [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable). +## Notable version updates {#sec-release-22.11-version-updates} -- [AusweisApp2](https://www.ausweisapp.bund.de/), the authentication software for the German ID card. Available as [programs.ausweisapp](#opt-programs.ausweisapp.enable). +- Nix has been upgraded from v2.8.1 to v2.11.0. For more information, please see the release notes for [2.9](https://nixos.org/manual/nix/stable/release-notes/rl-2.9.html), [2.10](https://nixos.org/manual/nix/stable/release-notes/rl-2.10.html) and [2.11](https://nixos.org/manual/nix/stable/release-notes/rl-2.11.html). -- [Patroni](https://github.com/zalando/patroni), a template for PostgreSQL HA with ZooKeeper, etcd or Consul. -Available as [services.patroni](options.html#opt-services.patroni.enable). +- OpenSSL now defaults to OpenSSL 3, updated from 1.1.1. -- [Prometheus IPMI exporter](https://github.com/prometheus-community/ipmi_exporter), an IPMI exporter for Prometheus. Available as [services.prometheus.exporters.ipmi](#opt-services.prometheus.exporters.ipmi.enable). +- GNOME has been upgraded to version 43. Please see the [release notes](https://release.gnome.org/43/) for details. -- [WriteFreely](https://writefreely.org), a simple blogging platform with ActivityPub support. Available as [services.writefreely](options.html#opt-services.writefreely.enable). +- KDE Plasma has been upgraded from v5.24 to v5.26. Please see the release notes for [v5.25](https://kde.org/announcements/plasma/5/5.25.0/) and [v5.26](https://kde.org/announcements/plasma/5/5.26.0/) for more details on the included changes. -- [Listmonk](https://listmonk.app), a self-hosted newsletter manager. Enable using [services.listmonk](options.html#opt-services.listmonk.enable). +- Cinnamon has been updated to 5.4, and the Cinnamon module now defaults to + Blueman as the Bluetooth manager and slick-greeter as the LightDM greeter, to match upstream. -- [Uptime Kuma](https://uptime.kuma.pet/), a fancy self-hosted monitoring tool. Available as [services.uptime-kuma](#opt-services.uptime-kuma.enable). +- PHP now defaults to PHP 8.1, updated from 8.0. -- [Mepo](https://mepo.milesalan.com), a fast, simple, hackable OSM map viewer for mobile and desktop Linux. Available as [programs.mepo.enable](#opt-programs.mepo.enable). +- Perl has been updated to 5.36, and its core module `HTTP::Tiny` was patched to verify SSL/TLS certificates by default. -<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> +- Python now defaults to 3.10, updated from 3.9. ## Backward Incompatibilities {#sec-release-22.11-incompatibilities} @@ -166,18 +90,17 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `isCompatible` predicate checking CPU compatibility is no longer exposed by the platform sets generated using `lib.systems.elaborate`. In most cases you will want to use the new `canExecute` predicate instead which also - considers the kernel / syscall interface. It is briefly described in the - release's [highlights section](#sec-release-22.11-highlights). + takes the kernel / syscall interface into account. `lib.systems.parse.isCompatible` still exists, but has changed semantically: Architectures with differing endianness modes are *no longer considered compatible*. - `ngrok` has been upgraded from 2.3.40 to 3.0.4. Please see [the upgrade guide](https://ngrok.com/docs/guides/upgrade-v2-v3) and [changelog](https://ngrok.com/docs/ngrok-agent/changelog). Notably, breaking changes are that the config file format has - changed and support for single hypen arguments was dropped. + changed and support for single hyphen arguments was dropped. -- `i18n.supportedLocales` is now by default only generated with the locales set in `i18n.defaultLocale` and `i18n.extraLocaleSettings`. - This got partially copied over from the minimal profile and reduces the final system size by up to 200MB. - If you require all locales installed set the option to ``[ "all" ]``. +- `i18n.supportedLocales` is now only generated with the locales set in `i18n.defaultLocale` and `i18n.extraLocaleSettings`. + - This reduces the final system closure size by up to 200MB. + - If you require all locales installed, set the option to ``[ "all" ]``. - Deprecated settings `logrotate.paths` and `logrotate.extraConfig` have been removed. Please convert any uses to @@ -187,7 +110,9 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `fetchgit` fetcher now uses [cone mode](https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalscone_mode_handling) by default for sparse checkouts. [Non-cone mode](https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalsnon_cone_problems) can be enabled by passing `nonConeMode = true`, but note that non-cone mode is deprecated and this option may be removed alongside a future Git update without notice. -- `openssh` was updated to version 9.1, disabling the generation of DSA keys when using `ssh-keygen -A` as they are insecure. Also, `SetEnv` directives in `ssh_config` and `sshd_config` are now first-match-wins +- The `fetchgit` fetcher supports sparse checkouts via the `sparseCheckout` option. This used to accept a multi-line string with directories/patterns to check out, but now requires a list of strings. + +- `openssh` was updated to version 9.1, disabling the generation of DSA keys when using `ssh-keygen -A` as they are insecure. Also, `SetEnv` directives in `ssh_config` and `sshd_config` are now first-match-wins. - `bsp-layout` no longer uses the command `cycle` to switch to other window layouts, as it got replaced by the commands `previous` and `next`. @@ -200,6 +125,13 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead. +- The OpenSSL extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if + [](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html) + don't lose access to their files. + + In any other case, it's safe to use OpenSSL 3 for PHP's OpenSSL extension. This can be done by setting + [](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`. + - The `coq` package and versioned variants starting at `coq_8_14` no longer include CoqIDE, which is now available through `coqPackages.coqide`. It is still possible to get CoqIDE as part of @@ -216,6 +148,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues. Users who still wish to remain using GTK can do so by using `emacs-gtk`. +- `kanidm` has been updated to 1.1.0-alpha.10 and now requires a TLS certificate and key. It will always start `https` and-–-if enabled-–-an LDAPS server and no HTTP and LDAP server anymore. + - riak package removed along with `services.riak` module, due to lack of maintainer to update the package. - ppd files in `pkgs.cups-drv-rastertosag-gdi` are now gzipped. If you refer to such a ppd file with its path (e.g. via [hardware.printers.ensurePrinters](options.html#opt-hardware.printers.ensurePrinters)) you will need to append `.gz` to the path. @@ -281,7 +215,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `zrepl` package has been updated from 0.5.0 to 0.6.0. See the [changelog](https://zrepl.github.io/changelog.html) for details. -- `k3s` no longer supports docker as runtime due to upstream dropping support. +- `k3s` no longer supports Docker as runtime due to upstream dropping support. - `cassandra_2_1` and `cassandra_2_2` have been removed. Please update to `cassandra_3_11` or `cassandra_3_0`. See the [changelog](https://github.com/apache/cassandra/blob/cassandra-3.11.14/NEWS.txt) for more information about the upgrade process. @@ -305,7 +239,9 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). For further information, please read the upstream changelogs. -- `stylua` no longer accepts `lua52Support` and `luauSupport` overrides, use `features` instead, which defaults to `[ "lua54" "luau" ]`. +- `stylua` no longer accepts `lua52Support` and `luauSupport` overrides. Use `features` instead, which defaults to `[ "lua54" "luau" ]`. + +- `ocamlPackages.ocaml_extlib` has been renamed to `ocamlPackages.extlib`. - `pkgs.fetchNextcloudApp` has been rewritten to circumvent impurities in e.g. tarballs from GitHub and to make it easier to apply patches. This means that your hashes are out-of-date and the (previously required) attributes `name` and `version` @@ -316,23 +252,41 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). In a future release other paths will be allowed again and interpreted relative to `services.syncthing.dataDir`. +- `services.github-runner` and `services.github-runners.<name>` gained the option `serviceOverrides` which allows overriding the systemd `serviceConfig`. If you have been overriding the systemd service configuration (i.e., by defining `systemd.services.github-runner.serviceConfig`), you have to use the `serviceOverrides` option now. Example: + + ``` + services.github-runner.serviceOverrides.SupplementaryGroups = [ + "docker" + ]; + ``` + <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> ## Other Notable Changes {#sec-release-22.11-notable-changes} +- PHP is now built in `NTS` (Non-Thread Safe) mode by default. + - For Apache and `mod_php` usage, we enable `ZTS` (Zend Thread Safe) mode. This has been a + common practice for a long time in other distributions. + +- `firefox`, `thunderbird` and `librewolf` now come with Wayland support by default. The `firefox-wayland`, `firefox-esr-wayland`, `thunderbird-wayland` and `librewolf-wayland` attributes are obsolete and have been aliased to their generic attribute. + - The `xplr` package has been updated from 0.18.0 to 0.19.0, which brings some breaking changes. See the [upstream release notes](https://github.com/sayanarijit/xplr/releases/tag/v0.19.0) for more details. +- Configuring multiple GitHub runners is now possible through `services.github-runners.<name>`. The options under `services.github-runner` remain, to configure a single runner. + - `github-runner` gained support for ephemeral runners and registrations using a personal access token (PAT) instead of a registration token. See `services.github-runner.ephemeral` and `services.github-runner.tokenFile` for details. -- A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`. +- A new module was added to provide hardware support for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`. -- ZFS module will not allow hibernation by default, this is a safety measure to prevent data loss cases like the ones described at [OpenZFS/260](https://github.com/openzfs/zfs/issues/260) and [OpenZFS/12842](https://github.com/openzfs/zfs/issues/12842). Use the `boot.zfs.allowHibernation` option to configure this behaviour. +- ZFS module will no longer allow hibernation by default. + - This is a safety measure to prevent data loss cases like the ones described at [OpenZFS/260](https://github.com/openzfs/zfs/issues/260) and [OpenZFS/12842](https://github.com/openzfs/zfs/issues/12842). + - Use the `boot.zfs.allowHibernation` option to configure this behaviour. -- `mastodon` now automatically removes remote media attachments older than 30 days. This is configurable through `services.mastodon.mediaAutoRemove`. +- Mastodon now automatically removes remote media attachments older than 30 days. This is configurable through `services.mastodon.mediaAutoRemove`. - The Redis module now disables RDB persistence when `services.redis.servers.<name>.save = []` instead of using the Redis default. -- Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance. +- Neo4j was updated from version 3 to version 4. See upstream's [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) for information on how to migrate your instance. - The `networking.wireguard` module now can set the mtu on interfaces and tag its packets with an fwmark. @@ -342,9 +296,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `polymc` package has been removed due to a rogue maintainer. It has been replaced by `prismlauncher`, a fork by the rest of the maintainers. For more - details, see [the pull request that made this - change](https://github.com/NixOS/nixpkgs/pull/196624) and [this issue - detailing the vulnerability](https://github.com/NixOS/nixpkgs/issues/196460). + details, see [the PR that made this change](https://github.com/NixOS/nixpkgs/pull/196624) and + [the issue detailing the vulnerability](https://github.com/NixOS/nixpkgs/issues/196460). Users with existing installations should rename `~/.local/share/polymc` to `~/.local/share/PrismLauncher`. The main config file's path has also moved from `~/.local/share/polymc/polymc.cfg` to @@ -352,30 +305,93 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `bloat` package has been updated from unstable-2022-03-31 to unstable-2022-10-25, which brings a breaking change. See [this upstream commit message](https://git.freesoftwareextremist.com/bloat/commit/?id=887ed241d64ba5db3fd3d87194fb5595e5ad7d73) for details. -- The `services.matrix-synapse` systemd unit has been hardened. +- Synapse's systemd unit has been hardened. + +- The module `services.grafana` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed: + - The newly introduced option [](#opt-services.grafana.settings) is an attribute-set that + will be converted into Grafana's INI format. This means that the configuration from + [Grafana's configuration reference](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/) + can be directly written as attribute-set in Nix within this option. + - The option `services.grafana.extraOptions` has been removed. This option was an association + of environment variables for Grafana. If you had an expression like + + ```nix + { + services.grafana.extraOptions.SECURITY_ADMIN_USER = "foobar"; + } + ``` + + your Grafana instance was running with `GF_SECURITY_ADMIN_USER=foobar` in its environment. + + For the migration, it is recommended to turn it into the INI format, i.e. + to declare + + ```nix + { + services.grafana.settings.security.admin_user = "foobar"; + } + ``` + + instead. + + The keys in `services.grafana.extraOptions` have the format `<INI section name>_<Key Name>`. + Further details are outlined in the [configuration reference](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#override-configuration-with-environment-variables). -- The `services.grafana` options were converted to a [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration. + Alternatively you can also set all your values from `extraOptions` to + `systemd.services.grafana.environment`, make sure you don't forget to add + the `GF_` prefix though! + - Previously, the options [services.grafana.provision.datasources](#opt-services.grafana.provision.datasources) and + [services.grafana.provision.dashboards](#opt-services.grafana.provision.dashboards) expected lists of datasources + or dashboards for the [declarative provisioning](https://grafana.com/docs/grafana/latest/administration/provisioning/). -- The `services.grafana.provision.datasources` and `services.grafana.provision.dashboards` options were converted to a [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration. They also now support specifying the provisioning YAML file with `path` option. + To declare lists of + - **datasources**, please rename your declarations to [services.grafana.provision.datasources.settings.datasources](#opt-services.grafana.provision.datasources.settings.datasources). + - **dashboards**, please rename your declarations to [services.grafana.provision.dashboards.settings.providers](#opt-services.grafana.provision.dashboards.settings.providers). + + This change was made to support more features for that: + + - It's possible to declare the `apiVersion` of your dashboards and datasources + by [services.grafana.provision.datasources.settings.apiVersion](#opt-services.grafana.provision.datasources.settings.apiVersion) (or + [services.grafana.provision.dashboards.settings.apiVersion](#opt-services.grafana.provision.dashboards.settings.apiVersion)). + + - Instead of declaring datasources and dashboards in pure Nix, it's also possible + to specify configuration files (or directories) with YAML instead using + [services.grafana.provision.datasources.path](#opt-services.grafana.provision.datasources.path) (or + [services.grafana.provision.dashboards.path](#opt-services.grafana.provision.dashboards.path). This is useful when having + provisioning files from non-NixOS Grafana instances that you also want to + deploy to NixOS. + + __Note:__ secrets from these files will be leaked into the store unless you use a + [**file**-provider or env-var](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider) for secrets! + + - [services.grafana.provision.notifiers](#opt-services.grafana.provision.notifiers) is not affected by this change because + this feature is deprecated by Grafana and will probably be removed in Grafana 10. + It's recommended to use `services.grafana.provision.alerting.contactPoints` instead. - The `services.grafana.provision.alerting` option was added. It includes suboptions for every alerting-related objects (with the exception of `notifiers`), which means it's now possible to configure modern Grafana alerting declaratively. -- Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation. +- Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation. - The `diamond` package has been update from 0.8.36 to 2.0.15. See the [upstream release notes](https://github.com/bbuchfink/diamond/releases) for more details. - The `guake` package has been updated from 3.6.3 to 3.9.0, see the [changelog](https://github.com/Guake/guake/releases) for more details. -- `dockerTools.buildImage` deprecates the misunderstood `contents` parameter, in favor of `copyToRoot`. +- The `netlify-cli` package has been updated from 6.13.2 to 12.2.4, see the [changelog](https://github.com/netlify/cli/releases) for more details. + +- `dockerTools.buildImage`'s `contents` parameter has been deprecated in favor of `copyToRoot`. Use `copyToRoot = buildEnv { ... };` or similar if you intend to add packages to `/bin`. +- The `proxmox.qemuConf.bios` option was added, it corresponds to `Hardware->BIOS` field in Proxmox web interface. Use `"ovmf"` value to build UEFI image, default value remains `"bios"`. New option `proxmox.partitionTableType` defaults to either `"legacy"` or `"efi"`, depending on the `bios` value. Setting `partitionTableType` to `"hybrid"` results in an image, which supports both methods (`"bios"` and `"ovmf"`), thereby remaining bootable after change to Proxmox `Hardware->BIOS` field. + - memtest86+ was updated from 5.00-coreboot-002 to 6.00-beta2. It is now the upstream version from https://www.memtest.org/, as coreboot's fork is no longer available. -- Option descriptions, examples, and defaults writting in DocBook are now deprecated. Using CommonMark is preferred and will become the default in a future release. +- Option descriptions, examples, and defaults writing in DocBook are now deprecated. Using CommonMark is preferred and will become the default in a future release. - The `documentation.nixos.options.allowDocBook` option was added to ease the transition to CommonMark option documentation. Setting this option to `false` causes an error for every option included in the manual that uses DocBook documentation; it defaults to `true` to preserve the previous behavior and will be removed once the transition to CommonMark is complete. -- The redis module now persists each instance's configuration file in the state directory, in order to support some more advanced use cases like sentinel. +- The Redis module now persists each instance's configuration file in the state directory, in order to support some more advanced use cases like Sentinel. + +- `protonup` has been aliased to and replaced by `protonup-ng` due to upstream not maintaining it. - The udisks2 service, available at `services.udisks2.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed. This also means that polkit will now actually be disabled by default. The default for `security.polkit.enable` was already flipped in the previous release, but udisks2 being enabled by default re-enabled it. @@ -384,22 +400,12 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). for Nextcloud in NixOS: - For Nextcloud **>=24**, the default PHP version is 8.1. - Nextcloud **23** has been removed since it will reach its [end of life in December 2022](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule/d76576a12a626d53305d480a6065b57cab705d3d). - - For `system.stateVersion` being **>=22.11**, Nextcloud 25 will be installed by default. For older versions, + - If `system.stateVersion` is **>=22.11**, Nextcloud 25 will be installed by default. For older versions, Nextcloud 24 will be installed. - - Please ensure that you only upgrade on major release at a time! Nextcloud doesn't support + - Please ensure that you only upgrade one major release at a time! Nextcloud doesn't support upgrades across multiple versions, i.e. an upgrade from **23** to **25** is only possible when upgrading to **24** first. -- Add udev rules for the Teensy family of microcontrollers. - -- The Qt QML disk cache is now disabled by default. This fixes a - long-standing issue where updating Qt/KDE apps would sometimes cause - them to crash or behave strangely without explanation. Those concerned - about the small (~10%) performance hit to application startup can - re-enable the cache (and expose themselves to gremlins) by setting the - envrionment variable `QML_FORCE_DISK_CACHE` to `1` using e.g. the - `environment.sessionVariables` NixOS option. - - systemd-oomd is enabled by default. Depending on which systemd units have `ManagedOOMSwap=kill` or `ManagedOOMMemoryPressure=kill`, systemd-oomd will SIGKILL all the processes under the appropriate descendant cgroups when the @@ -413,26 +419,118 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `pass-secret-service` package now includes systemd units from upstream, so adding it to the NixOS `services.dbus.packages` option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API. -- There is a new module for AMD SEV CPU functionality, which grants access to the hardware. - -- The Wordpress module got support for installing language packs through `services.wordpress.sites.<site>.languages`. +- The Wordpress module now has support for installing language packs through a new option, `services.wordpress.sites.<site>.languages`. - The default package for `services.mullvad-vpn.package` was changed to `pkgs.mullvad`, allowing cross-platform usage of Mullvad. `pkgs.mullvad` only contains the Mullvad CLI tool, so users who rely on the Mullvad GUI will want to change it back to `pkgs.mullvad-vpn`, or add `pkgs.mullvad-vpn` to their environment. -- PowerDNS has been updated from `4.6.x` to `4.7.x`. Please be sure to review the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-4-7-0-or-master) provided by upstream before upgrading. Worth specifically noting is that the new Catalog Zones feature comes with a mandatory schema change for the gsql database backends, which has to be manually applied. +- PowerDNS has been updated from v4.6.2 to v4.7.2. Please be sure to review the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-4-7-0-or-master) provided by upstream before upgrading. Worth specifically noting is that the new Catalog Zones feature comes with a mandatory schema change for the GSQL database backends, which has to be manually applied. + +- There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and may be removed in a future release. -- There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and in a future release it may be removed. +- There is a new module for `xfconf` (the Xfce configuration storage system), which has a dbus service. -- There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service. +- The Mastodon package has been upgraded to v4.0.0. See the [v4.0.0 release notes](https://github.com/mastodon/mastodon/releases/tag/v4.0.0) for a list of changes. On standard setups, no manual migration steps are required. Nevertheless, a database backup is recommended. -- The `nomad` package now defaults to 1.3, which no longer has a downgrade path to releases 1.2 or older. +- The `nomad` package now defaults to v1.3, which no longer has a downgrade path to v1.2 or older. - The `nodePackages` package set now defaults to the LTS release in the `nodejs` package again, instead of being pinned to `nodejs-14_x`. Several updates to node2nix have been made for compatibility with newer Node.js and npm versions and a new `postRebuild` hook has been added for packages to perform extra build steps before the npm install step prunes dev dependencies. -- `boot.kernel.sysctl` is defined as a freeformType and adds a custom merge option for "net.core.rmem_max" (taking the highest value defined to avoid conflicts between 2 services trying to set that value). +- `boot.kernel.sysctl` is defined as a freeformType and adds a custom merge option for `net.core.rmem_max` (taking the highest value defined to avoid conflicts between 2 services trying to set that value). - The `mame` package does not ship with its tools anymore in the default output. They were moved to a separate `tools` output instead. For convenience, `mame-tools` package was added for those who want to use it. - A NixOS module for Firefox has been added which allows preferences and [policies](https://github.com/mozilla/policy-templates/blob/master/README.md) to be set. This also allows extensions to be installed via the `ExtensionSettings` policy. The new options are under `programs.firefox`. +- The option `services.picom.experimentalBackends` was removed since it is now the default and the option will cause `picom` to quit instead. + +- `haskellPackages.callHackage` is not always invalidated if `all-cabal-hashes` changes, leading to less rebuilds of haskell dependencies. + +- `haskellPackages.callHackage` and `haskellPackages.callCabal2nix` (and related functions) no longer keep a reference to the `cabal2nix` call used to generate them. As a result, they will be garbage collected more often. + +<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> + +## New Services {#sec-release-22.11-new-services} + +- [alps](https://git.sr.ht/~migadu/alps), a simple and extensible webmail. Available as [services.alps](#opt-services.alps.enable). + +- [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable). + +- [AusweisApp2](https://www.ausweisapp.bund.de/), the authentication software for the German ID card. Available as [programs.ausweisapp](#opt-programs.ausweisapp.enable). + +- [automatic-timezoned](https://github.com/maxbrunet/automatic-timezoned). a Linux daemon to automatically update the system timezone based on location. Available as [services.automatic-timezoned](#opt-services.automatic-timezoned.enable). + +- [Dolibarr](https://www.dolibarr.org/), an enterprise resource planning and customer relationship manager. Enable using [services.dolibarr](#opt-services.dolibarr.enable). + +- [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable). + +- [endlessh-go](https://github.com/shizunge/endlessh-go), an SSH tarpit that exposes Prometheus metrics. Available as [services.endlessh-go](#opt-services.endlessh-go.enable). + +- [endlessh](https://github.com/skeeto/endlessh), an SSH tarpit. Available as [services.endlessh](#opt-services.endlessh.enable). + +- [EVCC](https://evcc.io) is an EV charge controller with PV integration. It supports a multitude of chargers, meters, vehicle APIs and more and ties that together with a well-tested backend and a lightweight web frontend. Available as [services.evcc](#opt-services.evcc.enable). + +- [expressvpn](https://www.expressvpn.com), the CLI client for ExpressVPN. Available as [services.expressvpn](#opt-services.expressvpn.enable). + +- [FreshRSS](https://freshrss.org/), a free, self-hostable RSS feed aggregator. Available as [services.freshrss](#opt-services.freshrss.enable). + +- [Garage](https://garagehq.deuxfleurs.fr/), a simple object storage server for geodistributed deployments, alternative to MinIO. Available as [services.garage](#opt-services.garage.enable). + +- [go-autoconfig](https://github.com/L11R/go-autoconfig), IMAP/SMTP autodiscover server. Available as [services.go-autoconfig](#opt-services.go-autoconfig.enable). + +- [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable). + +- [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable). + +- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle. Available as [services.infnoise](options.html#opt-services.infnoise.enable). + +- [kanata](https://github.com/jtroo/kanata), a tool to improve keyboard comfort and usability with advanced customization. Available as [services.kanata](options.html#opt-services.kanata.enable). + +- [karma](https://github.com/prymitive/karma), an alert dashboard for Prometheus Alertmanager. Available as [services.karma](options.html#opt-services.karma.enable) + +- [Komga](https://komga.org/), a free and open source comics/mangas media server. Available as [services.komga](#opt-services.komga.enable). + +- [kthxbye](https://github.com/prymitive/kthxbye), an alert acknowledgement management daemon for Prometheus Alertmanager. Available as [services.kthxbye](options.html#opt-services.kthxbye.enable) + +- [languagetool](https://languagetool.org/), a multilingual grammar, style, and spell checker. Available as [services.languagetool](options.html#opt-services.languagetool.enable). + +- [Listmonk](https://listmonk.app), a self-hosted newsletter manager. Enable using [services.listmonk](options.html#opt-services.listmonk.enable). + +- [Mepo](https://mepo.milesalan.com), a fast, simple, hackable OSM map viewer for mobile and desktop Linux. Available as [programs.mepo.enable](#opt-programs.mepo.enable). + +- [merecat](https://troglobit.com/projects/merecat/), a small and easy HTTP server based on thttpd. Available as [services.merecat](#opt-services.merecat.enable) + +- [netbird](https://netbird.io), a zero configuration VPN. Available as [services.netbird](options.html#opt-services.netbird.enable). + +- [ntfy.sh](https://ntfy.sh), a push notification service. Available as [services.ntfy-sh](#opt-services.ntfy-sh.enable) + +- [OpenRGB](https://gitlab.com/CalcProgrammer1/OpenRGB/-/tree/master), a FOSS tool for controlling RGB lighting. Available as [services.hardware.openrgb.enable](options.html#opt-services.hardware.openrgb.enable). + +- [Outline](https://www.getoutline.com/), a wiki and knowledge base similar to Notion. Available as [services.outline](#opt-services.outline.enable). + +- [Patroni](https://github.com/zalando/patroni), a template for PostgreSQL HA with ZooKeeper, etcd or Consul. Available as [services.patroni](options.html#opt-services.patroni.enable). + +- [persistent-evdev](https://github.com/aiberia/persistent-evdev), a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as [services.persistent-evdev](#opt-services.persistent-evdev.enable). + +- [Please](https://github.com/edneville/please), a Sudo clone written in Rust. Available as [security.please](#opt-security.please.enable). + +- [Prometheus IPMI exporter](https://github.com/prometheus-community/ipmi_exporter), an IPMI exporter for Prometheus. Available as [services.prometheus.exporters.ipmi](#opt-services.prometheus.exporters.ipmi.enable). + +- [Sachet](https://github.com/messagebird/sachet/), an SMS alerting tool for the Prometheus Alertmanager. Available as [services.prometheus.sachet](#opt-services.prometheus.sachet.enable). + +- [schleuder](https://schleuder.org/), a mailing list manager with PGP support. Enable using [services.schleuder](#opt-services.schleuder.enable). + +- [syncstorage-rs](https://github.com/mozilla-services/syncstorage-rs), a self-hostable sync server for Firefox. Available as [services.firefox-syncserver](options.html#opt-services.firefox-syncserver.enable). + +- [Tandoor Recipes](https://tandoor.dev), a self-hosted multi-tenant recipe collection. Available as [services.tandoor-recipes](options.html#opt-services.tandoor-recipes.enable). + +- [TAYGA](http://www.litech.org/tayga/), an out-of-kernel stateless NAT64 implementation. Available as [services.tayga](#opt-services.tayga.enable). + +- [tmate-ssh-server](https://github.com/tmate-io/tmate-ssh-server), server side part of [tmate](https://tmate.io/). Available as [services.tmate-ssh-server](#opt-services.tmate-ssh-server.enable). + +- [Uptime Kuma](https://uptime.kuma.pet/), a fancy self-hosted monitoring tool. Available as [services.uptime-kuma](#opt-services.uptime-kuma.enable). + +- [WriteFreely](https://writefreely.org), a simple blogging platform with ActivityPub support. Available as [services.writefreely](options.html#opt-services.writefreely.enable). + +- [xray](https://github.com/XTLS/Xray-core), a fully compatible v2ray-core replacement. Features XTLS, which when enabled on server and client, brings UDP FullCone NAT to proxy setups. Available as [services.xray](options.html#opt-services.xray.enable). + <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md new file mode 100644 index 0000000000000..b5c9c4ceb55d9 --- /dev/null +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -0,0 +1,130 @@ +# Release 23.05 (“Stoat”, 2023.05/??) {#sec-release-23.05} + +Support is planned until the end of December 2023, handing over to 23.11. + +## Highlights {#sec-release-23.05-highlights} + +In addition to numerous new and upgraded packages, this release has the following highlights: + +<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> + +- Cinnamon has been updated to 5.6, see [the pull request](https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204) for what is changed. + +## New Services {#sec-release-23.05-new-services} + +<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> + +- [Akkoma](https://akkoma.social), an ActivityPub microblogging server. Available as [services.akkoma](options.html#opt-services.akkoma.enable). + +- [blesh](https://github.com/akinomyoga/ble.sh), a line editor written in pure bash. Available as [programs.bash.blesh](#opt-programs.bash.blesh.enable). + +- [webhook](https://github.com/adnanh/webhook), a lightweight webhook server. Available as [services.webhook](#opt-services.webhook.enable). + +- [cups-pdf-to-pdf](https://github.com/alexivkin/CUPS-PDF-to-PDF), a pdf-generating cups backend based on [cups-pdf](https://www.cups-pdf.de/). Available as [services.printing.cups-pdf](#opt-services.printing.cups-pdf.enable). + +- [fzf](https://github.com/junegunn/fzf), a command line fuzzyfinder. Available as [programs.fzf](#opt-programs.fzf.fuzzyCompletion). + +- [atuin](https://github.com/ellie/atuin), a sync server for shell history. Available as [services.atuin](#opt-services.atuin.enable). + +- [mmsd](https://gitlab.com/kop316/mmsd), a lower level daemon that transmits and recieves MMSes. Available as [services.mmsd](#opt-services.mmsd.enable). + +- [v2rayA](https://v2raya.org), a Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel. Available as [services.v2raya](options.html#opt-services.v2raya.enable). + +- [ulogd](https://www.netfilter.org/projects/ulogd/index.html), a userspace logging daemon for netfilter/iptables related logging. Available as [services.ulogd](options.html#opt-services.ulogd.enable). + +## Backward Incompatibilities {#sec-release-23.05-incompatibilities} + +<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> + +- `carnix` and `cratesIO` has been removed due to being unmaintained, use alternatives such as [naersk](https://github.com/nix-community/naersk) and [crate2nix](https://github.com/kolloch/crate2nix) instead. + +- `borgbackup` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as [`services.borgbackup.jobs.<name>.inhibitsSleep`](#opt-services.borgbackup.jobs._name_.inhibitsSleep). + +- The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services. + This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from `/etc/ec2-metadata` should now have an `after` dependency on `fetch-ec2-metadata.service` + +- `minio` removed support for its legacy filesystem backend in [RELEASE.2022-10-29T06-21-33Z](https://github.com/minio/minio/releases/tag/RELEASE.2022-10-29T06-21-33Z). This means if your storage was created with the old format, minio will no longer start. Unfortunately minio doesn't provide a an automatic migration, they only provide [instructions how to manually convert the node](https://min.io/docs/minio/windows/operations/install-deploy-manage/migrate-fs-gateway.html). To facilitate this migration we keep around the last version that still supports the old filesystem backend as `minio_legacy_fs`. Use it via `services.minio.package = minio_legacy_fs;` to export your data before switching to the new version. See the corresponding [issue](https://github.com/NixOS/nixpkgs/issues/199318) for more details. + +- `services.sourcehut.dispatch` and the corresponding package (`sourcehut.dispatchsrht`) have been removed due to [upstream deprecation](https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/). + +- The [services.snapserver.openFirewall](#opt-services.snapserver.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall. + +- The [services.tmate-ssh-server.openFirewall](#opt-services.tmate-ssh-server.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall. + +- The [services.unifi-video.openFirewall](#opt-services.unifi-video.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall. + +- The Nginx module now validates the syntax of config files at build time. For more complex configurations (using `include` with out-of-store files notably) you may need to disable this check by setting [services.nginx.validateConfig](#opt-services.nginx.validateConfig) to `false`. + +- The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2. + +- The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation. + +- Qt 5.12 and 5.14 have been removed, as the corresponding branches have been EOL upstream for a long time. This affected under 10 packages in nixpkgs, largely unmaintained upstream as well, however, out-of-tree package expressions may need to be updated manually. + +- In `mastodon` it is now necessary to specify location of file with `PostgreSQL` database password. In `services.mastodon.database.passwordFile` parameter default value `/var/lib/mastodon/secrets/db-password` has been changed to `null`. + +- The `nix.readOnlyStore` option has been renamed to `boot.readOnlyNixStore` to clarify that it configures the NixOS boot process, not the Nix daemon. + +## Other Notable Changes {#sec-release-23.05-notable-changes} + +<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> + +- `vim_configurable` has been renamed to `vim-full` to avoid confusion: `vim-full`'s build-time features are configurable, but both `vim` and `vim-full` are _customizable_ (in the sense of user configuration, like vimrc). + +- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules) + +- The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package) + +- `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables. + +- The `dnsmasq` service now takes configuration via the + `services.dnsmasq.settings` attribute set. The option + `services.dnsmasq.extraConfig` will be deprecated when NixOS 22.11 reaches + end of life. + +- To reduce closure size in `nixos/modules/profiles/minimal.nix` profile disabled installation documentations and manuals. Also disabled `logrotate` and `udisks2` services. + +- The minimal ISO image now uses the `nixos/modules/profiles/minimal.nix` profile. + +- `mastodon` now supports connection to a remote `PostgreSQL` database. + +- `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`. + Before upgrading, read the release notes for PeerTube: + - [Release v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0) + + And backup your data. + +- `services.chronyd` is now started with additional systemd sandbox/hardening options for better security. + +- The module `services.headscale` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed: + + - Most settings has been migrated under [services.headscale.settings](#opt-services.headscale.settings) which is an attribute-set that + will be converted into headscale's YAML config format. This means that the configuration from + [headscale's example configuration](https://github.com/juanfont/headscale/blob/main/config-example.yaml) + can be directly written as attribute-set in Nix within this option. + +- `nixos/lib/make-disk-image.nix` can now mutate EFI variables, run user-provided EFI firmware or variable templates. This is now extensively documented in the NixOS manual. + +- `services.grafana` listens only on localhost by default again. This was changed to upstreams default of `0.0.0.0` by accident in the freeform setting conversion. + +- A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm). + +- The new option `users.motdFile` allows configuring a Message Of The Day that can be updated dynamically. + +- Enabling global redirect in `services.nginx.virtualHosts` now allows one to add exceptions with the `locations` option. + +- A new option `recommendedBrotliSettings` has been added to `services.nginx`. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md). + +- [Garage](https://garagehq.deuxfleurs.fr/) version is based on [system.stateVersion](options.html#opt-system.stateVersion), existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow [upstream instructions](https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/) and force [services.garage.package](options.html#opt-services.garage.package) or upgrade accordingly [system.stateVersion](options.html#opt-system.stateVersion). + +- Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store. + +- The `firewall` and `nat` module now has a nftables based implementation. Enable `networking.nftables` to use it. + +- The `services.fwupd` module now allows arbitrary daemon settings to be configured in a structured manner ([`services.fwupd.daemonSettings`](#opt-services.fwupd.daemonSettings)). + +- The `unifi-poller` package and corresponding NixOS module have been renamed to `unpoller` to match upstream. + +- The new option `services.tailscale.useRoutingFeatures` controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to `server`, otherwise if you wish to use an exit node you can set this setting to `client`. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting. + +- [Xastir](https://xastir.org/index.php/Main_Page) can now access AX.25 interfaces via the `libax25` package. diff --git a/nixos/lib/make-disk-image.nix b/nixos/lib/make-disk-image.nix index e784ec9e67787..365fc1f03a5bc 100644 --- a/nixos/lib/make-disk-image.nix +++ b/nixos/lib/make-disk-image.nix @@ -1,3 +1,85 @@ +/* Technical details + +`make-disk-image` has a bit of magic to minimize the amount of work to do in a virtual machine. + +It relies on the [LKL (Linux Kernel Library) project](https://github.com/lkl/linux) which provides Linux kernel as userspace library. + +The Nix-store only image only need to run LKL tools to produce an image and will never spawn a virtual machine, whereas full images will always require a virtual machine, but also use LKL. + +### Image preparation phase + +Image preparation phase will produce the initial image layout in a folder: + +- devise a root folder based on `$PWD` +- prepare the contents by copying and restoring ACLs in this root folder +- load in the Nix store database all additional paths computed by `pkgs.closureInfo` in a temporary Nix store +- run `nixos-install` in a temporary folder +- transfer from the temporary store the additional paths registered to the installed NixOS +- compute the size of the disk image based on the apparent size of the root folder +- partition the disk image using the corresponding script according to the partition table type +- format the partitions if needed +- use `cptofs` (LKL tool) to copy the root folder inside the disk image + +At this step, the disk image already contains the Nix store, it now only needs to be converted to the desired format to be used. + +### Image conversion phase + +Using `qemu-img`, the disk image is converted from a raw format to the desired format: qcow2(-compressed), vdi, vpc. + +### Image Partitioning + +#### `none` + +No partition table layout is written. The image is a bare filesystem image. + +#### `legacy` + +The image is partitioned using MBR. There is one primary ext4 partition starting at 1 MiB that fills the rest of the disk image. + +This partition layout is unsuitable for UEFI. + +#### `legacy+gpt` + +This partition table type uses GPT and: + +- create a "no filesystem" partition from 1MiB to 2MiB ; +- set `bios_grub` flag on this "no filesystem" partition, which marks it as a [GRUB BIOS partition](https://www.gnu.org/software/parted/manual/html_node/set.html) ; +- create a primary ext4 partition starting at 2MiB and extending to the full disk image ; +- perform optimal alignments checks on each partition + +This partition layout is unsuitable for UEFI boot, because it has no ESP (EFI System Partition) partition. It can work with CSM (Compatibility Support Module) which emulates legacy (BIOS) boot for UEFI. + +#### `efi` + +This partition table type uses GPT and: + +- creates an FAT32 ESP partition from 8MiB to specified `bootSize` parameter (256MiB by default), set it bootable ; +- creates an primary ext4 partition starting after the boot partition and extending to the full disk image + +#### `hybrid` + +This partition table type uses GPT and: + +- creates a "no filesystem" partition from 0 to 1MiB, set `bios_grub` flag on it ; +- creates an FAT32 ESP partition from 8MiB to specified `bootSize` parameter (256MiB by default), set it bootable ; +- creates a primary ext4 partition starting after the boot one and extending to the full disk image + +This partition could be booted by a BIOS able to understand GPT layouts and recognizing the MBR at the start. + +### How to run determinism analysis on results? + +Build your derivation with `--check` to rebuild it and verify it is the same. + +If it fails, you will be left with two folders with one having `.check`. + +You can use `diffoscope` to see the differences between the folders. + +However, `diffoscope` is currently not able to diff two QCOW2 filesystems, thus, it is advised to use raw format. + +Even if you use raw disks, `diffoscope` cannot diff the partition table and partitions recursively. + +To solve this, you can run `fdisk -l $image` and generate `dd if=$image of=$image-p$i.raw skip=$start count=$sectors` for each `(start, sectors)` listed in the `fdisk` output. Now, you will have each partition as a separate file and you can compare them in pairs. +*/ { pkgs , lib @@ -47,6 +129,18 @@ , # Whether to invoke `switch-to-configuration boot` during image creation installBootLoader ? true +, # Whether to output have EFIVARS available in $out/efi-vars.fd and use it during disk creation + touchEFIVars ? false + +, # OVMF firmware derivation + OVMF ? pkgs.OVMF.fd + +, # EFI firmware + efiFirmware ? OVMF.firmware + +, # EFI variables + efiVariables ? OVMF.variables + , # The root file system type. fsType ? "ext4" @@ -70,6 +164,22 @@ , # Disk image format, one of qcow2, qcow2-compressed, vdi, vpc, raw. format ? "raw" + # Whether to fix: + # - GPT Disk Unique Identifier (diskGUID) + # - GPT Partition Unique Identifier: depends on the layout, root partition UUID can be controlled through `rootGPUID` option + # - GPT Partition Type Identifier: fixed according to the layout, e.g. ESP partition, etc. through `parted` invocation. + # - Filesystem Unique Identifier when fsType = ext4 for *root partition*. + # BIOS/MBR support is "best effort" at the moment. + # Boot partitions may not be deterministic. + # Also, to fix last time checked of the ext4 partition if fsType = ext4. +, deterministic ? true + + # GPT Partition Unique Identifier for root partition. +, rootGPUID ? "F222513B-DED1-49FA-B591-20CE86A2FE7F" + # When fsType = ext4, this is the root Filesystem Unique Identifier. + # TODO: support other filesystems someday. +, rootFSUID ? (if fsType == "ext4" then rootGPUID else null) + , # Whether a nix channel based on the current source tree should be # made available inside the image. Useful for interactive use of nix # utils, but changes the hash of the image when the sources are @@ -80,15 +190,18 @@ additionalPaths ? [] }: -assert partitionTableType == "legacy" || partitionTableType == "legacy+gpt" || partitionTableType == "efi" || partitionTableType == "hybrid" || partitionTableType == "none"; -# We use -E offset=X below, which is only supported by e2fsprogs -assert partitionTableType != "none" -> fsType == "ext4"; +assert (lib.assertOneOf "partitionTableType" partitionTableType [ "legacy" "legacy+gpt" "efi" "hybrid" "none" ]); +assert (lib.assertMsg (fsType == "ext4" && deterministic -> rootFSUID != null) "In deterministic mode with a ext4 partition, rootFSUID must be non-null, by default, it is equal to rootGPUID."); + # We use -E offset=X below, which is only supported by e2fsprogs +assert (lib.assertMsg (partitionTableType != "none" -> fsType == "ext4") "to produce a partition table, we need to use -E offset flag which is support only for fsType = ext4"); +assert (lib.assertMsg (touchEFIVars -> partitionTableType == "hybrid" || partitionTableType == "efi" || partitionTableType == "legacy+gpt") "EFI variables can be used only with a partition table of type: hybrid, efi or legacy+gpt."); + # If only Nix store image, then: contents must be empty, configFile must be unset, and we should no install bootloader. +assert (lib.assertMsg (onlyNixStore -> contents == [] && configFile == null && !installBootLoader) "In a only Nix store image, the contents must be empty, no configuration must be provided and no bootloader should be installed."); # Either both or none of {user,group} need to be set -assert lib.all +assert (lib.assertMsg (lib.all (attrs: ((attrs.user or null) == null) == ((attrs.group or null) == null)) - contents; -assert onlyNixStore -> contents == [] && configFile == null && !installBootLoader; + contents) "Contents of the disk image should set none of {user, group} or both at the same time."); with lib; @@ -127,6 +240,14 @@ let format' = format; in let mkpart primary ext4 2MB -1 \ align-check optimal 2 \ print + ${optionalString deterministic '' + sgdisk \ + --disk-guid=97FD5997-D90B-4AA3-8D16-C1723AEA73C \ + --partition-guid=1:1C06F03B-704E-4657-B9CD-681A087A2FDC \ + --partition-guid=2:970C694F-AFD0-4B99-B750-CDB7A329AB6F \ + --partition-guid=3:${rootGPUID} \ + $diskImage + ''} ''; efi = '' parted --script $diskImage -- \ @@ -134,6 +255,13 @@ let format' = format; in let mkpart ESP fat32 8MiB ${bootSize} \ set 1 boot on \ mkpart primary ext4 ${bootSize} -1 + ${optionalString deterministic '' + sgdisk \ + --disk-guid=97FD5997-D90B-4AA3-8D16-C1723AEA73C \ + --partition-guid=1:1C06F03B-704E-4657-B9CD-681A087A2FDC \ + --partition-guid=2:${rootGPUID} \ + $diskImage + ''} ''; hybrid = '' parted --script $diskImage -- \ @@ -143,10 +271,20 @@ let format' = format; in let mkpart no-fs 0 1024KiB \ set 2 bios_grub on \ mkpart primary ext4 ${bootSize} -1 + ${optionalString deterministic '' + sgdisk \ + --disk-guid=97FD5997-D90B-4AA3-8D16-C1723AEA73C \ + --partition-guid=1:1C06F03B-704E-4657-B9CD-681A087A2FDC \ + --partition-guid=2:970C694F-AFD0-4B99-B750-CDB7A329AB6F \ + --partition-guid=3:${rootGPUID} \ + $diskImage + ''} ''; none = ""; }.${partitionTableType}; + useEFIBoot = touchEFIVars; + nixpkgs = cleanSource pkgs.path; # FIXME: merge with channel.nix / make-channel.nix. @@ -171,7 +309,9 @@ let format' = format; in let config.system.build.nixos-enter nix systemdMinimal - ] ++ stdenv.initialPath); + ] + ++ lib.optional deterministic gptfdisk + ++ stdenv.initialPath); # I'm preserving the line below because I'm going to search for it across nixpkgs to consolidate # image building logic. The comment right below this now appears in 4 different places in nixpkgs :) @@ -368,20 +508,35 @@ let format' = format; in let diskImage=$out/${filename} ''; + createEFIVars = '' + efiVars=$out/efi-vars.fd + cp ${efiVariables} $efiVars + chmod 0644 $efiVars + ''; + buildImage = pkgs.vmTools.runInLinuxVM ( pkgs.runCommand name { - preVM = prepareImage; + preVM = prepareImage + lib.optionalString touchEFIVars createEFIVars; buildInputs = with pkgs; [ util-linux e2fsprogs dosfstools ]; postVM = moveOrConvertImage + postVM; + QEMU_OPTS = + concatStringsSep " " (lib.optional useEFIBoot "-drive if=pflash,format=raw,unit=0,readonly=on,file=${efiFirmware}" + ++ lib.optionals touchEFIVars [ + "-drive if=pflash,format=raw,unit=1,file=$efiVars" + ] + ); memSize = 1024; } '' export PATH=${binPath}:$PATH rootDisk=${if partitionTableType != "none" then "/dev/vda${rootPartition}" else "/dev/vda"} - # Some tools assume these exist - ln -s vda /dev/xvda - ln -s vda /dev/sda + # It is necessary to set root filesystem unique identifier in advance, otherwise + # bootloader might get the wrong one and fail to boot. + # At the end, we reset again because we want deterministic timestamps. + ${optionalString (fsType == "ext4" && deterministic) '' + tune2fs -T now ${optionalString deterministic "-U ${rootFSUID}"} -c 0 -i 0 $rootDisk + ''} # make systemd-boot find ESP without udev mkdir /dev/block ln -s /dev/vda1 /dev/block/254:1 @@ -396,6 +551,8 @@ let format' = format; in let mkdir -p /mnt/boot mkfs.vfat -n ESP /dev/vda1 mount /dev/vda1 /mnt/boot + + ${optionalString touchEFIVars "mount -t efivarfs efivarfs /sys/firmware/efi/efivars"} ''} # Install a configuration.nix @@ -405,7 +562,13 @@ let format' = format; in let ''} ${lib.optionalString installBootLoader '' - # Set up core system link, GRUB, etc. + # In this throwaway resource, we only have /dev/vda, but the actual VM may refer to another disk for bootloader, e.g. /dev/vdb + # Use this option to create a symlink from vda to any arbitrary device you want. + ${optionalString (config.boot.loader.grub.device != "/dev/vda") '' + ln -s /dev/vda ${config.boot.loader.grub.device} + ''} + + # Set up core system link, bootloader (sd-boot, GRUB, uboot, etc.), etc. NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root $mountPoint -- /nix/var/nix/profiles/system/bin/switch-to-configuration boot # The above scripts will generate a random machine-id and we don't want to bake a single ID into all our images @@ -432,8 +595,12 @@ let format' = format; in let # Make sure resize2fs works. Note that resize2fs has stricter criteria for resizing than a normal # mount, so the `-c 0` and `-i 0` don't affect it. Setting it to `now` doesn't produce deterministic # output, of course, but we can fix that when/if we start making images deterministic. + # In deterministic mode, this is fixed to 1970-01-01 (UNIX timestamp 0). + # This two-step approach is necessary otherwise `tune2fs` will want a fresher filesystem to perform + # some changes. ${optionalString (fsType == "ext4") '' - tune2fs -T now -c 0 -i 0 $rootDisk + tune2fs -T now ${optionalString deterministic "-U ${rootFSUID}"} -c 0 -i 0 $rootDisk + ${optionalString deterministic "tune2fs -f -T 19700101 $rootDisk"} ''} '' ); diff --git a/nixos/lib/make-options-doc/default.nix b/nixos/lib/make-options-doc/default.nix index e097aa5eebd8e..a3436caad8f98 100644 --- a/nixos/lib/make-options-doc/default.nix +++ b/nixos/lib/make-options-doc/default.nix @@ -19,14 +19,14 @@ { pkgs , lib , options -, transformOptions ? lib.id # function for additional tranformations of the options +, transformOptions ? lib.id # function for additional transformations of the options , documentType ? "appendix" # TODO deprecate "appendix" in favor of "none" # and/or rename function to moduleOptionDoc for clean slate # If you include more than one option list into a document, you need to # provide different ids. , variablelistId ? "configuration-variable-list" - # Strig to prefix to the option XML/HTML id attributes. + # String to prefix to the option XML/HTML id attributes. , optionIdPrefix ? "opt-" , revision ? "" # Specify revision for the options # a set of options the docs we are generating will be merged into, as if by recursiveUpdate. @@ -45,28 +45,11 @@ }: let - # Make a value safe for JSON. Functions are replaced by the string "<function>", - # derivations are replaced with an attrset - # { _type = "derivation"; name = <name of that derivation>; }. - # We need to handle derivations specially because consumers want to know about them, - # but we can't easily use the type,name subset of keys (since type is often used as - # a module option and might cause confusion). Use _type,name instead to the same - # effect, since _type is already used by the module system. - substSpecial = x: - if lib.isDerivation x then { _type = "derivation"; name = x.name; } - else if builtins.isAttrs x then lib.mapAttrs (name: substSpecial) x - else if builtins.isList x then map substSpecial x - else if lib.isFunction x then "<function>" - else x; - rawOpts = lib.optionAttrSetToDocList options; transformedOpts = map transformOptions rawOpts; filteredOpts = lib.filter (opt: opt.visible && !opt.internal) transformedOpts; optionsList = lib.flip map filteredOpts (opt: opt - // lib.optionalAttrs (opt ? example) { example = substSpecial opt.example; } - // lib.optionalAttrs (opt ? default) { default = substSpecial opt.default; } - // lib.optionalAttrs (opt ? type) { type = substSpecial opt.type; } // lib.optionalAttrs (opt ? relatedPackages && opt.relatedPackages != []) { relatedPackages = genRelatedPackages opt.relatedPackages opt.name; } ); @@ -111,14 +94,16 @@ in rec { inherit optionsNix; optionsAsciiDoc = pkgs.runCommand "options.adoc" {} '' - ${pkgs.python3Minimal}/bin/python ${./generateAsciiDoc.py} \ - < ${optionsJSON}/share/doc/nixos/options.json \ + ${pkgs.python3Minimal}/bin/python ${./generateDoc.py} \ + --format asciidoc \ + ${optionsJSON}/share/doc/nixos/options.json \ > $out ''; optionsCommonMark = pkgs.runCommand "options.md" {} '' - ${pkgs.python3Minimal}/bin/python ${./generateCommonMark.py} \ - < ${optionsJSON}/share/doc/nixos/options.json \ + ${pkgs.python3Minimal}/bin/python ${./generateDoc.py} \ + --format commonmark \ + ${optionsJSON}/share/doc/nixos/options.json \ > $out ''; diff --git a/nixos/lib/make-options-doc/generateAsciiDoc.py b/nixos/lib/make-options-doc/generateAsciiDoc.py deleted file mode 100644 index 48eadd248c5a0..0000000000000 --- a/nixos/lib/make-options-doc/generateAsciiDoc.py +++ /dev/null @@ -1,37 +0,0 @@ -import json -import sys - -options = json.load(sys.stdin) -# TODO: declarations: link to github -for (name, value) in options.items(): - print(f'== {name}') - print() - print(value['description']) - print() - print('[discrete]') - print('=== details') - print() - print(f'Type:: {value["type"]}') - if 'default' in value: - print('Default::') - print('+') - print('----') - print(json.dumps(value['default'], ensure_ascii=False, separators=(',', ':'))) - print('----') - print() - else: - print('No Default:: {blank}') - if value['readOnly']: - print('Read Only:: {blank}') - else: - print() - if 'example' in value: - print('Example::') - print('+') - print('----') - print(json.dumps(value['example'], ensure_ascii=False, separators=(',', ':'))) - print('----') - print() - else: - print('No Example:: {blank}') - print() diff --git a/nixos/lib/make-options-doc/generateCommonMark.py b/nixos/lib/make-options-doc/generateCommonMark.py deleted file mode 100644 index bf487bd89c3f8..0000000000000 --- a/nixos/lib/make-options-doc/generateCommonMark.py +++ /dev/null @@ -1,27 +0,0 @@ -import json -import sys - -options = json.load(sys.stdin) -for (name, value) in options.items(): - print('##', name.replace('<', '<').replace('>', '>')) - print(value['description']) - print() - if 'type' in value: - print('*_Type_*:') - print(value['type']) - print() - print() - if 'default' in value: - print('*_Default_*') - print('```') - print(json.dumps(value['default'], ensure_ascii=False, separators=(',', ':'))) - print('```') - print() - print() - if 'example' in value: - print('*_Example_*') - print('```') - print(json.dumps(value['example'], ensure_ascii=False, separators=(',', ':'))) - print('```') - print() - print() diff --git a/nixos/lib/make-options-doc/generateDoc.py b/nixos/lib/make-options-doc/generateDoc.py new file mode 100644 index 0000000000000..1fe4eb0253add --- /dev/null +++ b/nixos/lib/make-options-doc/generateDoc.py @@ -0,0 +1,108 @@ +import argparse +import json +import sys + +formats = ['commonmark', 'asciidoc'] + +parser = argparse.ArgumentParser( + description = 'Generate documentation for a set of JSON-formatted NixOS options' +) +parser.add_argument( + 'nix_options_path', + help = 'a path to a JSON file containing the NixOS options' +) +parser.add_argument( + '-f', + '--format', + choices = formats, + required = True, + help = f'the documentation format to generate' +) + +args = parser.parse_args() + +# Pretty-print certain Nix types, like literal expressions. +def render_types(obj): + if '_type' not in obj: return obj + + _type = obj['_type'] + if _type == 'literalExpression' or _type == 'literalDocBook': + return obj['text'] + + if _type == 'derivation': + return obj['name'] + + raise Exception(f'Unexpected type `{_type}` in {json.dumps(obj)}') + +def generate_commonmark(options): + for (name, value) in options.items(): + print('##', name.replace('<', '<').replace('>', '>')) + print(value['description']) + print() + if 'type' in value: + print('*_Type_*') + print ('```') + print(value['type']) + print ('```') + print() + print() + if 'default' in value: + print('*_Default_*') + print('```') + print(json.dumps(value['default'], ensure_ascii=False, separators=(',', ':'))) + print('```') + print() + print() + if 'example' in value: + print('*_Example_*') + print('```') + print(json.dumps(value['example'], ensure_ascii=False, separators=(',', ':'))) + print('```') + print() + print() + +# TODO: declarations: link to github +def generate_asciidoc(options): + for (name, value) in options.items(): + print(f'== {name}') + print() + print(value['description']) + print() + print('[discrete]') + print('=== details') + print() + print(f'Type:: {value["type"]}') + if 'default' in value: + print('Default::') + print('+') + print('----') + print(json.dumps(value['default'], ensure_ascii=False, separators=(',', ':'))) + print('----') + print() + else: + print('No Default:: {blank}') + if value['readOnly']: + print('Read Only:: {blank}') + else: + print() + if 'example' in value: + print('Example::') + print('+') + print('----') + print(json.dumps(value['example'], ensure_ascii=False, separators=(',', ':'))) + print('----') + print() + else: + print('No Example:: {blank}') + print() + +with open(args.nix_options_path) as nix_options_json: + options = json.load(nix_options_json, object_hook=render_types) + + if args.format == 'commonmark': + generate_commonmark(options) + elif args.format == 'asciidoc': + generate_asciidoc(options) + else: + raise Exception(f'Unsupported documentation format `--format {args.format}`') + diff --git a/nixos/lib/make-options-doc/options-to-docbook.xsl b/nixos/lib/make-options-doc/options-to-docbook.xsl index 0fe14a6d2d169..ac49659c681f8 100644 --- a/nixos/lib/make-options-doc/options-to-docbook.xsl +++ b/nixos/lib/make-options-doc/options-to-docbook.xsl @@ -138,82 +138,6 @@ </xsl:template> - <xsl:template match="string[contains(@value, '
')]" mode="top"> - <programlisting> - <xsl:text>''
</xsl:text> - <xsl:value-of select='str:replace(str:replace(@value, "''", "'''"), "${", "''${")' /> - <xsl:text>''</xsl:text> - </programlisting> - </xsl:template> - - - <xsl:template match="*" mode="top"> - <literal><xsl:apply-templates select="." /></literal> - </xsl:template> - - - <xsl:template match="null"> - <xsl:text>null</xsl:text> - </xsl:template> - - - <xsl:template match="string"> - <xsl:choose> - <xsl:when test="(contains(@value, '"') or contains(@value, '\')) and not(contains(@value, '
'))"> - <xsl:text>''</xsl:text><xsl:value-of select='str:replace(str:replace(@value, "''", "'''"), "${", "''${")' /><xsl:text>''</xsl:text> - </xsl:when> - <xsl:otherwise> - <xsl:text>"</xsl:text><xsl:value-of select="str:replace(str:replace(str:replace(str:replace(@value, '\', '\\'), '"', '\"'), '
', '\n'), '${', '\${')" /><xsl:text>"</xsl:text> - </xsl:otherwise> - </xsl:choose> - </xsl:template> - - - <xsl:template match="int"> - <xsl:value-of select="@value" /> - </xsl:template> - - - <xsl:template match="bool[@value = 'true']"> - <xsl:text>true</xsl:text> - </xsl:template> - - - <xsl:template match="bool[@value = 'false']"> - <xsl:text>false</xsl:text> - </xsl:template> - - - <xsl:template match="list"> - [ - <xsl:for-each select="*"> - <xsl:apply-templates select="." /> - <xsl:text> </xsl:text> - </xsl:for-each> - ] - </xsl:template> - - - <xsl:template match="attrs[attr[@name = '_type' and string[@value = 'literalExpression']]]"> - <xsl:value-of select="attr[@name = 'text']/string/@value" /> - </xsl:template> - - - <xsl:template match="attrs"> - { - <xsl:for-each select="attr"> - <xsl:value-of select="@name" /> - <xsl:text> = </xsl:text> - <xsl:apply-templates select="*" /><xsl:text>; </xsl:text> - </xsl:for-each> - } - </xsl:template> - - - <xsl:template match="attrs[attr[@name = '_type' and string[@value = 'derivation']]]"> - <replaceable>(build of <xsl:value-of select="attr[@name = 'name']/string/@value" />)</replaceable> - </xsl:template> - <xsl:template match="attr[@name = 'declarations' or @name = 'definitions']"> <simplelist> <!-- @@ -275,10 +199,4 @@ </simplelist> </xsl:template> - - <xsl:template match="function"> - <xsl:text>λ</xsl:text> - </xsl:template> - - </xsl:stylesheet> diff --git a/nixos/lib/systemd-lib.nix b/nixos/lib/systemd-lib.nix index 4c52643446ed4..c6c8753d5325b 100644 --- a/nixos/lib/systemd-lib.nix +++ b/nixos/lib/systemd-lib.nix @@ -8,9 +8,9 @@ let systemd = cfg.package; in rec { - shellEscape = s: (replaceChars [ "\\" ] [ "\\\\" ] s); + shellEscape = s: (replaceStrings [ "\\" ] [ "\\\\" ] s); - mkPathSafeName = lib.replaceChars ["@" ":" "\\" "[" "]"] ["-" "-" "-" "" ""]; + mkPathSafeName = lib.replaceStrings ["@" ":" "\\" "[" "]"] ["-" "-" "-" "" ""]; # a type for options that take a unit name unitNameType = types.strMatching "[a-zA-Z0-9@%:_.\\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)"; @@ -258,7 +258,7 @@ in rec { makeJobScript = name: text: let - scriptName = replaceChars [ "\\" "@" ] [ "-" "_" ] (shellEscape name); + scriptName = replaceStrings [ "\\" "@" ] [ "-" "_" ] (shellEscape name); out = (pkgs.writeShellScriptBin scriptName '' set -e ${text} diff --git a/nixos/lib/systemd-unit-options.nix b/nixos/lib/systemd-unit-options.nix index 44f26572a23ba..9c7cb34f14b57 100644 --- a/nixos/lib/systemd-unit-options.nix +++ b/nixos/lib/systemd-unit-options.nix @@ -324,7 +324,11 @@ in rec { scriptArgs = mkOption { type = types.str; default = ""; - description = lib.mdDoc "Arguments passed to the main process script."; + example = "%i"; + description = lib.mdDoc '' + Arguments passed to the main process script. + Can contain specifiers (`%` placeholders expanded by systemd, see {manpage}`systemd.unit(5)`). + ''; }; preStart = mkOption { diff --git a/nixos/lib/test-driver/test_driver/__init__.py b/nixos/lib/test-driver/test_driver/__init__.py index 61d91c9ed6545..db7e0ed33a892 100755 --- a/nixos/lib/test-driver/test_driver/__init__.py +++ b/nixos/lib/test-driver/test_driver/__init__.py @@ -41,11 +41,9 @@ def writeable_dir(arg: str) -> Path: """ path = Path(arg) if not path.is_dir(): - raise argparse.ArgumentTypeError("{0} is not a directory".format(path)) + raise argparse.ArgumentTypeError(f"{path} is not a directory") if not os.access(path, os.W_OK): - raise argparse.ArgumentTypeError( - "{0} is not a writeable directory".format(path) - ) + raise argparse.ArgumentTypeError(f"{path} is not a writeable directory") return path diff --git a/nixos/lib/test-driver/test_driver/driver.py b/nixos/lib/test-driver/test_driver/driver.py index e32f6810ca87f..de6abbb4679e2 100644 --- a/nixos/lib/test-driver/test_driver/driver.py +++ b/nixos/lib/test-driver/test_driver/driver.py @@ -19,15 +19,11 @@ def get_tmp_dir() -> Path: tmp_dir.mkdir(mode=0o700, exist_ok=True) if not tmp_dir.is_dir(): raise NotADirectoryError( - "The directory defined by TMPDIR, TEMP, TMP or CWD: {0} is not a directory".format( - tmp_dir - ) + f"The directory defined by TMPDIR, TEMP, TMP or CWD: {tmp_dir} is not a directory" ) if not os.access(tmp_dir, os.W_OK): raise PermissionError( - "The directory defined by TMPDIR, TEMP, TMP, or CWD: {0} is not writeable".format( - tmp_dir - ) + f"The directory defined by TMPDIR, TEMP, TMP, or CWD: {tmp_dir} is not writeable" ) return tmp_dir @@ -220,6 +216,20 @@ class Driver: res = driver.polling_conditions.pop() assert res is self.condition + def wait(self, timeout: int = 900) -> None: + def condition(last: bool) -> bool: + if last: + rootlog.info(f"Last chance for {self.condition.description}") + ret = self.condition.check(force=True) + if not ret and not last: + rootlog.info( + f"({self.condition.description} failure not fatal yet)" + ) + return ret + + with rootlog.nested(f"waiting for {self.condition.description}"): + retry(condition, timeout=timeout) + if fun_ is None: return Poll else: diff --git a/nixos/lib/test-driver/test_driver/logger.py b/nixos/lib/test-driver/test_driver/logger.py index 59ed295472315..e6182ff7c761d 100644 --- a/nixos/lib/test-driver/test_driver/logger.py +++ b/nixos/lib/test-driver/test_driver/logger.py @@ -36,7 +36,7 @@ class Logger: def maybe_prefix(self, message: str, attributes: Dict[str, str]) -> str: if "machine" in attributes: - return "{}: {}".format(attributes["machine"], message) + return f"{attributes['machine']}: {message}" return message def log_line(self, message: str, attributes: Dict[str, str]) -> None: @@ -62,9 +62,7 @@ class Logger: def log_serial(self, message: str, machine: str) -> None: self.enqueue({"msg": message, "machine": machine, "type": "serial"}) if self._print_serial_logs: - self._eprint( - Style.DIM + "{} # {}".format(machine, message) + Style.RESET_ALL - ) + self._eprint(Style.DIM + f"{machine} # {message}" + Style.RESET_ALL) def enqueue(self, item: Dict[str, str]) -> None: self.queue.put(item) @@ -97,7 +95,7 @@ class Logger: yield self.drain_log_queue() toc = time.time() - self.log("(finished: {}, in {:.2f} seconds)".format(message, toc - tic)) + self.log(f"(finished: {message}, in {toc - tic:.2f} seconds)") self.xml.endElement("nest") diff --git a/nixos/lib/test-driver/test_driver/machine.py b/nixos/lib/test-driver/test_driver/machine.py index e45c83086fb52..6af964a0f588e 100644 --- a/nixos/lib/test-driver/test_driver/machine.py +++ b/nixos/lib/test-driver/test_driver/machine.py @@ -101,14 +101,14 @@ def _perform_ocr_on_screenshot( tess_args = f"-c debug_file=/dev/null --psm 11" - cmd = f"convert {magick_args} {screenshot_path} tiff:{screenshot_path}.tiff" + cmd = f"convert {magick_args} '{screenshot_path}' 'tiff:{screenshot_path}.tiff'" ret = subprocess.run(cmd, shell=True, capture_output=True) if ret.returncode != 0: raise Exception(f"TIFF conversion failed with exit code {ret.returncode}") model_results = [] for model_id in model_ids: - cmd = f"tesseract {screenshot_path}.tiff - {tess_args} --oem {model_id}" + cmd = f"tesseract '{screenshot_path}.tiff' - {tess_args} --oem '{model_id}'" ret = subprocess.run(cmd, shell=True, capture_output=True) if ret.returncode != 0: raise Exception(f"OCR failed with exit code {ret.returncode}") @@ -420,8 +420,8 @@ class Machine: def send_monitor_command(self, command: str) -> str: self.run_callbacks() - with self.nested("sending monitor command: {}".format(command)): - message = ("{}\n".format(command)).encode() + with self.nested(f"sending monitor command: {command}"): + message = f"{command}\n".encode() assert self.monitor is not None self.monitor.send(message) return self.wait_for_monitor_prompt() @@ -438,7 +438,7 @@ class Machine: info = self.get_unit_info(unit, user) state = info["ActiveState"] if state == "failed": - raise Exception('unit "{}" reached state "{}"'.format(unit, state)) + raise Exception(f'unit "{unit}" reached state "{state}"') if state == "inactive": status, jobs = self.systemctl("list-jobs --full 2>&1", user) @@ -446,27 +446,24 @@ class Machine: info = self.get_unit_info(unit, user) if info["ActiveState"] == state: raise Exception( - ( - 'unit "{}" is inactive and there ' "are no pending jobs" - ).format(unit) + f'unit "{unit}" is inactive and there are no pending jobs' ) return state == "active" with self.nested( - "waiting for unit {}{}".format( - unit, f" with user {user}" if user is not None else "" - ) + f"waiting for unit {unit}" + + (f" with user {user}" if user is not None else "") ): retry(check_active, timeout) def get_unit_info(self, unit: str, user: Optional[str] = None) -> Dict[str, str]: - status, lines = self.systemctl('--no-pager show "{}"'.format(unit), user) + status, lines = self.systemctl(f'--no-pager show "{unit}"', user) if status != 0: raise Exception( - 'retrieving systemctl info for unit "{}" {} failed with exit code {}'.format( - unit, "" if user is None else 'under user "{}"'.format(user), status - ) + f'retrieving systemctl info for unit "{unit}"' + + ("" if user is None else f' under user "{user}"') + + f" failed with exit code {status}" ) line_pattern = re.compile(r"^([^=]+)=(.*)$") @@ -486,24 +483,22 @@ class Machine: if user is not None: q = q.replace("'", "\\'") return self.execute( - ( - "su -l {} --shell /bin/sh -c " - "$'XDG_RUNTIME_DIR=/run/user/`id -u` " - "systemctl --user {}'" - ).format(user, q) + f"su -l {user} --shell /bin/sh -c " + "$'XDG_RUNTIME_DIR=/run/user/`id -u` " + f"systemctl --user {q}'" ) - return self.execute("systemctl {}".format(q)) + return self.execute(f"systemctl {q}") def require_unit_state(self, unit: str, require_state: str = "active") -> None: with self.nested( - "checking if unit ‘{}’ has reached state '{}'".format(unit, require_state) + f"checking if unit '{unit}' has reached state '{require_state}'" ): info = self.get_unit_info(unit) state = info["ActiveState"] if state != require_state: raise Exception( - "Expected unit ‘{}’ to to be in state ".format(unit) - + "'{}' but it is in state ‘{}’".format(require_state, state) + f"Expected unit '{unit}' to to be in state " + f"'{require_state}' but it is in state '{state}'" ) def _next_newline_closed_block_from_shell(self) -> str: @@ -593,13 +588,11 @@ class Machine: """Execute each command and check that it succeeds.""" output = "" for command in commands: - with self.nested("must succeed: {}".format(command)): + with self.nested(f"must succeed: {command}"): (status, out) = self.execute(command, timeout=timeout) if status != 0: - self.log("output: {}".format(out)) - raise Exception( - "command `{}` failed (exit code {})".format(command, status) - ) + self.log(f"output: {out}") + raise Exception(f"command `{command}` failed (exit code {status})") output += out return output @@ -607,12 +600,10 @@ class Machine: """Execute each command and check that it fails.""" output = "" for command in commands: - with self.nested("must fail: {}".format(command)): + with self.nested(f"must fail: {command}"): (status, out) = self.execute(command, timeout=timeout) if status == 0: - raise Exception( - "command `{}` unexpectedly succeeded".format(command) - ) + raise Exception(f"command `{command}` unexpectedly succeeded") output += out return output @@ -627,7 +618,7 @@ class Machine: status, output = self.execute(command, timeout=timeout) return status == 0 - with self.nested("waiting for success: {}".format(command)): + with self.nested(f"waiting for success: {command}"): retry(check_success, timeout) return output @@ -642,7 +633,7 @@ class Machine: status, output = self.execute(command, timeout=timeout) return status != 0 - with self.nested("waiting for failure: {}".format(command)): + with self.nested(f"waiting for failure: {command}"): retry(check_failure) return output @@ -661,8 +652,8 @@ class Machine: def get_tty_text(self, tty: str) -> str: status, output = self.execute( - "fold -w$(stty -F /dev/tty{0} size | " - "awk '{{print $2}}') /dev/vcs{0}".format(tty) + f"fold -w$(stty -F /dev/tty{tty} size | " + f"awk '{{print $2}}') /dev/vcs{tty}" ) return output @@ -681,45 +672,45 @@ class Machine: ) return len(matcher.findall(text)) > 0 - with self.nested("waiting for {} to appear on tty {}".format(regexp, tty)): + with self.nested(f"waiting for {regexp} to appear on tty {tty}"): retry(tty_matches) - def send_chars(self, chars: str) -> None: - with self.nested("sending keys ‘{}‘".format(chars)): + def send_chars(self, chars: str, delay: Optional[float] = 0.01) -> None: + with self.nested(f"sending keys '{chars}'"): for char in chars: - self.send_key(char) + self.send_key(char, delay) def wait_for_file(self, filename: str) -> None: """Waits until the file exists in machine's file system.""" def check_file(_: Any) -> bool: - status, _ = self.execute("test -e {}".format(filename)) + status, _ = self.execute(f"test -e {filename}") return status == 0 - with self.nested("waiting for file ‘{}‘".format(filename)): + with self.nested(f"waiting for file '{filename}'"): retry(check_file) - def wait_for_open_port(self, port: int) -> None: + def wait_for_open_port(self, port: int, addr: str = "localhost") -> None: def port_is_open(_: Any) -> bool: - status, _ = self.execute("nc -z localhost {}".format(port)) + status, _ = self.execute(f"nc -z {addr} {port}") return status == 0 - with self.nested("waiting for TCP port {}".format(port)): + with self.nested(f"waiting for TCP port {port} on {addr}"): retry(port_is_open) - def wait_for_closed_port(self, port: int) -> None: + def wait_for_closed_port(self, port: int, addr: str = "localhost") -> None: def port_is_closed(_: Any) -> bool: - status, _ = self.execute("nc -z localhost {}".format(port)) + status, _ = self.execute(f"nc -z {addr} {port}") return status != 0 - with self.nested("waiting for TCP port {} to be closed".format(port)): + with self.nested(f"waiting for TCP port {port} on {addr} to be closed"): retry(port_is_closed) def start_job(self, jobname: str, user: Optional[str] = None) -> Tuple[int, str]: - return self.systemctl("start {}".format(jobname), user) + return self.systemctl(f"start {jobname}", user) def stop_job(self, jobname: str, user: Optional[str] = None) -> Tuple[int, str]: - return self.systemctl("stop {}".format(jobname), user) + return self.systemctl(f"stop {jobname}", user) def wait_for_job(self, jobname: str) -> None: self.wait_for_unit(jobname) @@ -739,21 +730,21 @@ class Machine: toc = time.time() self.log("connected to guest root shell") - self.log("(connecting took {:.2f} seconds)".format(toc - tic)) + self.log(f"(connecting took {toc - tic:.2f} seconds)") self.connected = True def screenshot(self, filename: str) -> None: word_pattern = re.compile(r"^\w+$") if word_pattern.match(filename): - filename = os.path.join(self.out_dir, "{}.png".format(filename)) - tmp = "{}.ppm".format(filename) + filename = os.path.join(self.out_dir, f"{filename}.png") + tmp = f"{filename}.ppm" with self.nested( - "making screenshot {}".format(filename), + f"making screenshot {filename}", {"image": os.path.basename(filename)}, ): - self.send_monitor_command("screendump {}".format(tmp)) - ret = subprocess.run("pnmtopng {} > {}".format(tmp, filename), shell=True) + self.send_monitor_command(f"screendump {tmp}") + ret = subprocess.run(f"pnmtopng '{tmp}' > '{filename}'", shell=True) os.unlink(tmp) if ret.returncode != 0: raise Exception("Cannot convert screenshot") @@ -815,7 +806,7 @@ class Machine: def dump_tty_contents(self, tty: str) -> None: """Debugging: Dump the contents of the TTY<n>""" - self.execute("fold -w 80 /dev/vcs{} | systemd-cat".format(tty)) + self.execute(f"fold -w 80 /dev/vcs{tty} | systemd-cat") def _get_screen_text_variants(self, model_ids: Iterable[int]) -> List[str]: with tempfile.TemporaryDirectory() as tmpdir: @@ -837,15 +828,15 @@ class Machine: return True if last: - self.log("Last OCR attempt failed. Text was: {}".format(variants)) + self.log(f"Last OCR attempt failed. Text was: {variants}") return False - with self.nested("waiting for {} to appear on screen".format(regex)): + with self.nested(f"waiting for {regex} to appear on screen"): retry(screen_matches) def wait_for_console_text(self, regex: str) -> None: - with self.nested("waiting for {} to appear on console".format(regex)): + with self.nested(f"waiting for {regex} to appear on console"): # Buffer the console output, this is needed # to match multiline regexes. console = io.StringIO() @@ -860,10 +851,11 @@ class Machine: if matches is not None: return - def send_key(self, key: str) -> None: + def send_key(self, key: str, delay: Optional[float] = 0.01) -> None: key = CHAR_TO_KEY.get(key, key) - self.send_monitor_command("sendkey {}".format(key)) - time.sleep(0.01) + self.send_monitor_command(f"sendkey {key}") + if delay is not None: + time.sleep(delay) def send_console(self, chars: str) -> None: assert self.process @@ -920,7 +912,7 @@ class Machine: self.pid = self.process.pid self.booted = True - self.log("QEMU running (pid {})".format(self.pid)) + self.log(f"QEMU running (pid {self.pid})") def cleanup_statedir(self) -> None: shutil.rmtree(self.state_dir) @@ -974,7 +966,7 @@ class Machine: names = self.get_window_names() if last_try: self.log( - "Last chance to match {} on the window list,".format(regexp) + f"Last chance to match {regexp} on the window list," + " which currently contains: " + ", ".join(names) ) @@ -991,9 +983,7 @@ class Machine: """Forward a TCP port on the host to a TCP port on the guest. Useful during interactive testing. """ - self.send_monitor_command( - "hostfwd_add tcp::{}-:{}".format(host_port, guest_port) - ) + self.send_monitor_command(f"hostfwd_add tcp::{host_port}-:{guest_port}") def block(self) -> None: """Make the machine unreachable by shutting down eth1 (the multicast diff --git a/nixos/lib/test-driver/test_driver/polling_condition.py b/nixos/lib/test-driver/test_driver/polling_condition.py index 459845452fa12..02ca0a03ab3dc 100644 --- a/nixos/lib/test-driver/test_driver/polling_condition.py +++ b/nixos/lib/test-driver/test_driver/polling_condition.py @@ -1,4 +1,5 @@ from typing import Callable, Optional +from math import isfinite import time from .logger import rootlog @@ -14,7 +15,7 @@ class PollingCondition: description: Optional[str] last_called: float - entered: bool + entry_count: int def __init__( self, @@ -34,14 +35,21 @@ class PollingCondition: self.description = str(description) self.last_called = float("-inf") - self.entered = False + self.entry_count = 0 - def check(self) -> bool: - if self.entered or not self.overdue: + def check(self, force: bool = False) -> bool: + if (self.entered or not self.overdue) and not force: return True with self, rootlog.nested(self.nested_message): - rootlog.info(f"Time since last: {time.monotonic() - self.last_called:.2f}s") + time_since_last = time.monotonic() - self.last_called + last_message = ( + f"Time since last: {time_since_last:.2f}s" + if isfinite(time_since_last) + else "(not called yet)" + ) + + rootlog.info(last_message) try: res = self.condition() # type: ignore except Exception: @@ -69,9 +77,16 @@ class PollingCondition: def overdue(self) -> bool: return self.last_called + self.seconds_interval < time.monotonic() + @property + def entered(self) -> bool: + # entry_count should never dip *below* zero + assert self.entry_count >= 0 + return self.entry_count > 0 + def __enter__(self) -> None: - self.entered = True + self.entry_count += 1 def __exit__(self, exc_type, exc_value, traceback) -> None: # type: ignore - self.entered = False + assert self.entered + self.entry_count -= 1 self.last_called = time.monotonic() diff --git a/nixos/lib/testing-python.nix b/nixos/lib/testing-python.nix index 134d38f1b6767..4904ad6e35913 100644 --- a/nixos/lib/testing-python.nix +++ b/nixos/lib/testing-python.nix @@ -1,3 +1,4 @@ +args@ { system , pkgs ? import ../.. { inherit system config; } # Use a minimal kernel? @@ -5,7 +6,7 @@ # Ignored , config ? { } # !!! See comment about args in lib/modules.nix -, specialArgs ? { } +, specialArgs ? throw "legacy - do not use, see error below" # Modules to add to each VM , extraConfigurations ? [ ] }: @@ -13,6 +14,13 @@ let nixos-lib = import ./default.nix { inherit (pkgs) lib; }; in +pkgs.lib.throwIf (args?specialArgs) '' + testing-python.nix: `specialArgs` is not supported anymore. If you're looking + for the public interface to the NixOS test framework, use `runTest`, and + `node.specialArgs`. + See https://nixos.org/manual/nixos/unstable/index.html#sec-calling-nixos-tests + and https://nixos.org/manual/nixos/unstable/index.html#test-opt-node.specialArgs +'' rec { inherit pkgs; diff --git a/nixos/lib/testing/legacy.nix b/nixos/lib/testing/legacy.nix index 868b8b65b17d5..b310575566015 100644 --- a/nixos/lib/testing/legacy.nix +++ b/nixos/lib/testing/legacy.nix @@ -3,9 +3,10 @@ let inherit (lib) mkIf mkOption types; in { - # This needs options.warnings, which we don't have (yet?). + # This needs options.warnings and options.assertions, which we don't have (yet?). # imports = [ # (lib.mkRenamedOptionModule [ "machine" ] [ "nodes" "machine" ]) + # (lib.mkRemovedOptionModule [ "minimal" ] "The minimal kernel module was removed as it was broken and not used any more in nixpkgs.") # ]; options = { diff --git a/nixos/lib/testing/nodes.nix b/nixos/lib/testing/nodes.nix index 8e620c96b3bb1..c538ab468c526 100644 --- a/nixos/lib/testing/nodes.nix +++ b/nixos/lib/testing/nodes.nix @@ -23,7 +23,7 @@ let nixpkgs.config.allowAliases = false; }) testModuleArgs.config.extraBaseModules - ] ++ optional config.minimal ../../modules/testing/minimal-kernel.nix; + ]; }; @@ -78,14 +78,6 @@ in ''; }; - minimal = mkOption { - type = types.bool; - default = false; - description = mdDoc '' - Enable to configure all [{option}`nodes`](#test-opt-nodes) to run with a minimal kernel. - ''; - }; - nodesCompat = mkOption { internal = true; description = mdDoc '' diff --git a/nixos/lib/utils.nix b/nixos/lib/utils.nix index 9eefa80d1c8b7..def3aa13f3202 100644 --- a/nixos/lib/utils.nix +++ b/nixos/lib/utils.nix @@ -48,7 +48,7 @@ rec { trim = s: removeSuffix "/" (removePrefix "/" s); normalizedPath = strings.normalizePath s; in - replaceChars ["/"] ["-"] + replaceStrings ["/"] ["-"] (replacePrefix "." (strings.escapeC ["."] ".") (strings.escapeC (stringToCharacters " !\"#$%&'()*+,;<=>=@[\\]^`{|}~-") (if normalizedPath == "/" then normalizedPath else trim normalizedPath))); @@ -67,7 +67,7 @@ rec { else if builtins.isInt arg || builtins.isFloat arg then toString arg else throw "escapeSystemdExecArg only allows strings, paths and numbers"; in - replaceChars [ "%" "$" ] [ "%%" "$$" ] (builtins.toJSON s); + replaceStrings [ "%" "$" ] [ "%%" "$$" ] (builtins.toJSON s); # Quotes a list of arguments into a single string for use in a Exec* # line. @@ -112,7 +112,7 @@ rec { else if isAttrs item then map (name: let - escapedName = ''"${replaceChars [''"'' "\\"] [''\"'' "\\\\"] name}"''; + escapedName = ''"${replaceStrings [''"'' "\\"] [''\"'' "\\\\"] name}"''; in recurse (prefix + "." + escapedName) item.${name}) (attrNames item) else if isList item then diff --git a/nixos/maintainers/scripts/ec2/amazon-image.nix b/nixos/maintainers/scripts/ec2/amazon-image.nix index e2a05a09d0c28..0db0f4d0dcca4 100644 --- a/nixos/maintainers/scripts/ec2/amazon-image.nix +++ b/nixos/maintainers/scripts/ec2/amazon-image.nix @@ -43,7 +43,7 @@ in { sizeMB = mkOption { type = with types; either (enum [ "auto" ]) int; - default = if config.ec2.hvm then 2048 else 8192; + default = 2048; example = 8192; description = lib.mdDoc "The size in MB of the image"; }; @@ -60,9 +60,6 @@ in { '' { modulesPath, ... }: { imports = [ "''${modulesPath}/virtualisation/amazon-image.nix" ]; - ${optionalString config.ec2.hvm '' - ec2.hvm = true; - ''} ${optionalString config.ec2.efi '' ec2.efi = true; ''} @@ -129,9 +126,7 @@ in { pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package fsType = "ext4"; - partitionTableType = if config.ec2.efi then "efi" - else if config.ec2.hvm then "legacy+gpt" - else "none"; + partitionTableType = if config.ec2.efi then "efi" else "legacy+gpt"; diskSize = cfg.sizeMB; diff --git a/nixos/maintainers/scripts/lxd/lxd-image-inner.nix b/nixos/maintainers/scripts/lxd/lxd-image-inner.nix index ead3d4e994014..c8cf2a04fb10a 100644 --- a/nixos/maintainers/scripts/lxd/lxd-image-inner.nix +++ b/nixos/maintainers/scripts/lxd/lxd-image-inner.nix @@ -94,9 +94,4 @@ with lib; # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "21.05"; # Did you read the comment? - - # As this is intended as a stadalone image, undo some of the minimal profile stuff - documentation.enable = true; - documentation.nixos.enable = true; - environment.noXlibs = false; } diff --git a/nixos/maintainers/scripts/lxd/lxd-image.nix b/nixos/maintainers/scripts/lxd/lxd-image.nix index 6aa3f2f558471..cf30836dffe55 100644 --- a/nixos/maintainers/scripts/lxd/lxd-image.nix +++ b/nixos/maintainers/scripts/lxd/lxd-image.nix @@ -26,9 +26,4 @@ with lib; # Network networking.useDHCP = false; networking.interfaces.eth0.useDHCP = true; - - # As this is intended as a standalone image, undo some of the minimal profile stuff - documentation.enable = true; - documentation.nixos.enable = true; - environment.noXlibs = false; } diff --git a/nixos/modules/config/gtk/gtk-icon-cache.nix b/nixos/modules/config/gtk/gtk-icon-cache.nix index 87d5483e36ab9..62f0cc3f090f9 100644 --- a/nixos/modules/config/gtk/gtk-icon-cache.nix +++ b/nixos/modules/config/gtk/gtk-icon-cache.nix @@ -52,10 +52,8 @@ with lib; environment.extraSetup = '' # For each icon theme directory ... - - find $out/share/icons -mindepth 1 -maxdepth 1 -print0 | while read -d $'\0' themedir + find $out/share/icons -exec test -d {} ';' -mindepth 1 -maxdepth 1 -print0 | while read -d $'\0' themedir do - # In order to build the cache, the theme dir should be # writable. When the theme dir is a symbolic link to somewhere # in the nix store it is not writable and it means that only diff --git a/nixos/modules/config/krb5/default.nix b/nixos/modules/config/krb5/default.nix index e3e0fadf09638..df7a3f48236f0 100644 --- a/nixos/modules/config/krb5/default.nix +++ b/nixos/modules/config/krb5/default.nix @@ -82,8 +82,8 @@ in { kerberos = mkOption { type = types.package; - default = pkgs.krb5Full; - defaultText = literalExpression "pkgs.krb5Full"; + default = pkgs.krb5; + defaultText = literalExpression "pkgs.krb5"; example = literalExpression "pkgs.heimdal"; description = lib.mdDoc '' The Kerberos implementation that will be present in diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix index 946c9bf38c470..70e265a65a60c 100644 --- a/nixos/modules/config/no-x-libs.nix +++ b/nixos/modules/config/no-x-libs.nix @@ -30,10 +30,16 @@ with lib; beam = super.beam_nox; cairo = super.cairo.override { x11Support = false; }; dbus = super.dbus.override { x11Support = false; }; - ffmpeg_4 = super.ffmpeg_4.override { sdlSupport = false; vdpauSupport = false; }; - ffmpeg_5 = super.ffmpeg_5.override { sdlSupport = false; vdpauSupport = false; }; + ffmpeg_4 = super.ffmpeg_4-headless; + ffmpeg_5 = super.ffmpeg_5-headless; gobject-introspection = super.gobject-introspection.override { x11Support = false; }; + gpsd = super.gpsd.override { guiSupport = false; }; + imagemagick = super.imagemagick.override { libX11Support = false; libXtSupport = false; }; + imagemagickBig = super.imagemagickBig.override { libX11Support = false; libXtSupport = false; }; + libextractor = super.libextractor.override { gstreamerSupport = false; gtkSupport = false; }; libva = super.libva-minimal; + limesuite = super.limesuite.override { withGui = false; }; + msmtp = super.msmtp.override { withKeyring = false; }; networkmanager-fortisslvpn = super.networkmanager-fortisslvpn.override { withGnome = false; }; networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; }; networkmanager-l2tp = super.networkmanager-l2tp.override { withGnome = false; }; @@ -41,7 +47,10 @@ with lib; networkmanager-openvpn = super.networkmanager-openvpn.override { withGnome = false; }; networkmanager-sstp = super.networkmanager-vpnc.override { withGnome = false; }; networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; }; + pinentry = super.pinentry.override { enabledFlavors = [ "curses" "tty" "emacs" ]; withLibsecret = false; }; qemu = super.qemu.override { gtkSupport = false; spiceSupport = false; sdlSupport = false; }; + qrencode = super.qrencode.overrideAttrs (_: { doCheck = false; }); + zbar = super.zbar.override { enableVideo = false; withXorg = false; }; })); }; } diff --git a/nixos/modules/config/power-management.nix b/nixos/modules/config/power-management.nix index a4e8028cfbe9e..e7fd02920e0dc 100644 --- a/nixos/modules/config/power-management.nix +++ b/nixos/modules/config/power-management.nix @@ -94,7 +94,7 @@ in after = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" "suspend-then-hibernate.target" ]; script = '' - /run/current-system/systemd/bin/systemctl try-restart post-resume.target + /run/current-system/systemd/bin/systemctl try-restart --no-block post-resume.target ${cfg.resumeCommands} ${cfg.powerUpCommands} ''; diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix index 50bb9b17783bb..bc6583442edf2 100644 --- a/nixos/modules/config/shells-environment.nix +++ b/nixos/modules/config/shells-environment.nix @@ -42,8 +42,8 @@ in strings. The latter is concatenated, interspersed with colon characters. ''; - type = with types; attrsOf (either str (listOf str)); - apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else v); + type = with types; attrsOf (oneOf [ (listOf str) str path ]); + apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else "${v}"); }; environment.profiles = mkOption { diff --git a/nixos/modules/config/swap.nix b/nixos/modules/config/swap.nix index 10d52ade288bb..76a054b100ebe 100644 --- a/nixos/modules/config/swap.nix +++ b/nixos/modules/config/swap.nix @@ -160,7 +160,7 @@ let config = rec { device = mkIf options.label.isDefined "/dev/disk/by-label/${config.label}"; - deviceName = lib.replaceChars ["\\"] [""] (escapeSystemdPath config.device); + deviceName = lib.replaceStrings ["\\"] [""] (escapeSystemdPath config.device); realDevice = if config.randomEncryption.enable then "/dev/mapper/${deviceName}" else config.device; }; diff --git a/nixos/modules/config/system-environment.nix b/nixos/modules/config/system-environment.nix index 5b226d5079b0f..399304185223f 100644 --- a/nixos/modules/config/system-environment.nix +++ b/nixos/modules/config/system-environment.nix @@ -1,6 +1,6 @@ # This module defines a system-wide environment that will be # initialised by pam_env (that is, not only in shells). -{ config, lib, pkgs, ... }: +{ config, lib, options, pkgs, ... }: with lib; @@ -32,8 +32,7 @@ in therefore not possible to use PAM style variables such as `@{HOME}`. ''; - type = with types; attrsOf (either str (listOf str)); - apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else v); + inherit (options.environment.variables) type apply; }; environment.profileRelativeSessionVariables = mkOption { diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index b538a0119c06d..19319b9309cd1 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -35,7 +35,7 @@ let ''; hashedPasswordDescription = '' - To generate a hashed password run `mkpasswd -m sha-512`. + To generate a hashed password run `mkpasswd`. If set to an empty string (`""`), this user will be able to log in without being asked for a password (but not via remote @@ -101,16 +101,13 @@ let type = types.bool; default = false; description = lib.mdDoc '' - Indicates whether this is an account for a “real” user. This - automatically sets {option}`group` to - `users`, {option}`createHome` to - `true`, {option}`home` to - {file}`/home/«username»`, + Indicates whether this is an account for a “real” user. + This automatically sets {option}`group` to `users`, + {option}`createHome` to `true`, + {option}`home` to {file}`/home/«username»`, {option}`useDefaultShell` to `true`, - and {option}`isSystemUser` to - `false`. - Exactly one of `isNormalUser` and - `isSystemUser` must be true. + and {option}`isSystemUser` to `false`. + Exactly one of `isNormalUser` and `isSystemUser` must be true. ''; }; @@ -592,13 +589,33 @@ in { ''; }; + # Warn about user accounts with deprecated password hashing schemes + system.activationScripts.hashes = { + deps = [ "users" ]; + text = '' + users=() + while IFS=: read -r user hash tail; do + if [[ "$hash" = "$"* && ! "$hash" =~ ^\$(y|gy|7|2b|2y|2a|6)\$ ]]; then + users+=("$user") + fi + done </etc/shadow + + if (( "''${#users[@]}" )); then + echo " + WARNING: The following user accounts rely on password hashes that will + be removed in NixOS 23.05. They should be renewed as soon as possible." + printf ' - %s\n' "''${users[@]}" + fi + ''; + }; + # for backwards compatibility system.activationScripts.groups = stringAfter [ "users" ] ""; # Install all the user shells environment.systemPackages = systemShells; - environment.etc = (mapAttrs' (_: { packages, name, ... }: { + environment.etc = mapAttrs' (_: { packages, name, ... }: { name = "profiles/per-user/${name}"; value.source = pkgs.buildEnv { name = "user-environment"; @@ -606,7 +623,7 @@ in { inherit (config.environment) pathsToLink extraOutputsToInstall; inherit (config.system.path) ignoreCollisions postBuild; }; - }) (filterAttrs (_: u: u.packages != []) cfg.users)); + }) (filterAttrs (_: u: u.packages != []) cfg.users); environment.profiles = [ "$HOME/.nix-profile" diff --git a/nixos/modules/config/xdg/portal.nix b/nixos/modules/config/xdg/portal.nix index e28ff74e5d80a..ab6cffe499aa8 100644 --- a/nixos/modules/config/xdg/portal.nix +++ b/nixos/modules/config/xdg/portal.nix @@ -61,6 +61,17 @@ in Defaults to `false` to respect its opt-in nature. ''; }; + + xdgOpenUsePortal = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Sets environment variable `NIXOS_XDG_OPEN_USE_PORTAL` to `1` + This will make `xdg-open` use the portal to open programs, which resolves bugs involving + programs opening inside FHS envs or with unexpected env vars set from wrappers. + See [#160923](https://github.com/NixOS/nixpkgs/issues/160923) for more info. + ''; + }; }; config = @@ -95,6 +106,7 @@ in sessionVariables = { GTK_USE_PORTAL = mkIf cfg.gtkUsePortal "1"; + NIXOS_XDG_OPEN_USE_PORTAL = mkIf cfg.xdgOpenUsePortal "1"; XDG_DESKTOP_PORTAL_DIR = "${joinedPortals}/share/xdg-desktop-portal/portals"; }; }; diff --git a/nixos/modules/config/zram.nix b/nixos/modules/config/zram.nix index cc2ca63144332..87ac53a60b7ed 100644 --- a/nixos/modules/config/zram.nix +++ b/nixos/modules/config/zram.nix @@ -132,6 +132,8 @@ in options zram num_devices=${toString cfg.numDevices} ''; + boot.kernelParams = ["zram.num_devices=${toString cfg.numDevices}"]; + services.udev.extraRules = '' KERNEL=="zram[0-9]*", ENV{SYSTEMD_WANTS}="zram-init-%k.service", TAG+="systemd" ''; @@ -178,9 +180,9 @@ in serviceConfig = { Type = "oneshot"; RemainAfterExit = true; - ExecStartPre = "${modprobe} -r zram"; - ExecStart = "${modprobe} zram"; - ExecStop = "${modprobe} -r zram"; + ExecStartPre = "-${modprobe} -r zram"; + ExecStart = "-${modprobe} zram"; + ExecStop = "-${modprobe} -r zram"; }; restartTriggers = [ cfg.numDevices diff --git a/nixos/modules/hardware/gpgsmartcards.nix b/nixos/modules/hardware/gpgsmartcards.nix index 43ade4d12e120..68e1e5f74e2e5 100644 --- a/nixos/modules/hardware/gpgsmartcards.nix +++ b/nixos/modules/hardware/gpgsmartcards.nix @@ -8,7 +8,7 @@ let # https://salsa.debian.org/debian/gnupg2/-/blob/debian/main/debian/scdaemon.udev # the latest rev of the entire debian gnupg2 repo as of 2021-04-28 - # the scdaemon.udev file was last commited on 2021-01-05 (7817a03): + # the scdaemon.udev file was last committed on 2021-01-05 (7817a03): scdaemonUdevRev = "01898735a015541e3ffb43c7245ac1e612f40836"; scdaemonRules = pkgs.fetchurl { diff --git a/nixos/modules/hardware/opengl.nix b/nixos/modules/hardware/opengl.nix index 5a5d88d9a4e00..9108bcbd1652a 100644 --- a/nixos/modules/hardware/opengl.nix +++ b/nixos/modules/hardware/opengl.nix @@ -26,9 +26,7 @@ in imports = [ (mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ]) - (mkRemovedOptionModule [ "hardware" "opengl" "s3tcSupport" ] '' - S3TC support is now always enabled in Mesa. - '') + (mkRemovedOptionModule [ "hardware" "opengl" "s3tcSupport" ] "S3TC support is now always enabled in Mesa.") ]; options = { @@ -89,21 +87,28 @@ in extraPackages = mkOption { type = types.listOf types.package; default = []; - example = literalExpression "with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ]"; + example = literalExpression "with pkgs; [ intel-media-driver intel-ocl vaapiIntel ]"; description = lib.mdDoc '' - Additional packages to add to OpenGL drivers. This can be used - to add OpenCL drivers, VA-API/VDPAU drivers etc. + Additional packages to add to OpenGL drivers. + This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc. + + ::: {.note} + intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained vaapiIntel driver. + ::: ''; }; extraPackages32 = mkOption { type = types.listOf types.package; default = []; - example = literalExpression "with pkgs.pkgsi686Linux; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]"; + example = literalExpression "with pkgs.pkgsi686Linux; [ intel-media-driver vaapiIntel ]"; description = lib.mdDoc '' - Additional packages to add to 32-bit OpenGL drivers on - 64-bit systems. Used when {option}`driSupport32Bit` is - set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc. + Additional packages to add to 32-bit OpenGL drivers on 64-bit systems. + Used when {option}`driSupport32Bit` is set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc. + + ::: {.note} + intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained vaapiIntel driver. + ::: ''; }; @@ -124,7 +129,6 @@ in }; config = mkIf cfg.enable { - assertions = [ { assertion = cfg.driSupport32Bit -> pkgs.stdenv.isx86_64; message = "Option driSupport32Bit only makes sense on a 64-bit system."; diff --git a/nixos/modules/hardware/openrazer.nix b/nixos/modules/hardware/openrazer.nix index 247913297c9e0..aaa4000e758ff 100644 --- a/nixos/modules/hardware/openrazer.nix +++ b/nixos/modules/hardware/openrazer.nix @@ -110,7 +110,7 @@ in boot.extraModulePackages = [ kernelPackages.openrazer ]; boot.kernelModules = drivers; - # Makes the man pages available so you can succesfully run + # Makes the man pages available so you can successfully run # > systemctl --user help openrazer-daemon environment.systemPackages = [ pkgs.python3Packages.openrazer-daemon.man ]; diff --git a/nixos/modules/hardware/printers.nix b/nixos/modules/hardware/printers.nix index 64c29bb0a5b3b..85e3215127fdc 100644 --- a/nixos/modules/hardware/printers.nix +++ b/nixos/modules/hardware/printers.nix @@ -100,7 +100,7 @@ in { default = {}; description = lib.mdDoc '' Sets PPD options for the printer. - {command}`lpoptions [-p printername] -l` shows suported PPD options for the given printer. + {command}`lpoptions [-p printername] -l` shows supported PPD options for the given printer. ''; }; }; diff --git a/nixos/modules/installer/cd-dvd/channel.nix b/nixos/modules/installer/cd-dvd/channel.nix index 2a0feaeb28456..4b4c2e3933482 100644 --- a/nixos/modules/installer/cd-dvd/channel.nix +++ b/nixos/modules/installer/cd-dvd/channel.nix @@ -6,6 +6,12 @@ with lib; let + # This is copied into the installer image, so it's important that it is filtered + # to avoid including a large .git directory. + # We also want the source name to be normalised to "source" to avoid depending on the + # location of nixpkgs. + # In the future we might want to expose the ISO image from the flake and use + # `self.outPath` directly instead. nixpkgs = lib.cleanSource pkgs.path; # We need a copy of the Nix expressions for Nixpkgs and NixOS on the @@ -31,7 +37,14 @@ let in { - nix.registry.nixpkgs.flake.outPath = builtins.path { name = "source"; path = pkgs.path; }; + # Pin the nixpkgs flake in the installer to our cleaned up nixpkgs source. + # FIXME: this might be surprising and is really only needed for offline installations, + # see discussion in https://github.com/NixOS/nixpkgs/pull/204178#issuecomment-1336289021 + nix.registry.nixpkgs.to = { + type = "path"; + path = nixpkgs; + }; + # Provide the NixOS/Nixpkgs sources in /etc/nixos. This is required # for nixos-install. boot.postBootCommands = mkAfter diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares.nix index 288cbc94a321b..3f3571d253825 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares.nix @@ -14,8 +14,6 @@ in calamares-nixos calamares-nixos-autostart calamares-nixos-extensions - # Needed for calamares QML module packagechooserq - libsForQt5.full # Get list of locales glibcLocales ]; diff --git a/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix b/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix new file mode 100644 index 0000000000000..9d09cdbe0206d --- /dev/null +++ b/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix @@ -0,0 +1,15 @@ +{ pkgs, ... }: + +{ + imports = [ ./installation-cd-minimal-new-kernel.nix ]; + + # Makes `availableOn` fail for zfs, see <nixos/modules/profiles/base.nix>. + # This is a workaround since we cannot remove the `"zfs"` string from `supportedFilesystems`. + # The proper fix would be to make `supportedFilesystems` an attrset with true/false which we + # could then `lib.mkForce false` + nixpkgs.overlays = [(final: super: { + zfs = super.zfs.overrideAttrs(_: { + meta.platforms = []; + }); + })]; +} diff --git a/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix b/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix index 97506045e0e15..7a3bd74cb70a7 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix @@ -1,14 +1,20 @@ # This module defines a small NixOS installation CD. It does not # contain any graphical stuff. -{ ... }: +{ lib, ... }: { - imports = - [ ./installation-cd-base.nix - ]; + imports = [ + ../../profiles/minimal.nix + ./installation-cd-base.nix + ]; - isoImage.edition = "minimal"; + # Causes a lot of uncached builds for a negligible decrease in size. + environment.noXlibs = lib.mkOverride 500 false; - fonts.fontconfig.enable = false; + documentation.man.enable = lib.mkOverride 500 true; + + fonts.fontconfig.enable = lib.mkForce false; + + isoImage.edition = lib.mkForce "minimal"; } diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index e37142f05f41b..659df7851b08d 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -70,18 +70,24 @@ let ; # Timeout in syslinux is in units of 1/10 of a second. - # 0 is used to disable timeouts. + # null means max timeout (35996, just under 1h in 1/10 seconds) + # 0 means disable timeout syslinuxTimeout = if config.boot.loader.timeout == null then - 0 + 35996 else - max (config.boot.loader.timeout * 10) 1; + config.boot.loader.timeout * 10; - - max = x: y: if x > y then x else y; + # Timeout in grub is in seconds. + # null means max timeout (infinity) + # 0 means disable timeout + grubEfiTimeout = if config.boot.loader.timeout == null then + -1 + else + config.boot.loader.timeout; # The configuration file for syslinux. - # Notes on syslinux configuration and UNetbootin compatiblity: + # Notes on syslinux configuration and UNetbootin compatibility: # * Do not use '/syslinux/syslinux.cfg' as the path for this # configuration. UNetbootin will not parse the file and use it as-is. # This results in a broken configuration if the partition label does @@ -286,7 +292,7 @@ let if serial; then set with_serial=yes ;fi export with_serial clear - set timeout=10 + set timeout=${toString grubEfiTimeout} # This message will only be viewable when "gfxterm" is not used. echo "" diff --git a/nixos/modules/installer/netboot/netboot-minimal.nix b/nixos/modules/installer/netboot/netboot-minimal.nix index 1563501a7e011..91065d52faf47 100644 --- a/nixos/modules/installer/netboot/netboot-minimal.nix +++ b/nixos/modules/installer/netboot/netboot-minimal.nix @@ -1,10 +1,12 @@ # This module defines a small netboot environment. -{ ... }: +{ lib, ... }: { - imports = - [ ./netboot-base.nix - ../../profiles/minimal.nix - ]; + imports = [ + ./netboot-base.nix + ../../profiles/minimal.nix + ]; + + documentation.man.enable = lib.mkOverride 500 true; } diff --git a/nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix b/nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix new file mode 100644 index 0000000000000..0e50559602945 --- /dev/null +++ b/nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix @@ -0,0 +1,15 @@ +{ pkgs, ... }: + +{ + imports = [ ./sd-image-aarch64-new-kernel-installer.nix ]; + + # Makes `availableOn` fail for zfs, see <nixos/modules/profiles/base.nix>. + # This is a workaround since we cannot remove the `"zfs"` string from `supportedFilesystems`. + # The proper fix would be to make `supportedFilesystems` an attrset with true/false which we + # could then `lib.mkForce false` + nixpkgs.overlays = [(final: super: { + zfs = super.zfs.overrideAttrs(_: { + meta.platforms = []; + }); + })]; +} diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix index 4700895cec8e8..3eca901bdbf7b 100644 --- a/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,7 +1,7 @@ { - x86_64-linux = "/nix/store/nmq5zcd93qb1yskx42rs910ff0247nn2-nix-2.11.0"; - i686-linux = "/nix/store/ja6im1sw9a8lzczi10lc0iddffl9kzmn-nix-2.11.0"; - aarch64-linux = "/nix/store/myr6fcqa9y4y2fb83zz73dck52vcn81z-nix-2.11.0"; - x86_64-darwin = "/nix/store/2pfjz9b22k9997gh7cb0hjk1qa4lxrvy-nix-2.11.0"; - aarch64-darwin = "/nix/store/lr32i0bdarx1iqsch4sy24jj1jkfw9vf-nix-2.11.0"; + x86_64-linux = "/nix/store/h88w1442c7hzkbw8sgpcsbqp4lhz6l5p-nix-2.12.0"; + i686-linux = "/nix/store/j23527l1c3hfx17nssc0v53sq6c741zs-nix-2.12.0"; + aarch64-linux = "/nix/store/zgzmdymyh934y3r4vqh8z337ba4cwsjb-nix-2.12.0"; + x86_64-darwin = "/nix/store/wnlrzllazdyg1nrw9na497p4w0m7i7mm-nix-2.12.0"; + aarch64-darwin = "/nix/store/7n5yamgzg5dpp5vb6ipdqgfh6cf30wmn-nix-2.12.0"; } diff --git a/nixos/modules/installer/tools/nixos-enter.sh b/nixos/modules/installer/tools/nixos-enter.sh index 89beeee7cf9e5..30113ee00508b 100644 --- a/nixos/modules/installer/tools/nixos-enter.sh +++ b/nixos/modules/installer/tools/nixos-enter.sh @@ -101,7 +101,7 @@ chroot_add_resolv_conf "$mountPoint" || echo "$0: failed to set up resolv.conf" LOCALE_ARCHIVE="$system/sw/lib/locale/locale-archive" IN_NIXOS_ENTER=1 chroot "$mountPoint" "$system/activate" 1>&2 || true # Create /tmp - chroot "$mountPoint" systemd-tmpfiles --create --remove --exclude-prefix=/dev 1>&2 || true + chroot "$mountPoint" "$system/sw/bin/systemd-tmpfiles" --create --remove --exclude-prefix=/dev 1>&2 || true ) unset TMPDIR diff --git a/nixos/modules/misc/documentation.nix b/nixos/modules/misc/documentation.nix index aa6e40f43705e..64a8f7846b463 100644 --- a/nixos/modules/misc/documentation.nix +++ b/nixos/modules/misc/documentation.nix @@ -48,10 +48,15 @@ let }; scrubDerivations = namePrefix: pkgSet: mapAttrs (name: value: - let wholeName = "${namePrefix}.${name}"; in - if isAttrs value then + let + wholeName = "${namePrefix}.${name}"; + guard = lib.warn "Attempt to evaluate package ${wholeName} in option documentation; this is not supported and will eventually be an error. Use `mkPackageOption` or `literalExpression` instead."; + in if isAttrs value then scrubDerivations wholeName value - // (optionalAttrs (isDerivation value) { outPath = "\${${wholeName}}"; }) + // optionalAttrs (isDerivation value) { + outPath = guard "\${${wholeName}}"; + drvPath = guard drvPath; + } else value ) pkgSet; diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index cbc3b612059d7..17ea04cb4ecb5 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -355,6 +355,7 @@ in pipewire = 323; rstudio-server = 324; localtimed = 325; + automatic-timezoned = 326; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -664,6 +665,7 @@ in pipewire = 323; rstudio-server = 324; localtimed = 325; + automatic-timezoned = 326; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/misc/label.nix b/nixos/modules/misc/label.nix index 0c29d13aab1df..44ee812249ce4 100644 --- a/nixos/modules/misc/label.nix +++ b/nixos/modules/misc/label.nix @@ -27,7 +27,7 @@ in variable (defaults to the value of {option}`system.nixos.version`). - Can be overriden by setting {env}`NIXOS_LABEL`. + Can be overridden by setting {env}`NIXOS_LABEL`. Useful for not loosing track of configurations built from different nixos branches/revisions, e.g.: diff --git a/nixos/modules/misc/man-db.nix b/nixos/modules/misc/man-db.nix index 08fb91b3994c4..299b11d1fcef2 100644 --- a/nixos/modules/misc/man-db.nix +++ b/nixos/modules/misc/man-db.nix @@ -52,9 +52,11 @@ in environment.systemPackages = [ cfg.package ]; environment.etc."man_db.conf".text = let - manualCache = pkgs.runCommand "man-cache" { } '' + manualCache = pkgs.runCommand "man-cache" { + nativeBuildInputs = [ cfg.package ]; + } '' echo "MANDB_MAP ${cfg.manualPages}/share/man $out" > man.conf - ${cfg.package}/bin/mandb -C man.conf -psc >/dev/null 2>&1 + mandb -C man.conf -psc >/dev/null 2>&1 ''; in '' diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix index 00460a88d86cb..7f44c3f6f3f0e 100644 --- a/nixos/modules/misc/nixpkgs.nix +++ b/nixos/modules/misc/nixpkgs.nix @@ -23,12 +23,12 @@ let optionalAttrs (lhs ? packageOverrides) { packageOverrides = pkgs: optCall lhs.packageOverrides pkgs // - optCall (attrByPath ["packageOverrides"] ({}) rhs) pkgs; + optCall (attrByPath [ "packageOverrides" ] { } rhs) pkgs; } // optionalAttrs (lhs ? perlPackageOverrides) { perlPackageOverrides = pkgs: optCall lhs.perlPackageOverrides pkgs // - optCall (attrByPath ["perlPackageOverrides"] ({}) rhs) pkgs; + optCall (attrByPath [ "perlPackageOverrides" ] { } rhs) pkgs; }; configType = mkOptionType { @@ -67,11 +67,6 @@ let # Context for messages hostPlatformLine = optionalString hasHostPlatform "${showOptionWithDefLocs opt.hostPlatform}"; buildPlatformLine = optionalString hasBuildPlatform "${showOptionWithDefLocs opt.buildPlatform}"; - platformLines = optionalString hasPlatform '' - Your system configuration configures nixpkgs with platform parameters: - ${hostPlatformLine - }${buildPlatformLine - }''; legacyOptionsDefined = optional (opt.localSystem.highestPrio < (mkDefault {}).priority) opt.system @@ -307,7 +302,7 @@ in '' else throw '' - Neither ${opt.hostPlatform} nor or the legacy option ${opt.system} has been set. + Neither ${opt.hostPlatform} nor the legacy option ${opt.system} has been set. You can set ${opt.hostPlatform} in hardware-configuration.nix by re-running a recent version of nixos-generate-config. The option ${opt.system} is still fully supported for NixOS 22.05 interoperability, diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix index b3cdaf5568d4f..1067b21a22b07 100644 --- a/nixos/modules/misc/version.nix +++ b/nixos/modules/misc/version.nix @@ -89,6 +89,12 @@ in stateVersion = mkOption { type = types.str; + # TODO Remove this and drop the default of the option so people are forced to set it. + # Doing this also means fixing the comment in nixos/modules/testing/test-instrumentation.nix + apply = v: + lib.warnIf (options.system.stateVersion.highestPrio == (lib.mkOptionDefault { }).priority) + "system.stateVersion is not set, defaulting to ${v}. Read why this matters on https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion." + v; default = cfg.release; defaultText = literalExpression "config.${opt.release}"; description = lib.mdDoc '' @@ -149,14 +155,6 @@ in "os-release".text = attrsToText osReleaseContents; }; - # We have to use `warnings` because when warning in the default of the option - # the warning would also be shown when building the manual since the manual - # has to evaluate the default. - # - # TODO Remove this and drop the default of the option so people are forced to set it. - # Doing this also means fixing the comment in nixos/modules/testing/test-instrumentation.nix - warnings = lib.optional (options.system.stateVersion.highestPrio == (lib.mkOptionDefault { }).priority) - "system.stateVersion is not set, defaulting to ${config.system.stateVersion}. Read why this matters on https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion."; }; # uses version info nixpkgs, which requires a full nixpkgs path diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index ca5bf624f725b..41b953dc34733 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1,21 +1,13 @@ [ + ./config/appstream.nix + ./config/console.nix ./config/debug-info.nix ./config/fonts/fontconfig.nix ./config/fonts/fontdir.nix ./config/fonts/fonts.nix ./config/fonts/ghostscript.nix - ./config/xdg/autostart.nix - ./config/xdg/icons.nix - ./config/xdg/menus.nix - ./config/xdg/mime.nix - ./config/xdg/portal.nix - ./config/xdg/portals/wlr.nix - ./config/xdg/portals/lxqt.nix - ./config/appstream.nix - ./config/console.nix - ./config/xdg/sounds.nix - ./config/gtk/gtk-icon-cache.nix ./config/gnu.nix + ./config/gtk/gtk-icon-cache.nix ./config/i18n.nix ./config/iproute2.nix ./config/krb5/default.nix @@ -39,25 +31,32 @@ ./config/unix-odbc-drivers.nix ./config/users-groups.nix ./config/vte.nix + ./config/xdg/autostart.nix + ./config/xdg/icons.nix + ./config/xdg/menus.nix + ./config/xdg/mime.nix + ./config/xdg/portal.nix + ./config/xdg/portals/lxqt.nix + ./config/xdg/portals/wlr.nix + ./config/xdg/sounds.nix ./config/zram.nix ./hardware/acpilight.nix ./hardware/all-firmware.nix ./hardware/bladeRF.nix ./hardware/brillo.nix ./hardware/ckb-next.nix + ./hardware/corectrl.nix ./hardware/cpu/amd-microcode.nix + ./hardware/cpu/amd-sev.nix ./hardware/cpu/intel-microcode.nix ./hardware/cpu/intel-sgx.nix - ./hardware/corectrl.nix - ./hardware/digitalbitbox.nix ./hardware/device-tree.nix - ./hardware/gkraken.nix + ./hardware/digitalbitbox.nix ./hardware/flirc.nix + ./hardware/gkraken.nix ./hardware/gpgsmartcards.nix - ./hardware/i2c.nix ./hardware/hackrf.nix - ./hardware/sensor/hddtemp.nix - ./hardware/sensor/iio.nix + ./hardware/i2c.nix ./hardware/keyboard/teck.nix ./hardware/keyboard/uhk.nix ./hardware/keyboard/zsa.nix @@ -70,33 +69,35 @@ ./hardware/network/intel-2200bg.nix ./hardware/new-lg4ff.nix ./hardware/nitrokey.nix + ./hardware/onlykey/default.nix ./hardware/opengl.nix ./hardware/openrazer.nix + ./hardware/opentabletdriver.nix ./hardware/pcmcia.nix ./hardware/printers.nix ./hardware/raid/hpsa.nix ./hardware/rtl-sdr.nix ./hardware/saleae-logic.nix + ./hardware/sata.nix + ./hardware/sensor/hddtemp.nix + ./hardware/sensor/iio.nix ./hardware/steam-hardware.nix ./hardware/system-76.nix ./hardware/tuxedo-keyboard.nix ./hardware/ubertooth.nix - ./hardware/usb-wwan.nix - ./hardware/usb-storage.nix - ./hardware/onlykey/default.nix - ./hardware/opentabletdriver.nix - ./hardware/sata.nix - ./hardware/wooting.nix ./hardware/uinput.nix + ./hardware/usb-storage.nix + ./hardware/usb-wwan.nix ./hardware/video/amdgpu-pro.nix - ./hardware/video/capture/mwprocapture.nix ./hardware/video/bumblebee.nix + ./hardware/video/capture/mwprocapture.nix ./hardware/video/displaylink.nix ./hardware/video/hidpi.nix ./hardware/video/nvidia.nix ./hardware/video/switcheroo-control.nix ./hardware/video/uvcvideo/default.nix ./hardware/video/webcam/facetimehd.nix + ./hardware/wooting.nix ./hardware/xone.nix ./hardware/xpadneo.nix ./i18n/input-method/default.nix @@ -104,39 +105,40 @@ ./i18n/input-method/fcitx5.nix ./i18n/input-method/hime.nix ./i18n/input-method/ibus.nix + ./i18n/input-method/kime.nix ./i18n/input-method/nabi.nix ./i18n/input-method/uim.nix - ./i18n/input-method/kime.nix ./installer/tools/tools.nix ./misc/assertions.nix ./misc/crashdump.nix ./misc/documentation.nix ./misc/extra-arguments.nix ./misc/ids.nix - ./misc/lib.nix ./misc/label.nix + ./misc/lib.nix ./misc/locate.nix ./misc/man-db.nix ./misc/mandoc.nix ./misc/meta.nix + ./misc/nixops-autoluks.nix ./misc/nixpkgs.nix ./misc/passthru.nix ./misc/version.nix ./misc/wordlist.nix - ./misc/nixops-autoluks.nix - ./programs/_1password.nix ./programs/_1password-gui.nix + ./programs/_1password.nix ./programs/adb.nix ./programs/appgate-sdp.nix ./programs/atop.nix ./programs/ausweisapp.nix ./programs/autojump.nix ./programs/bandwhich.nix - ./programs/bash/bash.nix + ./programs/bash-my-aws.nix ./programs/bash/bash-completion.nix + ./programs/bash/bash.nix + ./programs/bash/blesh.nix ./programs/bash/ls-colors.nix ./programs/bash/undistract-me.nix - ./programs/bash-my-aws.nix ./programs/bcc.nix ./programs/browserpass.nix ./programs/calls.nix @@ -164,44 +166,47 @@ ./programs/flexoptix-app.nix ./programs/freetds.nix ./programs/fuse.nix + ./programs/fzf.nix ./programs/gamemode.nix ./programs/geary.nix ./programs/git.nix ./programs/gnome-disks.nix ./programs/gnome-documents.nix ./programs/gnome-terminal.nix - ./programs/gpaste.nix ./programs/gnupg.nix + ./programs/gpaste.nix ./programs/gphoto2.nix ./programs/haguichi.nix ./programs/hamster.nix ./programs/htop.nix ./programs/iftop.nix + ./programs/i3lock.nix ./programs/iotop.nix ./programs/java.nix + ./programs/k3b.nix ./programs/k40-whisperer.nix + ./programs/kbdlight.nix ./programs/kclock.nix - ./programs/k3b.nix ./programs/kdeconnect.nix - ./programs/kbdlight.nix ./programs/less.nix ./programs/liboping.nix ./programs/light.nix ./programs/mdevctl.nix ./programs/mepo.nix - ./programs/mosh.nix ./programs/mininet.nix + ./programs/mosh.nix ./programs/msmtp.nix ./programs/mtr.nix ./programs/nano.nix ./programs/nbd.nix - ./programs/nix-ld.nix ./programs/neovim.nix ./programs/nethoscope.nix + ./programs/nix-index.nix + ./programs/nix-ld.nix ./programs/nm-applet.nix ./programs/nncp.nix - ./programs/npm.nix ./programs/noisetorch.nix + ./programs/npm.nix ./programs/oblogout.nix ./programs/openvpn3.nix ./programs/pantheon-tweaks.nix @@ -209,22 +214,24 @@ ./programs/plotinus.nix ./programs/proxychains.nix ./programs/qt5ct.nix + ./programs/rog-control-center.nix ./programs/rust-motd.nix ./programs/screen.nix - ./programs/sedutil.nix ./programs/seahorse.nix - ./programs/slock.nix + ./programs/sedutil.nix ./programs/shadow.nix - ./programs/spacefm.nix ./programs/singularity.nix + ./programs/skim.nix + ./programs/slock.nix + ./programs/spacefm.nix ./programs/ssh.nix - ./programs/sysdig.nix - ./programs/systemtap.nix ./programs/starship.nix ./programs/steam.nix ./programs/streamdeck-ui.nix ./programs/sway.nix + ./programs/sysdig.nix ./programs/system-config-printer.nix + ./programs/systemtap.nix ./programs/thefuck.nix ./programs/thunar.nix ./programs/tmux.nix @@ -238,6 +245,7 @@ ./programs/waybar.nix ./programs/weylus.nix ./programs/wireshark.nix + ./programs/xastir.nix ./programs/wshowkeys.nix ./programs/xfconf.nix ./programs/xfs_quota.nix @@ -247,10 +255,10 @@ ./programs/yabar.nix ./programs/zmap.nix ./programs/zsh/oh-my-zsh.nix - ./programs/zsh/zsh.nix ./programs/zsh/zsh-autoenv.nix ./programs/zsh/zsh-autosuggestions.nix ./programs/zsh/zsh-syntax-highlighting.nix + ./programs/zsh/zsh.nix ./rename.nix ./security/acme ./security/apparmor.nix @@ -259,23 +267,23 @@ ./security/ca.nix ./security/chromium-suid-sandbox.nix ./security/dhparams.nix + ./security/doas.nix ./security/duosec.nix ./security/google_oslogin.nix ./security/lock-kernel-modules.nix ./security/misc.nix ./security/oath.nix ./security/pam.nix - ./security/pam_usb.nix ./security/pam_mount.nix + ./security/pam_usb.nix ./security/please.nix ./security/polkit.nix ./security/rngd.nix ./security/rtkit.nix - ./security/wrappers/default.nix ./security/sudo.nix - ./security/doas.nix ./security/systemd-confinement.nix ./security/tpm2.nix + ./security/wrappers/default.nix ./services/admin/meshcentral.nix ./services/admin/oxidized.nix ./services/admin/pgadmin.nix @@ -290,17 +298,17 @@ ./services/audio/jack.nix ./services/audio/jmusicbot.nix ./services/audio/liquidsoap.nix + ./services/audio/mopidy.nix ./services/audio/mpd.nix ./services/audio/mpdscribble.nix - ./services/audio/mopidy.nix + ./services/audio/navidrome.nix ./services/audio/networkaudiod.nix ./services/audio/roon-bridge.nix - ./services/audio/navidrome.nix ./services/audio/roon-server.nix ./services/audio/slimserver.nix ./services/audio/snapserver.nix - ./services/audio/squeezelite.nix ./services/audio/spotifyd.nix + ./services/audio/squeezelite.nix ./services/audio/ympd.nix ./services/backup/automysqlbackup.nix ./services/backup/bacula.nix @@ -312,8 +320,8 @@ ./services/backup/mysql-backup.nix ./services/backup/postgresql-backup.nix ./services/backup/postgresql-wal-receiver.nix - ./services/backup/restic.nix ./services/backup/restic-rest-server.nix + ./services/backup/restic.nix ./services/backup/rsnapshot.nix ./services/backup/sanoid.nix ./services/backup/syncoid.nix @@ -321,15 +329,15 @@ ./services/backup/tsm.nix ./services/backup/zfs-replication.nix ./services/backup/znapzend.nix - ./services/blockchain/ethereum/geth.nix + ./services/backup/zrepl.nix ./services/blockchain/ethereum/erigon.nix + ./services/blockchain/ethereum/geth.nix ./services/blockchain/ethereum/lighthouse.nix - ./services/backup/zrepl.nix ./services/cluster/corosync/default.nix ./services/cluster/hadoop/default.nix ./services/cluster/k3s/default.nix - ./services/cluster/kubernetes/addons/dns.nix ./services/cluster/kubernetes/addon-manager.nix + ./services/cluster/kubernetes/addons/dns.nix ./services/cluster/kubernetes/apiserver.nix ./services/cluster/kubernetes/controller-manager.nix ./services/cluster/kubernetes/default.nix @@ -349,14 +357,14 @@ ./services/continuous-integration/buildbot/master.nix ./services/continuous-integration/buildbot/worker.nix ./services/continuous-integration/buildkite-agents.nix - ./services/continuous-integration/hail.nix - ./services/continuous-integration/hercules-ci-agent/default.nix - ./services/continuous-integration/hydra/default.nix ./services/continuous-integration/github-runner.nix ./services/continuous-integration/github-runners.nix ./services/continuous-integration/gitlab-runner.nix ./services/continuous-integration/gocd-agent/default.nix ./services/continuous-integration/gocd-server/default.nix + ./services/continuous-integration/hail.nix + ./services/continuous-integration/hercules-ci-agent/default.nix + ./services/continuous-integration/hydra/default.nix ./services/continuous-integration/jenkins/default.nix ./services/continuous-integration/jenkins/job-builder.nix ./services/continuous-integration/jenkins/slave.nix @@ -365,8 +373,8 @@ ./services/databases/clickhouse.nix ./services/databases/cockroachdb.nix ./services/databases/couchdb.nix - ./services/databases/dragonflydb.nix ./services/databases/dgraph.nix + ./services/databases/dragonflydb.nix ./services/databases/firebird.nix ./services/databases/foundationdb.nix ./services/databases/hbase-standalone.nix @@ -382,6 +390,7 @@ ./services/databases/pgmanage.nix ./services/databases/postgresql.nix ./services/databases/redis.nix + ./services/databases/surrealdb.nix ./services/databases/victoriametrics.nix ./services/desktops/accountsservice.nix ./services/desktops/bamf.nix @@ -392,12 +401,6 @@ ./services/desktops/espanso.nix ./services/desktops/flatpak.nix ./services/desktops/geoclue2.nix - ./services/desktops/gsignond.nix - ./services/desktops/gvfs.nix - ./services/desktops/malcontent.nix - ./services/desktops/pipewire/pipewire.nix - ./services/desktops/pipewire/pipewire-media-session.nix - ./services/desktops/pipewire/wireplumber.nix ./services/desktops/gnome/at-spi2-core.nix ./services/desktops/gnome/evolution-data-server.nix ./services/desktops/gnome/glib-networking.nix @@ -411,27 +414,33 @@ ./services/desktops/gnome/gnome-user-share.nix ./services/desktops/gnome/rygel.nix ./services/desktops/gnome/sushi.nix - ./services/desktops/gnome/tracker.nix ./services/desktops/gnome/tracker-miners.nix + ./services/desktops/gnome/tracker.nix + ./services/desktops/gsignond.nix + ./services/desktops/gvfs.nix + ./services/desktops/malcontent.nix ./services/desktops/neard.nix + ./services/desktops/pipewire/pipewire-media-session.nix + ./services/desktops/pipewire/pipewire.nix + ./services/desktops/pipewire/wireplumber.nix ./services/desktops/profile-sync-daemon.nix ./services/desktops/system-config-printer.nix ./services/desktops/telepathy.nix ./services/desktops/tumbler.nix ./services/desktops/zeitgeist.nix - ./services/development/bloop.nix ./services/development/blackfire.nix + ./services/development/bloop.nix ./services/development/distccd.nix ./services/development/hoogle.nix ./services/development/jupyter/default.nix ./services/development/jupyterhub/default.nix - ./services/development/rstudio-server/default.nix ./services/development/lorri.nix + ./services/development/rstudio-server/default.nix ./services/development/zammad.nix ./services/display-managers/greetd.nix ./services/editors/emacs.nix - ./services/editors/infinoted.nix ./services/editors/haste.nix + ./services/editors/infinoted.nix ./services/finance/odoo.nix ./services/games/asf.nix ./services/games/crossfire-server.nix @@ -447,6 +456,7 @@ ./services/hardware/acpid.nix ./services/hardware/actkbd.nix ./services/hardware/argonone.nix + ./services/hardware/asusd.nix ./services/hardware/auto-cpufreq.nix ./services/hardware/bluetooth.nix ./services/hardware/bolt.nix @@ -474,20 +484,22 @@ ./services/hardware/sane_extra_backends/brscan5.nix ./services/hardware/sane_extra_backends/dsseries.nix ./services/hardware/spacenavd.nix + ./services/hardware/supergfxd.nix ./services/hardware/tcsd.nix - ./services/hardware/tlp.nix + ./services/hardware/thermald.nix ./services/hardware/thinkfan.nix ./services/hardware/throttled.nix + ./services/hardware/tlp.nix ./services/hardware/trezord.nix ./services/hardware/triggerhappy.nix ./services/hardware/udev.nix ./services/hardware/udisks2.nix + ./services/hardware/undervolt.nix ./services/hardware/upower.nix ./services/hardware/usbmuxd.nix ./services/hardware/usbrelayd.nix - ./services/hardware/thermald.nix - ./services/hardware/undervolt.nix ./services/hardware/vdr.nix + ./services/home-automation/evcc.nix ./services/home-automation/home-assistant.nix ./services/home-automation/zigbee2mqtt.nix ./services/logging/SystemdJournal2Gelf.nix @@ -508,6 +520,7 @@ ./services/logging/syslog-ng.nix ./services/logging/syslogd.nix ./services/logging/vector.nix + ./services/logging/ulogd.nix ./services/mail/clamsmtp.nix ./services/mail/davmail.nix ./services/mail/dkimproxy-out.nix @@ -521,22 +534,22 @@ ./services/mail/mailhog.nix ./services/mail/mailman.nix ./services/mail/mlmmj.nix + ./services/mail/nullmailer.nix ./services/mail/offlineimap.nix ./services/mail/opendkim.nix ./services/mail/opensmtpd.nix ./services/mail/pfix-srsd.nix ./services/mail/postfix.nix ./services/mail/postfixadmin.nix - ./services/mail/postsrsd.nix ./services/mail/postgrey.nix + ./services/mail/postsrsd.nix ./services/mail/public-inbox.nix - ./services/mail/spamassassin.nix + ./services/mail/roundcube.nix ./services/mail/rspamd.nix ./services/mail/rss2email.nix - ./services/mail/roundcube.nix ./services/mail/schleuder.nix + ./services/mail/spamassassin.nix ./services/mail/sympa.nix - ./services/mail/nullmailer.nix ./services/matrix/appservice-discord.nix ./services/matrix/appservice-irc.nix ./services/matrix/conduit.nix @@ -546,32 +559,33 @@ ./services/matrix/mjolnir.nix ./services/matrix/pantalaimon.nix ./services/matrix/synapse.nix - ./services/misc/ananicy.nix ./services/misc/airsonic.nix + ./services/misc/ananicy.nix ./services/misc/ankisyncd.nix ./services/misc/apache-kafka.nix + ./services/misc/atuin.nix ./services/misc/autofs.nix ./services/misc/autorandr.nix ./services/misc/bazarr.nix ./services/misc/beanstalkd.nix ./services/misc/bees.nix ./services/misc/bepasty.nix - ./services/misc/canto-daemon.nix ./services/misc/calibre-server.nix + ./services/misc/canto-daemon.nix ./services/misc/cfdyndns.nix - ./services/misc/clipmenu.nix - ./services/misc/clipcat.nix - ./services/misc/cpuminer-cryptonight.nix ./services/misc/cgminer.nix + ./services/misc/clipcat.nix + ./services/misc/clipmenu.nix ./services/misc/confd.nix + ./services/misc/cpuminer-cryptonight.nix ./services/misc/devmon.nix ./services/misc/dictd.nix - ./services/misc/duckling.nix - ./services/misc/dwm-status.nix - ./services/misc/dysnomia.nix ./services/misc/disnix.nix ./services/misc/docker-registry.nix ./services/misc/domoticz.nix + ./services/misc/duckling.nix + ./services/misc/dwm-status.nix + ./services/misc/dysnomia.nix ./services/misc/errbot.nix ./services/misc/etcd.nix ./services/misc/etebase-server.nix @@ -583,16 +597,16 @@ ./services/misc/gammu-smsd.nix ./services/misc/geoipupdate.nix ./services/misc/gitea.nix - #./services/misc/gitit.nix + # ./services/misc/gitit.nix ./services/misc/gitlab.nix ./services/misc/gitolite.nix ./services/misc/gitweb.nix ./services/misc/gogs.nix ./services/misc/gollum.nix ./services/misc/gpsd.nix + ./services/misc/greenclip.nix ./services/misc/headphones.nix ./services/misc/heisenbridge.nix - ./services/misc/greenclip.nix ./services/misc/ihaskell.nix ./services/misc/input-remapper.nix ./services/misc/irkerd.nix @@ -600,11 +614,11 @@ ./services/misc/jellyfin.nix ./services/misc/klipper.nix ./services/misc/languagetool.nix - ./services/misc/logkeys.nix ./services/misc/leaps.nix - ./services/misc/lidarr.nix ./services/misc/libreddit.nix + ./services/misc/lidarr.nix ./services/misc/lifecycled.nix + ./services/misc/logkeys.nix ./services/misc/mame.nix ./services/misc/mbpfan.nix ./services/misc/mediatomb.nix @@ -629,23 +643,22 @@ ./services/misc/paperless.nix ./services/misc/parsoid.nix ./services/misc/persistent-evdev.nix + ./services/misc/pinnwand.nix ./services/misc/plex.nix ./services/misc/plikd.nix ./services/misc/podgrab.nix ./services/misc/polaris.nix ./services/misc/portunus.nix ./services/misc/prowlarr.nix - ./services/misc/tautulli.nix - ./services/misc/pinnwand.nix ./services/misc/pykms.nix ./services/misc/radarr.nix ./services/misc/redmine.nix - ./services/misc/rippled.nix ./services/misc/ripple-data-api.nix + ./services/misc/rippled.nix ./services/misc/rmfakecloud.nix - ./services/misc/serviio.nix ./services/misc/safeeyes.nix ./services/misc/sdrplay.nix + ./services/misc/serviio.nix ./services/misc/sickbeard.nix ./services/misc/signald.nix ./services/misc/siproxd.nix @@ -663,6 +676,7 @@ ./services/misc/sysprof.nix ./services/misc/tandoor-recipes.nix ./services/misc/taskserver + ./services/misc/tautulli.nix ./services/misc/tiddlywiki.nix ./services/misc/tp-auto-kbbl.nix ./services/misc/tzupdate.nix @@ -682,10 +696,10 @@ ./services/monitoring/datadog-agent.nix ./services/monitoring/do-agent.nix ./services/monitoring/fusion-inventory.nix - ./services/monitoring/grafana.nix ./services/monitoring/grafana-agent.nix ./services/monitoring/grafana-image-renderer.nix ./services/monitoring/grafana-reporter.nix + ./services/monitoring/grafana.nix ./services/monitoring/graphite.nix ./services/monitoring/hdaps.nix ./services/monitoring/heapster.nix @@ -703,56 +717,58 @@ ./services/monitoring/nagios.nix ./services/monitoring/netdata.nix ./services/monitoring/parsedmarc.nix - ./services/monitoring/prometheus/default.nix ./services/monitoring/prometheus/alertmanager.nix + ./services/monitoring/prometheus/default.nix ./services/monitoring/prometheus/exporters.nix ./services/monitoring/prometheus/pushgateway.nix ./services/monitoring/prometheus/sachet.nix ./services/monitoring/prometheus/xmpp-alerts.nix - ./services/monitoring/riemann.nix ./services/monitoring/riemann-dash.nix ./services/monitoring/riemann-tools.nix + ./services/monitoring/riemann.nix ./services/monitoring/scollector.nix ./services/monitoring/smartd.nix + ./services/monitoring/statsd.nix ./services/monitoring/sysstat.nix ./services/monitoring/teamviewer.nix ./services/monitoring/telegraf.nix ./services/monitoring/thanos.nix + ./services/monitoring/tremor-rs.nix ./services/monitoring/tuptime.nix - ./services/monitoring/unifi-poller.nix + ./services/monitoring/unpoller.nix ./services/monitoring/ups.nix + ./services/monitoring/uptime-kuma.nix ./services/monitoring/uptime.nix ./services/monitoring/vmagent.nix - ./services/monitoring/uptime-kuma.nix ./services/monitoring/vnstat.nix ./services/monitoring/zabbix-agent.nix ./services/monitoring/zabbix-proxy.nix ./services/monitoring/zabbix-server.nix ./services/network-filesystems/cachefilesd.nix + ./services/network-filesystems/ceph.nix ./services/network-filesystems/davfs2.nix + ./services/network-filesystems/diod.nix ./services/network-filesystems/drbd.nix ./services/network-filesystems/glusterfs.nix ./services/network-filesystems/kbfs.nix ./services/network-filesystems/kubo.nix ./services/network-filesystems/litestream/default.nix + ./services/network-filesystems/moosefs.nix ./services/network-filesystems/netatalk.nix ./services/network-filesystems/nfsd.nix - ./services/network-filesystems/moosefs.nix ./services/network-filesystems/openafs/client.nix ./services/network-filesystems/openafs/server.nix - ./services/network-filesystems/orangefs/server.nix ./services/network-filesystems/orangefs/client.nix + ./services/network-filesystems/orangefs/server.nix ./services/network-filesystems/rsyncd.nix - ./services/network-filesystems/samba.nix ./services/network-filesystems/samba-wsdd.nix + ./services/network-filesystems/samba.nix ./services/network-filesystems/tahoe.nix - ./services/network-filesystems/diod.nix ./services/network-filesystems/u9fs.nix - ./services/network-filesystems/webdav.nix ./services/network-filesystems/webdav-server-rs.nix - ./services/network-filesystems/yandex-disk.nix + ./services/network-filesystems/webdav.nix ./services/network-filesystems/xtreemfs.nix - ./services/network-filesystems/ceph.nix + ./services/network-filesystems/yandex-disk.nix ./services/networking/3proxy.nix ./services/networking/adguardhome.nix ./services/networking/amuled.nix @@ -760,16 +776,16 @@ ./services/networking/aria2.nix ./services/networking/asterisk.nix ./services/networking/atftpd.nix + ./services/networking/autossh.nix ./services/networking/avahi-daemon.nix ./services/networking/babeld.nix - ./services/networking/bee.nix ./services/networking/bee-clef.nix + ./services/networking/bee.nix ./services/networking/biboumi.nix ./services/networking/bind.nix - ./services/networking/bitcoind.nix - ./services/networking/autossh.nix - ./services/networking/bird.nix ./services/networking/bird-lg.nix + ./services/networking/bird.nix + ./services/networking/bitcoind.nix ./services/networking/bitlbee.nix ./services/networking/blockbook-frontend.nix ./services/networking/blocky.nix @@ -777,6 +793,7 @@ ./services/networking/chisel-server.nix ./services/networking/cjdns.nix ./services/networking/cloudflare-dyndns.nix + ./services/networking/cloudflared.nix ./services/networking/cntlm.nix ./services/networking/connman.nix ./services/networking/consul.nix @@ -795,8 +812,6 @@ ./services/networking/dnsdist.nix ./services/networking/dnsmasq.nix ./services/networking/doh-proxy-rust.nix - ./services/networking/ncdns.nix - ./services/networking/nomad.nix ./services/networking/ejabberd.nix ./services/networking/envoy.nix ./services/networking/epmd.nix @@ -809,6 +824,8 @@ ./services/networking/firefox-syncserver.nix ./services/networking/fireqos.nix ./services/networking/firewall.nix + ./services/networking/firewall-iptables.nix + ./services/networking/firewall-nftables.nix ./services/networking/flannel.nix ./services/networking/freenet.nix ./services/networking/freeradius.nix @@ -831,10 +848,10 @@ ./services/networking/htpdate.nix ./services/networking/https-dns-proxy.nix ./services/networking/hylafax/default.nix - ./services/networking/i2pd.nix ./services/networking/i2p.nix - ./services/networking/icecream/scheduler.nix + ./services/networking/i2pd.nix ./services/networking/icecream/daemon.nix + ./services/networking/icecream/scheduler.nix ./services/networking/inspircd.nix ./services/networking/iodine.nix ./services/networking/iperf3.nix @@ -859,14 +876,15 @@ ./services/networking/lxd-image-server.nix ./services/networking/magic-wormhole-mailbox-server.nix ./services/networking/matterbridge.nix - ./services/networking/mjpg-streamer.nix ./services/networking/minidlna.nix ./services/networking/miniupnpd.nix - ./services/networking/mosquitto.nix + ./services/networking/miredo.nix + ./services/networking/mjpg-streamer.nix + ./services/networking/mmsd.nix ./services/networking/monero.nix ./services/networking/morty.nix + ./services/networking/mosquitto.nix ./services/networking/mozillavpn.nix - ./services/networking/miredo.nix ./services/networking/mstpd.nix ./services/networking/mtprotoproxy.nix ./services/networking/mtr-exporter.nix @@ -877,20 +895,24 @@ ./services/networking/namecoind.nix ./services/networking/nar-serve.nix ./services/networking/nat.nix + ./services/networking/nat-iptables.nix + ./services/networking/nat-nftables.nix ./services/networking/nats.nix ./services/networking/nbd.nix + ./services/networking/ncdns.nix ./services/networking/ndppd.nix ./services/networking/nebula.nix ./services/networking/netbird.nix ./services/networking/networkmanager.nix ./services/networking/nextdns.nix ./services/networking/nftables.nix - ./services/networking/ngircd.nix ./services/networking/nghttpx/default.nix + ./services/networking/ngircd.nix ./services/networking/nix-serve.nix ./services/networking/nix-store-gcs-proxy.nix ./services/networking/nixops-dns.nix ./services/networking/nntp-proxy.nix + ./services/networking/nomad.nix ./services/networking/nsd.nix ./services/networking/ntopng.nix ./services/networking/ntp/chrony.nix @@ -906,20 +928,20 @@ ./services/networking/openvpn.nix ./services/networking/ostinato.nix ./services/networking/owamp.nix + ./services/networking/pdns-recursor.nix ./services/networking/pdnsd.nix ./services/networking/pixiecore.nix ./services/networking/pleroma.nix ./services/networking/polipo.nix ./services/networking/powerdns.nix - ./services/networking/pdns-recursor.nix ./services/networking/pppd.nix ./services/networking/pptpd.nix ./services/networking/prayer.nix ./services/networking/privoxy.nix ./services/networking/prosody.nix ./services/networking/quassel.nix - ./services/networking/quorum.nix ./services/networking/quicktun.nix + ./services/networking/quorum.nix ./services/networking/r53-ddns.nix ./services/networking/radicale.nix ./services/networking/radvd.nix @@ -933,70 +955,72 @@ ./services/networking/sabnzbd.nix ./services/networking/seafile.nix ./services/networking/searx.nix - ./services/networking/skydns.nix ./services/networking/shadowsocks.nix ./services/networking/shairport-sync.nix ./services/networking/shellhub-agent.nix ./services/networking/shorewall.nix ./services/networking/shorewall6.nix ./services/networking/shout.nix - ./services/networking/sniproxy.nix - ./services/networking/snowflake-proxy.nix + ./services/networking/skydns.nix ./services/networking/smartdns.nix ./services/networking/smokeping.nix + ./services/networking/sniproxy.nix + ./services/networking/snowflake-proxy.nix ./services/networking/softether.nix - ./services/networking/solanum.nix ./services/networking/soju.nix + ./services/networking/solanum.nix ./services/networking/spacecookie.nix ./services/networking/spiped.nix ./services/networking/squid.nix - ./services/networking/sslh.nix ./services/networking/ssh/lshd.nix ./services/networking/ssh/sshd.nix - ./services/networking/strongswan.nix + ./services/networking/sslh.nix ./services/networking/strongswan-swanctl/module.nix - ./services/networking/stunnel.nix + ./services/networking/strongswan.nix ./services/networking/stubby.nix + ./services/networking/stunnel.nix ./services/networking/supplicant.nix ./services/networking/supybot.nix - ./services/networking/syncthing.nix - ./services/networking/syncthing-relay.nix ./services/networking/syncplay.nix + ./services/networking/syncthing-relay.nix + ./services/networking/syncthing.nix ./services/networking/tailscale.nix + ./services/networking/tayga.nix ./services/networking/tcpcrypt.nix ./services/networking/teamspeak3.nix ./services/networking/tedicross.nix - ./services/networking/tetrd.nix ./services/networking/teleport.nix + ./services/networking/tetrd.nix + ./services/networking/tftpd.nix ./services/networking/thelounge.nix ./services/networking/tinc.nix ./services/networking/tinydns.nix - ./services/networking/tftpd.nix ./services/networking/tmate-ssh-server.nix - ./services/networking/trickster.nix ./services/networking/tox-bootstrapd.nix ./services/networking/tox-node.nix ./services/networking/toxvpn.nix + ./services/networking/trickster.nix ./services/networking/tvheadend.nix + ./services/networking/twingate.nix ./services/networking/ucarp.nix ./services/networking/unbound.nix ./services/networking/unifi.nix - ./services/video/unifi-video.nix - ./services/video/rtsp-simple-server.nix ./services/networking/uptermd.nix ./services/networking/v2ray.nix + ./services/networking/v2raya.nix ./services/networking/vdirsyncer.nix ./services/networking/vsftpd.nix ./services/networking/wasabibackend.nix ./services/networking/websockify.nix ./services/networking/wg-netmanager.nix + ./services/networking/webhook.nix ./services/networking/wg-quick.nix ./services/networking/wireguard.nix ./services/networking/wpa_supplicant.nix + ./services/networking/x2goserver.nix ./services/networking/xandikos.nix ./services/networking/xinetd.nix ./services/networking/xl2tpd.nix - ./services/networking/x2goserver.nix ./services/networking/xray.nix ./services/networking/xrdp.nix ./services/networking/yggdrasil.nix @@ -1005,11 +1029,13 @@ ./services/networking/zerotierone.nix ./services/networking/znc/default.nix ./services/printing/cupsd.nix + ./services/printing/ipp-usb.nix + ./services/printing/cups-pdf.nix ./services/scheduling/atd.nix ./services/scheduling/cron.nix ./services/scheduling/fcron.nix - ./services/search/elasticsearch.nix ./services/search/elasticsearch-curator.nix + ./services/search/elasticsearch.nix ./services/search/hound.nix ./services/search/kibana.nix ./services/search/meilisearch.nix @@ -1018,25 +1044,25 @@ ./services/security/certmgr.nix ./services/security/cfssl.nix ./services/security/clamav.nix - ./services/security/endlessh.nix ./services/security/endlessh-go.nix + ./services/security/endlessh.nix ./services/security/fail2ban.nix ./services/security/fprintd.nix ./services/security/haka.nix ./services/security/haveged.nix ./services/security/hockeypuck.nix - ./services/security/hologram-server.nix ./services/security/hologram-agent.nix - ./services/security/kanidm.nix + ./services/security/hologram-server.nix ./services/security/infnoise.nix + ./services/security/kanidm.nix ./services/security/munge.nix ./services/security/nginx-sso.nix ./services/security/oauth2_proxy.nix ./services/security/oauth2_proxy_nginx.nix ./services/security/opensnitch.nix ./services/security/pass-secret-service.nix - ./services/security/privacyidea.nix ./services/security/physlock.nix + ./services/security/privacyidea.nix ./services/security/shibboleth-sp.nix ./services/security/sks.nix ./services/security/sshguard.nix @@ -1049,13 +1075,14 @@ ./services/security/vault.nix ./services/security/vaultwarden/default.nix ./services/security/yubikey-agent.nix + ./services/system/automatic-timezoned.nix ./services/system/cachix-agent/default.nix ./services/system/cachix-watch-store.nix ./services/system/cloud-init.nix ./services/system/dbus.nix ./services/system/earlyoom.nix - ./services/system/localtimed.nix ./services/system/kerberos/default.nix + ./services/system/localtimed.nix ./services/system/nscd.nix ./services/system/saslauthd.nix ./services/system/self-deploy.nix @@ -1072,19 +1099,22 @@ ./services/ttys/getty.nix ./services/ttys/gpm.nix ./services/ttys/kmscon.nix - ./services/wayland/cage.nix ./services/video/epgstation/default.nix ./services/video/mirakurun.nix ./services/video/replay-sorcery.nix + ./services/video/rtsp-simple-server.nix + ./services/video/unifi-video.nix + ./services/wayland/cage.nix + ./services/web-apps/akkoma.nix ./services/web-apps/alps.nix ./services/web-apps/atlassian/confluence.nix ./services/web-apps/atlassian/crowd.nix ./services/web-apps/atlassian/jira.nix + ./services/web-apps/baget.nix ./services/web-apps/bookstack.nix ./services/web-apps/calibre-web.nix - ./services/web-apps/code-server.nix - ./services/web-apps/baget.nix ./services/web-apps/changedetection-io.nix + ./services/web-apps/code-server.nix ./services/web-apps/convos.nix ./services/web-apps/dex.nix ./services/web-apps/discourse.nix @@ -1105,16 +1135,17 @@ ./services/web-apps/icingaweb2/icingaweb2.nix ./services/web-apps/icingaweb2/module-monitoring.nix ./services/web-apps/ihatemoney + ./services/web-apps/invidious.nix + ./services/web-apps/invoiceplane.nix ./services/web-apps/isso.nix ./services/web-apps/jirafeau.nix ./services/web-apps/jitsi-meet.nix ./services/web-apps/keycloak.nix ./services/web-apps/komga.nix ./services/web-apps/lemmy.nix - ./services/web-apps/invidious.nix - ./services/web-apps/invoiceplane.nix ./services/web-apps/limesurvey.nix ./services/web-apps/mastodon.nix + ./services/web-apps/matomo.nix ./services/web-apps/mattermost.nix ./services/web-apps/mediawiki.nix ./services/web-apps/miniflux.nix @@ -1124,29 +1155,29 @@ ./services/web-apps/nexus.nix ./services/web-apps/nifi.nix ./services/web-apps/node-red.nix - ./services/web-apps/phylactery.nix ./services/web-apps/onlyoffice.nix - ./services/web-apps/pict-rs.nix + ./services/web-apps/openwebrx.nix + ./services/web-apps/outline.nix + ./services/web-apps/peering-manager.nix ./services/web-apps/peertube.nix + ./services/web-apps/pgpkeyserver-lite.nix + ./services/web-apps/phylactery.nix + ./services/web-apps/pict-rs.nix ./services/web-apps/plantuml-server.nix ./services/web-apps/plausible.nix - ./services/web-apps/pgpkeyserver-lite.nix ./services/web-apps/powerdns-admin.nix ./services/web-apps/prosody-filer.nix - ./services/web-apps/matomo.nix - ./services/web-apps/openwebrx.nix - ./services/web-apps/outline.nix ./services/web-apps/restya-board.nix - ./services/web-apps/sogo.nix ./services/web-apps/rss-bridge.nix - ./services/web-apps/tt-rss.nix - ./services/web-apps/trilium.nix ./services/web-apps/selfoss.nix ./services/web-apps/shiori.nix ./services/web-apps/snipe-it.nix + ./services/web-apps/sogo.nix + ./services/web-apps/trilium.nix + ./services/web-apps/tt-rss.nix ./services/web-apps/vikunja.nix - ./services/web-apps/wiki-js.nix ./services/web-apps/whitebophir.nix + ./services/web-apps/wiki-js.nix ./services/web-apps/wordpress.nix ./services/web-apps/writefreely.nix ./services/web-apps/youtrack.nix @@ -1160,6 +1191,7 @@ ./services/web-servers/hitch/default.nix ./services/web-servers/hydron.nix ./services/web-servers/jboss/default.nix + ./services/web-servers/keter ./services/web-servers/lighttpd/cgit.nix ./services/web-servers/lighttpd/collectd.nix ./services/web-servers/lighttpd/default.nix @@ -1172,21 +1204,16 @@ ./services/web-servers/nginx/gitweb.nix ./services/web-servers/phpfpm/default.nix ./services/web-servers/pomerium.nix - ./services/web-servers/unit/default.nix ./services/web-servers/tomcat.nix - ./services/web-servers/keter ./services/web-servers/traefik.nix ./services/web-servers/trafficserver/default.nix ./services/web-servers/ttyd.nix + ./services/web-servers/unit/default.nix ./services/web-servers/uwsgi.nix ./services/web-servers/varnish/default.nix ./services/web-servers/zope2.nix - ./services/x11/extra-layouts.nix ./services/x11/clight.nix ./services/x11/colord.nix - ./services/x11/picom.nix - ./services/x11/unclutter.nix - ./services/x11/unclutter-xfixes.nix ./services/x11/desktop-managers/default.nix ./services/x11/display-managers/default.nix ./services/x11/display-managers/gdm.nix @@ -1196,24 +1223,30 @@ ./services/x11/display-managers/startx.nix ./services/x11/display-managers/sx.nix ./services/x11/display-managers/xpra.nix + ./services/x11/extra-layouts.nix ./services/x11/fractalart.nix + ./services/x11/gdk-pixbuf.nix + ./services/x11/hardware/cmt.nix + ./services/x11/hardware/digimend.nix ./services/x11/hardware/libinput.nix ./services/x11/hardware/synaptics.nix ./services/x11/hardware/wacom.nix - ./services/x11/hardware/digimend.nix - ./services/x11/hardware/cmt.nix - ./services/x11/gdk-pixbuf.nix ./services/x11/imwheel.nix + ./services/x11/picom.nix ./services/x11/redshift.nix ./services/x11/touchegg.nix + ./services/x11/unclutter-xfixes.nix + ./services/x11/unclutter.nix ./services/x11/urserver.nix ./services/x11/urxvtd.nix ./services/x11/window-managers/awesome.nix - ./services/x11/window-managers/default.nix + ./services/x11/window-managers/bspwm.nix ./services/x11/window-managers/clfswm.nix + ./services/x11/window-managers/default.nix ./services/x11/window-managers/fluxbox.nix ./services/x11/window-managers/icewm.nix ./services/x11/window-managers/bspwm.nix + ./services/x11/window-managers/katriawm.nix ./services/x11/window-managers/metacity.nix ./services/x11/window-managers/none.nix ./services/x11/window-managers/twm.nix @@ -1226,13 +1259,14 @@ ./services/x11/xserver.nix ./system/activation/activation-script.nix ./system/activation/specialisation.nix + ./system/activation/bootspec.nix ./system/activation/top-level.nix ./system/boot/binfmt.nix ./system/boot/emergency-mode.nix ./system/boot/grow-partition.nix ./system/boot/initrd-network.nix - ./system/boot/initrd-ssh.nix ./system/boot/initrd-openvpn.nix + ./system/boot/initrd-ssh.nix ./system/boot/kernel.nix ./system/boot/kexec.nix ./system/boot/loader/efi.nix @@ -1241,6 +1275,7 @@ ./system/boot/loader/grub/grub.nix ./system/boot/loader/grub/ipxe.nix ./system/boot/loader/grub/memtest.nix + ./system/boot/loader/external/external.nix ./system/boot/loader/init-script/init-script.nix ./system/boot/loader/loader.nix ./system/boot/loader/raspberrypi/raspberrypi.nix @@ -1278,6 +1313,7 @@ ./tasks/filesystems/btrfs.nix ./tasks/filesystems/cifs.nix ./tasks/filesystems/ecryptfs.nix + ./tasks/filesystems/envfs.nix ./tasks/filesystems/exfat.nix ./tasks/filesystems/ext.nix ./tasks/filesystems/f2fs.nix @@ -1291,47 +1327,48 @@ ./tasks/filesystems/xfs.nix ./tasks/filesystems/zfs.nix ./tasks/lvm.nix - ./tasks/network-interfaces.nix - ./tasks/network-interfaces-systemd.nix ./tasks/network-interfaces-scripted.nix + ./tasks/network-interfaces-systemd.nix + ./tasks/network-interfaces.nix + ./tasks/powertop.nix ./tasks/scsi-link-power-management.nix ./tasks/snapraid.nix ./tasks/stratis.nix ./tasks/swraid.nix ./tasks/trackpoint.nix - ./tasks/powertop.nix ./testing/service-runner.nix + ./virtualisation/amazon-options.nix ./virtualisation/anbox.nix ./virtualisation/appvm.nix ./virtualisation/build-vm.nix ./virtualisation/container-config.nix ./virtualisation/containerd.nix ./virtualisation/containers.nix - ./virtualisation/nixos-containers.nix - ./virtualisation/oci-containers.nix ./virtualisation/cri-o.nix - ./virtualisation/docker.nix ./virtualisation/docker-rootless.nix + ./virtualisation/docker.nix ./virtualisation/ecs-agent.nix + ./virtualisation/hyperv-guest.nix + ./virtualisation/kvmgt.nix ./virtualisation/libvirtd.nix ./virtualisation/lxc.nix ./virtualisation/lxcfs.nix ./virtualisation/lxd.nix - ./virtualisation/amazon-options.nix - ./virtualisation/hyperv-guest.nix - ./virtualisation/kvmgt.nix + ./virtualisation/nixos-containers.nix + ./virtualisation/oci-containers.nix ./virtualisation/openstack-options.nix ./virtualisation/openvswitch.nix ./virtualisation/parallels-guest.nix ./virtualisation/podman/default.nix ./virtualisation/qemu-guest-agent.nix + ./virtualisation/rosetta.nix ./virtualisation/spice-usb-redirection.nix ./virtualisation/virtualbox-guest.nix ./virtualisation/virtualbox-host.nix ./virtualisation/vmware-guest.nix ./virtualisation/vmware-host.nix ./virtualisation/waydroid.nix - ./virtualisation/xen-dom0.nix ./virtualisation/xe-guest-utilities.nix + ./virtualisation/xen-dom0.nix { documentation.nixos.extraModules = [ ./virtualisation/qemu-vm.nix ]; } ] diff --git a/nixos/modules/profiles/all-hardware.nix b/nixos/modules/profiles/all-hardware.nix index 5fa64a6c52e9f..4857ea4dbeae8 100644 --- a/nixos/modules/profiles/all-hardware.nix +++ b/nixos/modules/profiles/all-hardware.nix @@ -31,7 +31,7 @@ in "pata_winbond" # SCSI support (incomplete). - "3w-9xxx" "3w-xxxx" "aic79xx" "aic7xxx" "arcmsr" + "3w-9xxx" "3w-xxxx" "aic79xx" "aic7xxx" "arcmsr" "hpsa" # USB support, especially for booting from USB CD-ROM # drives. diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix index c415ca857437b..616b2470dcb4d 100644 --- a/nixos/modules/profiles/base.nix +++ b/nixos/modules/profiles/base.nix @@ -20,7 +20,13 @@ pkgs.mkpasswd # for generating password files # Some text editors. - pkgs.vim + (pkgs.vim.customize { + name = "vim"; + vimrcConfig.packages.default = { + start = [ pkgs.vimPlugins.vim-nix ]; + }; + vimrcConfig.customRC = "syntax on"; + }) # Some networking tools. pkgs.fuse @@ -36,6 +42,7 @@ pkgs.smartmontools # for diagnosing hard disks pkgs.pciutils pkgs.usbutils + pkgs.nvme-cli # Tools to create / manipulate filesystems. pkgs.ntfsprogs # for resizing NTFS partitions diff --git a/nixos/modules/profiles/docker-container.nix b/nixos/modules/profiles/docker-container.nix index 183645de36fbe..5365e49711dce 100644 --- a/nixos/modules/profiles/docker-container.nix +++ b/nixos/modules/profiles/docker-container.nix @@ -1,13 +1,12 @@ { config, lib, pkgs, ... }: -with lib; - -let inherit (pkgs) writeScript; in - let - pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l; + inherit (pkgs) writeScript; + + pkgs2storeContents = map (x: { object = x; symlink = "none"; }); +in -in { +{ # Docker image config. imports = [ ../installer/cd-dvd/channel.nix diff --git a/nixos/modules/profiles/keys/ssh_host_ed25519_key b/nixos/modules/profiles/keys/ssh_host_ed25519_key new file mode 100644 index 0000000000000..b18489795369e --- /dev/null +++ b/nixos/modules/profiles/keys/ssh_host_ed25519_key @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACCQVnMW/wZWqrdWrjrRPhfEFFq1KLYguagSflLhFnVQmwAAAJASuMMnErjD +JwAAAAtzc2gtZWQyNTUxOQAAACCQVnMW/wZWqrdWrjrRPhfEFFq1KLYguagSflLhFnVQmw +AAAEDIN2VWFyggtoSPXcAFy8dtG1uAig8sCuyE21eMDt2GgJBWcxb/Blaqt1auOtE+F8QU +WrUotiC5qBJ+UuEWdVCbAAAACnJvb3RAbml4b3MBAgM= +-----END OPENSSH PRIVATE KEY----- diff --git a/nixos/modules/profiles/keys/ssh_host_ed25519_key.pub b/nixos/modules/profiles/keys/ssh_host_ed25519_key.pub new file mode 100644 index 0000000000000..2c45826715fc5 --- /dev/null +++ b/nixos/modules/profiles/keys/ssh_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBWcxb/Blaqt1auOtE+F8QUWrUotiC5qBJ+UuEWdVCb root@nixos diff --git a/nixos/modules/profiles/macos-builder.nix b/nixos/modules/profiles/macos-builder.nix new file mode 100644 index 0000000000000..fddf19ad12517 --- /dev/null +++ b/nixos/modules/profiles/macos-builder.nix @@ -0,0 +1,175 @@ +{ config, lib, pkgs, ... }: + +let + keysDirectory = "/var/keys"; + + user = "builder"; + + keyType = "ed25519"; + +in + +{ + imports = [ + ../virtualisation/qemu-vm.nix + + # Avoid a dependency on stateVersion + { + disabledModules = [ + ../virtualisation/nixos-containers.nix + ../services/x11/desktop-managers/xterm.nix + ]; + config = { }; + options.boot.isContainer = lib.mkOption { default = false; internal = true; }; + } + ]; + + # The builder is not intended to be used interactively + documentation.enable = false; + + environment.etc = { + "ssh/ssh_host_ed25519_key" = { + mode = "0600"; + + source = ./keys/ssh_host_ed25519_key; + }; + + "ssh/ssh_host_ed25519_key.pub" = { + mode = "0644"; + + source = ./keys/ssh_host_ed25519_key.pub; + }; + }; + + # DNS fails for QEMU user networking (SLiRP) on macOS. See: + # + # https://github.com/utmapp/UTM/issues/2353 + # + # This works around that by using a public DNS server other than the DNS + # server that QEMU provides (normally 10.0.2.3) + networking.nameservers = [ "8.8.8.8" ]; + + nix.settings = { + auto-optimise-store = true; + + min-free = 1024 * 1024 * 1024; + + max-free = 3 * 1024 * 1024 * 1024; + + trusted-users = [ "root" user ]; + }; + + services.openssh = { + enable = true; + + authorizedKeysFiles = [ "${keysDirectory}/%u_${keyType}.pub" ]; + }; + + system.build.macos-builder-installer = + let + privateKey = "/etc/nix/${user}_${keyType}"; + + publicKey = "${privateKey}.pub"; + + # This installCredentials script is written so that it's as easy as + # possible for a user to audit before confirming the `sudo` + installCredentials = hostPkgs.writeShellScript "install-credentials" '' + KEYS="''${1}" + INSTALL=${hostPkgs.coreutils}/bin/install + "''${INSTALL}" -g nixbld -m 600 "''${KEYS}/${user}_${keyType}" ${privateKey} + "''${INSTALL}" -g nixbld -m 644 "''${KEYS}/${user}_${keyType}.pub" ${publicKey} + ''; + + hostPkgs = config.virtualisation.host.pkgs; + + script = hostPkgs.writeShellScriptBin "create-builder" '' + KEYS="''${KEYS:-./keys}" + ${hostPkgs.coreutils}/bin/mkdir --parent "''${KEYS}" + PRIVATE_KEY="''${KEYS}/${user}_${keyType}" + PUBLIC_KEY="''${PRIVATE_KEY}.pub" + if [ ! -e "''${PRIVATE_KEY}" ] || [ ! -e "''${PUBLIC_KEY}" ]; then + ${hostPkgs.coreutils}/bin/rm --force -- "''${PRIVATE_KEY}" "''${PUBLIC_KEY}" + ${hostPkgs.openssh}/bin/ssh-keygen -q -f "''${PRIVATE_KEY}" -t ${keyType} -N "" -C 'builder@localhost' + fi + if ! ${hostPkgs.diffutils}/bin/cmp "''${PUBLIC_KEY}" ${publicKey}; then + (set -x; sudo --reset-timestamp ${installCredentials} "''${KEYS}") + fi + KEYS="$(nix-store --add "$KEYS")" ${config.system.build.vm}/bin/run-nixos-vm + ''; + + in + script.overrideAttrs (old: { + meta = (old.meta or { }) // { + platforms = lib.platforms.darwin; + }; + }); + + system = { + # To prevent gratuitous rebuilds on each change to Nixpkgs + nixos.revision = null; + + stateVersion = lib.mkDefault (throw '' + The macOS linux builder should not need a stateVersion to be set, but a module + has accessed stateVersion nonetheless. + Please inspect the trace of the following command to figure out which module + has a dependency on stateVersion. + + nix-instantiate --attr darwin.builder --show-trace + ''); + }; + + users.users."${user}" = { + isNormalUser = true; + }; + + security.polkit.enable = true; + + security.polkit.extraConfig = '' + polkit.addRule(function(action, subject) { + if (action.id === "org.freedesktop.login1.power-off" && subject.user === "${user}") { + return "yes"; + } else { + return "no"; + } + }) + ''; + + virtualisation = { + diskSize = 20 * 1024; + + memorySize = 3 * 1024; + + forwardPorts = [ + { from = "host"; guest.port = 22; host.port = 22; } + ]; + + # Disable graphics for the builder since users will likely want to run it + # non-interactively in the background. + graphics = false; + + sharedDirectories.keys = { + source = "\"$KEYS\""; + target = keysDirectory; + }; + + # If we don't enable this option then the host will fail to delegate builds + # to the guest, because: + # + # - The host will lock the path to build + # - The host will delegate the build to the guest + # - The guest will attempt to lock the same path and fail because + # the lockfile on the host is visible on the guest + # + # Snapshotting the host's /nix/store as an image isolates the guest VM's + # /nix/store from the host's /nix/store, preventing this problem. + useNixStoreImage = true; + + # Obviously the /nix/store needs to be writable on the guest in order for it + # to perform builds. + writableStore = true; + + # This ensures that anything built on the guest isn't lost when the guest is + # restarted. + writableStoreUseTmpfs = false; + }; +} diff --git a/nixos/modules/profiles/minimal.nix b/nixos/modules/profiles/minimal.nix index 0125017dfee88..bd1b2b4521899 100644 --- a/nixos/modules/profiles/minimal.nix +++ b/nixos/modules/profiles/minimal.nix @@ -10,10 +10,20 @@ with lib; documentation.enable = mkDefault false; + documentation.doc.enable = mkDefault false; + + documentation.info.enable = mkDefault false; + + documentation.man.enable = mkDefault false; + documentation.nixos.enable = mkDefault false; programs.command-not-found.enable = mkDefault false; + services.logrotate.enable = mkDefault false; + + services.udisks2.enable = mkDefault false; + xdg.autostart.enable = mkDefault false; xdg.icons.enable = mkDefault false; xdg.mime.enable = mkDefault false; diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix index 249e99ddc4721..286faeadc489d 100644 --- a/nixos/modules/programs/bash/bash.nix +++ b/nixos/modules/programs/bash/bash.nix @@ -12,7 +12,7 @@ let cfg = config.programs.bash; bashAliases = concatStringsSep "\n" ( - mapAttrsFlatten (k: v: "alias ${k}=${escapeShellArg v}") + mapAttrsFlatten (k: v: "alias -- ${k}=${escapeShellArg v}") (filterAttrs (k: v: v != null) cfg.shellAliases) ); diff --git a/nixos/modules/programs/bash/blesh.nix b/nixos/modules/programs/bash/blesh.nix new file mode 100644 index 0000000000000..8fa51bef77443 --- /dev/null +++ b/nixos/modules/programs/bash/blesh.nix @@ -0,0 +1,16 @@ +{ lib, config, pkgs, ... }: +with lib; +let + cfg = config.programs.bash.blesh; +in { + options = { + programs.bash.blesh.enable = mkEnableOption (mdDoc "blesh"); + }; + + config = mkIf cfg.enable { + programs.bash.interactiveShellInit = mkBefore '' + source ${pkgs.blesh}/share/blesh/ble.sh + ''; + }; + meta.maintainers = with maintainers; [ laalsaas ]; +} diff --git a/nixos/modules/programs/firefox.nix b/nixos/modules/programs/firefox.nix index 76e6c1a553f3a..3a5105c57d767 100644 --- a/nixos/modules/programs/firefox.nix +++ b/nixos/modules/programs/firefox.nix @@ -5,6 +5,8 @@ with lib; let cfg = config.programs.firefox; + nmh = cfg.nativeMessagingHosts; + policyFormat = pkgs.formats.json { }; organisationInfo = '' @@ -15,15 +17,15 @@ let given control of your browser, unless of course they also control your NixOS configuration. ''; - -in { +in +{ options.programs.firefox = { enable = mkEnableOption (mdDoc "the Firefox web browser"); package = mkOption { - description = mdDoc "Firefox package to use."; type = types.package; default = pkgs.firefox; + description = mdDoc "Firefox package to use."; defaultText = literalExpression "pkgs.firefox"; relatedPackages = [ "firefox" @@ -31,16 +33,16 @@ in { "firefox-bin" "firefox-devedition-bin" "firefox-esr" - "firefox-esr-wayland" - "firefox-wayland" ]; }; policies = mkOption { + type = policyFormat.type; + default = { }; description = mdDoc '' Group policies to install. - See [Mozilla's documentation](https://github.com/mozilla/policy-templates/blob/master/README.md") + See [Mozilla's documentation](https://github.com/mozilla/policy-templates/blob/master/README.md) for a list of available options. This can be used to install extensions declaratively! Check out the @@ -48,43 +50,214 @@ in { ${organisationInfo} ''; - type = policyFormat.type; - default = {}; }; preferences = mkOption { + type = with types; attrsOf (oneOf [ bool int string ]); + default = { }; description = mdDoc '' - Preferences to set from `about://config`. + Preferences to set from `about:config`. Some of these might be able to be configured more ergonomically using policies. ${organisationInfo} ''; - type = with types; attrsOf (oneOf [ bool int string ]); - default = {}; + }; + + preferencesStatus = mkOption { + type = types.enum [ "default" "locked" "user" "clear" ]; + default = "locked"; + description = mdDoc '' + The status of `firefox.preferences`. + + `status` can assume the following values: + - `"default"`: Preferences appear as default. + - `"locked"`: Preferences appear as default and can't be changed. + - `"user"`: Preferences appear as changed. + - `"clear"`: Value has no effect. Resets to factory defaults on each startup. + ''; + }; + + languagePacks = mkOption { + # Available languages can be found in https://releases.mozilla.org/pub/firefox/releases/${cfg.package.version}/linux-x86_64/xpi/ + type = types.listOf (types.enum ([ + "ach" + "af" + "an" + "ar" + "ast" + "az" + "be" + "bg" + "bn" + "br" + "bs" + "ca-valencia" + "ca" + "cak" + "cs" + "cy" + "da" + "de" + "dsb" + "el" + "en-CA" + "en-GB" + "en-US" + "eo" + "es-AR" + "es-CL" + "es-ES" + "es-MX" + "et" + "eu" + "fa" + "ff" + "fi" + "fr" + "fy-NL" + "ga-IE" + "gd" + "gl" + "gn" + "gu-IN" + "he" + "hi-IN" + "hr" + "hsb" + "hu" + "hy-AM" + "ia" + "id" + "is" + "it" + "ja" + "ka" + "kab" + "kk" + "km" + "kn" + "ko" + "lij" + "lt" + "lv" + "mk" + "mr" + "ms" + "my" + "nb-NO" + "ne-NP" + "nl" + "nn-NO" + "oc" + "pa-IN" + "pl" + "pt-BR" + "pt-PT" + "rm" + "ro" + "ru" + "sco" + "si" + "sk" + "sl" + "son" + "sq" + "sr" + "sv-SE" + "szl" + "ta" + "te" + "th" + "tl" + "tr" + "trs" + "uk" + "ur" + "uz" + "vi" + "xh" + "zh-CN" + "zh-TW" + ])); + default = [ ]; + description = mdDoc '' + The language packs to install. + ''; + }; + + autoConfig = mkOption { + type = types.lines; + default = ""; + description = mdDoc '' + AutoConfig files can be used to set and lock preferences that are not covered + by the policies.json for Mac and Linux. This method can be used to automatically + change user preferences or prevent the end user from modifiying specific + preferences by locking them. More info can be found in https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig. + ''; + }; + + nativeMessagingHosts = mapAttrs (_: v: mkEnableOption (mdDoc v)) { + browserpass = "Browserpass support"; + bukubrow = "Bukubrow support"; + ff2mpv = "ff2mpv support"; + fxCast = "fx_cast support"; + gsconnect = "GSConnect support"; + jabref = "JabRef support"; + passff = "PassFF support"; + tridactyl = "Tridactyl support"; + ugetIntegrator = "Uget Integrator support"; }; }; config = mkIf cfg.enable { - environment.systemPackages = [ cfg.package ]; + environment.systemPackages = [ + (cfg.package.override { + extraPrefs = cfg.autoConfig; + extraNativeMessagingHosts = with pkgs; optionals nmh.ff2mpv [ + ff2mpv + ] ++ optionals nmh.gsconnect [ + gnomeExtensions.gsconnect + ] ++ optionals nmh.jabref [ + jabref + ] ++ optionals nmh.passff [ + passff-host + ]; + }) + ]; - environment.etc."firefox/policies/policies.json".source = - let policiesJSON = - policyFormat.generate - "firefox-policies.json" - { inherit (cfg) policies; }; - in mkIf (cfg.policies != {}) "${policiesJSON}"; + nixpkgs.config.firefox = { + enableBrowserpass = nmh.browserpass; + enableBukubrow = nmh.bukubrow; + enableTridactylNative = nmh.tridactyl; + enableUgetIntegrator = nmh.ugetIntegrator; + enableFXCastBridge = nmh.fxCast; + }; - # Preferences are converted into a policy - programs.firefox.policies = - mkIf (cfg.preferences != {}) - { - Preferences = (mapAttrs (name: value: { - Value = value; - Status = "locked"; - }) cfg.preferences); + environment.etc = + let + policiesJSON = policyFormat.generate "firefox-policies.json" { inherit (cfg) policies; }; + in + mkIf (cfg.policies != { }) { + "firefox/policies/policies.json".source = "${policiesJSON}"; }; + + # Preferences are converted into a policy + programs.firefox.policies = { + Preferences = (mapAttrs + (_: value: { Value = value; Status = cfg.preferencesStatus; }) + cfg.preferences); + ExtensionSettings = listToAttrs (map + (lang: nameValuePair + "langpack-${lang}@firefox.mozilla.org" + { + installation_mode = "normal_installed"; + install_url = "https://releases.mozilla.org/pub/firefox/releases/${cfg.package.version}/linux-x86_64/xpi/${lang}.xpi"; + } + ) + cfg.languagePacks); + }; }; meta.maintainers = with maintainers; [ danth ]; diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix index a98c15a045172..6f79c13d94b44 100644 --- a/nixos/modules/programs/firejail.nix +++ b/nixos/modules/programs/firejail.nix @@ -8,18 +8,21 @@ let wrappedBins = pkgs.runCommand "firejail-wrapped-binaries" { preferLocalBuild = true; allowSubstitutes = false; + # take precedence over non-firejailed versions + meta.priority = -1; } '' mkdir -p $out/bin + mkdir -p $out/share/applications ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value: let opts = if builtins.isAttrs value then value - else { executable = value; profile = null; extraArgs = []; }; + else { executable = value; desktop = null; profile = null; extraArgs = []; }; args = lib.escapeShellArgs ( opts.extraArgs ++ (optional (opts.profile != null) "--profile=${toString opts.profile}") - ); + ); in '' cat <<_EOF >$out/bin/${command} @@ -27,6 +30,11 @@ let exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@" _EOF chmod 0755 $out/bin/${command} + + ${lib.optionalString (opts.desktop != null) '' + substitute ${opts.desktop} $out/share/applications/$(basename ${opts.desktop}) \ + --replace ${opts.executable} $out/bin/${command} + ''} '') cfg.wrappedBinaries)} ''; @@ -42,6 +50,12 @@ in { description = lib.mdDoc "Executable to run sandboxed"; example = literalExpression ''"''${lib.getBin pkgs.firefox}/bin/firefox"''; }; + desktop = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mkDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable."; + example = literalExpression ''"''${pkgs.firefox}/share/applications/firefox.desktop"''; + }; profile = mkOption { type = types.nullOr types.path; default = null; @@ -71,12 +85,6 @@ in { ''; description = lib.mdDoc '' Wrap the binaries in firejail and place them in the global path. - - You will get file collisions if you put the actual application binary in - the global environment (such as by adding the application package to - `environment.systemPackages`), and applications started via - .desktop files are not wrapped if they specify the absolute path to the - binary. ''; }; }; diff --git a/nixos/modules/programs/flashrom.nix b/nixos/modules/programs/flashrom.nix index 5f0de5a402341..ff495558c9e04 100644 --- a/nixos/modules/programs/flashrom.nix +++ b/nixos/modules/programs/flashrom.nix @@ -16,11 +16,12 @@ in group. ''; }; + package = mkPackageOption pkgs "flashrom" { }; }; config = mkIf cfg.enable { - services.udev.packages = [ pkgs.flashrom ]; - environment.systemPackages = [ pkgs.flashrom ]; + services.udev.packages = [ cfg.package ]; + environment.systemPackages = [ cfg.package ]; users.groups.flashrom = { }; }; } diff --git a/nixos/modules/programs/fzf.nix b/nixos/modules/programs/fzf.nix new file mode 100644 index 0000000000000..eda4eacde4ac9 --- /dev/null +++ b/nixos/modules/programs/fzf.nix @@ -0,0 +1,27 @@ +{pkgs, config, lib, ...}: +with lib; +let + cfg = config.programs.fzf; +in { + options = { + programs.fzf = { + fuzzyCompletion = mkEnableOption (mdDoc "fuzzy completion with fzf"); + keybindings = mkEnableOption (mdDoc "fzf keybindings"); + }; + }; + config = { + environment.systemPackages = optional (cfg.keybindings || cfg.fuzzyCompletion) pkgs.fzf; + programs.bash.interactiveShellInit = optionalString cfg.fuzzyCompletion '' + source ${pkgs.fzf}/share/fzf/completion.bash + '' + optionalString cfg.keybindings '' + source ${pkgs.fzf}/share/fzf/key-bindings.bash + ''; + + programs.zsh.interactiveShellInit = optionalString cfg.fuzzyCompletion '' + source ${pkgs.fzf}/share/fzf/completion.zsh + '' + optionalString cfg.keybindings '' + source ${pkgs.fzf}/share/fzf/key-bindings.zsh + ''; + }; + meta.maintainers = with maintainers; [ laalsaas ]; +} diff --git a/nixos/modules/programs/git.nix b/nixos/modules/programs/git.nix index acff5dfdd888a..4e271a8c134b2 100644 --- a/nixos/modules/programs/git.nix +++ b/nixos/modules/programs/git.nix @@ -20,15 +20,41 @@ in }; config = mkOption { - type = with types; attrsOf (attrsOf anything); - default = { }; + type = + with types; + let + gitini = attrsOf (attrsOf anything); + in + either gitini (listOf gitini) // { + merge = loc: defs: + let + config = foldl' + (acc: { value, ... }@x: acc // (if isList value then { + ordered = acc.ordered ++ value; + } else { + unordered = acc.unordered ++ [ x ]; + })) + { + ordered = [ ]; + unordered = [ ]; + } + defs; + in + [ (gitini.merge loc config.unordered) ] ++ config.ordered; + }; + default = [ ]; example = { init.defaultBranch = "main"; url."https://github.com/".insteadOf = [ "gh:" "github:" ]; }; description = lib.mdDoc '' - Configuration to write to /etc/gitconfig. See the CONFIGURATION FILE - section of git-config(1) for more information. + Configuration to write to /etc/gitconfig. A list can also be + specified to keep the configuration in order. For example, setting + `config` to `[ { foo.x = 42; } { bar.y = 42; }]` will put the `foo` + section before the `bar` section unlike the default alphabetical + order, which can be helpful for sections such as `include` and + `includeIf`. See the CONFIGURATION FILE section of git-config(1) for + more information. ''; }; @@ -48,8 +74,8 @@ in config = mkMerge [ (mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; - environment.etc.gitconfig = mkIf (cfg.config != {}) { - text = generators.toGitINI cfg.config; + environment.etc.gitconfig = mkIf (cfg.config != [ ]) { + text = concatMapStringsSep "\n" generators.toGitINI cfg.config; }; }) (mkIf (cfg.enable && cfg.lfs.enable) { diff --git a/nixos/modules/programs/htop.nix b/nixos/modules/programs/htop.nix index 521287f9352d5..2682ced490ca3 100644 --- a/nixos/modules/programs/htop.nix +++ b/nixos/modules/programs/htop.nix @@ -20,7 +20,7 @@ in package = mkOption { type = types.package; default = pkgs.htop; - defaultText = "pkgs.htop"; + defaultText = lib.literalExpression "pkgs.htop"; description = lib.mdDoc '' The htop package that should be used. ''; diff --git a/nixos/modules/programs/i3lock.nix b/nixos/modules/programs/i3lock.nix new file mode 100644 index 0000000000000..466ae59c9277f --- /dev/null +++ b/nixos/modules/programs/i3lock.nix @@ -0,0 +1,58 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.programs.i3lock; + +in { + + ###### interface + + options = { + programs.i3lock = { + enable = mkEnableOption (mdDoc "i3lock"); + package = mkOption { + type = types.package; + default = pkgs.i3lock; + defaultText = literalExpression "pkgs.i3lock"; + example = literalExpression '' + pkgs.i3lock-color + ''; + description = mdDoc '' + Specify which package to use for the i3lock program, + The i3lock package must include a i3lock file or link in its out directory in order for the u2fSupport option to work correctly. + ''; + }; + u2fSupport = mkOption { + type = types.bool; + default = false; + example = true; + description = mdDoc '' + Whether to enable U2F support in the i3lock program. + U2F enables authentication using a hardware device, such as a security key. + When U2F support is enabled, the i3lock program will set the setuid bit on the i3lock binary and enable the pam u2fAuth service, + ''; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + environment.systemPackages = [ cfg.package ]; + + security.wrappers.i3lock = mkIf cfg.u2fSupport { + setuid = true; + owner = "root"; + group = "root"; + source = "${cfg.package.out}/bin/i3lock"; + }; + + security.pam.services.i3lock.u2fAuth = cfg.u2fSupport; + + }; + +} diff --git a/nixos/modules/programs/nix-index.nix b/nixos/modules/programs/nix-index.nix new file mode 100644 index 0000000000000..a494b9d8c2c9b --- /dev/null +++ b/nixos/modules/programs/nix-index.nix @@ -0,0 +1,62 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.programs.nix-index; +in { + options.programs.nix-index = with lib; { + enable = mkEnableOption (lib.mdDoc "nix-index, a file database for nixpkgs"); + + package = mkOption { + type = types.package; + default = pkgs.nix-index; + defaultText = literalExpression "pkgs.nix-index"; + description = lib.mdDoc "Package providing the `nix-index` tool."; + }; + + enableBashIntegration = mkEnableOption (lib.mdDoc "Bash integration") // { + default = true; + }; + + enableZshIntegration = mkEnableOption (lib.mdDoc "Zsh integration") // { + default = true; + }; + + enableFishIntegration = mkEnableOption (lib.mdDoc "Fish integration") // { + default = true; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = let + checkOpt = name: { + assertion = cfg.${name} -> !config.programs.command-not-found.enable; + message = '' + The 'programs.command-not-found.enable' option is mutually exclusive + with the 'programs.nix-index.${name}' option. + ''; + }; + in [ (checkOpt "enableBashIntegration") (checkOpt "enableZshIntegration") ]; + + environment.systemPackages = [ cfg.package ]; + + programs.bash.interactiveShellInit = lib.mkIf cfg.enableBashIntegration '' + source ${cfg.package}/etc/profile.d/command-not-found.sh + ''; + + programs.zsh.interactiveShellInit = lib.mkIf cfg.enableZshIntegration '' + source ${cfg.package}/etc/profile.d/command-not-found.sh + ''; + + # See https://github.com/bennofs/nix-index/issues/126 + programs.fish.interactiveShellInit = let + wrapper = pkgs.writeScript "command-not-found" '' + #!${pkgs.bash}/bin/bash + source ${cfg.package}/etc/profile.d/command-not-found.sh + command_not_found_handle "$@" + ''; + in lib.mkIf cfg.enableFishIntegration '' + function __fish_command_not_found_handler --on-event fish_command_not_found + ${wrapper} $argv + end + ''; + }; +} diff --git a/nixos/modules/programs/nix-ld.nix b/nixos/modules/programs/nix-ld.nix index 602278d1ba9b6..9a12b4ca5c74f 100644 --- a/nixos/modules/programs/nix-ld.nix +++ b/nixos/modules/programs/nix-ld.nix @@ -1,10 +1,67 @@ { pkgs, lib, config, ... }: +let + cfg = config.programs.nix-ld; + + # TODO make glibc here configureable? + nix-ld-so = pkgs.runCommand "ld.so" {} '' + ln -s "$(cat '${pkgs.stdenv.cc}/nix-support/dynamic-linker')" $out + ''; + + nix-ld-libraries = pkgs.buildEnv { + name = "lb-library-path"; + pathsToLink = [ "/lib" ]; + paths = map lib.getLib cfg.libraries; + extraPrefix = "/share/nix-ld"; + ignoreCollisions = true; + }; + + # We currently take all libraries from systemd and nix as the default. + # Is there a better list? + baseLibraries = with pkgs; [ + zlib + zstd + stdenv.cc.cc + curl + openssl + attr + libssh + bzip2 + libxml2 + acl + libsodium + util-linux + xz + systemd + ]; +in { meta.maintainers = [ lib.maintainers.mic92 ]; - options = { - programs.nix-ld.enable = lib.mkEnableOption (lib.mdDoc ''nix-ld, Documentation: <https://github.com/Mic92/nix-ld>''); + options.programs.nix-ld = { + enable = lib.mkEnableOption (lib.mdDoc ''nix-ld, Documentation: <https://github.com/Mic92/nix-ld>''); + package = lib.mkOption { + type = lib.types.package; + description = lib.mdDoc "Which package to use for the nix-ld."; + default = pkgs.nix-ld; + defaultText = lib.literalExpression "pkgs.nix-ld"; + }; + libraries = lib.mkOption { + type = lib.types.listOf lib.types.package; + description = lib.mdDoc "Libraries that automatically become available to all programs. The default set includes common libraries."; + default = baseLibraries; + defaultText = lib.literalExpression "baseLibraries derived from systemd and nix dependencies."; + }; }; + config = lib.mkIf config.programs.nix-ld.enable { - systemd.tmpfiles.packages = [ pkgs.nix-ld ]; + systemd.tmpfiles.packages = [ cfg.package ]; + + environment.systemPackages = [ nix-ld-libraries ]; + + environment.pathsToLink = [ "/share/nix-ld" ]; + + environment.variables = { + NIX_LD = toString nix-ld-so; + NIX_LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib"; + }; }; } diff --git a/nixos/modules/programs/rog-control-center.nix b/nixos/modules/programs/rog-control-center.nix new file mode 100644 index 0000000000000..4aef5143ac7ff --- /dev/null +++ b/nixos/modules/programs/rog-control-center.nix @@ -0,0 +1,29 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.programs.rog-control-center; +in +{ + options = { + programs.rog-control-center = { + enable = lib.mkEnableOption (lib.mdDoc "the rog-control-center application"); + + autoStart = lib.mkOption { + default = false; + type = lib.types.bool; + description = lib.mdDoc "Whether rog-control-center should be started automatically."; + }; + }; + }; + + config = lib.mkIf cfg.enable { + environment.systemPackages = [ + pkgs.asusctl + (lib.mkIf cfg.autoStart (pkgs.makeAutostartItem { name = "rog-control-center"; package = pkgs.asusctl; })) + ]; + + services.asusd.enable = true; + }; + + meta.maintainers = pkgs.asusctl.meta.maintainers; +} diff --git a/nixos/modules/programs/skim.nix b/nixos/modules/programs/skim.nix new file mode 100644 index 0000000000000..57a5d68ec3d5a --- /dev/null +++ b/nixos/modules/programs/skim.nix @@ -0,0 +1,34 @@ +{ pkgs, config, lib, ... }: +let + inherit (lib) mdDoc mkEnableOption mkPackageOption optional optionalString; + cfg = config.programs.skim; +in +{ + options = { + programs.skim = { + fuzzyCompletion = mkEnableOption (mdDoc "fuzzy completion with skim"); + keybindings = mkEnableOption (mdDoc "skim keybindings"); + package = mkPackageOption pkgs "skim" {}; + }; + }; + + config = { + environment.systemPackages = optional (cfg.keybindings || cfg.fuzzyCompletion) cfg.package; + + programs.bash.interactiveShellInit = optionalString cfg.fuzzyCompletion '' + source ${cfg.package}/share/skim/completion.bash + '' + optionalString cfg.keybindings '' + source ${cfg.package}/share/skim/key-bindings.bash + ''; + + programs.zsh.interactiveShellInit = optionalString cfg.fuzzyCompletion '' + source ${cfg.package}/share/skim/completion.zsh + '' + optionalString cfg.keybindings '' + source ${cfg.package}/share/skim/key-bindings.zsh + ''; + + programs.fish.interactiveShellInit = optionalString cfg.keybindings '' + source ${cfg.package}/share/skim/key-bindings.fish && skim_key_bindings + ''; + }; +} diff --git a/nixos/modules/programs/steam.nix b/nixos/modules/programs/steam.nix index adbbf5d9ed4b4..1b69aac98863b 100644 --- a/nixos/modules/programs/steam.nix +++ b/nixos/modules/programs/steam.nix @@ -4,17 +4,31 @@ with lib; let cfg = config.programs.steam; - - steam = pkgs.steam.override { - extraLibraries = pkgs: with config.hardware.opengl; - if pkgs.hostPlatform.is64bit - then [ package ] ++ extraPackages - else [ package32 ] ++ extraPackages32; - }; in { options.programs.steam = { enable = mkEnableOption (lib.mdDoc "steam"); + package = mkOption { + type = types.package; + default = pkgs.steam.override { + extraLibraries = pkgs: with config.hardware.opengl; + if pkgs.hostPlatform.is64bit + then [ package ] ++ extraPackages + else [ package32 ] ++ extraPackages32; + }; + defaultText = literalExpression '' + pkgs.steam.override { + extraLibraries = pkgs: with config.hardware.opengl; + if pkgs.hostPlatform.is64bit + then [ package ] ++ extraPackages + else [ package32 ] ++ extraPackages32; + } + ''; + description = lib.mdDoc '' + steam package to use. + ''; + }; + remotePlay.openFirewall = mkOption { type = types.bool; default = false; @@ -44,7 +58,10 @@ in { hardware.steam-hardware.enable = true; - environment.systemPackages = [ steam steam.run ]; + environment.systemPackages = [ + cfg.package + cfg.package.run + ]; networking.firewall = lib.mkMerge [ (mkIf cfg.remotePlay.openFirewall { diff --git a/nixos/modules/programs/streamdeck-ui.nix b/nixos/modules/programs/streamdeck-ui.nix index e933b899c55ec..113d1d49e151a 100644 --- a/nixos/modules/programs/streamdeck-ui.nix +++ b/nixos/modules/programs/streamdeck-ui.nix @@ -4,7 +4,8 @@ with lib; let cfg = config.programs.streamdeck-ui; -in { +in +{ options.programs.streamdeck-ui = { enable = mkEnableOption (lib.mdDoc "streamdeck-ui"); @@ -13,15 +14,20 @@ in { type = types.bool; description = lib.mdDoc "Whether streamdeck-ui should be started automatically."; }; + + package = mkPackageOption pkgs "streamdeck-ui" { + default = [ "streamdeck-ui" ]; + }; + }; config = mkIf cfg.enable { environment.systemPackages = with pkgs; [ - streamdeck-ui - (mkIf cfg.autoStart (makeAutostartItem { name = "streamdeck-ui"; package = streamdeck-ui; })) + cfg.package + (mkIf cfg.autoStart (makeAutostartItem { name = "streamdeck-ui"; package = cfg.package; })) ]; - services.udev.packages = with pkgs; [ streamdeck-ui ]; + services.udev.packages = [ cfg.package ]; }; meta.maintainers = with maintainers; [ majiir ]; diff --git a/nixos/modules/programs/tmux.nix b/nixos/modules/programs/tmux.nix index cf7ea4cfcf76a..4fb9175fb8d21 100644 --- a/nixos/modules/programs/tmux.nix +++ b/nixos/modules/programs/tmux.nix @@ -178,6 +178,16 @@ in { description = lib.mdDoc "List of plugins to install."; example = lib.literalExpression "[ pkgs.tmuxPlugins.nord ]"; }; + + withUtempter = mkOption { + description = lib.mdDoc '' + Whether to enable libutempter for tmux. + This is required so that tmux can write to /var/run/utmp (which can be queried with `who` to display currently connected user sessions). + Note, this will add a guid wrapper for the group utmp! + ''; + default = true; + type = types.bool; + }; }; }; @@ -193,6 +203,15 @@ in { TMUX_TMPDIR = lib.optional cfg.secureSocket ''''${XDG_RUNTIME_DIR:-"/run/user/$(id -u)"}''; }; }; + security.wrappers = mkIf cfg.withUtempter { + utempter = { + source = "${pkgs.libutempter}/lib/utempter/utempter"; + owner = "root"; + group = "utmp"; + setuid = false; + setgid = true; + }; + }; }; imports = [ diff --git a/nixos/modules/programs/vim.nix b/nixos/modules/programs/vim.nix index 15983e371f0eb..b12a45166d560 100644 --- a/nixos/modules/programs/vim.nix +++ b/nixos/modules/programs/vim.nix @@ -19,7 +19,7 @@ in { type = types.package; default = pkgs.vim; defaultText = literalExpression "pkgs.vim"; - example = literalExpression "pkgs.vimHugeX"; + example = literalExpression "pkgs.vim-full"; description = lib.mdDoc '' vim package to use. ''; diff --git a/nixos/modules/programs/weylus.nix b/nixos/modules/programs/weylus.nix index eab8afdf2cc84..a5775f3b981cc 100644 --- a/nixos/modules/programs/weylus.nix +++ b/nixos/modules/programs/weylus.nix @@ -29,7 +29,7 @@ in package = mkOption { type = package; default = pkgs.weylus; - defaultText = "pkgs.weylus"; + defaultText = lib.literalExpression "pkgs.weylus"; description = lib.mdDoc "Weylus package to install."; }; }; diff --git a/nixos/modules/programs/xastir.nix b/nixos/modules/programs/xastir.nix new file mode 100644 index 0000000000000..0977668d83707 --- /dev/null +++ b/nixos/modules/programs/xastir.nix @@ -0,0 +1,23 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.programs.xastir; +in { + meta.maintainers = with maintainers; [ melling ]; + + options.programs.xastir = { + enable = mkEnableOption (mdDoc "Enable Xastir Graphical APRS client"); + }; + + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ xastir ]; + security.wrappers.xastir = { + source = "${pkgs.xastir}/bin/xastir"; + capabilities = "cap_net_raw+p"; + owner = "root"; + group = "root"; + }; + }; +} diff --git a/nixos/modules/programs/xfs_quota.nix b/nixos/modules/programs/xfs_quota.nix index a1e9ff941c6b8..0fc2958b3f387 100644 --- a/nixos/modules/programs/xfs_quota.nix +++ b/nixos/modules/programs/xfs_quota.nix @@ -94,7 +94,7 @@ in ''; wantedBy = [ "multi-user.target" ]; - after = [ ((replaceChars [ "/" ] [ "-" ] opts.fileSystem) + ".mount") ]; + after = [ ((replaceStrings [ "/" ] [ "-" ] opts.fileSystem) + ".mount") ]; restartTriggers = [ config.environment.etc.projects.source ]; diff --git a/nixos/modules/programs/xonsh.nix b/nixos/modules/programs/xonsh.nix index 3223761f93408..7202ed06c6af2 100644 --- a/nixos/modules/programs/xonsh.nix +++ b/nixos/modules/programs/xonsh.nix @@ -46,8 +46,8 @@ in config = mkIf cfg.enable { - environment.etc.xonshrc.text = '' - # /etc/xonshrc: DO NOT EDIT -- this file has been generated automatically. + environment.etc."xonsh/xonshrc".text = '' + # /etc/xonsh/xonshrc: DO NOT EDIT -- this file has been generated automatically. if not ''${...}.get('__NIXOS_SET_ENVIRONMENT_DONE'): diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix index 29790e0dd759b..0b152e54cf95f 100644 --- a/nixos/modules/programs/zsh/zsh.nix +++ b/nixos/modules/programs/zsh/zsh.nix @@ -12,7 +12,7 @@ let opt = options.programs.zsh; zshAliases = concatStringsSep "\n" ( - mapAttrsFlatten (k: v: "alias ${k}=${escapeShellArg v}") + mapAttrsFlatten (k: v: "alias -- ${k}=${escapeShellArg v}") (filterAttrs (k: v: v != null) cfg.shellAliases) ); @@ -173,10 +173,10 @@ in # This file is read for all shells. # Only execute this file once per shell. - if [ -n "$__ETC_ZSHENV_SOURCED" ]; then return; fi + if [ -n "''${__ETC_ZSHENV_SOURCED-}" ]; then return; fi __ETC_ZSHENV_SOURCED=1 - if [ -z "$__NIXOS_SET_ENVIRONMENT_DONE" ]; then + if [ -z "''${__NIXOS_SET_ENVIRONMENT_DONE-}" ]; then . ${config.system.build.setEnvironment} fi @@ -206,7 +206,7 @@ in ${zshStartupNotes} # Only execute this file once per shell. - if [ -n "$__ETC_ZPROFILE_SOURCED" ]; then return; fi + if [ -n "''${__ETC_ZPROFILE_SOURCED-}" ]; then return; fi __ETC_ZPROFILE_SOURCED=1 # Setup custom login shell init stuff. diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix index 4e163901b0887..a380bb5484afc 100644 --- a/nixos/modules/security/acme/default.nix +++ b/nixos/modules/security/acme/default.nix @@ -714,7 +714,7 @@ in { default = false; description = lib.mdDoc '' Whether to use the root user when generating certs. This is not recommended - for security + compatiblity reasons. If a service requires root owned certificates + for security + compatibility reasons. If a service requires root owned certificates consider following the guide on "Using ACME with services demanding root owned certificates" in the NixOS manual, and only using this as a fallback or for testing. @@ -765,7 +765,7 @@ in { To use the let's encrypt staging server, use security.acme.server = "https://acme-staging-v02.api.letsencrypt.org/directory". '') - (mkRemovedOptionModule [ "security" "acme" "directory" ] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.") + (mkRemovedOptionModule [ "security" "acme" "directory" ] "ACME Directory is now hardcoded to /var/lib/acme and its permissions are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.") (mkRemovedOptionModule [ "security" "acme" "preDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") (mkRemovedOptionModule [ "security" "acme" "activationDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") (mkChangedOptionModule [ "security" "acme" "validMin" ] [ "security" "acme" "defaults" "validMinDays" ] (config: config.security.acme.validMin / (24 * 3600))) diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index 0d858a458564d..24b48338ed772 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -202,7 +202,7 @@ in # (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory). # Note that this does not remove profiles dynamically generated by libvirt. [ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++ - # Optionaly kill the processes which are unconfined but now have a profile loaded + # Optionally kill the processes which are unconfined but now have a profile loaded # (because AppArmor can only start to confine new processes). optional cfg.killUnconfinedConfinables killUnconfinedConfinables; ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown"; diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 21e1749d85032..273bc796341c2 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -282,7 +282,7 @@ let defaultText = literalExpression "config.security.pam.mount.enable"; type = types.bool; description = lib.mdDoc '' - Enable PAM mount (pam_mount) system to mount fileystems on user login. + Enable PAM mount (pam_mount) system to mount filesystems on user login. ''; }; @@ -305,7 +305,7 @@ let default = false; type = types.bool; description = lib.mdDoc '' - Wheather the delay after typing a wrong password should be disabled. + Whether the delay after typing a wrong password should be disabled. ''; }; @@ -694,7 +694,7 @@ let optionalString (cfg.limits != []) '' session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits} '' + - optionalString (cfg.showMotd && config.users.motd != null) '' + optionalString (cfg.showMotd && (config.users.motd != null || config.users.motdFile != null)) '' session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd} '' + optionalString (cfg.enableAppArmor && config.security.apparmor.enable) '' @@ -775,7 +775,9 @@ let }; })); - motd = pkgs.writeText "motd" config.users.motd; + motd = if isNull config.users.motdFile + then pkgs.writeText "motd" config.users.motd + else config.users.motdFile; makePAMService = name: service: { name = "pam.d/${name}"; @@ -1199,12 +1201,26 @@ in description = lib.mdDoc "Message of the day shown to users when they log in."; }; + users.motdFile = mkOption { + default = null; + example = "/etc/motd"; + type = types.nullOr types.path; + description = lib.mdDoc "A file containing the message of the day shown to users when they log in."; + }; }; ###### implementation config = { + assertions = [ + { + assertion = isNull config.users.motd || isNull config.users.motdFile; + message = '' + Only one of users.motd and users.motdFile can be set. + ''; + } + ]; environment.systemPackages = # Include the PAM modules in the system path mostly for the manpages. diff --git a/nixos/modules/security/pam_mount.nix b/nixos/modules/security/pam_mount.nix index 11cc13a8cbeb2..481f1f3d38eb6 100644 --- a/nixos/modules/security/pam_mount.nix +++ b/nixos/modules/security/pam_mount.nix @@ -24,7 +24,7 @@ in type = types.bool; default = false; description = lib.mdDoc '' - Enable PAM mount system to mount fileystems on user login. + Enable PAM mount system to mount filesystems on user login. ''; }; diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index a58c792d8c5f8..4b62abd658a42 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -202,7 +202,7 @@ in internal = true; description = lib.mdDoc '' This option defines the path to the wrapper programs. It - should not be overriden. + should not be overridden. ''; }; }; diff --git a/nixos/modules/services/audio/botamusique.nix b/nixos/modules/services/audio/botamusique.nix index 4cd900f945c8b..5d3f7db12bc9b 100644 --- a/nixos/modules/services/audio/botamusique.nix +++ b/nixos/modules/services/audio/botamusique.nix @@ -103,9 +103,8 @@ in StateDirectory = "botamusique"; SystemCallArchitectures = "native"; SystemCallFilter = [ - "@system-service" + "@system-service @resources" "~@privileged" - "~@resources" ]; UMask = "0077"; WorkingDirectory = "/var/lib/botamusique"; diff --git a/nixos/modules/services/audio/icecast.nix b/nixos/modules/services/audio/icecast.nix index 759f1ab0db9b3..63049bd93ab9b 100644 --- a/nixos/modules/services/audio/icecast.nix +++ b/nixos/modules/services/audio/icecast.nix @@ -48,7 +48,7 @@ in { hostname = mkOption { type = types.nullOr types.str; - description = lib.mdDoc "DNS name or IP address that will be used for the stream directory lookups or possibily the playlist generation if a Host header is not provided."; + description = lib.mdDoc "DNS name or IP address that will be used for the stream directory lookups or possibly the playlist generation if a Host header is not provided."; default = config.networking.domain; defaultText = literalExpression "config.networking.domain"; }; @@ -74,7 +74,7 @@ in { listen = { port = mkOption { - type = types.int; + type = types.port; description = lib.mdDoc "TCP port that will be used to accept client connections."; default = 8000; }; diff --git a/nixos/modules/services/audio/liquidsoap.nix b/nixos/modules/services/audio/liquidsoap.nix index c313104c46096..5c10d13af5fde 100644 --- a/nixos/modules/services/audio/liquidsoap.nix +++ b/nixos/modules/services/audio/liquidsoap.nix @@ -38,11 +38,13 @@ in default = {}; - example = { - myStream1 = "/etc/liquidsoap/myStream1.liq"; - myStream2 = literalExpression "./myStream2.liq"; - myStream3 = "out(playlist(\"/srv/music/\"))"; - }; + example = literalExpression '' + { + myStream1 = "/etc/liquidsoap/myStream1.liq"; + myStream2 = ./myStream2.liq; + myStream3 = "out(playlist(\"/srv/music/\"))"; + } + ''; type = types.attrsOf (types.either types.path types.str); }; diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix index bbfccec98c4af..ba1e4716c9b99 100644 --- a/nixos/modules/services/audio/mpd.nix +++ b/nixos/modules/services/audio/mpd.nix @@ -142,7 +142,7 @@ in { }; port = mkOption { - type = types.int; + type = types.port; default = 6600; description = lib.mdDoc '' This setting is the TCP port that is desired for the daemon to get assigned diff --git a/nixos/modules/services/audio/roon-bridge.nix b/nixos/modules/services/audio/roon-bridge.nix index db84ba2862210..e9335091ba9a9 100644 --- a/nixos/modules/services/audio/roon-bridge.nix +++ b/nixos/modules/services/audio/roon-bridge.nix @@ -53,13 +53,18 @@ in { networking.firewall = mkIf cfg.openFirewall { allowedTCPPortRanges = [{ from = 9100; to = 9200; }]; allowedUDPPorts = [ 9003 ]; - extraCommands = '' + extraCommands = optionalString (!config.networking.nftables.enable) '' iptables -A INPUT -s 224.0.0.0/4 -j ACCEPT iptables -A INPUT -d 224.0.0.0/4 -j ACCEPT iptables -A INPUT -s 240.0.0.0/5 -j ACCEPT iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT iptables -A INPUT -m pkttype --pkt-type broadcast -j ACCEPT ''; + extraInputRules = optionalString config.networking.nftables.enable '' + ip saddr { 224.0.0.0/4, 240.0.0.0/5 } accept + ip daddr 224.0.0.0/4 accept + pkttype { multicast, broadcast } accept + ''; }; diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix index 4764ee3e598fc..fbe74f63b9dac 100644 --- a/nixos/modules/services/audio/roon-server.nix +++ b/nixos/modules/services/audio/roon-server.nix @@ -40,6 +40,7 @@ in { wantedBy = [ "multi-user.target" ]; environment.ROON_DATAROOT = "/var/lib/${name}"; + environment.ROON_ID_DIR = "/var/lib/${name}"; serviceConfig = { ExecStart = "${pkgs.roon-server}/bin/RoonServer"; @@ -57,7 +58,7 @@ in { { from = 30000; to = 30010; } ]; allowedUDPPorts = [ 9003 ]; - extraCommands = '' + extraCommands = optionalString (!config.networking.nftables.enable) '' ## IGMP / Broadcast ## iptables -A INPUT -s 224.0.0.0/4 -j ACCEPT iptables -A INPUT -d 224.0.0.0/4 -j ACCEPT @@ -65,6 +66,11 @@ in { iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT iptables -A INPUT -m pkttype --pkt-type broadcast -j ACCEPT ''; + extraInputRules = optionalString config.networking.nftables.enable '' + ip saddr { 224.0.0.0/4, 240.0.0.0/5 } accept + ip daddr 224.0.0.0/4 accept + pkttype { multicast, broadcast } accept + ''; }; diff --git a/nixos/modules/services/audio/snapserver.nix b/nixos/modules/services/audio/snapserver.nix index fdc1f605bb32a..2af42eeb3705b 100644 --- a/nixos/modules/services/audio/snapserver.nix +++ b/nixos/modules/services/audio/snapserver.nix @@ -101,9 +101,7 @@ in { openFirewall = mkOption { type = types.bool; - # Make the behavior consistent with other services. Set the default to - # false and remove the accompanying warning after NixOS 22.05 is released. - default = true; + default = false; description = lib.mdDoc '' Whether to automatically open the specified ports in the firewall. ''; @@ -279,12 +277,7 @@ in { # https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85 filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then '' services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead. - '' else "") cfg.streams) - # Remove this warning after NixOS 22.05 is released. - ++ optional (options.services.snapserver.openFirewall.highestPrio >= (mkOptionDefault null).priority) '' - services.snapserver.openFirewall will no longer default to true starting with NixOS 22.11. - Enable it explicitly if you need to control Snapserver remotely. - ''; + '' else "") cfg.streams); systemd.services.snapserver = { after = [ "network.target" ]; diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix index 7b29eb41e72a0..c5fc09dcea028 100644 --- a/nixos/modules/services/backup/borgbackup.nix +++ b/nixos/modules/services/backup/borgbackup.nix @@ -11,7 +11,11 @@ let mkExcludeFile = cfg: # Write each exclude pattern to a new line - pkgs.writeText "excludefile" (concatStringsSep "\n" cfg.exclude); + pkgs.writeText "excludefile" (concatMapStrings (s: s + "\n") cfg.exclude); + + mkPatternsFile = cfg: + # Write each pattern to a new line + pkgs.writeText "patternsfile" (concatMapStrings (s: s + "\n") cfg.patterns); mkKeepArgs = cfg: # If cfg.prune.keep e.g. has a yearly attribute, @@ -19,7 +23,8 @@ let concatStringsSep " " (mapAttrsToList (x: y: "--keep-${x}=${toString y}") cfg.prune.keep); - mkBackupScript = cfg: '' + mkBackupScript = name: cfg: pkgs.writeShellScript "${name}-script" ('' + set -e on_exit() { exitStatus=$? @@ -46,6 +51,7 @@ let borg create $extraArgs \ --compression ${cfg.compression} \ --exclude-from ${mkExcludeFile cfg} \ + --patterns-from ${mkPatternsFile cfg} \ $extraCreateArgs \ "::$archiveName$archiveSuffix" \ ${if cfg.paths == null then "-" else escapeShellArgs cfg.paths} @@ -58,10 +64,10 @@ let '' + optionalString (cfg.prune.keep != { }) '' borg prune $extraArgs \ ${mkKeepArgs cfg} \ - ${optionalString (cfg.prune.prefix != null) "--prefix ${escapeShellArg cfg.prune.prefix} \\"} + ${optionalString (cfg.prune.prefix != null) "--glob-archives ${escapeShellArg "${cfg.prune.prefix}*"}"} \ $extraPruneArgs ${cfg.postPrune} - ''; + ''); mkPassEnv = cfg: with cfg.encryption; if passCommand != null then @@ -73,12 +79,19 @@ let mkBackupService = name: cfg: let userHome = config.users.users.${cfg.user}.home; - in nameValuePair "borgbackup-job-${name}" { + backupJobName = "borgbackup-job-${name}"; + backupScript = mkBackupScript backupJobName cfg; + in nameValuePair backupJobName { description = "BorgBackup job ${name}"; path = with pkgs; [ borgbackup openssh ]; - script = mkBackupScript cfg; + script = "exec " + optionalString cfg.inhibitsSleep ''\ + ${pkgs.systemd}/bin/systemd-inhibit \ + --who="borgbackup" \ + --what="sleep" \ + --why="Scheduled backup" \ + '' + backupScript; serviceConfig = { User = cfg.user; Group = cfg.group; @@ -137,8 +150,9 @@ let # Ensure that the home directory already exists # We can't assert createHome == true because that's not the case for root cd "${config.users.users.${cfg.user}.home}" - ${install} -d .config/borg - ${install} -d .cache/borg + # Create each directory separately to prevent root owned parent dirs + ${install} -d .config .config/borg + ${install} -d .cache .cache/borg '' + optionalString (isLocalPath cfg.repo && !cfg.removableDevice) '' ${install} -d ${escapeShellArg cfg.repo} '')); @@ -341,6 +355,15 @@ in { ''; }; + inhibitsSleep = mkOption { + default = false; + type = types.bool; + example = true; + description = lib.mdDoc '' + Prevents the system from sleeping while backing up. + ''; + }; + user = mkOption { type = types.str; description = lib.mdDoc '' @@ -424,6 +447,21 @@ in { ]; }; + patterns = mkOption { + type = with types; listOf str; + description = lib.mdDoc '' + Include/exclude paths matching the given patterns. The first + matching patterns is used, so if an include pattern (prefix `+`) + matches before an exclude pattern (prefix `-`), the file is + backed up. See [{command}`borg help patterns`](https://borgbackup.readthedocs.io/en/stable/usage/help.html#borg-patterns) for pattern syntax. + ''; + default = [ ]; + example = [ + "+ /home/susan" + "- /home/*" + ]; + }; + readWritePaths = mkOption { type = with types; listOf path; description = lib.mdDoc '' diff --git a/nixos/modules/services/backup/borgbackup.xml b/nixos/modules/services/backup/borgbackup.xml index 8f623c9365684..f38064f867756 100644 --- a/nixos/modules/services/backup/borgbackup.xml +++ b/nixos/modules/services/backup/borgbackup.xml @@ -179,7 +179,7 @@ sudo borg init --encryption=repokey-blake2 \ mode = "repokey-blake2"; passCommand = "cat /run/keys/borgbackup_passphrase"; }; - BORG_RSH = "ssh -i /run/keys/id_ed25519_borgbase"; + environment = { BORG_RSH = "ssh -i /run/keys/id_ed25519_borgbase"; }; compression = "auto,lzma"; startAt = "daily"; }; diff --git a/nixos/modules/services/backup/zfs-replication.nix b/nixos/modules/services/backup/zfs-replication.nix index f0267c47364d6..ce914003c6222 100644 --- a/nixos/modules/services/backup/zfs-replication.nix +++ b/nixos/modules/services/backup/zfs-replication.nix @@ -12,7 +12,7 @@ in { enable = mkEnableOption (lib.mdDoc "ZFS snapshot replication."); followDelete = mkOption { - description = lib.mdDoc "Remove remote snapshots that don't have a local correspondant."; + description = lib.mdDoc "Remove remote snapshots that don't have a local correspondent."; default = true; type = types.bool; }; @@ -30,7 +30,7 @@ in { }; localFilesystem = mkOption { - description = lib.mdDoc "Local ZFS fileystem from which snapshots should be sent. Defaults to the attribute name."; + description = lib.mdDoc "Local ZFS filesystem from which snapshots should be sent. Defaults to the attribute name."; example = "pool/file/path"; type = types.str; }; diff --git a/nixos/modules/services/backup/znapzend.nix b/nixos/modules/services/backup/znapzend.nix index f8d741e3ad9af..76f147c18affa 100644 --- a/nixos/modules/services/backup/znapzend.nix +++ b/nixos/modules/services/backup/znapzend.nix @@ -9,7 +9,7 @@ let The znapzend backup plan to use for the source. The plan specifies how often to backup and for how long to keep the - backups. It consists of a series of retention periodes to interval + backups. It consists of a series of retention periods to interval associations: ``` @@ -268,7 +268,7 @@ let mkSrcAttrs = srcCfg: with srcCfg; { enabled = onOff enable; - # mbuffer is not referenced by its full path to accomodate non-NixOS systems or differing mbuffer versions between source and target + # mbuffer is not referenced by its full path to accommodate non-NixOS systems or differing mbuffer versions between source and target mbuffer = with mbuffer; if enable then "mbuffer" + optionalString (port != null) ":${toString port}" else "off"; mbuffer_size = mbuffer.size; @@ -372,7 +372,7 @@ in compressed feature which adds the options `-Lce` to the {command}`zfs send` command. When this is enabled, make sure that both the sending and receiving pool have the same relevant - features enabled. Using `-c` will skip unneccessary + features enabled. Using `-c` will skip unnecessary decompress-compress stages, `-L` is for large block support and -e is for embedded data support. see {manpage}`znapzend(1)` diff --git a/nixos/modules/services/blockchain/ethereum/erigon.nix b/nixos/modules/services/blockchain/ethereum/erigon.nix index 9ff7df0b15e56..8ebe0fcaff549 100644 --- a/nixos/modules/services/blockchain/ethereum/erigon.nix +++ b/nixos/modules/services/blockchain/ethereum/erigon.nix @@ -13,6 +13,12 @@ in { services.erigon = { enable = mkEnableOption (lib.mdDoc "Ethereum implementation on the efficiency frontier"); + extraArgs = mkOption { + type = types.listOf types.str; + description = lib.mdDoc "Additional arguments passed to Erigon"; + default = [ ]; + }; + secretJwtPath = mkOption { type = types.path; description = lib.mdDoc '' @@ -86,7 +92,7 @@ in { serviceConfig = { LoadCredential = "ERIGON_JWT:${cfg.secretJwtPath}"; - ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile} --authrpc.jwtsecret=%d/ERIGON_JWT"; + ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile} --authrpc.jwtsecret=%d/ERIGON_JWT ${lib.escapeShellArgs cfg.extraArgs}"; DynamicUser = true; Restart = "on-failure"; StateDirectory = "erigon"; diff --git a/nixos/modules/services/blockchain/ethereum/lighthouse.nix b/nixos/modules/services/blockchain/ethereum/lighthouse.nix index db72c62d33044..863e737d908ae 100644 --- a/nixos/modules/services/blockchain/ethereum/lighthouse.nix +++ b/nixos/modules/services/blockchain/ethereum/lighthouse.nix @@ -51,7 +51,7 @@ in { type = types.bool; default = false; description = lib.mdDoc '' - Explictly disables syncing of deposit logs from the execution node. + Explicitly disables syncing of deposit logs from the execution node. This overrides any previous option that depends on it. Useful if you intend to run a non-validating beacon node. ''; @@ -247,6 +247,7 @@ in { DynamicUser = true; Restart = "on-failure"; StateDirectory = "lighthouse-beacon"; + ReadWritePaths = [ cfg.beacon.dataDir ]; NoNewPrivileges = true; PrivateTmp = true; ProtectHome = true; @@ -279,7 +280,7 @@ in { ${pkgs.lighthouse}/bin/lighthouse validator_client \ --network ${cfg.network} \ --beacon-nodes ${lib.concatStringsSep "," cfg.validator.beaconNodes} \ - --datadir ${cfg.validator.dataDir}/${cfg.network} + --datadir ${cfg.validator.dataDir}/${cfg.network} \ ${optionalString cfg.validator.metrics.enable ''--metrics --metrics-address ${cfg.validator.metrics.address} --metrics-port ${toString cfg.validator.metrics.port}''} \ ${cfg.extraArgs} ${cfg.validator.extraArgs} ''; @@ -287,6 +288,7 @@ in { serviceConfig = { Restart = "on-failure"; StateDirectory = "lighthouse-validator"; + ReadWritePaths = [ cfg.validator.dataDir ]; CapabilityBoundingSet = ""; DynamicUser = true; NoNewPrivileges = true; diff --git a/nixos/modules/services/cluster/hadoop/hbase.nix b/nixos/modules/services/cluster/hadoop/hbase.nix index 237a1d428fe21..97951ebfe3343 100644 --- a/nixos/modules/services/cluster/hadoop/hbase.nix +++ b/nixos/modules/services/cluster/hadoop/hbase.nix @@ -141,9 +141,9 @@ in services.hadoop.hbaseSiteInternal."hbase.rootdir" = cfg.hbase.rootdir; - networking.firewall.allowedTCPPorts = (mkIf cfg.hbase.master.openFirewall [ + networking.firewall.allowedTCPPorts = mkIf cfg.hbase.master.openFirewall [ 16000 16010 - ]); + ]; }) @@ -168,9 +168,9 @@ in services.hadoop.hbaseSiteInternal."hbase.rootdir" = cfg.hbase.rootdir; networking = { - firewall.allowedTCPPorts = (mkIf cfg.hbase.regionServer.openFirewall [ + firewall.allowedTCPPorts = mkIf cfg.hbase.regionServer.openFirewall [ 16020 16030 - ]); + ]; hosts = mkIf cfg.hbase.regionServer.overrideHosts { "127.0.0.2" = mkForce [ ]; "::1" = mkForce [ ]; diff --git a/nixos/modules/services/cluster/kubernetes/addon-manager.nix b/nixos/modules/services/cluster/kubernetes/addon-manager.nix index d6b3428908b2a..7aa2a8323b1d7 100644 --- a/nixos/modules/services/cluster/kubernetes/addon-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/addon-manager.nix @@ -22,7 +22,7 @@ in bootstrapAddons = mkOption { description = lib.mdDoc '' - Bootstrap addons are like regular addons, but they are applied with cluster-admin rigths. + Bootstrap addons are like regular addons, but they are applied with cluster-admin rights. They are applied at addon-manager startup only. ''; default = { }; diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix index 0898fee9bdb71..3ede1cb80e85a 100644 --- a/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -171,7 +171,7 @@ in port = mkOption { description = lib.mdDoc "Kubernetes kubelet healthz port."; default = 10248; - type = int; + type = port; }; }; @@ -204,7 +204,7 @@ in port = mkOption { description = lib.mdDoc "Kubernetes kubelet info server listening port."; default = 10250; - type = int; + type = port; }; seedDockerImages = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix index d68267883e45f..26fe0f5e9e097 100644 --- a/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixos/modules/services/cluster/kubernetes/pki.nix @@ -323,7 +323,7 @@ in systemctl restart flannel ''} - echo "Node joined succesfully" + echo "Node joined successfully" '')]; # isolate etcd on loopback at the master node diff --git a/nixos/modules/services/cluster/kubernetes/scheduler.nix b/nixos/modules/services/cluster/kubernetes/scheduler.nix index 2eada43eb4ec1..f31a92f368400 100644 --- a/nixos/modules/services/cluster/kubernetes/scheduler.nix +++ b/nixos/modules/services/cluster/kubernetes/scheduler.nix @@ -43,7 +43,7 @@ in port = mkOption { description = lib.mdDoc "Kubernetes scheduler listening port."; default = 10251; - type = int; + type = port; }; verbosity = mkOption { diff --git a/nixos/modules/services/continuous-integration/buildbot/master.nix b/nixos/modules/services/continuous-integration/buildbot/master.nix index d9055149b77f6..5666199c48453 100644 --- a/nixos/modules/services/continuous-integration/buildbot/master.nix +++ b/nixos/modules/services/continuous-integration/buildbot/master.nix @@ -1,4 +1,4 @@ -# NixOS module for Buildbot continous integration server. +# NixOS module for Buildbot continuous integration server. { config, lib, options, pkgs, ... }: @@ -10,7 +10,7 @@ let python = cfg.package.pythonModule; - escapeStr = s: escape ["'"] s; + escapeStr = escape [ "'" ]; defaultMasterCfg = pkgs.writeText "master.cfg" '' from buildbot.plugins import * @@ -206,7 +206,7 @@ in { port = mkOption { default = 8010; - type = types.int; + type = types.port; description = lib.mdDoc "Specifies port number on which the buildbot HTTP interface listens."; }; @@ -245,9 +245,7 @@ in { description = "Buildbot User."; isNormalUser = true; createHome = true; - home = cfg.home; - group = cfg.group; - extraGroups = cfg.extraGroups; + inherit (cfg) home group extraGroups; useDefaultShell = true; }; }; diff --git a/nixos/modules/services/continuous-integration/github-runner/options.nix b/nixos/modules/services/continuous-integration/github-runner/options.nix index 796b5a7f1175f..72ac0c1299005 100644 --- a/nixos/modules/services/continuous-integration/github-runner/options.nix +++ b/nixos/modules/services/continuous-integration/github-runner/options.nix @@ -49,7 +49,7 @@ with lib; registration token on startup as needed. Make sure the PAT has a scope of `admin:org` for organization-wide registrations or a scope of `repo` for a single repository. Fine-grained PATs need read and write permission - to the "Adminstration" resources. + to the "Administration" resources. Changing this option or the file's content triggers a new runner registration. ''; diff --git a/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixos/modules/services/continuous-integration/gitlab-runner.nix index 2050e04d55cd5..7b1c4da862606 100644 --- a/nixos/modules/services/continuous-integration/gitlab-runner.nix +++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix @@ -141,7 +141,7 @@ in default = false; description = lib.mdDoc '' Finish all remaining jobs before stopping. - If not set gitlab-runner will stop immediatly without waiting + If not set gitlab-runner will stop immediately without waiting for jobs to finish, which will lead to failed builds. ''; }; diff --git a/nixos/modules/services/continuous-integration/gocd-server/default.nix b/nixos/modules/services/continuous-integration/gocd-server/default.nix index 25c16a5c721ce..bf7fd529bfca3 100644 --- a/nixos/modules/services/continuous-integration/gocd-server/default.nix +++ b/nixos/modules/services/continuous-integration/gocd-server/default.nix @@ -46,7 +46,7 @@ in { port = mkOption { default = 8153; - type = types.int; + type = types.port; description = lib.mdDoc '' Specifies port number on which the Go.CD server HTTP interface listens. ''; diff --git a/nixos/modules/services/continuous-integration/hail.nix b/nixos/modules/services/continuous-integration/hail.nix index 76d7356e24725..62e8b8077c079 100644 --- a/nixos/modules/services/continuous-integration/hail.nix +++ b/nixos/modules/services/continuous-integration/hail.nix @@ -15,8 +15,8 @@ in { default = false; description = lib.mdDoc '' Enables the Hail Auto Update Service. Hail can automatically deploy artifacts - built by a Hydra Continous Integration server. A common use case is to provide - continous deployment for single services or a full NixOS configuration.''; + built by a Hydra Continuous Integration server. A common use case is to provide + continuous deployment for single services or a full NixOS configuration.''; }; profile = mkOption { type = types.str; diff --git a/nixos/modules/services/continuous-integration/hydra/default.nix b/nixos/modules/services/continuous-integration/hydra/default.nix index 7114795750423..564bcd37dec5e 100644 --- a/nixos/modules/services/continuous-integration/hydra/default.nix +++ b/nixos/modules/services/continuous-integration/hydra/default.nix @@ -122,7 +122,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 3000; description = lib.mdDoc '' TCP port the web server should listen to. diff --git a/nixos/modules/services/databases/cassandra.nix b/nixos/modules/services/databases/cassandra.nix index 7556dbfc7b849..e26acb88d8c85 100644 --- a/nixos/modules/services/databases/cassandra.nix +++ b/nixos/modules/services/databases/cassandra.nix @@ -19,6 +19,10 @@ let cfg = config.services.cassandra; + atLeast3 = versionAtLeast cfg.package.version "3"; + atLeast3_11 = versionAtLeast cfg.package.version "3.11"; + atLeast4 = versionAtLeast cfg.package.version "4"; + defaultUser = "cassandra"; cassandraConfig = flip recursiveUpdate cfg.extraConfig ( @@ -39,7 +43,7 @@ let parameters = [{ seeds = concatStringsSep "," cfg.seedAddresses; }]; } ]; - } // optionalAttrs (versionAtLeast cfg.package.version "3") { + } // optionalAttrs atLeast3 { hints_directory = "${cfg.homeDir}/hints"; } ); @@ -62,7 +66,7 @@ let cassandraLogbackConfig = pkgs.writeText "logback.xml" cfg.logbackConfig; passAsFile = [ "extraEnvSh" ]; - inherit (cfg) extraEnvSh; + inherit (cfg) extraEnvSh package; buildCommand = '' mkdir -p "$out" @@ -80,6 +84,10 @@ let # Delete default password file sed -i '/-Dcom.sun.management.jmxremote.password.file=\/etc\/cassandra\/jmxremote.password/d' "$out/cassandra-env.sh" + + ${lib.optionalString atLeast4 '' + cp $package/conf/jvm*.options $out/ + ''} ''; }; @@ -95,8 +103,20 @@ let "-Dcom.sun.management.jmxremote.password.file=${cfg.jmxRolesFile}" ] ++ optionals cfg.remoteJmx [ "-Djava.rmi.server.hostname=${cfg.rpcAddress}" + ] ++ optionals atLeast4 [ + # Historically, we don't use a log dir, whereas the upstream scripts do + # expect this. We override those by providing our own -Xlog:gc flag. + "-Xlog:gc=warning,heap*=warning,age*=warning,safepoint=warning,promotion*=warning" ]; + commonEnv = { + # Sufficient for cassandra 2.x, 3.x + CASSANDRA_CONF = "${cassandraEtc}"; + + # Required since cassandra 4 + CASSANDRA_LOGBACK_CONF = "${cassandraEtc}/logback.xml"; + }; + in { options.services.cassandra = { @@ -435,7 +455,7 @@ in jmxRolesFile = mkOption { type = types.nullOr types.path; default = - if versionAtLeast cfg.package.version "3.11" + if atLeast3_11 then pkgs.writeText "jmx-roles-file" defaultJmxRolesFile else null; defaultText = literalMD ''generated configuration file if version is at least 3.11, otherwise `null`''; @@ -486,8 +506,7 @@ in systemd.services.cassandra = { description = "Apache Cassandra service"; after = [ "network.target" ]; - environment = { - CASSANDRA_CONF = "${cassandraEtc}"; + environment = commonEnv // { JVM_OPTS = builtins.concatStringsSep " " fullJvmOptions; MAX_HEAP_SIZE = toString cfg.maxHeapSize; HEAP_NEWSIZE = toString cfg.heapNewSize; @@ -508,6 +527,7 @@ in description = "Perform a full repair on this Cassandra node"; after = [ "cassandra.service" ]; requires = [ "cassandra.service" ]; + environment = commonEnv; serviceConfig = { User = cfg.user; Group = cfg.group; @@ -536,6 +556,7 @@ in description = "Perform an incremental repair on this cassandra node."; after = [ "cassandra.service" ]; requires = [ "cassandra.service" ]; + environment = commonEnv; serviceConfig = { User = cfg.user; Group = cfg.group; diff --git a/nixos/modules/services/databases/clickhouse.nix b/nixos/modules/services/databases/clickhouse.nix index 96607d9a783cc..04dd20b5f14d1 100644 --- a/nixos/modules/services/databases/clickhouse.nix +++ b/nixos/modules/services/databases/clickhouse.nix @@ -16,7 +16,7 @@ with lib; package = mkOption { type = types.package; default = pkgs.clickhouse; - defaultText = "pkgs.clickhouse"; + defaultText = lib.literalExpression "pkgs.clickhouse"; description = lib.mdDoc '' ClickHouse package to use. ''; diff --git a/nixos/modules/services/databases/couchdb.nix b/nixos/modules/services/databases/couchdb.nix index 16b82b867a3d1..cdf32654e6638 100644 --- a/nixos/modules/services/databases/couchdb.nix +++ b/nixos/modules/services/databases/couchdb.nix @@ -122,7 +122,7 @@ in { }; port = mkOption { - type = types.int; + type = types.port; default = 5984; description = lib.mdDoc '' Defined the port number to listen. diff --git a/nixos/modules/services/databases/firebird.nix b/nixos/modules/services/databases/firebird.nix index b2c4a5dd8f62a..4c2855345368b 100644 --- a/nixos/modules/services/databases/firebird.nix +++ b/nixos/modules/services/databases/firebird.nix @@ -14,7 +14,7 @@ # # Be careful, virtuoso-opensource also provides a different isql command ! -# There are at least two ways to run firebird. superserver has been choosen +# There are at least two ways to run firebird. superserver has been chosen # however there are no strong reasons to prefer this or the other one AFAIK # Eg superserver is said to be most efficiently using resources according to # http://www.firebirdsql.org/manual/qsg25-classic-or-super.html diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix index ec4524e9061db..128bb0862175d 100644 --- a/nixos/modules/services/databases/mysql.nix +++ b/nixos/modules/services/databases/mysql.nix @@ -160,10 +160,12 @@ in List of database names and their initial schemas that should be used to create databases on the first startup of MySQL. The schema attribute is optional: If not specified, an empty database is created. ''; - example = [ - { name = "foodatabase"; schema = literalExpression "./foodatabase.sql"; } - { name = "bardatabase"; } - ]; + example = literalExpression '' + [ + { name = "foodatabase"; schema = ./foodatabase.sql; } + { name = "bardatabase"; } + ] + ''; }; initialScript = mkOption { diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index 7a59de372f24b..cba3442023cb8 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -16,7 +16,7 @@ let # systemd/systemd#19604 description = '' LDAP value - either a string, or an attrset containing - <literal>path</literal> or <literal>base64</literal> for included + `path` or `base64` for included values or base-64 encoded values respectively. ''; check = x: lib.isString x || (lib.isAttrs x && (x ? path || x ? base64)); diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index e84116635a375..6665e7a088fc1 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -51,7 +51,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 5432; description = lib.mdDoc '' The port on which PostgreSQL listens. @@ -146,6 +146,7 @@ in Name of the user to ensure. ''; }; + ensurePermissions = mkOption { type = types.attrsOf types.str; default = {}; @@ -167,6 +168,154 @@ in } ''; }; + + ensureClauses = mkOption { + description = lib.mdDoc '' + An attrset of clauses to grant to the user. Under the hood this uses the + [ALTER USER syntax](https://www.postgresql.org/docs/current/sql-alteruser.html) for each attrName where + the attrValue is true in the attrSet: + `ALTER USER user.name WITH attrName` + ''; + example = literalExpression '' + { + superuser = true; + createrole = true; + createdb = true; + } + ''; + default = {}; + defaultText = lib.literalMD '' + The default, `null`, means that the user created will have the default permissions assigned by PostgreSQL. Subsequent server starts will not set or unset the clause, so imperative changes are preserved. + ''; + type = types.submodule { + options = let + defaultText = lib.literalMD '' + `null`: do not set. For newly created roles, use PostgreSQL's default. For existing roles, do not touch this clause. + ''; + in { + superuser = mkOption { + type = types.nullOr types.bool; + description = lib.mdDoc '' + Grants the user, created by the ensureUser attr, superuser permissions. From the postgres docs: + + A database superuser bypasses all permission checks, + except the right to log in. This is a dangerous privilege + and should not be used carelessly; it is best to do most + of your work as a role that is not a superuser. To create + a new database superuser, use CREATE ROLE name SUPERUSER. + You must do this as a role that is already a superuser. + + More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html) + ''; + default = null; + inherit defaultText; + }; + createrole = mkOption { + type = types.nullOr types.bool; + description = lib.mdDoc '' + Grants the user, created by the ensureUser attr, createrole permissions. From the postgres docs: + + A role must be explicitly given permission to create more + roles (except for superusers, since those bypass all + permission checks). To create such a role, use CREATE + ROLE name CREATEROLE. A role with CREATEROLE privilege + can alter and drop other roles, too, as well as grant or + revoke membership in them. However, to create, alter, + drop, or change membership of a superuser role, superuser + status is required; CREATEROLE is insufficient for that. + + More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html) + ''; + default = null; + inherit defaultText; + }; + createdb = mkOption { + type = types.nullOr types.bool; + description = lib.mdDoc '' + Grants the user, created by the ensureUser attr, createdb permissions. From the postgres docs: + + A role must be explicitly given permission to create + databases (except for superusers, since those bypass all + permission checks). To create such a role, use CREATE + ROLE name CREATEDB. + + More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html) + ''; + default = null; + inherit defaultText; + }; + "inherit" = mkOption { + type = types.nullOr types.bool; + description = lib.mdDoc '' + Grants the user created inherit permissions. From the postgres docs: + + A role is given permission to inherit the privileges of + roles it is a member of, by default. However, to create a + role without the permission, use CREATE ROLE name + NOINHERIT. + + More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html) + ''; + default = null; + inherit defaultText; + }; + login = mkOption { + type = types.nullOr types.bool; + description = lib.mdDoc '' + Grants the user, created by the ensureUser attr, login permissions. From the postgres docs: + + Only roles that have the LOGIN attribute can be used as + the initial role name for a database connection. A role + with the LOGIN attribute can be considered the same as a + “database user”. To create a role with login privilege, + use either: + + CREATE ROLE name LOGIN; CREATE USER name; + + (CREATE USER is equivalent to CREATE ROLE except that + CREATE USER includes LOGIN by default, while CREATE ROLE + does not.) + + More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html) + ''; + default = null; + inherit defaultText; + }; + replication = mkOption { + type = types.nullOr types.bool; + description = lib.mdDoc '' + Grants the user, created by the ensureUser attr, replication permissions. From the postgres docs: + + A role must explicitly be given permission to initiate + streaming replication (except for superusers, since those + bypass all permission checks). A role used for streaming + replication must have LOGIN permission as well. To create + such a role, use CREATE ROLE name REPLICATION LOGIN. + + More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html) + ''; + default = null; + inherit defaultText; + }; + bypassrls = mkOption { + type = types.nullOr types.bool; + description = lib.mdDoc '' + Grants the user, created by the ensureUser attr, replication permissions. From the postgres docs: + + A role must be explicitly given permission to bypass + every row-level security (RLS) policy (except for + superusers, since those bypass all permission checks). To + create such a role, use CREATE ROLE name BYPASSRLS as a + superuser. + + More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html) + ''; + default = null; + inherit defaultText; + }; + }; + }; + }; }; }); default = []; @@ -380,12 +529,29 @@ in $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}"' '') cfg.ensureDatabases} '' + '' - ${concatMapStrings (user: '' - $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"' - ${concatStringsSep "\n" (mapAttrsToList (database: permission: '' - $PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"' - '') user.ensurePermissions)} - '') cfg.ensureUsers} + ${ + concatMapStrings + (user: + let + userPermissions = concatStringsSep "\n" + (mapAttrsToList + (database: permission: ''$PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"' '') + user.ensurePermissions + ); + + filteredClauses = filterAttrs (name: value: value != null) user.ensureClauses; + + clauseSqlStatements = attrValues (mapAttrs (n: v: if v then n else "no${n}") filteredClauses); + + userClauses = ''$PSQL -tAc 'ALTER ROLE "${user.name}" ${concatStringsSep " " clauseSqlStatements}' ''; + in '' + $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"' + ${userPermissions} + ${userClauses} + '' + ) + cfg.ensureUsers + } ''; serviceConfig = mkMerge [ diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 1f143f9c66f6d..1464f4487e39d 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -67,7 +67,7 @@ in { ''); servers = mkOption { - type = with types; attrsOf (submodule ({config, name, ...}@args: { + type = with types; attrsOf (submodule ({ config, name, ... }: { options = { enable = mkEnableOption (lib.mdDoc '' Redis server. @@ -271,14 +271,11 @@ in { }; config.settings = mkMerge [ { - port = config.port; + inherit (config) port logfile databases maxclients appendOnly; daemonize = false; supervised = "systemd"; loglevel = config.logLevel; - logfile = config.logfile; syslog-enabled = config.syslog; - databases = config.databases; - maxclients = config.maxclients; save = if config.save == [] then ''""'' # Disable saving with `save = ""` else map @@ -286,12 +283,11 @@ in { config.save; dbfilename = "dump.rdb"; dir = "/var/lib/${redisName name}"; - appendOnly = config.appendOnly; appendfsync = config.appendFsync; slowlog-log-slower-than = config.slowLogLogSlowerThan; slowlog-max-len = config.slowLogMaxLen; } - (mkIf (config.bind != null) { bind = config.bind; }) + (mkIf (config.bind != null) { inherit (config) bind; }) (mkIf (config.unixSocket != null) { unixsocket = config.unixSocket; unixsocketperm = toString config.unixSocketPerm; @@ -361,8 +357,10 @@ in { fi echo 'include "${redisConfStore}"' > "${redisConfRun}" ${optionalString (conf.requirePassFile != null) '' - {echo -n "requirepass " - cat ${escapeShellArg conf.requirePassFile}} >> "${redisConfRun}" + { + echo -n "requirepass " + cat ${escapeShellArg conf.requirePassFile} + } >> "${redisConfRun}" ''} ''); Type = "notify"; diff --git a/nixos/modules/services/databases/surrealdb.nix b/nixos/modules/services/databases/surrealdb.nix new file mode 100644 index 0000000000000..050a5336cb4c6 --- /dev/null +++ b/nixos/modules/services/databases/surrealdb.nix @@ -0,0 +1,113 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + + cfg = config.services.surrealdb; +in { + + options = { + services.surrealdb = { + enable = mkEnableOption (lib.mdDoc "A scalable, distributed, collaborative, document-graph database, for the realtime web "); + + package = mkOption { + default = pkgs.surrealdb; + defaultText = literalExpression "pkgs.surrealdb"; + type = types.package; + description = lib.mdDoc '' + Which surrealdb derivation to use. + ''; + }; + + dbPath = mkOption { + type = types.str; + description = lib.mdDoc '' + The path that surrealdb will write data to. Use null for in-memory. + Can be one of "memory", "file://:path", "tikv://:addr". + ''; + default = "file:///var/lib/surrealdb/"; + example = "memory"; + }; + + host = mkOption { + type = types.str; + description = lib.mdDoc '' + The host that surrealdb will connect to. + ''; + default = "127.0.0.1"; + example = "127.0.0.1"; + }; + + port = mkOption { + type = types.port; + description = lib.mdDoc '' + The port that surrealdb will connect to. + ''; + default = 8000; + example = 8000; + }; + + userNamePath = mkOption { + type = types.path; + description = lib.mdDoc '' + Path to read the username from. + ''; + }; + + passwordPath = mkOption { + type = types.path; + description = lib.mdDoc '' + Path to read the password from. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + + # Used to connect to the running service + environment.systemPackages = [ cfg.package ] ; + + systemd.services.surrealdb = { + description = "A scalable, distributed, collaborative, document-graph database, for the realtime web "; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + script = '' + ${cfg.package}/bin/surreal start \ + --user $(${pkgs.systemd}/bin/systemd-creds cat SURREALDB_USERNAME) \ + --pass $(${pkgs.systemd}/bin/systemd-creds cat SURREALDB_PASSWORD) \ + --bind ${cfg.host}:${toString cfg.port} \ + -- ${cfg.dbPath} + ''; + serviceConfig = { + LoadCredential = [ + "SURREALDB_USERNAME:${cfg.userNamePath}" + "SURREALDB_PASSWORD:${cfg.passwordPath}" + ]; + + DynamicUser = true; + Restart = "on-failure"; + StateDirectory = "surrealdb"; + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + PrivateTmp = true; + ProtectHome = true; + ProtectClock = true; + ProtectProc = "noaccess"; + ProcSubset = "pid"; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + ProtectHostname = true; + RestrictSUIDSGID = true; + RestrictRealtime = true; + RestrictNamespaces = true; + LockPersonality = true; + RemoveIPC = true; + SystemCallFilter = [ "@system-service" "~@privileged" ]; + }; + }; + }; +} diff --git a/nixos/modules/services/desktops/gnome/at-spi2-core.nix b/nixos/modules/services/desktops/gnome/at-spi2-core.nix index 495ea5af9879d..10a2f1f9eca0d 100644 --- a/nixos/modules/services/desktops/gnome/at-spi2-core.nix +++ b/nixos/modules/services/desktops/gnome/at-spi2-core.nix @@ -51,7 +51,10 @@ with lib; }) (mkIf (!config.services.gnome.at-spi2-core.enable) { - environment.variables.NO_AT_BRIDGE = "1"; + environment.variables = { + NO_AT_BRIDGE = "1"; + GTK_A11Y = "none"; + }; }) ]; } diff --git a/nixos/modules/services/desktops/pipewire/wireplumber.nix b/nixos/modules/services/desktops/pipewire/wireplumber.nix index 32490773b5e9e..4b36b99aa7c1e 100644 --- a/nixos/modules/services/desktops/pipewire/wireplumber.nix +++ b/nixos/modules/services/desktops/pipewire/wireplumber.nix @@ -32,6 +32,10 @@ in assertion = !config.services.pipewire.media-session.enable; message = "WirePlumber and pipewire-media-session can't be enabled at the same time."; } + { + assertion = !config.hardware.bluetooth.hsphfpd.enable; + message = "Using Wireplumber conflicts with hsphfpd, as it provides the same functionality. `hardware.bluetooth.hsphfpd.enable` needs be set to false"; + } ]; environment.systemPackages = [ cfg.package ]; diff --git a/nixos/modules/services/development/jupyter/default.nix b/nixos/modules/services/development/jupyter/default.nix index 9b0178d3ea682..9f79108444685 100644 --- a/nixos/modules/services/development/jupyter/default.nix +++ b/nixos/modules/services/development/jupyter/default.nix @@ -57,7 +57,7 @@ in { }; port = mkOption { - type = types.int; + type = types.port; default = 8888; description = lib.mdDoc '' Port number Jupyter will be listening on. @@ -119,7 +119,7 @@ in { kernels = mkOption { type = types.nullOr (types.attrsOf(types.submodule (import ./kernel-options.nix { - inherit lib; + inherit lib pkgs; }))); default = null; diff --git a/nixos/modules/services/development/jupyter/kernel-options.nix b/nixos/modules/services/development/jupyter/kernel-options.nix index 42af47aeb3c82..6e406152de472 100644 --- a/nixos/modules/services/development/jupyter/kernel-options.nix +++ b/nixos/modules/services/development/jupyter/kernel-options.nix @@ -1,9 +1,11 @@ # Options that can be used for creating a jupyter kernel. -{lib }: +{ lib, pkgs }: with lib; { + freeformType = (pkgs.formats.json { }).type; + options = { displayName = mkOption { @@ -40,6 +42,15 @@ with lib; ''; }; + env = mkOption { + type = types.attrsOf types.str; + default = { }; + example = { OMP_NUM_THREADS = "1"; }; + description = lib.mdDoc '' + Environment variables to set for the kernel. + ''; + }; + logo32 = mkOption { type = types.nullOr types.path; default = null; diff --git a/nixos/modules/services/development/jupyterhub/default.nix b/nixos/modules/services/development/jupyterhub/default.nix index c0c0734cac098..cebc35a504760 100644 --- a/nixos/modules/services/development/jupyterhub/default.nix +++ b/nixos/modules/services/development/jupyterhub/default.nix @@ -119,7 +119,7 @@ in { kernels = mkOption { type = types.nullOr (types.attrsOf(types.submodule (import ../jupyter/kernel-options.nix { - inherit lib; + inherit lib pkgs; }))); default = null; diff --git a/nixos/modules/services/display-managers/greetd.nix b/nixos/modules/services/display-managers/greetd.nix index fa3f8fdf4f1db..3a0f59f62afbd 100644 --- a/nixos/modules/services/display-managers/greetd.nix +++ b/nixos/modules/services/display-managers/greetd.nix @@ -45,7 +45,7 @@ in default = !(cfg.settings ? initial_session); defaultText = literalExpression "!(config.services.greetd.settings ? initial_session)"; description = lib.mdDoc '' - Wether to restart greetd when it terminates (e.g. on failure). + Whether to restart greetd when it terminates (e.g. on failure). This is usually desirable so a user can always log in, but should be disabled when using 'settings.initial_session' (autologin), because every greetd restart will trigger the autologin again. ''; @@ -89,6 +89,8 @@ in SendSIGHUP = true; TimeoutStopSec = "30s"; KeyringMode = "shared"; + + Type = "idle"; }; # Don't kill a user session when using nixos-rebuild diff --git a/nixos/modules/services/games/asf.nix b/nixos/modules/services/games/asf.nix index 10847e8f11f39..7585d56b2d78f 100644 --- a/nixos/modules/services/games/asf.nix +++ b/nixos/modules/services/games/asf.nix @@ -35,7 +35,7 @@ in description = lib.mdDoc '' If enabled, starts the ArchisSteamFarm service. For configuring the SteamGuard token you will need to use the web-ui, which is enabled by default over on 127.0.0.1:1242. - You cannot configure ASF in any way outside of nix, since all the config files get wiped on restart and replaced with the programatically set ones by nix. + You cannot configure ASF in any way outside of nix, since all the config files get wiped on restart and replaced with the programnatically set ones by nix. ''; default = false; }; @@ -43,12 +43,14 @@ in web-ui = mkOption { type = types.submodule { options = { - enable = mkEnableOption - (lib.mdDoc "Wheter to start the web-ui. This is the preferred way of configuring things such as the steam guard token"); + enable = mkEnableOption "" // { + description = lib.mdDoc "Whether to start the web-ui. This is the preferred way of configuring things such as the steam guard token."; + }; package = mkOption { type = types.package; default = pkgs.ArchiSteamFarm.ui; + defaultText = lib.literalExpression "pkgs.ArchiSteamFarm.ui"; description = lib.mdDoc "Web-UI package to use. Contents must be in lib/dist."; }; @@ -56,7 +58,6 @@ in }; default = { enable = true; - package = pkgs.ArchiSteamFarm.ui; }; example = { enable = false; @@ -67,6 +68,7 @@ in package = mkOption { type = types.package; default = pkgs.ArchiSteamFarm; + defaultText = lib.literalExpression "pkgs.ArchiSteamFarm"; description = lib.mdDoc "Package to use. Should always be the latest version, for security reasons, since this module uses very new features and to not get out of sync with the Steam API."; }; @@ -96,7 +98,7 @@ in ipcPasswordFile = mkOption { type = types.nullOr types.path; default = null; - description = lib.mdDoc "Path to a file containig the password. The file must be readable by the `asf` user/group."; + description = lib.mdDoc "Path to a file containing the password. The file must be readable by the `asf` user/group."; }; ipcSettings = mkOption { @@ -127,7 +129,7 @@ in }; passwordFile = mkOption { type = types.path; - description = lib.mdDoc "Path to a file containig the password. The file must be readable by the `asf` user/group."; + description = lib.mdDoc "Path to a file containing the password. The file must be readable by the `asf` user/group."; }; enabled = mkOption { type = types.bool; diff --git a/nixos/modules/services/games/crossfire-server.nix b/nixos/modules/services/games/crossfire-server.nix index 7820a08be40b2..0849667e61c9f 100644 --- a/nixos/modules/services/games/crossfire-server.nix +++ b/nixos/modules/services/games/crossfire-server.nix @@ -131,9 +131,9 @@ in { exp_table = ""; forbid = ""; metaserver2 = ""; - motd = (fileContents "${cfg.package}/etc/crossfire/motd"); - news = (fileContents "${cfg.package}/etc/crossfire/news"); - rules = (fileContents "${cfg.package}/etc/crossfire/rules"); + motd = fileContents "${cfg.package}/etc/crossfire/motd"; + news = fileContents "${cfg.package}/etc/crossfire/news"; + rules = fileContents "${cfg.package}/etc/crossfire/rules"; settings = ""; stat_bonus = ""; } // cfg.configFiles); diff --git a/nixos/modules/services/games/factorio.nix b/nixos/modules/services/games/factorio.nix index f54c265c34b04..9b15cac149d59 100644 --- a/nixos/modules/services/games/factorio.nix +++ b/nixos/modules/services/games/factorio.nix @@ -39,14 +39,14 @@ let } // cfg.extraSettings; serverSettingsFile = pkgs.writeText "server-settings.json" (builtins.toJSON (filterAttrsRecursive (n: v: v != null) serverSettings)); serverAdminsFile = pkgs.writeText "server-adminlist.json" (builtins.toJSON cfg.admins); - modDir = pkgs.factorio-utils.mkModDirDrv cfg.mods; + modDir = pkgs.factorio-utils.mkModDirDrv cfg.mods cfg.mods-dat; in { options = { services.factorio = { enable = mkEnableOption (lib.mdDoc name); port = mkOption { - type = types.int; + type = types.port; default = 34197; description = lib.mdDoc '' The port to which the service should bind. @@ -136,6 +136,15 @@ in derivations via nixos-channel. Until then, this is for experts only. ''; }; + mods-dat = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc '' + Mods settings can be changed by specifying a dat file, in the [mod + settings file + format](https://wiki.factorio.com/Mod_settings_file_format). + ''; + }; game-name = mkOption { type = types.nullOr types.str; default = "Factorio Game"; diff --git a/nixos/modules/services/games/minetest-server.nix b/nixos/modules/services/games/minetest-server.nix index 34e0ba8c8e5ce..e8c96881673b5 100644 --- a/nixos/modules/services/games/minetest-server.nix +++ b/nixos/modules/services/games/minetest-server.nix @@ -62,7 +62,7 @@ in Path to logfile for logging. If set to null, logging will be output to stdout which means - all output will be catched by systemd. + all output will be caught by systemd. ''; }; diff --git a/nixos/modules/services/games/terraria.nix b/nixos/modules/services/games/terraria.nix index 571bcde2c5b20..ccdd779165b88 100644 --- a/nixos/modules/services/games/terraria.nix +++ b/nixos/modules/services/games/terraria.nix @@ -116,7 +116,7 @@ in openFirewall = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Wheter to open ports in the firewall"; + description = lib.mdDoc "Whether to open ports in the firewall"; }; dataDir = mkOption { diff --git a/nixos/modules/services/hardware/argonone.nix b/nixos/modules/services/hardware/argonone.nix index dc90e09e985bb..e67c2625062e0 100644 --- a/nixos/modules/services/hardware/argonone.nix +++ b/nixos/modules/services/hardware/argonone.nix @@ -9,7 +9,7 @@ in package = lib.mkOption { type = lib.types.package; default = pkgs.argononed; - defaultText = "pkgs.argononed"; + defaultText = lib.literalExpression "pkgs.argononed"; description = lib.mdDoc '' The package implementing the Argon One driver ''; diff --git a/nixos/modules/services/hardware/asusd.nix b/nixos/modules/services/hardware/asusd.nix new file mode 100644 index 0000000000000..fba9b059bbbb7 --- /dev/null +++ b/nixos/modules/services/hardware/asusd.nix @@ -0,0 +1,114 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.asusd; + json = pkgs.formats.json { }; + toml = pkgs.formats.toml { }; +in +{ + options = { + services.asusd = { + enable = lib.mkEnableOption (lib.mdDoc "the asusd service for ASUS ROG laptops"); + + enableUserService = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc '' + Activate the asusd-user service. + ''; + }; + + animeConfig = lib.mkOption { + type = json.type; + default = { }; + description = lib.mdDoc '' + The content of /etc/asusd/anime.conf. + See https://asus-linux.org/asusctl/#anime-control. + ''; + }; + + asusdConfig = lib.mkOption { + type = json.type; + default = { }; + description = lib.mdDoc '' + The content of /etc/asusd/asusd.conf. + See https://asus-linux.org/asusctl/. + ''; + }; + + auraConfig = lib.mkOption { + type = json.type; + default = { }; + description = lib.mdDoc '' + The content of /etc/asusd/aura.conf. + See https://asus-linux.org/asusctl/#led-keyboard-control. + ''; + }; + + profileConfig = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = ""; + description = lib.mdDoc '' + The content of /etc/asusd/profile.conf. + See https://asus-linux.org/asusctl/#profiles. + ''; + }; + + ledModesConfig = lib.mkOption { + type = lib.types.nullOr toml.type; + default = null; + description = lib.mdDoc '' + The content of /etc/asusd/asusd-ledmodes.toml. Leave `null` to use default settings. + See https://asus-linux.org/asusctl/#led-keyboard-control. + ''; + }; + + userLedModesConfig = lib.mkOption { + type = lib.types.nullOr toml.type; + default = null; + description = lib.mdDoc '' + The content of /etc/asusd/asusd-user-ledmodes.toml. + See https://asus-linux.org/asusctl/#led-keyboard-control. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + environment.systemPackages = [ pkgs.asusctl ]; + + environment.etc = + let + maybeConfig = name: cfg: lib.mkIf (cfg != { }) { + source = json.generate name cfg; + mode = "0644"; + }; + in + { + "asusd/anime.conf" = maybeConfig "anime.conf" cfg.animeConfig; + "asusd/asusd.conf" = maybeConfig "asusd.conf" cfg.asusdConfig; + "asusd/aura.conf" = maybeConfig "aura.conf" cfg.auraConfig; + "asusd/profile.conf" = lib.mkIf (cfg.profileConfig != null) { + source = pkgs.writeText "profile.conf" cfg.profileConfig; + mode = "0644"; + }; + "asusd/asusd-ledmodes.toml" = { + source = + if cfg.ledModesConfig == null + then "${pkgs.asusctl}/share/asusd/data/asusd-ledmodes.toml" + else toml.generate "asusd-ledmodes.toml" cfg.ledModesConfig; + mode = "0644"; + }; + }; + + services.dbus.enable = true; + systemd.packages = [ pkgs.asusctl ]; + services.dbus.packages = [ pkgs.asusctl ]; + services.udev.packages = [ pkgs.asusctl ]; + services.supergfxd.enable = lib.mkDefault true; + + systemd.user.services.asusd-user.enable = cfg.enableUserService; + }; + + meta.maintainers = pkgs.asusctl.meta.maintainers; +} diff --git a/nixos/modules/services/hardware/bluetooth.nix b/nixos/modules/services/hardware/bluetooth.nix index 8b90c1913bc51..6453e6968dccb 100644 --- a/nixos/modules/services/hardware/bluetooth.nix +++ b/nixos/modules/services/hardware/bluetooth.nix @@ -50,14 +50,8 @@ in type = types.package; default = pkgs.bluez; defaultText = literalExpression "pkgs.bluez"; - example = literalExpression "pkgs.bluezFull"; description = lib.mdDoc '' Which BlueZ package to use. - - ::: {.note} - Use the `pkgs.bluezFull` package to enable all - bluez plugins. - ::: ''; }; diff --git a/nixos/modules/services/hardware/fwupd.nix b/nixos/modules/services/hardware/fwupd.nix index 98f837bd78245..8d7651f97c390 100644 --- a/nixos/modules/services/hardware/fwupd.nix +++ b/nixos/modules/services/hardware/fwupd.nix @@ -7,13 +7,16 @@ with lib; let cfg = config.services.fwupd; + format = pkgs.formats.ini { + listToValue = l: lib.concatStringsSep ";" (map (s: generators.mkValueStringDefault {} s) l); + mkKeyValue = generators.mkKeyValueDefault {} "="; + }; + customEtc = { "fwupd/daemon.conf" = { - source = pkgs.writeText "daemon.conf" '' - [fwupd] - DisabledDevices=${lib.concatStringsSep ";" cfg.disabledDevices} - DisabledPlugins=${lib.concatStringsSep ";" cfg.disabledPlugins} - ''; + source = format.generate "daemon.conf" { + fwupd = cfg.daemonSettings; + }; }; "fwupd/uefi_capsule.conf" = { source = pkgs.writeText "uefi_capsule.conf" '' @@ -67,24 +70,6 @@ in { ''; }; - disabledDevices = mkOption { - type = types.listOf types.str; - default = []; - example = [ "2082b5e0-7a64-478a-b1b2-e3404fab6dad" ]; - description = lib.mdDoc '' - Allow disabling specific devices by their GUID - ''; - }; - - disabledPlugins = mkOption { - type = types.listOf types.str; - default = []; - example = [ "udev" ]; - description = lib.mdDoc '' - Allow disabling specific plugins - ''; - }; - extraTrustedKeys = mkOption { type = types.listOf types.path; default = []; @@ -120,18 +105,49 @@ in { Which fwupd package to use. ''; }; + + daemonSettings = mkOption { + type = types.submodule { + freeformType = format.type.nestedTypes.elemType; + options = { + DisabledDevices = mkOption { + type = types.listOf types.str; + default = []; + example = [ "2082b5e0-7a64-478a-b1b2-e3404fab6dad" ]; + description = lib.mdDoc '' + List of device GUIDs to be disabled. + ''; + }; + + DisabledPlugins = mkOption { + type = types.listOf types.str; + default = []; + example = [ "udev" ]; + description = lib.mdDoc '' + List of plugins to be disabled. + ''; + }; + }; + }; + default = {}; + description = lib.mdDoc '' + Configurations for the fwupd daemon. + ''; + }; }; }; imports = [ - (mkRenamedOptionModule [ "services" "fwupd" "blacklistDevices"] [ "services" "fwupd" "disabledDevices" ]) - (mkRenamedOptionModule [ "services" "fwupd" "blacklistPlugins"] [ "services" "fwupd" "disabledPlugins" ]) + (mkRenamedOptionModule [ "services" "fwupd" "blacklistDevices"] [ "services" "fwupd" "daemonSettings" "DisabledDevices" ]) + (mkRenamedOptionModule [ "services" "fwupd" "blacklistPlugins"] [ "services" "fwupd" "daemonSettings" "DisabledPlugins" ]) + (mkRenamedOptionModule [ "services" "fwupd" "disabledDevices" ] [ "services" "fwupd" "daemonSettings" "DisabledDevices" ]) + (mkRenamedOptionModule [ "services" "fwupd" "disabledPlugins" ] [ "services" "fwupd" "daemonSettings" "DisabledPlugins" ]) ]; ###### implementation config = mkIf cfg.enable { # Disable test related plug-ins implicitly so that users do not have to care about them. - services.fwupd.disabledPlugins = cfg.package.defaultDisabledPlugins; + services.fwupd.daemonSettings.DisabledPlugins = cfg.package.defaultDisabledPlugins; environment.systemPackages = [ cfg.package ]; diff --git a/nixos/modules/services/hardware/joycond.nix b/nixos/modules/services/hardware/joycond.nix index f4da00762a438..1af18b3b63d37 100644 --- a/nixos/modules/services/hardware/joycond.nix +++ b/nixos/modules/services/hardware/joycond.nix @@ -14,7 +14,7 @@ with lib; package = mkOption { type = types.package; default = pkgs.joycond; - defaultText = "pkgs.joycond"; + defaultText = lib.literalExpression "pkgs.joycond"; description = lib.mdDoc '' The joycond package to use. ''; diff --git a/nixos/modules/services/hardware/lirc.nix b/nixos/modules/services/hardware/lirc.nix index acc43cd4186bd..5b1a8d10c7299 100644 --- a/nixos/modules/services/hardware/lirc.nix +++ b/nixos/modules/services/hardware/lirc.nix @@ -19,7 +19,7 @@ in { [lircd] nodaemon = False ''; - description = lib.mdDoc "LIRC default options descriped in man:lircd(8) ({file}`lirc_options.conf`)"; + description = lib.mdDoc "LIRC default options described in man:lircd(8) ({file}`lirc_options.conf`)"; }; configs = mkOption { diff --git a/nixos/modules/services/hardware/sane.nix b/nixos/modules/services/hardware/sane.nix index dd5c65b1f6a64..2cac2e8e8bb47 100644 --- a/nixos/modules/services/hardware/sane.nix +++ b/nixos/modules/services/hardware/sane.nix @@ -28,7 +28,7 @@ let }; env = { - SANE_CONFIG_DIR = "/etc/sane.d"; + SANE_CONFIG_DIR = "/etc/sane-config"; LD_LIBRARY_PATH = [ "/etc/sane-libs" ]; }; @@ -126,13 +126,22 @@ in ''; }; + hardware.sane.openFirewall = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Open ports needed for discovery of scanners on the local network, e.g. + needed for Canon scanners (BJNP protocol). + ''; + }; + services.saned.enable = mkOption { type = types.bool; default = false; description = lib.mdDoc '' Enable saned network daemon for remote connection to scanners. - saned would be runned from `scanner` user; to allow + saned would be run from `scanner` user; to allow access to hardware that doesn't have `scanner` group you should add needed groups to this user. ''; @@ -158,11 +167,12 @@ in environment.systemPackages = backends; environment.sessionVariables = env; - environment.etc."sane.d".source = config.hardware.sane.configDir; + environment.etc."sane-config".source = config.hardware.sane.configDir; environment.etc."sane-libs".source = "${saneConfig}/lib/sane"; services.udev.packages = backends; users.groups.scanner.gid = config.ids.gids.scanner; + networking.firewall.allowedUDPPorts = mkIf config.hardware.sane.openFirewall [ 8612 ]; }) (mkIf config.services.saned.enable { diff --git a/nixos/modules/services/hardware/supergfxd.nix b/nixos/modules/services/hardware/supergfxd.nix new file mode 100644 index 0000000000000..df339e4ba011f --- /dev/null +++ b/nixos/modules/services/hardware/supergfxd.nix @@ -0,0 +1,41 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.supergfxd; + json = pkgs.formats.json { }; +in +{ + options = { + services.supergfxd = { + enable = lib.mkEnableOption (lib.mdDoc "Enable the supergfxd service"); + + settings = lib.mkOption { + type = lib.types.nullOr json.type; + default = null; + description = lib.mdDoc '' + The content of /etc/supergfxd.conf. + See https://gitlab.com/asus-linux/supergfxctl/#config-options-etcsupergfxdconf. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + environment.systemPackages = [ pkgs.supergfxctl ]; + + environment.etc."supergfxd.conf" = lib.mkIf (cfg.settings != null) { + source = json.generate "supergfxd.conf" cfg.settings; + mode = "0644"; + }; + + services.dbus.enable = true; + + systemd.packages = [ pkgs.supergfxctl ]; + systemd.services.supergfxd.wantedBy = [ "multi-user.target" ]; + + services.dbus.packages = [ pkgs.supergfxctl ]; + services.udev.packages = [ pkgs.supergfxctl ]; + }; + + meta.maintainers = pkgs.supergfxctl.meta.maintainers; +} diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix index 7a7f8330243a2..d95261332419d 100644 --- a/nixos/modules/services/hardware/udev.nix +++ b/nixos/modules/services/hardware/udev.nix @@ -46,6 +46,11 @@ let SUBSYSTEM=="input", KERNEL=="mice", TAG+="systemd" ''; + nixosInitrdRules = '' + # Mark dm devices as db_persist so that they are kept active after switching root + SUBSYSTEM=="block", KERNEL=="dm-[0-9]*", ACTION=="add|change", OPTIONS+="db_persist" + ''; + # Perform substitutions in all udev rules files. udevRulesFor = { name, udevPackages, udevPath, udev, systemd, binPackages, initrdBin ? null }: pkgs.runCommand name { preferLocalBuild = true; @@ -364,8 +369,10 @@ in EOF ''; + boot.initrd.services.udev.rules = nixosInitrdRules; + boot.initrd.systemd.additionalUpstreamUnits = [ - # TODO: "initrd-udevadm-cleanup-db.service" is commented out because of https://github.com/systemd/systemd/issues/12953 + "initrd-udevadm-cleanup-db.service" "systemd-udevd-control.socket" "systemd-udevd-kernel.socket" "systemd-udevd.service" diff --git a/nixos/modules/services/hardware/usbmuxd.nix b/nixos/modules/services/hardware/usbmuxd.nix index b4c954906dd3a..9466ea26995b8 100644 --- a/nixos/modules/services/hardware/usbmuxd.nix +++ b/nixos/modules/services/hardware/usbmuxd.nix @@ -13,6 +13,7 @@ in { options.services.usbmuxd = { + enable = mkOption { type = types.bool; default = false; @@ -39,6 +40,15 @@ in The group usbmuxd should use to run after startup. ''; }; + + package = mkOption { + type = types.package; + default = pkgs.usbmuxd; + defaultText = literalExpression "pkgs.usbmuxd"; + description = lib.mdDoc "Which package to use for the usbmuxd daemon."; + relatedPackages = [ "usbmuxd" "usbmuxd2" ]; + }; + }; config = mkIf cfg.enable { @@ -68,7 +78,7 @@ in # Trigger the udev rule manually. This doesn't require replugging the # device when first enabling the option to get it to work ExecStartPre = "${pkgs.udev}/bin/udevadm trigger -s usb -a idVendor=${apple}"; - ExecStart = "${pkgs.usbmuxd}/bin/usbmuxd -U ${cfg.user} -f"; + ExecStart = "${cfg.package}/bin/usbmuxd -U ${cfg.user} -v"; }; }; diff --git a/nixos/modules/services/home-automation/evcc.nix b/nixos/modules/services/home-automation/evcc.nix new file mode 100644 index 0000000000000..efa2cf2443139 --- /dev/null +++ b/nixos/modules/services/home-automation/evcc.nix @@ -0,0 +1,96 @@ +{ lib +, pkgs +, config +, ... +}: + +with lib; + +let + cfg = config.services.evcc; + + format = pkgs.formats.yaml {}; + configFile = format.generate "evcc.yml" cfg.settings; + + package = pkgs.evcc; +in + +{ + meta.maintainers = with lib.maintainers; [ hexa ]; + + options.services.evcc = with types; { + enable = mkEnableOption (lib.mdDoc "EVCC, the extensible EV Charge Controller with PV integration"); + + extraArgs = mkOption { + type = listOf str; + default = []; + description = lib.mdDoc '' + Extra arguments to pass to the evcc executable. + ''; + }; + + settings = mkOption { + type = format.type; + description = lib.mdDoc '' + evcc configuration as a Nix attribute set. + + Check for possible options in the sample [evcc.dist.yaml](https://github.com/andig/evcc/blob/${package.version}/evcc.dist.yaml]. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.evcc = { + after = [ + "network-online.target" + "mosquitto.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + environment.HOME = "/var/lib/evcc"; + path = with pkgs; [ + glibc # requires getent + ]; + serviceConfig = { + ExecStart = "${package}/bin/evcc --config ${configFile} ${escapeShellArgs cfg.extraArgs}"; + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ + "char-ttyUSB" + ]; + DevicePolicy = "closed"; + DynamicUser = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups= true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + StateDirectory = "evcc"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; + User = "evcc"; + }; + }; + }; + + meta.buildDocsInSandbox = false; +} diff --git a/nixos/modules/services/home-automation/home-assistant.nix b/nixos/modules/services/home-automation/home-assistant.nix index 2962e52c08bba..fa06e5391bbfe 100644 --- a/nixos/modules/services/home-automation/home-assistant.nix +++ b/nixos/modules/services/home-automation/home-assistant.nix @@ -435,6 +435,7 @@ in { "august" "august_ble" "airthings_ble" + "aranet" "bluemaestro" "bluetooth" "bluetooth_le_tracker" @@ -453,8 +454,11 @@ in { "moat" "oralb" "qingping" + "ruuvitag_ble" + "sensirion_ble" "sensorpro" "sensorpush" + "shelly" "snooz" "switchbot" "thermobeacon" diff --git a/nixos/modules/services/home-automation/zigbee2mqtt.nix b/nixos/modules/services/home-automation/zigbee2mqtt.nix index 71f6e7a258404..796de3a491e49 100644 --- a/nixos/modules/services/home-automation/zigbee2mqtt.nix +++ b/nixos/modules/services/home-automation/zigbee2mqtt.nix @@ -119,9 +119,8 @@ in ]; SystemCallArchitectures = "native"; SystemCallFilter = [ - "@system-service" - "~@privileged" - "~@resources" + "@system-service @pkey" + "~@privileged @resources" ]; UMask = "0077"; }; diff --git a/nixos/modules/services/logging/logrotate.nix b/nixos/modules/services/logging/logrotate.nix index fd41b982678f3..1799e9282b3b0 100644 --- a/nixos/modules/services/logging/logrotate.nix +++ b/nixos/modules/services/logging/logrotate.nix @@ -163,7 +163,7 @@ in default = null; description = lib.mdDoc '' How often to rotate the logs. Defaults to previously set global setting, - which itself defauts to weekly. + which itself defaults to weekly. ''; }; diff --git a/nixos/modules/services/logging/ulogd.nix b/nixos/modules/services/logging/ulogd.nix new file mode 100644 index 0000000000000..065032b531c6d --- /dev/null +++ b/nixos/modules/services/logging/ulogd.nix @@ -0,0 +1,48 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.ulogd; + settingsFormat = pkgs.formats.ini { }; + settingsFile = settingsFormat.generate "ulogd.conf" cfg.settings; +in { + options = { + services.ulogd = { + enable = mkEnableOption (lib.mdDoc "ulogd"); + + settings = mkOption { + example = { + global.stack = "stack=log1:NFLOG,base1:BASE,pcap1:PCAP"; + log1.group = 2; + pcap1 = { + file = "/var/log/ulogd.pcap"; + sync = 1; + }; + }; + type = settingsFormat.type; + default = { }; + description = lib.mdDoc "Configuration for ulogd. See {file}`/share/doc/ulogd/` in `pkgs.ulogd.doc`."; + }; + + logLevel = mkOption { + type = types.enum [ 1 3 5 7 8 ]; + default = 5; + description = lib.mdDoc "Log level (1 = debug, 3 = info, 5 = notice, 7 = error, 8 = fatal)"; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.ulogd = { + description = "Ulogd Daemon"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-pre.target" ]; + before = [ "network-pre.target" ]; + + serviceConfig = { + ExecStart = "${pkgs.ulogd}/bin/ulogd -c ${settingsFile} --verbose --loglevel ${toString cfg.logLevel}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + }; + }; + }; +} diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index cd0da4fc50987..a9504acee3511 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -116,8 +116,9 @@ in wantedBy = [ "multi-user.target" ]; restartTriggers = [ config.environment.etc."exim.conf".source ]; serviceConfig = { - ExecStart = "${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}"; - ExecReload = "${coreutils}/bin/kill -HUP $MAINPID"; + ExecStart = "+${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}"; + ExecReload = "+${coreutils}/bin/kill -HUP $MAINPID"; + User = cfg.user; }; preStart = '' if ! test -d ${cfg.spoolDir}; then diff --git a/nixos/modules/services/mail/listmonk.nix b/nixos/modules/services/mail/listmonk.nix index c4ea6747196c4..8b636bd5b1ff6 100644 --- a/nixos/modules/services/mail/listmonk.nix +++ b/nixos/modules/services/mail/listmonk.nix @@ -8,7 +8,7 @@ let # Escaping is done according to https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-CONSTANTS setDatabaseOption = key: value: "UPDATE settings SET value = '${ - lib.replaceChars [ "'" ] [ "''" ] (builtins.toJSON value) + lib.replaceStrings [ "'" ] [ "''" ] (builtins.toJSON value) }' WHERE key = '${key}';"; updateDatabaseConfigSQL = pkgs.writeText "update-database-config.sql" (concatStringsSep "\n" (mapAttrsToList setDatabaseOption diff --git a/nixos/modules/services/mail/mailman.nix b/nixos/modules/services/mail/mailman.nix index 198c2f3280f58..0ca87696b1431 100644 --- a/nixos/modules/services/mail/mailman.nix +++ b/nixos/modules/services/mail/mailman.nix @@ -113,7 +113,7 @@ in { type = types.str; example = "/run/secrets/ldap-bind"; description = lib.mdDoc '' - Path to the file containing the bind password of the servie account + Path to the file containing the bind password of the service account defined by [](#opt-services.mailman.ldap.bindDn). ''; }; @@ -443,7 +443,7 @@ in { virtualHosts = lib.genAttrs cfg.webHosts (webHost: { locations = { ${cfg.serve.virtualRoot}.extraConfig = "uwsgi_pass unix:/run/mailman-web.socket;"; - "${cfg.serve.virtualRoot}/static/".alias = webSettings.STATIC_ROOT + "/"; + "${removeSuffix "/" cfg.serve.virtualRoot}/static/".alias = webSettings.STATIC_ROOT + "/"; }; }); }; diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 5461e89a801d4..d01734d61e87e 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -234,12 +234,12 @@ let headerChecks = concatStringsSep "\n" (map (x: "${x.pattern} ${x.action}") cfg.headerChecks) + cfg.extraHeaderChecks; - aliases = let seperator = if cfg.aliasMapType == "hash" then ":" else ""; in + aliases = let separator = if cfg.aliasMapType == "hash" then ":" else ""; in optionalString (cfg.postmasterAlias != "") '' - postmaster${seperator} ${cfg.postmasterAlias} + postmaster${separator} ${cfg.postmasterAlias} '' + optionalString (cfg.rootAlias != "") '' - root${seperator} ${cfg.rootAlias} + root${separator} ${cfg.rootAlias} '' + cfg.extraAliases ; diff --git a/nixos/modules/services/mail/public-inbox.nix b/nixos/modules/services/mail/public-inbox.nix index ab7ff5f726a4d..9cd6726e6cb2d 100644 --- a/nixos/modules/services/mail/public-inbox.nix +++ b/nixos/modules/services/mail/public-inbox.nix @@ -275,7 +275,11 @@ in default = {}; description = lib.mdDoc "public inboxes"; type = types.submodule { - freeformType = with types; /*inbox name*/attrsOf (/*inbox option name*/attrsOf /*inbox option value*/iniAtom); + # Keeping in line with the tradition of unnecessarily specific types, allow users to set + # freeform settings either globally under the `publicinbox` section, or for specific + # inboxes through additional nesting. + freeformType = with types; attrsOf (oneOf [ iniAtom (attrsOf iniAtom) ]); + options.css = mkOption { type = with types; listOf str; default = []; diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix index d8adf53e48a94..e05820fb87cf1 100644 --- a/nixos/modules/services/mail/roundcube.nix +++ b/nixos/modules/services/mail/roundcube.nix @@ -39,7 +39,7 @@ in ''; description = lib.mdDoc '' - The package which contains roundcube's sources. Can be overriden to create + The package which contains roundcube's sources. Can be overridden to create an environment which contains roundcube and third-party plugins. ''; }; @@ -92,7 +92,7 @@ in default = []; example = literalExpression "with pkgs.aspellDicts; [ en fr de ]"; description = lib.mdDoc '' - List of aspell dictionnaries for spell checking. If empty, spell checking is disabled. + List of aspell dictionaries for spell checking. If empty, spell checking is disabled. ''; }; diff --git a/nixos/modules/services/matrix/conduit.nix b/nixos/modules/services/matrix/conduit.nix index 812d463e9e86b..c8d89ed33f512 100644 --- a/nixos/modules/services/matrix/conduit.nix +++ b/nixos/modules/services/matrix/conduit.nix @@ -23,8 +23,7 @@ in package = mkOption { type = types.package; default = pkgs.matrix-conduit; - defaultText = "pkgs.matrix-conduit"; - example = "pkgs.matrix-conduit"; + defaultText = lib.literalExpression "pkgs.matrix-conduit"; description = lib.mdDoc '' Package of the conduit matrix server to use. ''; diff --git a/nixos/modules/services/matrix/mautrix-telegram.nix b/nixos/modules/services/matrix/mautrix-telegram.nix index fc8b95051ddbe..5a632fd27e80d 100644 --- a/nixos/modules/services/matrix/mautrix-telegram.nix +++ b/nixos/modules/services/matrix/mautrix-telegram.nix @@ -7,8 +7,8 @@ let registrationFile = "${dataDir}/telegram-registration.yaml"; cfg = config.services.mautrix-telegram; settingsFormat = pkgs.formats.json {}; - settingsFileUnsubstituted = settingsFormat.generate "mautrix-telegram-config-unsubstituted.json" cfg.settings; - settingsFile = "${dataDir}/config.json"; + settingsFile = + settingsFormat.generate "mautrix-telegram-config.json" cfg.settings; in { options = { @@ -97,12 +97,23 @@ in { default = null; description = lib.mdDoc '' File containing environment variables to be passed to the mautrix-telegram service, - in which secret tokens can be specified securely by defining values for + in which secret tokens can be specified securely by defining values for e.g. `MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN`, `MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN`, `MAUTRIX_TELEGRAM_TELEGRAM_API_ID`, `MAUTRIX_TELEGRAM_TELEGRAM_API_HASH` and optionally `MAUTRIX_TELEGRAM_TELEGRAM_BOT_TOKEN`. + + These environment variables can also be used to set other options by + replacing hierarchy levels by `.`, converting the name to uppercase + and prepending `MAUTRIX_TELEGRAM_`. + For example, the first value above maps to + {option}`settings.appservice.as_token`. + + The environment variable values can be prefixed with `json::` to have + them be parsed as JSON. For example, `login_shared_secret_map` can be + set as follows: + `MAUTRIX_TELEGRAM_BRIDGE_LOGIN_SHARED_SECRET_MAP=json::{"example.com":"secret"}`. ''; }; @@ -129,7 +140,7 @@ in { path = [ pkgs.lottieconverter ]; # mautrix-telegram tries to generate a dotfile in the home directory of - # the running user if using a postgresql databse: + # the running user if using a postgresql database: # # File "python3.10/site-packages/asyncpg/connect_utils.py", line 257, in _dot_postgre> # return (pathlib.Path.home() / '.postgresql' / filename).resolve() @@ -141,16 +152,6 @@ in { environment.HOME = dataDir; preStart = '' - # Not all secrets can be passed as environment variable (yet) - # https://github.com/tulir/mautrix-telegram/issues/584 - [ -f ${settingsFile} ] && rm -f ${settingsFile} - old_umask=$(umask) - umask 0177 - ${pkgs.envsubst}/bin/envsubst \ - -o ${settingsFile} \ - -i ${settingsFileUnsubstituted} - umask $old_umask - # generate the appservice's registration file if absent if [ ! -f '${registrationFile}' ]; then ${pkgs.mautrix-telegram}/bin/mautrix-telegram \ @@ -186,8 +187,6 @@ in { --config='${settingsFile}' ''; }; - - restartTriggers = [ settingsFileUnsubstituted ]; }; }; diff --git a/nixos/modules/services/matrix/synapse.nix b/nixos/modules/services/matrix/synapse.nix index 86662055222a1..3087d879b9d2b 100644 --- a/nixos/modules/services/matrix/synapse.nix +++ b/nixos/modules/services/matrix/synapse.nix @@ -80,7 +80,7 @@ in { (mkRemovedOptionModule [ "services" "matrix-synapse" "user_creation_max_duration" ] "It is no longer supported by synapse." ) (mkRemovedOptionModule [ "services" "matrix-synapse" "verbose" ] "Use a log config instead." ) - # options that were moved into rfc42 style settigns + # options that were moved into rfc42 style settings (mkRemovedOptionModule [ "services" "matrix-synapse" "app_service_config_files" ] "Use settings.app_service_config_files instead" ) (mkRemovedOptionModule [ "services" "matrix-synapse" "database_args" ] "Use settings.database.args instead" ) (mkRemovedOptionModule [ "services" "matrix-synapse" "database_name" ] "Use settings.database.args.database instead" ) @@ -286,6 +286,7 @@ in { log_config = mkOption { type = types.path; default = ./synapse-log_config.yaml; + defaultText = lib.literalExpression "nixos/modules/services/matrix/synapse-log_config.yaml"; description = lib.mdDoc '' The file that holds the logging configuration. ''; @@ -506,6 +507,12 @@ in { sqlite3 = null; psycopg2 = "matrix-synapse"; }.${cfg.settings.database.name}; + defaultText = lib.literalExpression '' + { + sqlite3 = null; + psycopg2 = "matrix-synapse"; + }.''${cfg.settings.database.name}; + ''; description = lib.mdDoc '' Username to connect with psycopg2, set to null when using sqlite3. diff --git a/nixos/modules/services/misc/atuin.nix b/nixos/modules/services/misc/atuin.nix new file mode 100644 index 0000000000000..c94852e3aad9c --- /dev/null +++ b/nixos/modules/services/misc/atuin.nix @@ -0,0 +1,85 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.atuin; +in +{ + options = { + services.atuin = { + enable = mkEnableOption (mdDoc "Enable server for shell history sync with atuin."); + + openRegistration = mkOption { + type = types.bool; + default = false; + description = mdDoc "Allow new user registrations with the atuin server."; + }; + + path = mkOption { + type = types.str; + default = ""; + description = mdDoc "A path to prepend to all the routes of the server."; + }; + + host = mkOption { + type = types.str; + default = "127.0.0.1"; + description = mdDoc "The host address the atuin server should listen on."; + }; + + port = mkOption { + type = types.port; + default = 8888; + description = mdDoc "The port the atuin server should listen on."; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = mdDoc "Open ports in the firewall for the atuin server."; + }; + + }; + }; + + config = mkIf cfg.enable { + + # enable postgres to host atuin db + services.postgresql = { + enable = true; + ensureUsers = [{ + name = "atuin"; + ensurePermissions = { + "DATABASE atuin" = "ALL PRIVILEGES"; + }; + }]; + ensureDatabases = [ "atuin" ]; + }; + + systemd.services.atuin = { + description = "atuin server"; + after = [ "network.target" "postgresql.service" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = "${pkgs.atuin}/bin/atuin server start"; + RuntimeDirectory = "atuin"; + RuntimeDirectoryMode = "0700"; + DynamicUser = true; + }; + + environment = { + ATUIN_HOST = cfg.host; + ATUIN_PORT = toString cfg.port; + ATUIN_OPEN_REGISTRATION = boolToString cfg.openRegistration; + ATUIN_DB_URI = "postgresql:///atuin"; + ATUIN_PATH = cfg.path; + ATUIN_CONFIG_DIR = "/run/atuin"; # required to start, but not used as configuration is via environment variables + }; + }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + + }; +} diff --git a/nixos/modules/services/misc/autorandr.nix b/nixos/modules/services/misc/autorandr.nix index 365fdd5fcc398..072064143dbdb 100644 --- a/nixos/modules/services/misc/autorandr.nix +++ b/nixos/modules/services/misc/autorandr.nix @@ -258,7 +258,7 @@ in { type = hooksModule; description = lib.mdDoc "Global hook scripts"; default = { }; - example = '' + example = literalExpression '' { postswitch = { "notify-i3" = "''${pkgs.i3}/bin/i3-msg restart"; @@ -279,7 +279,7 @@ in { exit 1 esac echo "Xft.dpi: $DPI" | ''${pkgs.xorg.xrdb}/bin/xrdb -merge - ''' + '''; }; } ''; diff --git a/nixos/modules/services/misc/beanstalkd.nix b/nixos/modules/services/misc/beanstalkd.nix index 5d34355aebfc7..4262cae323b94 100644 --- a/nixos/modules/services/misc/beanstalkd.nix +++ b/nixos/modules/services/misc/beanstalkd.nix @@ -16,7 +16,7 @@ in listen = { port = mkOption { - type = types.int; + type = types.port; description = lib.mdDoc "TCP port that will be used to accept client connections."; default = 11300; }; diff --git a/nixos/modules/services/misc/domoticz.nix b/nixos/modules/services/misc/domoticz.nix index 3358b4de466a6..fd9fcf0b78eb5 100644 --- a/nixos/modules/services/misc/domoticz.nix +++ b/nixos/modules/services/misc/domoticz.nix @@ -21,7 +21,7 @@ in { }; port = mkOption { - type = types.int; + type = types.port; default = 8080; description = lib.mdDoc "Port to bind to for HTTP, set to 0 to disable HTTP."; }; diff --git a/nixos/modules/services/misc/dysnomia.nix b/nixos/modules/services/misc/dysnomia.nix index 4d748ec6eb66d..0f92265ccbea6 100644 --- a/nixos/modules/services/misc/dysnomia.nix +++ b/nixos/modules/services/misc/dysnomia.nix @@ -114,7 +114,7 @@ in }; components = mkOption { - description = lib.mdDoc "An atttribute set in which each key represents a container and each value an attribute set in which each key represents a component and each value a derivation constructing its initial state"; + description = lib.mdDoc "An attribute set in which each key represents a container and each value an attribute set in which each key represents a component and each value a derivation constructing its initial state"; default = {}; type = types.attrsOf types.attrs; }; diff --git a/nixos/modules/services/misc/gammu-smsd.nix b/nixos/modules/services/misc/gammu-smsd.nix index 72e83a249c84c..83f4efe695a27 100644 --- a/nixos/modules/services/misc/gammu-smsd.nix +++ b/nixos/modules/services/misc/gammu-smsd.nix @@ -45,8 +45,8 @@ let initDBDir = "share/doc/gammu/examples/sql"; gammuPackage = with cfg.backend; (pkgs.gammu.override { - dbiSupport = (service == "sql" && sql.driver == "sqlite"); - postgresSupport = (service == "sql" && sql.driver == "native_pgsql"); + dbiSupport = service == "sql" && sql.driver == "sqlite"; + postgresSupport = service == "sql" && sql.driver == "native_pgsql"; }); in { @@ -192,7 +192,7 @@ in { password = mkOption { type = types.nullOr types.str; default = null; - description = lib.mdDoc "User password used for connetion to the database"; + description = lib.mdDoc "User password used for connection to the database"; }; }; }; diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index ac598108a01ef..00e90f5b32b47 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -183,7 +183,7 @@ in file = mkOption { type = types.nullOr types.str; default = null; - description = lib.mdDoc "Filename to be used for the dump. If `null` a default name is choosen by gitea."; + description = lib.mdDoc "Filename to be used for the dump. If `null` a default name is chosen by gitea."; example = "gitea-dump"; }; }; @@ -235,7 +235,7 @@ in }; httpPort = mkOption { - type = types.int; + type = types.port; default = 3000; description = lib.mdDoc "HTTP listen port."; }; @@ -310,7 +310,7 @@ in }; SSH_PORT = mkOption { - type = types.int; + type = types.port; default = 22; example = 2222; description = lib.mdDoc '' @@ -395,7 +395,7 @@ in ROOT_URL = cfg.rootUrl; } (mkIf cfg.enableUnixSocket { - PROTOCOL = "unix"; + PROTOCOL = "http+unix"; HTTP_ADDR = "/run/gitea/gitea.sock"; }) (mkIf (!cfg.enableUnixSocket) { @@ -404,7 +404,6 @@ in }) (mkIf cfg.lfs.enable { LFS_START_SERVER = true; - LFS_CONTENT_PATH = cfg.lfs.contentDir; }) ]; @@ -426,6 +425,10 @@ in oauth2 = { JWT_SECRET = "#oauth2jwtsecret#"; }; + + lfs = mkIf (cfg.lfs.enable) { + PATH = cfg.lfs.contentDir; + }; }; services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) { @@ -483,11 +486,11 @@ in description = "gitea"; after = [ "network.target" ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service"; wantedBy = [ "multi-user.target" ]; - path = [ gitea pkgs.git ]; + path = [ gitea pkgs.git pkgs.gnupg ]; # In older versions the secret naming for JWT was kind of confusing. # The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET - # wasn't persistant at all. + # wasn't persistent at all. # To fix that, there is now the file oauth2_jwt_secret containing the # values for JWT_SECRET and the file jwt_secret gets renamed to # lfs_jwt_secret. diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 13453d9cc7854..e7c707228f1be 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -16,22 +16,6 @@ let else pkgs.postgresql_12; - # Git 2.36.1 seemingly contains a commit-graph related bug which is - # easily triggered through GitLab, so we downgrade it to 2.35.x - # until this issue is solved. See - # https://gitlab.com/gitlab-org/gitlab/-/issues/360783#note_992870101. - gitPackage = - let - version = "2.35.4"; - in - pkgs.git.overrideAttrs (oldAttrs: rec { - inherit version; - src = pkgs.fetchurl { - url = "https://www.kernel.org/pub/software/scm/git/git-${version}.tar.xz"; - sha256 = "sha256-mv13OdNkXggeKQkJ+47QcJ6lYmcw6Qjri1ZJ2ETCTOk="; - }; - }); - gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket"; gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket"; pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url; @@ -60,7 +44,7 @@ let prometheus_listen_addr = "localhost:9236" [git] - bin_path = "${gitPackage}/bin/git" + bin_path = "${pkgs.git}/bin/git" [gitaly-ruby] dir = "${cfg.packages.gitaly.ruby}" @@ -157,7 +141,7 @@ let }; workhorse.secret_file = "${cfg.statePath}/.gitlab_workhorse_secret"; gitlab_kas.secret_file = "${cfg.statePath}/.gitlab_kas_secret"; - git.bin_path = "${gitPackage}/bin/git"; + git.bin_path = "git"; monitoring = { ip_whitelist = [ "127.0.0.0/8" "::1/128" ]; sidekiq_exporter = { @@ -576,7 +560,7 @@ in { description = lib.mdDoc "GitLab container registry host name."; }; port = mkOption { - type = types.int; + type = types.port; default = 4567; description = lib.mdDoc "GitLab container registry port."; }; @@ -629,7 +613,7 @@ in { }; port = mkOption { - type = types.int; + type = types.port; default = 25; description = lib.mdDoc "Port of the SMTP server for GitLab."; }; @@ -1325,7 +1309,7 @@ in { }); path = with pkgs; [ postgresqlPackage - gitPackage + git ruby openssh nodejs @@ -1356,7 +1340,7 @@ in { path = with pkgs; [ openssh procps # See https://gitlab.com/gitlab-org/gitaly/issues/1562 - gitPackage + git cfg.packages.gitaly.rubyEnv cfg.packages.gitaly.rubyEnv.wrappedRuby gzip @@ -1402,7 +1386,7 @@ in { path = with pkgs; [ remarshal exiftool - gitPackage + git gnutar gzip openssh @@ -1475,7 +1459,7 @@ in { environment = gitlabEnv; path = with pkgs; [ postgresqlPackage - gitPackage + git openssh nodejs procps diff --git a/nixos/modules/services/misc/gitlab.xml b/nixos/modules/services/misc/gitlab.xml index 40424c5039a25..9816fdac7dd7f 100644 --- a/nixos/modules/services/misc/gitlab.xml +++ b/nixos/modules/services/misc/gitlab.xml @@ -141,7 +141,7 @@ services.gitlab = { </para> <para> - A list of all availabe rake tasks can be obtained by running: + A list of all available rake tasks can be obtained by running: <screen> <prompt>$ </prompt>sudo -u git -H gitlab-rake -T </screen> diff --git a/nixos/modules/services/misc/gpsd.nix b/nixos/modules/services/misc/gpsd.nix index 1ab8d1bbe0629..ec0a8e1eaa1c4 100644 --- a/nixos/modules/services/misc/gpsd.nix +++ b/nixos/modules/services/misc/gpsd.nix @@ -77,6 +77,14 @@ in ''; }; + listenany = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Listen on all addresses rather than just loopback. + ''; + }; + }; }; @@ -106,6 +114,7 @@ in -S "${toString cfg.port}" \ ${optionalString cfg.readonly "-b"} \ ${optionalString cfg.nowait "-n"} \ + ${optionalString cfg.listenany "-G"} \ "${cfg.device}" ''; }; diff --git a/nixos/modules/services/misc/heisenbridge.nix b/nixos/modules/services/misc/heisenbridge.nix index 13ba362b33dbb..d07e0e420462b 100644 --- a/nixos/modules/services/misc/heisenbridge.nix +++ b/nixos/modules/services/misc/heisenbridge.nix @@ -28,8 +28,7 @@ in package = mkOption { type = types.package; default = pkgs.heisenbridge; - defaultText = "pkgs.heisenbridge"; - example = "pkgs.heisenbridge.override { … = …; }"; + defaultText = lib.literalExpression "pkgs.heisenbridge"; description = lib.mdDoc '' Package of the application to run, exposed for overriding purposes. ''; diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix index f49657a075335..2a4483199d7dd 100644 --- a/nixos/modules/services/misc/jellyfin.nix +++ b/nixos/modules/services/misc/jellyfin.nix @@ -81,7 +81,7 @@ in ProtectKernelTunables = !config.boot.isContainer; LockPersonality = true; PrivateTmp = !config.boot.isContainer; - # needed for hardware accelaration + # needed for hardware acceleration PrivateDevices = false; PrivateUsers = true; RemoveIPC = true; diff --git a/nixos/modules/services/misc/libreddit.nix b/nixos/modules/services/misc/libreddit.nix index c961d13da4738..fd58928d28219 100644 --- a/nixos/modules/services/misc/libreddit.nix +++ b/nixos/modules/services/misc/libreddit.nix @@ -15,6 +15,13 @@ in services.libreddit = { enable = mkEnableOption (lib.mdDoc "Private front-end for Reddit"); + package = mkOption { + type = types.package; + default = pkgs.libreddit; + defaultText = literalExpression "pkgs.libreddit"; + description = lib.mdDoc "Libreddit package to use."; + }; + address = mkOption { default = "0.0.0.0"; example = "127.0.0.1"; @@ -45,7 +52,7 @@ in after = [ "network.target" ]; serviceConfig = { DynamicUser = true; - ExecStart = "${pkgs.libreddit}/bin/libreddit ${args}"; + ExecStart = "${cfg.package}/bin/libreddit ${args}"; AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; Restart = "on-failure"; RestartSec = "2s"; diff --git a/nixos/modules/services/misc/mediatomb.nix b/nixos/modules/services/misc/mediatomb.nix index 3f0bd585371f7..632b7caaac403 100644 --- a/nixos/modules/services/misc/mediatomb.nix +++ b/nixos/modules/services/misc/mediatomb.nix @@ -288,7 +288,7 @@ in { }; port = mkOption { - type = types.int; + type = types.port; default = 49152; description = lib.mdDoc '' The network port to listen on. diff --git a/nixos/modules/services/misc/nitter.nix b/nixos/modules/services/misc/nitter.nix index 95394d9d2113e..f0cb5cc151388 100644 --- a/nixos/modules/services/misc/nitter.nix +++ b/nixos/modules/services/misc/nitter.nix @@ -47,7 +47,7 @@ in { options = { services.nitter = { - enable = mkEnableOption (lib.mdDoc "If enabled, start Nitter."); + enable = mkEnableOption (lib.mdDoc "Nitter"); package = mkOption { default = pkgs.nitter; diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 26e7cbfca733f..1d115108c30fb 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -42,7 +42,7 @@ let else if isDerivation v then toString v else if builtins.isPath v then toString v else if isString v then v - else if isCoercibleToString v then toString v + else if strings.isConvertibleWithToString v then toString v else abort "The nix conf value: ${toPretty {} v} can not be encoded"; mkKeyValue = k: v: "${escape [ "=" ] k} = ${mkValueString v}"; @@ -115,6 +115,7 @@ in (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "useChroot" ]; to = [ "nix" "useSandbox" ]; }) (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "chrootDirs" ]; to = [ "nix" "sandboxPaths" ]; }) (mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" "daemonIONiceLevel" ]; to = [ "nix" "daemonIOSchedPriority" ]; }) + (mkRenamedOptionModuleWith { sinceRelease = 2211; from = [ "nix" "readOnlyStore" ]; to = [ "boot" "readOnlyNixStore" ]; }) (mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.") ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" oldConf ]; to = [ "nix" "settings" newConf ]; }) legacyConfMappings; @@ -366,17 +367,6 @@ in ''; }; - readOnlyStore = mkOption { - type = types.bool; - default = true; - description = lib.mdDoc '' - If set, NixOS will enforce the immutability of the Nix store - by making {file}`/nix/store` a read-only bind - mount. Nix will automatically make the store writable when - needed. - ''; - }; - nixPath = mkOption { type = types.listOf types.str; default = [ @@ -414,6 +404,7 @@ in str int bool + path package ]); in @@ -618,7 +609,7 @@ in By default, pseudo-features `nixos-test`, `benchmark`, and `big-parallel` used in Nixpkgs are set, `kvm` - is also included in it is avaliable. + is also included if it is available. ''; }; @@ -651,7 +642,7 @@ in description = lib.mdDoc '' Configuration for Nix, see <https://nixos.org/manual/nix/stable/#sec-conf-file> or - {manpage}`nix.conf(5)` for avalaible options. + {manpage}`nix.conf(5)` for available options. The value declared here will be translated directly to the key-value pairs Nix expects. You can use {command}`nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings` @@ -801,7 +792,10 @@ in fi ''; - nix.nrBuildUsers = mkDefault (max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs)); + nix.nrBuildUsers = mkDefault ( + if cfg.settings.auto-allocate-uids or false then 0 + else max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs) + ); users.users = nixbldUsers; @@ -828,7 +822,7 @@ in optionals (pkgs.hostPlatform ? gcc.arch) ( # a builder can run code for `gcc.arch` and inferior architectures [ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++ - map (x: "gccarch-${x}") systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch} + map (x: "gccarch-${x}") (systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch} or []) ) ); } diff --git a/nixos/modules/services/misc/octoprint.nix b/nixos/modules/services/misc/octoprint.nix index 196adb180a5b5..c216c6fa2b77a 100644 --- a/nixos/modules/services/misc/octoprint.nix +++ b/nixos/modules/services/misc/octoprint.nix @@ -17,7 +17,7 @@ let cfgUpdate = pkgs.writeText "octoprint-config.yaml" (builtins.toJSON fullConfig); - pluginsEnv = package.python.withPackages (ps: [ps.octoprint] ++ (cfg.plugins ps)); + pluginsEnv = package.python.withPackages (ps: [ ps.octoprint ] ++ (cfg.plugins ps)); package = pkgs.octoprint; @@ -47,6 +47,12 @@ in ''; }; + openFirewall = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Open ports in the firewall for OctoPrint."; + }; + user = mkOption { type = types.str; default = "octoprint"; @@ -67,7 +73,7 @@ in plugins = mkOption { type = types.functionTo (types.listOf types.package); - default = plugins: []; + default = plugins: [ ]; defaultText = literalExpression "plugins: []"; example = literalExpression "plugins: with plugins; [ themeify stlviewer ]"; description = lib.mdDoc "Additional plugins to be used. Available plugins are passed through the plugins input."; @@ -75,7 +81,7 @@ in extraConfig = mkOption { type = types.attrs; - default = {}; + default = { }; description = lib.mdDoc "Extra options which are added to OctoPrint's YAML configuration file."; }; @@ -128,6 +134,6 @@ in }; }; + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; }; - } diff --git a/nixos/modules/services/misc/osrm.nix b/nixos/modules/services/misc/osrm.nix index bcfb868422cc7..12c908a761e32 100644 --- a/nixos/modules/services/misc/osrm.nix +++ b/nixos/modules/services/misc/osrm.nix @@ -21,7 +21,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 5000; description = lib.mdDoc "Port on which the web server will run."; }; diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix index 6a98d5cb686d3..1dddd147ac095 100644 --- a/nixos/modules/services/misc/paperless.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -211,19 +211,15 @@ in ]; systemd.services.paperless-scheduler = { - description = "Paperless scheduler"; + description = "Paperless Celery Beat"; + wantedBy = [ "multi-user.target" ]; + wants = [ "paperless-consumer.service" "paperless-web.service" "paperless-task-queue.service" ]; serviceConfig = defaultServiceConfig // { User = cfg.user; - ExecStart = "${pkg}/bin/paperless-ngx qcluster"; + ExecStart = "${pkg}/bin/celery --app paperless beat --loglevel INFO"; Restart = "on-failure"; - # The `mbind` syscall is needed for running the classifier. - SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "mbind" ]; - # Needs to talk to mail server for automated import rules - PrivateNetwork = false; }; environment = env; - wantedBy = [ "multi-user.target" ]; - wants = [ "paperless-consumer.service" "paperless-web.service" ]; preStart = '' ln -sf ${manage} ${cfg.dataDir}/paperless-manage @@ -250,6 +246,21 @@ in after = [ "redis-paperless.service" ]; }; + systemd.services.paperless-task-queue = { + description = "Paperless Celery Workers"; + after = [ "paperless-scheduler.service" ]; + serviceConfig = defaultServiceConfig // { + User = cfg.user; + ExecStart = "${pkg}/bin/celery --app paperless worker --loglevel INFO"; + Restart = "on-failure"; + # The `mbind` syscall is needed for running the classifier. + SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "mbind" ]; + # Needs to talk to mail server for automated import rules + PrivateNetwork = false; + }; + environment = env; + }; + # Reading the user-provided password file requires root access systemd.services.paperless-copy-password = mkIf (cfg.passwordFile != null) { requiredBy = [ "paperless-scheduler.service" ]; @@ -265,20 +276,24 @@ in systemd.services.paperless-consumer = { description = "Paperless document consumer"; + # Bind to `paperless-scheduler` so that the consumer never runs + # during migrations + bindsTo = [ "paperless-scheduler.service" ]; + after = [ "paperless-scheduler.service" ]; serviceConfig = defaultServiceConfig // { User = cfg.user; ExecStart = "${pkg}/bin/paperless-ngx document_consumer"; Restart = "on-failure"; }; environment = env; - # Bind to `paperless-scheduler` so that the consumer never runs - # during migrations - bindsTo = [ "paperless-scheduler.service" ]; - after = [ "paperless-scheduler.service" ]; }; systemd.services.paperless-web = { description = "Paperless web server"; + # Bind to `paperless-scheduler` so that the web server never runs + # during migrations + bindsTo = [ "paperless-scheduler.service" ]; + after = [ "paperless-scheduler.service" ]; serviceConfig = defaultServiceConfig // { User = cfg.user; ExecStart = '' @@ -301,11 +316,7 @@ in }; # Allow the web interface to access the private /tmp directory of the server. # This is required to support uploading files via the web interface. - unitConfig.JoinsNamespaceOf = "paperless-scheduler.service"; - # Bind to `paperless-scheduler` so that the web server never runs - # during migrations - bindsTo = [ "paperless-scheduler.service" ]; - after = [ "paperless-scheduler.service" ]; + unitConfig.JoinsNamespaceOf = "paperless-task-queue.service"; }; users = optionalAttrs (cfg.user == defaultUser) { diff --git a/nixos/modules/services/misc/pinnwand.nix b/nixos/modules/services/misc/pinnwand.nix index 2947698611111..5fca9f4125a83 100644 --- a/nixos/modules/services/misc/pinnwand.nix +++ b/nixos/modules/services/misc/pinnwand.nix @@ -19,29 +19,66 @@ in }; settings = mkOption { - type = format.type; + default = {}; description = lib.mdDoc '' Your {file}`pinnwand.toml` as a Nix attribute set. Look up - possible options in the [pinnwand.toml-example](https://github.com/supakeen/pinnwand/blob/master/pinnwand.toml-example). + possible options in the [documentation](https://pinnwand.readthedocs.io/en/v${pkgs.pinnwand.version}/configuration.html). ''; - default = {}; + type = types.submodule { + freeformType = format.type; + options = { + database_uri = mkOption { + type = types.str; + default = "sqlite:////var/lib/pinnwand/pinnwand.db"; + example = "sqlite:///:memory"; + description = lib.mdDoc '' + Database URI compatible with [SQLAlchemyhttps://docs.sqlalchemy.org/en/14/core/engines.html#database-urls]. + + Additional packages may need to be introduced into the environment for certain databases. + ''; + }; + + paste_size = mkOption { + type = types.ints.positive; + default = 262144; + example = 524288; + description = lib.mdDoc '' + Maximum size of a paste in bytes. + ''; + }; + paste_help = mkOption { + type = types.str; + default = '' + <p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p> + ''; + description = lib.mdDoc '' + Raw HTML help text shown in the header area. + ''; + }; + footer = mkOption { + type = types.str; + default = '' + View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page. + ''; + description = lib.mdDoc '' + The footer in raw HTML. + ''; + }; + }; + }; }; }; config = mkIf cfg.enable { - services.pinnwand.settings = { - database_uri = mkDefault "sqlite:////var/lib/pinnwand/pinnwand.db"; - paste_size = mkDefault 262144; - paste_help = mkDefault '' - <p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p> - ''; - footer = mkDefault '' - View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page. - ''; - }; + systemd.services.pinnwand = { + description = "Pinnwannd HTTP Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/"; - systemd.services = let - hardeningOptions = { + serviceConfig = { + ExecStart = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile} http --port ${toString cfg.port}"; User = "pinnwand"; DynamicUser = true; @@ -72,32 +109,14 @@ in RestrictNamespaces = true; RestrictRealtime = true; SystemCallArchitectures = "native"; - SystemCallFilter = "@system-service"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; UMask = "0077"; }; - - command = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile}"; - in { - pinnwand = { - description = "Pinnwannd HTTP Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/"; - - serviceConfig = { - ExecStart = "${command} http --port ${toString(cfg.port)}"; - } // hardeningOptions; - }; - - pinnwand-reaper = { - description = "Pinnwand Reaper"; - startAt = "daily"; - - serviceConfig = { - ExecStart = "${command} -vvvv reap"; # verbosity increased to show number of deleted pastes - } // hardeningOptions; - }; }; }; + + meta.buildDocsInSandbox = false; } diff --git a/nixos/modules/services/misc/podgrab.nix b/nixos/modules/services/misc/podgrab.nix index c0a1247185050..c596122fd31c4 100644 --- a/nixos/modules/services/misc/podgrab.nix +++ b/nixos/modules/services/misc/podgrab.nix @@ -12,7 +12,7 @@ in example = "/run/secrets/password.env"; description = lib.mdDoc '' The path to a file containing the PASSWORD environment variable - definition for Podgrab's authentification. + definition for Podgrab's authentication. ''; }; diff --git a/nixos/modules/services/misc/portunus.nix b/nixos/modules/services/misc/portunus.nix index 0b283ea27d82c..f60cbe3477132 100644 --- a/nixos/modules/services/misc/portunus.nix +++ b/nixos/modules/services/misc/portunus.nix @@ -29,7 +29,7 @@ in package = mkOption { type = types.package; default = pkgs.portunus; - defaultText = "pkgs.portunus"; + defaultText = lib.literalExpression "pkgs.portunus"; description = lib.mdDoc "The Portunus package to use."; }; @@ -108,7 +108,7 @@ in package = mkOption { type = types.package; default = pkgs.openldap; - defaultText = "pkgs.openldap"; + defaultText = lib.literalExpression "pkgs.openldap"; description = lib.mdDoc "The OpenLDAP package to use."; }; @@ -135,7 +135,7 @@ in type = types.bool; default = false; description = lib.mdDoc '' - Wether to enable LDAPS protocol. + Whether to enable LDAPS protocol. This also adds two entries to the `/etc/hosts` file to point [](#opt-services.portunus.domain) to localhost, so that CLIs and programs can use ldaps protocol and verify the certificate without opening the firewall port for the protocol. diff --git a/nixos/modules/services/misc/redmine.nix b/nixos/modules/services/misc/redmine.nix index 75c5a4e26e0f6..58a595b5c76f5 100644 --- a/nixos/modules/services/misc/redmine.nix +++ b/nixos/modules/services/misc/redmine.nix @@ -206,6 +206,57 @@ in description = lib.mdDoc "Create the database and database user locally."; }; }; + + components = { + subversion = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Subversion integration."; + }; + + mercurial = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Mercurial integration."; + }; + + git = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "git integration."; + }; + + cvs = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "cvs integration."; + }; + + breezy = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "bazaar integration."; + }; + + imagemagick = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Allows exporting Gant diagrams as PNG."; + }; + + ghostscript = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Allows exporting Gant diagrams as PDF."; + }; + + minimagick_font_path = mkOption { + type = types.str; + default = ""; + description = lib.mdDoc "MiniMagick font path"; + example = "/run/current-system/sw/share/X11/fonts/LiberationSans-Regular.ttf"; + }; + }; }; }; @@ -225,16 +276,21 @@ in { assertion = cfg.database.createLocally -> cfg.database.host == "localhost"; message = "services.redmine.database.host must be set to localhost if services.redmine.database.createLocally is set to true"; } + { assertion = cfg.components.imagemagick -> cfg.components.minimagick_font_path != ""; + message = "services.redmine.components.minimagick_font_path must be configured with a path to a font file if services.redmine.components.imagemagick is set to true."; + } ]; services.redmine.settings = { production = { - scm_subversion_command = "${pkgs.subversion}/bin/svn"; - scm_mercurial_command = "${pkgs.mercurial}/bin/hg"; - scm_git_command = "${pkgs.git}/bin/git"; - scm_cvs_command = "${pkgs.cvs}/bin/cvs"; - scm_bazaar_command = "${pkgs.breezy}/bin/bzr"; - scm_darcs_command = "${pkgs.darcs}/bin/darcs"; + scm_subversion_command = if cfg.components.subversion then "${pkgs.subversion}/bin/svn" else ""; + scm_mercurial_command = if cfg.components.mercurial then "${pkgs.mercurial}/bin/hg" else ""; + scm_git_command = if cfg.components.git then "${pkgs.git}/bin/git" else ""; + scm_cvs_command = if cfg.components.cvs then "${pkgs.cvs}/bin/cvs" else ""; + scm_bazaar_command = if cfg.components.breezy then "${pkgs.breezy}/bin/bzr" else ""; + imagemagick_convert_command = if cfg.components.imagemagick then "${pkgs.imagemagick}/bin/convert" else ""; + gs_command = if cfg.components.ghostscript then "${pkgs.ghostscript}/bin/gs" else ""; + minimagick_font_path = "${cfg.components.minimagick_font_path}"; }; }; @@ -296,14 +352,15 @@ in environment.REDMINE_LANG = "en"; environment.SCHEMA = "${cfg.stateDir}/cache/schema.db"; path = with pkgs; [ - imagemagick - breezy - cvs - darcs - git - mercurial - subversion - ]; + ] + ++ optional cfg.components.subversion subversion + ++ optional cfg.components.mercurial mercurial + ++ optional cfg.components.git git + ++ optional cfg.components.cvs cvs + ++ optional cfg.components.breezy breezy + ++ optional cfg.components.imagemagick imagemagick + ++ optional cfg.components.ghostscript ghostscript; + preStart = '' rm -rf "${cfg.stateDir}/plugins/"* rm -rf "${cfg.stateDir}/public/themes/"* diff --git a/nixos/modules/services/misc/ripple-data-api.nix b/nixos/modules/services/misc/ripple-data-api.nix index 2663d734980fb..30623a3213389 100644 --- a/nixos/modules/services/misc/ripple-data-api.nix +++ b/nixos/modules/services/misc/ripple-data-api.nix @@ -40,7 +40,7 @@ in { port = mkOption { description = lib.mdDoc "Ripple data api port"; default = 5993; - type = types.int; + type = types.port; }; importMode = mkOption { @@ -77,7 +77,7 @@ in { port = mkOption { description = lib.mdDoc "Ripple data api redis port."; default = 5984; - type = types.int; + type = types.port; }; }; @@ -91,7 +91,7 @@ in { port = mkOption { description = lib.mdDoc "Ripple data api couchdb port."; default = 5984; - type = types.int; + type = types.port; }; db = mkOption { diff --git a/nixos/modules/services/misc/serviio.nix b/nixos/modules/services/misc/serviio.nix index 57efebb2c03f0..18e64030d79d5 100644 --- a/nixos/modules/services/misc/serviio.nix +++ b/nixos/modules/services/misc/serviio.nix @@ -80,7 +80,7 @@ in { 23424 # mediabrowser ]; allowedUDPPorts = [ - 1900 # UPnP service discovey + 1900 # UPnP service discovery ]; }; }; diff --git a/nixos/modules/services/misc/sourcehut/default.nix b/nixos/modules/services/misc/sourcehut/default.nix index a79149c8f58ad..7dd254e349200 100644 --- a/nixos/modules/services/misc/sourcehut/default.nix +++ b/nixos/modules/services/misc/sourcehut/default.nix @@ -88,7 +88,6 @@ let # Sourcehut services srht buildsrht - dispatchsrht gitsrht hgsrht hubsrht @@ -109,13 +108,13 @@ in { options.services.sourcehut = { enable = mkEnableOption (lib.mdDoc '' - sourcehut - git hosting, continuous integration, mailing list, ticket tracking, - task dispatching, wiki and account management services + sourcehut - git hosting, continuous integration, mailing list, ticket tracking, wiki + and account management services ''); services = mkOption { type = with types; listOf (enum - [ "builds" "dispatch" "git" "hg" "hub" "lists" "man" "meta" "pages" "paste" "todo" ]); + [ "builds" "git" "hg" "hub" "lists" "man" "meta" "pages" "paste" "todo" ]); defaultText = "locally enabled services"; description = lib.mdDoc '' Services that may be displayed as links in the title bar of the Web interface. @@ -301,32 +300,6 @@ in }; }; - options."dispatch.sr.ht" = commonServiceSettings "dispatch" // { - }; - options."dispatch.sr.ht::github" = { - oauth-client-id = mkOptionNullOrStr "OAuth client id."; - oauth-client-secret = mkOptionNullOrStr "OAuth client secret."; - }; - options."dispatch.sr.ht::gitlab" = { - enabled = mkEnableOption (lib.mdDoc "GitLab integration"); - canonical-upstream = mkOption { - type = types.str; - description = lib.mdDoc "Canonical upstream."; - default = "gitlab.com"; - }; - repo-cache = mkOption { - type = types.str; - description = lib.mdDoc "Repository cache directory."; - default = "./repo-cache"; - }; - "gitlab.com" = mkOption { - type = with types; nullOr str; - description = lib.mdDoc "GitLab id and secret."; - default = null; - example = "GitLab:application id:secret"; - }; - }; - options."builds.sr.ht" = commonServiceSettings "builds" // { allow-free = mkEnableOption (lib.mdDoc "nonpaying users to submit builds"); redis = mkOption { @@ -532,7 +505,7 @@ in description = lib.mdDoc "Origin URL for API, 100 more than web."; type = types.str; default = "http://${cfg.listenAddress}:${toString (cfg.meta.port + 100)}"; - defaultText = ''http://<xref linkend="opt-services.sourcehut.listenAddress"/>:''${toString (<xref linkend="opt-services.sourcehut.meta.port"/> + 100)}''; + defaultText = lib.literalMD ''`"http://''${`[](#opt-services.sourcehut.listenAddress)`}:''${toString (`[](#opt-services.sourcehut.meta.port)` + 100)}"`''; }; webhooks = mkOption { description = lib.mdDoc "The Redis connection used for the webhooks worker."; @@ -1021,11 +994,6 @@ in ]; }) - (import ./service.nix "dispatch" { - inherit configIniOfService; - port = 5005; - }) - (import ./service.nix "git" (let baseService = { path = [ cfg.git.package ]; @@ -1416,6 +1384,10 @@ in (mkRenamedOptionModule [ "services" "sourcehut" "address" ] [ "services" "sourcehut" "listenAddress" ]) + (mkRemovedOptionModule [ "services" "sourcehut" "dispatch" ] '' + dispatch is deprecated. See https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/ + for more information. + '') ]; meta.doc = ./sourcehut.xml; diff --git a/nixos/modules/services/misc/sourcehut/service.nix b/nixos/modules/services/misc/sourcehut/service.nix index 37a439ee352b3..aae13e0cc2c92 100644 --- a/nixos/modules/services/misc/sourcehut/service.nix +++ b/nixos/modules/services/misc/sourcehut/service.nix @@ -71,7 +71,7 @@ let # Note that each systemd service gets its own ${runDir}/config.ini file. ExecStartPre = mkBefore [("+"+pkgs.writeShellScript "${serviceName}-credentials" '' set -x - # Replace values begining with a '<' by the content of the file whose name is after. + # Replace values beginning with a '<' by the content of the file whose name is after. gawk '{ if (match($0,/^([^=]+=)<(.+)/,m)) { getline f < m[2]; print m[1] f } else print $0 }' ${configIni} | ${optionalString (!allowStripe) "gawk '!/^stripe-secret-key=/' |"} install -o ${srvCfg.user} -g root -m 400 /dev/stdin ${runDir}/config.ini diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix index aeefd657f4d02..ee4bf42183f93 100644 --- a/nixos/modules/services/misc/taskserver/default.nix +++ b/nixos/modules/services/misc/taskserver/default.nix @@ -145,7 +145,7 @@ in { in lib.mdDoc '' Whether to enable the Taskwarrior server. - More instructions about NixOS in conjuction with Taskserver can be + More instructions about NixOS in conjunction with Taskserver can be found [in the NixOS manual](${url}). ''; }; @@ -251,7 +251,7 @@ in { client id (such as `task 2.3.0`). The values `all` or `none` have - special meaning. Overidden by any entry in the option + special meaning. Overridden by any entry in the option {option}`services.taskserver.disallowedClientIDs`. ''; }; diff --git a/nixos/modules/services/monitoring/grafana-agent.nix b/nixos/modules/services/monitoring/grafana-agent.nix index ecb39a924f586..270d888afb781 100644 --- a/nixos/modules/services/monitoring/grafana-agent.nix +++ b/nixos/modules/services/monitoring/grafana-agent.nix @@ -16,7 +16,7 @@ in package = mkOption { type = types.package; default = pkgs.grafana-agent; - defaultText = "pkgs.grafana-agent"; + defaultText = lib.literalExpression "pkgs.grafana-agent"; description = lib.mdDoc "The grafana-agent package to use."; }; @@ -49,17 +49,19 @@ in }; default = { }; - defaultText = '' - metrics = { - wal_directory = "\''${STATE_DIRECTORY}"; - global.scrape_interval = "5s"; - }; - integrations = { - agent.enabled = true; - agent.scrape_integration = true; - node_exporter.enabled = true; - replace_instance_label = true; - }; + defaultText = lib.literalExpression '' + { + metrics = { + wal_directory = "\''${STATE_DIRECTORY}"; + global.scrape_interval = "5s"; + }; + integrations = { + agent.enabled = true; + agent.scrape_integration = true; + node_exporter.enabled = true; + replace_instance_label = true; + }; + } ''; example = { metrics.global.remote_write = [{ diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index 52d5cab9f5159..9cce4c71d964a 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -13,57 +13,96 @@ let settingsFormatIni = pkgs.formats.ini {}; configFile = settingsFormatIni.generate "config.ini" cfg.settings; - datasourceConfiguration = { - apiVersion = 1; - datasources = cfg.provision.datasources; - }; - - datasourceFileNew = if (cfg.provision.datasources.path == null) then provisioningSettingsFormat.generate "datasource.yaml" cfg.provision.datasources.settings else cfg.provision.datasources.path; - datasourceFile = if (builtins.isList cfg.provision.datasources) then provisioningSettingsFormat.generate "datasource.yaml" datasourceConfiguration else datasourceFileNew; - - dashboardConfiguration = { - apiVersion = 1; - providers = cfg.provision.dashboards; - }; - - dashboardFileNew = if (cfg.provision.dashboards.path == null) then provisioningSettingsFormat.generate "dashboard.yaml" cfg.provision.dashboards.settings else cfg.provision.dashboards.path; - dashboardFile = if (builtins.isList cfg.provision.dashboards) then provisioningSettingsFormat.generate "dashboard.yaml" dashboardConfiguration else dashboardFileNew; + mkProvisionCfg = name: attr: provisionCfg: + if provisionCfg.path != null + then provisionCfg.path + else + provisioningSettingsFormat.generate "${name}.yaml" + (if provisionCfg.settings != null + then provisionCfg.settings + else { + apiVersion = 1; + ${attr} = []; + }); + + datasourceFileOrDir = mkProvisionCfg "datasource" "datasources" cfg.provision.datasources; + dashboardFileOrDir = mkProvisionCfg "dashboard" "providers" cfg.provision.dashboards; notifierConfiguration = { apiVersion = 1; notifiers = cfg.provision.notifiers; }; - notifierFile = pkgs.writeText "notifier.yaml" (builtins.toJSON notifierConfiguration); + notifierFileOrDir = pkgs.writeText "notifier.yaml" (builtins.toJSON notifierConfiguration); generateAlertingProvisioningYaml = x: if (cfg.provision.alerting."${x}".path == null) then provisioningSettingsFormat.generate "${x}.yaml" cfg.provision.alerting."${x}".settings else cfg.provision.alerting."${x}".path; - rulesFile = generateAlertingProvisioningYaml "rules"; - contactPointsFile = generateAlertingProvisioningYaml "contactPoints"; - policiesFile = generateAlertingProvisioningYaml "policies"; - templatesFile = generateAlertingProvisioningYaml "templates"; - muteTimingsFile = generateAlertingProvisioningYaml "muteTimings"; - - provisionConfDir = pkgs.runCommand "grafana-provisioning" { } '' + rulesFileOrDir = generateAlertingProvisioningYaml "rules"; + contactPointsFileOrDir = generateAlertingProvisioningYaml "contactPoints"; + policiesFileOrDir = generateAlertingProvisioningYaml "policies"; + templatesFileOrDir = generateAlertingProvisioningYaml "templates"; + muteTimingsFileOrDir = generateAlertingProvisioningYaml "muteTimings"; + + ln = { src, dir, filename }: '' + if [[ -d "${src}" ]]; then + pushd $out/${dir} &>/dev/null + lndir "${src}" + popd &>/dev/null + else + ln -sf ${src} $out/${dir}/${filename}.yaml + fi + ''; + provisionConfDir = pkgs.runCommand "grafana-provisioning" { nativeBuildInputs = [ pkgs.xorg.lndir ]; } '' mkdir -p $out/{datasources,dashboards,notifiers,alerting} - ln -sf ${datasourceFile} $out/datasources/datasource.yaml - ln -sf ${dashboardFile} $out/dashboards/dashboard.yaml - ln -sf ${notifierFile} $out/notifiers/notifier.yaml - ln -sf ${rulesFile} $out/alerting/rules.yaml - ln -sf ${contactPointsFile} $out/alerting/contactPoints.yaml - ln -sf ${policiesFile} $out/alerting/policies.yaml - ln -sf ${templatesFile} $out/alerting/templates.yaml - ln -sf ${muteTimingsFile} $out/alerting/muteTimings.yaml + ${ln { src = datasourceFileOrDir; dir = "datasources"; filename = "datasource"; }} + ${ln { src = dashboardFileOrDir; dir = "dashboards"; filename = "dashbaord"; }} + ${ln { src = notifierFileOrDir; dir = "notifiers"; filename = "notifier"; }} + ${ln { src = rulesFileOrDir; dir = "alerting"; filename = "rules"; }} + ${ln { src = contactPointsFileOrDir; dir = "alerting"; filename = "contactPoints"; }} + ${ln { src = policiesFileOrDir; dir = "alerting"; filename = "policies"; }} + ${ln { src = templatesFileOrDir; dir = "alerting"; filename = "templates"; }} + ${ln { src = muteTimingsFileOrDir; dir = "alerting"; filename = "muteTimings"; }} ''; # Get a submodule without any embedded metadata: _filter = x: filterAttrs (k: v: k != "_module") x; + # FIXME(@Ma27) remove before 23.05. This is just a helper-type + # because `mkRenamedOptionModule` doesn't work if `foo.bar` is renamed + # to `foo.bar.baz`. + submodule' = module: types.coercedTo + (mkOptionType { + name = "grafana-provision-submodule"; + description = "Wrapper-type for backwards compat of Grafana's declarative provisioning"; + check = x: + if builtins.isList x then + throw '' + Provisioning dashboards and datasources declaratively by + setting `dashboards` or `datasources` to a list is not supported + anymore. Use `services.grafana.provision.datasources.settings.datasources` + (or `services.grafana.provision.dashboards.settings.providers`) instead. + '' + else isAttrs x || isFunction x; + }) + id + (types.submodule module); + # http://docs.grafana.org/administration/provisioning/#datasources grafanaTypes.datasourceConfig = types.submodule { freeformType = provisioningSettingsFormat.type; + imports = [ + (mkRemovedOptionModule [ "password" ] '' + `services.grafana.provision.datasources.settings.datasources.<name>.password` has been removed + in Grafana 9. Use `secureJsonData` instead. + '') + (mkRemovedOptionModule [ "basicAuthPassword" ] '' + `services.grafana.provision.datasources.settings.datasources.<name>.basicAuthPassword` has been removed + in Grafana 9. Use `secureJsonData` instead. + '') + ]; + options = { name = mkOption { type = types.str; @@ -93,28 +132,6 @@ let default = false; description = lib.mdDoc "Allow users to edit datasources from the UI."; }; - password = mkOption { - type = types.nullOr types.str; - default = null; - description = lib.mdDoc '' - Database password, if used. Please note that the contents of this option - will end up in a world-readable Nix store. Use the file provider - pointing at a reasonably secured file in the local filesystem - to work around that. Look at the documentation for details: - <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider> - ''; - }; - basicAuthPassword = mkOption { - type = types.nullOr types.str; - default = null; - description = lib.mdDoc '' - Basic auth password. Please note that the contents of this option - will end up in a world-readable Nix store. Use the file provider - pointing at a reasonably secured file in the local filesystem - to work around that. Look at the documentation for details: - <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider> - ''; - }; secureJsonData = mkOption { type = types.nullOr types.attrs; default = null; @@ -276,6 +293,10 @@ in { (mkRemovedOptionModule [ "services" "grafana" "auth" "google" "clientSecretFile" ] '' This option has been removed. Use 'services.grafana.settings.google.client_secret' with file provider instead. '') + (mkRemovedOptionModule [ "services" "grafana" "extraOptions" ] '' + This option has been removed. Use 'services.grafana.settings' instead. For a detailed migration guide, please + review the release notes of NixOS 22.11. + '') (mkRemovedOptionModule [ "services" "grafana" "auth" "azuread" "tenantId" ] "This option has been deprecated upstream.") ]; @@ -330,19 +351,7 @@ in { Don't change the value of this option if you are planning to use `services.grafana.provision` options. ''; default = provisionConfDir; - defaultText = literalExpression '' - pkgs.runCommand "grafana-provisioning" { } \'\' - mkdir -p $out/{datasources,dashboards,notifiers,alerting} - ln -sf ''${datasourceFile} $out/datasources/datasource.yaml - ln -sf ''${dashboardFile} $out/dashboards/dashboard.yaml - ln -sf ''${notifierFile} $out/notifiers/notifier.yaml - ln -sf ''${rulesFile} $out/alerting/rules.yaml - ln -sf ''${contactPointsFile} $out/alerting/contactPoints.yaml - ln -sf ''${policiesFile} $out/alerting/policies.yaml - ln -sf ''${templatesFile} $out/alerting/templates.yaml - ln -sf ''${muteTimingsFile} $out/alerting/muteTimings.yaml - \'\' - ''; + defaultText = "directory with links to files generated from services.grafana.provision"; type = types.path; }; }; @@ -355,9 +364,15 @@ in { }; http_addr = mkOption { - description = lib.mdDoc "Listening address."; - default = ""; type = types.str; + default = "127.0.0.1"; + description = lib.mdDoc '' + Listening address. + + ::: {.note} + This setting intentionally varies from upstream's default to be a bit more secure by default. + ::: + ''; }; http_port = mkOption { @@ -546,7 +561,7 @@ in { auto_assign_org_role = mkOption { description = lib.mdDoc "Default role new users will be auto assigned."; default = "Viewer"; - type = types.enum ["Viewer" "Editor"]; + type = types.enum ["Viewer" "Editor" "Admin"]; }; }; @@ -564,17 +579,14 @@ in { datasources = mkOption { description = lib.mdDoc '' - Deprecated option for Grafana datasource configuration. Use either - `services.grafana.provision.datasources.settings` or - `services.grafana.provision.datasources.path` instead. + Declaratively provision Grafana's datasources. ''; - default = []; - apply = x: if (builtins.isList x) then map _filter x else x; - type = with types; either (listOf grafanaTypes.datasourceConfig) (submodule { + default = {}; + type = submodule' { options.settings = mkOption { description = lib.mdDoc '' Grafana datasource configuration in Nix. Can't be used with - `services.grafana.provision.datasources.path` simultaneously. See + [](#opt-services.grafana.provision.datasources.path) simultaneously. See <https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources> for supported options. ''; @@ -591,6 +603,7 @@ in { description = lib.mdDoc "List of datasources to insert/update."; default = []; type = types.listOf grafanaTypes.datasourceConfig; + apply = map (flip builtins.removeAttrs [ "password" "basicAuthPassword" ]); }; deleteDatasources = mkOption { @@ -630,28 +643,26 @@ in { options.path = mkOption { description = lib.mdDoc '' Path to YAML datasource configuration. Can't be used with - `services.grafana.provision.datasources.settings` simultaneously. + [](#opt-services.grafana.provision.datasources.settings) simultaneously. + Can be either a directory or a single YAML file. Will end up in the store. ''; default = null; type = types.nullOr types.path; }; - }); + }; }; dashboards = mkOption { description = lib.mdDoc '' - Deprecated option for Grafana dashboard configuration. Use either - `services.grafana.provision.dashboards.settings` or - `services.grafana.provision.dashboards.path` instead. + Declaratively provision Grafana's dashboards. ''; - default = []; - apply = x: if (builtins.isList x) then map _filter x else x; - type = with types; either (listOf grafanaTypes.dashboardConfig) (submodule { + default = {}; + type = submodule' { options.settings = mkOption { description = lib.mdDoc '' Grafana dashboard configuration in Nix. Can't be used with - `services.grafana.provision.dashboards.path` simultaneously. See + [](#opt-services.grafana.provision.dashboards.path) simultaneously. See <https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards> for supported options. ''; @@ -684,12 +695,13 @@ in { options.path = mkOption { description = lib.mdDoc '' Path to YAML dashboard configuration. Can't be used with - `services.grafana.provision.dashboards.settings` simultaneously. + [](#opt-services.grafana.provision.dashboards.settings) simultaneously. + Can be either a directory or a single YAML file. Will end up in the store. ''; default = null; type = types.nullOr types.path; }; - }); + }; }; @@ -706,7 +718,8 @@ in { path = mkOption { description = lib.mdDoc '' Path to YAML rules configuration. Can't be used with - `services.grafana.provision.alerting.rules.settings` simultaneously. + [](#opt-services.grafana.provision.alerting.rules.settings) simultaneously. + Can be either a directory or a single YAML file. Will end up in the store. ''; default = null; type = types.nullOr types.path; @@ -715,7 +728,7 @@ in { settings = mkOption { description = lib.mdDoc '' Grafana rules configuration in Nix. Can't be used with - `services.grafana.provision.alerting.rules.path` simultaneously. See + [](#opt-services.grafana.provision.alerting.rules.path) simultaneously. See <https://grafana.com/docs/grafana/latest/administration/provisioning/#rules> for supported options. ''; @@ -829,7 +842,8 @@ in { path = mkOption { description = lib.mdDoc '' Path to YAML contact points configuration. Can't be used with - `services.grafana.provision.alerting.contactPoints.settings` simultaneously. + [](#opt-services.grafana.provision.alerting.contactPoints.settings) simultaneously. + Can be either a directory or a single YAML file. Will end up in the store. ''; default = null; type = types.nullOr types.path; @@ -838,7 +852,7 @@ in { settings = mkOption { description = lib.mdDoc '' Grafana contact points configuration in Nix. Can't be used with - `services.grafana.provision.alerting.contactPoints.path` simultaneously. See + [](#opt-services.grafana.provision.alerting.contactPoints.path) simultaneously. See <https://grafana.com/docs/grafana/latest/administration/provisioning/#contact-points> for supported options. ''; @@ -852,7 +866,7 @@ in { }; contactPoints = mkOption { - description = lib.mdDoc "List of contact points to import or update. Please note that sensitive data will end up in world-readable Nix store."; + description = lib.mdDoc "List of contact points to import or update."; default = []; type = types.listOf (types.submodule { freeformType = provisioningSettingsFormat.type; @@ -909,7 +923,8 @@ in { path = mkOption { description = lib.mdDoc '' Path to YAML notification policies configuration. Can't be used with - `services.grafana.provision.alerting.policies.settings` simultaneously. + [](#opt-services.grafana.provision.alerting.policies.settings) simultaneously. + Can be either a directory or a single YAML file. Will end up in the store. ''; default = null; type = types.nullOr types.path; @@ -918,7 +933,7 @@ in { settings = mkOption { description = lib.mdDoc '' Grafana notification policies configuration in Nix. Can't be used with - `services.grafana.provision.alerting.policies.path` simultaneously. See + [](#opt-services.grafana.provision.alerting.policies.path) simultaneously. See <https://grafana.com/docs/grafana/latest/administration/provisioning/#notification-policies> for supported options. ''; @@ -978,7 +993,8 @@ in { path = mkOption { description = lib.mdDoc '' Path to YAML templates configuration. Can't be used with - `services.grafana.provision.alerting.templates.settings` simultaneously. + [](#opt-services.grafana.provision.alerting.templates.settings) simultaneously. + Can be either a directory or a single YAML file. Will end up in the store. ''; default = null; type = types.nullOr types.path; @@ -987,7 +1003,7 @@ in { settings = mkOption { description = lib.mdDoc '' Grafana templates configuration in Nix. Can't be used with - `services.grafana.provision.alerting.templates.path` simultaneously. See + [](#opt-services.grafana.provision.alerting.templates.path) simultaneously. See <https://grafana.com/docs/grafana/latest/administration/provisioning/#templates> for supported options. ''; @@ -1059,7 +1075,8 @@ in { path = mkOption { description = lib.mdDoc '' Path to YAML mute timings configuration. Can't be used with - `services.grafana.provision.alerting.muteTimings.settings` simultaneously. + [](#opt-services.grafana.provision.alerting.muteTimings.settings) simultaneously. + Can be either a directory or a single YAML file. Will end up in the store. ''; default = null; type = types.nullOr types.path; @@ -1068,7 +1085,7 @@ in { settings = mkOption { description = lib.mdDoc '' Grafana mute timings configuration in Nix. Can't be used with - `services.grafana.provision.alerting.muteTimings.path` simultaneously. See + [](#opt-services.grafana.provision.alerting.muteTimings.path) simultaneously. See <https://grafana.com/docs/grafana/latest/administration/provisioning/#mute-timings> for supported options. ''; @@ -1159,52 +1176,50 @@ in { config = mkIf cfg.enable { warnings = let - usesFileProvider = opt: defaultValue: builtins.match "^${defaultValue}$|^\\$__file\\{.*}$" opt != null; - in flatten [ - (optional ( - ! usesFileProvider cfg.settings.database.password "" || - ! usesFileProvider cfg.settings.security.admin_password "admin" - ) "Grafana passwords will be stored as plaintext in the Nix store! Use file provider instead.") - (optional ( + doesntUseFileProvider = opt: defaultValue: let - checkOpts = opt: any (x: x.password != null || x.basicAuthPassword != null || x.secureJsonData != null) opt; - datasourcesUsed = if (cfg.provision.datasources.settings == null) then [] else cfg.provision.datasources.settings.datasources; - in if (builtins.isList cfg.provision.datasources) then checkOpts cfg.provision.datasources else checkOpts datasourcesUsed - ) '' - Datasource passwords will be stored as plaintext in the Nix store! - It is not possible to use file provider in provisioning; please provision - datasources via `services.grafana.provision.datasources.path` instead. - '') - (optional ( - any (x: x.secure_settings != null) cfg.provision.notifiers - ) "Notifier secure settings will be stored as plaintext in the Nix store! Use file provider instead.") + regex = "${optionalString (defaultValue != null) "^${defaultValue}$|"}^\\$__(file|env)\\{.*}$|^\\$[^_\\$][^ ]+$"; + in builtins.match regex opt == null; + in + # Ensure that no custom credentials are leaked into the Nix store. Unless the default value + # is specified, this can be achieved by using the file/env provider: + # https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion (optional ( - builtins.isList cfg.provision.datasources && cfg.provision.datasources != [] + doesntUseFileProvider cfg.settings.database.password "" || + doesntUseFileProvider cfg.settings.security.admin_password "admin" ) '' - Provisioning Grafana datasources with options has been deprecated. - Use `services.grafana.provision.datasources.settings` or - `services.grafana.provision.datasources.path` instead. - '') - (optional ( - builtins.isList cfg.provision.datasources && cfg.provision.dashboards != [] + Grafana passwords will be stored as plaintext in the Nix store! + Use file provider or an env-var instead. + '') + # Warn about deprecated notifiers. + ++ (optional (cfg.provision.notifiers != []) '' + Notifiers are deprecated upstream and will be removed in Grafana 10. + Use `services.grafana.provision.alerting.contactPoints` instead. + '') + # Ensure that `secureJsonData` of datasources provisioned via `datasources.settings` + # only uses file/env providers. + ++ (optional ( + let + datasourcesToCheck = optionals + (cfg.provision.datasources.settings != null) + cfg.provision.datasources.settings.datasources; + declarationUnsafe = { secureJsonData, ... }: + secureJsonData != null + && any (flip doesntUseFileProvider null) (attrValues secureJsonData); + in any declarationUnsafe datasourcesToCheck ) '' - Provisioning Grafana dashboards with options has been deprecated. - Use `services.grafana.provision.dashboards.settings` or - `services.grafana.provision.dashboards.path` instead. - '') - (optional ( - cfg.provision.notifiers != [] - ) '' - Notifiers are deprecated upstream and will be removed in Grafana 10. - Use `services.grafana.provision.alerting.contactPoints` instead. - '') - ]; + Declarations in the `secureJsonData`-block of a datasource will be leaked to the + Nix store unless a file-provider or an env-var is used! + '') + ++ (optional ( + any (x: x.secure_settings != null) cfg.provision.notifiers + ) "Notifier secure settings will be stored as plaintext in the Nix store! Use file provider instead."); environment.systemPackages = [ cfg.package ]; assertions = [ { - assertion = if (builtins.isList cfg.provision.datasources) then true else cfg.provision.datasources.settings == null || cfg.provision.datasources.path == null; + assertion = cfg.provision.datasources.settings == null || cfg.provision.datasources.path == null; message = "Cannot set both datasources settings and datasources path"; } { @@ -1213,12 +1228,11 @@ in { ({ type, access, ... }: type == "prometheus" -> access != "direct") opt; in - if (builtins.isList cfg.provision.datasources) then prometheusIsNotDirect cfg.provision.datasources - else cfg.provision.datasources.settings == null || prometheusIsNotDirect cfg.provision.datasources.settings.datasources; + cfg.provision.datasources.settings == null || prometheusIsNotDirect cfg.provision.datasources.settings.datasources; message = "For datasources of type `prometheus`, the `direct` access mode is not supported anymore (since Grafana 9.2.0)"; } { - assertion = if (builtins.isList cfg.provision.dashboards) then true else cfg.provision.dashboards.settings == null || cfg.provision.dashboards.path == null; + assertion = cfg.provision.dashboards.settings == null || cfg.provision.dashboards.path == null; message = "Cannot set both dashboards settings and dashboards path"; } { @@ -1283,7 +1297,10 @@ in { SystemCallArchitectures = "native"; # Upstream grafana is not setting SystemCallFilter for compatibility # reasons, see https://github.com/grafana/grafana/pull/40176 - SystemCallFilter = [ "@system-service" "~@privileged" ]; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ] ++ lib.optional (cfg.settings.server.protocol == "socket") [ "@chown" ]; UMask = "0027"; }; preStart = '' diff --git a/nixos/modules/services/monitoring/graphite.nix b/nixos/modules/services/monitoring/graphite.nix index 8edb2ca099749..65c91b8f79bb6 100644 --- a/nixos/modules/services/monitoring/graphite.nix +++ b/nixos/modules/services/monitoring/graphite.nix @@ -94,7 +94,7 @@ in { port = mkOption { description = lib.mdDoc "Graphite web frontend port."; default = 8080; - type = types.int; + type = types.port; }; extraConfig = mkOption { @@ -154,14 +154,14 @@ in { }; blacklist = mkOption { - description = lib.mdDoc "Any metrics received which match one of the experssions will be dropped."; + description = lib.mdDoc "Any metrics received which match one of the expressions will be dropped."; default = null; type = types.nullOr types.str; example = "^some\\.noisy\\.metric\\.prefix\\..*"; }; whitelist = mkOption { - description = lib.mdDoc "Only metrics received which match one of the experssions will be persisted."; + description = lib.mdDoc "Only metrics received which match one of the expressions will be persisted."; default = null; type = types.nullOr types.str; example = ".*"; @@ -225,7 +225,7 @@ in { port = mkOption { description = lib.mdDoc "Seyren listening port."; default = 8081; - type = types.int; + type = types.port; }; seyrenUrl = mkOption { diff --git a/nixos/modules/services/monitoring/kapacitor.nix b/nixos/modules/services/monitoring/kapacitor.nix index 61529c2e45264..727b694047b41 100644 --- a/nixos/modules/services/monitoring/kapacitor.nix +++ b/nixos/modules/services/monitoring/kapacitor.nix @@ -66,7 +66,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 9092; description = lib.mdDoc "Port of Kapacitor"; }; diff --git a/nixos/modules/services/monitoring/parsedmarc.md b/nixos/modules/services/monitoring/parsedmarc.md index d93134a4cc767..5a17f79da5d46 100644 --- a/nixos/modules/services/monitoring/parsedmarc.md +++ b/nixos/modules/services/monitoring/parsedmarc.md @@ -17,7 +17,6 @@ services.parsedmarc = { host = "imap.example.com"; user = "alice@example.com"; password = "/path/to/imap_password_file"; - watch = true; }; provision.geoIp = false; # Not recommended! }; diff --git a/nixos/modules/services/monitoring/parsedmarc.nix b/nixos/modules/services/monitoring/parsedmarc.nix index 3540d91fc9f37..40c76b804559c 100644 --- a/nixos/modules/services/monitoring/parsedmarc.nix +++ b/nixos/modules/services/monitoring/parsedmarc.nix @@ -123,7 +123,10 @@ in host = "imap.example.com"; user = "alice@example.com"; password = { _secret = "/run/keys/imap_password" }; + }; + mailbox = { watch = true; + batch_size = 30; }; splunk_hec = { url = "https://splunkhec.example.com"; @@ -170,6 +173,24 @@ in }; }; + mailbox = { + watch = lib.mkOption { + type = lib.types.bool; + default = true; + description = lib.mdDoc '' + Use the IMAP IDLE command to process messages as they arrive. + ''; + }; + + delete = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc '' + Delete messages after processing them, instead of archiving them. + ''; + }; + }; + imap = { host = lib.mkOption { type = lib.types.str; @@ -216,22 +237,6 @@ in ''; apply = x: if isAttrs x || x == null then x else { _secret = x; }; }; - - watch = lib.mkOption { - type = lib.types.bool; - default = true; - description = lib.mdDoc '' - Use the IMAP IDLE command to process messages as they arrive. - ''; - }; - - delete = lib.mkOption { - type = lib.types.bool; - default = false; - description = lib.mdDoc '' - Delete messages after processing them, instead of archiving them. - ''; - }; }; smtp = { @@ -360,6 +365,13 @@ in config = lib.mkIf cfg.enable { + warnings = let + deprecationWarning = optname: "Starting in 8.0.0, the `${optname}` option has been moved from the `services.parsedmarc.settings.imap`" + + "configuration section to the `services.parsedmarc.settings.mailbox` configuration section."; + hasImapOpt = lib.flip builtins.hasAttr cfg.settings.imap; + movedOptions = [ "reports_folder" "archive_folder" "watch" "delete" "test" "batch_size" ]; + in builtins.map deprecationWarning (builtins.filter hasImapOpt movedOptions); + services.elasticsearch.enable = lib.mkDefault cfg.provision.elasticsearch; services.geoipupdate = lib.mkIf cfg.provision.geoIp { @@ -444,6 +456,8 @@ in ssl = false; user = cfg.provision.localMail.recipientName; password = "${pkgs.writeText "imap-password" "@imap-password@"}"; + }; + mailbox = { watch = true; }; }) diff --git a/nixos/modules/services/monitoring/parsedmarc.xml b/nixos/modules/services/monitoring/parsedmarc.xml index 7167b52d0357d..b6a4bcf8ff5a5 100644 --- a/nixos/modules/services/monitoring/parsedmarc.xml +++ b/nixos/modules/services/monitoring/parsedmarc.xml @@ -15,14 +15,13 @@ email address and saves them to a local Elasticsearch instance looks like this: </para> - <programlisting language="bash"> + <programlisting> services.parsedmarc = { enable = true; settings.imap = { host = "imap.example.com"; user = "alice@example.com"; password = "/path/to/imap_password_file"; - watch = true; }; provision.geoIp = false; # Not recommended! }; @@ -45,7 +44,7 @@ services.parsedmarc = { email address that should be configured in the domain’s dmarc policy is <literal>dmarc@monitoring.example.com</literal>. </para> - <programlisting language="bash"> + <programlisting> services.parsedmarc = { enable = true; provision = { @@ -68,7 +67,7 @@ services.parsedmarc = { Elasticsearch instance is automatically added as a Grafana datasource, and the dashboard is added to Grafana as well. </para> - <programlisting language="bash"> + <programlisting> services.parsedmarc = { enable = true; provision = { diff --git a/nixos/modules/services/monitoring/prometheus/alertmanager.nix b/nixos/modules/services/monitoring/prometheus/alertmanager.nix index ee2533ef1213f..0c0931d3d295a 100644 --- a/nixos/modules/services/monitoring/prometheus/alertmanager.nix +++ b/nixos/modules/services/monitoring/prometheus/alertmanager.nix @@ -34,7 +34,7 @@ in { (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "group" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a group setting.") (mkRemovedOptionModule [ "services" "prometheus" "alertmanagerURL" ] '' Due to incompatibility, the alertmanagerURL option has been removed, - please use 'services.prometheus2.alertmanagers' instead. + please use 'services.prometheus.alertmanagers' instead. '') ]; @@ -107,7 +107,7 @@ in { }; port = mkOption { - type = types.int; + type = types.port; default = 9093; description = lib.mdDoc '' Port to listen on for the web interface and API. diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index f6bae8f9e9652..f516b75ab10fb 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -3,7 +3,7 @@ with lib; let - json = pkgs.formats.json { }; + yaml = pkgs.formats.yaml { }; cfg = config.services.prometheus; checkConfigEnabled = (lib.isBool cfg.checkConfig && cfg.checkConfig) @@ -11,8 +11,6 @@ let workingDir = "/var/lib/" + cfg.stateDir; - prometheusYmlOut = "${workingDir}/prometheus-substituted.yaml"; - triggerReload = pkgs.writeShellScriptBin "trigger-reload-prometheus" '' PATH="${makeBinPath (with pkgs; [ systemd ])}" if systemctl -q is-active prometheus.service; then @@ -38,7 +36,7 @@ let promtool ${what} $out '' else file; - generatedPrometheusYml = json.generate "prometheus.yml" promConfig; + generatedPrometheusYml = yaml.generate "prometheus.yml" promConfig; # This becomes the main config file for Prometheus promConfig = { @@ -73,7 +71,8 @@ let "--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}" "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}" ] ++ optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}" - ++ optional (cfg.retentionTime != null) "--storage.tsdb.retention.time=${cfg.retentionTime}"; + ++ optional (cfg.retentionTime != null) "--storage.tsdb.retention.time=${cfg.retentionTime}" + ++ optional (cfg.webConfigFile != null) "--web.config.file=${cfg.webConfigFile}"; filterValidPrometheus = filterAttrsListRecursive (n: v: !(n == "_module" || v == null)); filterAttrsListRecursive = pred: x: @@ -1719,6 +1718,15 @@ in ''; }; + webConfigFile = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc '' + Specifies which file should be used as web.config.file and be passed on startup. + See https://prometheus.io/docs/prometheus/latest/configuration/https/ for valid options. + ''; + }; + checkConfig = mkOption { type = with types; either bool (enum [ "syntax-only" ]); default = true; diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index 8826d80a70c74..f3fbfb149ad77 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -51,6 +51,7 @@ let "nginx" "nginxlog" "node" + "nut" "openldap" "openvpn" "pihole" @@ -67,12 +68,13 @@ let "smartctl" "smokeping" "sql" + "statsd" "surfboard" "systemd" "tor" "unbound" "unifi" - "unifi-poller" + "unpoller" "v2ray" "varnish" "wireguard" @@ -229,6 +231,10 @@ in options.services.prometheus.exporters = mkOption { type = types.submodule { options = (mkSubModules); + imports = [ + ../../../misc/assertions.nix + (lib.mkRenamedOptionModule [ "unifi-poller" ] [ "unpoller" ]) + ]; }; description = lib.mdDoc "Prometheus exporter configuration"; default = {}; @@ -292,13 +298,14 @@ in Please specify either 'services.prometheus.exporters.sql.configuration' or 'services.prometheus.exporters.sql.configFile' ''; - } ] ++ (flip map (attrNames cfg) (exporter: { + } ] ++ (flip map (attrNames exporterOpts) (exporter: { assertion = cfg.${exporter}.firewallFilter != null -> cfg.${exporter}.openFirewall; message = '' The `firewallFilter'-option of exporter ${exporter} doesn't have any effect unless `openFirewall' is set to `true'! ''; - })); + })) ++ config.services.prometheus.exporters.assertions; + warnings = config.services.prometheus.exporters.warnings; }] ++ [(mkIf config.services.minio.enable { services.prometheus.exporters.minio.minioAddress = mkDefault "http://localhost:9000"; services.prometheus.exporters.minio.minioAccessKey = mkDefault config.services.minio.accessKey; diff --git a/nixos/modules/services/monitoring/prometheus/exporters.xml b/nixos/modules/services/monitoring/prometheus/exporters.xml index 1df88bb61a12d..e922e1ace8d0a 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.xml +++ b/nixos/modules/services/monitoring/prometheus/exporters.xml @@ -37,7 +37,7 @@ by default</link>, via http under <literal>/metrics</literal>. In this example the firewall should just allow incoming connections to the exporter's port on the bridge interface <literal>br0</literal> (this would - have to be configured seperately of course). For more information about + have to be configured separately of course). For more information about configuration see <literal>man configuration.nix</literal> or search through the <link xlink:href="https://nixos.org/nixos/options.html#prometheus.exporters">available @@ -179,7 +179,7 @@ in # for the exporter's systemd service. One of # `serviceOpts.script` and `serviceOpts.serviceConfig.ExecStart` # has to be specified here. This will be merged with the default - # service confiuration. + # service configuration. # Note that by default 'DynamicUser' is 'true'. serviceOpts = { serviceConfig = { diff --git a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix index d9eedd237c8b5..0c2de683ecf72 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix @@ -18,7 +18,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 25826; description = lib.mdDoc "Network address on which to accept collectd binary network packets."; }; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/nginxlog.nix b/nixos/modules/services/monitoring/prometheus/exporters/nginxlog.nix index 9e507423c7d61..674dc9dd41581 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/nginxlog.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/nginxlog.nix @@ -17,7 +17,7 @@ in { settings that can all be used here: https://github.com/martin-helmich/prometheus-nginxlog-exporter The `listen` object is already generated by `port`, `listenAddress` and `metricsEndpoint` and - will be merged with the value of `settings` before writting it as JSON. + will be merged with the value of `settings` before writing it as JSON. ''; }; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/nut.nix b/nixos/modules/services/monitoring/prometheus/exporters/nut.nix new file mode 100644 index 0000000000000..1c86b48b4509b --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/nut.nix @@ -0,0 +1,50 @@ +{ config, lib, pkgs, options }: + +with lib; + +let + cfg = config.services.prometheus.exporters.nut; +in +{ + port = 9199; + extraOpts = { + nutServer = mkOption { + type = types.str; + default = "127.0.0.1"; + description = lib.mdDoc '' + Hostname or address of the NUT server + ''; + }; + nutUser = mkOption { + type = types.str; + default = ""; + example = "nut"; + description = lib.mdDoc '' + The user to log in into NUT server. If set, passwordPath should + also be set. + + Default NUT configs usually permit reading variables without + authentication. + ''; + }; + passwordPath = mkOption { + type = types.nullOr types.path; + default = null; + apply = final: if final == null then null else toString final; + description = lib.mdDoc '' + A run-time path to the nutUser password file, which should be + provisioned outside of Nix store. + ''; + }; + }; + serviceOpts = { + script = '' + ${optionalString (cfg.passwordPath != null) + "export NUT_EXPORTER_PASSWORD=$(cat ${toString cfg.passwordPath})"} + ${pkgs.prometheus-nut-exporter}/bin/nut_exporter \ + --nut.server=${cfg.nutServer} \ + --web.listen-address="${cfg.listenAddress}:${toString cfg.port}" \ + ${optionalString (cfg.nutUser != "") "--nut.username=${cfg.nutUser}"} + ''; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/pve.nix b/nixos/modules/services/monitoring/prometheus/exporters/pve.nix index 8e2573d084bc5..e02acad3ecd1d 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/pve.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/pve.nix @@ -10,7 +10,7 @@ let text = "default:"; }; - computedConfigFile = "${if cfg.configFile == null then emptyConfigFile else cfg.configFile}"; + computedConfigFile = if cfg.configFile == null then emptyConfigFile else cfg.configFile; in { port = 9221; @@ -100,6 +100,8 @@ in }; serviceOpts = { serviceConfig = { + DynamicUser = cfg.environmentFile == null; + LoadCredential = "configFile:${computedConfigFile}"; ExecStart = '' ${cfg.package}/bin/pve_exporter \ --${if cfg.collectors.status == true then "" else "no-"}collector.status \ @@ -108,11 +110,11 @@ in --${if cfg.collectors.cluster == true then "" else "no-"}collector.cluster \ --${if cfg.collectors.resources == true then "" else "no-"}collector.resources \ --${if cfg.collectors.config == true then "" else "no-"}collector.config \ - ${computedConfigFile} \ + %d/configFile \ ${toString cfg.port} ${cfg.listenAddress} ''; } // optionalAttrs (cfg.environmentFile != null) { - EnvironmentFile = cfg.environmentFile; + EnvironmentFile = cfg.environmentFile; }; }; } diff --git a/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix b/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix index df424ede6066b..0c5648c14149d 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix @@ -4,16 +4,12 @@ with lib; let cfg = config.services.prometheus.exporters.smartctl; - format = pkgs.formats.yaml {}; - configFile = format.generate "smartctl-exporter.yml" { - smartctl_exporter = { - bind_to = "${cfg.listenAddress}:${toString cfg.port}"; - url_path = "/metrics"; - smartctl_location = "${pkgs.smartmontools}/bin/smartctl"; - collect_not_more_than_period = cfg.maxInterval; - devices = cfg.devices; - }; - }; + args = concatStrings [ + "--web.listen-address=\"${cfg.listenAddress}:${toString cfg.port}\" " + "--smartctl.path=\"${pkgs.smartmontools}/bin/smartctl\" " + "--smartctl.interval=\"${cfg.maxInterval}\" " + "${concatMapStringsSep " " (device: "--smartctl.device=${device}") cfg.devices}" + ]; in { port = 9633; @@ -50,17 +46,13 @@ in { "CAP_SYS_ADMIN" ]; DevicePolicy = "closed"; - DeviceAllow = lib.mkOverride 50 ( - if cfg.devices != [] then - cfg.devices - else [ - "block-blkext rw" - "block-sd rw" - "char-nvme rw" - ] - ); + DeviceAllow = lib.mkOverride 50 [ + "block-blkext rw" + "block-sd rw" + "char-nvme rw" + ]; ExecStart = '' - ${pkgs.prometheus-smartctl-exporter}/bin/smartctl_exporter -config ${configFile} + ${pkgs.prometheus-smartctl-exporter}/bin/smartctl_exporter ${args} ''; PrivateDevices = lib.mkForce false; ProtectProc = "invisible"; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/statsd.nix b/nixos/modules/services/monitoring/prometheus/exporters/statsd.nix new file mode 100644 index 0000000000000..d9d732d8c125a --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/statsd.nix @@ -0,0 +1,19 @@ +{ config, lib, pkgs, options }: + +with lib; + +let + cfg = config.services.prometheus.exporters.statsd; +in +{ + port = 9102; + serviceOpts = { + serviceConfig = { + ExecStart = '' + ${pkgs.prometheus-statsd-exporter}/bin/statsd_exporter \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/unifi-poller.nix b/nixos/modules/services/monitoring/prometheus/exporters/unpoller.nix index d1c82b2fd1c22..5cd1e2c65e906 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/unifi-poller.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/unpoller.nix @@ -3,12 +3,13 @@ with lib; let - cfg = config.services.prometheus.exporters.unifi-poller; + cfg = config.services.prometheus.exporters.unpoller; - configFile = pkgs.writeText "prometheus-unifi-poller-exporter.json" (generators.toJSON {} { + configFile = pkgs.writeText "prometheus-unpoller-exporter.json" (generators.toJSON {} { poller = { inherit (cfg.log) debug quiet; }; unifi = { inherit (cfg) controllers; }; influxdb.disable = true; + datadog.disable = true; # workaround for https://github.com/unpoller/unpoller/issues/442 prometheus = { http_listen = "${cfg.listenAddress}:${toString cfg.port}"; report_errors = cfg.log.prometheusErrors; @@ -20,8 +21,8 @@ in { port = 9130; extraOpts = { - inherit (options.services.unifi-poller.unifi) controllers; - inherit (options.services.unifi-poller) loki; + inherit (options.services.unpoller.unifi) controllers; + inherit (options.services.unpoller) loki; log = { debug = mkEnableOption (lib.mdDoc "debug logging including line numbers, high resolution timestamps, per-device logs."); quiet = mkEnableOption (lib.mdDoc "startup and error logs only."); @@ -30,7 +31,7 @@ in { }; serviceOpts.serviceConfig = { - ExecStart = "${pkgs.unifi-poller}/bin/unifi-poller --config ${configFile}"; + ExecStart = "${pkgs.unpoller}/bin/unpoller --config ${configFile}"; DynamicUser = false; }; } diff --git a/nixos/modules/services/monitoring/thanos.nix b/nixos/modules/services/monitoring/thanos.nix index 41462da4ff4c4..e6d8afc66624f 100644 --- a/nixos/modules/services/monitoring/thanos.nix +++ b/nixos/modules/services/monitoring/thanos.nix @@ -300,7 +300,7 @@ let max-time = mkParamDef types.str "9999-12-31T23:59:59Z" '' End of time range limit to serve. - Thanos Store serves only blocks, which happened eariler than this + Thanos Store serves only blocks, which happened earlier than this value. Option can be a constant time in RFC3339 format or time duration relative to current time, such as -1d or 2h45m. Valid duration units are ms, s, m, h, d, w, y. diff --git a/nixos/modules/services/monitoring/tremor-rs.nix b/nixos/modules/services/monitoring/tremor-rs.nix new file mode 100644 index 0000000000000..213e8a474868c --- /dev/null +++ b/nixos/modules/services/monitoring/tremor-rs.nix @@ -0,0 +1,129 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + + cfg = config.services.tremor-rs; + + loggerSettingsFormat = pkgs.formats.yaml { }; + loggerConfigFile = loggerSettingsFormat.generate "logger.yaml" cfg.loggerSettings; +in { + + options = { + services.tremor-rs = { + enable = lib.mkEnableOption (lib.mdDoc "Tremor event- or stream-processing system"); + + troyFileList = mkOption { + type = types.listOf types.path; + default = []; + description = lib.mdDoc "List of troy files to load."; + }; + + tremorLibDir = mkOption { + type = types.path; + default = ""; + description = lib.mdDoc "Directory where to find /lib containing tremor script files"; + }; + + host = mkOption { + type = types.str; + default = "127.0.0.1"; + description = lib.mdDoc "The host tremor should be listening on"; + }; + + port = mkOption { + type = types.port; + default = 9898; + description = lib.mdDoc "the port tremor should be listening on"; + }; + + loggerSettings = mkOption { + description = lib.mdDoc "Tremor logger configuration"; + default = {}; + type = loggerSettingsFormat.type; + + example = { + refresh_rate = "30 seconds"; + appenders.stdout.kind = "console"; + root = { + level = "warn"; + appenders = [ "stdout" ]; + }; + loggers = { + tremor_runtime = { + level = "debug"; + appenders = [ "stdout" ]; + additive = false; + }; + tremor = { + level = "debug"; + appenders = [ "stdout" ]; + additive = false; + }; + }; + }; + + defaultText = literalExpression '' + { + refresh_rate = "30 seconds"; + appenders.stdout.kind = "console"; + root = { + level = "warn"; + appenders = [ "stdout" ]; + }; + loggers = { + tremor_runtime = { + level = "debug"; + appenders = [ "stdout" ]; + additive = false; + }; + tremor = { + level = "debug"; + appenders = [ "stdout" ]; + additive = false; + }; + }; + } + ''; + + }; + }; + }; + + config = mkIf (cfg.enable) { + + environment.systemPackages = [ pkgs.tremor-rs ] ; + + systemd.services.tremor-rs = { + description = "Tremor event- or stream-processing system"; + wantedBy = [ "multi-user.target" ]; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + environment.TREMOR_PATH = "${pkgs.tremor-rs}/lib:${cfg.tremorLibDir}"; + + serviceConfig = { + ExecStart = "${pkgs.tremor-rs}/bin/tremor --logger-config ${loggerConfigFile} server run ${concatStringsSep " " cfg.troyFileList} --api-host ${cfg.host}:${toString cfg.port}"; + DynamicUser = true; + Restart = "always"; + NoNewPrivileges = true; + PrivateTmp = true; + ProtectHome = true; + ProtectClock = true; + ProtectProc = "noaccess"; + ProcSubset = "pid"; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + ProtectHostname = true; + RestrictSUIDSGID = true; + RestrictRealtime = true; + RestrictNamespaces = true; + LockPersonality = true; + RemoveIPC = true; + SystemCallFilter = [ "@system-service" "~@privileged" ]; + }; + }; + }; +} diff --git a/nixos/modules/services/monitoring/unifi-poller.nix b/nixos/modules/services/monitoring/unpoller.nix index b30e28a3ecc93..f0ced5513d64b 100644 --- a/nixos/modules/services/monitoring/unifi-poller.nix +++ b/nixos/modules/services/monitoring/unpoller.nix @@ -3,15 +3,19 @@ with lib; let - cfg = config.services.unifi-poller; + cfg = config.services.unpoller; - configFile = pkgs.writeText "unifi-poller.json" (generators.toJSON {} { + configFile = pkgs.writeText "unpoller.json" (generators.toJSON {} { inherit (cfg) poller influxdb loki prometheus unifi; }); in { - options.services.unifi-poller = { - enable = mkEnableOption (lib.mdDoc "unifi-poller"); + imports = [ + (lib.mkRenamedOptionModule [ "services" "unifi-poller" ] [ "services" "unpoller" ]) + ]; + + options.services.unpoller = { + enable = mkEnableOption (lib.mdDoc "unpoller"); poller = { debug = mkOption { @@ -86,8 +90,8 @@ in { }; pass = mkOption { type = types.path; - default = pkgs.writeText "unifi-poller-influxdb-default.password" "unifipoller"; - defaultText = literalExpression "unifi-poller-influxdb-default.password"; + default = pkgs.writeText "unpoller-influxdb-default.password" "unifipoller"; + defaultText = literalExpression "unpoller-influxdb-default.password"; description = lib.mdDoc '' Path of a file containing the password for influxdb. This file needs to be readable by the unifi-poller user. @@ -135,8 +139,8 @@ in { }; pass = mkOption { type = types.path; - default = pkgs.writeText "unifi-poller-loki-default.password" ""; - defaultText = "unifi-poller-influxdb-default.password"; + default = pkgs.writeText "unpoller-loki-default.password" ""; + defaultText = "unpoller-influxdb-default.password"; description = lib.mdDoc '' Path of a file containing the password for Loki. This file needs to be readable by the unifi-poller user. @@ -184,8 +188,8 @@ in { }; pass = mkOption { type = types.path; - default = pkgs.writeText "unifi-poller-unifi-default.password" "unifi"; - defaultText = literalExpression "unifi-poller-unifi-default.password"; + default = pkgs.writeText "unpoller-unifi-default.password" "unifi"; + defaultText = literalExpression "unpoller-unifi-default.password"; description = lib.mdDoc '' Path of a file containing the password for the unifi service user. This file needs to be readable by the unifi-poller user. @@ -303,7 +307,7 @@ in { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { - ExecStart = "${pkgs.unifi-poller}/bin/unifi-poller --config ${configFile}"; + ExecStart = "${pkgs.unpoller}/bin/unpoller --config ${configFile}"; Restart = "always"; PrivateTmp = true; ProtectHome = true; diff --git a/nixos/modules/services/monitoring/ups.nix b/nixos/modules/services/monitoring/ups.nix index c7abaeb2973ee..bb11b6a1c1d01 100644 --- a/nixos/modules/services/monitoring/ups.nix +++ b/nixos/modules/services/monitoring/ups.nix @@ -12,7 +12,7 @@ let upsOptions = {name, config, ...}: { options = { - # This can be infered from the UPS model by looking at + # This can be inferred from the UPS model by looking at # /nix/store/nut/share/driver.list driver = mkOption { type = types.str; @@ -228,7 +228,7 @@ in "} ''; "nut/upssched.conf".source = cfg.schedulerRules; - # These file are containing private informations and thus should not + # These file are containing private information and thus should not # be stored inside the Nix store. /* "nut/upsd.conf".source = ""; diff --git a/nixos/modules/services/monitoring/uptime-kuma.nix b/nixos/modules/services/monitoring/uptime-kuma.nix index 3a6091de679d9..8e6c825b35eac 100644 --- a/nixos/modules/services/monitoring/uptime-kuma.nix +++ b/nixos/modules/services/monitoring/uptime-kuma.nix @@ -13,9 +13,8 @@ in package = mkOption { type = types.package; - example = literalExpression "pkgs.uptime-kuma"; default = pkgs.uptime-kuma; - defaultText = "pkgs.uptime-kuma"; + defaultText = literalExpression "pkgs.uptime-kuma"; description = lib.mdDoc "Uptime Kuma package to use."; }; @@ -29,7 +28,7 @@ in }; description = lib.mdDoc '' Additional configuration for Uptime Kuma, see - <https://github.com/louislam/uptime-kuma/wiki/Environment-Variables"> + <https://github.com/louislam/uptime-kuma/wiki/Environment-Variables> for supported values. ''; }; diff --git a/nixos/modules/services/monitoring/zabbix-proxy.nix b/nixos/modules/services/monitoring/zabbix-proxy.nix index e7e353f366046..85da416ba6c33 100644 --- a/nixos/modules/services/monitoring/zabbix-proxy.nix +++ b/nixos/modules/services/monitoring/zabbix-proxy.nix @@ -102,7 +102,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = if cfg.database.type == "mysql" then mysql.port else pgsql.port; defaultText = literalExpression '' if config.${opt.database.type} == "mysql" diff --git a/nixos/modules/services/network-filesystems/kubo.nix b/nixos/modules/services/network-filesystems/kubo.nix index 51e1282db4189..13a062c32128a 100644 --- a/nixos/modules/services/network-filesystems/kubo.nix +++ b/nixos/modules/services/network-filesystems/kubo.nix @@ -54,7 +54,7 @@ in services.kubo = { - enable = mkEnableOption (lib.mdDoc "Interplanetary File System (WARNING: may cause severe network degredation)"); + enable = mkEnableOption (lib.mdDoc "Interplanetary File System (WARNING: may cause severe network degradation)"); package = mkOption { type = types.package; diff --git a/nixos/modules/services/network-filesystems/moosefs.nix b/nixos/modules/services/network-filesystems/moosefs.nix index c9a5a43ebcd91..ab82a2a07dd4b 100644 --- a/nixos/modules/services/network-filesystems/moosefs.nix +++ b/nixos/modules/services/network-filesystems/moosefs.nix @@ -52,7 +52,7 @@ let chunkserverCfg = settingsFormat.generate "mfschunkserver.cfg" cfg.chunkserver.settings; - # generic template for all deamons + # generic template for all daemons systemdService = name: extraConfig: configFile: { wantedBy = [ "multi-user.target" ]; wants = [ "network-online.target" ]; @@ -94,7 +94,7 @@ in { Enable Moosefs master daemon. You need to run `mfsmaster-init` on a freshly installed master server to - initialize the `DATA_PATH` direcory. + initialize the `DATA_PATH` directory. ''; default = false; }; diff --git a/nixos/modules/services/network-filesystems/orangefs/client.nix b/nixos/modules/services/network-filesystems/orangefs/client.nix index 471e17970ae1d..68f23f477af19 100644 --- a/nixos/modules/services/network-filesystems/orangefs/client.nix +++ b/nixos/modules/services/network-filesystems/orangefs/client.nix @@ -21,7 +21,7 @@ in { fileSystems = mkOption { description = lib.mdDoc '' The orangefs file systems to be mounted. - This option is prefered over using {option}`fileSystems` directly since + This option is preferred over using {option}`fileSystems` directly since the pvfs client service needs to be running for it to be mounted. ''; diff --git a/nixos/modules/services/network-filesystems/orangefs/server.nix b/nixos/modules/services/network-filesystems/orangefs/server.nix index 8e6838c046784..e20e7975ebaa0 100644 --- a/nixos/modules/services/network-filesystems/orangefs/server.nix +++ b/nixos/modules/services/network-filesystems/orangefs/server.nix @@ -209,7 +209,7 @@ in { after = [ "network-online.target" ]; serviceConfig = { - # Run as "simple" in forground mode. + # Run as "simple" in foreground mode. # This is more reliable ExecStart = '' ${pkgs.orangefs}/bin/pvfs2-server -d \ diff --git a/nixos/modules/services/network-filesystems/tahoe.nix b/nixos/modules/services/network-filesystems/tahoe.nix index 4213f437f4b2c..14c0a3d4725f1 100644 --- a/nixos/modules/services/network-filesystems/tahoe.nix +++ b/nixos/modules/services/network-filesystems/tahoe.nix @@ -18,7 +18,7 @@ in }; tub.port = mkOption { default = 3458; - type = types.int; + type = types.port; description = lib.mdDoc '' The port on which the introducer will listen. ''; @@ -58,7 +58,7 @@ in }; tub.port = mkOption { default = 3457; - type = types.int; + type = types.port; description = lib.mdDoc '' The port on which the tub will listen. @@ -80,7 +80,7 @@ in }; web.port = mkOption { default = 3456; - type = types.int; + type = types.port; description = lib.mdDoc '' The port on which the Web server will listen. diff --git a/nixos/modules/services/networking/3proxy.nix b/nixos/modules/services/networking/3proxy.nix index e643ed941315e..ef695a7f49fa4 100644 --- a/nixos/modules/services/networking/3proxy.nix +++ b/nixos/modules/services/networking/3proxy.nix @@ -158,7 +158,7 @@ in { description = lib.mdDoc '' List of target IP ranges, use empty list for any. May also contain host names instead of addresses. - It's possible to use wildmask in the begginning and in the the end of hostname, e.g. `*badsite.com` or `*badcontent*`. + It's possible to use wildmask in the beginning and in the the end of hostname, e.g. `*badsite.com` or `*badcontent*`. Hostname is only checked if hostname presents in request. ''; }; diff --git a/nixos/modules/services/networking/adguardhome.nix b/nixos/modules/services/networking/adguardhome.nix index eaeaeaeb6a7f2..bda99cb7942b8 100644 --- a/nixos/modules/services/networking/adguardhome.nix +++ b/nixos/modules/services/networking/adguardhome.nix @@ -51,8 +51,8 @@ in }; settings = mkOption { - default = { }; - type = submodule { + default = null; + type = nullOr (submodule { freeformType = (pkgs.formats.yaml { }).type; options = { schema_version = mkOption { @@ -79,7 +79,7 @@ in ''; }; }; - }; + }); description = lib.mdDoc '' AdGuard Home configuration. Refer to <https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file> @@ -89,6 +89,10 @@ in On start and if {option}`mutableSettings` is `true`, these options are merged into the configuration file on start, taking precedence over configuration changes made on the web interface. + + Set this to `null` (default) for a non-declarative configuration without any + Nix-supplied values. + Declarative configurations are supplied with a default `schema_version`, `bind_host`, and `bind_port`. ::: ''; }; @@ -105,15 +109,15 @@ in config = mkIf cfg.enable { assertions = [ { - assertion = cfg.settings != { } - -> (hasAttrByPath [ "dns" "bind_host" ] cfg.settings) + assertion = cfg.settings != null -> cfg.mutableSettings + || (hasAttrByPath [ "dns" "bind_host" ] cfg.settings) || (hasAttrByPath [ "dns" "bind_hosts" ] cfg.settings); message = "AdGuard setting dns.bind_host or dns.bind_hosts needs to be configured for a minimal working configuration"; } { - assertion = cfg.settings != { } - -> hasAttrByPath [ "dns" "bootstrap_dns" ] cfg.settings; + assertion = cfg.settings != null -> cfg.mutableSettings + || hasAttrByPath [ "dns" "bootstrap_dns" ] cfg.settings; message = "AdGuard setting dns.bootstrap_dns needs to be configured for a minimal working configuration"; } @@ -128,7 +132,7 @@ in StartLimitBurst = 10; }; - preStart = optionalString (cfg.settings != { }) '' + preStart = optionalString (cfg.settings != null) '' if [ -e "$STATE_DIRECTORY/AdGuardHome.yaml" ] \ && [ "${toString cfg.mutableSettings}" = "1" ]; then # Writing directly to AdGuardHome.yaml results in empty file diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix index 56113bd34594d..3933ed5a2315a 100644 --- a/nixos/modules/services/networking/avahi-daemon.nix +++ b/nixos/modules/services/networking/avahi-daemon.nix @@ -106,13 +106,14 @@ in default = true; description = lib.mdDoc '' Whether to open the firewall for UDP port 5353. + Disabling this setting also disables discovering of network devices. ''; }; allowPointToPoint = mkOption { type = types.bool; default = false; - description= lib.mdDoc '' + description = lib.mdDoc '' Whether to use POINTTOPOINT interfaces. Might make mDNS unreliable due to usually large latencies with such links and opens a potential security hole by allowing mDNS access from Internet connections. diff --git a/nixos/modules/services/networking/biboumi.nix b/nixos/modules/services/networking/biboumi.nix index 896a2350e3d55..1428856764e65 100644 --- a/nixos/modules/services/networking/biboumi.nix +++ b/nixos/modules/services/networking/biboumi.nix @@ -45,7 +45,7 @@ in default = "/etc/ssl/certs/ca-certificates.crt"; description = lib.mdDoc '' Specifies which file should be used as the list of trusted CA - when negociating a TLS session. + when negotiating a TLS session. ''; }; options.db_name = mkOption { @@ -111,7 +111,7 @@ in description = lib.mdDoc '' A directory that should contain the policy files, used to customize Botan’s behaviour - when negociating the TLS connections with the IRC servers. + when negotiating the TLS connections with the IRC servers. ''; }; options.port = mkOption { diff --git a/nixos/modules/services/networking/bitcoind.nix b/nixos/modules/services/networking/bitcoind.nix index 6df809a8b7648..a86d52b7202d8 100644 --- a/nixos/modules/services/networking/bitcoind.nix +++ b/nixos/modules/services/networking/bitcoind.nix @@ -95,7 +95,7 @@ let } ''; type = types.attrsOf (types.submodule rpcUserOpts); - description = lib.mdDoc "RPC user information for JSON-RPC connnections."; + description = lib.mdDoc "RPC user information for JSON-RPC connections."; }; }; diff --git a/nixos/modules/services/networking/bitlbee.nix b/nixos/modules/services/networking/bitlbee.nix index 88c04597e2bc6..146bffaa6edf8 100644 --- a/nixos/modules/services/networking/bitlbee.nix +++ b/nixos/modules/services/networking/bitlbee.nix @@ -60,7 +60,7 @@ in type = types.str; default = "127.0.0.1"; description = lib.mdDoc '' - The interface the BitlBee deamon will be listening to. If `127.0.0.1`, + The interface the BitlBee daemon will be listening to. If `127.0.0.1`, only clients on the local host can connect to it; if `0.0.0.0`, clients can access it from any network interface. ''; diff --git a/nixos/modules/services/networking/chisel-server.nix b/nixos/modules/services/networking/chisel-server.nix index d3724743209b2..134c71430cd07 100644 --- a/nixos/modules/services/networking/chisel-server.nix +++ b/nixos/modules/services/networking/chisel-server.nix @@ -17,7 +17,7 @@ in { }; port = mkOption { description = mdDoc "Port to listen on, falls back to 8080"; - type = with types; nullOr int; + type = with types; nullOr port; default = null; }; authfile = mkOption { diff --git a/nixos/modules/services/networking/cloudflared.nix b/nixos/modules/services/networking/cloudflared.nix new file mode 100644 index 0000000000000..b3f0e37d8e9e3 --- /dev/null +++ b/nixos/modules/services/networking/cloudflared.nix @@ -0,0 +1,331 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.cloudflared; + + originRequest = { + connectTimeout = mkOption { + type = with types; nullOr str; + default = null; + example = "30s"; + description = lib.mdDoc '' + Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by [https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/ingress/#tlstimeout](tlsTimeout). + ''; + }; + + tlsTimeout = mkOption { + type = with types; nullOr str; + default = null; + example = "10s"; + description = lib.mdDoc '' + Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. + ''; + }; + + tcpKeepAlive = mkOption { + type = with types; nullOr str; + default = null; + example = "30s"; + description = lib.mdDoc '' + The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. + ''; + }; + + noHappyEyeballs = mkOption { + type = with types; nullOr bool; + default = null; + example = false; + description = lib.mdDoc '' + Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. + ''; + }; + + keepAliveConnections = mkOption { + type = with types; nullOr int; + default = null; + example = 100; + description = lib.mdDoc '' + Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. + ''; + }; + + keepAliveTimeout = mkOption { + type = with types; nullOr str; + default = null; + example = "1m30s"; + description = lib.mdDoc '' + Timeout after which an idle keepalive connection can be discarded. + ''; + }; + + httpHostHeader = mkOption { + type = with types; nullOr str; + default = null; + example = ""; + description = lib.mdDoc '' + Sets the HTTP `Host` header on requests sent to the local service. + ''; + }; + + originServerName = mkOption { + type = with types; nullOr str; + default = null; + example = ""; + description = lib.mdDoc '' + Hostname that `cloudflared` should expect from your origin server certificate. + ''; + }; + + caPool = mkOption { + type = with types; nullOr (either str path); + default = null; + example = ""; + description = lib.mdDoc '' + Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. + ''; + }; + + noTLSVerify = mkOption { + type = with types; nullOr bool; + default = null; + example = false; + description = lib.mdDoc '' + Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. + ''; + }; + + disableChunkedEncoding = mkOption { + type = with types; nullOr bool; + default = null; + example = false; + description = lib.mdDoc '' + Disables chunked transfer encoding. Useful if you are running a WSGI server. + ''; + }; + + proxyAddress = mkOption { + type = with types; nullOr str; + default = null; + example = "127.0.0.1"; + description = lib.mdDoc '' + `cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures the listen address for that proxy. + ''; + }; + + proxyPort = mkOption { + type = with types; nullOr int; + default = null; + example = 0; + description = lib.mdDoc '' + `cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures the listen port for that proxy. If set to zero, an unused port will randomly be chosen. + ''; + }; + + proxyType = mkOption { + type = with types; nullOr (enum [ "" "socks" ]); + default = null; + example = ""; + description = lib.mdDoc '' + `cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: + + - `""` for the regular proxy + - `"socks"` for a SOCKS5 proxy. Refer to the [https://developers.cloudflare.com/cloudflare-one/tutorials/kubectl/](tutorial on connecting through Cloudflare Access using kubectl) for more information. + ''; + }; + }; +in +{ + options.services.cloudflared = { + enable = mkEnableOption (lib.mdDoc "Cloudflare Tunnel client daemon (formerly Argo Tunnel)"); + + user = mkOption { + type = types.str; + default = "cloudflared"; + description = lib.mdDoc "User account under which Cloudflared runs."; + }; + + group = mkOption { + type = types.str; + default = "cloudflared"; + description = lib.mdDoc "Group under which cloudflared runs."; + }; + + package = mkOption { + type = types.package; + default = pkgs.cloudflared; + defaultText = "pkgs.cloudflared"; + description = lib.mdDoc "The package to use for Cloudflared."; + }; + + tunnels = mkOption { + description = lib.mdDoc '' + Cloudflare tunnels. + ''; + type = types.attrsOf (types.submodule ({ name, ... }: { + options = { + inherit originRequest; + + credentialsFile = mkOption { + type = types.str; + description = lib.mdDoc '' + Credential file. + + See [https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-useful-terms/#credentials-file](Credentials file). + ''; + }; + + warp-routing = { + enabled = mkOption { + type = with types; nullOr bool; + default = null; + description = lib.mdDoc '' + Enable warp routing. + + See [https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel/](Connect from WARP to a private network on Cloudflare using Cloudflare Tunnel). + ''; + }; + }; + + default = mkOption { + type = types.str; + description = lib.mdDoc '' + Catch-all service if no ingress matches. + + See `service`. + ''; + example = "http_status:404"; + }; + + ingress = mkOption { + type = with types; attrsOf (either str (submodule ({ hostname, ... }: { + options = { + inherit originRequest; + + service = mkOption { + type = with types; nullOr str; + default = null; + description = lib.mdDoc '' + Service to pass the traffic. + + See [https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/ingress/#supported-protocols](Supported protocols). + ''; + example = "http://localhost:80, tcp://localhost:8000, unix:/home/production/echo.sock, hello_world or http_status:404"; + }; + + path = mkOption { + type = with types; nullOr str; + default = null; + description = lib.mdDoc '' + Path filter. + + If not specified, all paths will be matched. + ''; + example = "/*.(jpg|png|css|js)"; + }; + + }; + }))); + default = { }; + description = lib.mdDoc '' + Ingress rules. + + See [https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/ingress/](Ingress rules). + ''; + example = { + "*.domain.com" = "http://localhost:80"; + "*.anotherone.com" = "http://localhost:80"; + }; + }; + }; + })); + + default = { }; + example = { + "00000000-0000-0000-0000-000000000000" = { + credentialsFile = "/tmp/test"; + ingress = { + "*.domain1.com" = { + service = "http://localhost:80"; + }; + }; + default = "http_status:404"; + }; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.targets = + mapAttrs' + (name: tunnel: + nameValuePair "cloudflared-tunnel-${name}" { + description = "Cloudflare tunnel '${name}' target"; + requires = [ "cloudflared-tunnel-${name}.service" ]; + after = [ "cloudflared-tunnel-${name}.service" ]; + unitConfig.StopWhenUnneeded = true; + } + ) + config.services.cloudflared.tunnels; + + systemd.services = + mapAttrs' + (name: tunnel: + let + filterConfig = lib.attrsets.filterAttrsRecursive (_: v: ! builtins.elem v [ null [ ] { } ]); + + filterIngressSet = filterAttrs (_: v: builtins.typeOf v == "set"); + filterIngressStr = filterAttrs (_: v: builtins.typeOf v == "string"); + + ingressesSet = filterIngressSet tunnel.ingress; + ingressesStr = filterIngressStr tunnel.ingress; + + fullConfig = { + tunnel = name; + "credentials-file" = tunnel.credentialsFile; + ingress = + (map + (key: { + hostname = key; + } // getAttr key (filterConfig (filterConfig ingressesSet))) + (attrNames ingressesSet)) + ++ + (map + (key: { + hostname = key; + service = getAttr key ingressesStr; + }) + (attrNames ingressesStr)) + ++ [{ service = tunnel.default; }]; + }; + mkConfigFile = pkgs.writeText "cloudflared.yml" (builtins.toJSON fullConfig); + in + nameValuePair "cloudflared-tunnel-${name}" ({ + after = [ "network.target" "network-online.target" ]; + wants = [ "network.target" "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = "${cfg.package}/bin/cloudflared tunnel --config=${mkConfigFile} --no-autoupdate run"; + Restart = "on-failure"; + }; + }) + ) + config.services.cloudflared.tunnels; + + users.users = mkIf (cfg.user == "cloudflared") { + cloudflared = { + group = cfg.group; + isSystemUser = true; + }; + }; + + users.groups = mkIf (cfg.group == "cloudflared") { + cloudflared = { }; + }; + }; + + meta.maintainers = with maintainers; [ bbigras ]; +} diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix index bee41dcf765d2..f1c36138be3e4 100644 --- a/nixos/modules/services/networking/consul.nix +++ b/nixos/modules/services/networking/consul.nix @@ -142,7 +142,7 @@ in }; consulAddr = mkOption { - description = lib.mdDoc "Consul api listening adddress"; + description = lib.mdDoc "Consul api listening address"; default = "localhost:8500"; type = types.str; }; diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix index 5c32817979afd..4d843641f58a3 100644 --- a/nixos/modules/services/networking/ddclient.nix +++ b/nixos/modules/services/networking/ddclient.nix @@ -71,7 +71,7 @@ with lib; package = mkOption { type = package; default = pkgs.ddclient; - defaultText = "pkgs.ddclient"; + defaultText = lib.literalExpression "pkgs.ddclient"; description = lib.mdDoc '' The ddclient executable package run by the service. ''; diff --git a/nixos/modules/services/networking/dnsmasq.nix b/nixos/modules/services/networking/dnsmasq.nix index cfc37b74b9a94..4886654e8c033 100644 --- a/nixos/modules/services/networking/dnsmasq.nix +++ b/nixos/modules/services/networking/dnsmasq.nix @@ -7,15 +7,27 @@ let dnsmasq = pkgs.dnsmasq; stateDir = "/var/lib/dnsmasq"; + # True values are just put as `name` instead of `name=true`, and false values + # are turned to comments (false values are expected to be overrides e.g. + # mkForce) + formatKeyValue = + name: value: + if value == true + then name + else if value == false + then "# setting `${name}` explicitly set to false" + else generators.mkKeyValueDefault { } "=" name value; + + settingsFormat = pkgs.formats.keyValue { + mkKeyValue = formatKeyValue; + listsAsDuplicateKeys = true; + }; + + # Because formats.generate is outputting a file, we use of conf-file. Once + # `extraConfig` is deprecated we can just use + # `dnsmasqConf = format.generate "dnsmasq.conf" cfg.settings` dnsmasqConf = pkgs.writeText "dnsmasq.conf" '' - dhcp-leasefile=${stateDir}/dnsmasq.leases - ${optionalString cfg.resolveLocalQueries '' - conf-file=/etc/dnsmasq-conf.conf - resolv-file=/etc/dnsmasq-resolv.conf - ''} - ${flip concatMapStrings cfg.servers (server: '' - server=${server} - '')} + conf-file=${settingsFormat.generate "dnsmasq.conf" cfg.settings} ${cfg.extraConfig} ''; @@ -23,6 +35,10 @@ in { + imports = [ + (mkRenamedOptionModule [ "services" "dnsmasq" "servers" ] [ "services" "dnsmasq" "settings" "server" ]) + ]; + ###### interface options = { @@ -46,15 +62,6 @@ in ''; }; - servers = mkOption { - type = types.listOf types.str; - default = []; - example = [ "8.8.8.8" "8.8.4.4" ]; - description = lib.mdDoc '' - The DNS servers which dnsmasq should query. - ''; - }; - alwaysKeepRunning = mkOption { type = types.bool; default = false; @@ -63,12 +70,49 @@ in ''; }; + settings = mkOption { + type = types.submodule { + + freeformType = settingsFormat.type; + + options.server = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "8.8.8.8" "8.8.4.4" ]; + description = lib.mdDoc '' + The DNS servers which dnsmasq should query. + ''; + }; + + }; + default = { }; + description = lib.mdDoc '' + Configuration of dnsmasq. Lists get added one value per line (empty + lists and false values don't get added, though false values get + turned to comments). Gets merged with + + { + dhcp-leasefile = "${stateDir}/dnsmasq.leases"; + conf-file = optional cfg.resolveLocalQueries "/etc/dnsmasq-conf.conf"; + resolv-file = optional cfg.resolveLocalQueries "/etc/dnsmasq-resolv.conf"; + } + ''; + example = literalExpression '' + { + domain-needed = true; + dhcp-range = [ "192.168.0.2,192.168.0.254" ]; + } + ''; + }; + extraConfig = mkOption { type = types.lines; default = ""; description = lib.mdDoc '' Extra configuration directives that should be added to `dnsmasq.conf`. + + This option is deprecated, please use {option}`settings` instead. ''; }; @@ -81,6 +125,14 @@ in config = mkIf cfg.enable { + warnings = lib.optional (cfg.extraConfig != "") "Text based config is deprecated, dnsmasq now supports `services.dnsmasq.settings` for an attribute-set based config"; + + services.dnsmasq.settings = { + dhcp-leasefile = mkDefault "${stateDir}/dnsmasq.leases"; + conf-file = mkDefault (optional cfg.resolveLocalQueries "/etc/dnsmasq-conf.conf"); + resolv-file = mkDefault (optional cfg.resolveLocalQueries "/etc/dnsmasq-resolv.conf"); + }; + networking.nameservers = optional cfg.resolveLocalQueries "127.0.0.1"; diff --git a/nixos/modules/services/networking/epmd.nix b/nixos/modules/services/networking/epmd.nix index 534b80906211f..0bc8c71f4eaa3 100644 --- a/nixos/modules/services/networking/epmd.nix +++ b/nixos/modules/services/networking/epmd.nix @@ -32,7 +32,7 @@ in default = "[::]:4369"; description = lib.mdDoc '' the listenStream used by the systemd socket. - see https://www.freedesktop.org/software/systemd/man/systemd.socket.html#ListenStream= for more informations. + see https://www.freedesktop.org/software/systemd/man/systemd.socket.html#ListenStream= for more information. use this to change the port epmd will run on. if not defined, epmd will use "[::]:4369" ''; diff --git a/nixos/modules/services/networking/ergochat.nix b/nixos/modules/services/networking/ergochat.nix index 1a70b1f8613ed..a003512677ebc 100644 --- a/nixos/modules/services/networking/ergochat.nix +++ b/nixos/modules/services/networking/ergochat.nix @@ -17,10 +17,10 @@ in { configFile = lib.mkOption { type = lib.types.path; default = (pkgs.formats.yaml {}).generate "ergo.conf" cfg.settings; - defaultText = "generated config file from <literal>.settings</literal>"; + defaultText = lib.literalMD "generated config file from `settings`"; description = lib.mdDoc '' Path to configuration file. - Setting this will skip any configuration done via `.settings` + Setting this will skip any configuration done via `settings` ''; }; diff --git a/nixos/modules/services/networking/firefox-syncserver.nix b/nixos/modules/services/networking/firefox-syncserver.nix index c3d9f43f74577..9733fb16d9032 100644 --- a/nixos/modules/services/networking/firefox-syncserver.nix +++ b/nixos/modules/services/networking/firefox-syncserver.nix @@ -11,8 +11,10 @@ let format = pkgs.formats.toml {}; settings = { - database_url = dbURL; human_logs = true; + syncstorage = { + database_url = dbURL; + }; tokenserver = { node_type = "mysql"; database_url = dbURL; @@ -253,8 +255,7 @@ in serviceConfig = { User = defaultUser; Group = defaultUser; - ExecStart = "${cfg.package}/bin/syncstorage --config ${configFile}"; - Stderr = "journal"; + ExecStart = "${cfg.package}/bin/syncserver --config ${configFile}"; EnvironmentFile = lib.mkIf (cfg.secrets != null) "${cfg.secrets}"; # hardening diff --git a/nixos/modules/services/networking/firewall-iptables.nix b/nixos/modules/services/networking/firewall-iptables.nix new file mode 100644 index 0000000000000..63e952194d671 --- /dev/null +++ b/nixos/modules/services/networking/firewall-iptables.nix @@ -0,0 +1,334 @@ +/* This module enables a simple firewall. + + The firewall can be customised in arbitrary ways by setting + ‘networking.firewall.extraCommands’. For modularity, the firewall + uses several chains: + + - ‘nixos-fw’ is the main chain for input packet processing. + + - ‘nixos-fw-accept’ is called for accepted packets. If you want + additional logging, or want to reject certain packets anyway, you + can insert rules at the start of this chain. + + - ‘nixos-fw-log-refuse’ and ‘nixos-fw-refuse’ are called for + refused packets. (The former jumps to the latter after logging + the packet.) If you want additional logging, or want to accept + certain packets anyway, you can insert rules at the start of + this chain. + + - ‘nixos-fw-rpfilter’ is used as the main chain in the mangle table, + called from the built-in ‘PREROUTING’ chain. If the kernel + supports it and `cfg.checkReversePath` is set this chain will + perform a reverse path filter test. + + - ‘nixos-drop’ is used while reloading the firewall in order to drop + all traffic. Since reloading isn't implemented in an atomic way + this'll prevent any traffic from leaking through while reloading + the firewall. However, if the reloading fails, the ‘firewall-stop’ + script will be called which in return will effectively disable the + complete firewall (in the default configuration). + +*/ + +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.networking.firewall; + + inherit (config.boot.kernelPackages) kernel; + + kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false); + + helpers = import ./helpers.nix { inherit config lib; }; + + writeShScript = name: text: + let + dir = pkgs.writeScriptBin name '' + #! ${pkgs.runtimeShell} -e + ${text} + ''; + in + "${dir}/bin/${name}"; + + startScript = writeShScript "firewall-start" '' + ${helpers} + + # Flush the old firewall rules. !!! Ideally, updating the + # firewall would be atomic. Apparently that's possible + # with iptables-restore. + ip46tables -D INPUT -j nixos-fw 2> /dev/null || true + for chain in nixos-fw nixos-fw-accept nixos-fw-log-refuse nixos-fw-refuse; do + ip46tables -F "$chain" 2> /dev/null || true + ip46tables -X "$chain" 2> /dev/null || true + done + + + # The "nixos-fw-accept" chain just accepts packets. + ip46tables -N nixos-fw-accept + ip46tables -A nixos-fw-accept -j ACCEPT + + + # The "nixos-fw-refuse" chain rejects or drops packets. + ip46tables -N nixos-fw-refuse + + ${if cfg.rejectPackets then '' + # Send a reset for existing TCP connections that we've + # somehow forgotten about. Send ICMP "port unreachable" + # for everything else. + ip46tables -A nixos-fw-refuse -p tcp ! --syn -j REJECT --reject-with tcp-reset + ip46tables -A nixos-fw-refuse -j REJECT + '' else '' + ip46tables -A nixos-fw-refuse -j DROP + ''} + + + # The "nixos-fw-log-refuse" chain performs logging, then + # jumps to the "nixos-fw-refuse" chain. + ip46tables -N nixos-fw-log-refuse + + ${optionalString cfg.logRefusedConnections '' + ip46tables -A nixos-fw-log-refuse -p tcp --syn -j LOG --log-level info --log-prefix "refused connection: " + ''} + ${optionalString (cfg.logRefusedPackets && !cfg.logRefusedUnicastsOnly) '' + ip46tables -A nixos-fw-log-refuse -m pkttype --pkt-type broadcast \ + -j LOG --log-level info --log-prefix "refused broadcast: " + ip46tables -A nixos-fw-log-refuse -m pkttype --pkt-type multicast \ + -j LOG --log-level info --log-prefix "refused multicast: " + ''} + ip46tables -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse + ${optionalString cfg.logRefusedPackets '' + ip46tables -A nixos-fw-log-refuse \ + -j LOG --log-level info --log-prefix "refused packet: " + ''} + ip46tables -A nixos-fw-log-refuse -j nixos-fw-refuse + + + # The "nixos-fw" chain does the actual work. + ip46tables -N nixos-fw + + # Clean up rpfilter rules + ip46tables -t mangle -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true + ip46tables -t mangle -F nixos-fw-rpfilter 2> /dev/null || true + ip46tables -t mangle -X nixos-fw-rpfilter 2> /dev/null || true + + ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) '' + # Perform a reverse-path test to refuse spoofers + # For now, we just drop, as the mangle table doesn't have a log-refuse yet + ip46tables -t mangle -N nixos-fw-rpfilter 2> /dev/null || true + ip46tables -t mangle -A nixos-fw-rpfilter -m rpfilter --validmark ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN + + # Allows this host to act as a DHCP4 client without first having to use APIPA + iptables -t mangle -A nixos-fw-rpfilter -p udp --sport 67 --dport 68 -j RETURN + + # Allows this host to act as a DHCPv4 server + iptables -t mangle -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN + + ${optionalString cfg.logReversePathDrops '' + ip46tables -t mangle -A nixos-fw-rpfilter -j LOG --log-level info --log-prefix "rpfilter drop: " + ''} + ip46tables -t mangle -A nixos-fw-rpfilter -j DROP + + ip46tables -t mangle -A PREROUTING -j nixos-fw-rpfilter + ''} + + # Accept all traffic on the trusted interfaces. + ${flip concatMapStrings cfg.trustedInterfaces (iface: '' + ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept + '')} + + # Accept packets from established or related connections. + ip46tables -A nixos-fw -m conntrack --ctstate ESTABLISHED,RELATED -j nixos-fw-accept + + # Accept connections to the allowed TCP ports. + ${concatStrings (mapAttrsToList (iface: cfg: + concatMapStrings (port: + '' + ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} + '' + ) cfg.allowedTCPPorts + ) cfg.allInterfaces)} + + # Accept connections to the allowed TCP port ranges. + ${concatStrings (mapAttrsToList (iface: cfg: + concatMapStrings (rangeAttr: + let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in + '' + ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} + '' + ) cfg.allowedTCPPortRanges + ) cfg.allInterfaces)} + + # Accept packets on the allowed UDP ports. + ${concatStrings (mapAttrsToList (iface: cfg: + concatMapStrings (port: + '' + ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} + '' + ) cfg.allowedUDPPorts + ) cfg.allInterfaces)} + + # Accept packets on the allowed UDP port ranges. + ${concatStrings (mapAttrsToList (iface: cfg: + concatMapStrings (rangeAttr: + let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in + '' + ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} + '' + ) cfg.allowedUDPPortRanges + ) cfg.allInterfaces)} + + # Optionally respond to ICMPv4 pings. + ${optionalString cfg.allowPing '' + iptables -w -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null) + "-m limit ${cfg.pingLimit} " + }-j nixos-fw-accept + ''} + + ${optionalString config.networking.enableIPv6 '' + # Accept all ICMPv6 messages except redirects and node + # information queries (type 139). See RFC 4890, section + # 4.4. + ip6tables -A nixos-fw -p icmpv6 --icmpv6-type redirect -j DROP + ip6tables -A nixos-fw -p icmpv6 --icmpv6-type 139 -j DROP + ip6tables -A nixos-fw -p icmpv6 -j nixos-fw-accept + + # Allow this host to act as a DHCPv6 client + ip6tables -A nixos-fw -d fe80::/64 -p udp --dport 546 -j nixos-fw-accept + ''} + + ${cfg.extraCommands} + + # Reject/drop everything else. + ip46tables -A nixos-fw -j nixos-fw-log-refuse + + + # Enable the firewall. + ip46tables -A INPUT -j nixos-fw + ''; + + stopScript = writeShScript "firewall-stop" '' + ${helpers} + + # Clean up in case reload fails + ip46tables -D INPUT -j nixos-drop 2>/dev/null || true + + # Clean up after added ruleset + ip46tables -D INPUT -j nixos-fw 2>/dev/null || true + + ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) '' + ip46tables -t mangle -D PREROUTING -j nixos-fw-rpfilter 2>/dev/null || true + ''} + + ${cfg.extraStopCommands} + ''; + + reloadScript = writeShScript "firewall-reload" '' + ${helpers} + + # Create a unique drop rule + ip46tables -D INPUT -j nixos-drop 2>/dev/null || true + ip46tables -F nixos-drop 2>/dev/null || true + ip46tables -X nixos-drop 2>/dev/null || true + ip46tables -N nixos-drop + ip46tables -A nixos-drop -j DROP + + # Don't allow traffic to leak out until the script has completed + ip46tables -A INPUT -j nixos-drop + + ${cfg.extraStopCommands} + + if ${startScript}; then + ip46tables -D INPUT -j nixos-drop 2>/dev/null || true + else + echo "Failed to reload firewall... Stopping" + ${stopScript} + exit 1 + fi + ''; + +in + +{ + + options = { + + networking.firewall = { + extraCommands = mkOption { + type = types.lines; + default = ""; + example = "iptables -A INPUT -p icmp -j ACCEPT"; + description = lib.mdDoc '' + Additional shell commands executed as part of the firewall + initialisation script. These are executed just before the + final "reject" firewall rule is added, so they can be used + to allow packets that would otherwise be refused. + + This option only works with the iptables based firewall. + ''; + }; + + extraStopCommands = mkOption { + type = types.lines; + default = ""; + example = "iptables -P INPUT ACCEPT"; + description = lib.mdDoc '' + Additional shell commands executed as part of the firewall + shutdown script. These are executed just after the removal + of the NixOS input rule, or if the service enters a failed + state. + + This option only works with the iptables based firewall. + ''; + }; + }; + + }; + + # FIXME: Maybe if `enable' is false, the firewall should still be + # built but not started by default? + config = mkIf (cfg.enable && config.networking.nftables.enable == false) { + + assertions = [ + # This is approximately "checkReversePath -> kernelHasRPFilter", + # but the checkReversePath option can include non-boolean + # values. + { + assertion = cfg.checkReversePath == false || kernelHasRPFilter; + message = "This kernel does not support rpfilter"; + } + ]; + + networking.firewall.checkReversePath = mkIf (!kernelHasRPFilter) (mkDefault false); + + systemd.services.firewall = { + description = "Firewall"; + wantedBy = [ "sysinit.target" ]; + wants = [ "network-pre.target" ]; + before = [ "network-pre.target" ]; + after = [ "systemd-modules-load.service" ]; + + path = [ cfg.package ] ++ cfg.extraPackages; + + # FIXME: this module may also try to load kernel modules, but + # containers don't have CAP_SYS_MODULE. So the host system had + # better have all necessary modules already loaded. + unitConfig.ConditionCapability = "CAP_NET_ADMIN"; + unitConfig.DefaultDependencies = false; + + reloadIfChanged = true; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "@${startScript} firewall-start"; + ExecReload = "@${reloadScript} firewall-reload"; + ExecStop = "@${stopScript} firewall-stop"; + }; + }; + + }; + +} diff --git a/nixos/modules/services/networking/firewall-nftables.nix b/nixos/modules/services/networking/firewall-nftables.nix new file mode 100644 index 0000000000000..0ed3c228075d3 --- /dev/null +++ b/nixos/modules/services/networking/firewall-nftables.nix @@ -0,0 +1,167 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.networking.firewall; + + ifaceSet = concatStringsSep ", " ( + map (x: ''"${x}"'') cfg.trustedInterfaces + ); + + portsToNftSet = ports: portRanges: concatStringsSep ", " ( + map (x: toString x) ports + ++ map (x: "${toString x.from}-${toString x.to}") portRanges + ); + +in + +{ + + options = { + + networking.firewall = { + extraInputRules = mkOption { + type = types.lines; + default = ""; + example = "ip6 saddr { fc00::/7, fe80::/10 } tcp dport 24800 accept"; + description = lib.mdDoc '' + Additional nftables rules to be appended to the input-allow + chain. + + This option only works with the nftables based firewall. + ''; + }; + + extraForwardRules = mkOption { + type = types.lines; + default = ""; + example = "iifname wg0 accept"; + description = lib.mdDoc '' + Additional nftables rules to be appended to the forward-allow + chain. + + This option only works with the nftables based firewall. + ''; + }; + }; + + }; + + config = mkIf (cfg.enable && config.networking.nftables.enable) { + + assertions = [ + { + assertion = cfg.extraCommands == ""; + message = "extraCommands is incompatible with the nftables based firewall: ${cfg.extraCommands}"; + } + { + assertion = cfg.extraStopCommands == ""; + message = "extraStopCommands is incompatible with the nftables based firewall: ${cfg.extraStopCommands}"; + } + { + assertion = cfg.pingLimit == null || !(hasPrefix "--" cfg.pingLimit); + message = "nftables syntax like \"2/second\" should be used in networking.firewall.pingLimit"; + } + { + assertion = config.networking.nftables.rulesetFile == null; + message = "networking.nftables.rulesetFile conflicts with the firewall"; + } + ]; + + networking.nftables.ruleset = '' + + table inet nixos-fw { + + ${optionalString (cfg.checkReversePath != false) '' + chain rpfilter { + type filter hook prerouting priority mangle + 10; policy drop; + + meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server" + fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept + + ${optionalString cfg.logReversePathDrops '' + log level info prefix "rpfilter drop: " + ''} + + } + ''} + + chain input { + type filter hook input priority filter; policy drop; + + ${optionalString (ifaceSet != "") ''iifname { ${ifaceSet} } accept comment "trusted interfaces"''} + + # Some ICMPv6 types like NDP is untracked + ct state vmap { invalid : drop, established : accept, related : accept, * : jump input-allow } comment "*: new and untracked" + + ${optionalString cfg.logRefusedConnections '' + tcp flags syn / fin,syn,rst,ack log level info prefix "refused connection: " + ''} + ${optionalString (cfg.logRefusedPackets && !cfg.logRefusedUnicastsOnly) '' + pkttype broadcast log level info prefix "refused broadcast: " + pkttype multicast log level info prefix "refused multicast: " + ''} + ${optionalString cfg.logRefusedPackets '' + pkttype host log level info prefix "refused packet: " + ''} + + ${optionalString cfg.rejectPackets '' + meta l4proto tcp reject with tcp reset + reject + ''} + + } + + chain input-allow { + + ${concatStrings (mapAttrsToList (iface: cfg: + let + ifaceExpr = optionalString (iface != "default") "iifname ${iface}"; + tcpSet = portsToNftSet cfg.allowedTCPPorts cfg.allowedTCPPortRanges; + udpSet = portsToNftSet cfg.allowedUDPPorts cfg.allowedUDPPortRanges; + in + '' + ${optionalString (tcpSet != "") "${ifaceExpr} tcp dport { ${tcpSet} } accept"} + ${optionalString (udpSet != "") "${ifaceExpr} udp dport { ${udpSet} } accept"} + '' + ) cfg.allInterfaces)} + + ${optionalString cfg.allowPing '' + icmp type echo-request ${optionalString (cfg.pingLimit != null) "limit rate ${cfg.pingLimit}"} accept comment "allow ping" + ''} + + icmpv6 type != { nd-redirect, 139 } accept comment "Accept all ICMPv6 messages except redirects and node information queries (type 139). See RFC 4890, section 4.4." + ip6 daddr fe80::/64 udp dport 546 accept comment "DHCPv6 client" + + ${cfg.extraInputRules} + + } + + ${optionalString cfg.filterForward '' + chain forward { + type filter hook forward priority filter; policy drop; + + ct state vmap { invalid : drop, established : accept, related : accept, * : jump forward-allow } comment "*: new and untracked" + + } + + chain forward-allow { + + icmpv6 type != { router-renumbering, 139 } accept comment "Accept all ICMPv6 messages except renumbering and node information queries (type 139). See RFC 4890, section 4.3." + + ct status dnat accept comment "allow port forward" + + ${cfg.extraForwardRules} + + } + ''} + + } + + ''; + + }; + +} diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index 0242a3780ffc5..4e332d489e4dc 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -1,35 +1,3 @@ -/* This module enables a simple firewall. - - The firewall can be customised in arbitrary ways by setting - ‘networking.firewall.extraCommands’. For modularity, the firewall - uses several chains: - - - ‘nixos-fw’ is the main chain for input packet processing. - - - ‘nixos-fw-accept’ is called for accepted packets. If you want - additional logging, or want to reject certain packets anyway, you - can insert rules at the start of this chain. - - - ‘nixos-fw-log-refuse’ and ‘nixos-fw-refuse’ are called for - refused packets. (The former jumps to the latter after logging - the packet.) If you want additional logging, or want to accept - certain packets anyway, you can insert rules at the start of - this chain. - - - ‘nixos-fw-rpfilter’ is used as the main chain in the mangle table, - called from the built-in ‘PREROUTING’ chain. If the kernel - supports it and `cfg.checkReversePath` is set this chain will - perform a reverse path filter test. - - - ‘nixos-drop’ is used while reloading the firewall in order to drop - all traffic. Since reloading isn't implemented in an atomic way - this'll prevent any traffic from leaking through while reloading - the firewall. However, if the reloading fails, the ‘firewall-stop’ - script will be called which in return will effectively disable the - complete firewall (in the default configuration). - -*/ - { config, lib, pkgs, ... }: with lib; @@ -38,216 +6,6 @@ let cfg = config.networking.firewall; - inherit (config.boot.kernelPackages) kernel; - - kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false); - - helpers = import ./helpers.nix { inherit config lib; }; - - writeShScript = name: text: let dir = pkgs.writeScriptBin name '' - #! ${pkgs.runtimeShell} -e - ${text} - ''; in "${dir}/bin/${name}"; - - defaultInterface = { default = mapAttrs (name: value: cfg.${name}) commonOptions; }; - allInterfaces = defaultInterface // cfg.interfaces; - - startScript = writeShScript "firewall-start" '' - ${helpers} - - # Flush the old firewall rules. !!! Ideally, updating the - # firewall would be atomic. Apparently that's possible - # with iptables-restore. - ip46tables -D INPUT -j nixos-fw 2> /dev/null || true - for chain in nixos-fw nixos-fw-accept nixos-fw-log-refuse nixos-fw-refuse; do - ip46tables -F "$chain" 2> /dev/null || true - ip46tables -X "$chain" 2> /dev/null || true - done - - - # The "nixos-fw-accept" chain just accepts packets. - ip46tables -N nixos-fw-accept - ip46tables -A nixos-fw-accept -j ACCEPT - - - # The "nixos-fw-refuse" chain rejects or drops packets. - ip46tables -N nixos-fw-refuse - - ${if cfg.rejectPackets then '' - # Send a reset for existing TCP connections that we've - # somehow forgotten about. Send ICMP "port unreachable" - # for everything else. - ip46tables -A nixos-fw-refuse -p tcp ! --syn -j REJECT --reject-with tcp-reset - ip46tables -A nixos-fw-refuse -j REJECT - '' else '' - ip46tables -A nixos-fw-refuse -j DROP - ''} - - - # The "nixos-fw-log-refuse" chain performs logging, then - # jumps to the "nixos-fw-refuse" chain. - ip46tables -N nixos-fw-log-refuse - - ${optionalString cfg.logRefusedConnections '' - ip46tables -A nixos-fw-log-refuse -p tcp --syn -j LOG --log-level info --log-prefix "refused connection: " - ''} - ${optionalString (cfg.logRefusedPackets && !cfg.logRefusedUnicastsOnly) '' - ip46tables -A nixos-fw-log-refuse -m pkttype --pkt-type broadcast \ - -j LOG --log-level info --log-prefix "refused broadcast: " - ip46tables -A nixos-fw-log-refuse -m pkttype --pkt-type multicast \ - -j LOG --log-level info --log-prefix "refused multicast: " - ''} - ip46tables -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse - ${optionalString cfg.logRefusedPackets '' - ip46tables -A nixos-fw-log-refuse \ - -j LOG --log-level info --log-prefix "refused packet: " - ''} - ip46tables -A nixos-fw-log-refuse -j nixos-fw-refuse - - - # The "nixos-fw" chain does the actual work. - ip46tables -N nixos-fw - - # Clean up rpfilter rules - ip46tables -t mangle -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true - ip46tables -t mangle -F nixos-fw-rpfilter 2> /dev/null || true - ip46tables -t mangle -X nixos-fw-rpfilter 2> /dev/null || true - - ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) '' - # Perform a reverse-path test to refuse spoofers - # For now, we just drop, as the mangle table doesn't have a log-refuse yet - ip46tables -t mangle -N nixos-fw-rpfilter 2> /dev/null || true - ip46tables -t mangle -A nixos-fw-rpfilter -m rpfilter --validmark ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN - - # Allows this host to act as a DHCP4 client without first having to use APIPA - iptables -t mangle -A nixos-fw-rpfilter -p udp --sport 67 --dport 68 -j RETURN - - # Allows this host to act as a DHCPv4 server - iptables -t mangle -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN - - ${optionalString cfg.logReversePathDrops '' - ip46tables -t mangle -A nixos-fw-rpfilter -j LOG --log-level info --log-prefix "rpfilter drop: " - ''} - ip46tables -t mangle -A nixos-fw-rpfilter -j DROP - - ip46tables -t mangle -A PREROUTING -j nixos-fw-rpfilter - ''} - - # Accept all traffic on the trusted interfaces. - ${flip concatMapStrings cfg.trustedInterfaces (iface: '' - ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept - '')} - - # Accept packets from established or related connections. - ip46tables -A nixos-fw -m conntrack --ctstate ESTABLISHED,RELATED -j nixos-fw-accept - - # Accept connections to the allowed TCP ports. - ${concatStrings (mapAttrsToList (iface: cfg: - concatMapStrings (port: - '' - ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} - '' - ) cfg.allowedTCPPorts - ) allInterfaces)} - - # Accept connections to the allowed TCP port ranges. - ${concatStrings (mapAttrsToList (iface: cfg: - concatMapStrings (rangeAttr: - let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in - '' - ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} - '' - ) cfg.allowedTCPPortRanges - ) allInterfaces)} - - # Accept packets on the allowed UDP ports. - ${concatStrings (mapAttrsToList (iface: cfg: - concatMapStrings (port: - '' - ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} - '' - ) cfg.allowedUDPPorts - ) allInterfaces)} - - # Accept packets on the allowed UDP port ranges. - ${concatStrings (mapAttrsToList (iface: cfg: - concatMapStrings (rangeAttr: - let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in - '' - ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} - '' - ) cfg.allowedUDPPortRanges - ) allInterfaces)} - - # Optionally respond to ICMPv4 pings. - ${optionalString cfg.allowPing '' - iptables -w -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null) - "-m limit ${cfg.pingLimit} " - }-j nixos-fw-accept - ''} - - ${optionalString config.networking.enableIPv6 '' - # Accept all ICMPv6 messages except redirects and node - # information queries (type 139). See RFC 4890, section - # 4.4. - ip6tables -A nixos-fw -p icmpv6 --icmpv6-type redirect -j DROP - ip6tables -A nixos-fw -p icmpv6 --icmpv6-type 139 -j DROP - ip6tables -A nixos-fw -p icmpv6 -j nixos-fw-accept - - # Allow this host to act as a DHCPv6 client - ip6tables -A nixos-fw -d fe80::/64 -p udp --dport 546 -j nixos-fw-accept - ''} - - ${cfg.extraCommands} - - # Reject/drop everything else. - ip46tables -A nixos-fw -j nixos-fw-log-refuse - - - # Enable the firewall. - ip46tables -A INPUT -j nixos-fw - ''; - - stopScript = writeShScript "firewall-stop" '' - ${helpers} - - # Clean up in case reload fails - ip46tables -D INPUT -j nixos-drop 2>/dev/null || true - - # Clean up after added ruleset - ip46tables -D INPUT -j nixos-fw 2>/dev/null || true - - ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) '' - ip46tables -t mangle -D PREROUTING -j nixos-fw-rpfilter 2>/dev/null || true - ''} - - ${cfg.extraStopCommands} - ''; - - reloadScript = writeShScript "firewall-reload" '' - ${helpers} - - # Create a unique drop rule - ip46tables -D INPUT -j nixos-drop 2>/dev/null || true - ip46tables -F nixos-drop 2>/dev/null || true - ip46tables -X nixos-drop 2>/dev/null || true - ip46tables -N nixos-drop - ip46tables -A nixos-drop -j DROP - - # Don't allow traffic to leak out until the script has completed - ip46tables -A INPUT -j nixos-drop - - ${cfg.extraStopCommands} - - if ${startScript}; then - ip46tables -D INPUT -j nixos-drop 2>/dev/null || true - else - echo "Failed to reload firewall... Stopping" - ${stopScript} - exit 1 - fi - ''; - canonicalizePortList = ports: lib.unique (builtins.sort builtins.lessThan ports); @@ -257,22 +15,20 @@ let default = [ ]; apply = canonicalizePortList; example = [ 22 80 ]; - description = - lib.mdDoc '' - List of TCP ports on which incoming connections are - accepted. - ''; + description = lib.mdDoc '' + List of TCP ports on which incoming connections are + accepted. + ''; }; allowedTCPPortRanges = mkOption { type = types.listOf (types.attrsOf types.port); default = [ ]; - example = [ { from = 8999; to = 9003; } ]; - description = - lib.mdDoc '' - A range of TCP ports on which incoming connections are - accepted. - ''; + example = [{ from = 8999; to = 9003; }]; + description = lib.mdDoc '' + A range of TCP ports on which incoming connections are + accepted. + ''; }; allowedUDPPorts = mkOption { @@ -280,20 +36,18 @@ let default = [ ]; apply = canonicalizePortList; example = [ 53 ]; - description = - lib.mdDoc '' - List of open UDP ports. - ''; + description = lib.mdDoc '' + List of open UDP ports. + ''; }; allowedUDPPortRanges = mkOption { type = types.listOf (types.attrsOf types.port); default = [ ]; - example = [ { from = 60000; to = 61000; } ]; - description = - lib.mdDoc '' - Range of open UDP ports. - ''; + example = [{ from = 60000; to = 61000; }]; + description = lib.mdDoc '' + Range of open UDP ports. + ''; }; }; @@ -301,240 +55,222 @@ in { - ###### interface - options = { networking.firewall = { enable = mkOption { type = types.bool; default = true; - description = - lib.mdDoc '' - Whether to enable the firewall. This is a simple stateful - firewall that blocks connection attempts to unauthorised TCP - or UDP ports on this machine. It does not affect packet - forwarding. - ''; + description = lib.mdDoc '' + Whether to enable the firewall. This is a simple stateful + firewall that blocks connection attempts to unauthorised TCP + or UDP ports on this machine. + ''; }; package = mkOption { type = types.package; - default = pkgs.iptables; - defaultText = literalExpression "pkgs.iptables"; + default = if config.networking.nftables.enable then pkgs.nftables else pkgs.iptables; + defaultText = literalExpression ''if config.networking.nftables.enable then "pkgs.nftables" else "pkgs.iptables"''; example = literalExpression "pkgs.iptables-legacy"; - description = - lib.mdDoc '' - The iptables package to use for running the firewall service." - ''; + description = lib.mdDoc '' + The package to use for running the firewall service. + ''; }; logRefusedConnections = mkOption { type = types.bool; default = true; - description = - lib.mdDoc '' - Whether to log rejected or dropped incoming connections. - Note: The logs are found in the kernel logs, i.e. dmesg - or journalctl -k. - ''; + description = lib.mdDoc '' + Whether to log rejected or dropped incoming connections. + Note: The logs are found in the kernel logs, i.e. dmesg + or journalctl -k. + ''; }; logRefusedPackets = mkOption { type = types.bool; default = false; - description = - lib.mdDoc '' - Whether to log all rejected or dropped incoming packets. - This tends to give a lot of log messages, so it's mostly - useful for debugging. - Note: The logs are found in the kernel logs, i.e. dmesg - or journalctl -k. - ''; + description = lib.mdDoc '' + Whether to log all rejected or dropped incoming packets. + This tends to give a lot of log messages, so it's mostly + useful for debugging. + Note: The logs are found in the kernel logs, i.e. dmesg + or journalctl -k. + ''; }; logRefusedUnicastsOnly = mkOption { type = types.bool; default = true; - description = - lib.mdDoc '' - If {option}`networking.firewall.logRefusedPackets` - and this option are enabled, then only log packets - specifically directed at this machine, i.e., not broadcasts - or multicasts. - ''; + description = lib.mdDoc '' + If {option}`networking.firewall.logRefusedPackets` + and this option are enabled, then only log packets + specifically directed at this machine, i.e., not broadcasts + or multicasts. + ''; }; rejectPackets = mkOption { type = types.bool; default = false; - description = - lib.mdDoc '' - If set, refused packets are rejected rather than dropped - (ignored). This means that an ICMP "port unreachable" error - message is sent back to the client (or a TCP RST packet in - case of an existing connection). Rejecting packets makes - port scanning somewhat easier. - ''; + description = lib.mdDoc '' + If set, refused packets are rejected rather than dropped + (ignored). This means that an ICMP "port unreachable" error + message is sent back to the client (or a TCP RST packet in + case of an existing connection). Rejecting packets makes + port scanning somewhat easier. + ''; }; trustedInterfaces = mkOption { type = types.listOf types.str; default = [ ]; example = [ "enp0s2" ]; - description = - lib.mdDoc '' - Traffic coming in from these interfaces will be accepted - unconditionally. Traffic from the loopback (lo) interface - will always be accepted. - ''; + description = lib.mdDoc '' + Traffic coming in from these interfaces will be accepted + unconditionally. Traffic from the loopback (lo) interface + will always be accepted. + ''; }; allowPing = mkOption { type = types.bool; default = true; - description = - lib.mdDoc '' - Whether to respond to incoming ICMPv4 echo requests - ("pings"). ICMPv6 pings are always allowed because the - larger address space of IPv6 makes network scanning much - less effective. - ''; + description = lib.mdDoc '' + Whether to respond to incoming ICMPv4 echo requests + ("pings"). ICMPv6 pings are always allowed because the + larger address space of IPv6 makes network scanning much + less effective. + ''; }; pingLimit = mkOption { type = types.nullOr (types.separatedString " "); default = null; example = "--limit 1/minute --limit-burst 5"; - description = - lib.mdDoc '' - If pings are allowed, this allows setting rate limits - on them. If non-null, this option should be in the form of - flags like "--limit 1/minute --limit-burst 5" - ''; + description = lib.mdDoc '' + If pings are allowed, this allows setting rate limits on them. + + For the iptables based firewall, it should be set like + "--limit 1/minute --limit-burst 5". + + For the nftables based firewall, it should be set like + "2/second" or "1/minute burst 5 packets". + ''; }; checkReversePath = mkOption { - type = types.either types.bool (types.enum ["strict" "loose"]); - default = kernelHasRPFilter; - defaultText = literalMD "`true` if supported by the chosen kernel"; + type = types.either types.bool (types.enum [ "strict" "loose" ]); + default = true; + defaultText = literalMD "`true` except if the iptables based firewall is in use and the kernel lacks rpfilter support"; example = "loose"; - description = - lib.mdDoc '' - Performs a reverse path filter test on a packet. If a reply - to the packet would not be sent via the same interface that - the packet arrived on, it is refused. - - If using asymmetric routing or other complicated routing, set - this option to loose mode or disable it and setup your own - counter-measures. - - This option can be either true (or "strict"), "loose" (only - drop the packet if the source address is not reachable via any - interface) or false. Defaults to the value of - kernelHasRPFilter. - ''; + description = lib.mdDoc '' + Performs a reverse path filter test on a packet. If a reply + to the packet would not be sent via the same interface that + the packet arrived on, it is refused. + + If using asymmetric routing or other complicated routing, set + this option to loose mode or disable it and setup your own + counter-measures. + + This option can be either true (or "strict"), "loose" (only + drop the packet if the source address is not reachable via any + interface) or false. + ''; }; logReversePathDrops = mkOption { type = types.bool; default = false; - description = - lib.mdDoc '' - Logs dropped packets failing the reverse path filter test if - the option networking.firewall.checkReversePath is enabled. - ''; + description = lib.mdDoc '' + Logs dropped packets failing the reverse path filter test if + the option networking.firewall.checkReversePath is enabled. + ''; + }; + + filterForward = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Enable filtering in IP forwarding. + + This option only works with the nftables based firewall. + ''; }; connectionTrackingModules = mkOption { type = types.listOf types.str; default = [ ]; example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; - description = - lib.mdDoc '' - List of connection-tracking helpers that are auto-loaded. - The complete list of possible values is given in the example. - - As helpers can pose as a security risk, it is advised to - set this to an empty list and disable the setting - networking.firewall.autoLoadConntrackHelpers unless you - know what you are doing. Connection tracking is disabled - by default. - - Loading of helpers is recommended to be done through the - CT target. More info: - https://home.regit.org/netfilter-en/secure-use-of-helpers/ - ''; + description = lib.mdDoc '' + List of connection-tracking helpers that are auto-loaded. + The complete list of possible values is given in the example. + + As helpers can pose as a security risk, it is advised to + set this to an empty list and disable the setting + networking.firewall.autoLoadConntrackHelpers unless you + know what you are doing. Connection tracking is disabled + by default. + + Loading of helpers is recommended to be done through the + CT target. More info: + https://home.regit.org/netfilter-en/secure-use-of-helpers/ + ''; }; autoLoadConntrackHelpers = mkOption { type = types.bool; default = false; - description = - lib.mdDoc '' - Whether to auto-load connection-tracking helpers. - See the description at networking.firewall.connectionTrackingModules - - (needs kernel 3.5+) - ''; - }; + description = lib.mdDoc '' + Whether to auto-load connection-tracking helpers. + See the description at networking.firewall.connectionTrackingModules - extraCommands = mkOption { - type = types.lines; - default = ""; - example = "iptables -A INPUT -p icmp -j ACCEPT"; - description = - lib.mdDoc '' - Additional shell commands executed as part of the firewall - initialisation script. These are executed just before the - final "reject" firewall rule is added, so they can be used - to allow packets that would otherwise be refused. - ''; + (needs kernel 3.5+) + ''; }; extraPackages = mkOption { type = types.listOf types.package; default = [ ]; example = literalExpression "[ pkgs.ipset ]"; - description = - lib.mdDoc '' - Additional packages to be included in the environment of the system - as well as the path of networking.firewall.extraCommands. - ''; - }; - - extraStopCommands = mkOption { - type = types.lines; - default = ""; - example = "iptables -P INPUT ACCEPT"; - description = - lib.mdDoc '' - Additional shell commands executed as part of the firewall - shutdown script. These are executed just after the removal - of the NixOS input rule, or if the service enters a failed - state. - ''; + description = lib.mdDoc '' + Additional packages to be included in the environment of the system + as well as the path of networking.firewall.extraCommands. + ''; }; interfaces = mkOption { default = { }; - type = with types; attrsOf (submodule [ { options = commonOptions; } ]); - description = - lib.mdDoc '' - Interface-specific open ports. - ''; + type = with types; attrsOf (submodule [{ options = commonOptions; }]); + description = lib.mdDoc '' + Interface-specific open ports. + ''; + }; + + allInterfaces = mkOption { + internal = true; + visible = false; + default = { default = mapAttrs (name: value: cfg.${name}) commonOptions; } // cfg.interfaces; + type = with types; attrsOf (submodule [{ options = commonOptions; }]); + description = lib.mdDoc '' + All open ports. + ''; }; } // commonOptions; }; - ###### implementation - - # FIXME: Maybe if `enable' is false, the firewall should still be - # built but not started by default? config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.filterForward -> config.networking.nftables.enable; + message = "filterForward only works with the nftables based firewall"; + } + ]; + networking.firewall.trustedInterfaces = [ "lo" ]; environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages; @@ -545,40 +281,6 @@ in options nf_conntrack nf_conntrack_helper=1 ''; - assertions = [ - # This is approximately "checkReversePath -> kernelHasRPFilter", - # but the checkReversePath option can include non-boolean - # values. - { assertion = cfg.checkReversePath == false || kernelHasRPFilter; - message = "This kernel does not support rpfilter"; } - ]; - - systemd.services.firewall = { - description = "Firewall"; - wantedBy = [ "sysinit.target" ]; - wants = [ "network-pre.target" ]; - before = [ "network-pre.target" ]; - after = [ "systemd-modules-load.service" ]; - - path = [ cfg.package ] ++ cfg.extraPackages; - - # FIXME: this module may also try to load kernel modules, but - # containers don't have CAP_SYS_MODULE. So the host system had - # better have all necessary modules already loaded. - unitConfig.ConditionCapability = "CAP_NET_ADMIN"; - unitConfig.DefaultDependencies = false; - - reloadIfChanged = true; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStart = "@${startScript} firewall-start"; - ExecReload = "@${reloadScript} firewall-reload"; - ExecStop = "@${stopScript} firewall-stop"; - }; - }; - }; } diff --git a/nixos/modules/services/networking/hans.nix b/nixos/modules/services/networking/hans.nix index ffb2ee841c64d..3ea95b3bdae97 100644 --- a/nixos/modules/services/networking/hans.nix +++ b/nixos/modules/services/networking/hans.nix @@ -55,7 +55,7 @@ in passwordFile = mkOption { type = types.str; default = ""; - description = lib.mdDoc "File that containts password"; + description = lib.mdDoc "File that contains password"; }; }; @@ -92,7 +92,7 @@ in passwordFile = mkOption { type = types.str; default = ""; - description = lib.mdDoc "File that containts password"; + description = lib.mdDoc "File that contains password"; }; }; diff --git a/nixos/modules/services/networking/headscale.nix b/nixos/modules/services/networking/headscale.nix index 0334c5a00bab5..cc46819eed5a6 100644 --- a/nixos/modules/services/networking/headscale.nix +++ b/nixos/modules/services/networking/headscale.nix @@ -1,15 +1,18 @@ -{ config, lib, pkgs, ... }: -with lib; -let +{ + config, + lib, + pkgs, + ... +}: +with lib; let cfg = config.services.headscale; dataDir = "/var/lib/headscale"; runDir = "/run/headscale"; - settingsFormat = pkgs.formats.yaml { }; + settingsFormat = pkgs.formats.yaml {}; configFile = settingsFormat.generate "headscale.yaml" cfg.settings; -in -{ +in { options = { services.headscale = { enable = mkEnableOption (lib.mdDoc "headscale, Open Source coordination server for Tailscale"); @@ -51,15 +54,6 @@ in ''; }; - serverUrl = mkOption { - type = types.str; - default = "http://127.0.0.1:8080"; - description = lib.mdDoc '' - The url clients will connect to. - ''; - example = "https://myheadscale.example.com:443"; - }; - address = mkOption { type = types.str; default = "127.0.0.1"; @@ -78,337 +72,346 @@ in example = 443; }; - privateKeyFile = mkOption { - type = types.path; - default = "${dataDir}/private.key"; - description = lib.mdDoc '' - Path to private key file, generated automatically if it does not exist. - ''; - }; - - derp = { - urls = mkOption { - type = types.listOf types.str; - default = [ "https://controlplane.tailscale.com/derpmap/default" ]; - description = lib.mdDoc '' - List of urls containing DERP maps. - See [How Tailscale works](https://tailscale.com/blog/how-tailscale-works/) for more information on DERP maps. - ''; - }; - - paths = mkOption { - type = types.listOf types.path; - default = [ ]; - description = lib.mdDoc '' - List of file paths containing DERP maps. - See [How Tailscale works](https://tailscale.com/blog/how-tailscale-works/) for more information on DERP maps. - ''; - }; - - - autoUpdate = mkOption { - type = types.bool; - default = true; - description = lib.mdDoc '' - Whether to automatically update DERP maps on a set frequency. - ''; - example = false; - }; - - updateFrequency = mkOption { - type = types.str; - default = "24h"; - description = lib.mdDoc '' - Frequency to update DERP maps. - ''; - example = "5m"; - }; - - }; - - ephemeralNodeInactivityTimeout = mkOption { - type = types.str; - default = "30m"; - description = lib.mdDoc '' - Time before an inactive ephemeral node is deleted. - ''; - example = "5m"; - }; - - database = { - type = mkOption { - type = types.enum [ "sqlite3" "postgres" ]; - example = "postgres"; - default = "sqlite3"; - description = lib.mdDoc "Database engine to use."; - }; - - host = mkOption { - type = types.nullOr types.str; - default = null; - example = "127.0.0.1"; - description = lib.mdDoc "Database host address."; - }; - - port = mkOption { - type = types.nullOr types.port; - default = null; - example = 3306; - description = lib.mdDoc "Database host port."; - }; - - name = mkOption { - type = types.nullOr types.str; - default = null; - example = "headscale"; - description = lib.mdDoc "Database name."; - }; - - user = mkOption { - type = types.nullOr types.str; - default = null; - example = "headscale"; - description = lib.mdDoc "Database user."; - }; - - passwordFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/run/keys/headscale-dbpassword"; - description = lib.mdDoc '' - A file containing the password corresponding to - {option}`database.user`. - ''; - }; - - path = mkOption { - type = types.nullOr types.str; - default = "${dataDir}/db.sqlite"; - description = lib.mdDoc "Path to the sqlite3 database file."; - }; - }; - - logLevel = mkOption { - type = types.str; - default = "info"; - description = lib.mdDoc '' - headscale log level. - ''; - example = "debug"; - }; - - dns = { - nameservers = mkOption { - type = types.listOf types.str; - default = [ "1.1.1.1" ]; - description = lib.mdDoc '' - List of nameservers to pass to Tailscale clients. - ''; - }; - - domains = mkOption { - type = types.listOf types.str; - default = [ ]; - description = lib.mdDoc '' - Search domains to inject to Tailscale clients. - ''; - example = [ "mydomain.internal" ]; - }; - - magicDns = mkOption { - type = types.bool; - default = true; - description = lib.mdDoc '' - Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/). - Only works if there is at least a nameserver defined. - ''; - example = false; - }; - - baseDomain = mkOption { - type = types.str; - default = ""; - description = lib.mdDoc '' - Defines the base domain to create the hostnames for MagicDNS. - {option}`baseDomain` must be a FQDNs, without the trailing dot. - The FQDN of the hosts will be - `hostname.namespace.base_domain` (e.g. - `myhost.mynamespace.example.com`). - ''; - }; - }; - - openIdConnect = { - issuer = mkOption { - type = types.str; - default = ""; - description = lib.mdDoc '' - URL to OpenID issuer. - ''; - example = "https://openid.example.com"; - }; - - clientId = mkOption { - type = types.str; - default = ""; - description = lib.mdDoc '' - OpenID Connect client ID. - ''; - }; - - clientSecretFile = mkOption { - type = types.nullOr types.path; - default = null; - description = lib.mdDoc '' - Path to OpenID Connect client secret file. - ''; - }; - - domainMap = mkOption { - type = types.attrsOf types.str; - default = { }; - description = lib.mdDoc '' - Domain map is used to map incomming users (by their email) to - a namespace. The key can be a string, or regex. - ''; - example = { - ".*" = "default-namespace"; - }; - }; - - }; - - tls = { - letsencrypt = { - hostname = mkOption { - type = types.nullOr types.str; - default = ""; - description = lib.mdDoc '' - Domain name to request a TLS certificate for. - ''; - }; - challengeType = mkOption { - type = types.enum [ "TLS-ALPN-01" "HTTP-01" ]; - default = "HTTP-01"; - description = lib.mdDoc '' - Type of ACME challenge to use, currently supported types: - `HTTP-01` or `TLS-ALPN-01`. - ''; - }; - httpListen = mkOption { - type = types.nullOr types.str; - default = ":http"; - description = lib.mdDoc '' - When HTTP-01 challenge is chosen, letsencrypt must set up a - verification endpoint, and it will be listening on: - `:http = port 80`. - ''; - }; - }; - - certFile = mkOption { - type = types.nullOr types.path; - default = null; - description = lib.mdDoc '' - Path to already created certificate. - ''; - }; - keyFile = mkOption { - type = types.nullOr types.path; - default = null; - description = lib.mdDoc '' - Path to key for already created certificate. - ''; - }; - }; - - aclPolicyFile = mkOption { - type = types.nullOr types.path; - default = null; - description = lib.mdDoc '' - Path to a file containg ACL policies. - ''; - }; - settings = mkOption { - type = settingsFormat.type; - default = { }; description = lib.mdDoc '' Overrides to {file}`config.yaml` as a Nix attribute set. - This option is ideal for overriding settings not exposed as Nix options. Check the [example config](https://github.com/juanfont/headscale/blob/main/config-example.yaml) for possible options. ''; + type = types.submodule { + freeformType = settingsFormat.type; + + options = { + server_url = mkOption { + type = types.str; + default = "http://127.0.0.1:8080"; + description = lib.mdDoc '' + The url clients will connect to. + ''; + example = "https://myheadscale.example.com:443"; + }; + + private_key_path = mkOption { + type = types.path; + default = "${dataDir}/private.key"; + description = lib.mdDoc '' + Path to private key file, generated automatically if it does not exist. + ''; + }; + + noise.private_key_path = mkOption { + type = types.path; + default = "${dataDir}/noise_private.key"; + description = lib.mdDoc '' + Path to noise private key file, generated automatically if it does not exist. + ''; + }; + + derp = { + urls = mkOption { + type = types.listOf types.str; + default = ["https://controlplane.tailscale.com/derpmap/default"]; + description = lib.mdDoc '' + List of urls containing DERP maps. + See [How Tailscale works](https://tailscale.com/blog/how-tailscale-works/) for more information on DERP maps. + ''; + }; + + paths = mkOption { + type = types.listOf types.path; + default = []; + description = lib.mdDoc '' + List of file paths containing DERP maps. + See [How Tailscale works](https://tailscale.com/blog/how-tailscale-works/) for more information on DERP maps. + ''; + }; + + auto_update_enable = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Whether to automatically update DERP maps on a set frequency. + ''; + example = false; + }; + + update_frequency = mkOption { + type = types.str; + default = "24h"; + description = lib.mdDoc '' + Frequency to update DERP maps. + ''; + example = "5m"; + }; + }; + + ephemeral_node_inactivity_timeout = mkOption { + type = types.str; + default = "30m"; + description = lib.mdDoc '' + Time before an inactive ephemeral node is deleted. + ''; + example = "5m"; + }; + + db_type = mkOption { + type = types.enum ["sqlite3" "postgres"]; + example = "postgres"; + default = "sqlite3"; + description = lib.mdDoc "Database engine to use."; + }; + + db_host = mkOption { + type = types.nullOr types.str; + default = null; + example = "127.0.0.1"; + description = lib.mdDoc "Database host address."; + }; + + db_port = mkOption { + type = types.nullOr types.port; + default = null; + example = 3306; + description = lib.mdDoc "Database host port."; + }; + + db_name = mkOption { + type = types.nullOr types.str; + default = null; + example = "headscale"; + description = lib.mdDoc "Database name."; + }; + + db_user = mkOption { + type = types.nullOr types.str; + default = null; + example = "headscale"; + description = lib.mdDoc "Database user."; + }; + + db_password_file = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/headscale-dbpassword"; + description = lib.mdDoc '' + A file containing the password corresponding to + {option}`database.user`. + ''; + }; + + db_path = mkOption { + type = types.nullOr types.str; + default = "${dataDir}/db.sqlite"; + description = lib.mdDoc "Path to the sqlite3 database file."; + }; + + log.level = mkOption { + type = types.str; + default = "info"; + description = lib.mdDoc '' + headscale log level. + ''; + example = "debug"; + }; + + log.format = mkOption { + type = types.str; + default = "text"; + description = lib.mdDoc '' + headscale log format. + ''; + example = "json"; + }; + + dns_config = { + nameservers = mkOption { + type = types.listOf types.str; + default = ["1.1.1.1"]; + description = lib.mdDoc '' + List of nameservers to pass to Tailscale clients. + ''; + }; + + override_local_dns = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to use [Override local DNS](https://tailscale.com/kb/1054/dns/). + ''; + example = true; + }; + + domains = mkOption { + type = types.listOf types.str; + default = []; + description = lib.mdDoc '' + Search domains to inject to Tailscale clients. + ''; + example = ["mydomain.internal"]; + }; + + magic_dns = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/). + Only works if there is at least a nameserver defined. + ''; + example = false; + }; + + base_domain = mkOption { + type = types.str; + default = ""; + description = lib.mdDoc '' + Defines the base domain to create the hostnames for MagicDNS. + {option}`baseDomain` must be a FQDNs, without the trailing dot. + The FQDN of the hosts will be + `hostname.namespace.base_domain` (e.g. + `myhost.mynamespace.example.com`). + ''; + }; + }; + + oidc = { + issuer = mkOption { + type = types.str; + default = ""; + description = lib.mdDoc '' + URL to OpenID issuer. + ''; + example = "https://openid.example.com"; + }; + + client_id = mkOption { + type = types.str; + default = ""; + description = lib.mdDoc '' + OpenID Connect client ID. + ''; + }; + + client_secret_file = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc '' + Path to OpenID Connect client secret file. + ''; + }; + + domain_map = mkOption { + type = types.attrsOf types.str; + default = {}; + description = lib.mdDoc '' + Domain map is used to map incomming users (by their email) to + a namespace. The key can be a string, or regex. + ''; + example = { + ".*" = "default-namespace"; + }; + }; + }; + + tls_letsencrypt_hostname = mkOption { + type = types.nullOr types.str; + default = ""; + description = lib.mdDoc '' + Domain name to request a TLS certificate for. + ''; + }; + + tls_letsencrypt_challenge_type = mkOption { + type = types.enum ["TLS-ALPN-01" "HTTP-01"]; + default = "HTTP-01"; + description = lib.mdDoc '' + Type of ACME challenge to use, currently supported types: + `HTTP-01` or `TLS-ALPN-01`. + ''; + }; + + tls_letsencrypt_listen = mkOption { + type = types.nullOr types.str; + default = ":http"; + description = lib.mdDoc '' + When HTTP-01 challenge is chosen, letsencrypt must set up a + verification endpoint, and it will be listening on: + `:http = port 80`. + ''; + }; + + tls_cert_path = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc '' + Path to already created certificate. + ''; + }; + + tls_key_path = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc '' + Path to key for already created certificate. + ''; + }; + + acl_policy_path = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc '' + Path to a file containg ACL policies. + ''; + }; + }; + }; }; - - }; - }; - config = mkIf cfg.enable { + imports = [ + # TODO address + port = listen_addr + (mkRenamedOptionModule ["services" "headscale" "serverUrl"] ["services" "headscale" "settings" "server_url"]) + (mkRenamedOptionModule ["services" "headscale" "privateKeyFile"] ["services" "headscale" "settings" "private_key_path"]) + (mkRenamedOptionModule ["services" "headscale" "derp" "urls"] ["services" "headscale" "settings" "derp" "urls"]) + (mkRenamedOptionModule ["services" "headscale" "derp" "paths"] ["services" "headscale" "settings" "derp" "paths"]) + (mkRenamedOptionModule ["services" "headscale" "derp" "autoUpdate"] ["services" "headscale" "settings" "derp" "auto_update_enable"]) + (mkRenamedOptionModule ["services" "headscale" "derp" "updateFrequency"] ["services" "headscale" "settings" "derp" "update_frequency"]) + (mkRenamedOptionModule ["services" "headscale" "ephemeralNodeInactivityTimeout"] ["services" "headscale" "settings" "ephemeral_node_inactivity_timeout"]) + (mkRenamedOptionModule ["services" "headscale" "database" "type"] ["services" "headscale" "settings" "db_type"]) + (mkRenamedOptionModule ["services" "headscale" "database" "path"] ["services" "headscale" "settings" "db_path"]) + (mkRenamedOptionModule ["services" "headscale" "database" "host"] ["services" "headscale" "settings" "db_host"]) + (mkRenamedOptionModule ["services" "headscale" "database" "port"] ["services" "headscale" "settings" "db_port"]) + (mkRenamedOptionModule ["services" "headscale" "database" "name"] ["services" "headscale" "settings" "db_name"]) + (mkRenamedOptionModule ["services" "headscale" "database" "user"] ["services" "headscale" "settings" "db_user"]) + (mkRenamedOptionModule ["services" "headscale" "database" "passwordFile"] ["services" "headscale" "settings" "db_password_file"]) + (mkRenamedOptionModule ["services" "headscale" "logLevel"] ["services" "headscale" "settings" "log" "level"]) + (mkRenamedOptionModule ["services" "headscale" "dns" "nameservers"] ["services" "headscale" "settings" "dns_config" "nameservers"]) + (mkRenamedOptionModule ["services" "headscale" "dns" "domains"] ["services" "headscale" "settings" "dns_config" "domains"]) + (mkRenamedOptionModule ["services" "headscale" "dns" "magicDns"] ["services" "headscale" "settings" "dns_config" "magic_dns"]) + (mkRenamedOptionModule ["services" "headscale" "dns" "baseDomain"] ["services" "headscale" "settings" "dns_config" "base_domain"]) + (mkRenamedOptionModule ["services" "headscale" "openIdConnect" "issuer"] ["services" "headscale" "settings" "oidc" "issuer"]) + (mkRenamedOptionModule ["services" "headscale" "openIdConnect" "clientId"] ["services" "headscale" "settings" "oidc" "client_id"]) + (mkRenamedOptionModule ["services" "headscale" "openIdConnect" "clientSecretFile"] ["services" "headscale" "settings" "oidc" "client_secret_file"]) + (mkRenamedOptionModule ["services" "headscale" "openIdConnect" "domainMap"] ["services" "headscale" "settings" "oidc" "domain_map"]) + (mkRenamedOptionModule ["services" "headscale" "tls" "letsencrypt" "hostname"] ["services" "headscale" "settings" "tls_letsencrypt_hostname"]) + (mkRenamedOptionModule ["services" "headscale" "tls" "letsencrypt" "challengeType"] ["services" "headscale" "settings" "tls_letsencrypt_challenge_type"]) + (mkRenamedOptionModule ["services" "headscale" "tls" "letsencrypt" "httpListen"] ["services" "headscale" "settings" "tls_letsencrypt_listen"]) + (mkRenamedOptionModule ["services" "headscale" "tls" "certFile"] ["services" "headscale" "settings" "tls_cert_path"]) + (mkRenamedOptionModule ["services" "headscale" "tls" "keyFile"] ["services" "headscale" "settings" "tls_key_path"]) + (mkRenamedOptionModule ["services" "headscale" "aclPolicyFile"] ["services" "headscale" "settings" "acl_policy_path"]) + ]; + + config = mkIf cfg.enable { services.headscale.settings = { - server_url = mkDefault cfg.serverUrl; listen_addr = mkDefault "${cfg.address}:${toString cfg.port}"; - private_key_path = mkDefault cfg.privateKeyFile; - - derp = { - urls = mkDefault cfg.derp.urls; - paths = mkDefault cfg.derp.paths; - auto_update_enable = mkDefault cfg.derp.autoUpdate; - update_frequency = mkDefault cfg.derp.updateFrequency; - }; - # Turn off update checks since the origin of our package # is nixpkgs and not Github. disable_check_updates = true; - ephemeral_node_inactivity_timeout = mkDefault cfg.ephemeralNodeInactivityTimeout; - - db_type = mkDefault cfg.database.type; - db_path = mkDefault cfg.database.path; - - log_level = mkDefault cfg.logLevel; - - dns_config = { - nameservers = mkDefault cfg.dns.nameservers; - domains = mkDefault cfg.dns.domains; - magic_dns = mkDefault cfg.dns.magicDns; - base_domain = mkDefault cfg.dns.baseDomain; - }; - unix_socket = "${runDir}/headscale.sock"; - # OpenID Connect - oidc = { - issuer = mkDefault cfg.openIdConnect.issuer; - client_id = mkDefault cfg.openIdConnect.clientId; - domain_map = mkDefault cfg.openIdConnect.domainMap; - }; - tls_letsencrypt_cache_dir = "${dataDir}/.cache"; - - } // optionalAttrs (cfg.database.host != null) { - db_host = mkDefault cfg.database.host; - } // optionalAttrs (cfg.database.port != null) { - db_port = mkDefault cfg.database.port; - } // optionalAttrs (cfg.database.name != null) { - db_name = mkDefault cfg.database.name; - } // optionalAttrs (cfg.database.user != null) { - db_user = mkDefault cfg.database.user; - } // optionalAttrs (cfg.tls.letsencrypt.hostname != null) { - tls_letsencrypt_hostname = mkDefault cfg.tls.letsencrypt.hostname; - } // optionalAttrs (cfg.tls.letsencrypt.challengeType != null) { - tls_letsencrypt_challenge_type = mkDefault cfg.tls.letsencrypt.challengeType; - } // optionalAttrs (cfg.tls.letsencrypt.httpListen != null) { - tls_letsencrypt_listen = mkDefault cfg.tls.letsencrypt.httpListen; - } // optionalAttrs (cfg.tls.certFile != null) { - tls_cert_path = mkDefault cfg.tls.certFile; - } // optionalAttrs (cfg.tls.keyFile != null) { - tls_key_path = mkDefault cfg.tls.keyFile; - } // optionalAttrs (cfg.aclPolicyFile != null) { - acl_policy_path = mkDefault cfg.aclPolicyFile; }; # Setup the headscale configuration in a known path in /etc to @@ -416,7 +419,7 @@ in # for communication. environment.etc."headscale/config.yaml".source = configFile; - users.groups.headscale = mkIf (cfg.group == "headscale") { }; + users.groups.headscale = mkIf (cfg.group == "headscale") {}; users.users.headscale = mkIf (cfg.user == "headscale") { description = "headscale user"; @@ -427,70 +430,68 @@ in systemd.services.headscale = { description = "headscale coordination server for Tailscale"; - after = [ "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; - restartTriggers = [ configFile ]; + after = ["network-online.target"]; + wantedBy = ["multi-user.target"]; + restartTriggers = [configFile]; environment.GIN_MODE = "release"; script = '' - ${optionalString (cfg.database.passwordFile != null) '' - export HEADSCALE_DB_PASS="$(head -n1 ${escapeShellArg cfg.database.passwordFile})" + ${optionalString (cfg.settings.db_password_file != null) '' + export HEADSCALE_DB_PASS="$(head -n1 ${escapeShellArg cfg.settings.db_password_file})" ''} - ${optionalString (cfg.openIdConnect.clientSecretFile != null) '' - export HEADSCALE_OIDC_CLIENT_SECRET="$(head -n1 ${escapeShellArg cfg.openIdConnect.clientSecretFile})" + ${optionalString (cfg.settings.oidc.client_secret_file != null) '' + export HEADSCALE_OIDC_CLIENT_SECRET="$(head -n1 ${escapeShellArg cfg.settings.oidc.client_secret_file})" ''} exec ${cfg.package}/bin/headscale serve ''; - serviceConfig = - let - capabilityBoundingSet = [ "CAP_CHOWN" ] ++ optional (cfg.port < 1024) "CAP_NET_BIND_SERVICE"; - in - { - Restart = "always"; - Type = "simple"; - User = cfg.user; - Group = cfg.group; - - # Hardening options - RuntimeDirectory = "headscale"; - # Allow headscale group access so users can be added and use the CLI. - RuntimeDirectoryMode = "0750"; - - StateDirectory = "headscale"; - StateDirectoryMode = "0750"; - - ProtectSystem = "strict"; - ProtectHome = true; - PrivateTmp = true; - PrivateDevices = true; - ProtectKernelTunables = true; - ProtectControlGroups = true; - RestrictSUIDSGID = true; - PrivateMounts = true; - ProtectKernelModules = true; - ProtectKernelLogs = true; - ProtectHostname = true; - ProtectClock = true; - ProtectProc = "invisible"; - ProcSubset = "pid"; - RestrictNamespaces = true; - RemoveIPC = true; - UMask = "0077"; - - CapabilityBoundingSet = capabilityBoundingSet; - AmbientCapabilities = capabilityBoundingSet; - NoNewPrivileges = true; - LockPersonality = true; - RestrictRealtime = true; - SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ]; - SystemCallArchitectures = "native"; - RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX"; - }; + serviceConfig = let + capabilityBoundingSet = ["CAP_CHOWN"] ++ optional (cfg.port < 1024) "CAP_NET_BIND_SERVICE"; + in { + Restart = "always"; + Type = "simple"; + User = cfg.user; + Group = cfg.group; + + # Hardening options + RuntimeDirectory = "headscale"; + # Allow headscale group access so users can be added and use the CLI. + RuntimeDirectoryMode = "0750"; + + StateDirectory = "headscale"; + StateDirectoryMode = "0750"; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectHostname = true; + ProtectClock = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + RestrictNamespaces = true; + RemoveIPC = true; + UMask = "0077"; + + CapabilityBoundingSet = capabilityBoundingSet; + AmbientCapabilities = capabilityBoundingSet; + NoNewPrivileges = true; + LockPersonality = true; + RestrictRealtime = true; + SystemCallFilter = ["@system-service" "~@privileged" "@chown"]; + SystemCallArchitectures = "native"; + RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX"; + }; }; }; - meta.maintainers = with maintainers; [ kradalby ]; + meta.maintainers = with maintainers; [kradalby misterio77]; } diff --git a/nixos/modules/services/networking/hylafax/systemd.nix b/nixos/modules/services/networking/hylafax/systemd.nix index 4506bbbc5eb73..df6d0f49eec48 100644 --- a/nixos/modules/services/networking/hylafax/systemd.nix +++ b/nixos/modules/services/networking/hylafax/systemd.nix @@ -96,7 +96,7 @@ let hardenService = # Add some common systemd service hardening settings, # but allow each service (here) to override - # settings by explicitely setting those to `null`. + # settings by explicitly setting those to `null`. # More hardening would be nice but makes # customizing hylafax setups very difficult. # If at all, it should only be added along diff --git a/nixos/modules/services/networking/i2pd.nix b/nixos/modules/services/networking/i2pd.nix index b60cbe664b6f6..3f6cb97296b50 100644 --- a/nixos/modules/services/networking/i2pd.nix +++ b/nixos/modules/services/networking/i2pd.nix @@ -473,7 +473,7 @@ in type = with types; nullOr str; default = null; description = lib.mdDoc '' - Router Familiy to trust for first hops. + Router Family to trust for first hops. ''; }; @@ -495,7 +495,7 @@ in ntcp2.enable = mkEnableTrueOption "NTCP2"; ntcp2.published = mkEnableOption (lib.mdDoc "NTCP2 publication"); ntcp2.port = mkOption { - type = types.int; + type = types.port; default = 0; description = lib.mdDoc '' Port to listen for incoming NTCP2 connections (0=auto). diff --git a/nixos/modules/services/networking/iperf3.nix b/nixos/modules/services/networking/iperf3.nix index a70085bb1f5a1..0a204524e00fa 100644 --- a/nixos/modules/services/networking/iperf3.nix +++ b/nixos/modules/services/networking/iperf3.nix @@ -7,7 +7,7 @@ let port = mkOption { type = types.ints.u16; default = 5201; - description = lib.mdDoc "Server port to listen on for iperf3 client requsts."; + description = lib.mdDoc "Server port to listen on for iperf3 client requests."; }; affinity = mkOption { type = types.nullOr types.ints.unsigned; diff --git a/nixos/modules/services/networking/kea.nix b/nixos/modules/services/networking/kea.nix index f39b149dd609f..945f4113bd47d 100644 --- a/nixos/modules/services/networking/kea.nix +++ b/nixos/modules/services/networking/kea.nix @@ -47,7 +47,7 @@ in type = listOf str; default = []; description = lib.mdDoc '' - List of additonal arguments to pass to the daemon. + List of additional arguments to pass to the daemon. ''; }; @@ -86,7 +86,7 @@ in type = listOf str; default = []; description = lib.mdDoc '' - List of additonal arguments to pass to the daemon. + List of additional arguments to pass to the daemon. ''; }; @@ -146,7 +146,7 @@ in type = listOf str; default = []; description = lib.mdDoc '' - List of additonal arguments to pass to the daemon. + List of additional arguments to pass to the daemon. ''; }; @@ -207,7 +207,7 @@ in type = listOf str; default = []; description = lib.mdDoc '' - List of additonal arguments to pass to the daemon. + List of additional arguments to pass to the daemon. ''; }; diff --git a/nixos/modules/services/networking/keepalived/default.nix b/nixos/modules/services/networking/keepalived/default.nix index e9df08f00c37d..29fbea5545c36 100644 --- a/nixos/modules/services/networking/keepalived/default.nix +++ b/nixos/modules/services/networking/keepalived/default.nix @@ -84,13 +84,11 @@ let '' ) vrrpInstances); - virtualIpLine = (ip: - ip.addr + virtualIpLine = ip: ip.addr + optionalString (notNullOrEmpty ip.brd) " brd ${ip.brd}" + optionalString (notNullOrEmpty ip.dev) " dev ${ip.dev}" + optionalString (notNullOrEmpty ip.scope) " scope ${ip.scope}" - + optionalString (notNullOrEmpty ip.label) " label ${ip.label}" - ); + + optionalString (notNullOrEmpty ip.label) " label ${ip.label}"; notNullOrEmpty = s: !(s == null || s == ""); diff --git a/nixos/modules/services/networking/knot.nix b/nixos/modules/services/networking/knot.nix index ee7ea83456d49..e97195d829194 100644 --- a/nixos/modules/services/networking/knot.nix +++ b/nixos/modules/services/networking/knot.nix @@ -43,7 +43,7 @@ in { type = types.listOf types.str; default = []; description = lib.mdDoc '' - List of additional command line paramters for knotd + List of additional command line parameters for knotd ''; }; diff --git a/nixos/modules/services/networking/libreswan.nix b/nixos/modules/services/networking/libreswan.nix index b5df31c28d7cd..785729d8f742c 100644 --- a/nixos/modules/services/networking/libreswan.nix +++ b/nixos/modules/services/networking/libreswan.nix @@ -106,7 +106,7 @@ in type = types.bool; default = true; description = lib.mdDoc '' - Whether to disable send and accept redirects for all nework interfaces. + Whether to disable send and accept redirects for all network interfaces. See the Libreswan [ FAQ](https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F) page for why this is recommended. ''; diff --git a/nixos/modules/services/networking/lxd-image-server.nix b/nixos/modules/services/networking/lxd-image-server.nix index 1099169440a89..d8e32eb997e8a 100644 --- a/nixos/modules/services/networking/lxd-image-server.nix +++ b/nixos/modules/services/networking/lxd-image-server.nix @@ -87,7 +87,7 @@ in }; }; }) - # this is seperate so it can be enabled on mirrored hosts + # this is separate so it can be enabled on mirrored hosts (mkIf (cfg.nginx.enable) { # https://github.com/Avature/lxd-image-server/blob/master/resources/nginx/includes/lxd-image-server.pkg.conf services.nginx.virtualHosts = { diff --git a/nixos/modules/services/networking/mmsd.nix b/nixos/modules/services/networking/mmsd.nix new file mode 100644 index 0000000000000..7e262a9326c1e --- /dev/null +++ b/nixos/modules/services/networking/mmsd.nix @@ -0,0 +1,38 @@ +{ pkgs, lib, config, ... }: +with lib; +let + cfg = config.services.mmsd; + dbusServiceFile = pkgs.writeTextDir "share/dbus-1/services/org.ofono.mms.service" '' + [D-BUS Service] + Name=org.ofono.mms + SystemdService=dbus-org.ofono.mms.service + + # Exec= is still required despite SystemdService= being used: + # https://github.com/freedesktop/dbus/blob/ef55a3db0d8f17848f8a579092fb05900cc076f5/test/data/systemd-activation/com.example.SystemdActivatable1.service + Exec=${pkgs.coreutils}/bin/false mmsd + ''; +in +{ + options.services.mmsd = { + enable = mkEnableOption (mdDoc "Multimedia Messaging Service Daemon"); + extraArgs = mkOption { + type = with types; listOf str; + description = mdDoc "Extra arguments passed to `mmsd-tng`"; + default = []; + example = ["--debug"]; + }; + }; + config = mkIf cfg.enable { + services.dbus.packages = [ dbusServiceFile ]; + systemd.user.services.mmsd = { + after = [ "ModemManager.service" ]; + aliases = [ "dbus-org.ofono.mms.service" ]; + serviceConfig = { + Type = "dbus"; + ExecStart = "${pkgs.mmsd-tng}/bin/mmsdtng " + escapeShellArgs cfg.extraArgs; + BusName = "org.ofono.mms"; + Restart = "on-failure"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/morty.nix b/nixos/modules/services/networking/morty.nix index 4b20c34cfc9b4..72514764a7c6e 100644 --- a/nixos/modules/services/networking/morty.nix +++ b/nixos/modules/services/networking/morty.nix @@ -50,7 +50,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 3000; description = lib.mdDoc "Listing port"; }; diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix index 6543eb34b4b26..270450cb0c62c 100644 --- a/nixos/modules/services/networking/mosquitto.nix +++ b/nixos/modules/services/networking/mosquitto.nix @@ -479,7 +479,7 @@ let Directories to be scanned for further config files to include. Directories will processed in the order given, `*.conf` files in the directory will be - read in case-sensistive alphabetical order. + read in case-sensitive alphabetical order. ''; default = []; }; diff --git a/nixos/modules/services/networking/mtprotoproxy.nix b/nixos/modules/services/networking/mtprotoproxy.nix index fc3d5dc963a0b..3dd197697b23a 100644 --- a/nixos/modules/services/networking/mtprotoproxy.nix +++ b/nixos/modules/services/networking/mtprotoproxy.nix @@ -40,7 +40,7 @@ in enable = mkEnableOption (lib.mdDoc "mtprotoproxy"); port = mkOption { - type = types.int; + type = types.port; default = 3256; description = lib.mdDoc '' TCP port to accept mtproto connections on. diff --git a/nixos/modules/services/networking/mullvad-vpn.nix b/nixos/modules/services/networking/mullvad-vpn.nix index 7eb3761aad37b..82e68bf92af1f 100644 --- a/nixos/modules/services/networking/mullvad-vpn.nix +++ b/nixos/modules/services/networking/mullvad-vpn.nix @@ -14,6 +14,15 @@ with lib; ''; }; + enableExcludeWrapper = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + This option activates the wrapper that allows the use of mullvad-exclude. + Might have minor security impact, so consider disabling if you do not use the feature. + ''; + }; + package = mkOption { type = types.package; default = pkgs.mullvad; @@ -27,12 +36,22 @@ with lib; config = mkIf cfg.enable { boot.kernelModules = [ "tun" ]; + environment.systemPackages = [ cfg.package ]; + # mullvad-daemon writes to /etc/iproute2/rt_tables networking.iproute2.enable = true; # See https://github.com/NixOS/nixpkgs/issues/113589 networking.firewall.checkReversePath = "loose"; + # See https://github.com/NixOS/nixpkgs/issues/176603 + security.wrappers.mullvad-exclude = mkIf cfg.enableExcludeWrapper { + setuid = true; + owner = "root"; + group = "root"; + source = "${cfg.package}/bin/mullvad-exclude"; + }; + systemd.services.mullvad-daemon = { description = "Mullvad VPN daemon"; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/networking/multipath.nix b/nixos/modules/services/networking/multipath.nix index cb6b6db272c24..54ee2a0156878 100644 --- a/nixos/modules/services/networking/multipath.nix +++ b/nixos/modules/services/networking/multipath.nix @@ -28,7 +28,7 @@ in { type = package; description = lib.mdDoc "multipath-tools package to use"; default = pkgs.multipath-tools; - defaultText = "pkgs.multipath-tools"; + defaultText = lib.literalExpression "pkgs.multipath-tools"; }; devices = mkOption { diff --git a/nixos/modules/services/networking/nat-iptables.nix b/nixos/modules/services/networking/nat-iptables.nix new file mode 100644 index 0000000000000..d1bed401feeb9 --- /dev/null +++ b/nixos/modules/services/networking/nat-iptables.nix @@ -0,0 +1,191 @@ +# This module enables Network Address Translation (NAT). +# XXX: todo: support multiple upstream links +# see http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html + +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.networking.nat; + + mkDest = externalIP: + if externalIP == null + then "-j MASQUERADE" + else "-j SNAT --to-source ${externalIP}"; + dest = mkDest cfg.externalIP; + destIPv6 = mkDest cfg.externalIPv6; + + # Whether given IP (plus optional port) is an IPv6. + isIPv6 = ip: builtins.length (lib.splitString ":" ip) > 2; + + helpers = import ./helpers.nix { inherit config lib; }; + + flushNat = '' + ${helpers} + ip46tables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true + ip46tables -w -t nat -F nixos-nat-pre 2>/dev/null || true + ip46tables -w -t nat -X nixos-nat-pre 2>/dev/null || true + ip46tables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true + ip46tables -w -t nat -F nixos-nat-post 2>/dev/null || true + ip46tables -w -t nat -X nixos-nat-post 2>/dev/null || true + ip46tables -w -t nat -D OUTPUT -j nixos-nat-out 2>/dev/null || true + ip46tables -w -t nat -F nixos-nat-out 2>/dev/null || true + ip46tables -w -t nat -X nixos-nat-out 2>/dev/null || true + + ${cfg.extraStopCommands} + ''; + + mkSetupNat = { iptables, dest, internalIPs, forwardPorts }: '' + # We can't match on incoming interface in POSTROUTING, so + # mark packets coming from the internal interfaces. + ${concatMapStrings (iface: '' + ${iptables} -w -t nat -A nixos-nat-pre \ + -i '${iface}' -j MARK --set-mark 1 + '') cfg.internalInterfaces} + + # NAT the marked packets. + ${optionalString (cfg.internalInterfaces != []) '' + ${iptables} -w -t nat -A nixos-nat-post -m mark --mark 1 \ + ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest} + ''} + + # NAT packets coming from the internal IPs. + ${concatMapStrings (range: '' + ${iptables} -w -t nat -A nixos-nat-post \ + -s '${range}' ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest} + '') internalIPs} + + # NAT from external ports to internal ports. + ${concatMapStrings (fwd: '' + ${iptables} -w -t nat -A nixos-nat-pre \ + -i ${toString cfg.externalInterface} -p ${fwd.proto} \ + --dport ${builtins.toString fwd.sourcePort} \ + -j DNAT --to-destination ${fwd.destination} + + ${concatMapStrings (loopbackip: + let + matchIP = if isIPv6 fwd.destination then "[[]([0-9a-fA-F:]+)[]]" else "([0-9.]+)"; + m = builtins.match "${matchIP}:([0-9-]+)" fwd.destination; + destinationIP = if m == null then throw "bad ip:ports `${fwd.destination}'" else elemAt m 0; + destinationPorts = if m == null then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (elemAt m 1); + in '' + # Allow connections to ${loopbackip}:${toString fwd.sourcePort} from the host itself + ${iptables} -w -t nat -A nixos-nat-out \ + -d ${loopbackip} -p ${fwd.proto} \ + --dport ${builtins.toString fwd.sourcePort} \ + -j DNAT --to-destination ${fwd.destination} + + # Allow connections to ${loopbackip}:${toString fwd.sourcePort} from other hosts behind NAT + ${iptables} -w -t nat -A nixos-nat-pre \ + -d ${loopbackip} -p ${fwd.proto} \ + --dport ${builtins.toString fwd.sourcePort} \ + -j DNAT --to-destination ${fwd.destination} + + ${iptables} -w -t nat -A nixos-nat-post \ + -d ${destinationIP} -p ${fwd.proto} \ + --dport ${destinationPorts} \ + -j SNAT --to-source ${loopbackip} + '') fwd.loopbackIPs} + '') forwardPorts} + ''; + + setupNat = '' + ${helpers} + # Create subchains where we store rules + ip46tables -w -t nat -N nixos-nat-pre + ip46tables -w -t nat -N nixos-nat-post + ip46tables -w -t nat -N nixos-nat-out + + ${mkSetupNat { + iptables = "iptables"; + inherit dest; + inherit (cfg) internalIPs; + forwardPorts = filter (x: !(isIPv6 x.destination)) cfg.forwardPorts; + }} + + ${optionalString cfg.enableIPv6 (mkSetupNat { + iptables = "ip6tables"; + dest = destIPv6; + internalIPs = cfg.internalIPv6s; + forwardPorts = filter (x: isIPv6 x.destination) cfg.forwardPorts; + })} + + ${optionalString (cfg.dmzHost != null) '' + iptables -w -t nat -A nixos-nat-pre \ + -i ${toString cfg.externalInterface} -j DNAT \ + --to-destination ${cfg.dmzHost} + ''} + + ${cfg.extraCommands} + + # Append our chains to the nat tables + ip46tables -w -t nat -A PREROUTING -j nixos-nat-pre + ip46tables -w -t nat -A POSTROUTING -j nixos-nat-post + ip46tables -w -t nat -A OUTPUT -j nixos-nat-out + ''; + +in + +{ + + options = { + + networking.nat.extraCommands = mkOption { + type = types.lines; + default = ""; + example = "iptables -A INPUT -p icmp -j ACCEPT"; + description = lib.mdDoc '' + Additional shell commands executed as part of the nat + initialisation script. + + This option is incompatible with the nftables based nat module. + ''; + }; + + networking.nat.extraStopCommands = mkOption { + type = types.lines; + default = ""; + example = "iptables -D INPUT -p icmp -j ACCEPT || true"; + description = lib.mdDoc '' + Additional shell commands executed as part of the nat + teardown script. + + This option is incompatible with the nftables based nat module. + ''; + }; + + }; + + + config = mkIf (!config.networking.nftables.enable) + (mkMerge [ + ({ networking.firewall.extraCommands = mkBefore flushNat; }) + (mkIf config.networking.nat.enable { + + networking.firewall = mkIf config.networking.firewall.enable { + extraCommands = setupNat; + extraStopCommands = flushNat; + }; + + systemd.services = mkIf (!config.networking.firewall.enable) { + nat = { + description = "Network Address Translation"; + wantedBy = [ "network.target" ]; + after = [ "network-pre.target" "systemd-modules-load.service" ]; + path = [ config.networking.firewall.package ]; + unitConfig.ConditionCapability = "CAP_NET_ADMIN"; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + + script = flushNat + setupNat; + + postStop = flushNat; + }; + }; + }) + ]); +} diff --git a/nixos/modules/services/networking/nat-nftables.nix b/nixos/modules/services/networking/nat-nftables.nix new file mode 100644 index 0000000000000..483910a16658c --- /dev/null +++ b/nixos/modules/services/networking/nat-nftables.nix @@ -0,0 +1,184 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.networking.nat; + + mkDest = externalIP: + if externalIP == null + then "masquerade" + else "snat ${externalIP}"; + dest = mkDest cfg.externalIP; + destIPv6 = mkDest cfg.externalIPv6; + + toNftSet = list: concatStringsSep ", " list; + toNftRange = ports: replaceStrings [ ":" ] [ "-" ] (toString ports); + + ifaceSet = toNftSet (map (x: ''"${x}"'') cfg.internalInterfaces); + ipSet = toNftSet cfg.internalIPs; + ipv6Set = toNftSet cfg.internalIPv6s; + oifExpr = optionalString (cfg.externalInterface != null) ''oifname "${cfg.externalInterface}"''; + + # Whether given IP (plus optional port) is an IPv6. + isIPv6 = ip: length (lib.splitString ":" ip) > 2; + + splitIPPorts = IPPorts: + let + matchIP = if isIPv6 IPPorts then "[[]([0-9a-fA-F:]+)[]]" else "([0-9.]+)"; + m = builtins.match "${matchIP}:([0-9-]+)" IPPorts; + in + { + IP = if m == null then throw "bad ip:ports `${IPPorts}'" else elemAt m 0; + ports = if m == null then throw "bad ip:ports `${IPPorts}'" else elemAt m 1; + }; + + mkTable = { ipVer, dest, ipSet, forwardPorts, dmzHost }: + let + # nftables does not support both port and port range as values in a dnat map. + # e.g. "dnat th dport map { 80 : 10.0.0.1 . 80, 443 : 10.0.0.2 . 900-1000 }" + # So we split them. + fwdPorts = filter (x: length (splitString "-" x.destination) == 1) forwardPorts; + fwdPortsRange = filter (x: length (splitString "-" x.destination) > 1) forwardPorts; + + # nftables maps for port forward + # l4proto . dport : addr . port + toFwdMap = forwardPorts: toNftSet (map + (fwd: + with (splitIPPorts fwd.destination); + "${fwd.proto} . ${toNftRange fwd.sourcePort} : ${IP} . ${ports}" + ) + forwardPorts); + fwdMap = toFwdMap fwdPorts; + fwdRangeMap = toFwdMap fwdPortsRange; + + # nftables maps for port forward loopback dnat + # daddr . l4proto . dport : addr . port + toFwdLoopDnatMap = forwardPorts: toNftSet (concatMap + (fwd: map + (loopbackip: + with (splitIPPorts fwd.destination); + "${loopbackip} . ${fwd.proto} . ${toNftRange fwd.sourcePort} : ${IP} . ${ports}" + ) + fwd.loopbackIPs) + forwardPorts); + fwdLoopDnatMap = toFwdLoopDnatMap fwdPorts; + fwdLoopDnatRangeMap = toFwdLoopDnatMap fwdPortsRange; + + # nftables set for port forward loopback snat + # daddr . l4proto . dport + fwdLoopSnatSet = toNftSet (map + (fwd: + with (splitIPPorts fwd.destination); + "${IP} . ${fwd.proto} . ${ports}" + ) + forwardPorts); + in + '' + chain pre { + type nat hook prerouting priority dstnat; + + ${optionalString (fwdMap != "") '' + iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward" + ''} + ${optionalString (fwdRangeMap != "") '' + iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdRangeMap} } comment "port forward" + ''} + + ${optionalString (fwdLoopDnatMap != "") '' + dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT" + ''} + ${optionalString (fwdLoopDnatRangeMap != "") '' + dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from other hosts behind NAT" + ''} + + ${optionalString (dmzHost != null) '' + iifname "${cfg.externalInterface}" dnat ${dmzHost} comment "dmz" + ''} + } + + chain post { + type nat hook postrouting priority srcnat; + + ${optionalString (ifaceSet != "") '' + iifname { ${ifaceSet} } ${oifExpr} ${dest} comment "from internal interfaces" + ''} + ${optionalString (ipSet != "") '' + ${ipVer} saddr { ${ipSet} } ${oifExpr} ${dest} comment "from internal IPs" + ''} + + ${optionalString (fwdLoopSnatSet != "") '' + iifname != "${cfg.externalInterface}" ${ipVer} daddr . meta l4proto . th dport { ${fwdLoopSnatSet} } masquerade comment "port forward loopback snat" + ''} + } + + chain out { + type nat hook output priority mangle; + + ${optionalString (fwdLoopDnatMap != "") '' + dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself" + ''} + ${optionalString (fwdLoopDnatRangeMap != "") '' + dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from the host itself" + ''} + } + ''; + +in + +{ + + config = mkIf (config.networking.nftables.enable && cfg.enable) { + + assertions = [ + { + assertion = cfg.extraCommands == ""; + message = "extraCommands is incompatible with the nftables based nat module: ${cfg.extraCommands}"; + } + { + assertion = cfg.extraStopCommands == ""; + message = "extraStopCommands is incompatible with the nftables based nat module: ${cfg.extraStopCommands}"; + } + { + assertion = config.networking.nftables.rulesetFile == null; + message = "networking.nftables.rulesetFile conflicts with the nat module"; + } + ]; + + networking.nftables.ruleset = '' + table ip nixos-nat { + ${mkTable { + ipVer = "ip"; + inherit dest ipSet; + forwardPorts = filter (x: !(isIPv6 x.destination)) cfg.forwardPorts; + inherit (cfg) dmzHost; + }} + } + + ${optionalString cfg.enableIPv6 '' + table ip6 nixos-nat { + ${mkTable { + ipVer = "ip6"; + dest = destIPv6; + ipSet = ipv6Set; + forwardPorts = filter (x: isIPv6 x.destination) cfg.forwardPorts; + dmzHost = null; + }} + } + ''} + ''; + + networking.firewall.extraForwardRules = optionalString config.networking.firewall.filterForward '' + ${optionalString (ifaceSet != "") '' + iifname { ${ifaceSet} } ${oifExpr} accept comment "from internal interfaces" + ''} + ${optionalString (ipSet != "") '' + ip saddr { ${ipSet} } ${oifExpr} accept comment "from internal IPs" + ''} + ${optionalString (ipv6Set != "") '' + ip6 saddr { ${ipv6Set} } ${oifExpr} accept comment "from internal IPv6s" + ''} + ''; + + }; +} diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix index 0b70ae47ccf52..a6f403b46f875 100644 --- a/nixos/modules/services/networking/nat.nix +++ b/nixos/modules/services/networking/nat.nix @@ -7,219 +7,95 @@ with lib; let - cfg = config.networking.nat; - - mkDest = externalIP: if externalIP == null - then "-j MASQUERADE" - else "-j SNAT --to-source ${externalIP}"; - dest = mkDest cfg.externalIP; - destIPv6 = mkDest cfg.externalIPv6; - - # Whether given IP (plus optional port) is an IPv6. - isIPv6 = ip: builtins.length (lib.splitString ":" ip) > 2; - - helpers = import ./helpers.nix { inherit config lib; }; - - flushNat = '' - ${helpers} - ip46tables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true - ip46tables -w -t nat -F nixos-nat-pre 2>/dev/null || true - ip46tables -w -t nat -X nixos-nat-pre 2>/dev/null || true - ip46tables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true - ip46tables -w -t nat -F nixos-nat-post 2>/dev/null || true - ip46tables -w -t nat -X nixos-nat-post 2>/dev/null || true - ip46tables -w -t nat -D OUTPUT -j nixos-nat-out 2>/dev/null || true - ip46tables -w -t nat -F nixos-nat-out 2>/dev/null || true - ip46tables -w -t nat -X nixos-nat-out 2>/dev/null || true - - ${cfg.extraStopCommands} - ''; - - mkSetupNat = { iptables, dest, internalIPs, forwardPorts }: '' - # We can't match on incoming interface in POSTROUTING, so - # mark packets coming from the internal interfaces. - ${concatMapStrings (iface: '' - ${iptables} -w -t nat -A nixos-nat-pre \ - -i '${iface}' -j MARK --set-mark 1 - '') cfg.internalInterfaces} - - # NAT the marked packets. - ${optionalString (cfg.internalInterfaces != []) '' - ${iptables} -w -t nat -A nixos-nat-post -m mark --mark 1 \ - ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest} - ''} - - # NAT packets coming from the internal IPs. - ${concatMapStrings (range: '' - ${iptables} -w -t nat -A nixos-nat-post \ - -s '${range}' ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest} - '') internalIPs} - - # NAT from external ports to internal ports. - ${concatMapStrings (fwd: '' - ${iptables} -w -t nat -A nixos-nat-pre \ - -i ${toString cfg.externalInterface} -p ${fwd.proto} \ - --dport ${builtins.toString fwd.sourcePort} \ - -j DNAT --to-destination ${fwd.destination} - ${concatMapStrings (loopbackip: - let - matchIP = if isIPv6 fwd.destination then "[[]([0-9a-fA-F:]+)[]]" else "([0-9.]+)"; - m = builtins.match "${matchIP}:([0-9-]+)" fwd.destination; - destinationIP = if m == null then throw "bad ip:ports `${fwd.destination}'" else elemAt m 0; - destinationPorts = if m == null then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (elemAt m 1); - in '' - # Allow connections to ${loopbackip}:${toString fwd.sourcePort} from the host itself - ${iptables} -w -t nat -A nixos-nat-out \ - -d ${loopbackip} -p ${fwd.proto} \ - --dport ${builtins.toString fwd.sourcePort} \ - -j DNAT --to-destination ${fwd.destination} - - # Allow connections to ${loopbackip}:${toString fwd.sourcePort} from other hosts behind NAT - ${iptables} -w -t nat -A nixos-nat-pre \ - -d ${loopbackip} -p ${fwd.proto} \ - --dport ${builtins.toString fwd.sourcePort} \ - -j DNAT --to-destination ${fwd.destination} - - ${iptables} -w -t nat -A nixos-nat-post \ - -d ${destinationIP} -p ${fwd.proto} \ - --dport ${destinationPorts} \ - -j SNAT --to-source ${loopbackip} - '') fwd.loopbackIPs} - '') forwardPorts} - ''; - - setupNat = '' - ${helpers} - # Create subchains where we store rules - ip46tables -w -t nat -N nixos-nat-pre - ip46tables -w -t nat -N nixos-nat-post - ip46tables -w -t nat -N nixos-nat-out - - ${mkSetupNat { - iptables = "iptables"; - inherit dest; - inherit (cfg) internalIPs; - forwardPorts = filter (x: !(isIPv6 x.destination)) cfg.forwardPorts; - }} - - ${optionalString cfg.enableIPv6 (mkSetupNat { - iptables = "ip6tables"; - dest = destIPv6; - internalIPs = cfg.internalIPv6s; - forwardPorts = filter (x: isIPv6 x.destination) cfg.forwardPorts; - })} - - ${optionalString (cfg.dmzHost != null) '' - iptables -w -t nat -A nixos-nat-pre \ - -i ${toString cfg.externalInterface} -j DNAT \ - --to-destination ${cfg.dmzHost} - ''} - - ${cfg.extraCommands} - - # Append our chains to the nat tables - ip46tables -w -t nat -A PREROUTING -j nixos-nat-pre - ip46tables -w -t nat -A POSTROUTING -j nixos-nat-post - ip46tables -w -t nat -A OUTPUT -j nixos-nat-out - ''; + cfg = config.networking.nat; in { - ###### interface - options = { networking.nat.enable = mkOption { type = types.bool; default = false; - description = - lib.mdDoc '' - Whether to enable Network Address Translation (NAT). - ''; + description = lib.mdDoc '' + Whether to enable Network Address Translation (NAT). + ''; }; networking.nat.enableIPv6 = mkOption { type = types.bool; default = false; - description = - lib.mdDoc '' - Whether to enable IPv6 NAT. - ''; + description = lib.mdDoc '' + Whether to enable IPv6 NAT. + ''; }; networking.nat.internalInterfaces = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "eth0" ]; - description = - lib.mdDoc '' - The interfaces for which to perform NAT. Packets coming from - these interface and destined for the external interface will - be rewritten. - ''; + description = lib.mdDoc '' + The interfaces for which to perform NAT. Packets coming from + these interface and destined for the external interface will + be rewritten. + ''; }; networking.nat.internalIPs = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "192.168.1.0/24" ]; - description = - lib.mdDoc '' - The IP address ranges for which to perform NAT. Packets - coming from these addresses (on any interface) and destined - for the external interface will be rewritten. - ''; + description = lib.mdDoc '' + The IP address ranges for which to perform NAT. Packets + coming from these addresses (on any interface) and destined + for the external interface will be rewritten. + ''; }; networking.nat.internalIPv6s = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "fc00::/64" ]; - description = - lib.mdDoc '' - The IPv6 address ranges for which to perform NAT. Packets - coming from these addresses (on any interface) and destined - for the external interface will be rewritten. - ''; + description = lib.mdDoc '' + The IPv6 address ranges for which to perform NAT. Packets + coming from these addresses (on any interface) and destined + for the external interface will be rewritten. + ''; }; networking.nat.externalInterface = mkOption { type = types.nullOr types.str; default = null; example = "eth1"; - description = - lib.mdDoc '' - The name of the external network interface. - ''; + description = lib.mdDoc '' + The name of the external network interface. + ''; }; networking.nat.externalIP = mkOption { type = types.nullOr types.str; default = null; example = "203.0.113.123"; - description = - lib.mdDoc '' - The public IP address to which packets from the local - network are to be rewritten. If this is left empty, the - IP address associated with the external interface will be - used. - ''; + description = lib.mdDoc '' + The public IP address to which packets from the local + network are to be rewritten. If this is left empty, the + IP address associated with the external interface will be + used. + ''; }; networking.nat.externalIPv6 = mkOption { type = types.nullOr types.str; default = null; example = "2001:dc0:2001:11::175"; - description = - lib.mdDoc '' - The public IPv6 address to which packets from the local - network are to be rewritten. If this is left empty, the - IP address associated with the external interface will be - used. - ''; + description = lib.mdDoc '' + The public IPv6 address to which packets from the local + network are to be rewritten. If this is left empty, the + IP address associated with the external interface will be + used. + ''; }; networking.nat.forwardPorts = mkOption { @@ -246,122 +122,75 @@ in loopbackIPs = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = literalExpression ''[ "55.1.2.3" ]''; description = lib.mdDoc "Public IPs for NAT reflection; for connections to `loopbackip:sourcePort' from the host itself and from other hosts behind NAT"; }; }; }); - default = []; + default = [ ]; example = [ { sourcePort = 8080; destination = "10.0.0.1:80"; proto = "tcp"; } { sourcePort = 8080; destination = "[fc00::2]:80"; proto = "tcp"; } ]; - description = - lib.mdDoc '' - List of forwarded ports from the external interface to - internal destinations by using DNAT. Destination can be - IPv6 if IPv6 NAT is enabled. - ''; + description = lib.mdDoc '' + List of forwarded ports from the external interface to + internal destinations by using DNAT. Destination can be + IPv6 if IPv6 NAT is enabled. + ''; }; networking.nat.dmzHost = mkOption { type = types.nullOr types.str; default = null; example = "10.0.0.1"; - description = - lib.mdDoc '' - The local IP address to which all traffic that does not match any - forwarding rule is forwarded. - ''; - }; - - networking.nat.extraCommands = mkOption { - type = types.lines; - default = ""; - example = "iptables -A INPUT -p icmp -j ACCEPT"; - description = - lib.mdDoc '' - Additional shell commands executed as part of the nat - initialisation script. - ''; - }; - - networking.nat.extraStopCommands = mkOption { - type = types.lines; - default = ""; - example = "iptables -D INPUT -p icmp -j ACCEPT || true"; - description = - lib.mdDoc '' - Additional shell commands executed as part of the nat - teardown script. - ''; + description = lib.mdDoc '' + The local IP address to which all traffic that does not match any + forwarding rule is forwarded. + ''; }; }; - ###### implementation - - config = mkMerge [ - { networking.firewall.extraCommands = mkBefore flushNat; } - (mkIf config.networking.nat.enable { - - assertions = [ - { assertion = cfg.enableIPv6 -> config.networking.enableIPv6; - message = "networking.nat.enableIPv6 requires networking.enableIPv6"; - } - { assertion = (cfg.dmzHost != null) -> (cfg.externalInterface != null); - message = "networking.nat.dmzHost requires networking.nat.externalInterface"; - } - { assertion = (cfg.forwardPorts != []) -> (cfg.externalInterface != null); - message = "networking.nat.forwardPorts requires networking.nat.externalInterface"; - } - ]; - - # Use the same iptables package as in config.networking.firewall. - # When the firewall is enabled, this should be deduplicated without any - # error. - environment.systemPackages = [ config.networking.firewall.package ]; - - boot = { - kernelModules = [ "nf_nat_ftp" ]; - kernel.sysctl = { - "net.ipv4.conf.all.forwarding" = mkOverride 99 true; - "net.ipv4.conf.default.forwarding" = mkOverride 99 true; - } // optionalAttrs cfg.enableIPv6 { - # Do not prevent IPv6 autoconfiguration. - # See <http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/>. - "net.ipv6.conf.all.accept_ra" = mkOverride 99 2; - "net.ipv6.conf.default.accept_ra" = mkOverride 99 2; - - # Forward IPv6 packets. - "net.ipv6.conf.all.forwarding" = mkOverride 99 true; - "net.ipv6.conf.default.forwarding" = mkOverride 99 true; - }; - }; - - networking.firewall = mkIf config.networking.firewall.enable { - extraCommands = setupNat; - extraStopCommands = flushNat; + config = mkIf config.networking.nat.enable { + + assertions = [ + { + assertion = cfg.enableIPv6 -> config.networking.enableIPv6; + message = "networking.nat.enableIPv6 requires networking.enableIPv6"; + } + { + assertion = (cfg.dmzHost != null) -> (cfg.externalInterface != null); + message = "networking.nat.dmzHost requires networking.nat.externalInterface"; + } + { + assertion = (cfg.forwardPorts != [ ]) -> (cfg.externalInterface != null); + message = "networking.nat.forwardPorts requires networking.nat.externalInterface"; + } + ]; + + # Use the same iptables package as in config.networking.firewall. + # When the firewall is enabled, this should be deduplicated without any + # error. + environment.systemPackages = [ config.networking.firewall.package ]; + + boot = { + kernelModules = [ "nf_nat_ftp" ]; + kernel.sysctl = { + "net.ipv4.conf.all.forwarding" = mkOverride 99 true; + "net.ipv4.conf.default.forwarding" = mkOverride 99 true; + } // optionalAttrs cfg.enableIPv6 { + # Do not prevent IPv6 autoconfiguration. + # See <http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/>. + "net.ipv6.conf.all.accept_ra" = mkOverride 99 2; + "net.ipv6.conf.default.accept_ra" = mkOverride 99 2; + + # Forward IPv6 packets. + "net.ipv6.conf.all.forwarding" = mkOverride 99 true; + "net.ipv6.conf.default.forwarding" = mkOverride 99 true; }; + }; - systemd.services = mkIf (!config.networking.firewall.enable) { nat = { - description = "Network Address Translation"; - wantedBy = [ "network.target" ]; - after = [ "network-pre.target" "systemd-modules-load.service" ]; - path = [ config.networking.firewall.package ]; - unitConfig.ConditionCapability = "CAP_NET_ADMIN"; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - - script = flushNat + setupNat; - - postStop = flushNat; - }; }; - }) - ]; + }; } diff --git a/nixos/modules/services/networking/ncdns.nix b/nixos/modules/services/networking/ncdns.nix index 1d494332095f4..cc97beb14e01f 100644 --- a/nixos/modules/services/networking/ncdns.nix +++ b/nixos/modules/services/networking/ncdns.nix @@ -85,7 +85,7 @@ in ``` bit. IN NS ns1.example.com. ``` - If unset ncdns will generate an internal psuedo-hostname under the + If unset ncdns will generate an internal pseudo-hostname under the zone, which will resolve to the value of {option}`services.ncdns.identity.address`. If you are only using ncdns locally you can ignore this. diff --git a/nixos/modules/services/networking/ndppd.nix b/nixos/modules/services/networking/ndppd.nix index 6cbc9712be312..98c58d2d5db1b 100644 --- a/nixos/modules/services/networking/ndppd.nix +++ b/nixos/modules/services/networking/ndppd.nix @@ -43,7 +43,7 @@ let timeout = mkOption { type = types.int; description = lib.mdDoc '' - Controls how long to wait for a Neighbor Advertisment Message before + Controls how long to wait for a Neighbor Advertisement Message before invalidating the entry, in milliseconds. ''; default = 500; @@ -74,7 +74,7 @@ let type = types.nullOr types.str; description = lib.mdDoc '' This is the target address is to match against. If no netmask - is provided, /128 is assumed. The addresses of serveral rules + is provided, /128 is assumed. The addresses of several rules may or may not overlap. Defaults to the name of the attrset. ''; diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix index d2d7543e8cf3e..bd13e8c9929a3 100644 --- a/nixos/modules/services/networking/nftables.nix +++ b/nixos/modules/services/networking/nftables.nix @@ -12,11 +12,9 @@ in default = false; description = lib.mdDoc '' - Whether to enable nftables. nftables is a Linux-based packet - filtering framework intended to replace frameworks like iptables. - - This conflicts with the standard networking firewall, so make sure to - disable it before using nftables. + Whether to enable nftables and use nftables based firewall if enabled. + nftables is a Linux-based packet filtering framework intended to + replace frameworks like iptables. Note that if you have Docker enabled you will not be able to use nftables without intervention. Docker uses iptables internally to @@ -37,7 +35,7 @@ in # Check out https://wiki.nftables.org/ for better documentation. # Table for both IPv4 and IPv6. table inet filter { - # Block all incomming connections traffic except SSH and "ping". + # Block all incoming connections traffic except SSH and "ping". chain input { type filter hook input priority 0; @@ -79,19 +77,17 @@ in lib.mdDoc '' The ruleset to be used with nftables. Should be in a format that can be loaded using "/bin/nft -f". The ruleset is updated atomically. + This option conflicts with rulesetFile. ''; }; networking.nftables.rulesetFile = mkOption { - type = types.path; - default = pkgs.writeTextFile { - name = "nftables-rules"; - text = cfg.ruleset; - }; - defaultText = literalMD ''a file with the contents of {option}`networking.nftables.ruleset`''; + type = types.nullOr types.path; + default = null; description = lib.mdDoc '' The ruleset file to be used with nftables. Should be in a format that can be loaded using "nft -f". The ruleset is updated atomically. + This option conflicts with ruleset and nftables based firewall. ''; }; }; @@ -99,10 +95,6 @@ in ###### implementation config = mkIf cfg.enable { - assertions = [{ - assertion = config.networking.firewall.enable == false; - message = "You can not use nftables and iptables at the same time. networking.firewall.enable must be set to false."; - }]; boot.blacklistedKernelModules = [ "ip_tables" ]; environment.systemPackages = [ pkgs.nftables ]; networking.networkmanager.firewallBackend = mkDefault "nftables"; @@ -116,7 +108,9 @@ in rulesScript = pkgs.writeScript "nftables-rules" '' #! ${pkgs.nftables}/bin/nft -f flush ruleset - include "${cfg.rulesetFile}" + ${if cfg.rulesetFile != null then '' + include "${cfg.rulesetFile}" + '' else cfg.ruleset} ''; in { Type = "oneshot"; diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index 5e5d9469efc77..890ee0b7d8d1c 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix @@ -67,7 +67,7 @@ in Additional plugins dir used to configure nomad. ''; example = literalExpression '' - [ "<pluginDir>" "pkgs.<plugins-name>"] + [ "<pluginDir>" pkgs.<plugins-name> ] ''; }; diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix index 57da208bd7af2..09f3bdc7ae07d 100644 --- a/nixos/modules/services/networking/nsd.nix +++ b/nixos/modules/services/networking/nsd.nix @@ -371,7 +371,7 @@ let default = null; example = "2000::1@1234"; description = lib.mdDoc '' - This address will be used for zone-transfere requests if configured + This address will be used for zone-transfer requests if configured as a secondary server or notifications in case of a primary server. Supply either a plain IPv4 or IPv6 address with an optional port number (ip@port). @@ -588,7 +588,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 53; description = lib.mdDoc '' Port the service should bind do. @@ -825,7 +825,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 8952; description = lib.mdDoc '' Port number for remote control operations (uses TLS over TCP). diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix index 7e3bb565d10bf..dc180d4a4f954 100644 --- a/nixos/modules/services/networking/ntp/chrony.nix +++ b/nixos/modules/services/networking/ntp/chrony.nix @@ -147,9 +147,9 @@ in systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "chronyd.service"; }; systemd.tmpfiles.rules = [ - "d ${stateDir} 0755 chrony chrony - -" - "f ${driftFile} 0640 chrony chrony -" - "f ${keyFile} 0640 chrony chrony -" + "d ${stateDir} 0750 chrony chrony - -" + "f ${driftFile} 0640 chrony chrony - -" + "f ${keyFile} 0640 chrony chrony - -" ]; systemd.services.chronyd = @@ -164,15 +164,47 @@ in path = [ chronyPkg ]; unitConfig.ConditionCapability = "CAP_SYS_TIME"; - serviceConfig = - { Type = "simple"; - ExecStart = "${chronyPkg}/bin/chronyd ${builtins.toString chronyFlags}"; - - ProtectHome = "yes"; - ProtectSystem = "full"; - PrivateTmp = "yes"; - }; - + serviceConfig = { + Type = "simple"; + ExecStart = "${chronyPkg}/bin/chronyd ${builtins.toString chronyFlags}"; + + # Proc filesystem + ProcSubset = "pid"; + ProtectProc = "invisible"; + # Access write directories + ReadWritePaths = [ "${stateDir}" ]; + UMask = "0027"; + # Capabilities + CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_SYS_RESOURCE" "CAP_SYS_TIME" ]; + # Device Access + DeviceAllow = [ "char-pps rw" "char-ptp rw" "char-rtc rw" ]; + DevicePolicy = "closed"; + # Security + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "full"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = false; + ProtectHostname = true; + ProtectClock = false; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; + SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources" "@clock" "@setuid" "capset" "chown" ]; + }; }; }; } diff --git a/nixos/modules/services/networking/nylon.nix b/nixos/modules/services/networking/nylon.nix index 6ed832b6fa1b4..401dbe97c52d7 100644 --- a/nixos/modules/services/networking/nylon.nix +++ b/nixos/modules/services/networking/nylon.nix @@ -81,7 +81,7 @@ let }; port = mkOption { - type = types.int; + type = types.port; default = 1080; description = lib.mdDoc '' What port to listen for client requests, default is 1080. diff --git a/nixos/modules/services/networking/openconnect.nix b/nixos/modules/services/networking/openconnect.nix index 469f0a3bc3bb6..4676b1733af68 100644 --- a/nixos/modules/services/networking/openconnect.nix +++ b/nixos/modules/services/networking/openconnect.nix @@ -32,6 +32,7 @@ let description = lib.mdDoc "Username to authenticate with."; example = "example-user"; type = types.nullOr types.str; + default = null; }; # Note: It does not make sense to provide a way to declaratively @@ -108,7 +109,7 @@ let ExecStart = "${openconnect}/bin/openconnect --config=${ generateConfig name icfg } ${icfg.gateway}"; - StandardInput = "file:${icfg.passwordFile}"; + StandardInput = lib.mkIf (icfg.passwordFile != null) "file:${icfg.passwordFile}"; ProtectHome = true; }; diff --git a/nixos/modules/services/networking/ostinato.nix b/nixos/modules/services/networking/ostinato.nix index 40c227ea0c684..dc07313ea901c 100644 --- a/nixos/modules/services/networking/ostinato.nix +++ b/nixos/modules/services/networking/ostinato.nix @@ -54,7 +54,7 @@ in default = "0.0.0.0"; description = lib.mdDoc '' By default, the Drone RPC server will listen on all interfaces and - local IPv4 adresses for incoming connections from clients. Specify + local IPv4 addresses for incoming connections from clients. Specify a single IPv4 or IPv6 address if you want to restrict that. To listen on any IPv6 address, use :: ''; diff --git a/nixos/modules/services/networking/pdns-recursor.nix b/nixos/modules/services/networking/pdns-recursor.nix index 473c2a1f1fbab..2f07cefc736e3 100644 --- a/nixos/modules/services/networking/pdns-recursor.nix +++ b/nixos/modules/services/networking/pdns-recursor.nix @@ -38,7 +38,7 @@ in { }; dns.port = mkOption { - type = types.int; + type = types.port; default = 53; description = lib.mdDoc '' Port number Recursor DNS server will bind to. @@ -67,7 +67,7 @@ in { }; api.port = mkOption { - type = types.int; + type = types.port; default = 8082; description = lib.mdDoc '' Port number Recursor REST API server will bind to. diff --git a/nixos/modules/services/networking/pixiecore.nix b/nixos/modules/services/networking/pixiecore.nix index ea4008d4d5151..f410be4716466 100644 --- a/nixos/modules/services/networking/pixiecore.nix +++ b/nixos/modules/services/networking/pixiecore.nix @@ -23,7 +23,7 @@ in mode = mkOption { description = lib.mdDoc "Which mode to use"; default = "boot"; - type = types.enum [ "api" "boot" ]; + type = types.enum [ "api" "boot" "quick" ]; }; debug = mkOption { @@ -38,6 +38,12 @@ in description = lib.mdDoc "Handle DHCP traffic without binding to the DHCP server port"; }; + quick = mkOption { + description = lib.mdDoc "Which quick option to use"; + default = "xyz"; + type = types.enum [ "arch" "centos" "coreos" "debian" "fedora" "ubuntu" "xyz" ]; + }; + kernel = mkOption { type = types.str or types.path; default = ""; @@ -117,6 +123,8 @@ in then [ "boot" cfg.kernel ] ++ optional (cfg.initrd != "") cfg.initrd ++ optionals (cfg.cmdLine != "") [ "--cmdline" cfg.cmdLine ] + else if cfg.mode == "quick" + then [ "quick" cfg.quick ] else [ "api" cfg.apiServer ]; in '' diff --git a/nixos/modules/services/networking/pleroma.nix b/nixos/modules/services/networking/pleroma.nix index dfd1ed4036abc..f317510258ba5 100644 --- a/nixos/modules/services/networking/pleroma.nix +++ b/nixos/modules/services/networking/pleroma.nix @@ -52,7 +52,7 @@ in { the right place to store any secret Have a look to Pleroma section in the NixOS manual for more - informations. + information. ''; }; @@ -141,6 +141,8 @@ in { NoNewPrivileges = true; CapabilityBoundingSet = "~CAP_SYS_ADMIN"; }; + # disksup requires bash + path = [ pkgs.bash ]; }; }; diff --git a/nixos/modules/services/networking/powerdns.nix b/nixos/modules/services/networking/powerdns.nix index 6aa5928d63707..850a128cf1a46 100644 --- a/nixos/modules/services/networking/powerdns.nix +++ b/nixos/modules/services/networking/powerdns.nix @@ -5,6 +5,7 @@ with lib; let cfg = config.services.powerdns; configDir = pkgs.writeTextDir "pdns.conf" "${cfg.extraConfig}"; + finalConfigDir = if cfg.secretFile == null then configDir else "/run/pdns"; in { options = { services.powerdns = { @@ -19,6 +20,19 @@ in { for details on supported values. ''; }; + + secretFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/powerdns.env"; + description = lib.mdDoc '' + Environment variables from this file will be interpolated into the + final config file using envsubst with this syntax: `$ENVIRONMENT` + or `''${VARIABLE}`. + The file should contain lines formatted as `SECRET_VAR=SECRET_VALUE`. + This is useful to avoid putting secrets into the nix store. + ''; + }; }; }; @@ -31,7 +45,13 @@ in { after = [ "network.target" "mysql.service" "postgresql.service" "openldap.service" ]; serviceConfig = { - ExecStart = [ "" "${pkgs.pdns}/bin/pdns_server --config-dir=${configDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ]; + EnvironmentFile = lib.optional (cfg.secretFile != null) cfg.secretFile; + ExecStartPre = lib.optional (cfg.secretFile != null) + (pkgs.writeShellScript "pdns-pre-start" '' + umask 077 + ${pkgs.envsubst}/bin/envsubst -i "${configDir}/pdns.conf" > ${finalConfigDir}/pdns.conf + ''); + ExecStart = [ "" "${pkgs.pdns}/bin/pdns_server --config-dir=${finalConfigDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ]; }; }; diff --git a/nixos/modules/services/networking/prosody.nix b/nixos/modules/services/networking/prosody.nix index 6cd4678ae4ace..342638f93bae9 100644 --- a/nixos/modules/services/networking/prosody.nix +++ b/nixos/modules/services/networking/prosody.nix @@ -263,7 +263,7 @@ let if builtins.isString x then ''"${x}"'' else if builtins.isBool x then boolToString x else if builtins.isInt x then toString x - else if builtins.isList x then ''{ ${lib.concatStringsSep ", " (map (n: toLua n) x) } }'' + else if builtins.isList x then "{ ${lib.concatMapStringsSep ", " toLua x} }" else throw "Invalid Lua value"; createSSLOptsStr = o: '' @@ -309,7 +309,7 @@ let type = types.int; default = 300; description = lib.mdDoc '' - Timout after which the room is destroyed or unlocked if not + Timeout after which the room is destroyed or unlocked if not configured, in seconds ''; }; @@ -489,7 +489,7 @@ in Setting this option to true will prevent you from building a NixOS configuration which won't comply with this standard. - You can explicitely decide to ignore this standard if you + You can explicitly decide to ignore this standard if you know what you are doing by setting this option to false. [1] https://xmpp.org/extensions/xep-0423.html @@ -649,7 +649,7 @@ in extraPluginPaths = mkOption { type = types.listOf types.path; default = []; - description = lib.mdDoc "Addtional path in which to look find plugins/modules"; + description = lib.mdDoc "Additional path in which to look find plugins/modules"; }; uploadHttp = mkOption { @@ -733,7 +733,7 @@ in Having a server not XEP-0423-compliant might make your XMPP experience terrible. See the NixOS manual for further - informations. + information. If you know what you're doing, you can disable this warning by setting config.services.prosody.xmppComplianceSuite to false. diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix index a343dab7af254..9ec507fe2ab6a 100644 --- a/nixos/modules/services/networking/radicale.nix +++ b/nixos/modules/services/networking/radicale.nix @@ -77,7 +77,7 @@ in { <https://radicale.org/3.0.html#documentation/authentication-and-rights>. This option only works in conjunction with {option}`settings`. Setting this will also set {option}`settings.rights.type` and - {option}`settings.rights.file` to approriate values. + {option}`settings.rights.file` to appropriate values. ''; default = { }; example = literalExpression '' diff --git a/nixos/modules/services/networking/redsocks.nix b/nixos/modules/services/networking/redsocks.nix index 85ae3125ded80..45feb1313c924 100644 --- a/nixos/modules/services/networking/redsocks.nix +++ b/nixos/modules/services/networking/redsocks.nix @@ -81,7 +81,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 12345; description = lib.mdDoc "Port on which redsocks should listen."; }; diff --git a/nixos/modules/services/networking/resilio.nix b/nixos/modules/services/networking/resilio.nix index d21f108024e51..7f6358d00d0b5 100644 --- a/nixos/modules/services/networking/resilio.nix +++ b/nixos/modules/services/networking/resilio.nix @@ -8,7 +8,6 @@ let resilioSync = pkgs.resilio-sync; sharedFoldersRecord = map (entry: { - secret = entry.secret; dir = entry.directory; use_relay_server = entry.useRelayServer; @@ -40,6 +39,36 @@ let shared_folders = sharedFoldersRecord; })); + sharedFoldersSecretFiles = map (entry: { + dir = entry.directory; + secretFile = if builtins.hasAttr "secret" entry then + toString (pkgs.writeTextFile { + name = "secret-file"; + text = entry.secret; + }) + else + entry.secretFile; + }) cfg.sharedFolders; + + runConfigPath = "/run/rslsync/config.json"; + + createConfig = pkgs.writeShellScriptBin "create-resilio-config" ( + if cfg.sharedFolders != [ ] then '' + ${pkgs.jq}/bin/jq \ + '.shared_folders |= map(.secret = $ARGS.named[.dir])' \ + ${ + lib.concatMapStringsSep " \\\n " + (entry: ''--arg '${entry.dir}' "$(cat '${entry.secretFile}')"'') + sharedFoldersSecretFiles + } \ + <${configFile} \ + >${runConfigPath} + '' else '' + # no secrets, passing through config + cp ${configFile} ${runConfigPath}; + '' + ); + in { options = { @@ -186,7 +215,7 @@ in default = []; type = types.listOf (types.attrsOf types.anything); example = - [ { secret = "AHMYFPCQAHBM7LQPFXQ7WV6Y42IGUXJ5Y"; + [ { secretFile = "/run/resilio-secret"; directory = "/home/user/sync_test"; useRelayServer = true; useTracker = true; @@ -202,9 +231,6 @@ in description = lib.mdDoc '' Shared folder list. If enabled, web UI must be disabled. Secrets can be generated using `rslsync --generate-secret`. - Note that this secret will be - put inside the Nix store, so it is realistically not very - secret. If you would like to be able to modify the contents of this directories, it is recommended that you make your user a @@ -256,10 +282,14 @@ in Restart = "on-abort"; UMask = "0002"; User = "rslsync"; + RuntimeDirectory = "rslsync"; + ExecStartPre = "${createConfig}/bin/create-resilio-config"; ExecStart = '' - ${resilioSync}/bin/rslsync --nodaemon --config ${configFile} + ${resilioSync}/bin/rslsync --nodaemon --config ${runConfigPath} ''; }; }; }; + + meta.maintainers = with maintainers; [ jwoudenberg ]; } diff --git a/nixos/modules/services/networking/rpcbind.nix b/nixos/modules/services/networking/rpcbind.nix index aa04214debb0a..60e78dfec51ba 100644 --- a/nixos/modules/services/networking/rpcbind.nix +++ b/nixos/modules/services/networking/rpcbind.nix @@ -35,6 +35,16 @@ with lib; systemd.services.rpcbind = { wantedBy = [ "multi-user.target" ]; + # rpcbind performs a check for /var/run/rpcbind.lock at startup + # and will crash if /var/run isn't present. In the stock NixOS + # var.conf tmpfiles configuration file, /var/run is symlinked to + # /run, so rpcbind can enter a race condition in which /var/run + # isn't symlinked yet but tries to interact with the path, so + # controlling the order explicitly here ensures that rpcbind can + # start successfully. The `wants` instead of `requires` should + # avoid creating a strict/brittle dependency. + wants = [ "systemd-tmpfiles-setup.service" ]; + after = [ "systemd-tmpfiles-setup.service" ]; }; users.users.rpc = { diff --git a/nixos/modules/services/networking/sabnzbd.nix b/nixos/modules/services/networking/sabnzbd.nix index 8486be1bc66c1..8f3545df89950 100644 --- a/nixos/modules/services/networking/sabnzbd.nix +++ b/nixos/modules/services/networking/sabnzbd.nix @@ -20,7 +20,7 @@ in package = mkOption { type = types.package; default = pkgs.sabnzbd; - defaultText = "pkgs.sabnzbd"; + defaultText = lib.literalExpression "pkgs.sabnzbd"; description = lib.mdDoc "The sabnzbd executable package run by the service."; }; diff --git a/nixos/modules/services/networking/searx.nix b/nixos/modules/services/networking/searx.nix index 214b6c6a787a5..6c57ddbde2d40 100644 --- a/nixos/modules/services/networking/searx.nix +++ b/nixos/modules/services/networking/searx.nix @@ -124,7 +124,7 @@ in description = lib.mdDoc '' Whether to run searx in uWSGI as a "vassal", instead of using its built-in HTTP server. This is the recommended mode for public or - large instances, but is unecessary for LAN or local-only use. + large instances, but is unnecessary for LAN or local-only use. ::: {.warning} The built-in HTTP server logs all queries by default. @@ -223,7 +223,7 @@ in module = "searx.webapp"; env = [ "SEARX_SETTINGS_PATH=${cfg.settingsFile}" - # searxng compatiblity https://github.com/searxng/searxng/issues/1519 + # searxng compatibility https://github.com/searxng/searxng/issues/1519 "SEARXNG_SETTINGS_PATH=${cfg.settingsFile}" ]; buffer-size = 32768; diff --git a/nixos/modules/services/networking/softether.nix b/nixos/modules/services/networking/softether.nix index 8d69b5304c882..c8e888eafcc24 100644 --- a/nixos/modules/services/networking/softether.nix +++ b/nixos/modules/services/networking/softether.nix @@ -5,7 +5,7 @@ with lib; let cfg = config.services.softether; - package = cfg.package.override { dataDir = cfg.dataDir; }; + package = cfg.package.override { inherit (cfg) dataDir; }; in { @@ -88,7 +88,7 @@ in }; } - (mkIf (cfg.vpnserver.enable) { + (mkIf cfg.vpnserver.enable { systemd.services.vpnserver = { description = "SoftEther VPN Server"; after = [ "softether-init.service" ]; @@ -109,7 +109,7 @@ in }; }) - (mkIf (cfg.vpnbridge.enable) { + (mkIf cfg.vpnbridge.enable { systemd.services.vpnbridge = { description = "SoftEther VPN Bridge"; after = [ "softether-init.service" ]; @@ -130,7 +130,7 @@ in }; }) - (mkIf (cfg.vpnclient.enable) { + (mkIf cfg.vpnclient.enable { systemd.services.vpnclient = { description = "SoftEther VPN Client"; after = [ "softether-init.service" ]; diff --git a/nixos/modules/services/networking/stubby.nix b/nixos/modules/services/networking/stubby.nix index 491371e468e5b..183002ff72b98 100644 --- a/nixos/modules/services/networking/stubby.nix +++ b/nixos/modules/services/networking/stubby.nix @@ -7,7 +7,9 @@ let settingsFormat = pkgs.formats.yaml { }; confFile = settingsFormat.generate "stubby.yml" cfg.settings; in { - imports = map (x: + imports = [ + (mkRemovedOptionModule [ "stubby" "debugLogging" ] "Use services.stubby.logLevel = \"debug\"; instead.") + ] ++ map (x: (mkRemovedOptionModule [ "services" "stubby" x ] "Stubby configuration moved to services.stubby.settings.")) [ "authenticationMode" @@ -49,10 +51,22 @@ in { ''; }; - debugLogging = mkOption { - default = false; - type = types.bool; - description = lib.mdDoc "Enable or disable debug level logging."; + logLevel = let + logLevels = { + emerg = 0; + alert = 1; + crit = 2; + error = 3; + warning = 4; + notice = 5; + info = 6; + debug = 7; + }; + in mkOption { + default = null; + type = types.nullOr (types.enum (attrNames logLevels ++ attrValues logLevels)); + apply = v: if isString v then logLevels.${v} else v; + description = lib.mdDoc "Log verbosity (syslog keyword or level)."; }; }; @@ -80,7 +94,7 @@ in { Type = "notify"; AmbientCapabilities = "CAP_NET_BIND_SERVICE"; CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; - ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString cfg.debugLogging "-l"}"; + ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString (cfg.logLevel != null) "-v ${toString cfg.logLevel}"}"; DynamicUser = true; CacheDirectory = "stubby"; }; diff --git a/nixos/modules/services/networking/stunnel.nix b/nixos/modules/services/networking/stunnel.nix index 3bd0367a0bb16..4f592fb312d33 100644 --- a/nixos/modules/services/networking/stunnel.nix +++ b/nixos/modules/services/networking/stunnel.nix @@ -78,7 +78,7 @@ in servers = mkOption { description = lib.mdDoc '' - Define the server configuations. + Define the server configurations. See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`. ''; diff --git a/nixos/modules/services/networking/supplicant.nix b/nixos/modules/services/networking/supplicant.nix index 0a48e73932e82..13d84736e2c27 100644 --- a/nixos/modules/services/networking/supplicant.nix +++ b/nixos/modules/services/networking/supplicant.nix @@ -13,7 +13,7 @@ let serviceName = iface: "supplicant-${if (iface=="WLAN") then "wlan@" else ( if (iface=="LAN") then "lan@" else ( if (iface=="DBUS") then "dbus" - else (replaceChars [" "] ["-"] iface)))}"; + else (replaceStrings [" "] ["-"] iface)))}"; # TODO: Use proper privilege separation for wpa_supplicant supplicantService = iface: suppl: @@ -27,7 +27,7 @@ let driverArg = optionalString (suppl.driver != null) "-D${suppl.driver}"; bridgeArg = optionalString (suppl.bridge!="") "-b${suppl.bridge}"; confFileArg = optionalString (suppl.configFile.path!=null) "-c${suppl.configFile.path}"; - extraConfFile = pkgs.writeText "supplicant-extra-conf-${replaceChars [" "] ["-"] iface}" '' + extraConfFile = pkgs.writeText "supplicant-extra-conf-${replaceStrings [" "] ["-"] iface}" '' ${optionalString suppl.userControlled.enable "ctrl_interface=DIR=${suppl.userControlled.socketDir} GROUP=${suppl.userControlled.group}"} ${optionalString suppl.configFile.writable "update_config=1"} ${suppl.extraConf} @@ -223,7 +223,7 @@ in text = '' ${flip (concatMapStringsSep "\n") (filter (n: n!="WLAN" && n!="LAN" && n!="DBUS") (attrNames cfg)) (iface: flip (concatMapStringsSep "\n") (splitString " " iface) (i: '' - ACTION=="add", SUBSYSTEM=="net", ENV{INTERFACE}=="${i}", TAG+="systemd", ENV{SYSTEMD_WANTS}+="supplicant-${replaceChars [" "] ["-"] iface}.service", TAG+="SUPPLICANT_ASSIGNED"''))} + ACTION=="add", SUBSYSTEM=="net", ENV{INTERFACE}=="${i}", TAG+="systemd", ENV{SYSTEMD_WANTS}+="supplicant-${replaceStrings [" "] ["-"] iface}.service", TAG+="SUPPLICANT_ASSIGNED"''))} ${optionalString (hasAttr "WLAN" cfg) '' ACTION=="add", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", TAG!="SUPPLICANT_ASSIGNED", TAG+="systemd", PROGRAM="/run/current-system/systemd/bin/systemd-escape -p %E{INTERFACE}", ENV{SYSTEMD_WANTS}+="supplicant-wlan@$result.service" diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix index eb3afe118c644..233bfdf9ebf57 100644 --- a/nixos/modules/services/networking/tailscale.nix +++ b/nixos/modules/services/networking/tailscale.nix @@ -4,10 +4,7 @@ with lib; let cfg = config.services.tailscale; - firewallOn = config.networking.firewall.enable; - rpfMode = config.networking.firewall.checkReversePath; isNetworkd = config.networking.useNetworkd; - rpfIsStrict = rpfMode == true || rpfMode == "strict"; in { meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 ]; @@ -38,10 +35,23 @@ in { defaultText = literalExpression "pkgs.tailscale"; description = lib.mdDoc "The package to use for tailscale"; }; + + useRoutingFeatures = mkOption { + type = types.enum [ "none" "client" "server" "both" ]; + default = "none"; + example = "server"; + description = lib.mdDoc '' + Enables settings required for Tailscale's routing features like subnet routers and exit nodes. + + To use these these features, you will still need to call `sudo tailscale up` with the relevant flags like `--advertise-exit-node` and `--exit-node`. + + When set to `client` or `both`, reverse path filtering will be set to loose instead of strict. + When set to `server` or `both`, IP forwarding will be enabled. + ''; + }; }; config = mkIf cfg.enable { - warnings = optional (firewallOn && rpfIsStrict) "Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting `networking.firewall.checkReversePath` = 'loose'"; environment.systemPackages = [ cfg.package ]; # for the CLI systemd.packages = [ cfg.package ]; systemd.services.tailscaled = { @@ -71,6 +81,13 @@ in { stopIfChanged = false; }; + boot.kernel.sysctl = mkIf (cfg.useRoutingFeatures == "server" || cfg.useRoutingFeatures == "both") { + "net.ipv4.conf.all.forwarding" = mkDefault true; + "net.ipv6.conf.all.forwarding" = mkDefault true; + }; + + networking.firewall.checkReversePath = mkIf (cfg.useRoutingFeatures == "client" || cfg.useRoutingFeatures == "both") "loose"; + networking.dhcpcd.denyInterfaces = [ cfg.interfaceName ]; systemd.network.networks."50-tailscale" = mkIf isNetworkd { diff --git a/nixos/modules/services/networking/tayga.nix b/nixos/modules/services/networking/tayga.nix new file mode 100644 index 0000000000000..299ae2777f7c0 --- /dev/null +++ b/nixos/modules/services/networking/tayga.nix @@ -0,0 +1,195 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.tayga; + + # Converts an address set to a string + strAddr = addr: "${addr.address}/${toString addr.prefixLength}"; + + configFile = pkgs.writeText "tayga.conf" '' + tun-device ${cfg.tunDevice} + + ipv4-addr ${cfg.ipv4.address} + ${optionalString (cfg.ipv6.address != null) "ipv6-addr ${cfg.ipv6.address}"} + + prefix ${strAddr cfg.ipv6.pool} + dynamic-pool ${strAddr cfg.ipv4.pool} + data-dir ${cfg.dataDir} + ''; + + addrOpts = v: + assert v == 4 || v == 6; + { + options = { + address = mkOption { + type = types.str; + description = lib.mdDoc "IPv${toString v} address."; + }; + + prefixLength = mkOption { + type = types.addCheck types.int (n: n >= 0 && n <= (if v == 4 then 32 else 128)); + description = lib.mdDoc '' + Subnet mask of the interface, specified as the number of + bits in the prefix ("${if v == 4 then "24" else "64"}"). + ''; + }; + }; + }; + + versionOpts = v: { + options = { + router = { + address = mkOption { + type = types.str; + description = lib.mdDoc "The IPv${toString v} address of the router."; + }; + }; + + address = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc "The source IPv${toString v} address of the TAYGA server."; + }; + + pool = mkOption { + type = with types; nullOr (submodule (addrOpts v)); + description = lib.mdDoc "The pool of IPv${toString v} addresses which are used for translation."; + }; + }; + }; +in +{ + options = { + services.tayga = { + enable = mkEnableOption (lib.mdDoc "Tayga"); + + package = mkOption { + type = types.package; + default = pkgs.tayga; + defaultText = lib.literalMD "pkgs.tayga"; + description = lib.mdDoc "This option specifies the TAYGA package to use."; + }; + + ipv4 = mkOption { + type = types.submodule (versionOpts 4); + description = lib.mdDoc "IPv4-specific configuration."; + example = literalExpression '' + { + address = "192.0.2.0"; + router = { + address = "192.0.2.1"; + }; + pool = { + address = "192.0.2.1"; + prefixLength = 24; + }; + } + ''; + }; + + ipv6 = mkOption { + type = types.submodule (versionOpts 6); + description = lib.mdDoc "IPv6-specific configuration."; + example = literalExpression '' + { + address = "2001:db8::1"; + router = { + address = "64:ff9b::1"; + }; + pool = { + address = "64:ff9b::"; + prefixLength = 96; + }; + } + ''; + }; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/tayga"; + description = lib.mdDoc "Directory for persistent data"; + }; + + tunDevice = mkOption { + type = types.str; + default = "nat64"; + description = lib.mdDoc "Name of the nat64 tun device"; + }; + }; + }; + + config = mkIf cfg.enable { + networking.interfaces."${cfg.tunDevice}" = { + virtual = true; + virtualType = "tun"; + virtualOwner = mkIf config.networking.useNetworkd ""; + ipv4 = { + addresses = [ + { address = cfg.ipv4.router.address; prefixLength = 32; } + ]; + routes = [ + cfg.ipv4.pool + ]; + }; + ipv6 = { + addresses = [ + { address = cfg.ipv6.router.address; prefixLength = 128; } + ]; + routes = [ + cfg.ipv6.pool + ]; + }; + }; + + systemd.services.tayga = { + description = "Stateless NAT64 implementation"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + ExecStart = "${cfg.package}/bin/tayga -d --nodetach --config ${configFile}"; + ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID"; + Restart = "always"; + + # Hardening Score: + # - nixos-scripts: 2.1 + # - systemd-networkd: 1.6 + ProtectHome = true; + SystemCallFilter = [ + "@network-io" + "@system-service" + "~@privileged" + "~@resources" + ]; + ProtectKernelLogs = true; + AmbientCapabilities = [ + "CAP_NET_ADMIN" + ]; + CapabilityBoundingSet = ""; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + ]; + StateDirectory = "tayga"; + DynamicUser = mkIf config.networking.useNetworkd true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + ProtectHostname = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictNamespaces = true; + NoNewPrivileges = true; + ProtectControlGroups = true; + SystemCallArchitectures = "native"; + PrivateTmp = true; + LockPersonality = true; + ProtectSystem = true; + PrivateUsers = true; + ProtectProc = "invisible"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix index 09b23a60a4afc..7db83e6a584ba 100644 --- a/nixos/modules/services/networking/tinc.nix +++ b/nixos/modules/services/networking/tinc.nix @@ -349,91 +349,94 @@ in ###### implementation - config = mkIf (cfg.networks != { }) { - - environment.etc = foldr (a: b: a // b) { } - (flip mapAttrsToList cfg.networks (network: data: - flip mapAttrs' data.hosts (host: text: nameValuePair - ("tinc/${network}/hosts/${host}") - ({ mode = "0644"; user = "tinc.${network}"; inherit text; }) - ) // { - "tinc/${network}/tinc.conf" = { - mode = "0444"; - text = '' - ${toTincConf ({ Interface = "tinc.${network}"; } // data.settings)} - ${data.extraConfig} - ''; + config = mkIf (cfg.networks != { }) ( + let + etcConfig = foldr (a: b: a // b) { } + (flip mapAttrsToList cfg.networks (network: data: + flip mapAttrs' data.hosts (host: text: nameValuePair + ("tinc/${network}/hosts/${host}") + ({ mode = "0644"; user = "tinc.${network}"; inherit text; }) + ) // { + "tinc/${network}/tinc.conf" = { + mode = "0444"; + text = '' + ${toTincConf ({ Interface = "tinc.${network}"; } // data.settings)} + ${data.extraConfig} + ''; + }; + } + )); + in { + environment.etc = etcConfig; + + systemd.services = flip mapAttrs' cfg.networks (network: data: nameValuePair + ("tinc.${network}") + (let version = getVersion data.package; in { + description = "Tinc Daemon - ${network}"; + wantedBy = [ "multi-user.target" ]; + path = [ data.package ]; + reloadTriggers = mkIf (versionAtLeast version "1.1pre") [ (builtins.toJSON etcConfig) ]; + restartTriggers = mkIf (versionOlder version "1.1pre") [ (builtins.toJSON etcConfig) ]; + serviceConfig = { + Type = "simple"; + Restart = "always"; + RestartSec = "3"; + ExecReload = mkIf (versionAtLeast version "1.1pre") "${data.package}/bin/tinc -n ${network} reload"; + ExecStart = "${data.package}/bin/tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}"; }; - } - )); - - systemd.services = flip mapAttrs' cfg.networks (network: data: nameValuePair - ("tinc.${network}") - ({ - description = "Tinc Daemon - ${network}"; - wantedBy = [ "multi-user.target" ]; - path = [ data.package ]; - restartTriggers = [ config.environment.etc."tinc/${network}/tinc.conf".source ]; - serviceConfig = { - Type = "simple"; - Restart = "always"; - RestartSec = "3"; - ExecReload = mkIf (versionAtLeast (getVersion data.package) "1.1pre") "${data.package}/bin/tinc -n ${network} reload"; - ExecStart = "${data.package}/bin/tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}"; + preStart = '' + mkdir -p /etc/tinc/${network}/hosts + chown tinc.${network} /etc/tinc/${network}/hosts + mkdir -p /etc/tinc/${network}/invitations + chown tinc.${network} /etc/tinc/${network}/invitations + + # Determine how we should generate our keys + if type tinc >/dev/null 2>&1; then + # Tinc 1.1+ uses the tinc helper application for key generation + ${if data.ed25519PrivateKeyFile != null then " # ed25519 Keyfile managed by nix" else '' + # Prefer ED25519 keys (only in 1.1+) + [ -f "/etc/tinc/${network}/ed25519_key.priv" ] || tinc -n ${network} generate-ed25519-keys + ''} + ${if data.rsaPrivateKeyFile != null then " # RSA Keyfile managed by nix" else '' + [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tinc -n ${network} generate-rsa-keys 4096 + ''} + # In case there isn't anything to do + true + else + # Tinc 1.0 uses the tincd application + [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tincd -n ${network} -K 4096 + fi + ''; + }) + ); + + environment.systemPackages = let + cli-wrappers = pkgs.stdenv.mkDerivation { + name = "tinc-cli-wrappers"; + nativeBuildInputs = [ pkgs.makeWrapper ]; + buildCommand = '' + mkdir -p $out/bin + ${concatStringsSep "\n" (mapAttrsToList (network: data: + optionalString (versionAtLeast data.package.version "1.1pre") '' + makeWrapper ${data.package}/bin/tinc "$out/bin/tinc.${network}" \ + --add-flags "--pidfile=/run/tinc.${network}.pid" \ + --add-flags "--config=/etc/tinc/${network}" + '') cfg.networks)} + ''; }; - preStart = '' - mkdir -p /etc/tinc/${network}/hosts - chown tinc.${network} /etc/tinc/${network}/hosts - mkdir -p /etc/tinc/${network}/invitations - chown tinc.${network} /etc/tinc/${network}/invitations - - # Determine how we should generate our keys - if type tinc >/dev/null 2>&1; then - # Tinc 1.1+ uses the tinc helper application for key generation - ${if data.ed25519PrivateKeyFile != null then " # ed25519 Keyfile managed by nix" else '' - # Prefer ED25519 keys (only in 1.1+) - [ -f "/etc/tinc/${network}/ed25519_key.priv" ] || tinc -n ${network} generate-ed25519-keys - ''} - ${if data.rsaPrivateKeyFile != null then " # RSA Keyfile managed by nix" else '' - [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tinc -n ${network} generate-rsa-keys 4096 - ''} - # In case there isn't anything to do - true - else - # Tinc 1.0 uses the tincd application - [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tincd -n ${network} -K 4096 - fi - ''; - }) - ); - - environment.systemPackages = let - cli-wrappers = pkgs.stdenv.mkDerivation { - name = "tinc-cli-wrappers"; - nativeBuildInputs = [ pkgs.makeWrapper ]; - buildCommand = '' - mkdir -p $out/bin - ${concatStringsSep "\n" (mapAttrsToList (network: data: - optionalString (versionAtLeast data.package.version "1.1pre") '' - makeWrapper ${data.package}/bin/tinc "$out/bin/tinc.${network}" \ - --add-flags "--pidfile=/run/tinc.${network}.pid" \ - --add-flags "--config=/etc/tinc/${network}" - '') cfg.networks)} - ''; - }; - in [ cli-wrappers ]; - - users.users = flip mapAttrs' cfg.networks (network: _: - nameValuePair ("tinc.${network}") ({ - description = "Tinc daemon user for ${network}"; - isSystemUser = true; - group = "tinc.${network}"; - }) - ); - users.groups = flip mapAttrs' cfg.networks (network: _: - nameValuePair "tinc.${network}" {} - ); - }; + in [ cli-wrappers ]; + + users.users = flip mapAttrs' cfg.networks (network: _: + nameValuePair ("tinc.${network}") ({ + description = "Tinc daemon user for ${network}"; + isSystemUser = true; + group = "tinc.${network}"; + }) + ); + users.groups = flip mapAttrs' cfg.networks (network: _: + nameValuePair "tinc.${network}" {} + ); + }); meta.maintainers = with maintainers; [ minijackson mic92 ]; } diff --git a/nixos/modules/services/networking/tmate-ssh-server.nix b/nixos/modules/services/networking/tmate-ssh-server.nix index 1b8f6662ef4ca..f7740b1ddfccb 100644 --- a/nixos/modules/services/networking/tmate-ssh-server.nix +++ b/nixos/modules/services/networking/tmate-ssh-server.nix @@ -44,7 +44,7 @@ in openFirewall = mkOption { type = types.bool; - default = true; + default = false; description = mdDoc "Whether to automatically open the specified ports in the firewall."; }; diff --git a/nixos/modules/services/networking/tox-node.nix b/nixos/modules/services/networking/tox-node.nix index fa5b241f91836..884fd55dae51d 100644 --- a/nixos/modules/services/networking/tox-node.nix +++ b/nixos/modules/services/networking/tox-node.nix @@ -8,7 +8,7 @@ let homeDir = "/var/lib/tox-node"; configFile = let - src = "${pkg.src}/dpkg/config.yml"; + src = "${pkg.src}/tox_node/dpkg/config.yml"; confJSON = pkgs.writeText "config.json" ( builtins.toJSON { log-type = cfg.logType; diff --git a/nixos/modules/services/networking/twingate.nix b/nixos/modules/services/networking/twingate.nix new file mode 100644 index 0000000000000..17140bffd2187 --- /dev/null +++ b/nixos/modules/services/networking/twingate.nix @@ -0,0 +1,28 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.twingate; + +in { + + options.services.twingate = { + enable = mkEnableOption (lib.mdDoc "Twingate Client daemon"); + }; + + config = mkIf cfg.enable { + + networking.firewall.checkReversePath = lib.mkDefault false; + networking.networkmanager.enable = true; + + environment.systemPackages = [ pkgs.twingate ]; # for the CLI + systemd.packages = [ pkgs.twingate ]; + + systemd.services.twingate.preStart = '' + cp -r -n ${pkgs.twingate}/etc/twingate/. /etc/twingate/ + ''; + + systemd.services.twingate.wantedBy = [ "multi-user.target" ]; + }; +} diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index fa24c70e63de3..c85dd03867f77 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -245,7 +245,7 @@ in { NotifyAccess = "main"; Type = "notify"; - # FIXME: Which of these do we actualy need, can we drop the chroot flag? + # FIXME: Which of these do we actually need, can we drop the chroot flag? AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_NET_RAW" diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix index d30f7c89633b3..d220aa9fbbe49 100644 --- a/nixos/modules/services/networking/unifi.nix +++ b/nixos/modules/services/networking/unifi.nix @@ -24,8 +24,8 @@ in services.unifi.jrePackage = mkOption { type = types.package; - default = pkgs.jre8; - defaultText = literalExpression "pkgs.jre8"; + default = if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.3") then pkgs.jdk11 else pkgs.jre8; + defaultText = literalExpression ''if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.3" then pkgs.jdk11 else pkgs.jre8''; description = lib.mdDoc '' The JRE package to use. Check the release notes to ensure it is supported. ''; @@ -76,7 +76,7 @@ in default = null; example = 4096; description = lib.mdDoc '' - Set the maximimum heap size for the JVM in MB. If this option isn't set, the + Set the maximum heap size for the JVM in MB. If this option isn't set, the JVM will decide this value at runtime. ''; }; diff --git a/nixos/modules/services/networking/v2raya.nix b/nixos/modules/services/networking/v2raya.nix new file mode 100644 index 0000000000000..2d697b4fb56f3 --- /dev/null +++ b/nixos/modules/services/networking/v2raya.nix @@ -0,0 +1,39 @@ +{ config, pkgs, lib, ... }: + +with lib; + +{ + options = { + services.v2raya = { + enable = options.mkEnableOption (mdDoc "the v2rayA service"); + }; + }; + + config = mkIf config.services.v2raya.enable { + environment.systemPackages = [ pkgs.v2raya ]; + + systemd.services.v2raya = { + unitConfig = { + Description = "v2rayA service"; + Documentation = "https://github.com/v2rayA/v2rayA/wiki"; + After = [ "network.target" "nss-lookup.target" "iptables.service" "ip6tables.service" ]; + Wants = [ "network.target" ]; + }; + + serviceConfig = { + User = "root"; + ExecStart = "${getExe pkgs.v2raya} --log-disable-timestamp"; + Environment = [ "V2RAYA_LOG_FILE=/var/log/v2raya/v2raya.log" ]; + LimitNPROC = 500; + LimitNOFILE = 1000000; + Restart = "on-failure"; + Type = "simple"; + }; + + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ iptables bash iproute2 ]; # required by v2rayA TProxy functionality + }; + }; + + meta.maintainers = with maintainers; [ elliot ]; +} diff --git a/nixos/modules/services/networking/vsftpd.nix b/nixos/modules/services/networking/vsftpd.nix index 5fee7b66a4dc0..b1f0f7403243f 100644 --- a/nixos/modules/services/networking/vsftpd.nix +++ b/nixos/modules/services/networking/vsftpd.nix @@ -168,7 +168,7 @@ in The default is a file containing the users from {option}`userlist`. - If explicitely set to null userlist_file will not be set in vsftpd's config file. + If explicitly set to null userlist_file will not be set in vsftpd's config file. ''; }; diff --git a/nixos/modules/services/networking/webhook.nix b/nixos/modules/services/networking/webhook.nix new file mode 100644 index 0000000000000..b020db6961c32 --- /dev/null +++ b/nixos/modules/services/networking/webhook.nix @@ -0,0 +1,214 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.webhook; + defaultUser = "webhook"; + + hookFormat = pkgs.formats.json {}; + + hookType = types.submodule ({ name, ... }: { + freeformType = hookFormat.type; + options = { + id = mkOption { + type = types.str; + default = name; + description = mdDoc '' + The ID of your hook. This value is used to create the HTTP endpoint (`protocol://yourserver:port/prefix/''${id}`). + ''; + }; + execute-command = mkOption { + type = types.str; + description = mdDoc "The command that should be executed when the hook is triggered."; + }; + }; + }); + + hookFiles = mapAttrsToList (name: hook: hookFormat.generate "webhook-${name}.json" [ hook ]) cfg.hooks + ++ mapAttrsToList (name: hook: pkgs.writeText "webhook-${name}.json.tmpl" "[${hook}]") cfg.hooksTemplated; + +in { + options = { + services.webhook = { + enable = mkEnableOption (mdDoc '' + [Webhook](https://github.com/adnanh/webhook), a server written in Go that allows you to create HTTP endpoints (hooks), + which execute configured commands for any person or service that knows the URL + ''); + + package = mkPackageOption pkgs "webhook" {}; + user = mkOption { + type = types.str; + default = defaultUser; + description = mdDoc '' + Webhook will be run under this user. + + If set, you must create this user yourself! + ''; + }; + group = mkOption { + type = types.str; + default = defaultUser; + description = mdDoc '' + Webhook will be run under this group. + + If set, you must create this group yourself! + ''; + }; + ip = mkOption { + type = types.str; + default = "0.0.0.0"; + description = mdDoc '' + The IP webhook should serve hooks on. + + The default means it can be reached on any interface if `openFirewall = true`. + ''; + }; + port = mkOption { + type = types.port; + default = 9000; + description = mdDoc "The port webhook should be reachable from."; + }; + openFirewall = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Open the configured port in the firewall for external ingress traffic. + Preferably the Webhook server is instead put behind a reverse proxy. + ''; + }; + enableTemplates = mkOption { + type = types.bool; + default = cfg.hooksTemplated != {}; + defaultText = literalExpression "hooksTemplated != {}"; + description = mdDoc '' + Enable the generated hooks file to be parsed as a Go template. + See [the documentation](https://github.com/adnanh/webhook/blob/master/docs/Templates.md) for more information. + ''; + }; + urlPrefix = mkOption { + type = types.str; + default = "hooks"; + description = mdDoc '' + The URL path prefix to use for served hooks (`protocol://yourserver:port/''${prefix}/hook-id`). + ''; + }; + hooks = mkOption { + type = types.attrsOf hookType; + default = {}; + example = { + echo = { + execute-command = "echo"; + response-message = "Webhook is reachable!"; + }; + redeploy-webhook = { + execute-command = "/var/scripts/redeploy.sh"; + command-working-directory = "/var/webhook"; + }; + }; + description = mdDoc '' + The actual configuration of which hooks will be served. + + Read more on the [project homepage] and on the [hook definition] page. + At least one hook needs to be configured. + + [hook definition]: https://github.com/adnanh/webhook/blob/master/docs/Hook-Definition.md + [project homepage]: https://github.com/adnanh/webhook#configuration + ''; + }; + hooksTemplated = mkOption { + type = types.attrsOf types.str; + default = {}; + example = { + echo-template = '' + { + "id": "echo-template", + "execute-command": "echo", + "response-message": "{{ getenv "MESSAGE" }}" + } + ''; + }; + description = mdDoc '' + Same as {option}`hooks`, but these hooks are specified as literal strings instead of Nix values, + and hence can include [template syntax](https://github.com/adnanh/webhook/blob/master/docs/Templates.md) + which might not be representable as JSON. + + Template syntax requires the {option}`enableTemplates` option to be set to `true`, which is + done by default if this option is set. + ''; + }; + verbose = mkOption { + type = types.bool; + default = true; + description = mdDoc "Whether to show verbose output."; + }; + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + example = [ "-secure" ]; + description = mdDoc '' + These are arguments passed to the webhook command in the systemd service. + You can find the available arguments and options in the [documentation][parameters]. + + [parameters]: https://github.com/adnanh/webhook/blob/master/docs/Webhook-Parameters.md + ''; + }; + environment = mkOption { + type = types.attrsOf types.str; + default = {}; + description = mdDoc "Extra environment variables passed to webhook."; + }; + }; + }; + + config = mkIf cfg.enable { + assertions = let + overlappingHooks = builtins.intersectAttrs cfg.hooks cfg.hooksTemplated; + in [ + { + assertion = hookFiles != []; + message = "At least one hook needs to be configured for webhook to run."; + } + { + assertion = overlappingHooks == {}; + message = "`services.webhook.hooks` and `services.webhook.hooksTemplated` have overlapping attribute(s): ${concatStringsSep ", " (builtins.attrNames overlappingHooks)}"; + } + ]; + + users.users = mkIf (cfg.user == defaultUser) { + ${defaultUser} = + { + isSystemUser = true; + group = cfg.group; + description = "Webhook daemon user"; + }; + }; + + users.groups = mkIf (cfg.user == defaultUser && cfg.group == defaultUser) { + ${defaultUser} = {}; + }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + + systemd.services.webhook = { + description = "Webhook service"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = config.networking.proxy.envVars // cfg.environment; + script = let + args = [ "-ip" cfg.ip "-port" (toString cfg.port) "-urlprefix" cfg.urlPrefix ] + ++ concatMap (hook: [ "-hooks" hook ]) hookFiles + ++ optional cfg.enableTemplates "-template" + ++ optional cfg.verbose "-verbose" + ++ cfg.extraArgs; + in '' + ${cfg.package}/bin/webhook ${escapeShellArgs args} + ''; + serviceConfig = { + Restart = "on-failure"; + User = cfg.user; + Group = cfg.group; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/wg-quick.nix b/nixos/modules/services/networking/wg-quick.nix index a678d743bb77b..34210580f538a 100644 --- a/nixos/modules/services/networking/wg-quick.nix +++ b/nixos/modules/services/networking/wg-quick.nix @@ -273,7 +273,11 @@ let after = [ "network.target" "network-online.target" ]; wantedBy = optional values.autostart "multi-user.target"; environment.DEVICE = name; - path = [ pkgs.kmod pkgs.wireguard-tools config.networking.resolvconf.package ]; + path = [ + pkgs.wireguard-tools + config.networking.firewall.package # iptables or nftables + config.networking.resolvconf.package # openresolv or systemd + ]; serviceConfig = { Type = "oneshot"; @@ -281,7 +285,7 @@ let }; script = '' - ${optionalString (!config.boot.isContainer) "modprobe wireguard"} + ${optionalString (!config.boot.isContainer) "${pkgs.kmod}/bin/modprobe wireguard"} ${optionalString (values.configFile != null) '' cp ${values.configFile} ${configPath} ''} diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix index e3c3d3ba3c962..1d6556f626be9 100644 --- a/nixos/modules/services/networking/wireguard.nix +++ b/nixos/modules/services/networking/wireguard.nix @@ -251,6 +251,21 @@ let ''; }; + dynamicEndpointRefreshRestartSeconds = mkOption { + default = null; + example = 5; + type = with types; nullOr ints.unsigned; + description = lib.mdDoc '' + When the dynamic endpoint refresh that is configured via + dynamicEndpointRefreshSeconds exits (likely due to a failure), + restart that service after this many seconds. + + If set to `null` the value of + {option}`networking.wireguard.dynamicEndpointRefreshSeconds` + will be used as the default. + ''; + }; + persistentKeepalive = mkOption { default = null; type = with types; nullOr int; @@ -288,7 +303,7 @@ let set -e # If the parent dir does not already exist, create it. - # Otherwise, does nothing, keeping existing permisions intact. + # Otherwise, does nothing, keeping existing permissions intact. mkdir -p --mode 0755 "${dirOf values.privateKeyFile}" if [ ! -f "${values.privateKeyFile}" ]; then @@ -300,7 +315,7 @@ let peerUnitServiceName = interfaceName: publicKey: dynamicRefreshEnabled: let - keyToUnitName = replaceChars + keyToUnitName = replaceStrings [ "/" "-" " " "+" "=" ] [ "-" "\\x2d" "\\x20" "\\x2b" "\\x3d" ]; unitName = keyToUnitName publicKey; @@ -348,7 +363,16 @@ let # cannot be used with systemd timers (see `man systemd.timer`), # which is why `simple` with a loop is the best choice here. # It also makes starting and stopping easiest. + # + # Restart if the service exits (e.g. when wireguard gives up after "Name or service not known" dns failures): + Restart = "always"; + RestartSec = if null != peer.dynamicEndpointRefreshRestartSeconds + then peer.dynamicEndpointRefreshRestartSeconds + else peer.dynamicEndpointRefreshSeconds; }; + unitConfig = lib.optionalAttrs dynamicRefreshEnabled { + StartLimitIntervalSec = 0; + }; script = let wg_setup = concatStringsSep " " ( diff --git a/nixos/modules/services/networking/xinetd.nix b/nixos/modules/services/networking/xinetd.nix index 2ec0cd18dcba7..b9120f37ba247 100644 --- a/nixos/modules/services/networking/xinetd.nix +++ b/nixos/modules/services/networking/xinetd.nix @@ -78,7 +78,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 0; example = 123; description = lib.mdDoc "Port number of the service."; diff --git a/nixos/modules/services/networking/yggdrasil.xml b/nixos/modules/services/networking/yggdrasil.xml index bc9da84fa4317..a7b8c469529a0 100644 --- a/nixos/modules/services/networking/yggdrasil.xml +++ b/nixos/modules/services/networking/yggdrasil.xml @@ -30,7 +30,7 @@ An annotated example of a simple configuration: settings = { Peers = [ # Yggdrasil will automatically connect and "peer" with other nodes it - # discovers via link-local multicast annoucements. Unless this is the + # discovers via link-local multicast announcements. Unless this is the # case (it probably isn't) a node needs peers within the existing # network that it can tunnel to. "tcp://1.2.3.4:1024" @@ -78,7 +78,7 @@ in { }]; services.radvd = { - # Annouce the 300::/8 prefix to eth0. + # Announce the 300::/8 prefix to eth0. enable = true; config = '' interface eth0 diff --git a/nixos/modules/services/networking/znc/options.nix b/nixos/modules/services/networking/znc/options.nix index ce8e7a89a4df5..bd67ec86d5130 100644 --- a/nixos/modules/services/networking/znc/options.nix +++ b/nixos/modules/services/networking/znc/options.nix @@ -18,7 +18,7 @@ let }; port = mkOption { - type = types.ints.u16; + type = types.port; default = 6697; description = lib.mdDoc '' IRC server port. @@ -188,7 +188,7 @@ in port = mkOption { default = 5000; - type = types.int; + type = types.port; description = lib.mdDoc '' Specifies the port on which to listen. ''; diff --git a/nixos/modules/services/printing/cups-pdf.nix b/nixos/modules/services/printing/cups-pdf.nix new file mode 100644 index 0000000000000..07f24367132f5 --- /dev/null +++ b/nixos/modules/services/printing/cups-pdf.nix @@ -0,0 +1,185 @@ +{ config, lib, pkgs, ... }: + +let + + # cups calls its backends as user `lp` (which is good!), + # but cups-pdf wants to be called as `root`, so it can change ownership of files. + # We add a suid wrapper and a wrapper script to trick cups into calling the suid wrapper. + # Note that a symlink to the suid wrapper alone wouldn't suffice, cups would complain + # > File "/nix/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-cups-progs/lib/cups/backend/cups-pdf" has insecure permissions (0104554/uid=0/gid=20) + + # wrapper script that redirects calls to the suid wrapper + cups-pdf-wrapper = pkgs.writeTextFile { + name = "${pkgs.cups-pdf-to-pdf.name}-wrapper.sh"; + executable = true; + destination = "/lib/cups/backend/cups-pdf"; + checkPhase = '' + ${pkgs.stdenv.shellDryRun} "$target" + ${lib.getExe pkgs.shellcheck} "$target" + ''; + text = '' + #! ${pkgs.runtimeShell} + exec "${config.security.wrapperDir}/cups-pdf" "$@" + ''; + }; + + # wrapped cups-pdf package that uses the suid wrapper + cups-pdf-wrapped = pkgs.buildEnv { + name = "${pkgs.cups-pdf-to-pdf.name}-wrapped"; + # using the wrapper as first path ensures it is used + paths = [ cups-pdf-wrapper pkgs.cups-pdf-to-pdf ]; + ignoreCollisions = true; + }; + + instanceSettings = name: { + freeformType = with lib.types; nullOr (oneOf [ int str path package ]); + # override defaults: + # inject instance name into paths, + # also avoid conflicts between user names and special dirs + options.Out = lib.mkOption { + type = with lib.types; nullOr singleLineStr; + default = "/var/spool/cups-pdf-${name}/users/\${USER}"; + defaultText = "/var/spool/cups-pdf-{instance-name}/users/\${USER}"; + example = "\${HOME}/cups-pdf"; + description = lib.mdDoc '' + output directory; + `''${HOME}` will be expanded to the user's home directory, + `''${USER}` will be expanded to the user name. + ''; + }; + options.AnonDirName = lib.mkOption { + type = with lib.types; nullOr singleLineStr; + default = "/var/spool/cups-pdf-${name}/anonymous"; + defaultText = "/var/spool/cups-pdf-{instance-name}/anonymous"; + example = "/var/lib/cups-pdf"; + description = lib.mdDoc "path for anonymously created PDF files"; + }; + options.Spool = lib.mkOption { + type = with lib.types; nullOr singleLineStr; + default = "/var/spool/cups-pdf-${name}/spool"; + defaultText = "/var/spool/cups-pdf-{instance-name}/spool"; + example = "/var/lib/cups-pdf"; + description = lib.mdDoc "spool directory"; + }; + options.Anonuser = lib.mkOption { + type = lib.types.singleLineStr; + default = "root"; + description = lib.mdDoc '' + User for anonymous PDF creation. + An empty string disables this feature. + ''; + }; + options.GhostScript = lib.mkOption { + type = with lib.types; nullOr path; + default = lib.getExe pkgs.ghostscript; + defaultText = lib.literalExpression "lib.getExe pkgs.ghostscript"; + example = lib.literalExpression ''''${pkgs.ghostscript}/bin/ps2pdf''; + description = lib.mdDoc "location of GhostScript binary"; + }; + }; + + instanceConfig = { name, config, ... }: { + options = { + enable = (lib.mkEnableOption (lib.mdDoc "this cups-pdf instance")) // { default = true; }; + installPrinter = (lib.mkEnableOption (lib.mdDoc '' + a CUPS printer queue for this instance. + The queue will be named after the instance and will use the {file}`CUPS-PDF_opt.ppd` ppd file. + If this is disabled, you need to add the queue yourself to use the instance + '')) // { default = true; }; + confFileText = lib.mkOption { + type = lib.types.lines; + description = lib.mdDoc '' + This will contain the contents of {file}`cups-pdf.conf` for this instance, derived from {option}`settings`. + You can use this option to append text to the file. + ''; + }; + settings = lib.mkOption { + type = lib.types.submodule (instanceSettings name); + default = {}; + example = { + Out = "\${HOME}/cups-pdf"; + UserUMask = "0033"; + }; + description = lib.mdDoc '' + Settings for a cups-pdf instance, see the descriptions in the template config file in the cups-pdf package. + The key value pairs declared here will be translated into proper key value pairs for {file}`cups-pdf.conf`. + Setting a value to `null` disables the option and removes it from the file. + ''; + }; + }; + config.confFileText = lib.pipe config.settings [ + (lib.filterAttrs (key: value: value != null)) + (lib.mapAttrs (key: builtins.toString)) + (lib.mapAttrsToList (key: value: "${key} ${value}\n")) + lib.concatStrings + ]; + }; + + cupsPdfCfg = config.services.printing.cups-pdf; + + copyConfigFileCmds = lib.pipe cupsPdfCfg.instances [ + (lib.filterAttrs (name: lib.getAttr "enable")) + (lib.mapAttrs (name: lib.getAttr "confFileText")) + (lib.mapAttrs (name: pkgs.writeText "cups-pdf-${name}.conf")) + (lib.mapAttrsToList (name: confFile: "ln --symbolic --no-target-directory ${confFile} /var/lib/cups/cups-pdf-${name}.conf\n")) + lib.concatStrings + ]; + + printerSettings = lib.pipe cupsPdfCfg.instances [ + (lib.filterAttrs (name: lib.getAttr "enable")) + (lib.filterAttrs (name: lib.getAttr "installPrinter")) + (lib.mapAttrsToList (name: instance: (lib.mapAttrs (key: lib.mkDefault) { + inherit name; + model = "CUPS-PDF_opt.ppd"; + deviceUri = "cups-pdf:/${name}"; + description = "virtual printer for cups-pdf instance ${name}"; + location = instance.settings.Out; + }))) + ]; + +in + +{ + + options.services.printing.cups-pdf = { + enable = lib.mkEnableOption (lib.mdDoc '' + the cups-pdf virtual pdf printer backend. + By default, this will install a single printer `pdf`. + but this can be changed/extended with {option}`services.printing.cups-pdf.instances` + ''); + instances = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule instanceConfig); + default.pdf = {}; + example.pdf.settings = { + Out = "\${HOME}/cups-pdf"; + UserUMask = "0033"; + }; + description = lib.mdDoc '' + Permits to raise one or more cups-pdf instances. + Each instance is named by an attribute name, and the attribute's values control the instance' configuration. + ''; + }; + }; + + config = lib.mkIf cupsPdfCfg.enable { + services.printing.enable = true; + services.printing.drivers = [ cups-pdf-wrapped ]; + hardware.printers.ensurePrinters = printerSettings; + # the cups module will install the default config file, + # but we don't need it and it would confuse cups-pdf + systemd.services.cups.preStart = lib.mkAfter '' + rm -f /var/lib/cups/cups-pdf.conf + ${copyConfigFileCmds} + ''; + security.wrappers.cups-pdf = { + group = "lp"; + owner = "root"; + permissions = "+r,ug+x"; + setuid = true; + source = "${pkgs.cups-pdf-to-pdf}/lib/cups/backend/cups-pdf"; + }; + }; + + meta.maintainers = [ lib.maintainers.yarny ]; + +} diff --git a/nixos/modules/services/printing/ipp-usb.nix b/nixos/modules/services/printing/ipp-usb.nix new file mode 100644 index 0000000000000..8ed2ff8268710 --- /dev/null +++ b/nixos/modules/services/printing/ipp-usb.nix @@ -0,0 +1,63 @@ +{ config, lib, pkgs, ... }: { + options = { + services.ipp-usb = { + enable = lib.mkEnableOption (lib.mdDoc "ipp-usb, a daemon to turn an USB printer/scanner supporting IPP everywhere (aka AirPrint, WSD, AirScan) into a locally accessible network printer/scanner"); + }; + }; + config = lib.mkIf config.services.ipp-usb.enable { + systemd.services.ipp-usb = { + description = "Daemon for IPP over USB printer support"; + after = [ "cups.service" "avahi-daemon.service" ]; + wants = [ "avahi-daemon.service" ]; + serviceConfig = { + ExecStart = [ "${pkgs.ipp-usb}/bin/ipp-usb" ]; + Type = "simple"; + Restart = "on-failure"; + StateDirectory = "ipp-usb"; + LogsDirectory = "ipp-usb"; + + # hardening. + ProtectHome = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectControlGroups = true; + MemoryDenyWriteExecute = true; + # breaks the daemon, presumably because it messes with DeviceAllow + ProtectClock = false; + ProtectKernelTunables = true; + ProtectKernelLogs = true; + ProtectSystem = "strict"; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + PrivateMounts = true; + ProtectHostname = true; + ProtectKernelModules = true; + RemoveIPC = true; + RestrictNamespaces = true; + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6" ]; + ProtectProc = "noaccess"; + }; + }; + + # starts the systemd service + services.udev.packages = [ pkgs.ipp-usb ]; + services.avahi = { + enable = true; + publish = { + enable = true; + userServices = true; + }; + }; + # enable printing and scanning by default, but not required. + services.printing.enable = lib.mkDefault true; + hardware.sane.enable = lib.mkDefault true; + # so that sane discovers scanners + hardware.sane.extraBackends = [ pkgs.sane-airscan ]; + }; +} + + diff --git a/nixos/modules/services/search/elasticsearch-curator.nix b/nixos/modules/services/search/elasticsearch-curator.nix index f073ec7cf2bdc..0a21d705ef87d 100644 --- a/nixos/modules/services/search/elasticsearch-curator.nix +++ b/nixos/modules/services/search/elasticsearch-curator.nix @@ -50,7 +50,7 @@ in { }; port = mkOption { description = lib.mdDoc "the port that elasticsearch is listening on"; - type = types.int; + type = types.port; default = 9200; }; actionYAML = mkOption { diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix index 4a9dd50310e20..fa1627566ebed 100644 --- a/nixos/modules/services/search/elasticsearch.nix +++ b/nixos/modules/services/search/elasticsearch.nix @@ -66,7 +66,7 @@ in port = mkOption { description = lib.mdDoc "Elasticsearch port to listen for HTTP traffic."; default = 9200; - type = types.int; + type = types.port; }; tcp_port = mkOption { diff --git a/nixos/modules/services/search/kibana.nix b/nixos/modules/services/search/kibana.nix index ffc7c4b68cae4..5eb2381d5d399 100644 --- a/nixos/modules/services/search/kibana.nix +++ b/nixos/modules/services/search/kibana.nix @@ -43,7 +43,7 @@ in { port = mkOption { description = lib.mdDoc "Kibana listening port"; default = 5601; - type = types.int; + type = types.port; }; cert = mkOption { diff --git a/nixos/modules/services/search/meilisearch.nix b/nixos/modules/services/search/meilisearch.nix index 9262b927cba42..3983b1b2c92ce 100644 --- a/nixos/modules/services/search/meilisearch.nix +++ b/nixos/modules/services/search/meilisearch.nix @@ -21,7 +21,7 @@ in package = mkOption { description = lib.mdDoc "The package to use for meilisearch. Use this if you require specific features to be enabled. The default package has no features."; default = pkgs.meilisearch; - defaultText = "pkgs.meilisearch"; + defaultText = lib.literalExpression "pkgs.meilisearch"; type = types.package; }; diff --git a/nixos/modules/services/security/aesmd.nix b/nixos/modules/services/security/aesmd.nix index 7b0a46d6d029c..8b3f010d7c4d0 100644 --- a/nixos/modules/services/security/aesmd.nix +++ b/nixos/modules/services/security/aesmd.nix @@ -25,6 +25,22 @@ in default = false; description = lib.mdDoc "Whether to build the PSW package in debug mode."; }; + environment = mkOption { + type = with types; attrsOf str; + default = { }; + description = mdDoc "Additional environment variables to pass to the AESM service."; + # Example environment variable for `sgx-azure-dcap-client` provider library + example = { + AZDCAP_COLLATERAL_VERSION = "v2"; + AZDCAP_DEBUG_LOG_LEVEL = "INFO"; + }; + }; + quoteProviderLibrary = mkOption { + type = with types; nullOr path; + default = null; + example = literalExpression "pkgs.sgx-azure-dcap-client"; + description = lib.mdDoc "Custom quote provider library to use."; + }; settings = mkOption { description = lib.mdDoc "AESM configuration"; default = { }; @@ -83,7 +99,6 @@ in storeAesmFolder = "${sgx-psw}/aesm"; # Hardcoded path AESM_DATA_FOLDER in psw/ae/aesm_service/source/oal/linux/aesm_util.cpp aesmDataFolder = "/var/opt/aesmd/data"; - aesmStateDirSystemd = "%S/aesmd"; in { description = "Intel Architectural Enclave Service Manager"; @@ -98,8 +113,8 @@ in environment = { NAME = "aesm_service"; AESM_PATH = storeAesmFolder; - LD_LIBRARY_PATH = storeAesmFolder; - }; + LD_LIBRARY_PATH = makeLibraryPath [ cfg.quoteProviderLibrary ]; + } // cfg.environment; # Make sure any of the SGX application enclave devices is available unitConfig.AssertPathExists = [ diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index e208eed008ae0..3b124a4f0e088 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -161,7 +161,7 @@ in type = types.str; example = "2 4 16 128"; description = lib.mdDoc '' - "bantime-increment.multipliers" used to calculate next value of ban time instead of formula, coresponding + "bantime-increment.multipliers" used to calculate next value of ban time instead of formula, corresponding previously ban count and given "bantime.factor" (for multipliers default is 1); following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours @@ -174,7 +174,7 @@ in example = true; description = lib.mdDoc '' "bantime-increment.overalljails" (if true) specifies the search of IP in the database will be executed - cross over all jails, if false (dafault), only current jail of the ban IP will be searched + cross over all jails, if false (default), only current jail of the ban IP will be searched ''; }; diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix index 788e06ffecf01..55120799c9934 100644 --- a/nixos/modules/services/security/kanidm.nix +++ b/nixos/modules/services/security/kanidm.nix @@ -100,6 +100,14 @@ in readOnly = true; type = lib.types.path; }; + tls_chain = lib.mkOption { + description = lib.mdDoc "TLS chain in pem format."; + type = lib.types.path; + }; + tls_key = lib.mkOption { + description = lib.mdDoc "TLS key in pem format."; + type = lib.types.path; + }; log_level = lib.mkOption { description = lib.mdDoc "Log level of the server."; default = "default"; diff --git a/nixos/modules/services/security/opensnitch.nix b/nixos/modules/services/security/opensnitch.nix index 1612b0edf0168..98695b1ef0603 100644 --- a/nixos/modules/services/security/opensnitch.nix +++ b/nixos/modules/services/security/opensnitch.nix @@ -5,10 +5,47 @@ with lib; let cfg = config.services.opensnitch; format = pkgs.formats.json {}; + + predefinedRules = flip mapAttrs cfg.rules (name: cfg: { + file = pkgs.writeText "rule" (builtins.toJSON cfg); + }); + in { options = { services.opensnitch = { - enable = mkEnableOption (lib.mdDoc "Opensnitch application firewall"); + enable = mkEnableOption (mdDoc "Opensnitch application firewall"); + + rules = mkOption { + default = {}; + example = literalExpression '' + { + "tor" = { + "name" = "tor"; + "enabled" = true; + "action" = "allow"; + "duration" = "always"; + "operator" = { + "type" ="simple"; + "sensitive" = false; + "operand" = "process.path"; + "data" = "''${lib.getBin pkgs.tor}/bin/tor"; + }; + }; + }; + ''; + + description = mdDoc '' + Declarative configuration of firewall rules. + All rules will be stored in `/var/lib/opensnitch/rules`. + See [upstream documentation](https://github.com/evilsocket/opensnitch/wiki/Rules) + for available options. + ''; + + type = types.submodule { + freeformType = format.type; + }; + }; + settings = mkOption { type = types.submodule { freeformType = format.type; @@ -18,7 +55,7 @@ in { Address = mkOption { type = types.str; - description = lib.mdDoc '' + description = mdDoc '' Unix socket path (unix:///tmp/osui.sock, the "unix:///" part is mandatory) or TCP socket (192.168.1.100:50051). ''; @@ -26,7 +63,7 @@ in { LogFile = mkOption { type = types.path; - description = lib.mdDoc '' + description = mdDoc '' File to write logs to (use /dev/stdout to write logs to standard output). ''; @@ -36,7 +73,7 @@ in { DefaultAction = mkOption { type = types.enum [ "allow" "deny" ]; - description = lib.mdDoc '' + description = mdDoc '' Default action whether to block or allow application internet access. ''; @@ -46,28 +83,28 @@ in { type = types.enum [ "once" "always" "until restart" "30s" "5m" "15m" "30m" "1h" ]; - description = lib.mdDoc '' + description = mdDoc '' Default duration of firewall rule. ''; }; InterceptUnknown = mkOption { type = types.bool; - description = lib.mdDoc '' - Wheter to intercept spare connections. + description = mdDoc '' + Whether to intercept spare connections. ''; }; ProcMonitorMethod = mkOption { type = types.enum [ "ebpf" "proc" "ftrace" "audit" ]; - description = lib.mdDoc '' + description = mdDoc '' Which process monitoring method to use. ''; }; LogLevel = mkOption { type = types.enum [ 0 1 2 3 4 ]; - description = lib.mdDoc '' + description = mdDoc '' Default log level from 0 to 4 (debug, info, important, warning, error). ''; @@ -75,7 +112,7 @@ in { Firewall = mkOption { type = types.enum [ "iptables" "nftables" ]; - description = lib.mdDoc '' + description = mdDoc '' Which firewall backend to use. ''; }; @@ -84,14 +121,14 @@ in { MaxEvents = mkOption { type = types.int; - description = lib.mdDoc '' + description = mdDoc '' Max events to send to the GUI. ''; }; MaxStats = mkOption { type = types.int; - description = lib.mdDoc '' + description = mdDoc '' Max stats per item to keep in backlog. ''; }; @@ -99,9 +136,8 @@ in { }; }; }; - description = lib.mdDoc '' - opensnitchd configuration. Refer to - <https://github.com/evilsocket/opensnitch/wiki/Configurations> + description = mdDoc '' + opensnitchd configuration. Refer to [upstream documentation](https://github.com/evilsocket/opensnitch/wiki/Configurations) for details on supported values. ''; }; @@ -118,6 +154,25 @@ in { services.opensnitchd.wantedBy = [ "multi-user.target" ]; }; + systemd.services.opensnitchd.preStart = mkIf (cfg.rules != {}) (let + rules = flip mapAttrsToList predefinedRules (file: content: { + inherit (content) file; + local = "/var/lib/opensnitch/rules/${file}.json"; + }); + in '' + # Remove all firewall rules from `/var/lib/opensnitch/rules` that are symlinks to a store-path, + # but aren't declared in `cfg.rules` (i.e. all networks that were "removed" from + # `cfg.rules`). + find /var/lib/opensnitch/rules -type l -lname '${builtins.storeDir}/*' ${optionalString (rules != {}) '' + -not \( ${concatMapStringsSep " -o " ({ local, ... }: + "-name '${baseNameOf local}*'") + rules} \) \ + ''} -delete + ${concatMapStrings ({ file, local }: '' + ln -sf '${file}' "${local}" + '') rules} + ''); + environment.etc."opensnitchd/default-config.json".source = format.generate "default-config.json" cfg.settings; }; diff --git a/nixos/modules/services/security/physlock.nix b/nixos/modules/services/security/physlock.nix index 3db9e0ac44586..cd77476591521 100644 --- a/nixos/modules/services/security/physlock.nix +++ b/nixos/modules/services/security/physlock.nix @@ -57,6 +57,14 @@ in ''; }; + muteKernelMessages = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Disable kernel messages on console while physlock is running. + ''; + }; + lockOn = { suspend = mkOption { @@ -116,7 +124,7 @@ in ++ cfg.lockOn.extraTargets; serviceConfig = { Type = "forking"; - ExecStart = "${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"}${optionalString (cfg.lockMessage != "") " -p \"${cfg.lockMessage}\""}"; + ExecStart = "${pkgs.physlock}/bin/physlock -d${optionalString cfg.muteKernelMessages "m"}${optionalString cfg.disableSysRq "s"}${optionalString (cfg.lockMessage != "") " -p \"${cfg.lockMessage}\""}"; }; }; diff --git a/nixos/modules/services/security/shibboleth-sp.nix b/nixos/modules/services/security/shibboleth-sp.nix index 6626ea213625b..e7897c3324cf6 100644 --- a/nixos/modules/services/security/shibboleth-sp.nix +++ b/nixos/modules/services/security/shibboleth-sp.nix @@ -27,13 +27,13 @@ in { fastcgi.shibAuthorizerPort = mkOption { type = types.int; default = 9100; - description = lib.mdDoc "Port for shibauthorizer FastCGI proccess to bind to"; + description = lib.mdDoc "Port for shibauthorizer FastCGI process to bind to"; }; fastcgi.shibResponderPort = mkOption { type = types.int; default = 9101; - description = lib.mdDoc "Port for shibauthorizer FastCGI proccess to bind to"; + description = lib.mdDoc "Port for shibauthorizer FastCGI process to bind to"; }; }; }; diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index b85b78f269a1d..2aa2964f88185 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -146,7 +146,7 @@ let ]))]; description = lib.mdDoc (descriptionGeneric optionName); }; - optionBandwith = optionName: mkOption { + optionBandwidth = optionName: mkOption { type = with types; nullOr (either int str); default = null; description = lib.mdDoc (descriptionGeneric optionName); @@ -205,7 +205,7 @@ in (mkRemovedOptionModule [ "services" "tor" "client" "transparentProxy" "isolationOptions" ] "Use services.tor.settings.TransPort instead.") (mkRemovedOptionModule [ "services" "tor" "client" "transparentProxy" "listenAddress" ] "Use services.tor.settings.TransPort instead.") (mkRenamedOptionModule [ "services" "tor" "controlPort" ] [ "services" "tor" "settings" "ControlPort" ]) - (mkRemovedOptionModule [ "services" "tor" "extraConfig" ] "Plese use services.tor.settings instead.") + (mkRemovedOptionModule [ "services" "tor" "extraConfig" ] "Please use services.tor.settings instead.") (mkRenamedOptionModule [ "services" "tor" "hiddenServices" ] [ "services" "tor" "relay" "onionServices" ]) (mkRenamedOptionModule [ "services" "tor" "relay" "accountingMax" ] [ "services" "tor" "settings" "AccountingMax" ]) (mkRenamedOptionModule [ "services" "tor" "relay" "accountingStart" ] [ "services" "tor" "settings" "AccountingStart" ]) @@ -546,7 +546,7 @@ in }; options.Address = optionString "Address"; options.AssumeReachable = optionBool "AssumeReachable"; - options.AccountingMax = optionBandwith "AccountingMax"; + options.AccountingMax = optionBandwidth "AccountingMax"; options.AccountingStart = optionString "AccountingStart"; options.AuthDirHasIPv6Connectivity = optionBool "AuthDirHasIPv6Connectivity"; options.AuthDirListBadExits = optionBool "AuthDirListBadExits"; @@ -559,8 +559,8 @@ in default = [".onion" ".exit"]; example = [".onion"]; }; - options.BandwidthBurst = optionBandwith "BandwidthBurst"; - options.BandwidthRate = optionBandwith "BandwidthRate"; + options.BandwidthBurst = optionBandwidth "BandwidthBurst"; + options.BandwidthRate = optionBandwidth "BandwidthRate"; options.BridgeAuthoritativeDir = optionBool "BridgeAuthoritativeDir"; options.BridgeRecordUsageByCountry = optionBool "BridgeRecordUsageByCountry"; options.BridgeRelay = optionBool "BridgeRelay" // { default = false; }; @@ -709,7 +709,7 @@ in options.LogMessageDomains = optionBool "LogMessageDomains"; options.LongLivedPorts = optionPorts "LongLivedPorts"; options.MainloopStats = optionBool "MainloopStats"; - options.MaxAdvertisedBandwidth = optionBandwith "MaxAdvertisedBandwidth"; + options.MaxAdvertisedBandwidth = optionBandwidth "MaxAdvertisedBandwidth"; options.MaxCircuitDirtiness = optionInt "MaxCircuitDirtiness"; options.MaxClientCircuitsPending = optionInt "MaxClientCircuitsPending"; options.NATDPort = optionIsolablePorts "NATDPort"; @@ -719,8 +719,8 @@ in options.OfflineMasterKey = optionBool "OfflineMasterKey"; options.OptimisticData = optionBool "OptimisticData"; # default is null and like "auto" options.PaddingStatistics = optionBool "PaddingStatistics"; - options.PerConnBWBurst = optionBandwith "PerConnBWBurst"; - options.PerConnBWRate = optionBandwith "PerConnBWRate"; + options.PerConnBWBurst = optionBandwidth "PerConnBWBurst"; + options.PerConnBWRate = optionBandwidth "PerConnBWRate"; options.PidFile = optionPath "PidFile"; options.ProtocolWarnings = optionBool "ProtocolWarnings"; options.PublishHidServDescriptors = optionBool "PublishHidServDescriptors"; @@ -732,8 +732,8 @@ in options.ReducedExitPolicy = optionBool "ReducedExitPolicy"; options.RefuseUnknownExits = optionBool "RefuseUnknownExits"; # default is null and like "auto" options.RejectPlaintextPorts = optionPorts "RejectPlaintextPorts"; - options.RelayBandwidthBurst = optionBandwith "RelayBandwidthBurst"; - options.RelayBandwidthRate = optionBandwith "RelayBandwidthRate"; + options.RelayBandwidthBurst = optionBandwidth "RelayBandwidthBurst"; + options.RelayBandwidthRate = optionBandwidth "RelayBandwidthRate"; #options.RunAsDaemon options.Sandbox = optionBool "Sandbox"; options.ServerDNSAllowBrokenConfig = optionBool "ServerDNSAllowBrokenConfig"; diff --git a/nixos/modules/services/security/usbguard.nix b/nixos/modules/services/security/usbguard.nix index 1b1fa84c4fa37..1d846b194077c 100644 --- a/nixos/modules/services/security/usbguard.nix +++ b/nixos/modules/services/security/usbguard.nix @@ -118,9 +118,9 @@ in description = lib.mdDoc '' The USBGuard daemon modifies some attributes of controller devices like the default authorization state of new child device - instances. Using this setting, you can controll whether the daemon + instances. Using this setting, you can control whether the daemon will try to restore the attribute values to the state before - modificaton on shutdown. + modification on shutdown. ''; }; diff --git a/nixos/modules/services/security/vaultwarden/default.nix b/nixos/modules/services/security/vaultwarden/default.nix index 81423e57fd2c3..aaa3f5507f770 100644 --- a/nixos/modules/services/security/vaultwarden/default.nix +++ b/nixos/modules/services/security/vaultwarden/default.nix @@ -22,9 +22,9 @@ let # we can only check for values consistently after converting them to their corresponding environment variable name. configEnv = let - configEnv = listToAttrs (concatLists (mapAttrsToList (name: value: - if value != null then [ (nameValuePair (nameToEnvVar name) (if isBool value then boolToString value else toString value)) ] else [] - ) cfg.config)); + configEnv = concatMapAttrs (name: value: optionalAttrs (value != null) { + ${nameToEnvVar name} = if isBool value then boolToString value else toString value; + }) cfg.config; in { DATA_FOLDER = "/var/lib/bitwarden_rs"; } // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") { WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault"; } // configEnv; @@ -162,8 +162,8 @@ in { webVaultPackage = mkOption { type = package; - default = pkgs.vaultwarden-vault; - defaultText = literalExpression "pkgs.vaultwarden-vault"; + default = pkgs.vaultwarden.webvault; + defaultText = literalExpression "pkgs.vaultwarden.webvault"; description = lib.mdDoc "Web vault package to use."; }; }; diff --git a/nixos/modules/services/system/automatic-timezoned.nix b/nixos/modules/services/system/automatic-timezoned.nix new file mode 100644 index 0000000000000..9bdd64dd33a3c --- /dev/null +++ b/nixos/modules/services/system/automatic-timezoned.nix @@ -0,0 +1,92 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.automatic-timezoned; +in +{ + options = { + services.automatic-timezoned = { + enable = mkOption { + type = types.bool; + default = false; + description = mdDoc '' + Enable `automatic-timezoned`, simple daemon for keeping the system + timezone up-to-date based on the current location. It uses geoclue2 to + determine the current location and systemd-timedated to actually set + the timezone. + ''; + }; + package = mkOption { + type = types.package; + default = pkgs.automatic-timezoned; + defaultText = literalExpression "pkgs.automatic-timezoned"; + description = mdDoc '' + Which `automatic-timezoned` package to use. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + security.polkit.extraConfig = '' + polkit.addRule(function(action, subject) { + if (action.id == "org.freedesktop.timedate1.set-timezone" + && subject.user == "automatic-timezoned") { + return polkit.Result.YES; + } + }); + ''; + + services.geoclue2 = { + enable = true; + appConfig.automatic-timezoned = { + isAllowed = true; + isSystem = true; + users = [ (toString config.ids.uids.automatic-timezoned) ]; + }; + }; + + systemd.services = { + + automatic-timezoned = { + description = "Automatically update system timezone based on location"; + requires = [ "automatic-timezoned-geoclue-agent.service" ]; + after = [ "automatic-timezoned-geoclue-agent.service" ]; + serviceConfig = { + Type = "exec"; + User = "automatic-timezoned"; + ExecStart = "${cfg.package}/bin/automatic-timezoned --zoneinfo-path=${pkgs.tzdata}/share/zoneinfo/zone1970.tab"; + }; + wantedBy = [ "default.target" ]; + }; + + automatic-timezoned-geoclue-agent = { + description = "Geoclue agent for automatic-timezoned"; + requires = [ "geoclue.service" ]; + after = [ "geoclue.service" ]; + serviceConfig = { + Type = "exec"; + User = "automatic-timezoned"; + ExecStart = "${pkgs.geoclue2-with-demo-agent}/libexec/geoclue-2.0/demos/agent"; + Restart = "on-failure"; + PrivateTmp = true; + }; + wantedBy = [ "default.target" ]; + }; + + }; + + users = { + users.automatic-timezoned = { + description = "automatic-timezoned"; + uid = config.ids.uids.automatic-timezoned; + group = "automatic-timezoned"; + }; + groups.automatic-timezoned = { + gid = config.ids.gids.automatic-timezoned; + }; + }; + }; +} diff --git a/nixos/modules/services/system/cachix-agent/default.nix b/nixos/modules/services/system/cachix-agent/default.nix index aa3b2153422ca..11769d4e3095f 100644 --- a/nixos/modules/services/system/cachix-agent/default.nix +++ b/nixos/modules/services/system/cachix-agent/default.nix @@ -67,7 +67,8 @@ in { serviceConfig = { # we don't want to kill children processes as those are deployments KillMode = "process"; - Restart = "on-failure"; + Restart = "always"; + RestartSec = 5; EnvironmentFile = cfg.credentialsFile; ExecStart = '' ${cfg.package}/bin/cachix ${lib.optionalString cfg.verbose "--verbose"} ${lib.optionalString (cfg.host != null) "--host ${cfg.host}"} \ diff --git a/nixos/modules/services/system/cloud-init.nix b/nixos/modules/services/system/cloud-init.nix index 30b2ca568e12f..d75070dea4346 100644 --- a/nixos/modules/services/system/cloud-init.nix +++ b/nixos/modules/services/system/cloud-init.nix @@ -27,7 +27,7 @@ in This configuration is not completely compatible with the NixOS way of doing configuration, as configuration done by - cloud-init might be overriden by a subsequent nixos-rebuild + cloud-init might be overridden by a subsequent nixos-rebuild call. However, some parts of cloud-init fall outside of NixOS's responsibility, like filesystem resizing and ssh public key provisioning, and cloud-init is useful for that diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix index c0de00bb914ca..c677088101f0c 100644 --- a/nixos/modules/services/system/dbus.nix +++ b/nixos/modules/services/system/dbus.nix @@ -1,8 +1,6 @@ # D-Bus configuration and system bus daemon. -{ config, lib, options, pkgs, ... }: - -with lib; +{ config, lib, pkgs, ... }: let @@ -16,11 +14,11 @@ let serviceDirectories = cfg.packages; }; + inherit (lib) mkOption mkIf mkMerge types; + in { - ###### interface - options = { services.dbus = { @@ -35,6 +33,18 @@ in ''; }; + implementation = mkOption { + type = types.enum [ "dbus" "broker" ]; + default = "dbus"; + description = lib.mdDoc '' + The implementation to use for the message bus defined by the D-Bus specification. + Can be either the classic dbus daemon or dbus-broker, which aims to provide high + performance and reliability, while keeping compatibility to the D-Bus + reference implementation. + ''; + + }; + packages = mkOption { type = types.listOf types.path; default = [ ]; @@ -65,75 +75,117 @@ in ''; default = "disabled"; }; - - socketActivated = mkOption { - type = types.nullOr types.bool; - default = null; - visible = false; - description = lib.mdDoc '' - Removed option, do not use. - ''; - }; }; }; - ###### implementation + config = mkIf cfg.enable (mkMerge [ + { + environment.etc."dbus-1".source = configDir; - config = mkIf cfg.enable { - warnings = optional (cfg.socketActivated != null) ( - let - files = showFiles options.services.dbus.socketActivated.files; - in - "The option 'services.dbus.socketActivated' in ${files} no longer has" - + " any effect and can be safely removed: the user D-Bus session is" - + " now always socket activated." - ); + environment.pathsToLink = [ + "/etc/dbus-1" + "/share/dbus-1" + ]; - environment.systemPackages = [ pkgs.dbus.daemon pkgs.dbus ]; + users.users.messagebus = { + uid = config.ids.uids.messagebus; + description = "D-Bus system message bus daemon user"; + home = homeDir; + group = "messagebus"; + }; - environment.etc."dbus-1".source = configDir; + users.groups.messagebus.gid = config.ids.gids.messagebus; + + # You still need the dbus reference implementation installed to use dbus-broker + systemd.packages = [ + pkgs.dbus + ]; + + services.dbus.packages = [ + pkgs.dbus + config.system.path + ]; + + systemd.user.sockets.dbus.wantedBy = [ + "sockets.target" + ]; + } + + (mkIf (cfg.implementation == "dbus") { + environment.systemPackages = [ + pkgs.dbus + ]; + + security.wrappers.dbus-daemon-launch-helper = { + source = "${pkgs.dbus}/libexec/dbus-daemon-launch-helper"; + owner = "root"; + group = "messagebus"; + setuid = true; + setgid = false; + permissions = "u+rx,g+rx,o-rx"; + }; - users.users.messagebus = { - uid = config.ids.uids.messagebus; - description = "D-Bus system message bus daemon user"; - home = homeDir; - group = "messagebus"; - }; + systemd.services.dbus = { + # Don't restart dbus-daemon. Bad things tend to happen if we do. + reloadIfChanged = true; + restartTriggers = [ + configDir + ]; + environment = { + LD_LIBRARY_PATH = config.system.nssModules.path; + }; + }; - users.groups.messagebus.gid = config.ids.gids.messagebus; + systemd.user.services.dbus = { + # Don't restart dbus-daemon. Bad things tend to happen if we do. + reloadIfChanged = true; + restartTriggers = [ + configDir + ]; + }; - systemd.packages = [ pkgs.dbus.daemon ]; + }) - security.wrappers.dbus-daemon-launch-helper = { - source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper"; - owner = "root"; - group = "messagebus"; - setuid = true; - setgid = false; - permissions = "u+rx,g+rx,o-rx"; - }; + (mkIf (cfg.implementation == "broker") { + environment.systemPackages = [ + pkgs.dbus-broker + ]; - services.dbus.packages = [ - pkgs.dbus.out - config.system.path - ]; + systemd.packages = [ + pkgs.dbus-broker + ]; - systemd.services.dbus = { - # Don't restart dbus-daemon. Bad things tend to happen if we do. - reloadIfChanged = true; - restartTriggers = [ configDir ]; - environment = { LD_LIBRARY_PATH = config.system.nssModules.path; }; - }; + # Just to be sure we don't restart through the unit alias + systemd.services.dbus.reloadIfChanged = true; + systemd.user.services.dbus.reloadIfChanged = true; - systemd.user = { - services.dbus = { - # Don't restart dbus-daemon. Bad things tend to happen if we do. + # NixOS Systemd Module doesn't respect 'Install' + # https://github.com/NixOS/nixpkgs/issues/108643 + systemd.services.dbus-broker = { + aliases = [ + "dbus.service" + ]; + # Don't restart dbus. Bad things tend to happen if we do. reloadIfChanged = true; - restartTriggers = [ configDir ]; + restartTriggers = [ + configDir + ]; + environment = { + LD_LIBRARY_PATH = config.system.nssModules.path; + }; }; - sockets.dbus.wantedBy = [ "sockets.target" ]; - }; - environment.pathsToLink = [ "/etc/dbus-1" "/share/dbus-1" ]; - }; + systemd.user.services.dbus-broker = { + aliases = [ + "dbus.service" + ]; + # Don't restart dbus. Bad things tend to happen if we do. + reloadIfChanged = true; + restartTriggers = [ + configDir + ]; + }; + }) + + ]); } diff --git a/nixos/modules/services/system/kerberos/default.nix b/nixos/modules/services/system/kerberos/default.nix index 0c9e44a45c15e..4ed48e463741a 100644 --- a/nixos/modules/services/system/kerberos/default.nix +++ b/nixos/modules/services/system/kerberos/default.nix @@ -51,7 +51,7 @@ in ###### interface options = { services.kerberos_server = { - enable = lib.mkEnableOption (lib.mdDoc "the kerberos authentification server"); + enable = lib.mkEnableOption (lib.mdDoc "the kerberos authentication server"); realms = mkOption { type = types.attrsOf (types.submodule realm); diff --git a/nixos/modules/services/system/kerberos/mit.nix b/nixos/modules/services/system/kerberos/mit.nix index 25d7d51e808ab..112000140453f 100644 --- a/nixos/modules/services/system/kerberos/mit.nix +++ b/nixos/modules/services/system/kerberos/mit.nix @@ -33,7 +33,7 @@ let in { - config = mkIf (cfg.enable && kerberos == pkgs.krb5Full) { + config = mkIf (cfg.enable && kerberos == pkgs.krb5) { systemd.services.kadmind = { description = "Kerberos Administration Daemon"; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/system/self-deploy.nix b/nixos/modules/services/system/self-deploy.nix index 9b1ebfd375229..16a793a42253c 100644 --- a/nixos/modules/services/system/self-deploy.nix +++ b/nixos/modules/services/system/self-deploy.nix @@ -18,7 +18,7 @@ let in lib.concatStrings (lib.mapAttrsToList toArg args); - isPathType = x: lib.strings.isCoercibleToString x && builtins.substring 0 1 (toString x) == "/"; + isPathType = x: lib.types.path.check x; in { diff --git a/nixos/modules/services/torrent/deluge.nix b/nixos/modules/services/torrent/deluge.nix index 70fad4d7d76c7..de3d077daec96 100644 --- a/nixos/modules/services/torrent/deluge.nix +++ b/nixos/modules/services/torrent/deluge.nix @@ -66,7 +66,7 @@ in { `true`. String values must be quoted, integer and boolean values must not. See <https://git.deluge-torrent.org/deluge/tree/deluge/core/preferencesmanager.py#n41> - for the availaible options. + for the available options. ''; }; @@ -117,7 +117,7 @@ in { when {option}`services.deluge.declarative` is set to `true`. See <https://dev.deluge-torrent.org/wiki/UserGuide/Authentication> for - more informations. + more information. ''; }; diff --git a/nixos/modules/services/torrent/magnetico.nix b/nixos/modules/services/torrent/magnetico.nix index b681c58dfe2ad..b813f1205119c 100644 --- a/nixos/modules/services/torrent/magnetico.nix +++ b/nixos/modules/services/torrent/magnetico.nix @@ -143,7 +143,7 @@ in { The path to the file holding the credentials to access the web interface. If unset no authentication will be required. - The file must constain user names and password hashes in the format + The file must contain user names and password hashes in the format `username:hash `, one for each line. Usernames must start with a lowecase ([a-z]) ASCII character, might contain non-consecutive underscores except at the end, and consists of diff --git a/nixos/modules/services/torrent/rtorrent.nix b/nixos/modules/services/torrent/rtorrent.nix index 935c11e3eb005..627439e1079bf 100644 --- a/nixos/modules/services/torrent/rtorrent.nix +++ b/nixos/modules/services/torrent/rtorrent.nix @@ -82,7 +82,7 @@ in { type = types.lines; default = ""; description = lib.mdDoc '' - The content of {file}`rtorrent.rc`. The [modernized configuration template](https://rtorrent-docs.readthedocs.io/en/latest/cookbook.html#modernized-configuration-template) with the values specified in this module will be prepended using mkBefore. You can use mkForce to overwrite the config completly. + The content of {file}`rtorrent.rc`. The [modernized configuration template](https://rtorrent-docs.readthedocs.io/en/latest/cookbook.html#modernized-configuration-template) with the values specified in this module will be prepended using mkBefore. You can use mkForce to overwrite the config completely. ''; }; }; diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index 9b53f5de143d4..4378233848338 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -44,7 +44,7 @@ in (each time the service starts). See [Transmission's Wiki](https://github.com/transmission/transmission/wiki/Editing-Configuration-Files) - for documentation of settings not explicitely covered by this module. + for documentation of settings not explicitly covered by this module. ''; default = {}; type = types.submodule { @@ -174,6 +174,8 @@ in }; }; + package = mkPackageOption pkgs "transmission" {}; + downloadDirPermissions = mkOption { type = with types; nullOr str; default = null; @@ -287,7 +289,7 @@ in install -D -m 600 -o '${cfg.user}' -g '${cfg.group}' /dev/stdin \ '${cfg.home}/${settingsDir}/settings.json' '')]; - ExecStart="${pkgs.transmission}/bin/transmission-daemon -f -g ${cfg.home}/${settingsDir} ${escapeShellArgs cfg.extraFlags}"; + ExecStart="${cfg.package}/bin/transmission-daemon -f -g ${cfg.home}/${settingsDir} ${escapeShellArgs cfg.extraFlags}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; User = cfg.user; Group = cfg.group; @@ -353,7 +355,7 @@ in PrivateUsers = true; ProtectClock = true; ProtectControlGroups = true; - # ProtectHome=true would not allow BindPaths= to work accross /home, + # ProtectHome=true would not allow BindPaths= to work across /home, # and ProtectHome=tmpfs would break statfs(), # preventing transmission-daemon to report the available free space. # However, RootDirectory= is used, so this is not a security concern @@ -385,7 +387,7 @@ in }; # It's useful to have transmission in path, e.g. for remote control - environment.systemPackages = [ pkgs.transmission ]; + environment.systemPackages = [ cfg.package ]; users.users = optionalAttrs (cfg.user == "transmission") ({ transmission = { @@ -457,7 +459,7 @@ in ]; security.apparmor.policies."bin.transmission-daemon".profile = '' - include "${pkgs.transmission.apparmor}/bin.transmission-daemon" + include "${cfg.package.apparmor}/bin.transmission-daemon" ''; security.apparmor.includes."local/bin.transmission-daemon" = '' r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE}, diff --git a/nixos/modules/services/video/unifi-video.nix b/nixos/modules/services/video/unifi-video.nix index fcc3cb02a1b0e..93d4d5060b70c 100644 --- a/nixos/modules/services/video/unifi-video.nix +++ b/nixos/modules/services/video/unifi-video.nix @@ -148,7 +148,7 @@ in openFirewall = mkOption { type = types.bool; - default = true; + default = false; description = lib.mdDoc '' Whether or not to open the required ports on the firewall. ''; @@ -159,7 +159,7 @@ in default = 1024; example = 4096; description = lib.mdDoc '' - Set the maximimum heap size for the JVM in MB. + Set the maximum heap size for the JVM in MB. ''; }; diff --git a/nixos/modules/services/web-apps/akkoma.md b/nixos/modules/services/web-apps/akkoma.md new file mode 100644 index 0000000000000..fc849be0c8726 --- /dev/null +++ b/nixos/modules/services/web-apps/akkoma.md @@ -0,0 +1,332 @@ +# Akkoma {#module-services-akkoma} + +[Akkoma](https://akkoma.dev/) is a lightweight ActivityPub microblogging server forked from Pleroma. + +## Service configuration {#modules-services-akkoma-service-configuration} + +The Elixir configuration file required by Akkoma is generated automatically from +[{option}`services.akkoma.config`](options.html#opt-services.akkoma.config). Secrets must be +included from external files outside of the Nix store by setting the configuration option to +an attribute set containing the attribute {option}`_secret` – a string pointing to the file +containing the actual value of the option. + +For the mandatory configuration settings these secrets will be generated automatically if the +referenced file does not exist during startup, unless disabled through +[{option}`services.akkoma.initSecrets`](options.html#opt-services.akkoma.initSecrets). + +The following configuration binds Akkoma to the Unix socket `/run/akkoma/socket`, expecting to +be run behind a HTTP proxy on `fediverse.example.com`. + + +```nix +services.akkoma.enable = true; +services.akkoma.config = { + ":pleroma" = { + ":instance" = { + name = "My Akkoma instance"; + description = "More detailed description"; + email = "admin@example.com"; + registration_open = false; + }; + + "Pleroma.Web.Endpoint" = { + url.host = "fediverse.example.com"; + }; + }; +}; +``` + +Please refer to the [configuration cheat sheet](https://docs.akkoma.dev/stable/configuration/cheatsheet/) +for additional configuration options. + +## User management {#modules-services-akkoma-user-management} + +After the Akkoma service is running, the administration utility can be used to +[manage users](https://docs.akkoma.dev/stable/administration/CLI_tasks/user/). In particular an +administrative user can be created with + +```ShellSession +$ pleroma_ctl user new <nickname> <email> --admin --moderator --password <password> +``` + +## Proxy configuration {#modules-services-akkoma-proxy-configuration} + +Although it is possible to expose Akkoma directly, it is common practice to operate it behind an +HTTP reverse proxy such as nginx. + +```nix +services.akkoma.nginx = { + enableACME = true; + forceSSL = true; +}; + +services.nginx = { + enable = true; + + clientMaxBodySize = "16m"; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; +}; +``` + +Please refer to [](#module-security-acme) for details on how to provision an SSL/TLS certificate. + +### Media proxy {#modules-services-akkoma-media-proxy} + +Without the media proxy function, Akkoma does not store any remote media like pictures or video +locally, and clients have to fetch them directly from the source server. + +```nix +# Enable nginx slice module distributed with Tengine +services.nginx.package = pkgs.tengine; + +# Enable media proxy +services.akkoma.config.":pleroma".":media_proxy" = { + enabled = true; + proxy_opts.redirect_on_failure = true; +}; + +# Adjust the persistent cache size as needed: +# Assuming an average object size of 128 KiB, around 1 MiB +# of memory is required for the key zone per GiB of cache. +# Ensure that the cache directory exists and is writable by nginx. +services.nginx.commonHttpConfig = '' + proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache + levels= keys_zone=akkoma_media_cache:16m max_size=16g + inactive=1y use_temp_path=off; +''; + +services.akkoma.nginx = { + locations."/proxy" = { + proxyPass = "http://unix:/run/akkoma/socket"; + + extraConfig = '' + proxy_cache akkoma_media_cache; + + # Cache objects in slices of 1 MiB + slice 1m; + proxy_cache_key $host$uri$is_args$args$slice_range; + proxy_set_header Range $slice_range; + + # Decouple proxy and upstream responses + proxy_buffering on; + proxy_cache_lock on; + proxy_ignore_client_abort on; + + # Default cache times for various responses + proxy_cache_valid 200 1y; + proxy_cache_valid 206 301 304 1h; + + # Allow serving of stale items + proxy_cache_use_stale error timeout invalid_header updating; + ''; + }; +}; +``` + +#### Prefetch remote media {#modules-services-akkoma-prefetch-remote-media} + +The following example enables the `MediaProxyWarmingPolicy` MRF policy which automatically +fetches all media associated with a post through the media proxy, as soon as the post is +received by the instance. + +```nix +services.akkoma.config.":pleroma".":mrf".policies = + map (pkgs.formats.elixirConf { }).lib.mkRaw [ + "Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy" +]; +``` + +#### Media previews {#modules-services-akkoma-media-previews} + +Akkoma can generate previews for media. + +```nix +services.akkoma.config.":pleroma".":media_preview_proxy" = { + enabled = true; + thumbnail_max_width = 1920; + thumbnail_max_height = 1080; +}; +``` + +## Frontend management {#modules-services-akkoma-frontend-management} + +Akkoma will be deployed with the `pleroma-fe` and `admin-fe` frontends by default. These can be +modified by setting +[{option}`services.akkoma.frontends`](options.html#opt-services.akkoma.frontends). + +The following example overrides the primary frontend’s default configuration using a custom +derivation. + +```nix +services.akkoma.frontends.primary.package = pkgs.runCommand "pleroma-fe" { + config = builtins.toJSON { + expertLevel = 1; + collapseMessageWithSubject = false; + stopGifs = false; + replyVisibility = "following"; + webPushHideIfCW = true; + hideScopeNotice = true; + renderMisskeyMarkdown = false; + hideSiteFavicon = true; + postContentType = "text/markdown"; + showNavShortcuts = false; + }; + nativeBuildInputs = with pkgs; [ jq xorg.lndir ]; + passAsFile = [ "config" ]; +} '' + mkdir $out + lndir ${pkgs.akkoma-frontends.pleroma-fe} $out + + rm $out/static/config.json + jq -s add ${pkgs.akkoma-frontends.pleroma-fe}/static/config.json ${config} \ + >$out/static/config.json +''; +``` + +## Federation policies {#modules-services-akkoma-federation-policies} + +Akkoma comes with a number of modules to police federation with other ActivityPub instances. +The most valuable for typical users is the +[`:mrf_simple`](https://docs.akkoma.dev/stable/configuration/cheatsheet/#mrf_simple) module +which allows limiting federation based on instance hostnames. + +This configuration snippet provides an example on how these can be used. Choosing an adequate +federation policy is not trivial and entails finding a balance between connectivity to the rest +of the fediverse and providing a pleasant experience to the users of an instance. + + +```nix +services.akkoma.config.":pleroma" = with (pkgs.formats.elixirConf { }).lib; { + ":mrf".policies = map mkRaw [ + "Pleroma.Web.ActivityPub.MRF.SimplePolicy" + ]; + + ":mrf_simple" = { + # Tag all media as sensitive + media_nsfw = mkMap { + "nsfw.weird.kinky" = "Untagged NSFW content"; + }; + + # Reject all activities except deletes + reject = mkMap { + "kiwifarms.cc" = "Persistent harassment of users, no moderation"; + }; + + # Force posts to be visible by followers only + followers_only = mkMap { + "beta.birdsite.live" = "Avoid polluting timelines with Twitter posts"; + }; + }; +}; +``` + +## Upload filters {#modules-services-akkoma-upload-filters} + +This example strips GPS and location metadata from uploads, deduplicates them and anonymises the +the file name. + +```nix +services.akkoma.config.":pleroma"."Pleroma.Upload".filters = + map (pkgs.formats.elixirConf { }).lib.mkRaw [ + "Pleroma.Upload.Filter.Exiftool" + "Pleroma.Upload.Filter.Dedupe" + "Pleroma.Upload.Filter.AnonymizeFilename" + ]; +``` + +## Migration from Pleroma {#modules-services-akkoma-migration-pleroma} + +Pleroma instances can be migrated to Akkoma either by copying the database and upload data or by +pointing Akkoma to the existing data. The necessary database migrations are run automatically +during startup of the service. + +The configuration has to be copy‐edited manually. + +Depending on the size of the database, the initial migration may take a long time and exceed the +startup timeout of the system manager. To work around this issue one may adjust the startup timeout +{option}`systemd.services.akkoma.serviceConfig.TimeoutStartSec` or simply run the migrations +manually: + +```ShellSession +pleroma_ctl migrate +``` + +### Copying data {#modules-services-akkoma-migration-pleroma-copy} + +Copying the Pleroma data instead of re‐using it in place may permit easier reversion to Pleroma, +but allows the two data sets to diverge. + +First disable Pleroma and then copy its database and upload data: + +```ShellSession +# Create a copy of the database +nix-shell -p postgresql --run 'createdb -T pleroma akkoma' + +# Copy upload data +mkdir /var/lib/akkoma +cp -R --reflink=auto /var/lib/pleroma/uploads /var/lib/akkoma/ +``` + +After the data has been copied, enable the Akkoma service and verify that the migration has been +successful. If no longer required, the original data may then be deleted: + +```ShellSession +# Delete original database +nix-shell -p postgresql --run 'dropdb pleroma' + +# Delete original Pleroma state +rm -r /var/lib/pleroma +``` + +### Re‐using data {#modules-services-akkoma-migration-pleroma-reuse} + +To re‐use the Pleroma data in place, disable Pleroma and enable Akkoma, pointing it to the +Pleroma database and upload directory. + +```nix +# Adjust these settings according to the database name and upload directory path used by Pleroma +services.akkoma.config.":pleroma"."Pleroma.Repo".database = "pleroma"; +services.akkoma.config.":pleroma".":instance".upload_dir = "/var/lib/pleroma/uploads"; +``` + +Please keep in mind that after the Akkoma service has been started, any migrations applied by +Akkoma have to be rolled back before the database can be used again with Pleroma. This can be +achieved through `pleroma_ctl ecto.rollback`. Refer to the +[Ecto SQL documentation](https://hexdocs.pm/ecto_sql/Mix.Tasks.Ecto.Rollback.html) for +details. + +## Advanced deployment options {#modules-services-akkoma-advanced-deployment} + +### Confinement {#modules-services-akkoma-confinement} + +The Akkoma systemd service may be confined to a chroot with + +```nix +services.systemd.akkoma.confinement.enable = true; +``` + +Confinement of services is not generally supported in NixOS and therefore disabled by default. +Depending on the Akkoma configuration, the default confinement settings may be insufficient and +lead to subtle errors at run time, requiring adjustment: + +Use +[{option}`services.systemd.akkoma.confinement.packages`](options.html#opt-systemd.services._name_.confinement.packages) +to make packages available in the chroot. + +{option}`services.systemd.akkoma.serviceConfig.BindPaths` and +{option}`services.systemd.akkoma.serviceConfig.BindReadOnlyPaths` permit access to outside paths +through bind mounts. Refer to +[{manpage}`systemd.exec(5)`](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#BindPaths=) +for details. + +### Distributed deployment {#modules-services-akkoma-distributed-deployment} + +Being an Elixir application, Akkoma can be deployed in a distributed fashion. + +This requires setting +[{option}`services.akkoma.dist.address`](options.html#opt-services.akkoma.dist.address) and +[{option}`services.akkoma.dist.cookie`](options.html#opt-services.akkoma.dist.cookie). The +specifics depend strongly on the deployment environment. For more information please check the +relevant [Erlang documentation](https://www.erlang.org/doc/reference_manual/distributed.html). diff --git a/nixos/modules/services/web-apps/akkoma.nix b/nixos/modules/services/web-apps/akkoma.nix new file mode 100644 index 0000000000000..47ba53e42221a --- /dev/null +++ b/nixos/modules/services/web-apps/akkoma.nix @@ -0,0 +1,1086 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.akkoma; + ex = cfg.config; + db = ex.":pleroma"."Pleroma.Repo"; + web = ex.":pleroma"."Pleroma.Web.Endpoint"; + + isConfined = config.systemd.services.akkoma.confinement.enable; + hasSmtp = (attrByPath [ ":pleroma" "Pleroma.Emails.Mailer" "adapter" "value" ] null ex) == "Swoosh.Adapters.SMTP"; + + isAbsolutePath = v: isString v && substring 0 1 v == "/"; + isSecret = v: isAttrs v && v ? _secret && isAbsolutePath v._secret; + + absolutePath = with types; mkOptionType { + name = "absolutePath"; + description = "absolute path"; + descriptionClass = "noun"; + check = isAbsolutePath; + inherit (str) merge; + }; + + secret = mkOptionType { + name = "secret"; + description = "secret value"; + descriptionClass = "noun"; + check = isSecret; + nestedTypes = { + _secret = absolutePath; + }; + }; + + ipAddress = with types; mkOptionType { + name = "ipAddress"; + description = "IPv4 or IPv6 address"; + descriptionClass = "conjunction"; + check = x: str.check x && builtins.match "[.0-9:A-Fa-f]+" x != null; + inherit (str) merge; + }; + + elixirValue = let + elixirValue' = with types; + nullOr (oneOf [ bool int float str (attrsOf elixirValue') (listOf elixirValue') ]) // { + description = "Elixir value"; + }; + in elixirValue'; + + frontend = { + options = { + package = mkOption { + type = types.package; + description = mdDoc "Akkoma frontend package."; + example = literalExpression "pkgs.akkoma-frontends.pleroma-fe"; + }; + + name = mkOption { + type = types.nonEmptyStr; + description = mdDoc "Akkoma frontend name."; + example = "pleroma-fe"; + }; + + ref = mkOption { + type = types.nonEmptyStr; + description = mdDoc "Akkoma frontend reference."; + example = "stable"; + }; + }; + }; + + sha256 = builtins.hashString "sha256"; + + replaceSec = let + replaceSec' = { }@args: v: + if isAttrs v + then if v ? _secret + then if isAbsolutePath v._secret + then sha256 v._secret + else abort "Invalid secret path (_secret = ${v._secret})" + else mapAttrs (_: val: replaceSec' args val) v + else if isList v + then map (replaceSec' args) v + else v; + in replaceSec' { }; + + # Erlang/Elixir uses a somewhat special format for IP addresses + erlAddr = addr: fileContents + (pkgs.runCommand addr { + nativeBuildInputs = with pkgs; [ elixir ]; + code = '' + case :inet.parse_address('${addr}') do + {:ok, addr} -> IO.inspect addr + {:error, _} -> System.halt(65) + end + ''; + passAsFile = [ "code" ]; + } ''elixir "$codePath" >"$out"''); + + format = pkgs.formats.elixirConf { }; + configFile = format.generate "config.exs" + (replaceSec + (attrsets.updateManyAttrsByPath [{ + path = [ ":pleroma" "Pleroma.Web.Endpoint" "http" "ip" ]; + update = addr: + if isAbsolutePath addr + then format.lib.mkTuple + [ (format.lib.mkAtom ":local") addr ] + else format.lib.mkRaw (erlAddr addr); + }] cfg.config)); + + writeShell = { name, text, runtimeInputs ? [ ] }: + pkgs.writeShellApplication { inherit name text runtimeInputs; } + "/bin/${name}"; + + genScript = writeShell { + name = "akkoma-gen-cookie"; + runtimeInputs = with pkgs; [ coreutils util-linux ]; + text = '' + install -m 0400 \ + -o ${escapeShellArg cfg.user } \ + -g ${escapeShellArg cfg.group} \ + <(hexdump -n 16 -e '"%02x"' /dev/urandom) \ + "$RUNTIME_DIRECTORY/cookie" + ''; + }; + + copyScript = writeShell { + name = "akkoma-copy-cookie"; + runtimeInputs = with pkgs; [ coreutils ]; + text = '' + install -m 0400 \ + -o ${escapeShellArg cfg.user} \ + -g ${escapeShellArg cfg.group} \ + ${escapeShellArg cfg.dist.cookie._secret} \ + "$RUNTIME_DIRECTORY/cookie" + ''; + }; + + secretPaths = catAttrs "_secret" (collect isSecret cfg.config); + + vapidKeygen = pkgs.writeText "vapidKeygen.exs" '' + [public_path, private_path] = System.argv() + {public_key, private_key} = :crypto.generate_key :ecdh, :prime256v1 + File.write! public_path, Base.url_encode64(public_key, padding: false) + File.write! private_path, Base.url_encode64(private_key, padding: false) + ''; + + initSecretsScript = writeShell { + name = "akkoma-init-secrets"; + runtimeInputs = with pkgs; [ coreutils elixir ]; + text = let + key-base = web.secret_key_base; + jwt-signer = ex.":joken".":default_signer"; + signing-salt = web.signing_salt; + liveview-salt = web.live_view.signing_salt; + vapid-private = ex.":web_push_encryption".":vapid_details".private_key; + vapid-public = ex.":web_push_encryption".":vapid_details".public_key; + in '' + secret() { + # Generate default secret if non‐existent + test -e "$2" || install -D -m 0600 <(tr -dc 'A-Za-z-._~' </dev/urandom | head -c "$1") "$2" + if [ "$(stat --dereference --format='%s' "$2")" -lt "$1" ]; then + echo "Secret '$2' is smaller than minimum size of $1 bytes." >&2 + exit 65 + fi + } + + secret 64 ${escapeShellArg key-base._secret} + secret 64 ${escapeShellArg jwt-signer._secret} + secret 8 ${escapeShellArg signing-salt._secret} + secret 8 ${escapeShellArg liveview-salt._secret} + + ${optionalString (isSecret vapid-public) '' + { test -e ${escapeShellArg vapid-private._secret} && \ + test -e ${escapeShellArg vapid-public._secret}; } || \ + elixir ${escapeShellArgs [ vapidKeygen vapid-public._secret vapid-private._secret ]} + ''} + ''; + }; + + configScript = writeShell { + name = "akkoma-config"; + runtimeInputs = with pkgs; [ coreutils replace-secret ]; + text = '' + cd "$RUNTIME_DIRECTORY" + tmp="$(mktemp config.exs.XXXXXXXXXX)" + trap 'rm -f "$tmp"' EXIT TERM + + cat ${escapeShellArg configFile} >"$tmp" + ${concatMapStrings (file: '' + replace-secret ${escapeShellArgs [ (sha256 file) file ]} "$tmp" + '') secretPaths} + + chown ${escapeShellArg cfg.user}:${escapeShellArg cfg.group} "$tmp" + chmod 0400 "$tmp" + mv -f "$tmp" config.exs + ''; + }; + + pgpass = let + esc = escape [ ":" ''\'' ]; + in if (cfg.initDb.password != null) + then pkgs.writeText "pgpass.conf" '' + *:*:*${esc cfg.initDb.username}:${esc (sha256 cfg.initDb.password._secret)} + '' + else null; + + escapeSqlId = x: ''"${replaceStrings [ ''"'' ] [ ''""'' ] x}"''; + escapeSqlStr = x: "'${replaceStrings [ "'" ] [ "''" ] x}'"; + + setupSql = pkgs.writeText "setup.psql" '' + \set ON_ERROR_STOP on + + ALTER ROLE ${escapeSqlId db.username} + LOGIN PASSWORD ${if db ? password + then "${escapeSqlStr (sha256 db.password._secret)}" + else "NULL"}; + + ALTER DATABASE ${escapeSqlId db.database} + OWNER TO ${escapeSqlId db.username}; + + \connect ${escapeSqlId db.database} + CREATE EXTENSION IF NOT EXISTS citext; + CREATE EXTENSION IF NOT EXISTS pg_trgm; + CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; + ''; + + dbHost = if db ? socket_dir then db.socket_dir + else if db ? socket then db.socket + else if db ? hostname then db.hostname + else null; + + initDbScript = writeShell { + name = "akkoma-initdb"; + runtimeInputs = with pkgs; [ coreutils replace-secret config.services.postgresql.package ]; + text = '' + pgpass="$(mktemp -t pgpass-XXXXXXXXXX.conf)" + setupSql="$(mktemp -t setup-XXXXXXXXXX.psql)" + trap 'rm -f "$pgpass $setupSql"' EXIT TERM + + ${optionalString (dbHost != null) '' + export PGHOST=${escapeShellArg dbHost} + ''} + export PGUSER=${escapeShellArg cfg.initDb.username} + ${optionalString (pgpass != null) '' + cat ${escapeShellArg pgpass} >"$pgpass" + replace-secret ${escapeShellArgs [ + (sha256 cfg.initDb.password._secret) cfg.initDb.password._secret ]} "$pgpass" + export PGPASSFILE="$pgpass" + ''} + + cat ${escapeShellArg setupSql} >"$setupSql" + ${optionalString (db ? password) '' + replace-secret ${escapeShellArgs [ + (sha256 db.password._secret) db.password._secret ]} "$setupSql" + ''} + + # Create role if non‐existent + psql -tAc "SELECT 1 FROM pg_roles + WHERE rolname = "${escapeShellArg (escapeSqlStr db.username)} | grep -F -q 1 || \ + psql -tAc "CREATE ROLE "${escapeShellArg (escapeSqlId db.username)} + + # Create database if non‐existent + psql -tAc "SELECT 1 FROM pg_database + WHERE datname = "${escapeShellArg (escapeSqlStr db.database)} | grep -F -q 1 || \ + psql -tAc "CREATE DATABASE "${escapeShellArg (escapeSqlId db.database)}" + OWNER "${escapeShellArg (escapeSqlId db.username)}" + TEMPLATE template0 + ENCODING 'utf8' + LOCALE 'C'" + + psql -f "$setupSql" + ''; + }; + + envWrapper = let + script = writeShell { + name = "akkoma-env"; + text = '' + cd "${cfg.package}" + + RUNTIME_DIRECTORY="''${RUNTIME_DIRECTORY:-/run/akkoma}" + AKKOMA_CONFIG_PATH="$RUNTIME_DIRECTORY/config.exs" \ + ERL_EPMD_ADDRESS="${cfg.dist.address}" \ + ERL_EPMD_PORT="${toString cfg.dist.epmdPort}" \ + ERL_FLAGS="${concatStringsSep " " [ + "-kernel inet_dist_use_interface '${erlAddr cfg.dist.address}'" + "-kernel inet_dist_listen_min ${toString cfg.dist.portMin}" + "-kernel inet_dist_listen_max ${toString cfg.dist.portMax}" + ]}" \ + RELEASE_COOKIE="$(<"$RUNTIME_DIRECTORY/cookie")" \ + RELEASE_NAME="akkoma" \ + exec "${cfg.package}/bin/$(basename "$0")" "$@" + ''; + }; + in pkgs.runCommandLocal "akkoma-env" { } '' + mkdir -p "$out/bin" + + ln -r -s ${escapeShellArg script} "$out/bin/pleroma" + ln -r -s ${escapeShellArg script} "$out/bin/pleroma_ctl" + ''; + + userWrapper = pkgs.writeShellApplication { + name = "pleroma_ctl"; + text = '' + if [ "''${1-}" == "update" ]; then + echo "OTP releases are not supported on NixOS." >&2 + exit 64 + fi + + exec sudo -u ${escapeShellArg cfg.user} \ + "${envWrapper}/bin/pleroma_ctl" "$@" + ''; + }; + + socketScript = if isAbsolutePath web.http.ip + then writeShell { + name = "akkoma-socket"; + runtimeInputs = with pkgs; [ coreutils inotify-tools ]; + text = '' + coproc { + inotifywait -q -m -e create ${escapeShellArg (dirOf web.http.ip)} + } + + trap 'kill "$COPROC_PID"' EXIT TERM + + until test -S ${escapeShellArg web.http.ip} + do read -r -u "''${COPROC[0]}" + done + + chmod 0666 ${escapeShellArg web.http.ip} + ''; + } + else null; + + staticDir = ex.":pleroma".":instance".static_dir; + uploadDir = ex.":pleroma".":instance".upload_dir; + + staticFiles = pkgs.runCommandLocal "akkoma-static" { } '' + ${concatStringsSep "\n" (mapAttrsToList (key: val: '' + mkdir -p $out/frontends/${escapeShellArg val.name}/ + ln -s ${escapeShellArg val.package} $out/frontends/${escapeShellArg val.name}/${escapeShellArg val.ref} + '') cfg.frontends)} + + ${optionalString (cfg.extraStatic != null) + (concatStringsSep "\n" (mapAttrsToList (key: val: '' + mkdir -p "$out/$(dirname ${escapeShellArg key})" + ln -s ${escapeShellArg val} $out/${escapeShellArg key} + '') cfg.extraStatic))} + ''; +in { + options = { + services.akkoma = { + enable = mkEnableOption (mdDoc "Akkoma"); + + package = mkOption { + type = types.package; + default = pkgs.akkoma; + defaultText = literalExpression "pkgs.akkoma"; + description = mdDoc "Akkoma package to use."; + }; + + user = mkOption { + type = types.nonEmptyStr; + default = "akkoma"; + description = mdDoc "User account under which Akkoma runs."; + }; + + group = mkOption { + type = types.nonEmptyStr; + default = "akkoma"; + description = mdDoc "Group account under which Akkoma runs."; + }; + + initDb = { + enable = mkOption { + type = types.bool; + default = true; + description = mdDoc '' + Whether to automatically initialise the database on startup. This will create a + database role and database if they do not already exist, and (re)set the role password + and the ownership of the database. + + This setting can be used safely even if the database already exists and contains data. + + The database settings are configured through + [{option}`config.services.akkoma.config.":pleroma"."Pleroma.Repo"`](#opt-services.akkoma.config.__pleroma_._Pleroma.Repo_). + + If disabled, the database has to be set up manually: + + ```SQL + CREATE ROLE akkoma LOGIN; + + CREATE DATABASE akkoma + OWNER akkoma + TEMPLATE template0 + ENCODING 'utf8' + LOCALE 'C'; + + \connect akkoma + CREATE EXTENSION IF NOT EXISTS citext; + CREATE EXTENSION IF NOT EXISTS pg_trgm; + CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; + ``` + ''; + }; + + username = mkOption { + type = types.nonEmptyStr; + default = config.services.postgresql.superUser; + defaultText = literalExpression "config.services.postgresql.superUser"; + description = mdDoc '' + Name of the database user to initialise the database with. + + This user is required to have the `CREATEROLE` and `CREATEDB` capabilities. + ''; + }; + + password = mkOption { + type = types.nullOr secret; + default = null; + description = mdDoc '' + Password of the database user to initialise the database with. + + If set to `null`, no password will be used. + + The attribute `_secret` should point to a file containing the secret. + ''; + }; + }; + + initSecrets = mkOption { + type = types.bool; + default = true; + description = mdDoc '' + Whether to initialise non‐existent secrets with random values. + + If enabled, appropriate secrets for the following options will be created automatically + if the files referenced in the `_secrets` attribute do not exist during startup. + + - {option}`config.":pleroma"."Pleroma.Web.Endpoint".secret_key_base` + - {option}`config.":pleroma"."Pleroma.Web.Endpoint".signing_salt` + - {option}`config.":pleroma"."Pleroma.Web.Endpoint".live_view.signing_salt` + - {option}`config.":web_push_encryption".":vapid_details".private_key` + - {option}`config.":web_push_encryption".":vapid_details".public_key` + - {option}`config.":joken".":default_signer"` + ''; + }; + + installWrapper = mkOption { + type = types.bool; + default = true; + description = mdDoc '' + Whether to install a wrapper around `pleroma_ctl` to simplify administration of the + Akkoma instance. + ''; + }; + + extraPackages = mkOption { + type = with types; listOf package; + default = with pkgs; [ exiftool ffmpeg_5-headless graphicsmagick-imagemagick-compat ]; + defaultText = literalExpression "with pkgs; [ exiftool graphicsmagick-imagemagick-compat ffmpeg_5-headless ]"; + example = literalExpression "with pkgs; [ exiftool imagemagick ffmpeg_5-full ]"; + description = mdDoc '' + List of extra packages to include in the executable search path of the service unit. + These are needed by various configurable components such as: + + - ExifTool for the `Pleroma.Upload.Filter.Exiftool` upload filter, + - ImageMagick for still image previews in the media proxy as well as for the + `Pleroma.Upload.Filters.Mogrify` upload filter, and + - ffmpeg for video previews in the media proxy. + ''; + }; + + frontends = mkOption { + description = mdDoc "Akkoma frontends."; + type = with types; attrsOf (submodule frontend); + default = { + primary = { + package = pkgs.akkoma-frontends.pleroma-fe; + name = "pleroma-fe"; + ref = "stable"; + }; + admin = { + package = pkgs.akkoma-frontends.admin-fe; + name = "admin-fe"; + ref = "stable"; + }; + }; + defaultText = literalExpression '' + { + primary = { + package = pkgs.akkoma-frontends.pleroma-fe; + name = "pleroma-fe"; + ref = "stable"; + }; + admin = { + package = pkgs.akkoma-frontends.admin-fe; + name = "admin-fe"; + ref = "stable"; + }; + } + ''; + }; + + extraStatic = mkOption { + type = with types; nullOr (attrsOf package); + description = mdDoc '' + Attribute set of extra packages to add to the static files directory. + + Do not add frontends here. These should be configured through + [{option}`services.akkoma.frontends`](#opt-services.akkoma.frontends). + ''; + default = null; + example = literalExpression '' + { + "emoji/blobs.gg" = pkgs.akkoma-emoji.blobs_gg; + "static/terms-of-service.html" = pkgs.writeText "terms-of-service.html" ''' + … + '''; + "favicon.png" = let + rev = "697a8211b0f427a921e7935a35d14bb3e32d0a2c"; + in pkgs.stdenvNoCC.mkDerivation { + name = "favicon.png"; + + src = pkgs.fetchurl { + url = "https://raw.githubusercontent.com/TilCreator/NixOwO/''${rev}/NixOwO_plain.svg"; + hash = "sha256-tWhHMfJ3Od58N9H5yOKPMfM56hYWSOnr/TGCBi8bo9E="; + }; + + nativeBuildInputs = with pkgs; [ librsvg ]; + + dontUnpack = true; + installPhase = ''' + rsvg-convert -o $out -w 96 -h 96 $src + '''; + }; + } + ''; + }; + + dist = { + address = mkOption { + type = ipAddress; + default = "127.0.0.1"; + description = mdDoc '' + Listen address for Erlang distribution protocol and Port Mapper Daemon (epmd). + ''; + }; + + epmdPort = mkOption { + type = types.port; + default = 4369; + description = mdDoc "TCP port to bind Erlang Port Mapper Daemon to."; + }; + + portMin = mkOption { + type = types.port; + default = 49152; + description = mdDoc "Lower bound for Erlang distribution protocol TCP port."; + }; + + portMax = mkOption { + type = types.port; + default = 65535; + description = mdDoc "Upper bound for Erlang distribution protocol TCP port."; + }; + + cookie = mkOption { + type = types.nullOr secret; + default = null; + example = { _secret = "/var/lib/secrets/akkoma/releaseCookie"; }; + description = mdDoc '' + Erlang release cookie. + + If set to `null`, a temporary random cookie will be generated. + ''; + }; + }; + + config = mkOption { + description = mdDoc '' + Configuration for Akkoma. The attributes are serialised to Elixir DSL. + + Refer to <https://docs.akkoma.dev/stable/configuration/cheatsheet/> for + configuration options. + + Settings containing secret data should be set to an attribute set containing the + attribute `_secret` - a string pointing to a file containing the value the option + should be set to. + ''; + type = types.submodule { + freeformType = format.type; + options = { + ":pleroma" = { + ":instance" = { + name = mkOption { + type = types.nonEmptyStr; + description = mdDoc "Instance name."; + }; + + email = mkOption { + type = types.nonEmptyStr; + description = mdDoc "Instance administrator email."; + }; + + description = mkOption { + type = types.nonEmptyStr; + description = mdDoc "Instance description."; + }; + + static_dir = mkOption { + type = types.path; + default = toString staticFiles; + defaultText = literalMD '' + Derivation gathering the following paths into a directory: + + - [{option}`services.akkoma.frontends`](#opt-services.akkoma.frontends) + - [{option}`services.akkoma.extraStatic`](#opt-services.akkoma.extraStatic) + ''; + description = mdDoc '' + Directory of static files. + + This directory can be built using a derivation, or it can be managed as mutable + state by setting the option to an absolute path. + ''; + }; + + upload_dir = mkOption { + type = absolutePath; + default = "/var/lib/akkoma/uploads"; + description = mdDoc '' + Directory where Akkoma will put uploaded files. + ''; + }; + }; + + "Pleroma.Repo" = mkOption { + type = elixirValue; + default = { + adapter = format.lib.mkRaw "Ecto.Adapters.Postgres"; + socket_dir = "/run/postgresql"; + username = cfg.user; + database = "akkoma"; + }; + defaultText = literalExpression '' + { + adapter = (pkgs.formats.elixirConf { }).lib.mkRaw "Ecto.Adapters.Postgres"; + socket_dir = "/run/postgresql"; + username = config.services.akkoma.user; + database = "akkoma"; + } + ''; + description = mdDoc '' + Database configuration. + + Refer to + <https://hexdocs.pm/ecto_sql/Ecto.Adapters.Postgres.html#module-connection-options> + for options. + ''; + }; + + "Pleroma.Web.Endpoint" = { + url = { + host = mkOption { + type = types.nonEmptyStr; + default = config.networking.fqdn; + defaultText = literalExpression "config.networking.fqdn"; + description = mdDoc "Domain name of the instance."; + }; + + scheme = mkOption { + type = types.nonEmptyStr; + default = "https"; + description = mdDoc "URL scheme."; + }; + + port = mkOption { + type = types.port; + default = 443; + description = mdDoc "External port number."; + }; + }; + + http = { + ip = mkOption { + type = types.either absolutePath ipAddress; + default = "/run/akkoma/socket"; + example = "::1"; + description = mdDoc '' + Listener IP address or Unix socket path. + + The value is automatically converted to Elixir’s internal address + representation during serialisation. + ''; + }; + + port = mkOption { + type = types.port; + default = if isAbsolutePath web.http.ip then 0 else 4000; + defaultText = literalExpression '' + if isAbsolutePath config.services.akkoma.config.:pleroma"."Pleroma.Web.Endpoint".http.ip + then 0 + else 4000; + ''; + description = mdDoc '' + Listener port number. + + Must be 0 if using a Unix socket. + ''; + }; + }; + + secret_key_base = mkOption { + type = secret; + default = { _secret = "/var/lib/secrets/akkoma/key-base"; }; + description = mdDoc '' + Secret key used as a base to generate further secrets for encrypting and + signing data. + + The attribute `_secret` should point to a file containing the secret. + + This key can generated can be generated as follows: + + ```ShellSession + $ tr -dc 'A-Za-z-._~' </dev/urandom | head -c 64 + ``` + ''; + }; + + live_view = { + signing_salt = mkOption { + type = secret; + default = { _secret = "/var/lib/secrets/akkoma/liveview-salt"; }; + description = mdDoc '' + LiveView signing salt. + + The attribute `_secret` should point to a file containing the secret. + + This salt can be generated as follows: + + ```ShellSession + $ tr -dc 'A-Za-z0-9-._~' </dev/urandom | head -c 8 + ``` + ''; + }; + }; + + signing_salt = mkOption { + type = secret; + default = { _secret = "/var/lib/secrets/akkoma/signing-salt"; }; + description = mdDoc '' + Signing salt. + + The attribute `_secret` should point to a file containing the secret. + + This salt can be generated as follows: + + ```ShellSession + $ tr -dc 'A-Za-z0-9-._~' </dev/urandom | head -c 8 + ``` + ''; + }; + }; + + ":frontends" = mkOption { + type = elixirValue; + default = mapAttrs + (key: val: format.lib.mkMap { name = val.name; ref = val.ref; }) + cfg.frontends; + defaultText = literalExpression '' + lib.mapAttrs (key: val: + (pkgs.formats.elixirConf { }).lib.mkMap { name = val.name; ref = val.ref; }) + config.services.akkoma.frontends; + ''; + description = mdDoc '' + Frontend configuration. + + Users should rely on the default value and prefer to configure frontends through + [{option}`config.services.akkoma.frontends`](#opt-services.akkoma.frontends). + ''; + }; + }; + + ":web_push_encryption" = mkOption { + default = { }; + description = mdDoc '' + Web Push Notifications configuration. + + The necessary key pair can be generated as follows: + + ```ShellSession + $ nix-shell -p nodejs --run 'npx web-push generate-vapid-keys' + ``` + ''; + type = types.submodule { + freeformType = elixirValue; + options = { + ":vapid_details" = { + subject = mkOption { + type = types.nonEmptyStr; + default = "mailto:${ex.":pleroma".":instance".email}"; + defaultText = literalExpression '' + "mailto:''${config.services.akkoma.config.":pleroma".":instance".email}" + ''; + description = mdDoc "mailto URI for administrative contact."; + }; + + public_key = mkOption { + type = with types; either nonEmptyStr secret; + default = { _secret = "/var/lib/secrets/akkoma/vapid-public"; }; + description = mdDoc "base64-encoded public ECDH key."; + }; + + private_key = mkOption { + type = secret; + default = { _secret = "/var/lib/secrets/akkoma/vapid-private"; }; + description = mdDoc '' + base64-encoded private ECDH key. + + The attribute `_secret` should point to a file containing the secret. + ''; + }; + }; + }; + }; + }; + + ":joken" = { + ":default_signer" = mkOption { + type = secret; + default = { _secret = "/var/lib/secrets/akkoma/jwt-signer"; }; + description = mdDoc '' + JWT signing secret. + + The attribute `_secret` should point to a file containing the secret. + + This secret can be generated as follows: + + ```ShellSession + $ tr -dc 'A-Za-z0-9-._~' </dev/urandom | head -c 64 + ``` + ''; + }; + }; + + ":logger" = { + ":backends" = mkOption { + type = types.listOf elixirValue; + visible = false; + default = with format.lib; [ + (mkTuple [ (mkRaw "ExSyslogger") (mkAtom ":ex_syslogger") ]) + ]; + }; + + ":ex_syslogger" = { + ident = mkOption { + type = types.str; + visible = false; + default = "akkoma"; + }; + + level = mkOption { + type = types.nonEmptyStr; + apply = format.lib.mkAtom; + default = ":info"; + example = ":warning"; + description = mdDoc '' + Log level. + + Refer to + <https://hexdocs.pm/logger/Logger.html#module-levels> + for options. + ''; + }; + }; + }; + + ":tzdata" = { + ":data_dir" = mkOption { + type = elixirValue; + internal = true; + default = format.lib.mkRaw '' + Path.join(System.fetch_env!("CACHE_DIRECTORY"), "tzdata") + ''; + }; + }; + }; + }; + }; + + nginx = mkOption { + type = with types; nullOr (submodule + (import ../web-servers/nginx/vhost-options.nix { inherit config lib; })); + default = null; + description = mdDoc '' + Extra configuration for the nginx virtual host of Akkoma. + + If set to `null`, no virtual host will be added to the nginx configuration. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + warnings = optionals (!config.security.sudo.enable) ['' + The pleroma_ctl wrapper enabled by the installWrapper option relies on + sudo, which appears to have been disabled through security.sudo.enable. + '']; + + users = { + users."${cfg.user}" = { + description = "Akkoma user"; + group = cfg.group; + isSystemUser = true; + }; + groups."${cfg.group}" = { }; + }; + + # Confinement of the main service unit requires separation of the + # configuration generation into a separate unit to permit access to secrets + # residing outside of the chroot. + systemd.services.akkoma-config = { + description = "Akkoma social network configuration"; + reloadTriggers = [ configFile ] ++ secretPaths; + + unitConfig.PropagatesReloadTo = [ "akkoma.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + UMask = "0077"; + + RuntimeDirectory = "akkoma"; + + ExecStart = mkMerge [ + (mkIf (cfg.dist.cookie == null) [ genScript ]) + (mkIf (cfg.dist.cookie != null) [ copyScript ]) + (mkIf cfg.initSecrets [ initSecretsScript ]) + [ configScript ] + ]; + + ExecReload = mkMerge [ + (mkIf cfg.initSecrets [ initSecretsScript ]) + [ configScript ] + ]; + }; + }; + + systemd.services.akkoma-initdb = mkIf cfg.initDb.enable { + description = "Akkoma social network database setup"; + requires = [ "akkoma-config.service" ]; + requiredBy = [ "akkoma.service" ]; + after = [ "akkoma-config.service" "postgresql.service" ]; + before = [ "akkoma.service" ]; + + serviceConfig = { + Type = "oneshot"; + User = mkIf (db ? socket_dir || db ? socket) + cfg.initDb.username; + RemainAfterExit = true; + UMask = "0077"; + ExecStart = initDbScript; + PrivateTmp = true; + }; + }; + + systemd.services.akkoma = let + runtimeInputs = with pkgs; [ coreutils gawk gnused ] ++ cfg.extraPackages; + in { + description = "Akkoma social network"; + documentation = [ "https://docs.akkoma.dev/stable/" ]; + + # This service depends on network-online.target and is sequenced after + # it because it requires access to the Internet to function properly. + bindsTo = [ "akkoma-config.service" ]; + wants = [ "network-online.service" ]; + wantedBy = [ "multi-user.target" ]; + after = [ + "akkoma-config.target" + "network.target" + "network-online.target" + "postgresql.service" + ]; + + confinement.packages = mkIf isConfined runtimeInputs; + path = runtimeInputs; + + serviceConfig = { + Type = "exec"; + User = cfg.user; + Group = cfg.group; + UMask = "0077"; + + # The run‐time directory is preserved as it is managed by the akkoma-config.service unit. + RuntimeDirectory = "akkoma"; + RuntimeDirectoryPreserve = true; + + CacheDirectory = "akkoma"; + + BindPaths = [ "${uploadDir}:${uploadDir}:norbind" ]; + BindReadOnlyPaths = mkMerge [ + (mkIf (!isStorePath staticDir) [ "${staticDir}:${staticDir}:norbind" ]) + (mkIf isConfined (mkMerge [ + [ "/etc/hosts" "/etc/resolv.conf" ] + (mkIf (isStorePath staticDir) (map (dir: "${dir}:${dir}:norbind") + (splitString "\n" (readFile ((pkgs.closureInfo { rootPaths = staticDir; }) + "/store-paths"))))) + (mkIf (db ? socket_dir) [ "${db.socket_dir}:${db.socket_dir}:norbind" ]) + (mkIf (db ? socket) [ "${db.socket}:${db.socket}:norbind" ]) + ])) + ]; + + ExecStartPre = "${envWrapper}/bin/pleroma_ctl migrate"; + ExecStart = "${envWrapper}/bin/pleroma start"; + ExecStartPost = socketScript; + ExecStop = "${envWrapper}/bin/pleroma stop"; + ExecStopPost = mkIf (isAbsolutePath web.http.ip) + "${pkgs.coreutils}/bin/rm -f '${web.http.ip}'"; + + ProtectProc = "noaccess"; + ProcSubset = "pid"; + ProtectSystem = mkIf (!isConfined) "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateIPC = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + LockPersonality = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; + + CapabilityBoundingSet = mkIf + (any (port: port > 0 && port < 1024) + [ web.http.port cfg.dist.epmdPort cfg.dist.portMin ]) + [ "CAP_NET_BIND_SERVICE" ]; + + NoNewPrivileges = true; + SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ]; + SystemCallArchitectures = "native"; + + DeviceAllow = null; + DevicePolicy = "closed"; + + # SMTP adapter uses dynamic port 0 binding, which is incompatible with bind address filtering + SocketBindAllow = mkIf (!hasSmtp) (mkMerge [ + [ "tcp:${toString cfg.dist.epmdPort}" "tcp:${toString cfg.dist.portMin}-${toString cfg.dist.portMax}" ] + (mkIf (web.http.port != 0) [ "tcp:${toString web.http.port}" ]) + ]); + SocketBindDeny = mkIf (!hasSmtp) "any"; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${uploadDir} 0700 ${cfg.user} ${cfg.group} - -" + "Z ${uploadDir} ~0700 ${cfg.user} ${cfg.group} - -" + ]; + + environment.systemPackages = mkIf (cfg.installWrapper) [ userWrapper ]; + + services.nginx.virtualHosts = mkIf (cfg.nginx != null) { + ${web.url.host} = mkMerge [ cfg.nginx { + locations."/" = { + proxyPass = + if isAbsolutePath web.http.ip + then "http://unix:${web.http.ip}" + else if hasInfix ":" web.http.ip + then "http://[${web.http.ip}]:${toString web.http.port}" + else "http://${web.http.ip}:${toString web.http.port}"; + + proxyWebsockets = true; + recommendedProxySettings = true; + }; + }]; + }; + }; + + meta.maintainers = with maintainers; [ mvs ]; + meta.doc = ./akkoma.xml; +} diff --git a/nixos/modules/services/web-apps/akkoma.xml b/nixos/modules/services/web-apps/akkoma.xml new file mode 100644 index 0000000000000..76e6b806f30fe --- /dev/null +++ b/nixos/modules/services/web-apps/akkoma.xml @@ -0,0 +1,396 @@ +<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="module-services-akkoma"> + <title>Akkoma</title> + <para> + <link xlink:href="https://akkoma.dev/">Akkoma</link> is a + lightweight ActivityPub microblogging server forked from Pleroma. + </para> + <section xml:id="modules-services-akkoma-service-configuration"> + <title>Service configuration</title> + <para> + The Elixir configuration file required by Akkoma is generated + automatically from + <link xlink:href="options.html#opt-services.akkoma.config"><option>services.akkoma.config</option></link>. + Secrets must be included from external files outside of the Nix + store by setting the configuration option to an attribute set + containing the attribute <option>_secret</option> – a string + pointing to the file containing the actual value of the option. + </para> + <para> + For the mandatory configuration settings these secrets will be + generated automatically if the referenced file does not exist + during startup, unless disabled through + <link xlink:href="options.html#opt-services.akkoma.initSecrets"><option>services.akkoma.initSecrets</option></link>. + </para> + <para> + The following configuration binds Akkoma to the Unix socket + <literal>/run/akkoma/socket</literal>, expecting to be run behind + a HTTP proxy on <literal>fediverse.example.com</literal>. + </para> + <programlisting language="nix"> +services.akkoma.enable = true; +services.akkoma.config = { + ":pleroma" = { + ":instance" = { + name = "My Akkoma instance"; + description = "More detailed description"; + email = "admin@example.com"; + registration_open = false; + }; + + "Pleroma.Web.Endpoint" = { + url.host = "fediverse.example.com"; + }; + }; +}; +</programlisting> + <para> + Please refer to the + <link xlink:href="https://docs.akkoma.dev/stable/configuration/cheatsheet/">configuration + cheat sheet</link> for additional configuration options. + </para> + </section> + <section xml:id="modules-services-akkoma-user-management"> + <title>User management</title> + <para> + After the Akkoma service is running, the administration utility + can be used to + <link xlink:href="https://docs.akkoma.dev/stable/administration/CLI_tasks/user/">manage + users</link>. In particular an administrative user can be created + with + </para> + <programlisting> +$ pleroma_ctl user new <nickname> <email> --admin --moderator --password <password> +</programlisting> + </section> + <section xml:id="modules-services-akkoma-proxy-configuration"> + <title>Proxy configuration</title> + <para> + Although it is possible to expose Akkoma directly, it is common + practice to operate it behind an HTTP reverse proxy such as nginx. + </para> + <programlisting language="nix"> +services.akkoma.nginx = { + enableACME = true; + forceSSL = true; +}; + +services.nginx = { + enable = true; + + clientMaxBodySize = "16m"; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; +}; +</programlisting> + <para> + Please refer to <xref linkend="module-security-acme" /> for + details on how to provision an SSL/TLS certificate. + </para> + <section xml:id="modules-services-akkoma-media-proxy"> + <title>Media proxy</title> + <para> + Without the media proxy function, Akkoma does not store any + remote media like pictures or video locally, and clients have to + fetch them directly from the source server. + </para> + <programlisting language="nix"> +# Enable nginx slice module distributed with Tengine +services.nginx.package = pkgs.tengine; + +# Enable media proxy +services.akkoma.config.":pleroma".":media_proxy" = { + enabled = true; + proxy_opts.redirect_on_failure = true; +}; + +# Adjust the persistent cache size as needed: +# Assuming an average object size of 128 KiB, around 1 MiB +# of memory is required for the key zone per GiB of cache. +# Ensure that the cache directory exists and is writable by nginx. +services.nginx.commonHttpConfig = '' + proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache + levels= keys_zone=akkoma_media_cache:16m max_size=16g + inactive=1y use_temp_path=off; +''; + +services.akkoma.nginx = { + locations."/proxy" = { + proxyPass = "http://unix:/run/akkoma/socket"; + + extraConfig = '' + proxy_cache akkoma_media_cache; + + # Cache objects in slices of 1 MiB + slice 1m; + proxy_cache_key $host$uri$is_args$args$slice_range; + proxy_set_header Range $slice_range; + + # Decouple proxy and upstream responses + proxy_buffering on; + proxy_cache_lock on; + proxy_ignore_client_abort on; + + # Default cache times for various responses + proxy_cache_valid 200 1y; + proxy_cache_valid 206 301 304 1h; + + # Allow serving of stale items + proxy_cache_use_stale error timeout invalid_header updating; + ''; + }; +}; +</programlisting> + <section xml:id="modules-services-akkoma-prefetch-remote-media"> + <title>Prefetch remote media</title> + <para> + The following example enables the + <literal>MediaProxyWarmingPolicy</literal> MRF policy which + automatically fetches all media associated with a post through + the media proxy, as soon as the post is received by the + instance. + </para> + <programlisting language="nix"> +services.akkoma.config.":pleroma".":mrf".policies = + map (pkgs.formats.elixirConf { }).lib.mkRaw [ + "Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy" +]; +</programlisting> + </section> + <section xml:id="modules-services-akkoma-media-previews"> + <title>Media previews</title> + <para> + Akkoma can generate previews for media. + </para> + <programlisting language="nix"> +services.akkoma.config.":pleroma".":media_preview_proxy" = { + enabled = true; + thumbnail_max_width = 1920; + thumbnail_max_height = 1080; +}; +</programlisting> + </section> + </section> + </section> + <section xml:id="modules-services-akkoma-frontend-management"> + <title>Frontend management</title> + <para> + Akkoma will be deployed with the <literal>pleroma-fe</literal> and + <literal>admin-fe</literal> frontends by default. These can be + modified by setting + <link xlink:href="options.html#opt-services.akkoma.frontends"><option>services.akkoma.frontends</option></link>. + </para> + <para> + The following example overrides the primary frontend’s default + configuration using a custom derivation. + </para> + <programlisting language="nix"> +services.akkoma.frontends.primary.package = pkgs.runCommand "pleroma-fe" { + config = builtins.toJSON { + expertLevel = 1; + collapseMessageWithSubject = false; + stopGifs = false; + replyVisibility = "following"; + webPushHideIfCW = true; + hideScopeNotice = true; + renderMisskeyMarkdown = false; + hideSiteFavicon = true; + postContentType = "text/markdown"; + showNavShortcuts = false; + }; + nativeBuildInputs = with pkgs; [ jq xorg.lndir ]; + passAsFile = [ "config" ]; +} '' + mkdir $out + lndir ${pkgs.akkoma-frontends.pleroma-fe} $out + + rm $out/static/config.json + jq -s add ${pkgs.akkoma-frontends.pleroma-fe}/static/config.json ${config} \ + >$out/static/config.json +''; +</programlisting> + </section> + <section xml:id="modules-services-akkoma-federation-policies"> + <title>Federation policies</title> + <para> + Akkoma comes with a number of modules to police federation with + other ActivityPub instances. The most valuable for typical users + is the + <link xlink:href="https://docs.akkoma.dev/stable/configuration/cheatsheet/#mrf_simple"><literal>:mrf_simple</literal></link> + module which allows limiting federation based on instance + hostnames. + </para> + <para> + This configuration snippet provides an example on how these can be + used. Choosing an adequate federation policy is not trivial and + entails finding a balance between connectivity to the rest of the + fediverse and providing a pleasant experience to the users of an + instance. + </para> + <programlisting language="nix"> +services.akkoma.config.":pleroma" = with (pkgs.formats.elixirConf { }).lib; { + ":mrf".policies = map mkRaw [ + "Pleroma.Web.ActivityPub.MRF.SimplePolicy" + ]; + + ":mrf_simple" = { + # Tag all media as sensitive + media_nsfw = mkMap { + "nsfw.weird.kinky" = "Untagged NSFW content"; + }; + + # Reject all activities except deletes + reject = mkMap { + "kiwifarms.cc" = "Persistent harassment of users, no moderation"; + }; + + # Force posts to be visible by followers only + followers_only = mkMap { + "beta.birdsite.live" = "Avoid polluting timelines with Twitter posts"; + }; + }; +}; +</programlisting> + </section> + <section xml:id="modules-services-akkoma-upload-filters"> + <title>Upload filters</title> + <para> + This example strips GPS and location metadata from uploads, + deduplicates them and anonymises the the file name. + </para> + <programlisting language="nix"> +services.akkoma.config.":pleroma"."Pleroma.Upload".filters = + map (pkgs.formats.elixirConf { }).lib.mkRaw [ + "Pleroma.Upload.Filter.Exiftool" + "Pleroma.Upload.Filter.Dedupe" + "Pleroma.Upload.Filter.AnonymizeFilename" + ]; +</programlisting> + </section> + <section xml:id="modules-services-akkoma-migration-pleroma"> + <title>Migration from Pleroma</title> + <para> + Pleroma instances can be migrated to Akkoma either by copying the + database and upload data or by pointing Akkoma to the existing + data. The necessary database migrations are run automatically + during startup of the service. + </para> + <para> + The configuration has to be copy‐edited manually. + </para> + <para> + Depending on the size of the database, the initial migration may + take a long time and exceed the startup timeout of the system + manager. To work around this issue one may adjust the startup + timeout + <option>systemd.services.akkoma.serviceConfig.TimeoutStartSec</option> + or simply run the migrations manually: + </para> + <programlisting> +pleroma_ctl migrate +</programlisting> + <section xml:id="modules-services-akkoma-migration-pleroma-copy"> + <title>Copying data</title> + <para> + Copying the Pleroma data instead of re‐using it in place may + permit easier reversion to Pleroma, but allows the two data sets + to diverge. + </para> + <para> + First disable Pleroma and then copy its database and upload + data: + </para> + <programlisting> +# Create a copy of the database +nix-shell -p postgresql --run 'createdb -T pleroma akkoma' + +# Copy upload data +mkdir /var/lib/akkoma +cp -R --reflink=auto /var/lib/pleroma/uploads /var/lib/akkoma/ +</programlisting> + <para> + After the data has been copied, enable the Akkoma service and + verify that the migration has been successful. If no longer + required, the original data may then be deleted: + </para> + <programlisting> +# Delete original database +nix-shell -p postgresql --run 'dropdb pleroma' + +# Delete original Pleroma state +rm -r /var/lib/pleroma +</programlisting> + </section> + <section xml:id="modules-services-akkoma-migration-pleroma-reuse"> + <title>Re‐using data</title> + <para> + To re‐use the Pleroma data in place, disable Pleroma and enable + Akkoma, pointing it to the Pleroma database and upload + directory. + </para> + <programlisting language="nix"> +# Adjust these settings according to the database name and upload directory path used by Pleroma +services.akkoma.config.":pleroma"."Pleroma.Repo".database = "pleroma"; +services.akkoma.config.":pleroma".":instance".upload_dir = "/var/lib/pleroma/uploads"; +</programlisting> + <para> + Please keep in mind that after the Akkoma service has been + started, any migrations applied by Akkoma have to be rolled back + before the database can be used again with Pleroma. This can be + achieved through <literal>pleroma_ctl ecto.rollback</literal>. + Refer to the + <link xlink:href="https://hexdocs.pm/ecto_sql/Mix.Tasks.Ecto.Rollback.html">Ecto + SQL documentation</link> for details. + </para> + </section> + </section> + <section xml:id="modules-services-akkoma-advanced-deployment"> + <title>Advanced deployment options</title> + <section xml:id="modules-services-akkoma-confinement"> + <title>Confinement</title> + <para> + The Akkoma systemd service may be confined to a chroot with + </para> + <programlisting language="nix"> +services.systemd.akkoma.confinement.enable = true; +</programlisting> + <para> + Confinement of services is not generally supported in NixOS and + therefore disabled by default. Depending on the Akkoma + configuration, the default confinement settings may be + insufficient and lead to subtle errors at run time, requiring + adjustment: + </para> + <para> + Use + <link xlink:href="options.html#opt-systemd.services._name_.confinement.packages"><option>services.systemd.akkoma.confinement.packages</option></link> + to make packages available in the chroot. + </para> + <para> + <option>services.systemd.akkoma.serviceConfig.BindPaths</option> + and + <option>services.systemd.akkoma.serviceConfig.BindReadOnlyPaths</option> + permit access to outside paths through bind mounts. Refer to + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#BindPaths="><link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html"><citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry></link></link> + for details. + </para> + </section> + <section xml:id="modules-services-akkoma-distributed-deployment"> + <title>Distributed deployment</title> + <para> + Being an Elixir application, Akkoma can be deployed in a + distributed fashion. + </para> + <para> + This requires setting + <link xlink:href="options.html#opt-services.akkoma.dist.address"><option>services.akkoma.dist.address</option></link> + and + <link xlink:href="options.html#opt-services.akkoma.dist.cookie"><option>services.akkoma.dist.cookie</option></link>. + The specifics depend strongly on the deployment environment. For + more information please check the relevant + <link xlink:href="https://www.erlang.org/doc/reference_manual/distributed.html">Erlang + documentation</link>. + </para> + </section> + </section> +</chapter> diff --git a/nixos/modules/services/web-apps/alps.nix b/nixos/modules/services/web-apps/alps.nix index b73cb82925d9b..1a58df2da1d29 100644 --- a/nixos/modules/services/web-apps/alps.nix +++ b/nixos/modules/services/web-apps/alps.nix @@ -70,6 +70,23 @@ in { ''; }; }; + + package = mkOption { + internal = true; + type = types.package; + default = pkgs.alps; + }; + + args = mkOption { + internal = true; + type = types.listOf types.str; + default = [ + "-addr" "${cfg.bindIP}:${toString cfg.port}" + "-theme" "${cfg.theme}" + "imaps://${cfg.imaps.host}:${toString cfg.imaps.port}" + "smpts://${cfg.smtps.host}:${toString cfg.smtps.port}" + ]; + }; }; config = mkIf cfg.enable { @@ -80,16 +97,35 @@ in { after = [ "network.target" "network-online.target" ]; serviceConfig = { - ExecStart = '' - ${pkgs.alps}/bin/alps \ - -addr ${cfg.bindIP}:${toString cfg.port} \ - -theme ${cfg.theme} \ - imaps://${cfg.imaps.host}:${toString cfg.imaps.port} \ - smpts://${cfg.smtps.host}:${toString cfg.smtps.port} - ''; - StateDirectory = "alps"; - WorkingDirectory = "/var/lib/alps"; + ExecStart = "${cfg.package}/bin/alps ${escapeShellArgs cfg.args}"; + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; DynamicUser = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateIPC = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SocketBindAllow = cfg.port; + SocketBindDeny = "any"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged @obsolete" ]; }; }; }; diff --git a/nixos/modules/services/web-apps/atlassian/confluence.nix b/nixos/modules/services/web-apps/atlassian/confluence.nix index 08cff3286571b..fe98c1777ea05 100644 --- a/nixos/modules/services/web-apps/atlassian/confluence.nix +++ b/nixos/modules/services/web-apps/atlassian/confluence.nix @@ -56,7 +56,7 @@ in }; listenPort = mkOption { - type = types.int; + type = types.port; default = 8090; description = lib.mdDoc "Port to listen on."; }; @@ -78,7 +78,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 443; example = 80; description = lib.mdDoc "Port used at the proxy"; diff --git a/nixos/modules/services/web-apps/atlassian/jira.nix b/nixos/modules/services/web-apps/atlassian/jira.nix index 8d28eb162ef20..4cc858216944c 100644 --- a/nixos/modules/services/web-apps/atlassian/jira.nix +++ b/nixos/modules/services/web-apps/atlassian/jira.nix @@ -56,7 +56,7 @@ in }; listenPort = mkOption { - type = types.int; + type = types.port; default = 8091; description = lib.mdDoc "Port to listen on."; }; @@ -78,7 +78,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 443; example = 80; description = lib.mdDoc "Port used at the proxy"; diff --git a/nixos/modules/services/web-apps/bookstack.nix b/nixos/modules/services/web-apps/bookstack.nix index 40bb377e2c88a..d846c98577c84 100644 --- a/nixos/modules/services/web-apps/bookstack.nix +++ b/nixos/modules/services/web-apps/bookstack.nix @@ -359,7 +359,7 @@ in { }; systemd.services.bookstack-setup = { - description = "Preperation tasks for BookStack"; + description = "Preparation tasks for BookStack"; before = [ "phpfpm-bookstack.service" ]; after = optional db.createLocally "mysql.service"; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/web-apps/changedetection-io.nix b/nixos/modules/services/web-apps/changedetection-io.nix index ace4cf1eabc92..fc00aee435163 100644 --- a/nixos/modules/services/web-apps/changedetection-io.nix +++ b/nixos/modules/services/web-apps/changedetection-io.nix @@ -138,7 +138,8 @@ in StateDirectory = mkIf defaultStateDir "changedetection-io"; StateDirectoryMode = mkIf defaultStateDir "0750"; WorkingDirectory = cfg.datastorePath; - Environment = lib.optional (cfg.baseURL != null) "BASE_URL=${cfg.baseURL}" + Environment = [ "HIDE_REFERER=true" ] + ++ lib.optional (cfg.baseURL != null) "BASE_URL=${cfg.baseURL}" ++ lib.optional cfg.behindProxy "USE_X_SETTINGS=1" ++ lib.optional cfg.webDriverSupport "WEBDRIVER_URL=http://127.0.0.1:${toString cfg.chromePort}/wd/hub" ++ lib.optional cfg.playwrightSupport "PLAYWRIGHT_DRIVER_URL=ws://127.0.0.1:${toString cfg.chromePort}/?stealth=1&--disable-web-security=true"; diff --git a/nixos/modules/services/web-apps/code-server.nix b/nixos/modules/services/web-apps/code-server.nix index 0d6b6c529b6d2..24e34e0c58338 100644 --- a/nixos/modules/services/web-apps/code-server.nix +++ b/nixos/modules/services/web-apps/code-server.nix @@ -15,7 +15,7 @@ in { package = mkOption { default = pkgs.code-server; - defaultText = "pkgs.code-server"; + defaultText = lib.literalExpression "pkgs.code-server"; description = lib.mdDoc "Which code-server derivation to use."; type = types.package; }; diff --git a/nixos/modules/services/web-apps/dex.nix b/nixos/modules/services/web-apps/dex.nix index 1dcc6f7a7c5bc..f69f1749aeb83 100644 --- a/nixos/modules/services/web-apps/dex.nix +++ b/nixos/modules/services/web-apps/dex.nix @@ -83,11 +83,12 @@ in AmbientCapabilities = "CAP_NET_BIND_SERVICE"; BindReadOnlyPaths = [ "/nix/store" - "-/etc/resolv.conf" - "-/etc/nsswitch.conf" + "-/etc/dex" "-/etc/hosts" "-/etc/localtime" - "-/etc/dex" + "-/etc/nsswitch.conf" + "-/etc/resolv.conf" + "-/etc/ssl/certs/ca-certificates.crt" ]; BindPaths = optional (cfg.settings.storage.type == "postgres") "/var/run/postgresql"; CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; diff --git a/nixos/modules/services/web-apps/discourse.nix b/nixos/modules/services/web-apps/discourse.nix index 6500b8cad217b..b8104ade4676d 100644 --- a/nixos/modules/services/web-apps/discourse.nix +++ b/nixos/modules/services/web-apps/discourse.nix @@ -19,9 +19,9 @@ let # We only want to create a database if we're actually going to connect to it. databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == null; - tlsEnabled = (cfg.enableACME + tlsEnabled = cfg.enableACME || cfg.sslCertificate != null - || cfg.sslCertificateKey != null); + || cfg.sslCertificateKey != null; in { options = { @@ -820,10 +820,10 @@ in services.nginx = lib.mkIf cfg.nginx.enable { enable = true; - additionalModules = [ pkgs.nginxModules.brotli ]; recommendedTlsSettings = true; recommendedOptimisation = true; + recommendedBrotliSettings = true; recommendedGzipSettings = true; recommendedProxySettings = true; diff --git a/nixos/modules/services/web-apps/dolibarr.nix b/nixos/modules/services/web-apps/dolibarr.nix index 5335c439329c0..f262099354d2c 100644 --- a/nixos/modules/services/web-apps/dolibarr.nix +++ b/nixos/modules/services/web-apps/dolibarr.nix @@ -1,11 +1,11 @@ { config, pkgs, lib, ... }: let - inherit (lib) any boolToString concatStringsSep isBool isString literalExpression mapAttrsToList mkDefault mkEnableOption mkIf mkOption optionalAttrs types; + inherit (lib) any boolToString concatStringsSep isBool isString mapAttrsToList mkDefault mkEnableOption mkIf mkMerge mkOption optionalAttrs types; package = pkgs.dolibarr.override { inherit (cfg) stateDir; }; cfg = config.services.dolibarr; - vhostCfg = config.services.nginx.virtualHosts."${cfg.domain}"; + vhostCfg = lib.optionalAttr (cfg.nginx != null) config.services.nginx.virtualHosts."${cfg.domain}"; mkConfigFile = filename: settings: let @@ -38,7 +38,7 @@ let force_install_database = cfg.database.name; force_install_databaselogin = cfg.database.user; - force_install_mainforcehttps = vhostCfg.forceSSL; + force_install_mainforcehttps = vhostCfg.forceSSL or false; force_install_createuser = false; force_install_dolibarrlogin = null; } // optionalAttrs (cfg.database.passwordFile != null) { @@ -183,7 +183,8 @@ in }; # implementation - config = mkIf cfg.enable { + config = mkIf cfg.enable (mkMerge [ + { assertions = [ { assertion = cfg.database.createLocally -> cfg.database.user == cfg.user; @@ -214,7 +215,7 @@ in # Security settings dolibarr_main_prod = true; - dolibarr_main_force_https = vhostCfg.forceSSL; + dolibarr_main_force_https = vhostCfg.forceSSL or false; dolibarr_main_restrict_os_commands = "${pkgs.mariadb}/bin/mysqldump, ${pkgs.mariadb}/bin/mysql"; dolibarr_nocsrfcheck = false; dolibarr_main_instance_unique_id = '' @@ -314,7 +315,9 @@ in users.groups = optionalAttrs (cfg.group == "dolibarr") { dolibarr = { }; }; - - users.users."${config.services.nginx.group}".extraGroups = [ cfg.group ]; - }; + } + (mkIf (cfg.nginx != null) { + users.users."${config.services.nginx.group}".extraGroups = mkIf (cfg.nginx != null) [ cfg.group ]; + }) +]); } diff --git a/nixos/modules/services/web-apps/healthchecks.nix b/nixos/modules/services/web-apps/healthchecks.nix index 7da6dce1f9543..b3fdb681e2f30 100644 --- a/nixos/modules/services/web-apps/healthchecks.nix +++ b/nixos/modules/services/web-apps/healthchecks.nix @@ -98,7 +98,7 @@ in description = lib.mdDoc '' Environment variables which are read by healthchecks `(local)_settings.py`. - Settings which are explictly covered in options bewlow, are type-checked and/or transformed + Settings which are explicitly covered in options bewlow, are type-checked and/or transformed before added to the environment, everything else is passed as a string. See <https://healthchecks.io/docs/self_hosted_configuration/> diff --git a/nixos/modules/services/web-apps/hedgedoc.nix b/nixos/modules/services/web-apps/hedgedoc.nix index e26dee68615e0..90ca3002c5924 100644 --- a/nixos/modules/services/web-apps/hedgedoc.nix +++ b/nixos/modules/services/web-apps/hedgedoc.nix @@ -76,7 +76,7 @@ in ''; }; port = mkOption { - type = types.int; + type = types.port; default = 3000; example = 80; description = lib.mdDoc '' @@ -291,7 +291,8 @@ in }; defaultNotePath = mkOption { type = types.nullOr types.str; - default = "./public/default.md"; + default = "${cfg.package}/public/default.md"; + defaultText = literalExpression "\"\${cfg.package}/public/default.md\""; description = lib.mdDoc '' Path to the default Note file. (Non-canonical paths are relative to HedgeDoc's base directory) @@ -299,7 +300,8 @@ in }; docsPath = mkOption { type = types.nullOr types.str; - default = "./public/docs"; + default = "${cfg.package}/public/docs"; + defaultText = literalExpression "\"\${cfg.package}/public/docs\""; description = lib.mdDoc '' Path to the docs directory. (Non-canonical paths are relative to HedgeDoc's base directory) @@ -307,7 +309,8 @@ in }; indexPath = mkOption { type = types.nullOr types.str; - default = "./public/views/index.ejs"; + default = "${cfg.package}/public/views/index.ejs"; + defaultText = literalExpression "\"\${cfg.package}/public/views/index.ejs\""; description = lib.mdDoc '' Path to the index template file. (Non-canonical paths are relative to HedgeDoc's base directory) @@ -315,7 +318,8 @@ in }; hackmdPath = mkOption { type = types.nullOr types.str; - default = "./public/views/hackmd.ejs"; + default = "${cfg.package}/public/views/hackmd.ejs"; + defaultText = literalExpression "\"\${cfg.package}/public/views/hackmd.ejs\""; description = lib.mdDoc '' Path to the hackmd template file. (Non-canonical paths are relative to HedgeDoc's base directory) @@ -323,8 +327,8 @@ in }; errorPath = mkOption { type = types.nullOr types.str; - default = null; - defaultText = literalExpression "./public/views/error.ejs"; + default = "${cfg.package}/public/views/error.ejs"; + defaultText = literalExpression "\"\${cfg.package}/public/views/error.ejs\""; description = lib.mdDoc '' Path to the error template file. (Non-canonical paths are relative to HedgeDoc's base directory) @@ -332,8 +336,8 @@ in }; prettyPath = mkOption { type = types.nullOr types.str; - default = null; - defaultText = literalExpression "./public/views/pretty.ejs"; + default = "${cfg.package}/public/views/pretty.ejs"; + defaultText = literalExpression "\"\${cfg.package}/public/views/pretty.ejs\""; description = lib.mdDoc '' Path to the pretty template file. (Non-canonical paths are relative to HedgeDoc's base directory) @@ -341,8 +345,8 @@ in }; slidePath = mkOption { type = types.nullOr types.str; - default = null; - defaultText = literalExpression "./public/views/slide.hbs"; + default = "${cfg.package}/public/views/slide.hbs"; + defaultText = literalExpression "\"\${cfg.package}/public/views/slide.hbs\""; description = lib.mdDoc '' Path to the slide template file. (Non-canonical paths are relative to HedgeDoc's base directory) @@ -351,7 +355,7 @@ in uploadsPath = mkOption { type = types.str; default = "${cfg.workDir}/uploads"; - defaultText = literalExpression "/var/lib/${name}/uploads"; + defaultText = literalExpression "\"\${cfg.workDir}/uploads\""; description = lib.mdDoc '' Path under which uploaded files are saved. ''; @@ -449,7 +453,7 @@ in ''; }; port = mkOption { - type = types.int; + type = types.port; default = 9000; description = lib.mdDoc '' Minio listen port. @@ -999,8 +1003,8 @@ in ``` # snippet of HedgeDoc-related config - services.hedgedoc.configuration.dbURL = "postgres://hedgedoc:\''${DB_PASSWORD}@db-host:5432/hedgedocdb"; - services.hedgedoc.configuration.minio.secretKey = "$MINIO_SECRET_KEY"; + services.hedgedoc.settings.dbURL = "postgres://hedgedoc:\''${DB_PASSWORD}@db-host:5432/hedgedocdb"; + services.hedgedoc.settings.minio.secretKey = "$MINIO_SECRET_KEY"; ``` ``` diff --git a/nixos/modules/services/web-apps/ihatemoney/default.nix b/nixos/modules/services/web-apps/ihatemoney/default.nix index b0da0acfcf8a9..a61aa445f82c5 100644 --- a/nixos/modules/services/web-apps/ihatemoney/default.nix +++ b/nixos/modules/services/web-apps/ihatemoney/default.nix @@ -68,7 +68,7 @@ in example = { http = ":8000"; }; - description = lib.mdDoc "Additionnal configuration of the UWSGI vassal running ihatemoney. It should notably specify on which interfaces and ports the vassal should listen."; + description = lib.mdDoc "Additional configuration of the UWSGI vassal running ihatemoney. It should notably specify on which interfaces and ports the vassal should listen."; }; defaultSender = { name = mkOption { diff --git a/nixos/modules/services/web-apps/invidious.nix b/nixos/modules/services/web-apps/invidious.nix index e106478628f5e..61c52ee03dc6f 100644 --- a/nixos/modules/services/web-apps/invidious.nix +++ b/nixos/modules/services/web-apps/invidious.nix @@ -151,7 +151,7 @@ in package = lib.mkOption { type = types.package; default = pkgs.invidious; - defaultText = "pkgs.invidious"; + defaultText = lib.literalExpression "pkgs.invidious"; description = lib.mdDoc "The Invidious package to use."; }; @@ -171,7 +171,7 @@ in description = lib.mdDoc '' A file including Invidious settings. - It gets merged with the setttings specified in {option}`services.invidious.settings` + It gets merged with the settings specified in {option}`services.invidious.settings` and can be used to store secrets like `hmac_key` outside of the nix store. ''; }; diff --git a/nixos/modules/services/web-apps/invoiceplane.nix b/nixos/modules/services/web-apps/invoiceplane.nix index cccf70295e898..8be1fd3055d09 100644 --- a/nixos/modules/services/web-apps/invoiceplane.nix +++ b/nixos/modules/services/web-apps/invoiceplane.nix @@ -74,7 +74,7 @@ let type = types.path; default = "/var/lib/invoiceplane/${name}"; description = lib.mdDoc '' - This directory is used for uploads of attachements and cache. + This directory is used for uploads of attachments and cache. The directory passed here is automatically created and permissions adjusted as required. ''; @@ -327,7 +327,7 @@ in )) eachSite; systemd.services = - (mapAttrs' (hostName: cfg: ( + mapAttrs' (hostName: cfg: ( nameValuePair "invoiceplane-cron-${hostName}" (mkIf cfg.cron.enable { serviceConfig = { Type = "oneshot"; @@ -335,7 +335,7 @@ in ExecStart = "${pkgs.curl}/bin/curl --header 'Host: ${hostName}' http://localhost/invoices/cron/recur/${cfg.cron.key}"; }; }) - )) eachSite); + )) eachSite; } diff --git a/nixos/modules/services/web-apps/isso.nix b/nixos/modules/services/web-apps/isso.nix index 941e1dd0f9ea1..1a852ec352f2c 100644 --- a/nixos/modules/services/web-apps/isso.nix +++ b/nixos/modules/services/web-apps/isso.nix @@ -63,6 +63,28 @@ in { Restart = "on-failure"; RestartSec = 1; + + # Hardening + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "" ]; + LockPersonality = true; + PrivateDevices = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0077"; }; }; }; diff --git a/nixos/modules/services/web-apps/jitsi-meet.nix b/nixos/modules/services/web-apps/jitsi-meet.nix index a42e249189f6c..5b0934b2fb76f 100644 --- a/nixos/modules/services/web-apps/jitsi-meet.nix +++ b/nixos/modules/services/web-apps/jitsi-meet.nix @@ -28,7 +28,7 @@ let ''); # Essential config - it's probably not good to have these as option default because - # types.attrs doesn't do merging. Let's merge explicitly, can still be overriden if + # types.attrs doesn't do merging. Let's merge explicitly, can still be overridden if # user desires. defaultCfg = { hosts = { diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix index 521cf778a36bf..d52190a28648e 100644 --- a/nixos/modules/services/web-apps/keycloak.nix +++ b/nixos/modules/services/web-apps/keycloak.nix @@ -482,6 +482,10 @@ in assertion = (cfg.database.useSSL && cfg.database.type == "postgresql") -> (cfg.database.caCert != null); message = "A CA certificate must be specified (in 'services.keycloak.database.caCert') when PostgreSQL is used with SSL"; } + { + assertion = createLocalPostgreSQL -> config.services.postgresql.settings.standard_conforming_strings or true; + message = "Setting up a local PostgreSQL db for Keycloak requires `standard_conforming_strings` turned on to work reliably"; + } ]; environment.systemPackages = [ keycloakBuild ]; @@ -544,7 +548,13 @@ in create_role="$(mktemp)" trap 'rm -f "$create_role"' EXIT + # Read the password from the credentials directory and + # escape any single quotes by adding additional single + # quotes after them, following the rules laid out here: + # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-CONSTANTS db_password="$(<"$CREDENTIALS_DIRECTORY/db_password")" + db_password="''${db_password//\'/\'\'}" + echo "CREATE ROLE keycloak WITH LOGIN PASSWORD '$db_password' CREATEDB" > "$create_role" psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || psql -tA --file="$create_role" psql -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || psql -tAc 'CREATE DATABASE "keycloak" OWNER "keycloak"' @@ -566,8 +576,16 @@ in script = '' set -o errexit -o pipefail -o nounset -o errtrace shopt -s inherit_errexit + + # Read the password from the credentials directory and + # escape any single quotes by adding additional single + # quotes after them, following the rules laid out here: + # https://dev.mysql.com/doc/refman/8.0/en/string-literals.html db_password="$(<"$CREDENTIALS_DIRECTORY/db_password")" - ( echo "CREATE USER IF NOT EXISTS 'keycloak'@'localhost' IDENTIFIED BY '$db_password';" + db_password="''${db_password//\'/\'\'}" + + ( echo "SET sql_mode = 'NO_BACKSLASH_ESCAPES';" + echo "CREATE USER IF NOT EXISTS 'keycloak'@'localhost' IDENTIFIED BY '$db_password';" echo "CREATE DATABASE IF NOT EXISTS keycloak CHARACTER SET utf8 COLLATE utf8_unicode_ci;" echo "GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'localhost';" ) | mysql -N @@ -632,12 +650,17 @@ in ${secretReplacements} + # Escape any backslashes in the db parameters, since + # they're otherwise unexpectedly read as escape + # sequences. + sed -i '/db-/ s|\\|\\\\|g' /run/keycloak/conf/keycloak.conf + '' + optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) '' mkdir -p /run/keycloak/ssl cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/ '' + '' export KEYCLOAK_ADMIN=admin - export KEYCLOAK_ADMIN_PASSWORD=${cfg.initialAdminPassword} + export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword} kc.sh start --optimized ''; }; diff --git a/nixos/modules/services/web-apps/limesurvey.nix b/nixos/modules/services/web-apps/limesurvey.nix index f6a1b55952435..7093d1de0dacf 100644 --- a/nixos/modules/services/web-apps/limesurvey.nix +++ b/nixos/modules/services/web-apps/limesurvey.nix @@ -49,7 +49,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = if cfg.database.type == "pgsql" then 5442 else 3306; defaultText = literalExpression "3306"; description = lib.mdDoc "Database host port."; diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix index d159d2ade0630..b6e2309555f2f 100644 --- a/nixos/modules/services/web-apps/mastodon.nix +++ b/nixos/modules/services/web-apps/mastodon.nix @@ -1,7 +1,9 @@ -{ config, lib, pkgs, ... }: +{ lib, pkgs, config, options, ... }: let cfg = config.services.mastodon; + opt = options.services.mastodon; + # We only want to create a database if we're actually going to connect to it. databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == "/run/postgresql"; @@ -23,7 +25,6 @@ let REDIS_HOST = cfg.redis.host; REDIS_PORT = toString(cfg.redis.port); DB_HOST = cfg.database.host; - DB_PORT = toString(cfg.database.port); DB_NAME = cfg.database.name; LOCAL_DOMAIN = cfg.localDomain; SMTP_SERVER = cfg.smtp.host; @@ -37,7 +38,8 @@ let TRUSTED_PROXY_IP = cfg.trustedProxy; } - // (if cfg.smtp.authenticate then { SMTP_LOGIN = cfg.smtp.user; } else {}) + // lib.optionalAttrs (cfg.database.host != "/run/postgresql" && cfg.database.port != null) { DB_PORT = toString cfg.database.port; } + // lib.optionalAttrs cfg.smtp.authenticate { SMTP_LOGIN = cfg.smtp.user; } // cfg.extraConfig; systemCallsList = [ "@cpu-emulation" "@debug" "@keyring" "@ipc" "@mount" "@obsolete" "@privileged" "@setuid" ]; @@ -92,12 +94,18 @@ let ] else [] ) env)))); - mastodonEnv = pkgs.writeShellScriptBin "mastodon-env" '' + mastodonTootctl = pkgs.writeShellScriptBin "mastodon-tootctl" '' + #! ${pkgs.runtimeShell} set -a export RAILS_ROOT="${cfg.package}" source "${envFile}" source /var/lib/mastodon/.secrets_env - eval -- "\$@" + + sudo=exec + if [[ "$USER" != ${cfg.user} ]]; then + sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env' + fi + $sudo ${cfg.package}/bin/tootctl "$@" ''; in { @@ -133,15 +141,10 @@ in { description = lib.mdDoc '' User under which mastodon runs. If it is set to "mastodon", that user will be created, otherwise it should be set to the - name of a user created elsewhere. In both cases, - `mastodon` and a package containing only - the shell script `mastodon-env` will be added to - the user's package set. To run a command from - `mastodon` such as `tootctl` - with the environment configured by this module use - `mastodon-env`, as in: - - `mastodon-env tootctl accounts create newuser --email newuser@example.com` + name of a user created elsewhere. + In both cases, the `mastodon` package will be added to the user's package set + and a tootctl wrapper to system packages that switches to the configured account + and load the right environment. ''; type = lib.types.str; default = "mastodon"; @@ -313,8 +316,13 @@ in { }; port = lib.mkOption { - type = lib.types.int; - default = 5432; + type = lib.types.nullOr lib.types.port; + default = if cfg.database.createLocally then null else 5432; + defaultText = lib.literalExpression '' + if config.${opt.database.createLocally} + then null + else 5432 + ''; description = lib.mdDoc "Database host port."; }; @@ -332,8 +340,8 @@ in { passwordFile = lib.mkOption { type = lib.types.nullOr lib.types.path; - default = "/var/lib/mastodon/secrets/db-password"; - example = "/run/keys/mastodon-db-password"; + default = null; + example = "/var/lib/mastodon/secrets/db-password"; description = lib.mdDoc '' A file containing the password corresponding to {option}`database.user`. @@ -372,17 +380,19 @@ in { }; user = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + example = "mastodon@example.com"; description = lib.mdDoc "SMTP login name."; - type = lib.types.str; }; passwordFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/var/lib/mastodon/secrets/smtp-password"; description = lib.mdDoc '' Path to file containing the SMTP password. ''; - default = "/var/lib/mastodon/secrets/smtp-password"; - example = "/run/keys/mastodon-smtp-password"; - type = lib.types.str; }; }; @@ -465,10 +475,37 @@ in { assertions = [ { assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.database.user); - message = ''For local automatic database provisioning (services.mastodon.database.createLocally == true) with peer authentication (services.mastodon.database.host == "/run/postgresql") to work services.mastodon.user and services.mastodon.database.user must be identical.''; + message = '' + For local automatic database provisioning (services.mastodon.database.createLocally == true) with peer + authentication (services.mastodon.database.host == "/run/postgresql") to work services.mastodon.user + and services.mastodon.database.user must be identical. + ''; + } + { + assertion = !databaseActuallyCreateLocally -> (cfg.database.host != "/run/postgresql"); + message = '' + <option>services.mastodon.database.host</option> needs to be set if + <option>services.mastodon.database.createLocally</option> is not enabled. + ''; + } + { + assertion = cfg.smtp.authenticate -> (cfg.smtp.user != null); + message = '' + <option>services.mastodon.smtp.user</option> needs to be set if + <option>services.mastodon.smtp.authenticate</option> is enabled. + ''; + } + { + assertion = cfg.smtp.authenticate -> (cfg.smtp.passwordFile != null); + message = '' + <option>services.mastodon.smtp.passwordFile</option> needs to be set if + <option>services.mastodon.smtp.authenticate</option> is enabled. + ''; } ]; + environment.systemPackages = [ mastodonTootctl ]; + systemd.services.mastodon-init-dirs = { script = '' umask 077 @@ -493,10 +530,11 @@ in { OTP_SECRET="$(cat ${cfg.otpSecretFile})" VAPID_PRIVATE_KEY="$(cat ${cfg.vapidPrivateKeyFile})" VAPID_PUBLIC_KEY="$(cat ${cfg.vapidPublicKeyFile})" + '' + lib.optionalString (cfg.database.passwordFile != null) '' DB_PASS="$(cat ${cfg.database.passwordFile})" - '' + (if cfg.smtp.authenticate then '' + '' + lib.optionalString cfg.smtp.authenticate '' SMTP_PASSWORD="$(cat ${cfg.smtp.passwordFile})" - '' else "") + '' + '' + '' EOF ''; environment = env; @@ -511,7 +549,16 @@ in { }; systemd.services.mastodon-init-db = lib.mkIf cfg.automaticMigrations { - script = '' + script = lib.optionalString (!databaseActuallyCreateLocally) '' + umask 077 + + export PGPASSFILE + PGPASSFILE=$(mktemp) + cat > $PGPASSFILE <<EOF + ${cfg.database.host}:${toString cfg.database.port}:${cfg.database.name}:${cfg.database.user}:$(cat ${cfg.database.passwordFile}) + EOF + + '' + '' if [ `psql ${cfg.database.name} -c \ "select count(*) from pg_class c \ join pg_namespace s on s.oid = c.relnamespace \ @@ -522,12 +569,18 @@ in { else rails db:migrate fi + '' + lib.optionalString (!databaseActuallyCreateLocally) '' + rm $PGPASSFILE + unset PGPASSFILE ''; path = [ cfg.package pkgs.postgresql ]; - environment = env; + environment = env // lib.optionalAttrs (!databaseActuallyCreateLocally) { + PGHOST = cfg.database.host; + PGUSER = cfg.database.user; + }; serviceConfig = { Type = "oneshot"; - EnvironmentFile = "/var/lib/mastodon/.secrets_env"; + EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ]; WorkingDirectory = cfg.package; # System Call Filtering SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" "pipe" "pipe2" ]; @@ -555,7 +608,7 @@ in { ExecStart = "${cfg.package}/run-streaming.sh"; Restart = "always"; RestartSec = 20; - EnvironmentFile = "/var/lib/mastodon/.secrets_env"; + EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ]; WorkingDirectory = cfg.package; # Runtime directory and mode RuntimeDirectory = "mastodon-streaming"; @@ -582,7 +635,7 @@ in { ExecStart = "${cfg.package}/bin/puma -C config/puma.rb"; Restart = "always"; RestartSec = 20; - EnvironmentFile = "/var/lib/mastodon/.secrets_env"; + EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ]; WorkingDirectory = cfg.package; # Runtime directory and mode RuntimeDirectory = "mastodon-web"; @@ -610,7 +663,7 @@ in { ExecStart = "${cfg.package}/bin/sidekiq -c ${toString cfg.sidekiqThreads} -r ${cfg.package}"; Restart = "always"; RestartSec = 20; - EnvironmentFile = "/var/lib/mastodon/.secrets_env"; + EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ]; WorkingDirectory = cfg.package; # System Call Filtering SystemCallFilter = [ ("~" + lib.concatStringsSep " " systemCallsList) "@chown" "pipe" "pipe2" ]; @@ -623,7 +676,7 @@ in { environment = env; serviceConfig = { Type = "oneshot"; - EnvironmentFile = "/var/lib/mastodon/.secrets_env"; + EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ]; } // cfgService; script = let olderThanDays = toString cfg.mediaAutoRemove.olderThanDays; @@ -639,8 +692,9 @@ in { recommendedProxySettings = true; # required for redirections to work virtualHosts."${cfg.localDomain}" = { root = "${cfg.package}/public/"; - forceSSL = true; # mastodon only supports https - enableACME = true; + # mastodon only supports https, but you can override this if you offload tls elsewhere. + forceSSL = lib.mkDefault true; + enableACME = lib.mkDefault true; locations."/system/".alias = "/var/lib/mastodon/public-system/"; @@ -688,7 +742,7 @@ in { inherit (cfg) group; }; }) - (lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package mastodonEnv ]) + (lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package pkgs.imagemagick ]) ]; users.groups.${cfg.group}.members = lib.optional cfg.configureNginx config.services.nginx.user; diff --git a/nixos/modules/services/web-apps/matomo.nix b/nixos/modules/services/web-apps/matomo.nix index 117d540ba36b1..0435d21ce8a2b 100644 --- a/nixos/modules/services/web-apps/matomo.nix +++ b/nixos/modules/services/web-apps/matomo.nix @@ -174,7 +174,7 @@ in { CURRENT_PACKAGE=$(readlink ${dataDir}/current-package) NEW_PACKAGE=${cfg.package} if [ "$CURRENT_PACKAGE" != "$NEW_PACKAGE" ]; then - # keeping tmp arround between upgrades seems to bork stuff, so delete it + # keeping tmp around between upgrades seems to bork stuff, so delete it rm -rf ${dataDir}/tmp fi elif [ -e ${dataDir}/tmp ]; then diff --git a/nixos/modules/services/web-apps/mattermost.nix b/nixos/modules/services/web-apps/mattermost.nix index 71292c47d63a8..56a53198b3fbf 100644 --- a/nixos/modules/services/web-apps/mattermost.nix +++ b/nixos/modules/services/web-apps/mattermost.nix @@ -106,7 +106,7 @@ in package = mkOption { type = types.package; default = pkgs.mattermost; - defaultText = "pkgs.mattermost"; + defaultText = lib.literalExpression "pkgs.mattermost"; description = lib.mdDoc "Mattermost derivation to use."; }; @@ -170,7 +170,7 @@ in type = types.attrs; default = { }; description = lib.mdDoc '' - Addtional configuration options as Nix attribute set in config.json schema. + Additional configuration options as Nix attribute set in config.json schema. ''; }; @@ -238,7 +238,7 @@ in package = mkOption { type = types.package; default = pkgs.matterircd; - defaultText = "pkgs.matterircd"; + defaultText = lib.literalExpression "pkgs.matterircd"; description = lib.mdDoc "matterircd derivation to use."; }; parameters = mkOption { diff --git a/nixos/modules/services/web-apps/mediawiki.nix b/nixos/modules/services/web-apps/mediawiki.nix index e332847f5a285..07f2967486299 100644 --- a/nixos/modules/services/web-apps/mediawiki.nix +++ b/nixos/modules/services/web-apps/mediawiki.nix @@ -129,7 +129,7 @@ let ## Set $wgCacheDirectory to a writable directory on the web server ## to make your wiki go slightly faster. The directory should not - ## be publically accessible from the web. + ## be publicly accessible from the web. $wgCacheDirectory = "${cacheDir}"; # Site language code, should be one of the list in ./languages/data/Names.php diff --git a/nixos/modules/services/web-apps/miniflux.nix b/nixos/modules/services/web-apps/miniflux.nix index 34a108cebd2b8..7cc8ce10ffe07 100644 --- a/nixos/modules/services/web-apps/miniflux.nix +++ b/nixos/modules/services/web-apps/miniflux.nix @@ -21,6 +21,13 @@ in services.miniflux = { enable = mkEnableOption (lib.mdDoc "miniflux and creates a local postgres database for it"); + package = mkOption { + type = types.package; + default = pkgs.miniflux; + defaultText = literalExpression "pkgs.miniflux"; + description = lib.mdDoc "Miniflux package to use."; + }; + config = mkOption { type = types.attrsOf types.str; example = literalExpression '' @@ -89,7 +96,7 @@ in after = [ "network.target" "postgresql.service" "miniflux-dbsetup.service" ]; serviceConfig = { - ExecStart = "${pkgs.miniflux}/bin/miniflux"; + ExecStart = "${cfg.package}/bin/miniflux"; User = dbUser; DynamicUser = true; RuntimeDirectory = "miniflux"; @@ -122,6 +129,6 @@ in environment = cfg.config; }; - environment.systemPackages = [ pkgs.miniflux ]; + environment.systemPackages = [ cfg.package ]; }; } diff --git a/nixos/modules/services/web-apps/moodle.nix b/nixos/modules/services/web-apps/moodle.nix index dc434d0fc8032..5f8d9c5b15f4c 100644 --- a/nixos/modules/services/web-apps/moodle.nix +++ b/nixos/modules/services/web-apps/moodle.nix @@ -96,7 +96,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; description = lib.mdDoc "Database host port."; default = { mysql = 3306; diff --git a/nixos/modules/services/web-apps/netbox.nix b/nixos/modules/services/web-apps/netbox.nix index f09a8dfc5b215..e028f16004efe 100644 --- a/nixos/modules/services/web-apps/netbox.nix +++ b/nixos/modules/services/web-apps/netbox.nix @@ -9,6 +9,10 @@ let name = "configuration.py"; text = '' STATIC_ROOT = '${staticDir}' + MEDIA_ROOT = '${cfg.dataDir}/media' + REPORTS_ROOT = '${cfg.dataDir}/reports' + SCRIPTS_ROOT = '${cfg.dataDir}/scripts' + ALLOWED_HOSTS = ['*'] DATABASE = { 'NAME': 'netbox', @@ -42,11 +46,10 @@ let installPhase = old.installPhase + '' ln -s ${configFile} $out/opt/netbox/netbox/netbox/configuration.py '' + optionalString cfg.enableLdap '' - ln -s ${ldapConfigPath} $out/opt/netbox/netbox/netbox/ldap_config.py + ln -s ${cfg.ldapConfigPath} $out/opt/netbox/netbox/netbox/ldap_config.py ''; })).override { - plugins = ps: ((cfg.plugins ps) - ++ optionals cfg.enableLdap [ ps.django-auth-ldap ]); + inherit (cfg) plugins; }; netboxManageScript = with pkgs; (writeScriptBin "netbox-manage" '' #!${stdenv.shell} @@ -132,13 +135,15 @@ in { type = types.path; default = ""; description = lib.mdDoc '' - Path to the Configuration-File for LDAP-Authentification, will be loaded as `ldap_config.py`. + Path to the Configuration-File for LDAP-Authentication, will be loaded as `ldap_config.py`. See the [documentation](https://netbox.readthedocs.io/en/stable/installation/6-ldap/#configuration) for possible options. ''; }; }; config = mkIf cfg.enable { + services.netbox.plugins = mkIf cfg.enableLdap (ps: [ ps.django-auth-ldap ]); + services.redis.servers.netbox.enable = true; services.postgresql = { diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 04599884f139c..90801e9968175 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -13,7 +13,12 @@ let phpPackage = cfg.phpPackage.buildEnv { extensions = { enabled, all }: (with all; - enabled + # disable default openssl extension + (lib.filter (e: e.pname != "php-openssl") enabled) + # use OpenSSL 1.1 for RC4 Nextcloud encryption if user + # has acknowledged the brokenness of the ciphers (RC4). + # TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed. + ++ (if cfg.enableBrokenCiphersForSSE then [ cfg.phpPackage.extensions.openssl-legacy ] else [ cfg.phpPackage.extensions.openssl ]) ++ optional cfg.enableImagemagick imagick # Optionally enabled depending on caching settings ++ optional cfg.caching.apcu apcu @@ -71,7 +76,7 @@ in { * setting `listen.owner` & `listen.group` in the phpfpm-pool to a different value Further details about this can be found in the `Nextcloud`-section of the NixOS-manual - (which can be openend e.g. by running `nixos-help`). + (which can be opened e.g. by running `nixos-help`). '') (mkRemovedOptionModule [ "services" "nextcloud" "disableImagemagick" ] '' Use services.nextcloud.nginx.enableImagemagick instead. @@ -80,6 +85,40 @@ in { options.services.nextcloud = { enable = mkEnableOption (lib.mdDoc "nextcloud"); + + enableBrokenCiphersForSSE = mkOption { + type = types.bool; + default = versionOlder stateVersion "22.11"; + defaultText = literalExpression "versionOlder system.stateVersion \"22.11\""; + description = lib.mdDoc '' + This option enables using the OpenSSL PHP extension linked against OpenSSL 1.1 + rather than latest OpenSSL (≥ 3), this is not recommended unless you need + it for server-side encryption (SSE). SSE uses the legacy RC4 cipher which is + considered broken for several years now. See also [RFC7465](https://datatracker.ietf.org/doc/html/rfc7465). + + This cipher has been disabled in OpenSSL ≥ 3 and requires + a specific legacy profile to re-enable it. + + If you deploy Nextcloud using OpenSSL ≥ 3 for PHP and have + server-side encryption configured, you will not be able to access + your files anymore. Enabling this option can restore access to your files. + Upon testing we didn't encounter any data corruption when turning + this on and off again, but this cannot be guaranteed for + each Nextcloud installation. + + It is `true` by default for systems with a [](#opt-system.stateVersion) below + `22.11` to make sure that existing installations won't break on update. On newer + NixOS systems you have to explicitly enable it on your own. + + Please note that this only provides additional value when using + external storage such as S3 since it's not an end-to-end encryption. + If this is not the case, + it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) and set this to `false`. + + In the future, Nextcloud may move to AES-256-GCM, by then, + this option will be removed. + ''; + }; hostName = mkOption { type = types.str; description = lib.mdDoc "FQDN for the nextcloud instance."; @@ -349,7 +388,7 @@ in { default = []; description = lib.mdDoc '' Trusted domains, from which the nextcloud installation will be - acessible. You don't need to add + accessible. You don't need to add `services.nextcloud.hostname` here. ''; }; @@ -649,6 +688,23 @@ in { ++ (optional (versionOlder cfg.package.version "23") (upgradeWarning 22 "22.05")) ++ (optional (versionOlder cfg.package.version "24") (upgradeWarning 23 "22.05")) ++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11")) + ++ (optional cfg.enableBrokenCiphersForSSE '' + You're using PHP's openssl extension built against OpenSSL 1.1 for Nextcloud. + This is only necessary if you're using Nextcloud's server-side encryption. + Please keep in mind that it's using the broken RC4 cipher. + + If you don't use that feature, you can switch to OpenSSL 3 and get + rid of this warning by declaring + + services.nextcloud.enableBrokenCiphersForSSE = false; + + If you need to use server-side encryption you can ignore this warning. + Otherwise you'd have to disable server-side encryption first in order + to be able to safely disable this option and get rid of this warning. + See <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this. + + For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470 + '') ++ (optional isUnsupportedMariadb '' You seem to be using MariaDB at an unsupported version (i.e. at least 10.6)! Please note that this isn't supported officially by Nextcloud. You can either @@ -702,7 +758,7 @@ in { nextcloud-setup = let c = cfg.config; - writePhpArrary = a: "[${concatMapStringsSep "," (val: ''"${toString val}"'') a}]"; + writePhpArray = a: "[${concatMapStringsSep "," (val: ''"${toString val}"'') a}]"; requiresReadSecretFunction = c.dbpassFile != null || c.objectstore.s3.enable; objectstoreConfig = let s3 = c.objectstore.s3; in optionalString s3.enable '' 'objectstore' => [ @@ -782,8 +838,8 @@ in { '' } 'dbtype' => '${c.dbtype}', - 'trusted_domains' => ${writePhpArrary ([ cfg.hostName ] ++ c.extraTrustedDomains)}, - 'trusted_proxies' => ${writePhpArrary (c.trustedProxies)}, + 'trusted_domains' => ${writePhpArray ([ cfg.hostName ] ++ c.extraTrustedDomains)}, + 'trusted_proxies' => ${writePhpArray (c.trustedProxies)}, ${optionalString (c.defaultPhoneRegion != null) "'default_phone_region' => '${c.defaultPhoneRegion}',"} ${optionalString (nextcloudGreaterOrEqualThan "23") "'profile.enabled' => ${boolToString cfg.globalProfiles},"} ${objectstoreConfig} diff --git a/nixos/modules/services/web-apps/nextcloud.xml b/nixos/modules/services/web-apps/nextcloud.xml index a0b69dbd606ce..4207c4008d5b7 100644 --- a/nixos/modules/services/web-apps/nextcloud.xml +++ b/nixos/modules/services/web-apps/nextcloud.xml @@ -170,6 +170,20 @@ </listitem> </itemizedlist> </listitem> + <listitem> + <formalpara> + <title>Server-side encryption</title> + <para> + Nextcloud supports <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side encryption (SSE)</link>. + This is not an end-to-end encryption, but can be used to encrypt files that will be persisted + to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3 + for PHP's openssl extension because this is implemented using the legacy cipher RC4. + If <xref linkend="opt-system.stateVersion" /> is <emphasis>above</emphasis> <literal>22.05</literal>, + this is disabled by default. To turn it on again and for further information please refer to + <xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" />. + </para> + </formalpara> + </listitem> </itemizedlist> </section> @@ -269,7 +283,7 @@ <para> If major-releases will be abandoned by upstream, we should check first if those are needed - in NixOS for a safe upgrade-path before removing those. In that case we shold keep those + in NixOS for a safe upgrade-path before removing those. In that case we should keep those packages, but mark them as insecure in an expression like this (in <literal><nixpkgs/pkgs/servers/nextcloud/default.nix></literal>): <programlisting>/* ... */ diff --git a/nixos/modules/services/web-apps/onlyoffice.nix b/nixos/modules/services/web-apps/onlyoffice.nix index db4a9582794e6..79ed3e43dd18a 100644 --- a/nixos/modules/services/web-apps/onlyoffice.nix +++ b/nixos/modules/services/web-apps/onlyoffice.nix @@ -29,7 +29,7 @@ in package = mkOption { type = types.package; default = pkgs.onlyoffice-documentserver; - defaultText = "pkgs.onlyoffice-documentserver"; + defaultText = lib.literalExpression "pkgs.onlyoffice-documentserver"; description = lib.mdDoc "Which package to use for the OnlyOffice instance."; }; @@ -54,7 +54,7 @@ in postgresName = mkOption { type = types.str; default = "onlyoffice"; - description = lib.mdDoc "The name of databse OnlyOffice should user."; + description = lib.mdDoc "The name of database OnlyOffice should user."; }; postgresPasswordFile = mkOption { diff --git a/nixos/modules/services/web-apps/outline.nix b/nixos/modules/services/web-apps/outline.nix index 8a312d79584e3..b72dd8243bb49 100644 --- a/nixos/modules/services/web-apps/outline.nix +++ b/nixos/modules/services/web-apps/outline.nix @@ -6,10 +6,10 @@ let in { # See here for a reference of all the options: - # https://github.com/outline/outline/blob/v0.65.2/.env.sample - # https://github.com/outline/outline/blob/v0.65.2/app.json - # https://github.com/outline/outline/blob/v0.65.2/server/env.ts - # https://github.com/outline/outline/blob/v0.65.2/shared/types.ts + # https://github.com/outline/outline/blob/v0.67.0/.env.sample + # https://github.com/outline/outline/blob/v0.67.0/app.json + # https://github.com/outline/outline/blob/v0.67.0/server/env.ts + # https://github.com/outline/outline/blob/v0.67.0/shared/types.ts # The order is kept the same here to make updating easier. options.services.outline = { enable = lib.mkEnableOption (lib.mdDoc "outline"); @@ -123,7 +123,7 @@ in description = lib.mdDoc '' To support uploading of images for avatars and document attachments an s3-compatible storage must be provided. AWS S3 is recommended for - redundency however if you want to keep all file storage local an + redundancy however if you want to keep all file storage local an alternative such as [minio](https://github.com/minio/minio) can be used. @@ -435,6 +435,16 @@ in ''; }; + sentryTunnel = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = lib.mdDoc '' + Optionally add a + [Sentry proxy tunnel](https://docs.sentry.io/platforms/javascript/troubleshooting/#using-the-tunnel-option) + for bypassing ad blockers in the UI. + ''; + }; + logo = lib.mkOption { type = lib.types.nullOr lib.types.str; default = null; @@ -455,7 +465,7 @@ in options = { host = lib.mkOption { type = lib.types.str; - description = lib.mdDoc "Host name or IP adress of the SMTP server."; + description = lib.mdDoc "Host name or IP address of the SMTP server."; }; port = lib.mkOption { type = lib.types.port; @@ -621,6 +631,7 @@ in DEBUG = cfg.debugOutput; GOOGLE_ANALYTICS_ID = lib.optionalString (cfg.googleAnalyticsId != null) cfg.googleAnalyticsId; SENTRY_DSN = lib.optionalString (cfg.sentryDsn != null) cfg.sentryDsn; + SENTRY_TUNNEL = lib.optionalString (cfg.sentryTunnel != null) cfg.sentryTunnel; TEAM_LOGO = lib.optionalString (cfg.logo != null) cfg.logo; DEFAULT_LANGUAGE = cfg.defaultLanguage; diff --git a/nixos/modules/services/web-apps/peering-manager.nix b/nixos/modules/services/web-apps/peering-manager.nix new file mode 100644 index 0000000000000..666b82621268c --- /dev/null +++ b/nixos/modules/services/web-apps/peering-manager.nix @@ -0,0 +1,265 @@ +{ config, lib, pkgs, buildEnv, ... }: + +with lib; + +let + cfg = config.services.peering-manager; + configFile = pkgs.writeTextFile { + name = "configuration.py"; + text = '' + ALLOWED_HOSTS = ['*'] + DATABASE = { + 'NAME': 'peering-manager', + 'USER': 'peering-manager', + 'HOST': '/run/postgresql', + } + + # Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate + # configuration exists for each. Full connection details are required in both sections, and it is strongly recommended + # to use two separate database IDs. + REDIS = { + 'tasks': { + 'UNIX_SOCKET_PATH': '${config.services.redis.servers.peering-manager.unixSocket}', + 'DATABASE': 0, + }, + 'caching': { + 'UNIX_SOCKET_PATH': '${config.services.redis.servers.peering-manager.unixSocket}', + 'DATABASE': 1, + } + } + + with open("${cfg.secretKeyFile}", "r") as file: + SECRET_KEY = file.readline() + '' + lib.optionalString (cfg.peeringdbApiKeyFile != null) '' + with open("${cfg.peeringdbApiKeyFile}", "r") as file: + PEERINGDB_API_KEY = file.readline() + '' + '' + + ${cfg.extraConfig} + ''; + }; + pkg = (pkgs.peering-manager.overrideAttrs (old: { + postInstall = '' + ln -s ${configFile} $out/opt/peering-manager/peering_manager/configuration.py + '' + optionalString cfg.enableLdap '' + ln -s ${cfg.ldapConfigPath} $out/opt/peering-manager/peering_manager/ldap_config.py + ''; + })).override { + inherit (cfg) plugins; + }; + peeringManagerManageScript = with pkgs; (writeScriptBin "peering-manager-manage" '' + #!${stdenv.shell} + export PYTHONPATH=${pkg.pythonPath} + sudo -u peering-manager ${pkg}/bin/peering-manager "$@" + ''); + +in { + options.services.peering-manager = { + enable = mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc '' + Enable Peering Manager. + + This module requires a reverse proxy that serves `/static` separately. + See this [example](https://github.com/peering-manager-community/peering-manager/blob/develop/contrib/nginx.conf/) on how to configure this. + ''; + }; + + listenAddress = mkOption { + type = types.str; + default = "[::1]"; + description = lib.mdDoc '' + Address the server will listen on. + ''; + }; + + port = mkOption { + type = types.port; + default = 8001; + description = lib.mdDoc '' + Port the server will listen on. + ''; + }; + + plugins = mkOption { + type = types.functionTo (types.listOf types.package); + default = _: []; + defaultText = literalExpression '' + python3Packages: with python3Packages; []; + ''; + description = lib.mdDoc '' + List of plugin packages to install. + ''; + }; + + secretKeyFile = mkOption { + type = types.path; + description = lib.mdDoc '' + Path to a file containing the secret key. + ''; + }; + + peeringdbApiKeyFile = mkOption { + type = with types; nullOr path; + default = null; + description = lib.mdDoc '' + Path to a file containing the PeeringDB API key. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc '' + Additional lines of configuration appended to the `configuration.py`. + See the [documentation](https://peering-manager.readthedocs.io/en/stable/configuration/optional-settings/) for more possible options. + ''; + }; + + enableLdap = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Enable LDAP-Authentication for Peering Manager. + + This requires a configuration file being pass through `ldapConfigPath`. + ''; + }; + + ldapConfigPath = mkOption { + type = types.path; + description = lib.mdDoc '' + Path to the Configuration-File for LDAP-Authentication, will be loaded as `ldap_config.py`. + See the [documentation](https://peering-manager.readthedocs.io/en/stable/setup/6-ldap/#configuration) for possible options. + ''; + }; + }; + + config = mkIf cfg.enable { + services.peering-manager.plugins = mkIf cfg.enableLdap (ps: [ ps.django-auth-ldap ]); + + system.build.peeringManagerPkg = pkg; + + services.redis.servers.peering-manager.enable = true; + + services.postgresql = { + enable = true; + ensureDatabases = [ "peering-manager" ]; + ensureUsers = [ + { + name = "peering-manager"; + ensurePermissions = { + "DATABASE \"peering-manager\"" = "ALL PRIVILEGES"; + }; + } + ]; + }; + + environment.systemPackages = [ peeringManagerManageScript ]; + + systemd.targets.peering-manager = { + description = "Target for all Peering Manager services"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" "redis-peering-manager.service" ]; + }; + + systemd.services = let + defaultServiceConfig = { + WorkingDirectory = "/var/lib/peering-manager"; + User = "peering-manager"; + Group = "peering-manager"; + StateDirectory = "peering-manager"; + StateDirectoryMode = "0750"; + Restart = "on-failure"; + }; + in { + peering-manager-migration = { + description = "Peering Manager migrations"; + wantedBy = [ "peering-manager.target" ]; + + environment = { + PYTHONPATH = pkg.pythonPath; + }; + + serviceConfig = defaultServiceConfig // { + Type = "oneshot"; + ExecStart = '' + ${pkg}/bin/peering-manager migrate + ''; + }; + }; + + peering-manager = { + description = "Peering Manager WSGI Service"; + wantedBy = [ "peering-manager.target" ]; + after = [ "peering-manager-migration.service" ]; + + preStart = '' + ${pkg}/bin/peering-manager remove_stale_contenttypes --no-input + ''; + + environment = { + PYTHONPATH = pkg.pythonPath; + }; + + serviceConfig = defaultServiceConfig // { + ExecStart = '' + ${pkg.python.pkgs.gunicorn}/bin/gunicorn peering_manager.wsgi \ + --bind ${cfg.listenAddress}:${toString cfg.port} \ + --pythonpath ${pkg}/opt/peering-manager + ''; + }; + }; + + peering-manager-rq = { + description = "Peering Manager Request Queue Worker"; + wantedBy = [ "peering-manager.target" ]; + after = [ "peering-manager.service" ]; + + environment = { + PYTHONPATH = pkg.pythonPath; + }; + + serviceConfig = defaultServiceConfig // { + ExecStart = '' + ${pkg}/bin/peering-manager rqworker high default low + ''; + }; + }; + + peering-manager-housekeeping = { + description = "Peering Manager housekeeping job"; + after = [ "peering-manager.service" ]; + + environment = { + PYTHONPATH = pkg.pythonPath; + }; + + serviceConfig = defaultServiceConfig // { + Type = "oneshot"; + ExecStart = '' + ${pkg}/bin/peering-manager housekeeping + ''; + }; + }; + }; + + systemd.timers.peering-manager-housekeeping = { + description = "Run Peering Manager housekeeping job"; + wantedBy = [ "timers.target" ]; + + timerConfig = { + OnCalendar = "daily"; + }; + }; + + users.users.peering-manager = { + home = "/var/lib/peering-manager"; + isSystemUser = true; + group = "peering-manager"; + }; + users.groups.peering-manager = {}; + users.groups."${config.services.redis.servers.peering-manager.user}".members = [ "peering-manager" ]; + }; +} diff --git a/nixos/modules/services/web-apps/peertube.nix b/nixos/modules/services/web-apps/peertube.nix index 046577e61566a..7e418f2869c85 100644 --- a/nixos/modules/services/web-apps/peertube.nix +++ b/nixos/modules/services/web-apps/peertube.nix @@ -67,7 +67,11 @@ let node ~/dist/server/tools/peertube.js $@ ''; - nginxCommonHeaders = '' + nginxCommonHeaders = lib.optionalString cfg.enableWebHttps '' + add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains'; + '' + lib.optionalString config.services.nginx.virtualHosts.${cfg.localDomain}.http3 '' + add_header Alt-Svc 'h3=":443"; ma=86400'; + '' + '' add_header Access-Control-Allow-Origin '*'; add_header Access-Control-Allow-Methods 'GET, OPTIONS'; add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; @@ -157,6 +161,18 @@ in { description = lib.mdDoc "Configure nginx as a reverse proxy for peertube."; }; + secrets = { + secretsFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/run/secrets/peertube"; + description = lib.mdDoc '' + Secrets to run PeerTube. + Generate one using `openssl rand -hex 32` + ''; + }; + }; + database = { createLocally = lib.mkOption { type = lib.types.bool; @@ -197,7 +213,7 @@ in { passwordFile = lib.mkOption { type = lib.types.nullOr lib.types.path; default = null; - example = "/run/keys/peertube/password-posgressql-db"; + example = "/run/keys/peertube/password-postgresql"; description = lib.mdDoc "Password for PostgreSQL database."; }; }; @@ -278,6 +294,11 @@ in { prevent this. ''; } + { assertion = cfg.secrets.secretsFile != null; + message = '' + <option>services.peertube.secrets.secretsFile</option> needs to be set. + ''; + } { assertion = !(cfg.redis.enableUnixSocket && (cfg.redis.host != null || cfg.redis.port != null)); message = '' <option>services.peertube.redis.createLocally</option> and redis network connection (<option>services.peertube.redis.host</option> or <option>services.peertube.redis.port</option>) enabled. Disable either of them. @@ -345,6 +366,7 @@ in { captions = lib.mkDefault "/var/lib/peertube/storage/captions/"; cache = lib.mkDefault "/var/lib/peertube/storage/cache/"; plugins = lib.mkDefault "/var/lib/peertube/storage/plugins/"; + well_known = lib.mkDefault "/var/lib/peertube/storage/well_known/"; client_overrides = lib.mkDefault "/var/lib/peertube/storage/client-overrides/"; }; import = { @@ -370,7 +392,7 @@ in { systemd.services.peertube-init-db = lib.mkIf cfg.database.createLocally { description = "Initialization database for PeerTube daemon"; after = [ "network.target" "postgresql.service" ]; - wantedBy = [ "multi-user.target" ]; + requires = [ "postgresql.service" ]; script = let psqlSetupCommands = pkgs.writeText "peertube-init.sql" '' @@ -399,7 +421,9 @@ in { systemd.services.peertube = { description = "PeerTube daemon"; after = [ "network.target" ] - ++ lib.optionals cfg.redis.createLocally [ "redis.service" ] + ++ lib.optional cfg.redis.createLocally "redis-peertube.service" + ++ lib.optionals cfg.database.createLocally [ "postgresql.service" "peertube-init-db.service" ]; + requires = lib.optional cfg.redis.createLocally "redis-peertube.service" ++ lib.optionals cfg.database.createLocally [ "postgresql.service" "peertube-init-db.service" ]; wantedBy = [ "multi-user.target" ]; @@ -411,6 +435,10 @@ in { #!/bin/sh umask 077 cat > /var/lib/peertube/config/local.yaml <<EOF + ${lib.optionalString (cfg.secrets.secretsFile != null) '' + secrets: + peertube: '$(cat ${cfg.secrets.secretsFile})' + ''} ${lib.optionalString ((!cfg.database.createLocally) && (cfg.database.passwordFile != null)) '' database: password: '$(cat ${cfg.database.passwordFile})' @@ -437,6 +465,7 @@ in { RestartSec = 20; TimeoutSec = 60; WorkingDirectory = cfg.package; + SyslogIdentifier = "peertube"; # User and group User = cfg.user; Group = cfg.group; @@ -487,6 +516,10 @@ in { extraConfig = '' client_max_body_size 12G; add_header X-File-Maximum-Size 8G always; + '' + lib.optionalString cfg.enableWebHttps '' + add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains'; + '' + lib.optionalString config.services.nginx.virtualHosts.${cfg.localDomain}.http3 '' + add_header Alt-Svc 'h3=":443"; ma=86400'; ''; }; @@ -497,6 +530,10 @@ in { extraConfig = '' client_max_body_size 6M; add_header X-File-Maximum-Size 4M always; + '' + lib.optionalString cfg.enableWebHttps '' + add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains'; + '' + lib.optionalString config.services.nginx.virtualHosts.${cfg.localDomain}.http3 '' + add_header Alt-Svc 'h3=":443"; ma=86400'; ''; }; @@ -534,9 +571,14 @@ in { ''; }; + locations."~ ^/plugins/[^/]+(/[^/]+)?/ws/" = { + tryFiles = "/dev/null @api_websocket"; + priority = 1230; + }; + locations."@api_websocket" = { proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}"; - priority = 1230; + priority = 1240; extraConfig = '' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -560,10 +602,14 @@ in { priority = 1320; extraConfig = '' add_header Cache-Control 'public, max-age=604800, immutable'; + '' + lib.optionalString cfg.enableWebHttps '' + add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains'; + '' + lib.optionalString config.services.nginx.virtualHosts.${cfg.localDomain}.http3 '' + add_header Alt-Svc 'h3=":443"; ma=86400'; ''; }; - locations."~ ^/lazy-static/(avatars|banners)/" = { + locations."^~ /lazy-static/avatars/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.avatars; priority = 1330; @@ -581,6 +627,26 @@ in { add_header Cache-Control 'public, max-age=7200'; rewrite ^/lazy-static/avatars/(.*)$ /$1 break; + ''; + }; + + locations."^~ /lazy-static/banners/" = { + tryFiles = "$uri @api"; + root = cfg.settings.storage.avatars; + priority = 1340; + extraConfig = '' + if ($request_method = 'OPTIONS') { + ${nginxCommonHeaders} + add_header Access-Control-Max-Age 1728000; + add_header Cache-Control 'no-cache'; + add_header Content-Type 'text/plain charset=UTF-8'; + add_header Content-Length 0; + return 204; + } + + ${nginxCommonHeaders} + add_header Cache-Control 'public, max-age=7200'; + rewrite ^/lazy-static/banners/(.*)$ /$1 break; ''; }; @@ -588,7 +654,7 @@ in { locations."^~ /lazy-static/previews/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.previews; - priority = 1340; + priority = 1350; extraConfig = '' if ($request_method = 'OPTIONS') { ${nginxCommonHeaders} @@ -606,10 +672,34 @@ in { ''; }; + locations."^~ /static/streaming-playlists/private/" = { + proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}"; + priority = 1410; + extraConfig = '' + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + + proxy_limit_rate 5M; + ''; + }; + + locations."^~ /static/webseed/private/" = { + proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}"; + priority = 1420; + extraConfig = '' + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + + proxy_limit_rate 5M; + ''; + }; + locations."^~ /static/thumbnails/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.thumbnails; - priority = 1350; + priority = 1430; extraConfig = '' if ($request_method = 'OPTIONS') { ${nginxCommonHeaders} @@ -630,8 +720,14 @@ in { locations."^~ /static/redundancy/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.redundancy; - priority = 1360; + priority = 1440; extraConfig = '' + set $peertube_limit_rate 800k; + + if ($request_uri ~ -fragmented.mp4$) { + set $peertube_limit_rate 5M; + } + if ($request_method = 'OPTIONS') { ${nginxCommonHeaders} add_header Access-Control-Max-Age 1728000; @@ -644,15 +740,14 @@ in { access_log off; } + aio threads; sendfile on; sendfile_max_chunk 1M; + limit_rate $peertube_limit_rate; limit_rate_after 5M; - set $peertube_limit_rate 800k; - set $limit_rate $peertube_limit_rate; - rewrite ^/static/redundancy/(.*)$ /$1 break; ''; }; @@ -660,8 +755,14 @@ in { locations."^~ /static/streaming-playlists/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.streaming_playlists; - priority = 1370; + priority = 1450; extraConfig = '' + set $peertube_limit_rate 800k; + + if ($request_uri ~ -fragmented.mp4$) { + set $peertube_limit_rate 5M; + } + if ($request_method = 'OPTIONS') { ${nginxCommonHeaders} add_header Access-Control-Max-Age 1728000; @@ -679,20 +780,24 @@ in { sendfile on; sendfile_max_chunk 1M; + limit_rate $peertube_limit_rate; limit_rate_after 5M; - set $peertube_limit_rate 5M; - set $limit_rate $peertube_limit_rate; - rewrite ^/static/streaming-playlists/(.*)$ /$1 break; ''; }; - locations."~ ^/static/webseed/" = { + locations."^~ /static/webseed/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.videos; - priority = 1380; + priority = 1460; extraConfig = '' + set $peertube_limit_rate 800k; + + if ($request_uri ~ -fragmented.mp4$) { + set $peertube_limit_rate 5M; + } + if ($request_method = 'OPTIONS') { ${nginxCommonHeaders} add_header Access-Control-Max-Age 1728000; @@ -710,14 +815,16 @@ in { sendfile on; sendfile_max_chunk 1M; + limit_rate $peertube_limit_rate; limit_rate_after 5M; - set $peertube_limit_rate 800k; - set $limit_rate $peertube_limit_rate; - rewrite ^/static/webseed/(.*)$ /$1 break; ''; }; + + extraConfig = lib.optionalString cfg.enableWebHttps '' + add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains'; + ''; }; }; diff --git a/nixos/modules/services/web-apps/pgpkeyserver-lite.nix b/nixos/modules/services/web-apps/pgpkeyserver-lite.nix index 0ab39b0793150..dd51bacd75ea1 100644 --- a/nixos/modules/services/web-apps/pgpkeyserver-lite.nix +++ b/nixos/modules/services/web-apps/pgpkeyserver-lite.nix @@ -41,7 +41,7 @@ in defaultText = literalExpression "head config.${sksOpt.hkpAddress}"; type = types.str; description = lib.mdDoc '' - Wich ip address the sks-keyserver is listening on. + Which IP address the sks-keyserver is listening on. ''; }; diff --git a/nixos/modules/services/web-apps/snipe-it.nix b/nixos/modules/services/web-apps/snipe-it.nix index 6da44f1bdf34c..93b0aafab64bf 100644 --- a/nixos/modules/services/web-apps/snipe-it.nix +++ b/nixos/modules/services/web-apps/snipe-it.nix @@ -381,7 +381,7 @@ in { }; systemd.services.snipe-it-setup = { - description = "Preperation tasks for snipe-it"; + description = "Preparation tasks for snipe-it"; before = [ "phpfpm-snipe-it.service" ]; after = optional db.createLocally "mysql.service"; wantedBy = [ "multi-user.target" ]; @@ -454,8 +454,9 @@ in { # A placeholder file for invalid barcodes invalid_barcode_location="${cfg.dataDir}/public/uploads/barcodes/invalid_barcode.gif" - [ ! -e "$invalid_barcode_location" ] \ - && cp ${snipe-it}/share/snipe-it/invalid_barcode.gif "$invalid_barcode_location" + if [ ! -e "$invalid_barcode_location" ]; then + cp ${snipe-it}/share/snipe-it/invalid_barcode.gif "$invalid_barcode_location" + fi ''; }; diff --git a/nixos/modules/services/web-apps/sogo.nix b/nixos/modules/services/web-apps/sogo.nix index ca1f426623f54..5e5d9472829d8 100644 --- a/nixos/modules/services/web-apps/sogo.nix +++ b/nixos/modules/services/web-apps/sogo.nix @@ -49,7 +49,7 @@ in { Replacement-filepath mapping for sogo.conf. Every key is replaced with the contents of the file specified as value. - In the example, every occurence of LDAP_BINDPW will be replaced with the text of the + In the example, every occurrence of LDAP_BINDPW will be replaced with the text of the specified file. ''; type = attrsOf str; diff --git a/nixos/modules/services/web-apps/wiki-js.nix b/nixos/modules/services/web-apps/wiki-js.nix index c5627a28b8493..b6e5b4594f1da 100644 --- a/nixos/modules/services/web-apps/wiki-js.nix +++ b/nixos/modules/services/web-apps/wiki-js.nix @@ -17,7 +17,7 @@ in { default = null; example = "/root/wiki-js.env"; description = lib.mdDoc '' - Environment fiel to inject e.g. secrets into the configuration. + Environment file to inject e.g. secrets into the configuration. ''; }; diff --git a/nixos/modules/services/web-apps/zabbix.nix b/nixos/modules/services/web-apps/zabbix.nix index 0e43922f35de8..2cea7e7cea723 100644 --- a/nixos/modules/services/web-apps/zabbix.nix +++ b/nixos/modules/services/web-apps/zabbix.nix @@ -51,7 +51,7 @@ in server = { port = mkOption { - type = types.int; + type = types.port; description = lib.mdDoc "The port of the Zabbix server to connect to."; default = 10051; }; @@ -78,7 +78,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = if cfg.database.type == "mysql" then config.services.mysql.port else if cfg.database.type == "pgsql" then config.services.postgresql.port diff --git a/nixos/modules/services/web-servers/agate.nix b/nixos/modules/services/web-servers/agate.nix index 9d635c64a44e0..a0c8a8c94ee5a 100644 --- a/nixos/modules/services/web-servers/agate.nix +++ b/nixos/modules/services/web-servers/agate.nix @@ -43,7 +43,7 @@ in type = types.listOf types.str; description = lib.mdDoc '' Domain name of this Gemini server, enables checking hostname and port - in requests. (multiple occurences means basic vhosts) + in requests. (multiple occurrences means basic vhosts) ''; }; diff --git a/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix b/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix index 0d60d533c994e..7b87f9ef4bded 100644 --- a/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix +++ b/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix @@ -61,7 +61,7 @@ in description = lib.mdDoc '' Listen addresses for this virtual host. - Compared to `listen` this only sets the addreses + Compared to `listen` this only sets the addresses and the ports are chosen automatically. ''; default = [ "*" ]; diff --git a/nixos/modules/services/web-servers/garage-doc.xml b/nixos/modules/services/web-servers/garage-doc.xml new file mode 100644 index 0000000000000..16f6fde94b5a8 --- /dev/null +++ b/nixos/modules/services/web-servers/garage-doc.xml @@ -0,0 +1,139 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="module-services-garage"> + <title>Garage</title> + <para> + <link xlink:href="https://garagehq.deuxfleurs.fr/">Garage</link> + is an open-source, self-hostable S3 store, simpler than MinIO, for geodistributed stores. + The server setup can be automated using + <link linkend="opt-services.garage.enable">services.garage</link>. A + client configured to your local Garage instance is available in + the global environment as <literal>garage-manage</literal>. + </para> + <para> + The current default by NixOS is <package>garage_0_8</package> which is also the latest + major version available. + </para> + <section xml:id="module-services-garage-upgrade-scenarios"> + <title>General considerations on upgrades</title> + + <para> + Garage provides a cookbook documentation on how to upgrade: + <link xlink:href="https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/">https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/</link> + </para> + + <warning> + <para>Garage has two types of upgrades: patch-level upgrades and minor/major version upgrades.</para> + + <para>In all cases, you should read the changelog and ideally test the upgrade on a staging cluster.</para> + + <para>Checking the health of your cluster can be achieved using <literal>garage-manage repair</literal>.</para> + </warning> + + + <warning> + <para>Until 1.0 is released, patch-level upgrades are considered as minor version upgrades. + Minor version upgrades are considered as major version upgrades. + i.e. 0.6 to 0.7 is a major version upgrade.</para> + </warning> + + <itemizedlist> + <listitem> + <formalpara> + <title>Straightforward upgrades (patch-level upgrades)</title> + <para> + Upgrades must be performed one by one, i.e. for each node, stop it, upgrade it : change <link linkend="opt-system.stateVersion">stateVersion</link> or <link linkend="opt-services.garage.package">services.garage.package</link>, restart it if it was not already by switching. + </para> + </formalpara> + </listitem> + + <listitem> + <formalpara> + <title>Multiple version upgrades</title> + <para> + Garage do not provide any guarantee on moving more than one major-version forward. + E.g., if you're on <literal>0.7</literal>, you cannot upgrade to <literal>0.9</literal>. + You need to upgrade to <literal>0.8</literal> first. + + As long as <link linkend="opt-system.stateVersion">stateVersion</link> is declared properly, + this is enforced automatically. The module will issue a warning to remind the user to upgrade to latest + Garage <emphasis>after</emphasis> that deploy. + </para> + </formalpara> + </listitem> +</itemizedlist> +</section> + +<section xml:id="module-services-garage-advanced-upgrades"> + <title>Advanced upgrades (minor/major version upgrades)</title> + <para>Here are some baseline instructions to handle advanced upgrades in Garage, when in doubt, please refer to upstream instructions.</para> + + <itemizedlist> + <listitem><para>Disable API and web access to Garage.</para></listitem> + <listitem><para>Perform <literal>garage-manage repair --all-nodes --yes tables</literal> and <literal>garage-manage repair --all-nodes --yes blocks</literal>.</para></listitem> + <listitem><para>Verify the resulting logs and check that data is synced properly between all nodes. + If you have time, do additional checks (<literal>scrub</literal>, <literal>block_refs</literal>, etc.).</para></listitem> + <listitem><para>Check if queues are empty by <literal>garage-manage stats</literal> or through monitoring tools.</para></listitem> + <listitem><para>Run <literal>systemctl stop garage</literal> to stop the actual Garage version.</para></listitem> + <listitem><para>Backup the metadata folder of ALL your nodes, e.g. for a metadata directory (the default one) in <literal>/var/lib/garage/meta</literal>, + you can run <literal>pushd /var/lib/garage; tar -acf meta-v0.7.tar.zst meta/; popd</literal>.</para></listitem> + <listitem><para>Run the offline migration: <literal>nix-shell -p garage_0_8 --run "garage offline-repair --yes"</literal>, this can take some time depending on how many objects are stored in your cluster.</para></listitem> + <listitem><para>Bump Garage version in your NixOS configuration, either by changing <link linkend="opt-system.stateVersion">stateVersion</link> or bumping <link linkend="opt-services.garage.package">services.garage.package</link>, this should restart Garage automatically.</para></listitem> + <listitem><para>Perform <literal>garage-manage repair --all-nodes --yes tables</literal> and <literal>garage-manage repair --all-nodes --yes blocks</literal>.</para></listitem> + <listitem><para>Wait for a full table sync to run.</para></listitem> + </itemizedlist> + + <para> + Your upgraded cluster should be in a working state, re-enable API and web access. + </para> +</section> + +<section xml:id="module-services-garage-maintainer-info"> + <title>Maintainer information</title> + + <para> + As stated in the previous paragraph, we must provide a clean upgrade-path for Garage + since it cannot move more than one major version forward on a single upgrade. This chapter + adds some notes how Garage updates should be rolled out in the future. + + This is inspired from how Nextcloud does it. + </para> + + <para> + While patch-level updates are no problem and can be done directly in the + package-expression (and should be backported to supported stable branches after that), + major-releases should be added in a new attribute (e.g. Garage <literal>v0.8.0</literal> + should be available in <literal>nixpkgs</literal> as <literal>pkgs.garage_0_8_0</literal>). + To provide simple upgrade paths it's generally useful to backport those as well to stable + branches. As long as the package-default isn't altered, this won't break existing setups. + After that, the versioning-warning in the <literal>garage</literal>-module should be + updated to make sure that the + <link linkend="opt-services.garage.package">package</link>-option selects the latest version + on fresh setups. + </para> + + <para> + If major-releases will be abandoned by upstream, we should check first if those are needed + in NixOS for a safe upgrade-path before removing those. In that case we shold keep those + packages, but mark them as insecure in an expression like this (in + <literal><nixpkgs/pkgs/tools/filesystem/garage/default.nix></literal>): +<programlisting>/* ... */ +{ + garage_0_7_3 = generic { + version = "0.7.3"; + sha256 = "0000000000000000000000000000000000000000000000000000"; + eol = true; + }; +}</programlisting> + </para> + + <para> + Ideally we should make sure that it's possible to jump two NixOS versions forward: + i.e. the warnings and the logic in the module should guard a user to upgrade from a + Garage on e.g. 22.11 to a Garage on 23.11. + </para> + </section> + +</chapter> diff --git a/nixos/modules/services/web-servers/garage.nix b/nixos/modules/services/web-servers/garage.nix index 76ab273483eb4..d66bcd7315082 100644 --- a/nixos/modules/services/web-servers/garage.nix +++ b/nixos/modules/services/web-servers/garage.nix @@ -8,7 +8,10 @@ let configFile = toml.generate "garage.toml" cfg.settings; in { - meta.maintainers = [ maintainers.raitobezarius ]; + meta = { + doc = ./garage-doc.xml; + maintainers = with pkgs.lib.maintainers; [ raitobezarius ]; + }; options.services.garage = { enable = mkEnableOption (lib.mdDoc "Garage Object Storage (S3 compatible)"); @@ -56,10 +59,12 @@ in }; package = mkOption { - default = pkgs.garage; - defaultText = literalExpression "pkgs.garage"; + # TODO: when 23.05 is released and if Garage 0.9 is the default, put a stateVersion check. + default = if versionAtLeast stateVersion "23.05" then pkgs.garage_0_8_0 + else pkgs.garage_0_7; + defaultText = literalExpression "pkgs.garage_0_7"; type = types.package; - description = lib.mdDoc "Garage package to use."; + description = lib.mdDoc "Garage package to use, if you are upgrading from a major version, please read NixOS and Garage release notes for upgrade instructions."; }; }; diff --git a/nixos/modules/services/web-servers/keter/default.nix b/nixos/modules/services/web-servers/keter/default.nix index 42ab6640b4c9d..9adbe65de69fb 100644 --- a/nixos/modules/services/web-servers/keter/default.nix +++ b/nixos/modules/services/web-servers/keter/default.nix @@ -140,7 +140,7 @@ Keep an old app running and swap the ports when the new one is booted. # On deploy this will load our app, by moving it into the incoming dir # If the bundle content changes, this will run again. - # Because the bundle content contains the nix path to the exectuable, + # Because the bundle content contains the nix path to the executable, # we inherit nix based cache busting. systemd.services.load-keter-bundle = { description = "load keter bundle into incoming folder"; diff --git a/nixos/modules/services/web-servers/lighttpd/default.nix b/nixos/modules/services/web-servers/lighttpd/default.nix index ec847495d7414..811afe8e0af66 100644 --- a/nixos/modules/services/web-servers/lighttpd/default.nix +++ b/nixos/modules/services/web-servers/lighttpd/default.nix @@ -137,7 +137,7 @@ in package = mkOption { default = pkgs.lighttpd; - defaultText = "pkgs.lighttpd"; + defaultText = lib.literalExpression "pkgs.lighttpd"; type = types.package; description = lib.mdDoc '' lighttpd package to use. diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 12afc23592ba1..95e600ea79a5a 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -29,6 +29,43 @@ let ) cfg.virtualHosts; enableIPv6 = config.networking.enableIPv6; + # Mime.types values are taken from brotli sample configuration - https://github.com/google/ngx_brotli + # and Nginx Server Configs - https://github.com/h5bp/server-configs-nginx + compressMimeTypes = [ + "application/atom+xml" + "application/geo+json" + "application/json" + "application/ld+json" + "application/manifest+json" + "application/rdf+xml" + "application/vnd.ms-fontobject" + "application/wasm" + "application/x-rss+xml" + "application/x-web-app-manifest+json" + "application/xhtml+xml" + "application/xliff+xml" + "application/xml" + "font/collection" + "font/otf" + "font/ttf" + "image/bmp" + "image/svg+xml" + "image/vnd.microsoft.icon" + "text/cache-manifest" + "text/calendar" + "text/css" + "text/csv" + "text/html" + "text/javascript" + "text/markdown" + "text/plain" + "text/vcard" + "text/vnd.rim.location.xloc" + "text/vtt" + "text/x-component" + "text/xml" + ]; + defaultFastcgiParams = { SCRIPT_FILENAME = "$document_root$fastcgi_script_name"; QUERY_STRING = "$query_string"; @@ -140,6 +177,16 @@ let ssl_stapling_verify on; ''} + ${optionalString (cfg.recommendedBrotliSettings) '' + brotli on; + brotli_static on; + brotli_comp_level 5; + brotli_window 512k; + brotli_min_length 256; + brotli_types ${lib.concatStringsSep " " compressMimeTypes}; + brotli_buffers 32 8k; + ''} + ${optionalString (cfg.recommendedGzipSettings) '' gzip on; gzip_proxied any; @@ -192,6 +239,14 @@ let server_tokens ${if cfg.serverTokens then "on" else "off"}; + ${optionalString (cfg.proxyCache.enable) '' + proxy_cache_path /var/cache/nginx keys_zone=${cfg.proxyCache.keysZoneName}:${cfg.proxyCache.keysZoneSize} + levels=${cfg.proxyCache.levels} + use_temp_path=${if cfg.proxyCache.useTempPath then "on" else "off"} + inactive=${cfg.proxyCache.inactive} + max_size=${cfg.proxyCache.maxSize}; + ''} + ${cfg.commonHttpConfig} ${vhosts} @@ -233,7 +288,7 @@ let configPath = if cfg.enableReload then "/etc/nginx/nginx.conf" - else configFile; + else finalConfigFile; execCommand = "${cfg.package}/bin/nginx -c '${configPath}'"; @@ -310,7 +365,9 @@ let ${acmeLocation} ${optionalString (vhost.root != null) "root ${vhost.root};"} ${optionalString (vhost.globalRedirect != null) '' - return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri; + location / { + return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri; + } ''} ${optionalString hasSSL '' ssl_certificate ${vhost.sslCertificate}; @@ -383,6 +440,38 @@ let ); mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix; + + snakeOilCert = pkgs.runCommand "nginx-config-validate-cert" { nativeBuildInputs = [ pkgs.openssl.bin ]; } '' + mkdir $out + openssl genrsa -des3 -passout pass:xxxxx -out server.pass.key 2048 + openssl rsa -passin pass:xxxxx -in server.pass.key -out $out/server.key + openssl req -new -key $out/server.key -out server.csr \ + -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com" + openssl x509 -req -days 1 -in server.csr -signkey $out/server.key -out $out/server.crt + ''; + validatedConfigFile = pkgs.runCommand "validated-nginx.conf" { nativeBuildInputs = [ cfg.package ]; } '' + # nginx absolutely wants to read the certificates even when told to only validate config, so let's provide fake certs + sed ${configFile} \ + -e "s|ssl_certificate .*;|ssl_certificate ${snakeOilCert}/server.crt;|g" \ + -e "s|ssl_trusted_certificate .*;|ssl_trusted_certificate ${snakeOilCert}/server.crt;|g" \ + -e "s|ssl_certificate_key .*;|ssl_certificate_key ${snakeOilCert}/server.key;|g" \ + > conf + + LD_PRELOAD=${pkgs.libredirect}/lib/libredirect.so \ + NIX_REDIRECTS="/etc/resolv.conf=/dev/null" \ + nginx -t -c $(readlink -f ./conf) > out 2>&1 || true + if ! grep -q "syntax is ok" out; then + echo nginx config validation failed. + echo config was ${configFile}. + echo 'in case of false positive, set `services.nginx.validateConfig` to false.' + echo nginx output: + cat out + exit 1 + fi + cp ${configFile} $out + ''; + + finalConfigFile = if cfg.validateConfig then validatedConfigFile else configFile; in { @@ -414,6 +503,16 @@ in ''; }; + recommendedBrotliSettings = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + Enable recommended brotli settings. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md). + + This adds `pkgs.nginxModules.brotli` to `services.nginx.additionalModules`. + ''; + }; + recommendedGzipSettings = mkOption { default = false; type = types.bool; @@ -481,14 +580,24 @@ in ''; }; + validateConfig = mkOption { + # FIXME: re-enable if we can make of the configurations work. + #default = pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform; + default = false; + defaultText = literalExpression "pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform"; + type = types.bool; + description = lib.mdDoc '' + Validate the generated nginx config at build time. The check is not very robust and can be disabled in case of false positives. This is notably the case when cross-compiling or when using `include` with files outside of the store. + ''; + }; + additionalModules = mkOption { default = []; type = types.listOf (types.attrsOf types.anything); - example = literalExpression "[ pkgs.nginxModules.brotli ]"; + example = literalExpression "[ pkgs.nginxModules.echo ]"; description = lib.mdDoc '' Additional [third-party nginx modules](https://www.nginx.com/resources/wiki/modules/) - to install. Packaged modules are available in - `pkgs.nginxModules`. + to install. Packaged modules are available in `pkgs.nginxModules`. ''; }; @@ -707,6 +816,72 @@ in ''; }; + proxyCache = mkOption { + type = types.submodule { + options = { + enable = mkEnableOption (lib.mdDoc "Enable proxy cache"); + + keysZoneName = mkOption { + type = types.str; + default = "cache"; + example = "my_cache"; + description = lib.mdDoc "Set name to shared memory zone."; + }; + + keysZoneSize = mkOption { + type = types.str; + default = "10m"; + example = "32m"; + description = lib.mdDoc "Set size to shared memory zone."; + }; + + levels = mkOption { + type = types.str; + default = "1:2"; + example = "1:2:2"; + description = lib.mdDoc '' + The levels parameter defines structure of subdirectories in cache: from + 1 to 3, each level accepts values 1 or 2. Сan be used any combination of + 1 and 2 in these formats: x, x:x and x:x:x. + ''; + }; + + useTempPath = mkOption { + type = types.bool; + default = false; + example = true; + description = lib.mdDoc '' + Nginx first writes files that are destined for the cache to a temporary + storage area, and the use_temp_path=off directive instructs Nginx to + write them to the same directories where they will be cached. Recommended + that you set this parameter to off to avoid unnecessary copying of data + between file systems. + ''; + }; + + inactive = mkOption { + type = types.str; + default = "10m"; + example = "1d"; + description = lib.mdDoc '' + Cached data that has not been accessed for the time specified by + the inactive parameter is removed from the cache, regardless of + its freshness. + ''; + }; + + maxSize = mkOption { + type = types.str; + default = "1g"; + example = "2048m"; + description = lib.mdDoc "Set maximum cache size"; + }; + }; + }; + default = {}; + description = lib.mdDoc "Configure proxy cache"; + }; + resolver = mkOption { type = types.submodule { options = { @@ -880,6 +1055,8 @@ in groups = config.users.groups; }) dependentCertNames; + services.nginx.additionalModules = optional cfg.recommendedBrotliSettings pkgs.nginxModules.brotli; + systemd.services.nginx = { description = "Nginx Web Server"; wantedBy = [ "multi-user.target" ]; @@ -953,7 +1130,7 @@ in }; environment.etc."nginx/nginx.conf" = mkIf cfg.enableReload { - source = configFile; + source = finalConfigFile; }; # This service waits for all certificates to be available @@ -972,7 +1149,7 @@ in # certs are updated _after_ config has been reloaded. before = sslTargets; after = sslServices; - restartTriggers = optionals (cfg.enableReload) [ configFile ]; + restartTriggers = optionals (cfg.enableReload) [ finalConfigFile ]; # Block reloading if not all certs exist yet. # Happens when config changes add new vhosts/certs. unitConfig.ConditionPathExists = optionals (sslServices != []) (map (certName: certs.${certName}.directory + "/fullchain.pem") dependentCertNames); diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index e3d4afc074cfa..089decb5f4335 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -29,7 +29,7 @@ with lib; listen = mkOption { type = with types; listOf (submodule { options = { addr = mkOption { type = str; description = lib.mdDoc "IP address."; }; - port = mkOption { type = int; description = lib.mdDoc "Port number."; default = 80; }; + port = mkOption { type = port; description = lib.mdDoc "Port number."; default = 80; }; ssl = mkOption { type = bool; description = lib.mdDoc "Enable SSL."; default = false; }; extraParameters = mkOption { type = listOf str; description = lib.mdDoc "Extra parameters of this listen directive."; default = []; example = [ "backlog=1024" "deferred" ]; }; }; }); @@ -54,8 +54,8 @@ with lib; description = lib.mdDoc '' Listen addresses for this virtual host. - Compared to `listen` this only sets the addreses - and the ports are choosen automatically. + Compared to `listen` this only sets the addresses + and the ports are chosen automatically. Note: This option overrides `enableIPv6` ''; diff --git a/nixos/modules/services/web-servers/ttyd.nix b/nixos/modules/services/web-servers/ttyd.nix index affd5bbeea3cc..e0a8b5179e06d 100644 --- a/nixos/modules/services/web-servers/ttyd.nix +++ b/nixos/modules/services/web-servers/ttyd.nix @@ -163,7 +163,7 @@ in assertions = [ { assertion = cfg.enableSSL -> cfg.certFile != null && cfg.keyFile != null && cfg.caFile != null; - message = "SSL is enabled for ttyd, but no certFile, keyFile or caFile has been specefied."; } + message = "SSL is enabled for ttyd, but no certFile, keyFile or caFile has been specified."; } { assertion = ! (cfg.interface != null && cfg.socket != null); message = "Cannot set both interface and socket for ttyd."; } { assertion = (cfg.username != null) == (cfg.passwordFile != null); diff --git a/nixos/modules/services/web-servers/zope2.nix b/nixos/modules/services/web-servers/zope2.nix index a80fe882f1a74..a17fe6bc20823 100644 --- a/nixos/modules/services/web-servers/zope2.nix +++ b/nixos/modules/services/web-servers/zope2.nix @@ -95,7 +95,7 @@ in }; } ''; - description = lib.mdDoc "zope2 instances to be created automaticaly by the system."; + description = lib.mdDoc "zope2 instances to be created automatically by the system."; }; }; diff --git a/nixos/modules/services/x11/desktop-managers/cinnamon.nix b/nixos/modules/services/x11/desktop-managers/cinnamon.nix index 2c59ee410d5fb..08c5625fc7ddd 100644 --- a/nixos/modules/services/x11/desktop-managers/cinnamon.nix +++ b/nixos/modules/services/x11/desktop-managers/cinnamon.nix @@ -67,13 +67,17 @@ in # Taken from mint-artwork.gschema.override theme = mkIf (notExcluded pkgs.cinnamon.mint-themes) { - name = mkDefault "Mint-X"; + name = mkDefault "Mint-Y-Aqua"; package = mkDefault pkgs.cinnamon.mint-themes; }; iconTheme = mkIf (notExcluded pkgs.cinnamon.mint-x-icons) { - name = mkDefault "Mint-X-Dark"; + name = mkDefault "Mint-Y-Aqua"; package = mkDefault pkgs.cinnamon.mint-x-icons; }; + cursorTheme = mkIf (notExcluded pkgs.cinnamon.mint-cursor-themes) { + name = mkDefault "Bibata-Modern-Classic"; + package = mkDefault pkgs.cinnamon.mint-cursor-themes; + }; }; services.xserver.displayManager.sessionCommands = '' if test "$XDG_CURRENT_DESKTOP" = "Cinnamon"; then @@ -101,7 +105,7 @@ in services.dbus.packages = with pkgs.cinnamon; [ cinnamon-common cinnamon-screensaver - nemo + nemo-with-extensions xapp ]; services.cinnamon.apps.enable = mkDefault true; @@ -150,7 +154,7 @@ in polkit_gnome # packages - nemo + nemo-with-extensions cinnamon-control-center cinnamon-settings-daemon libgnomekbd @@ -172,10 +176,10 @@ in sound-theme-freedesktop nixos-artwork.wallpapers.simple-dark-gray mint-artwork + mint-cursor-themes mint-themes mint-x-icons mint-y-icons - vanilla-dmz ] config.environment.cinnamon.excludePackages); xdg.mime.enable = true; diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index 112c7e7a922ba..eb30e601dd009 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -389,6 +389,11 @@ in ++ lib.optionals config.services.samba.enable [ kdenetwork-filesharing pkgs.samba ] ++ lib.optional config.services.xserver.wacom.enable pkgs.wacomtablet; + # Extra services for D-Bus activation + services.dbus.packages = [ + plasma5.kactivitymanagerd + ]; + environment.pathsToLink = [ # FIXME: modules should link subdirs of `/share` rather than relying on this "/share" @@ -451,6 +456,9 @@ in xdg.portal.enable = true; xdg.portal.extraPortals = [ plasma5.xdg-desktop-portal-kde ]; + # xdg-desktop-portal-kde expects PipeWire to be running. + # This does not, by default, replace PulseAudio. + services.pipewire.enable = mkDefault true; # Update the start menu for each user that is currently logged in system.userActivationScripts.plasmaSetup = activationScript; @@ -542,7 +550,7 @@ in } { # The user interface breaks without pulse - assertion = config.hardware.pulseaudio.enable; + assertion = config.hardware.pulseaudio.enable || (config.services.pipewire.enable && config.services.pipewire.pulse.enable); message = "Plasma Mobile requires pulseaudio."; } ]; @@ -582,6 +590,8 @@ in hardware.bluetooth.enable = true; hardware.pulseaudio.enable = true; networking.networkmanager.enable = true; + # Required for autorotate + hardware.sensor.iio.enable = lib.mkDefault true; # Recommendations can be found here: # - https://invent.kde.org/plasma-mobile/plasma-phone-settings/-/tree/master/etc/xdg @@ -595,9 +605,9 @@ in }; }; kwinrc = { - Windows = { - # Forces windows to be maximized - Placement = lib.mkDefault "Maximizing"; + "Wayland" = { + "InputMethod[$e]" = "/run/current-system/sw/share/applications/com.github.maliit.keyboard.desktop"; + "VirtualKeyboardEnabled" = "true"; }; "org.kde.kdecoration2" = { # No decorations (title bar) diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix index 00fa8af71dc54..4456374cc569e 100644 --- a/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix @@ -11,6 +11,7 @@ let theme = cfg.theme.package; icons = cfg.iconTheme.package; font = cfg.font.package; + cursors = cfg.cursorTheme.package; slickGreeterConf = writeText "slick-greeter.conf" '' [Greeter] @@ -18,6 +19,8 @@ let theme-name=${cfg.theme.name} icon-theme-name=${cfg.iconTheme.name} font-name=${cfg.font.name} + cursor-theme-name=${cfg.cursorTheme.name} + cursor-theme-size=${toString cfg.cursorTheme.size} draw-user-backgrounds=${boolToString cfg.draw-user-backgrounds} ${cfg.extraConfig} ''; @@ -84,6 +87,33 @@ in }; }; + cursorTheme = { + package = mkOption { + type = types.package; + default = pkgs.gnome.adwaita-icon-theme; + defaultText = literalExpression "pkgs.gnome.adwaita-icon-theme"; + description = lib.mdDoc '' + The package path that contains the cursor theme given in the name option. + ''; + }; + + name = mkOption { + type = types.str; + default = "Adwaita"; + description = lib.mdDoc '' + Name of the cursor theme to use for the lightdm-slick-greeter. + ''; + }; + + size = mkOption { + type = types.int; + default = 24; + description = lib.mdDoc '' + Size of the cursor theme to use for the lightdm-slick-greeter. + ''; + }; + }; + draw-user-backgrounds = mkEnableOption (lib.mdDoc "draw user backgrounds"); extraConfig = mkOption { @@ -107,6 +137,7 @@ in }; environment.systemPackages = [ + cursors icons theme ]; diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix index e86a18ff618e7..a3f03d7a19a6b 100644 --- a/nixos/modules/services/x11/display-managers/sddm.nix +++ b/nixos/modules/services/x11/display-managers/sddm.nix @@ -123,7 +123,7 @@ in }; }; description = lib.mdDoc '' - Extra settings merged in and overwritting defaults in sddm.conf. + Extra settings merged in and overwriting defaults in sddm.conf. ''; }; diff --git a/nixos/modules/services/x11/hardware/libinput.nix b/nixos/modules/services/x11/hardware/libinput.nix index 0d30b9b5e68de..f77036360e029 100644 --- a/nixos/modules/services/x11/hardware/libinput.nix +++ b/nixos/modules/services/x11/hardware/libinput.nix @@ -171,7 +171,7 @@ let cfg = config.services.xserver.libinput; lib.mdDoc '' Enables or disables drag lock during tapping behavior. When enabled, a finger up during tap- and-drag will not immediately release the button. If the finger is set down again within the - timeout, the draging process continues. + timeout, the dragging process continues. ''; }; diff --git a/nixos/modules/services/x11/imwheel.nix b/nixos/modules/services/x11/imwheel.nix index 03cbdbfb09a4a..133e64c65cdd7 100644 --- a/nixos/modules/services/x11/imwheel.nix +++ b/nixos/modules/services/x11/imwheel.nix @@ -37,8 +37,8 @@ in Window class translation rules. /etc/X11/imwheelrc is generated based on this config which means this config is global for all users. - See [offical man pages](http://imwheel.sourceforge.net/imwheel.1.html) - for more informations. + See [official man pages](http://imwheel.sourceforge.net/imwheel.1.html) + for more information. ''; }; }; diff --git a/nixos/modules/services/x11/picom.nix b/nixos/modules/services/x11/picom.nix index d42cf1d7412fe..4a0578de09cb5 100644 --- a/nixos/modules/services/x11/picom.nix +++ b/nixos/modules/services/x11/picom.nix @@ -47,6 +47,9 @@ in { since picom v6 and was subsequently removed by upstream. See https://github.com/yshui/picom/commit/bcbc410 '') + (mkRemovedOptionModule [ "services" "picom" "experimentalBackends" ] '' + This option was removed by upstream since picom v10. + '') ]; options.services.picom = { @@ -58,14 +61,6 @@ in { ''; }; - experimentalBackends = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to use the unstable new reimplementation of the backends. - ''; - }; - fade = mkOption { type = types.bool; default = false; @@ -204,10 +199,10 @@ in { }; backend = mkOption { - type = types.enum [ "glx" "xrender" "xr_glx_hybrid" ]; + type = types.enum [ "egl" "glx" "xrender" "xr_glx_hybrid" ]; default = "xrender"; description = lib.mdDoc '' - Backend to use: `glx`, `xrender` or `xr_glx_hybrid`. + Backend to use: `egl`, `glx`, `xrender` or `xr_glx_hybrid`. ''; }; @@ -306,8 +301,7 @@ in { }; serviceConfig = { - ExecStart = "${pkgs.picom}/bin/picom --config ${configFile}" - + (optionalString cfg.experimentalBackends " --experimental-backends"); + ExecStart = "${pkgs.picom}/bin/picom --config ${configFile}"; RestartSec = 3; Restart = "always"; }; diff --git a/nixos/modules/services/x11/window-managers/i3.nix b/nixos/modules/services/x11/window-managers/i3.nix index 64109e0c39fdd..5bb73cd0bfb17 100644 --- a/nixos/modules/services/x11/window-managers/i3.nix +++ b/nixos/modules/services/x11/window-managers/i3.nix @@ -31,7 +31,6 @@ in type = types.package; default = pkgs.i3; defaultText = literalExpression "pkgs.i3"; - example = literalExpression "pkgs.i3-gaps"; description = lib.mdDoc '' i3 package to use. ''; @@ -73,6 +72,6 @@ in imports = [ (mkRemovedOptionModule [ "services" "xserver" "windowManager" "i3-gaps" "enable" ] - "Use services.xserver.windowManager.i3.enable and set services.xserver.windowManager.i3.package to pkgs.i3-gaps to use i3-gaps.") + "i3-gaps was merged into i3. Use services.xserver.windowManager.i3.enable instead.") ]; } diff --git a/nixos/modules/services/x11/window-managers/katriawm.nix b/nixos/modules/services/x11/window-managers/katriawm.nix new file mode 100644 index 0000000000000..106631792ff4e --- /dev/null +++ b/nixos/modules/services/x11/window-managers/katriawm.nix @@ -0,0 +1,27 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mdDoc mkEnableOption mkIf mkPackageOption singleton; + cfg = config.services.xserver.windowManager.katriawm; +in +{ + ###### interface + options = { + services.xserver.windowManager.katriawm = { + enable = mkEnableOption (mdDoc "katriawm"); + package = mkPackageOption pkgs "katriawm" {}; + }; + }; + + ###### implementation + config = mkIf cfg.enable { + services.xserver.windowManager.session = singleton { + name = "katriawm"; + start = '' + ${cfg.package}/bin/katriawm & + waitPID=$! + ''; + }; + environment.systemPackages = [ cfg.package ]; + }; +} diff --git a/nixos/modules/services/x11/xautolock.nix b/nixos/modules/services/x11/xautolock.nix index 8200057660e5b..5b8b748a086bf 100644 --- a/nixos/modules/services/x11/xautolock.nix +++ b/nixos/modules/services/x11/xautolock.nix @@ -71,7 +71,7 @@ in type = types.nullOr types.str; description = lib.mdDoc '' - The script to use when nothing has happend for as long as {option}`killtime` + The script to use when nothing has happened for as long as {option}`killtime` ''; }; diff --git a/nixos/modules/system/activation/bootspec.cue b/nixos/modules/system/activation/bootspec.cue new file mode 100644 index 0000000000000..9f857a1b1cd80 --- /dev/null +++ b/nixos/modules/system/activation/bootspec.cue @@ -0,0 +1,18 @@ +#V1: { + system: string + init: string + initrd?: string + initrdSecrets?: string + kernel: string + kernelParams: [...string] + label: string + toplevel: string + specialisation?: { + [=~"^"]: #V1 + } + extensions?: {...} +} + +Document: { + v1: #V1 +} diff --git a/nixos/modules/system/activation/bootspec.nix b/nixos/modules/system/activation/bootspec.nix new file mode 100644 index 0000000000000..61407ab67558b --- /dev/null +++ b/nixos/modules/system/activation/bootspec.nix @@ -0,0 +1,126 @@ +# Note that these schemas are defined by RFC-0125. +# This document is considered a stable API, and is depended upon by external tooling. +# Changes to the structure of the document, or the semantics of the values should go through an RFC. +# +# See: https://github.com/NixOS/rfcs/pull/125 +{ config +, pkgs +, lib +, ... +}: +let + cfg = config.boot.bootspec; + children = lib.mapAttrs (childName: childConfig: childConfig.configuration.system.build.toplevel) config.specialisation; + schemas = { + v1 = rec { + filename = "boot.json"; + json = + pkgs.writeText filename + (builtins.toJSON + { + v1 = { + system = config.boot.kernelPackages.stdenv.hostPlatform.system; + kernel = "${config.boot.kernelPackages.kernel}/${config.system.boot.loader.kernelFile}"; + kernelParams = config.boot.kernelParams; + label = "NixOS ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"; + + inherit (cfg) extensions; + } // lib.optionalAttrs config.boot.initrd.enable { + initrd = "${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile}"; + initrdSecrets = "${config.system.build.initialRamdiskSecretAppender}/bin/append-initrd-secrets"; + }; + }); + + generator = + let + # NOTE: Be careful to not introduce excess newlines at the end of the + # injectors, as that may affect the pipes and redirects. + + # Inject toplevel and init into the bootspec. + # This can only be done here because we *cannot* depend on $out + # referring to the toplevel, except by living in the toplevel itself. + toplevelInjector = lib.escapeShellArgs [ + "${pkgs.jq}/bin/jq" + '' + .v1.toplevel = $toplevel | + .v1.init = $init + '' + "--sort-keys" + "--arg" "toplevel" "${placeholder "out"}" + "--arg" "init" "${placeholder "out"}/init" + ] + " < ${json}"; + + # We slurp all specialisations and inject them as values, such that + # `.specialisations.${name}` embeds the specialisation's bootspec + # document. + specialisationInjector = + let + specialisationLoader = (lib.mapAttrsToList + (childName: childToplevel: lib.escapeShellArgs [ "--slurpfile" childName "${childToplevel}/${filename}" ]) + children); + in + lib.escapeShellArgs [ + "${pkgs.jq}/bin/jq" + "--sort-keys" + ".v1.specialisation = ($ARGS.named | map_values(. | first | .v1))" + ] + " ${lib.concatStringsSep " " specialisationLoader}"; + in + '' + mkdir -p $out/bootspec + + ${toplevelInjector} | ${specialisationInjector} > $out/${filename} + ''; + + validator = pkgs.writeCueValidator ./bootspec.cue { + document = "Document"; # Universal validator for any version as long the schema is correctly set. + }; + }; + }; +in +{ + options.boot.bootspec = { + enable = lib.mkEnableOption (lib.mdDoc "Enable generation of RFC-0125 bootspec in $system/bootspec, e.g. /run/current-system/bootspec"); + + extensions = lib.mkOption { + type = lib.types.attrsOf lib.types.attrs; # <namespace>: { ...namespace-specific fields } + default = { }; + description = lib.mdDoc '' + User-defined data that extends the bootspec document. + + To reduce incompatibility and prevent names from clashing + between applications, it is **highly recommended** to use a + unique namespace for your extensions. + ''; + }; + + # This will be run as a part of the `systemBuilder` in ./top-level.nix. This + # means `$out` points to the output of `config.system.build.toplevel` and can + # be used for a variety of things (though, for now, it's only used to report + # the path of the `toplevel` itself and the `init` executable). + writer = lib.mkOption { + internal = true; + default = schemas.v1.generator; + }; + + validator = lib.mkOption { + internal = true; + default = schemas.v1.validator; + }; + + filename = lib.mkOption { + internal = true; + default = schemas.v1.filename; + }; + }; + + config = lib.mkIf (cfg.enable) { + warnings = [ + ''RFC-0125 is not merged yet, this is a feature preview of bootspec. + The schema is not definitive and features are not guaranteed to be stable until RFC-0125 is merged. + See: + - https://github.com/NixOS/nixpkgs/pull/172237 to track merge status in nixpkgs. + - https://github.com/NixOS/rfcs/pull/125 to track RFC status. + '' + ]; + }; +} diff --git a/nixos/modules/system/activation/test.nix b/nixos/modules/system/activation/test.nix new file mode 100644 index 0000000000000..8cf000451c6e3 --- /dev/null +++ b/nixos/modules/system/activation/test.nix @@ -0,0 +1,27 @@ +{ lib +, nixos +, expect +, testers +}: +let + node-forbiddenDependencies-fail = nixos ({ ... }: { + system.forbiddenDependenciesRegex = "-dev$"; + environment.etc."dev-dependency" = { + text = "${expect.dev}"; + }; + documentation.enable = false; + fileSystems."/".device = "ignore-root-device"; + boot.loader.grub.enable = false; + }); + node-forbiddenDependencies-succeed = nixos ({ ... }: { + system.forbiddenDependenciesRegex = "-dev$"; + system.extraDependencies = [ expect.dev ]; + documentation.enable = false; + fileSystems."/".device = "ignore-root-device"; + boot.loader.grub.enable = false; + }); +in +lib.recurseIntoAttrs { + test-forbiddenDependencies-fail = testers.testBuildFailure node-forbiddenDependencies-fail.config.system.build.toplevel; + test-forbiddenDependencies-succeed = node-forbiddenDependencies-succeed.config.system.build.toplevel; +} diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix index 55ff98db53829..00b11471e1c71 100644 --- a/nixos/modules/system/activation/top-level.nix +++ b/nixos/modules/system/activation/top-level.nix @@ -77,7 +77,12 @@ let ${config.system.systemBuilderCommands} - echo -n "${toString config.system.extraDependencies}" > $out/extra-dependencies + echo -n "$extraDependencies" > $out/extra-dependencies + + ${optionalString (!config.boot.isContainer && config.boot.bootspec.enable) '' + ${config.boot.bootspec.writer} + ${config.boot.bootspec.validator} "$out/${config.boot.bootspec.filename}" + ''} ${config.system.extraSystemBuilderCmds} ''; @@ -105,6 +110,8 @@ let dryActivationScript = config.system.dryActivationScript; nixosLabel = config.system.nixos.label; + inherit (config.system) extraDependencies; + # Needed by switch-to-configuration. perl = pkgs.perl.withPackages (p: with p; [ ConfigIniFiles FileSlurp ]); } // config.system.systemBuilderArgs); @@ -223,6 +230,16 @@ in ''; }; + system.forbiddenDependenciesRegex = mkOption { + default = ""; + example = "-dev$"; + type = types.str; + description = lib.mdDoc '' + A POSIX Extended Regular Expression that matches store paths that + should not appear in the system closure, with the exception of {option}`system.extraDependencies`, which is not checked. + ''; + }; + system.extraSystemBuilderCmds = mkOption { type = types.lines; internal = true; @@ -298,8 +315,26 @@ in config.system.copySystemConfiguration ''ln -s '${import ../../../lib/from-env.nix "NIXOS_CONFIG" <nixos-config>}' \ "$out/configuration.nix" + '' + + optionalString + (config.system.forbiddenDependenciesRegex != "") + '' + if [[ $forbiddenDependenciesRegex != "" && -n $closureInfo ]]; then + if forbiddenPaths="$(grep -E -- "$forbiddenDependenciesRegex" $closureInfo/store-paths)"; then + echo -e "System closure $out contains the following disallowed paths:\n$forbiddenPaths" + exit 1 + fi + fi ''; + system.systemBuilderArgs = lib.optionalAttrs (config.system.forbiddenDependenciesRegex != "") { + inherit (config.system) forbiddenDependenciesRegex; + closureInfo = pkgs.closureInfo { rootPaths = [ + # override to avoid infinite recursion (and to allow using extraDependencies to add forbidden dependencies) + (config.system.build.toplevel.overrideAttrs (_: { extraDependencies = []; closureInfo = null; })) + ]; }; + }; + system.build.toplevel = system; }; diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix index 87e66f73be0ec..7f817e5d350da 100644 --- a/nixos/modules/system/boot/binfmt.nix +++ b/nixos/modules/system/boot/binfmt.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: let - inherit (lib) mkOption types optionalString stringAfter; + inherit (lib) mkOption mkDefault types optionalString stringAfter; cfg = config.boot.binfmt; @@ -281,7 +281,7 @@ in { config = { boot.binfmt.registrations = builtins.listToAttrs (map (system: { name = system; - value = let + value = { config, ... }: let interpreter = getEmulator system; qemuArch = getQemuArch system; @@ -292,13 +292,13 @@ in { in if preserveArgvZero then "${wrapper}/bin/${wrapperName}" else interpreter; - in { - inherit preserveArgvZero; + in ({ + preserveArgvZero = mkDefault preserveArgvZero; - interpreter = interpreterReg; - wrapInterpreterInShell = !preserveArgvZero; - interpreterSandboxPath = dirOf (dirOf interpreterReg); - } // (magics.${system} or (throw "Cannot create binfmt registration for system ${system}")); + interpreter = mkDefault interpreterReg; + wrapInterpreterInShell = mkDefault (!config.preserveArgvZero); + interpreterSandboxPath = mkDefault (dirOf (dirOf config.interpreter)); + } // (magics.${system} or (throw "Cannot create binfmt registration for system ${system}"))); }) cfg.emulatedSystems); nix.settings = lib.mkIf (cfg.emulatedSystems != []) { extra-platforms = cfg.emulatedSystems ++ lib.optional pkgs.stdenv.hostPlatform.isx86_64 "i686-linux"; diff --git a/nixos/modules/system/boot/initrd-openvpn.nix b/nixos/modules/system/boot/initrd-openvpn.nix index b41e7524320e2..cbc61d55d6bb3 100644 --- a/nixos/modules/system/boot/initrd-openvpn.nix +++ b/nixos/modules/system/boot/initrd-openvpn.nix @@ -68,11 +68,8 @@ in $out/bin/openvpn --show-gateway ''; - # Add `iproute /bin/ip` to the config, to ensure that openvpn - # is able to set the routes boot.initrd.network.postCommands = '' - (cat /etc/initrd.ovpn; echo -e '\niproute /bin/ip') | \ - openvpn /dev/stdin & + openvpn /etc/initrd.ovpn & ''; }; diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix index 673655f20ee84..701d242abc154 100644 --- a/nixos/modules/system/boot/initrd-ssh.nix +++ b/nixos/modules/system/boot/initrd-ssh.nix @@ -73,6 +73,15 @@ in ''; }; + ignoreEmptyHostKeys = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Allow leaving {option}`config.boot.initrd.network.ssh` empty, + to deploy ssh host keys out of band. + ''; + }; + authorizedKeys = mkOption { type = types.listOf types.str; default = config.users.users.root.openssh.authorizedKeys.keys; @@ -141,7 +150,7 @@ in } { - assertion = cfg.hostKeys != []; + assertion = (cfg.hostKeys != []) || cfg.ignoreEmptyHostKeys; message = '' You must now pre-generate the host keys for initrd SSH. See the boot.initrd.network.ssh.hostKeys documentation diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix index 6783f8ec62ff9..b13e50cb17d2d 100644 --- a/nixos/modules/system/boot/kernel.nix +++ b/nixos/modules/system/boot/kernel.nix @@ -62,6 +62,11 @@ in configuration. For instance, if you use the NVIDIA X driver, then it also needs to contain an attribute {var}`nvidia_x11`. + + Please note that we strictly support kernel versions that are + maintained by the Linux developers only. More information on the + availability of kernel versions is documented + [in the Linux section of the manual](https://nixos.org/manual/nixos/unstable/index.html#sec-kernel-config). ''; }; diff --git a/nixos/modules/system/boot/loader/external/external.md b/nixos/modules/system/boot/loader/external/external.md new file mode 100644 index 0000000000000..ba1dfd4d9b9af --- /dev/null +++ b/nixos/modules/system/boot/loader/external/external.md @@ -0,0 +1,26 @@ +# External Bootloader Backends {#sec-bootloader-external} + +NixOS has support for several bootloader backends by default: systemd-boot, grub, uboot, etc. +The built-in bootloader backend support is generic and supports most use cases. +Some users may prefer to create advanced workflows around managing the bootloader and bootable entries. + +You can replace the built-in bootloader support with your own tooling using the "external" bootloader option. + +Imagine you have created a new package called FooBoot. +FooBoot provides a program at `${pkgs.fooboot}/bin/fooboot-install` which takes the system closure's path as its only argument and configures the system's bootloader. + +You can enable FooBoot like this: + +```nix +{ pkgs, ... }: { + boot.loader.external = { + enable = true; + installHook = "${pkgs.fooboot}/bin/fooboot-install"; + }; +} +``` + +## Developing Custom Bootloader Backends + +Bootloaders should use [RFC-0125](https://github.com/NixOS/rfcs/pull/125)'s Bootspec format and synthesis tools to identify the key properties for bootable system generations. + diff --git a/nixos/modules/system/boot/loader/external/external.nix b/nixos/modules/system/boot/loader/external/external.nix new file mode 100644 index 0000000000000..5cf478e6c83cd --- /dev/null +++ b/nixos/modules/system/boot/loader/external/external.nix @@ -0,0 +1,38 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.boot.loader.external; +in +{ + meta = { + maintainers = with maintainers; [ cole-h grahamc raitobezarius ]; + # Don't edit the docbook xml directly, edit the md and generate it: + # `pandoc external.md -t docbook --top-level-division=chapter --extract-media=media -f markdown+smart > external.xml` + doc = ./external.xml; + }; + + options.boot.loader.external = { + enable = mkEnableOption (lib.mdDoc "use an external tool to install your bootloader"); + + installHook = mkOption { + type = with types; path; + description = lib.mdDoc '' + The full path to a program of your choosing which performs the bootloader installation process. + + The program will be called with an argument pointing to the output of the system's toplevel. + ''; + }; + }; + + config = mkIf cfg.enable { + boot.loader = { + grub.enable = mkDefault false; + systemd-boot.enable = mkDefault false; + supportsInitrdSecrets = mkDefault false; + }; + + system.build.installBootLoader = cfg.installHook; + }; +} diff --git a/nixos/modules/system/boot/loader/external/external.xml b/nixos/modules/system/boot/loader/external/external.xml new file mode 100644 index 0000000000000..39ab2156bc8c6 --- /dev/null +++ b/nixos/modules/system/boot/loader/external/external.xml @@ -0,0 +1,41 @@ +<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-bootloader-external"> + <title>External Bootloader Backends</title> + <para> + NixOS has support for several bootloader backends by default: + systemd-boot, grub, uboot, etc. The built-in bootloader backend + support is generic and supports most use cases. Some users may + prefer to create advanced workflows around managing the bootloader + and bootable entries. + </para> + <para> + You can replace the built-in bootloader support with your own + tooling using the <quote>external</quote> bootloader option. + </para> + <para> + Imagine you have created a new package called FooBoot. FooBoot + provides a program at + <literal>${pkgs.fooboot}/bin/fooboot-install</literal> which takes + the system closure’s path as its only argument and configures the + system’s bootloader. + </para> + <para> + You can enable FooBoot like this: + </para> + <programlisting language="nix"> +{ pkgs, ... }: { + boot.loader.external = { + enable = true; + installHook = "${pkgs.fooboot}/bin/fooboot-install"; + }; +} +</programlisting> + <section xml:id="developing-custom-bootloader-backends"> + <title>Developing Custom Bootloader Backends</title> + <para> + Bootloaders should use + <link xlink:href="https://github.com/NixOS/rfcs/pull/125">RFC-0125</link>’s + Bootspec format and synthesis tools to identify the key properties + for bootable system generations. + </para> + </section> +</chapter> diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index a67b10608aa74..1d266b5a37d56 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -38,7 +38,7 @@ let grubConfig = args: let efiSysMountPoint = if args.efiSysMountPoint == null then args.path else args.efiSysMountPoint; - efiSysMountPoint' = replaceChars [ "/" ] [ "-" ] efiSysMountPoint; + efiSysMountPoint' = replaceStrings [ "/" ] [ "-" ] efiSysMountPoint; in pkgs.writeText "grub-config.xml" (builtins.toXML { splashImage = f cfg.splashImage; diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py index 68da20615917b..ad7e2184d2a73 100644..100755 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py @@ -16,6 +16,7 @@ import datetime import glob import os.path from typing import NamedTuple, List, Optional +from packaging import version class SystemIdentifier(NamedTuple): profile: Optional[str] @@ -258,12 +259,18 @@ def main() -> None: if available_match is None: raise Exception("could not determine systemd-boot version") - installed_version = installed_match.group(1) - available_version = available_match.group(1) + installed_version = version.parse(installed_match.group(1)) + available_version = version.parse(available_match.group(1)) + # systemd 252 has a regression that leaves some machines unbootable, so we skip that update. + # The fix is in 252.2 + # See https://github.com/systemd/systemd/issues/25363 and https://github.com/NixOS/nixpkgs/pull/201558#issuecomment-1348603263 if installed_version < available_version: - print("updating systemd-boot from %s to %s" % (installed_version, available_version)) - subprocess.check_call(["@systemd@/bin/bootctl", "--esp-path=@efiSysMountPoint@", "update"]) + if version.parse('252') <= available_version < version.parse('252.2'): + print("skipping systemd-boot update to %s because of known regression" % available_version) + else: + print("updating systemd-boot from %s to %s" % (installed_version, available_version)) + subprocess.check_call(["@systemd@/bin/bootctl", "--esp-path=@efiSysMountPoint@", "update"]) mkdir_p("@efiSysMountPoint@/efi/nixos") mkdir_p("@efiSysMountPoint@/loader/entries") diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix index 8cb7c7b8e47bb..103d6e583c310 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix @@ -7,12 +7,14 @@ let efi = config.boot.loader.efi; + python3 = pkgs.python3.withPackages (ps: [ ps.packaging ]); + systemdBootBuilder = pkgs.substituteAll { src = ./systemd-boot-builder.py; isExecutable = true; - inherit (pkgs) python3; + inherit python3; systemd = config.systemd.package; @@ -48,7 +50,7 @@ let }; checkedSystemdBootBuilder = pkgs.runCommand "systemd-boot" { - nativeBuildInputs = [ pkgs.mypy ]; + nativeBuildInputs = [ pkgs.mypy python3 ]; } '' install -m755 ${systemdBootBuilder} $out mypy \ diff --git a/nixos/modules/system/boot/modprobe.nix b/nixos/modules/system/boot/modprobe.nix index c8ab3b0d8e4af..54bb7ea9ddd76 100644 --- a/nixos/modules/system/boot/modprobe.nix +++ b/nixos/modules/system/boot/modprobe.nix @@ -7,6 +7,9 @@ with lib; ###### interface options = { + boot.modprobeConfig.enable = mkEnableOption (lib.mdDoc "modprobe config. This is useful for systemds like containers which do not require a kernel.") // { + default = true; + }; boot.blacklistedKernelModules = mkOption { type = types.listOf types.str; @@ -38,7 +41,7 @@ with lib; ###### implementation - config = mkIf (!config.boot.isContainer) { + config = mkIf config.boot.modprobeConfig.enable { environment.etc."modprobe.d/ubuntu.conf".source = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf"; diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index 28abf820ec097..188f2f64dc848 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -928,6 +928,8 @@ let type = types.bool; description = lib.mdDoc '' Whether to manage network configuration using {command}`systemd-network`. + + This also enables {option}`systemd.networkd.enable`. ''; }; @@ -1900,6 +1902,20 @@ in }; systemd.network.wait-online = { + enable = mkOption { + type = types.bool; + default = true; + example = false; + description = lib.mdDoc '' + Whether to enable the systemd-networkd-wait-online service. + + systemd-networkd-wait-online can timeout and fail if there are no network interfaces + available for it to manage. When systemd-networkd is enabled but a different service is + responsible for managing the system's internet connection (for example, NetworkManager or + connman are used to manage WiFi connections), this service is unnecessary and can be + disabled. + ''; + }; anyInterface = mkOption { description = lib.mdDoc '' Whether to consider the network online when any interface is online, as opposed to all of them. @@ -1981,6 +1997,7 @@ in }; systemd.services.systemd-networkd-wait-online = { + inherit (cfg.wait-online) enable; wantedBy = [ "network-online.target" ]; serviceConfig.ExecStart = [ "" diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh index 994aa0e33cbfa..4596c160a9571 100644 --- a/nixos/modules/system/boot/stage-1-init.sh +++ b/nixos/modules/system/boot/stage-1-init.sh @@ -342,6 +342,14 @@ checkFS() { return 0 } +escapeFstab() { + local original="$1" + + # Replace space + local escaped="${original// /\\040}" + # Replace tab + echo "${escaped//$'\t'/\\011}" +} # Function for mounting a file system. mountFS() { @@ -569,7 +577,7 @@ while read -u 3 mountPoint; do continue fi - mountFS "$device" "$mountPoint" "$options" "$fsType" + mountFS "$device" "$(escapeFstab "$mountPoint")" "$(escapeFstab "$options")" "$fsType" done exec 3>&- diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 28c76fb169f11..95dcdfd7fbe16 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -205,8 +205,9 @@ let # Copy ld manually since it isn't detected correctly cp -pv ${pkgs.stdenv.cc.libc.out}/lib/ld*.so.? $out/lib - # Copy all of the needed libraries - find $out/bin $out/lib -type f | while read BIN; do + # Copy all of the needed libraries in a consistent order so + # duplicates are resolved the same way. + find $out/bin $out/lib -type f | sort | while read BIN; do echo "Copying libs for executable $BIN" for LIB in $(${findLibs}/bin/find-libs $BIN); do TGT="$out/lib/$(basename $LIB)" diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh index f2a839d078681..78cc8e8d45a30 100755 --- a/nixos/modules/system/boot/stage-2-init.sh +++ b/nixos/modules/system/boot/stage-2-init.sh @@ -68,7 +68,7 @@ fi # like squashfs. chown -f 0:30000 /nix/store chmod -f 1775 /nix/store -if [ -n "@readOnlyStore@" ]; then +if [ -n "@readOnlyNixStore@" ]; then if ! [[ "$(findmnt --noheadings --output OPTIONS /nix/store)" =~ ro(,|$) ]]; then if [ -z "$container" ]; then mount --bind /nix/store /nix/store diff --git a/nixos/modules/system/boot/stage-2.nix b/nixos/modules/system/boot/stage-2.nix index 6b4193ea29674..6ed915c339e0c 100644 --- a/nixos/modules/system/boot/stage-2.nix +++ b/nixos/modules/system/boot/stage-2.nix @@ -10,9 +10,8 @@ let src = ./stage-2-init.sh; shellDebug = "${pkgs.bashInteractive}/bin/bash"; shell = "${pkgs.bash}/bin/bash"; - inherit (config.boot) systemdExecutable extraSystemdUnitPaths; + inherit (config.boot) readOnlyNixStore systemdExecutable extraSystemdUnitPaths; isExecutable = true; - inherit (config.nix) readOnlyStore; inherit useHostResolvConf; inherit (config.system.build) earlyMountScript; path = lib.makeBinPath ([ @@ -42,6 +41,17 @@ in ''; }; + readOnlyNixStore = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + If set, NixOS will enforce the immutability of the Nix store + by making {file}`/nix/store` a read-only bind + mount. Nix will automatically make the store writable when + needed. + ''; + }; + systemdExecutable = mkOption { default = "/run/current-system/systemd/lib/systemd/systemd"; type = types.str; diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index d28e6ed0e2770..e37ed8531810e 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -558,7 +558,8 @@ in # Environment of PID 1 systemd.managerEnvironment = { # Doesn't contain systemd itself - everything works so it seems to use the compiled-in value for its tools - PATH = lib.makeBinPath config.system.fsPackages; + # util-linux is needed for the main fsck utility wrapping the fs-specific ones + PATH = lib.makeBinPath (config.system.fsPackages ++ [cfg.package.util-linux]); LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive"; TZDIR = "/etc/zoneinfo"; # If SYSTEMD_UNIT_PATH ends with an empty component (":"), the usual unit load path will be appended to the contents of the variable @@ -611,6 +612,10 @@ in boot.kernelParams = optional (!cfg.enableUnifiedCgroupHierarchy) "systemd.unified_cgroup_hierarchy=0"; + # Avoid potentially degraded system state due to + # "Userspace Out-Of-Memory (OOM) Killer was skipped because of a failed condition check (ConditionControlGroupController=v2)." + systemd.services.systemd-oomd.enable = mkIf (!cfg.enableUnifiedCgroupHierarchy) false; + services.logrotate.settings = { "/var/log/btmp" = mapAttrs (_: mkDefault) { frequency = "monthly"; diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index 31702499b0f14..196f44ccd783c 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix @@ -148,6 +148,16 @@ in { visible = false; }; + extraConfig = mkOption { + default = ""; + type = types.lines; + example = "DefaultLimitCORE=infinity"; + description = lib.mdDoc '' + Extra config options for systemd. See systemd-system.conf(5) man page + for available options. + ''; + }; + contents = mkOption { description = lib.mdDoc "Set of files that have to be linked into the initrd"; example = literalExpression '' @@ -352,6 +362,7 @@ in { "/etc/systemd/system.conf".text = '' [Manager] DefaultEnvironment=PATH=/bin:/sbin ${optionalString (isBool cfg.emergencyAccess && cfg.emergencyAccess) "SYSTEMD_SULOGIN_FORCE=1"} + ${cfg.extraConfig} ''; "/lib/modules".source = "${modulesClosure}/lib/modules"; diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index 97f02a8c963a8..7f2c8a41b20a1 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -33,7 +33,7 @@ let mountPoint = mkOption { example = "/mnt/usb"; type = nonEmptyWithoutTrailingSlash; - description = lib.mdDoc "Location of the mounted the file system."; + description = lib.mdDoc "Location of the mounted file system."; }; device = mkOption { @@ -54,7 +54,7 @@ let default = [ "defaults" ]; example = [ "data=journal" ]; description = lib.mdDoc "Options used to mount the file system."; - type = types.listOf nonEmptyStr; + type = types.nonEmptyListOf nonEmptyStr; }; depends = mkOption { @@ -167,7 +167,7 @@ let else throw "No device specified for mount point ‘${fs.mountPoint}’.") + " " + escape (rootPrefix + fs.mountPoint) + " " + fs.fsType - + " " + builtins.concatStringsSep "," (fs.options ++ (extraOpts fs)) + + " " + escape (builtins.concatStringsSep "," (fs.options ++ (extraOpts fs))) + " " + (optionalString (!excludeChecks) ("0 " + (if skipCheck fs then "0" else if fs.mountPoint == "/" then "1" else "2"))) + "\n" @@ -300,11 +300,7 @@ in boot.supportedFilesystems = map (fs: fs.fsType) fileSystems; # Add the mount helpers to the system path so that `mount' can find them. - system.fsPackages = [ - pkgs.dosfstools - # This is needed for the main fsck utility wrapping the fs-specific ones. - pkgs.util-linux - ]; + system.fsPackages = [ pkgs.dosfstools ]; environment.systemPackages = with pkgs; [ fuse3 fuse ] ++ config.system.fsPackages; diff --git a/nixos/modules/tasks/filesystems/bcachefs.nix b/nixos/modules/tasks/filesystems/bcachefs.nix index ac41ba5f93a4b..e3ad52a7b056f 100644 --- a/nixos/modules/tasks/filesystems/bcachefs.nix +++ b/nixos/modules/tasks/filesystems/bcachefs.nix @@ -42,7 +42,11 @@ in { config = mkIf (elem "bcachefs" config.boot.supportedFilesystems) (mkMerge [ { - system.fsPackages = [ pkgs.bcachefs-tools ]; + # We do not want to include bachefs in the fsPackages for systemd-initrd + # because we provide the unwrapped version of mount.bcachefs + # through the extraBin option, which will make it available for use. + system.fsPackages = lib.optional (!config.boot.initrd.systemd.enable) pkgs.bcachefs-tools; + environment.systemPackages = lib.optional (config.boot.initrd.systemd.enable) pkgs.bcachefs-tools; # use kernel package with bcachefs support until it's in mainline boot.kernelPackages = pkgs.linuxPackages_testing_bcachefs; @@ -52,7 +56,14 @@ in # chacha20 and poly1305 are required only for decryption attempts boot.initrd.availableKernelModules = [ "bcachefs" "sha256" "chacha20" "poly1305" ]; - boot.initrd.extraUtilsCommands = '' + boot.initrd.systemd.extraBin = { + "bcachefs" = "${pkgs.bcachefs-tools}/bin/bcachefs"; + "mount.bcachefs" = pkgs.runCommand "mount.bcachefs" {} '' + cp -pdv ${pkgs.bcachefs-tools}/bin/.mount.bcachefs.sh-wrapped $out + ''; + }; + + boot.initrd.extraUtilsCommands = lib.mkIf (!config.boot.initrd.systemd.enable) '' copy_bin_and_libs ${pkgs.bcachefs-tools}/bin/bcachefs ''; boot.initrd.extraUtilsCommandsTest = '' diff --git a/nixos/modules/tasks/filesystems/envfs.nix b/nixos/modules/tasks/filesystems/envfs.nix new file mode 100644 index 0000000000000..ef8f655c532a9 --- /dev/null +++ b/nixos/modules/tasks/filesystems/envfs.nix @@ -0,0 +1,51 @@ +{ pkgs, config, lib, ... }: + +let + cfg = config.services.envfs; + mounts = { + "/usr/bin" = { + device = "none"; + fsType = "envfs"; + options = [ + "fallback-path=${pkgs.runCommand "fallback-path" {} '' + mkdir -p $out + ln -s ${pkgs.coreutils}/bin/env $out/env + ln -s ${config.system.build.binsh}/bin/sh $out/sh + ''}" + ]; + }; + "/bin" = { + device = "/usr/bin"; + fsType = "none"; + options = [ "bind" ]; + }; + }; +in { + options = { + services.envfs = { + enable = lib.mkEnableOption (lib.mdDoc "Envfs filesystem") // { + description = lib.mdDoc '' + Fuse filesystem that returns symlinks to executables based on the PATH + of the requesting process. This is useful to execute shebangs on NixOS + that assume hard coded locations in locations like /bin or /usr/bin + etc. + ''; + }; + package = lib.mkOption { + type = lib.types.package; + description = lib.mdDoc "Which package to use for the envfs."; + default = pkgs.envfs; + defaultText = lib.mdDoc "pkgs.envfs"; + }; + }; + }; + config = lib.mkIf (cfg.enable) { + environment.systemPackages = [ cfg.package ]; + # we also want these mounts in virtual machines. + fileSystems = if config.virtualisation ? qemu then lib.mkVMOverride mounts else mounts; + + # We no longer need those when using envfs + system.activationScripts.usrbinenv = lib.mkForce ""; + system.activationScripts.binsh = lib.mkForce ""; + }; +} diff --git a/nixos/modules/tasks/filesystems/ext.nix b/nixos/modules/tasks/filesystems/ext.nix index 9b61f21643aba..edc0efc552136 100644 --- a/nixos/modules/tasks/filesystems/ext.nix +++ b/nixos/modules/tasks/filesystems/ext.nix @@ -3,13 +3,14 @@ let inInitrd = lib.any (fs: fs == "ext2" || fs == "ext3" || fs == "ext4") config.boot.initrd.supportedFilesystems; + inSystem = lib.any (fs: fs == "ext2" || fs == "ext3" || fs == "ext4") config.boot.supportedFilesystems; in { config = { - system.fsPackages = lib.mkIf (config.boot.initrd.systemd.enable -> inInitrd) [ pkgs.e2fsprogs ]; + system.fsPackages = lib.mkIf (config.boot.initrd.systemd.enable -> (inInitrd || inSystem)) [ pkgs.e2fsprogs ]; # As of kernel 4.3, there is no separate ext3 driver (they're also handled by ext4.ko) boot.initrd.availableKernelModules = lib.mkIf (config.boot.initrd.systemd.enable -> inInitrd) [ "ext2" "ext4" ]; diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 4b4f4cc801aba..6c77596475170 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -97,10 +97,15 @@ let in map (x: "${mountPoint x}.mount") (getPoolFilesystems pool); - getKeyLocations = pool: - if isBool cfgZfs.requestEncryptionCredentials - then "${cfgZfs.package}/sbin/zfs list -rHo name,keylocation,keystatus ${pool}" - else "${cfgZfs.package}/sbin/zfs list -Ho name,keylocation,keystatus ${toString (filter (x: datasetToPool x == pool) cfgZfs.requestEncryptionCredentials)}"; + getKeyLocations = pool: if isBool cfgZfs.requestEncryptionCredentials then { + hasKeys = cfgZfs.requestEncryptionCredentials; + command = "${cfgZfs.package}/sbin/zfs list -rHo name,keylocation,keystatus ${pool}"; + } else let + keys = filter (x: datasetToPool x == pool) cfgZfs.requestEncryptionCredentials; + in { + hasKeys = keys != []; + command = "${cfgZfs.package}/sbin/zfs list -Ho name,keylocation,keystatus ${toString keys}"; + }; createImportService = { pool, systemd, force, prefix ? "" }: nameValuePair "zfs-import-${pool}" { @@ -124,7 +129,9 @@ let RemainAfterExit = true; }; environment.ZFS_FORCE = optionalString force "-f"; - script = (importLib { + script = let + keyLocations = getKeyLocations pool; + in (importLib { # See comments at importLib definition. zpoolCmd = "${cfgZfs.package}/sbin/zpool"; awkCmd = "${pkgs.gawk}/bin/awk"; @@ -139,10 +146,8 @@ let done poolImported "${pool}" || poolImport "${pool}" # Try one last time, e.g. to import a degraded pool. if poolImported "${pool}"; then - ${optionalString (if isBool cfgZfs.requestEncryptionCredentials - then cfgZfs.requestEncryptionCredentials - else cfgZfs.requestEncryptionCredentials != []) '' - ${getKeyLocations pool} | while IFS=$'\t' read ds kl ks; do + ${optionalString keyLocations.hasKeys '' + ${keyLocations.command} | while IFS=$'\t' read ds kl ks; do { if [[ "$ks" != unavailable ]]; then continue @@ -503,6 +508,10 @@ in assertion = !cfgZfs.forceImportAll || cfgZfs.forceImportRoot; message = "If you enable boot.zfs.forceImportAll, you must also enable boot.zfs.forceImportRoot"; } + { + assertion = cfgZfs.allowHibernation -> !cfgZfs.forceImportRoot && !cfgZfs.forceImportAll; + message = "boot.zfs.allowHibernation while force importing is enabled will cause data corruption"; + } ]; boot = { @@ -561,7 +570,7 @@ in '' else concatMapStrings (fs: '' zfs load-key -- ${escapeShellArg fs} - '') cfgZfs.requestEncryptionCredentials} + '') (filter (x: datasetToPool x == pool) cfgZfs.requestEncryptionCredentials)} '') rootPools)); # Systemd in stage 1 diff --git a/nixos/modules/tasks/lvm.nix b/nixos/modules/tasks/lvm.nix index 760133fafa29c..a14f26c02e48f 100644 --- a/nixos/modules/tasks/lvm.nix +++ b/nixos/modules/tasks/lvm.nix @@ -5,6 +5,10 @@ let cfg = config.services.lvm; in { options.services.lvm = { + enable = mkEnableOption (lib.mdDoc "lvm2") // { + default = true; + }; + package = mkOption { type = types.package; default = pkgs.lvm2; @@ -30,7 +34,7 @@ in { # minimal configuration file to make lvmconfig/lvm2-activation-generator happy environment.etc."lvm/lvm.conf".text = "config {}"; }) - (mkIf (!config.boot.isContainer) { + (mkIf cfg.enable { systemd.tmpfiles.packages = [ cfg.package.out ]; environment.systemPackages = [ cfg.package ]; systemd.packages = [ cfg.package ]; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index b7a4282f9727f..4d47a56ccca3d 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1377,12 +1377,12 @@ in # networkmanager falls back to "/proc/sys/net/ipv6/conf/default/use_tempaddr" "net.ipv6.conf.default.use_tempaddr" = tempaddrValues.${cfg.tempAddresses}.sysctl; } // listToAttrs (forEach interfaces - (i: nameValuePair "net.ipv4.conf.${replaceChars ["."] ["/"] i.name}.proxy_arp" i.proxyARP)) + (i: nameValuePair "net.ipv4.conf.${replaceStrings ["."] ["/"] i.name}.proxy_arp" i.proxyARP)) // listToAttrs (forEach interfaces (i: let opt = i.tempAddress; val = tempaddrValues.${opt}.sysctl; - in nameValuePair "net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr" val)); + in nameValuePair "net.ipv6.conf.${replaceStrings ["."] ["/"] i.name}.use_tempaddr" val)); security.wrappers = { ping = { @@ -1411,9 +1411,10 @@ in # Set the host and domain names in the activation script. Don't # clear it if it's not configured in the NixOS configuration, # since it may have been set by dhcpcd in the meantime. - system.activationScripts.hostname = - optionalString (cfg.hostName != "") '' - hostname "${cfg.hostName}" + system.activationScripts.hostname = let + effectiveHostname = config.boot.kernel.sysctl."kernel.hostname" or cfg.hostName; + in optionalString (effectiveHostname != "") '' + hostname "${effectiveHostname}" ''; system.activationScripts.domain = optionalString (cfg.domain != null) '' @@ -1494,7 +1495,7 @@ in in '' # override to ${msg} for ${i.name} - ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr=${val}" + ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.${replaceStrings ["."] ["/"] i.name}.use_tempaddr=${val}" '') (filter (i: i.tempAddress != cfg.tempAddresses) interfaces); }) ] ++ lib.optional (cfg.wlanInterfaces != {}) diff --git a/nixos/modules/testing/minimal-kernel.nix b/nixos/modules/testing/minimal-kernel.nix deleted file mode 100644 index 7c2b9c05cf9a0..0000000000000 --- a/nixos/modules/testing/minimal-kernel.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, pkgs, lib, ... }: - -let - configfile = builtins.storePath (builtins.toFile "config" (lib.concatStringsSep "\n" - (map (builtins.getAttr "configLine") config.system.requiredKernelConfig)) - ); - - origKernel = pkgs.buildLinux { - inherit (pkgs.linux) src version stdenv; - inherit configfile; - allowImportFromDerivation = true; - kernelPatches = [ pkgs.kernelPatches.cifs_timeout_2_6_38 ]; - }; - - kernel = origKernel // (derivation (origKernel.drvAttrs // { - configurePhase = '' - runHook preConfigure - mkdir ../build - make $makeFlags "''${makeFlagsArray[@]}" mrproper - make $makeFlags "''${makeFlagsArray[@]}" KCONFIG_ALLCONFIG=${configfile} allnoconfig - runHook postConfigure - ''; - })); - - kernelPackages = pkgs.linuxPackagesFor kernel; -in { - boot.kernelPackages = kernelPackages; -} diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix index 4ab2578eb81e6..028099c64643c 100644 --- a/nixos/modules/testing/test-instrumentation.nix +++ b/nixos/modules/testing/test-instrumentation.nix @@ -96,6 +96,12 @@ in MaxLevelConsole=debug ''; + boot.initrd.systemd.contents."/etc/systemd/journald.conf".text = '' + [Journal] + ForwardToConsole=yes + MaxLevelConsole=debug + ''; + systemd.extraConfig = '' # Don't clobber the console with duplicate systemd messages. ShowStatus=no @@ -107,6 +113,8 @@ in DefaultTimeoutStartSec=300 ''; + boot.initrd.systemd.extraConfig = config.systemd.extraConfig; + boot.consoleLogLevel = 7; # Prevent tests from accessing the Internet. diff --git a/nixos/modules/virtualisation/amazon-ec2-amis.nix b/nixos/modules/virtualisation/amazon-ec2-amis.nix index 0324c5332cffd..446a1b0ecaab2 100644 --- a/nixos/modules/virtualisation/amazon-ec2-amis.nix +++ b/nixos/modules/virtualisation/amazon-ec2-amis.nix @@ -488,5 +488,53 @@ let self = { "22.05".us-west-1.aarch64-linux.hvm-ebs = "ami-0f96be48071c13ab2"; "22.05".us-west-2.aarch64-linux.hvm-ebs = "ami-084bc5d777585adfb"; - latest = self."22.05"; + # 22.11.466.596a8e828c5 + + "22.11".eu-west-1.x86_64-linux.hvm-ebs = "ami-01aafe08a4e74bd9a"; + "22.11".af-south-1.x86_64-linux.hvm-ebs = "ami-0d937fc7bf7b8c2ed"; + "22.11".ap-east-1.x86_64-linux.hvm-ebs = "ami-020e59f6affef2732"; + "22.11".ap-northeast-1.x86_64-linux.hvm-ebs = "ami-04a7bd7a969506a87"; + "22.11".ap-northeast-2.x86_64-linux.hvm-ebs = "ami-007b9209171e2dcdd"; + "22.11".ap-northeast-3.x86_64-linux.hvm-ebs = "ami-0c4d0b584cd570584"; + "22.11".ap-south-1.x86_64-linux.hvm-ebs = "ami-02aa47f84c215d593"; + "22.11".ap-southeast-1.x86_64-linux.hvm-ebs = "ami-067a7fca4a01c4dda"; + "22.11".ap-southeast-2.x86_64-linux.hvm-ebs = "ami-0638db75ba113c635"; + "22.11".ap-southeast-3.x86_64-linux.hvm-ebs = "ami-08dcda749c59e8747"; + "22.11".ca-central-1.x86_64-linux.hvm-ebs = "ami-09b007688e369f794"; + "22.11".eu-central-1.x86_64-linux.hvm-ebs = "ami-05df1b211df600977"; + "22.11".eu-north-1.x86_64-linux.hvm-ebs = "ami-0427d0897b928e191"; + "22.11".eu-south-1.x86_64-linux.hvm-ebs = "ami-051beda489f0dd109"; + "22.11".eu-west-2.x86_64-linux.hvm-ebs = "ami-0c2090b73fc610ac3"; + "22.11".eu-west-3.x86_64-linux.hvm-ebs = "ami-0d03a150cf6c07022"; + "22.11".me-south-1.x86_64-linux.hvm-ebs = "ami-0443b1af94bff9e3d"; + "22.11".sa-east-1.x86_64-linux.hvm-ebs = "ami-07b2ce95ba17b6bc1"; + "22.11".us-east-1.x86_64-linux.hvm-ebs = "ami-0508167db03652cc4"; + "22.11".us-east-2.x86_64-linux.hvm-ebs = "ami-0e41ac272a7d67029"; + "22.11".us-west-1.x86_64-linux.hvm-ebs = "ami-02f3fb062ee9af563"; + "22.11".us-west-2.x86_64-linux.hvm-ebs = "ami-06b260b3a958948a0"; + + "22.11".eu-west-1.aarch64-linux.hvm-ebs = "ami-0c4132540cabbc7df"; + "22.11".af-south-1.aarch64-linux.hvm-ebs = "ami-0f12780247b337357"; + "22.11".ap-east-1.aarch64-linux.hvm-ebs = "ami-04789617e858da6fb"; + "22.11".ap-northeast-1.aarch64-linux.hvm-ebs = "ami-0f4d8517ab163b274"; + "22.11".ap-northeast-2.aarch64-linux.hvm-ebs = "ami-051a06893bcc696c1"; + "22.11".ap-northeast-3.aarch64-linux.hvm-ebs = "ami-05a086610680a7d8b"; + "22.11".ap-south-1.aarch64-linux.hvm-ebs = "ami-04cd79197824124cd"; + "22.11".ap-southeast-1.aarch64-linux.hvm-ebs = "ami-0437f330961467257"; + "22.11".ap-southeast-2.aarch64-linux.hvm-ebs = "ami-000c2ecbc430c36d7"; + "22.11".ap-southeast-3.aarch64-linux.hvm-ebs = "ami-062e917296b5087c0"; + "22.11".ca-central-1.aarch64-linux.hvm-ebs = "ami-0c91995b735d1b8b6"; + "22.11".eu-central-1.aarch64-linux.hvm-ebs = "ami-0537d704b177a676b"; + "22.11".eu-north-1.aarch64-linux.hvm-ebs = "ami-05f1f532f90d8e16c"; + "22.11".eu-south-1.aarch64-linux.hvm-ebs = "ami-097fe290eafff61ad"; + "22.11".eu-west-2.aarch64-linux.hvm-ebs = "ami-053b6cc7a3394891a"; + "22.11".eu-west-3.aarch64-linux.hvm-ebs = "ami-0a5b6d023afde63c3"; + "22.11".me-south-1.aarch64-linux.hvm-ebs = "ami-024fcb01f8638ed08"; + "22.11".sa-east-1.aarch64-linux.hvm-ebs = "ami-06d72c6e930037236"; + "22.11".us-east-1.aarch64-linux.hvm-ebs = "ami-0b33ffb684d6b07b5"; + "22.11".us-east-2.aarch64-linux.hvm-ebs = "ami-033ff64078c59f378"; + "22.11".us-west-1.aarch64-linux.hvm-ebs = "ami-052d52b9e30a18562"; + "22.11".us-west-2.aarch64-linux.hvm-ebs = "ami-07418b6a4782c9521"; + + latest = self."22.11"; }; in self diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix index 12fe6fa444793..9751f5755f96d 100644 --- a/nixos/modules/virtualisation/amazon-image.nix +++ b/nixos/modules/virtualisation/amazon-image.nix @@ -10,11 +10,6 @@ with lib; let cfg = config.ec2; - metadataFetcher = import ./ec2-metadata-fetcher.nix { - inherit (pkgs) curl; - targetRoot = "$targetRoot/"; - wgetExtraOptions = "-q"; - }; in { @@ -31,18 +26,12 @@ in config = { assertions = [ - { assertion = cfg.hvm; - message = "Paravirtualized EC2 instances are no longer supported."; - } - { assertion = cfg.efi -> cfg.hvm; - message = "EC2 instances using EFI must be HVM instances."; - } { assertion = versionOlder config.boot.kernelPackages.kernel.version "5.17"; message = "ENA driver fails to build with kernel >= 5.17"; } ]; - boot.growPartition = cfg.hvm; + boot.growPartition = true; fileSystems."/" = mkIf (!cfg.zfs.enable) { device = "/dev/disk/by-label/nixos"; @@ -64,9 +53,9 @@ in boot.extraModulePackages = [ config.boot.kernelPackages.ena ]; - boot.initrd.kernelModules = [ "xen-blkfront" "xen-netfront" ]; - boot.initrd.availableKernelModules = [ "ixgbevf" "ena" "nvme" ]; - boot.kernelParams = mkIf cfg.hvm [ "console=ttyS0,115200n8" "random.trust_cpu=on" ]; + boot.initrd.kernelModules = [ "xen-blkfront" ]; + boot.initrd.availableKernelModules = [ "nvme" ]; + boot.kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ]; # Prevent the nouveau kernel module from being loaded, as it # interferes with the nvidia/nvidia-uvm modules needed for CUDA. @@ -74,10 +63,7 @@ in # boot. boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ]; - # Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd. - boot.loader.grub.version = if cfg.hvm then 2 else 1; - boot.loader.grub.device = if (cfg.hvm && !cfg.efi) then "/dev/xvda" else "nodev"; - boot.loader.grub.extraPerEntryConfig = mkIf (!cfg.hvm) "root (hd0)"; + boot.loader.grub.device = if cfg.efi then "nodev" else "/dev/xvda"; boot.loader.grub.efiSupport = cfg.efi; boot.loader.grub.efiInstallAsRemovable = cfg.efi; boot.loader.timeout = 1; @@ -87,67 +73,14 @@ in terminal_input console serial ''; - boot.initrd.network.enable = true; - - # Mount all formatted ephemeral disks and activate all swap devices. - # We cannot do this with the ‘fileSystems’ and ‘swapDevices’ options - # because the set of devices is dependent on the instance type - # (e.g. "m1.small" has one ephemeral filesystem and one swap device, - # while "m1.large" has two ephemeral filesystems and no swap - # devices). Also, put /tmp and /var on /disk0, since it has a lot - # more space than the root device. Similarly, "move" /nix to /disk0 - # by layering a unionfs-fuse mount on top of it so we have a lot more space for - # Nix operations. - boot.initrd.postMountCommands = - '' - ${metadataFetcher} - - diskNr=0 - diskForUnionfs= - for device in /dev/xvd[abcde]*; do - if [ "$device" = /dev/xvda -o "$device" = /dev/xvda1 ]; then continue; fi - fsType=$(blkid -o value -s TYPE "$device" || true) - if [ "$fsType" = swap ]; then - echo "activating swap device $device..." - swapon "$device" || true - elif [ "$fsType" = ext3 ]; then - mp="/disk$diskNr" - diskNr=$((diskNr + 1)) - if mountFS "$device" "$mp" "" ext3; then - if [ -z "$diskForUnionfs" ]; then diskForUnionfs="$mp"; fi - fi - else - echo "skipping unknown device type $device" - fi - done - - if [ -n "$diskForUnionfs" ]; then - mkdir -m 755 -p $targetRoot/$diskForUnionfs/root - - mkdir -m 1777 -p $targetRoot/$diskForUnionfs/root/tmp $targetRoot/tmp - mount --bind $targetRoot/$diskForUnionfs/root/tmp $targetRoot/tmp - - if [ "$(cat "$metaDir/ami-manifest-path")" != "(unknown)" ]; then - mkdir -m 755 -p $targetRoot/$diskForUnionfs/root/var $targetRoot/var - mount --bind $targetRoot/$diskForUnionfs/root/var $targetRoot/var - - mkdir -p /unionfs-chroot/ro-nix - mount --rbind $targetRoot/nix /unionfs-chroot/ro-nix - - mkdir -m 755 -p $targetRoot/$diskForUnionfs/root/nix - mkdir -p /unionfs-chroot/rw-nix - mount --rbind $targetRoot/$diskForUnionfs/root/nix /unionfs-chroot/rw-nix - - unionfs -o allow_other,cow,nonempty,chroot=/unionfs-chroot,max_files=32768 /rw-nix=RW:/ro-nix=RO $targetRoot/nix - fi - fi - ''; - - boot.initrd.extraUtilsCommands = - '' - # We need swapon in the initrd. - copy_bin_and_libs ${pkgs.util-linux}/sbin/swapon - ''; + systemd.services.fetch-ec2-metadata = { + wantedBy = [ "multi-user.target" ]; + after = ["network-online.target"]; + path = [ pkgs.curl ]; + script = builtins.readFile ./ec2-metadata-fetcher.sh; + serviceConfig.Type = "oneshot"; + serviceConfig.StandardOutput = "journal+console"; + }; # Allow root logins only using the SSH key that the user specified # at instance creation time. @@ -166,8 +99,6 @@ in # Always include cryptsetup so that Charon can use it. environment.systemPackages = [ pkgs.cryptsetup ]; - boot.initrd.supportedFilesystems = [ "unionfs-fuse" ]; - # EC2 has its own NTP server provided by the hypervisor networking.timeServers = [ "169.254.169.123" ]; diff --git a/nixos/modules/virtualisation/amazon-options.nix b/nixos/modules/virtualisation/amazon-options.nix index 227f3e433c107..915bbf9763db4 100644 --- a/nixos/modules/virtualisation/amazon-options.nix +++ b/nixos/modules/virtualisation/amazon-options.nix @@ -2,6 +2,9 @@ let inherit (lib) literalExpression types; in { + imports = [ + (lib.mkRemovedOptionModule [ "ec2" "hvm" ] "Only HVM instances are supported, so specifying it is no longer necessary.") + ]; options = { ec2 = { zfs = { @@ -41,13 +44,6 @@ in { }); }; }; - hvm = lib.mkOption { - default = lib.versionAtLeast config.system.stateVersion "17.03"; - internal = true; - description = lib.mdDoc '' - Whether the EC2 instance is a HVM instance. - ''; - }; efi = lib.mkOption { default = pkgs.stdenv.hostPlatform.isAarch64; defaultText = literalExpression "pkgs.stdenv.hostPlatform.isAarch64"; diff --git a/nixos/modules/virtualisation/appvm.nix b/nixos/modules/virtualisation/appvm.nix index b23b321095cf9..9fe2995d37a06 100644 --- a/nixos/modules/virtualisation/appvm.nix +++ b/nixos/modules/virtualisation/appvm.nix @@ -20,7 +20,7 @@ in { user = mkOption { type = types.str; description = lib.mdDoc '' - AppVM user login. Currenly only AppVMs are supported for a single user only. + AppVM user login. Currently only AppVMs are supported for a single user only. ''; }; }; diff --git a/nixos/modules/virtualisation/container-config.nix b/nixos/modules/virtualisation/container-config.nix index 09a2d9de040a2..2460ec45e3fca 100644 --- a/nixos/modules/virtualisation/container-config.nix +++ b/nixos/modules/virtualisation/container-config.nix @@ -8,7 +8,9 @@ with lib; # Disable some features that are not useful in a container. + # containers don't have a kernel boot.kernel.enable = false; + boot.modprobeConfig.enable = false; console.enable = mkDefault false; @@ -24,6 +26,9 @@ with lib; # containers do not need to setup devices services.udev.enable = false; + # containers normally do not need to manage logical volumes + services.lvm.enable = lib.mkDefault false; + # Shut up warnings about not having a boot loader. system.build.installBootLoader = lib.mkDefault "${pkgs.coreutils}/bin/true"; diff --git a/nixos/modules/virtualisation/ec2-data.nix b/nixos/modules/virtualisation/ec2-data.nix index 1b764e7e4d80a..0cc6d9938e220 100644 --- a/nixos/modules/virtualisation/ec2-data.nix +++ b/nixos/modules/virtualisation/ec2-data.nix @@ -18,6 +18,7 @@ with lib; wantedBy = [ "multi-user.target" "sshd.service" ]; before = [ "sshd.service" ]; + after = ["fetch-ec2-metadata.service"]; path = [ pkgs.iproute2 ]; diff --git a/nixos/modules/virtualisation/ec2-metadata-fetcher.nix b/nixos/modules/virtualisation/ec2-metadata-fetcher.nix deleted file mode 100644 index 760f024f33fbd..0000000000000 --- a/nixos/modules/virtualisation/ec2-metadata-fetcher.nix +++ /dev/null @@ -1,77 +0,0 @@ -{ curl, targetRoot, wgetExtraOptions }: -# Note: be very cautious about dependencies, each dependency grows -# the closure of the initrd. Ideally we would not even require curl, -# but there is no reasonable way to send an HTTP PUT request without -# it. Note: do not be fooled: the wget referenced in this script -# is busybox's wget, not the fully featured one with --method support. -# -# Make sure that every package you depend on here is already listed as -# a channel blocker for both the full-sized and small channels. -# Otherwise, we risk breaking user deploys in released channels. -# -# Also note: OpenStack's metadata service for its instances aims to be -# compatible with the EC2 IMDS. Where possible, try to keep the set of -# fetched metadata in sync with ./openstack-metadata-fetcher.nix . -'' - metaDir=${targetRoot}etc/ec2-metadata - mkdir -m 0755 -p "$metaDir" - rm -f "$metaDir/*" - - get_imds_token() { - # retry-delay of 1 selected to give the system a second to get going, - # but not add a lot to the bootup time - ${curl}/bin/curl \ - -v \ - --retry 3 \ - --retry-delay 1 \ - --fail \ - -X PUT \ - --connect-timeout 1 \ - -H "X-aws-ec2-metadata-token-ttl-seconds: 600" \ - http://169.254.169.254/latest/api/token - } - - preflight_imds_token() { - # retry-delay of 1 selected to give the system a second to get going, - # but not add a lot to the bootup time - ${curl}/bin/curl \ - -v \ - --retry 3 \ - --retry-delay 1 \ - --fail \ - --connect-timeout 1 \ - -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \ - http://169.254.169.254/1.0/meta-data/instance-id - } - - try=1 - while [ $try -le 3 ]; do - echo "(attempt $try/3) getting an EC2 instance metadata service v2 token..." - IMDS_TOKEN=$(get_imds_token) && break - try=$((try + 1)) - sleep 1 - done - - if [ "x$IMDS_TOKEN" == "x" ]; then - echo "failed to fetch an IMDS2v token." - fi - - try=1 - while [ $try -le 10 ]; do - echo "(attempt $try/10) validating the EC2 instance metadata service v2 token..." - preflight_imds_token && break - try=$((try + 1)) - sleep 1 - done - - echo "getting EC2 instance metadata..." - - wget_imds() { - wget ${wgetExtraOptions} --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" "$@"; - } - - wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path - (umask 077 && wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data) - wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname - wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key -'' diff --git a/nixos/modules/virtualisation/ec2-metadata-fetcher.sh b/nixos/modules/virtualisation/ec2-metadata-fetcher.sh new file mode 100644 index 0000000000000..9e204d45dbd83 --- /dev/null +++ b/nixos/modules/virtualisation/ec2-metadata-fetcher.sh @@ -0,0 +1,67 @@ +metaDir=/etc/ec2-metadata +mkdir -m 0755 -p "$metaDir" +rm -f "$metaDir/*" + +get_imds_token() { + # retry-delay of 1 selected to give the system a second to get going, + # but not add a lot to the bootup time + curl \ + --silent \ + --show-error \ + --retry 3 \ + --retry-delay 1 \ + --fail \ + -X PUT \ + --connect-timeout 1 \ + -H "X-aws-ec2-metadata-token-ttl-seconds: 600" \ + http://169.254.169.254/latest/api/token +} + +preflight_imds_token() { + # retry-delay of 1 selected to give the system a second to get going, + # but not add a lot to the bootup time + curl \ + --silent \ + --show-error \ + --retry 3 \ + --retry-delay 1 \ + --fail \ + --connect-timeout 1 \ + -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \ + -o /dev/null \ + http://169.254.169.254/1.0/meta-data/instance-id +} + +try=1 +while [ $try -le 3 ]; do + echo "(attempt $try/3) getting an EC2 instance metadata service v2 token..." + IMDS_TOKEN=$(get_imds_token) && break + try=$((try + 1)) + sleep 1 +done + +if [ "x$IMDS_TOKEN" == "x" ]; then + echo "failed to fetch an IMDS2v token." +fi + +try=1 +while [ $try -le 10 ]; do + echo "(attempt $try/10) validating the EC2 instance metadata service v2 token..." + preflight_imds_token && break + try=$((try + 1)) + sleep 1 +done + +echo "getting EC2 instance metadata..." + +get_imds() { + # Intentionally no --fail here, so that we proceed even if e.g. a + # 404 was returned (but we still fail if we can't reach the IMDS + # server). + curl --silent --show-error --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" "$@" +} + +get_imds -o "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path +(umask 077 && get_imds -o "$metaDir/user-data" http://169.254.169.254/1.0/user-data) +get_imds -o "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname +get_imds -o "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key diff --git a/nixos/modules/virtualisation/hyperv-guest.nix b/nixos/modules/virtualisation/hyperv-guest.nix index 7c73e32be6959..cba4f92abe822 100644 --- a/nixos/modules/virtualisation/hyperv-guest.nix +++ b/nixos/modules/virtualisation/hyperv-guest.nix @@ -56,8 +56,6 @@ in { systemd = { packages = [ config.boot.kernelPackages.hyperv-daemons.lib ]; - services.hv-vss.unitConfig.ConditionPathExists = [ "/dev/vmbus/hv_vss" ]; - targets.hyperv-daemons = { wantedBy = [ "multi-user.target" ]; }; diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index 3b30bc8c41658..7c95405ed3189 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -220,6 +220,17 @@ in ''; }; + parallelShutdown = mkOption { + type = types.ints.unsigned; + default = 0; + description = lib.mdDoc '' + Number of guests that will be shutdown concurrently, taking effect when onShutdown + is set to "shutdown". If set to 0, guests will be shutdown one after another. + Number of guests on shutdown at any time will not exceed number set in this + variable. + ''; + }; + allowedBridges = mkOption { type = types.listOf types.str; default = [ "virbr0" ]; @@ -373,6 +384,7 @@ in environment.ON_BOOT = "${cfg.onBoot}"; environment.ON_SHUTDOWN = "${cfg.onShutdown}"; + environment.PARALLEL_SHUTDOWN = "${toString cfg.parallelShutdown}"; }; systemd.sockets.virtlogd = { diff --git a/nixos/modules/virtualisation/lxc-container.nix b/nixos/modules/virtualisation/lxc-container.nix index f05f04baa35da..4963d9f3f9e4f 100644 --- a/nixos/modules/virtualisation/lxc-container.nix +++ b/nixos/modules/virtualisation/lxc-container.nix @@ -51,8 +51,8 @@ in { imports = [ ../installer/cd-dvd/channel.nix - ../profiles/minimal.nix ../profiles/clone-config.nix + ../profiles/minimal.nix ]; options = { @@ -88,6 +88,16 @@ in }; ''; }; + + privilegedContainer = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether this LXC container will be running as a privileged container or not. If set to `true` then + additional configuration will be applied to the `systemd` instance running within the container as + recommended by [distrobuilder](https://linuxcontainers.org/distrobuilder/introduction/). + ''; + }; }; }; @@ -146,12 +156,31 @@ in }; # Add the overrides from lxd distrobuilder - systemd.extraConfig = '' - [Service] - ProtectProc=default - ProtectControlGroups=no - ProtectKernelTunables=no - ''; + # https://github.com/lxc/distrobuilder/blob/05978d0d5a72718154f1525c7d043e090ba7c3e0/distrobuilder/main.go#L630 + systemd.packages = [ + (pkgs.writeTextFile { + name = "systemd-lxc-service-overrides"; + destination = "/etc/systemd/system/service.d/zzz-lxc-service.conf"; + text = '' + [Service] + ProcSubset=all + ProtectProc=default + ProtectControlGroups=no + ProtectKernelTunables=no + NoNewPrivileges=no + LoadCredential= + '' + optionalString cfg.privilegedContainer '' + # Additional settings for privileged containers + ProtectHome=no + ProtectSystem=no + PrivateDevices=no + PrivateTmp=no + ProtectKernelLogs=no + ProtectKernelModules=no + ReadWritePaths= + ''; + }) + ]; # Allow the user to login as root without password. users.users.root.initialHashedPassword = mkOverride 150 ""; @@ -170,5 +199,11 @@ in # Containers should be light-weight, so start sshd on demand. services.openssh.enable = mkDefault true; services.openssh.startWhenNeeded = mkDefault true; + + # As this is intended as a standalone image, undo some of the minimal profile stuff + environment.noXlibs = false; + documentation.enable = true; + documentation.nixos.enable = true; + services.logrotate.enable = true; }; } diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix index 764bb5e3b40ed..c06716e5eb605 100644 --- a/nixos/modules/virtualisation/lxd.nix +++ b/nixos/modules/virtualisation/lxd.nix @@ -129,11 +129,19 @@ in { description = "LXD Container Management Daemon"; wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" "lxcfs.service" ]; - requires = [ "network-online.target" "lxd.socket" "lxcfs.service" ]; + after = [ + "network-online.target" + (mkIf config.virtualisation.lxc.lxcfs.enable "lxcfs.service") + ]; + requires = [ + "network-online.target" + "lxd.socket" + (mkIf config.virtualisation.lxc.lxcfs.enable "lxcfs.service") + ]; documentation = [ "man:lxd(1)" ]; - path = optional cfg.zfsSupport config.boot.zfs.package; + path = [ pkgs.util-linux ] + ++ optional cfg.zfsSupport config.boot.zfs.package; serviceConfig = { ExecStart = "@${cfg.package}/bin/lxd lxd --group lxd"; diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix index 02414b7d60e99..e1e640c447425 100644 --- a/nixos/modules/virtualisation/nixos-containers.nix +++ b/nixos/modules/virtualisation/nixos-containers.nix @@ -9,6 +9,10 @@ let configurationDirectory = "/etc/${configurationDirectoryName}"; stateDirectory = "/var/lib/${configurationPrefix}containers"; + nixos-container = pkgs.nixos-container.override { + inherit stateDirectory configurationDirectory; + }; + # The container's init script, a small wrapper around the regular # NixOS stage-2 init script. containerInit = (cfg: @@ -250,7 +254,7 @@ let ExecReload = pkgs.writeScript "reload-container" '' #! ${pkgs.runtimeShell} -e - ${pkgs.nixos-container}/bin/nixos-container run "$INSTANCE" -- \ + ${nixos-container}/bin/nixos-container run "$INSTANCE" -- \ bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test" ''; @@ -868,9 +872,7 @@ in ''; environment.systemPackages = [ - (pkgs.nixos-container.override { - inherit stateDirectory configurationDirectory; - }) + nixos-container ]; boot.kernelModules = [ diff --git a/nixos/modules/virtualisation/podman/default.nix b/nixos/modules/virtualisation/podman/default.nix index 118bf82cdd663..13bbb4471ea5d 100644 --- a/nixos/modules/virtualisation/podman/default.nix +++ b/nixos/modules/virtualisation/podman/default.nix @@ -109,6 +109,37 @@ in ''; }; + autoPrune = { + enable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to periodically prune Podman resources. If enabled, a + systemd timer will run `podman system prune -f` + as specified by the `dates` option. + ''; + }; + + flags = mkOption { + type = types.listOf types.str; + default = []; + example = [ "--all" ]; + description = lib.mdDoc '' + Any additional flags passed to {command}`podman system prune`. + ''; + }; + + dates = mkOption { + default = "weekly"; + type = types.str; + description = lib.mdDoc '' + Specification (in the format described by + {manpage}`systemd.time(7)`) of the time at + which the prune will occur. + ''; + }; + }; + package = lib.mkOption { type = types.package; default = podmanPackage; @@ -151,6 +182,23 @@ in ExecStart = [ "" "${cfg.package}/bin/podman $LOGGING system service" ]; }; + systemd.services.podman-prune = { + description = "Prune podman resources"; + + restartIfChanged = false; + unitConfig.X-StopOnRemoval = false; + + serviceConfig.Type = "oneshot"; + + script = '' + ${cfg.package}/bin/podman system prune -f ${toString cfg.autoPrune.flags} + ''; + + startAt = lib.optional cfg.autoPrune.enable cfg.autoPrune.dates; + after = [ "podman.service" ]; + requires = [ "podman.service" ]; + }; + systemd.sockets.podman.wantedBy = [ "sockets.target" ]; systemd.sockets.podman.socketConfig.SocketGroup = "podman"; diff --git a/nixos/modules/virtualisation/proxmox-image.nix b/nixos/modules/virtualisation/proxmox-image.nix index 4fca8ce9e7eb6..6a4220fd265ca 100644 --- a/nixos/modules/virtualisation/proxmox-image.nix +++ b/nixos/modules/virtualisation/proxmox-image.nix @@ -28,7 +28,7 @@ with lib; default = "local-lvm:vm-9999-disk-0"; example = "ceph:vm-123-disk-0"; description = lib.mdDoc '' - Configuration for the default virtio disk. It can be used as a cue for PVE to autodetect the target sotrage. + Configuration for the default virtio disk. It can be used as a cue for PVE to autodetect the target storage. This parameter is required by PVE even if it isn't used. ''; }; @@ -53,6 +53,13 @@ with lib; Guest memory in MB ''; }; + bios = mkOption { + type = types.enum [ "seabios" "ovmf" ]; + default = "seabios"; + description = '' + Select BIOS implementation (seabios = Legacy BIOS, ovmf = UEFI). + ''; + }; # optional configs name = mkOption { @@ -99,6 +106,17 @@ with lib; Additional options appended to qemu-server.conf ''; }; + partitionTableType = mkOption { + type = types.enum [ "efi" "hybrid" "legacy" "legacy+gpt" ]; + description = '' + Partition table type to use. See make-disk-image.nix partitionTableType for details. + Defaults to 'legacy' for 'proxmox.qemuConf.bios="seabios"' (default), other bios values defaults to 'efi'. + Use 'hybrid' to build grub-based hybrid bios+efi images. + ''; + default = if config.proxmox.qemuConf.bios == "seabios" then "legacy" else "efi"; + defaultText = lib.literalExpression ''if config.proxmox.qemuConf.bios == "seabios" then "legacy" else "efi"''; + example = "hybrid"; + }; filenameSuffix = mkOption { type = types.str; default = config.proxmox.qemuConf.name; @@ -122,9 +140,33 @@ with lib; ${lib.concatStrings (lib.mapAttrsToList cfgLine properties)} #qmdump#map:virtio0:drive-virtio0:local-lvm:raw: ''; + inherit (cfg) partitionTableType; + supportEfi = partitionTableType == "efi" || partitionTableType == "hybrid"; + supportBios = partitionTableType == "legacy" || partitionTableType == "hybrid" || partitionTableType == "legacy+gpt"; + hasBootPartition = partitionTableType == "efi" || partitionTableType == "hybrid"; + hasNoFsPartition = partitionTableType == "hybrid" || partitionTableType == "legacy+gpt"; in { + assertions = [ + { + assertion = config.boot.loader.systemd-boot.enable -> config.proxmox.qemuConf.bios == "ovmf"; + message = "systemd-boot requires 'ovmf' bios"; + } + { + assertion = partitionTableType == "efi" -> config.proxmox.qemuConf.bios == "ovmf"; + message = "'efi' disk partitioning requires 'ovmf' bios"; + } + { + assertion = partitionTableType == "legacy" -> config.proxmox.qemuConf.bios == "seabios"; + message = "'legacy' disk partitioning requires 'seabios' bios"; + } + { + assertion = partitionTableType == "legacy+gpt" -> config.proxmox.qemuConf.bios == "seabios"; + message = "'legacy+gpt' disk partitioning requires 'seabios' bios"; + } + ]; system.build.VMA = import ../../lib/make-disk-image.nix { name = "proxmox-${cfg.filenameSuffix}"; + inherit partitionTableType; postVM = let # Build qemu with PVE's patch that adds support for the VMA format vma = (pkgs.qemu_kvm.override { @@ -181,7 +223,18 @@ with lib; boot = { growPartition = true; kernelParams = [ "console=ttyS0" ]; - loader.grub.device = lib.mkDefault "/dev/vda"; + loader.grub = { + device = lib.mkDefault (if (hasNoFsPartition || supportBios) then + # Even if there is a separate no-fs partition ("/dev/disk/by-partlabel/no-fs" i.e. "/dev/vda2"), + # which will be used the bootloader, do not set it as loader.grub.device. + # GRUB installation fails, unless the whole disk is selected. + "/dev/vda" + else + "nodev"); + efiSupport = lib.mkDefault supportEfi; + efiInstallAsRemovable = lib.mkDefault supportEfi; + }; + loader.timeout = 0; initrd.availableKernelModules = [ "uas" "virtio_blk" "virtio_pci" ]; }; @@ -191,6 +244,10 @@ with lib; autoResize = true; fsType = "ext4"; }; + fileSystems."/boot" = lib.mkIf hasBootPartition { + device = "/dev/disk/by-label/ESP"; + fsType = "vfat"; + }; services.qemuGuest.enable = lib.mkDefault true; }; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index edc6dfdc15ae9..1b3c0e23f97db 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -580,7 +580,7 @@ in virtualisation.host.pkgs = mkOption { type = options.nixpkgs.pkgs.type; default = pkgs; - defaultText = "pkgs"; + defaultText = literalExpression "pkgs"; example = literalExpression '' import pkgs.path { system = "x86_64-darwin"; } ''; @@ -595,7 +595,8 @@ in mkOption { type = types.package; default = cfg.host.pkgs.qemu_kvm; - example = "pkgs.qemu_test"; + defaultText = literalExpression "config.virtualisation.host.pkgs.qemu_kvm"; + example = literalExpression "pkgs.qemu_test"; description = lib.mdDoc "QEMU package to use."; }; @@ -721,7 +722,7 @@ in firmware = mkOption { type = types.path; default = pkgs.OVMF.firmware; - defaultText = "pkgs.OVMF.firmware"; + defaultText = literalExpression "pkgs.OVMF.firmware"; description = lib.mdDoc '' Firmware binary for EFI implementation, defaults to OVMF. @@ -731,7 +732,7 @@ in variables = mkOption { type = types.path; default = pkgs.OVMF.variables; - defaultText = "pkgs.OVMF.variables"; + defaultText = literalExpression "pkgs.OVMF.variables"; description = lib.mdDoc '' Platform-specific flash binary for EFI variables, implementation-dependent to the EFI firmware. @@ -806,7 +807,7 @@ in optional ( cfg.writableStore && cfg.useNixStoreImage && - opt.writableStore.highestPrio > lib.modules.defaultPriority) + opt.writableStore.highestPrio > lib.modules.defaultOverridePriority) '' You have enabled ${opt.useNixStoreImage} = true, without setting ${opt.writableStore} = false. @@ -858,7 +859,8 @@ in # If the disk image appears to be empty, run mke2fs to # initialise. FSTYPE=$(blkid -o value -s TYPE ${cfg.bootDevice} || true) - if test -z "$FSTYPE"; then + PARTTYPE=$(blkid -o value -s PTTYPE ${cfg.bootDevice} || true) + if test -z "$FSTYPE" -a -z "$PARTTYPE"; then mke2fs -t ext4 ${cfg.bootDevice} fi ''; diff --git a/nixos/modules/virtualisation/rosetta.nix b/nixos/modules/virtualisation/rosetta.nix new file mode 100644 index 0000000000000..109b114d649c5 --- /dev/null +++ b/nixos/modules/virtualisation/rosetta.nix @@ -0,0 +1,73 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.virtualisation.rosetta; + inherit (lib) types; +in +{ + options = { + virtualisation.rosetta.enable = lib.mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to enable [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) support. + + This feature requires the system to be a virtualised guest on an Apple silicon host. + + The default settings are suitable for the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm). + Make sure to select 'Apple Virtualization' as the virtualisation engine and then tick the 'Enable Rosetta' option. + ''; + }; + + virtualisation.rosetta.mountPoint = lib.mkOption { + type = types.str; + default = "/run/rosetta"; + internal = true; + description = lib.mdDoc '' + The mount point for the Rosetta runtime inside the guest system. + + The proprietary runtime is exposed through a VirtioFS directory share and then mounted at this directory. + ''; + }; + + virtualisation.rosetta.mountTag = lib.mkOption { + type = types.str; + default = "rosetta"; + description = lib.mdDoc '' + The VirtioFS mount tag for the Rosetta runtime, exposed by the host's virtualisation software. + + If supported, your virtualisation software should provide instructions on how register the Rosetta runtime inside Linux guests. + These instructions should mention the name of the mount tag used for the VirtioFS directory share that contains the Rosetta runtime. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = pkgs.stdenv.hostPlatform.isAarch64; + message = "Rosetta is only supported on aarch64 systems"; + } + ]; + + fileSystems."${cfg.mountPoint}" = { + device = cfg.mountTag; + fsType = "virtiofs"; + }; + + boot.binfmt.registrations.rosetta = { + interpreter = "${cfg.mountPoint}/rosetta"; + + # The required flags for binfmt are documented by Apple: + # https://developer.apple.com/documentation/virtualization/running_intel_binaries_in_linux_vms_with_rosetta + magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00''; + mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff''; + fixBinary = true; + matchCredentials = true; + preserveArgvZero = false; + + # Remove the shell wrapper and call the runtime directly + wrapInterpreterInShell = false; + }; + }; +} diff --git a/nixos/modules/virtualisation/vmware-host.nix b/nixos/modules/virtualisation/vmware-host.nix index e1d695640be1a..4b2dc28aeac71 100644 --- a/nixos/modules/virtualisation/vmware-host.nix +++ b/nixos/modules/virtualisation/vmware-host.nix @@ -120,7 +120,7 @@ in # Services systemd.services."vmware-authdlauncher" = { - description = "VMware Authentification Daemon"; + description = "VMware Authentication Daemon"; serviceConfig = { Type = "forking"; ExecStart = [ "${cfg.package}/bin/vmware-authdlauncher" ]; diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index bd7b452735f1c..337b5192776f8 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -77,6 +77,7 @@ in rec { (onFullSupported "nixos.tests.i3wm") (onSystems ["x86_64-linux"] "nixos.tests.installer.btrfsSimple") (onSystems ["x86_64-linux"] "nixos.tests.installer.btrfsSubvolDefault") + (onSystems ["x86_64-linux"] "nixos.tests.installer.btrfsSubvolEscape") (onSystems ["x86_64-linux"] "nixos.tests.installer.btrfsSubvols") (onSystems ["x86_64-linux"] "nixos.tests.installer.luksroot") (onSystems ["x86_64-linux"] "nixos.tests.installer.lvm") diff --git a/nixos/release.nix b/nixos/release.nix index 919aa86a2d639..946379bcd6611 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -181,14 +181,22 @@ in rec { inherit system; }); - # A variant with a more recent (but possibly less stable) kernel - # that might support more hardware. + # A variant with a more recent (but possibly less stable) kernel that might support more hardware. + # This variant keeps zfs support enabled, hoping it will build and work. iso_minimal_new_kernel = forMatchingSystems [ "x86_64-linux" "aarch64-linux" ] (system: makeIso { module = ./modules/installer/cd-dvd/installation-cd-minimal-new-kernel.nix; type = "minimal-new-kernel"; inherit system; }); + # A variant with a more recent (but possibly less stable) kernel that might support more hardware. + # ZFS support disabled since it is unlikely to support the latest kernel. + iso_minimal_new_kernel_no_zfs = forMatchingSystems [ "x86_64-linux" "aarch64-linux" ] (system: makeIso { + module = ./modules/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix; + type = "minimal-new-kernel-no-zfs"; + inherit system; + }); + sd_image = forMatchingSystems [ "armv6l-linux" "armv7l-linux" "aarch64-linux" ] (system: makeSdImage { module = { armv6l-linux = ./modules/installer/sd-card/sd-image-raspberrypi-installer.nix; @@ -206,6 +214,14 @@ in rec { inherit system; }); + sd_image_new_kernel_no_zfs = forMatchingSystems [ "aarch64-linux" ] (system: makeSdImage { + module = { + aarch64-linux = ./modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix; + }.${system}; + type = "minimal-new-kernel-no-zfs"; + inherit system; + }); + # A bootable VirtualBox virtual appliance as an OVA file (i.e. packaged OVF). ova = forMatchingSystems [ "x86_64-linux" ] (system: diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix index d540bc6ec31bb..d62bf0c0fd92d 100644 --- a/nixos/tests/acme.nix +++ b/nixos/tests/acme.nix @@ -144,7 +144,11 @@ in { name = "acme"; - meta.maintainers = lib.teams.acme.members; + meta = { + maintainers = lib.teams.acme.members; + # Hard timeout in seconds. Average run time is about 7 minutes. + timeout = 1800; + }; nodes = { # The fake ACME server which will respond to client requests @@ -277,7 +281,7 @@ in { }; }; - # Test compatiblity with Caddy + # Test compatibility with Caddy # It only supports useACMEHost, hence not using mkServerConfigs } // (let baseCaddyConfig = { nodes, config, ... }: { @@ -357,6 +361,30 @@ in { import time + TOTAL_RETRIES = 20 + + + class BackoffTracker(object): + delay = 1 + increment = 1 + + def handle_fail(self, retries, message) -> int: + assert retries < TOTAL_RETRIES, message + + print(f"Retrying in {self.delay}s, {retries + 1}/{TOTAL_RETRIES}") + time.sleep(self.delay) + + # Only increment after the first try + if retries == 0: + self.delay += self.increment + self.increment *= 2 + + return retries + 1 + + + backoff = BackoffTracker() + + def switch_to(node, name): # On first switch, this will create a symlink to the current system so that we can # quickly switch between derivations @@ -404,9 +432,7 @@ in { assert False - def check_connection(node, domain, retries=3): - assert retries >= 0, f"Failed to connect to https://{domain}" - + def check_connection(node, domain, retries=0): result = node.succeed( "openssl s_client -brief -verify 2 -CAfile /tmp/ca.crt" f" -servername {domain} -connect {domain}:443 < /dev/null 2>&1" @@ -414,13 +440,11 @@ in { for line in result.lower().split("\n"): if "verification" in line and "error" in line: - time.sleep(3) - return check_connection(node, domain, retries - 1) + retries = backoff.handle_fail(retries, f"Failed to connect to https://{domain}") + return check_connection(node, domain, retries) - def check_connection_key_bits(node, domain, bits, retries=3): - assert retries >= 0, f"Did not find expected number of bits ({bits}) in key" - + def check_connection_key_bits(node, domain, bits, retries=0): result = node.succeed( "openssl s_client -CAfile /tmp/ca.crt" f" -servername {domain} -connect {domain}:443 < /dev/null" @@ -429,13 +453,11 @@ in { print("Key type:", result) if bits not in result: - time.sleep(3) - return check_connection_key_bits(node, domain, bits, retries - 1) - + retries = backoff.handle_fail(retries, f"Did not find expected number of bits ({bits}) in key") + return check_connection_key_bits(node, domain, bits, retries) - def check_stapling(node, domain, retries=3): - assert retries >= 0, "OCSP Stapling check failed" + def check_stapling(node, domain, retries=0): # Pebble doesn't provide a full OCSP responder, so just check the URL result = node.succeed( "openssl s_client -CAfile /tmp/ca.crt" @@ -445,21 +467,19 @@ in { print("OCSP Responder URL:", result) if "${caDomain}:4002" not in result.lower(): - time.sleep(3) - return check_stapling(node, domain, retries - 1) - + retries = backoff.handle_fail(retries, "OCSP Stapling check failed") + return check_stapling(node, domain, retries) - def download_ca_certs(node, retries=5): - assert retries >= 0, "Failed to connect to pebble to download root CA certs" + def download_ca_certs(node, retries=0): exit_code, _ = node.execute("curl https://${caDomain}:15000/roots/0 > /tmp/ca.crt") exit_code_2, _ = node.execute( "curl https://${caDomain}:15000/intermediate-keys/0 >> /tmp/ca.crt" ) if exit_code + exit_code_2 > 0: - time.sleep(3) - return download_ca_certs(node, retries - 1) + retries = backoff.handle_fail(retries, "Failed to connect to pebble to download root CA certs") + return download_ca_certs(node, retries) start_all() diff --git a/nixos/tests/adguardhome.nix b/nixos/tests/adguardhome.nix index 5be69e22e5329..ec1cc1e497b50 100644 --- a/nixos/tests/adguardhome.nix +++ b/nixos/tests/adguardhome.nix @@ -2,6 +2,15 @@ name = "adguardhome"; nodes = { + nullConf = { ... }: { services.adguardhome = { enable = true; }; }; + + emptyConf = { lib, ... }: { + services.adguardhome = { + enable = true; + settings = {}; + }; + }; + declarativeConf = { ... }: { services.adguardhome = { enable = true; @@ -34,6 +43,13 @@ }; testScript = '' + with subtest("Minimal (settings = null) config test"): + nullConf.wait_for_unit("adguardhome.service") + + with subtest("Default config test"): + emptyConf.wait_for_unit("adguardhome.service") + emptyConf.wait_for_open_port(3000) + with subtest("Declarative config test, DNS will be reachable"): declarativeConf.wait_for_unit("adguardhome.service") declarativeConf.wait_for_open_port(53) diff --git a/nixos/tests/aesmd.nix b/nixos/tests/aesmd.nix index 5da661afd5480..848e1c5992014 100644 --- a/nixos/tests/aesmd.nix +++ b/nixos/tests/aesmd.nix @@ -1,7 +1,7 @@ { pkgs, lib, ... }: { name = "aesmd"; meta = { - maintainers = with lib.maintainers; [ veehaitch ]; + maintainers = with lib.maintainers; [ trundle veehaitch ]; }; nodes.machine = { lib, ... }: { @@ -25,38 +25,78 @@ # We don't have a real SGX machine in NixOS tests systemd.services.aesmd.unitConfig.AssertPathExists = lib.mkForce [ ]; + + specialisation = { + withQuoteProvider.configuration = { ... }: { + services.aesmd = { + quoteProviderLibrary = pkgs.sgx-azure-dcap-client; + environment = { + AZDCAP_DEBUG_LOG_LEVEL = "INFO"; + }; + }; + }; + }; }; - testScript = '' - with subtest("aesmd.service starts"): - machine.wait_for_unit("aesmd.service") - status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service") - assert status == 0, "Could not get MainPID of aesmd.service" - main_pid = main_pid.strip() - - with subtest("aesmd.service runtime directory permissions"): - runtime_dir = "/run/aesmd"; - res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip() - assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}" - - with subtest("aesm.socket available on host"): - socket_path = "/var/run/aesmd/aesm.socket" - machine.wait_until_succeeds(f"test -S {socket_path}") - machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})") - for op in [ "-r", "-w", "-x" ]: - machine.succeed(f"sudo -u sgxtest test {op} {socket_path}") - machine.fail(f"sudo -u nosgxtest test {op} {socket_path}") - - with subtest("Copies white_list_cert_to_be_verify.bin"): - whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin" - whitelist_perms = machine.succeed( - f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}" - ).strip() - assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}" - - with subtest("Writes and binds aesm.conf in service namespace"): - aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf") - - assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs" - ''; + testScript = { nodes, ... }: + let + specialisations = "${nodes.machine.system.build.toplevel}/specialisation"; + in + '' + def get_aesmd_pid(): + status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service") + assert status == 0, "Could not get MainPID of aesmd.service" + return main_pid.strip() + + with subtest("aesmd.service starts"): + machine.wait_for_unit("aesmd.service") + + main_pid = get_aesmd_pid() + + with subtest("aesmd.service runtime directory permissions"): + runtime_dir = "/run/aesmd"; + res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip() + assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}" + + with subtest("aesm.socket available on host"): + socket_path = "/var/run/aesmd/aesm.socket" + machine.wait_until_succeeds(f"test -S {socket_path}") + machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})") + for op in [ "-r", "-w", "-x" ]: + machine.succeed(f"sudo -u sgxtest test {op} {socket_path}") + machine.fail(f"sudo -u nosgxtest test {op} {socket_path}") + + with subtest("Copies white_list_cert_to_be_verify.bin"): + whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin" + whitelist_perms = machine.succeed( + f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}" + ).strip() + assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}" + + with subtest("Writes and binds aesm.conf in service namespace"): + aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf") + + assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs" + + with subtest("aesmd.service without quote provider library has correct LD_LIBRARY_PATH"): + status, environment = machine.systemctl("show --property Environment --value aesmd.service") + assert status == 0, "Could not get Environment of aesmd.service" + env_by_name = dict(entry.split("=", 1) for entry in environment.split()) + assert not env_by_name["LD_LIBRARY_PATH"], "LD_LIBRARY_PATH is not empty" + + with subtest("aesmd.service with quote provider library starts"): + machine.succeed('${specialisations}/withQuoteProvider/bin/switch-to-configuration test') + machine.wait_for_unit("aesmd.service") + + main_pid = get_aesmd_pid() + + with subtest("aesmd.service with quote provider library has correct LD_LIBRARY_PATH"): + ld_library_path = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep LD_LIBRARY_PATH") + assert ld_library_path.startswith("LD_LIBRARY_PATH=${pkgs.sgx-azure-dcap-client}/lib:"), \ + "LD_LIBRARY_PATH is not set to the configured quote provider library" + + with subtest("aesmd.service with quote provider library has set AZDCAP_DEBUG_LOG_LEVEL"): + azdcp_debug_log_level = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep AZDCAP_DEBUG_LOG_LEVEL") + assert azdcp_debug_log_level == "AZDCAP_DEBUG_LOG_LEVEL=INFO\n", "AZDCAP_DEBUG_LOG_LEVEL is not set to INFO" + ''; } diff --git a/nixos/tests/akkoma.nix b/nixos/tests/akkoma.nix new file mode 100644 index 0000000000000..7115c0beed34d --- /dev/null +++ b/nixos/tests/akkoma.nix @@ -0,0 +1,121 @@ +/* + End-to-end test for Akkoma. + + Based in part on nixos/tests/pleroma. + + TODO: Test federation. +*/ +import ./make-test-python.nix ({ pkgs, package ? pkgs.akkoma, confined ? false, ... }: +let + userPassword = "4LKOrGo8SgbPm1a6NclVU5Wb"; + + provisionUser = pkgs.writers.writeBashBin "provisionUser" '' + set -eu -o errtrace -o pipefail + + pleroma_ctl user new jamy jamy@nixos.test --password '${userPassword}' --moderator --admin -y + ''; + + tlsCert = pkgs.runCommand "selfSignedCerts" { + nativeBuildInputs = with pkgs; [ openssl ]; + } '' + mkdir -p $out + openssl req -x509 \ + -subj '/CN=akkoma.nixos.test/' -days 49710 \ + -addext 'subjectAltName = DNS:akkoma.nixos.test' \ + -keyout "$out/key.pem" -newkey ed25519 \ + -out "$out/cert.pem" -noenc + ''; + + sendToot = pkgs.writers.writeBashBin "sendToot" '' + set -eu -o errtrace -o pipefail + + export REQUESTS_CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt" + + echo '${userPassword}' | ${pkgs.toot}/bin/toot login_cli -i "akkoma.nixos.test" -e "jamy@nixos.test" + echo "y" | ${pkgs.toot}/bin/toot post "hello world Jamy here" + echo "y" | ${pkgs.toot}/bin/toot timeline | grep -F -q "hello world Jamy here" + + # Test file upload + echo "y" | ${pkgs.toot}/bin/toot upload <(dd if=/dev/zero bs=1024 count=1024 status=none) \ + | grep -F -q "https://akkoma.nixos.test/media" + ''; + + checkFe = pkgs.writers.writeBashBin "checkFe" '' + set -eu -o errtrace -o pipefail + + paths=( / /static/{config,styles}.json /pleroma/admin/ ) + + for path in "''${paths[@]}"; do + diff \ + <(${pkgs.curl}/bin/curl -f -S -s -o /dev/null -w '%{response_code}' "https://akkoma.nixos.test$path") \ + <(echo -n 200) + done + ''; + + hosts = nodes: '' + ${nodes.akkoma.networking.primaryIPAddress} akkoma.nixos.test + ${nodes.client.networking.primaryIPAddress} client.nixos.test + ''; +in +{ + name = "akkoma"; + nodes = { + client = { nodes, pkgs, config, ... }: { + security.pki.certificateFiles = [ "${tlsCert}/cert.pem" ]; + networking.extraHosts = hosts nodes; + }; + + akkoma = { nodes, pkgs, config, ... }: { + networking.extraHosts = hosts nodes; + networking.firewall.allowedTCPPorts = [ 443 ]; + environment.systemPackages = with pkgs; [ provisionUser ]; + systemd.services.akkoma.confinement.enable = confined; + + services.akkoma = { + enable = true; + package = package; + config = { + ":pleroma" = { + ":instance" = { + name = "NixOS test Akkoma server"; + description = "NixOS test Akkoma server"; + email = "akkoma@nixos.test"; + notify_email = "akkoma@nixos.test"; + registration_open = true; + }; + + ":media_proxy" = { + enabled = false; + }; + + "Pleroma.Web.Endpoint" = { + url.host = "akkoma.nixos.test"; + }; + }; + }; + + nginx = { + addSSL = true; + sslCertificate = "${tlsCert}/cert.pem"; + sslCertificateKey = "${tlsCert}/key.pem"; + }; + }; + + services.nginx.enable = true; + services.postgresql.enable = true; + }; + }; + + testScript = { nodes, ... }: '' + start_all() + akkoma.wait_for_unit('akkoma-initdb.service') + akkoma.systemctl('restart akkoma-initdb.service') # test repeated initialisation + akkoma.wait_for_unit('akkoma.service') + akkoma.wait_for_file('/run/akkoma/socket'); + akkoma.succeed('${provisionUser}/bin/provisionUser') + akkoma.wait_for_unit('nginx.service') + client.succeed('${sendToot}/bin/sendToot') + client.succeed('${checkFe}/bin/checkFe') + ''; +}) + diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index bd0fe18c4f8c2..75f01d888b218 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -69,16 +69,20 @@ in { _3proxy = runTest ./3proxy.nix; acme = runTest ./acme.nix; adguardhome = runTest ./adguardhome.nix; - aesmd = runTest ./aesmd.nix; + aesmd = runTestOn ["x86_64-linux"] ./aesmd.nix; agate = runTest ./web-servers/agate.nix; agda = handleTest ./agda.nix {}; airsonic = handleTest ./airsonic.nix {}; + akkoma = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./akkoma.nix {}; + akkoma-confined = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./akkoma.nix { confined = true; }; allTerminfo = handleTest ./all-terminfo.nix {}; + alps = handleTest ./alps.nix {}; amazon-init-shell = handleTest ./amazon-init-shell.nix {}; apfs = handleTest ./apfs.nix {}; apparmor = handleTest ./apparmor.nix {}; atd = handleTest ./atd.nix {}; atop = handleTest ./atop.nix {}; + atuin = handleTest ./atuin.nix {}; auth-mysql = handleTest ./auth-mysql.nix {}; avahi = handleTest ./avahi.nix {}; avahi-with-resolved = handleTest ./avahi.nix { networkd = true; }; @@ -94,6 +98,7 @@ in { blockbook-frontend = handleTest ./blockbook-frontend.nix {}; blocky = handleTest ./blocky.nix {}; boot = handleTestOn ["x86_64-linux" "aarch64-linux"] ./boot.nix {}; + bootspec = handleTestOn ["x86_64-linux"] ./bootspec.nix {}; boot-stage1 = handleTest ./boot-stage1.nix {}; borgbackup = handleTest ./borgbackup.nix {}; botamusique = handleTest ./botamusique.nix {}; @@ -112,6 +117,7 @@ in { calibre-web = handleTest ./calibre-web.nix {}; cassandra_3_0 = handleTest ./cassandra.nix { testPackage = pkgs.cassandra_3_0; }; cassandra_3_11 = handleTest ./cassandra.nix { testPackage = pkgs.cassandra_3_11; }; + cassandra_4 = handleTest ./cassandra.nix { testPackage = pkgs.cassandra_4; }; ceph-multi-node = handleTestOn ["x86_64-linux"] ./ceph-multi-node.nix {}; ceph-single-node = handleTestOn ["x86_64-linux"] ./ceph-single-node.nix {}; ceph-single-node-bluestore = handleTestOn ["x86_64-linux"] ./ceph-single-node-bluestore.nix {}; @@ -149,6 +155,7 @@ in { coturn = handleTest ./coturn.nix {}; couchdb = handleTest ./couchdb.nix {}; cri-o = handleTestOn ["aarch64-linux" "x86_64-linux"] ./cri-o.nix {}; + cups-pdf = handleTest ./cups-pdf.nix {}; custom-ca = handleTest ./custom-ca.nix {}; croc = handleTest ./croc.nix {}; deluge = handleTest ./deluge.nix {}; @@ -188,15 +195,18 @@ in { engelsystem = handleTest ./engelsystem.nix {}; enlightenment = handleTest ./enlightenment.nix {}; env = handleTest ./env.nix {}; + envfs = handleTest ./envfs.nix {}; envoy = handleTest ./envoy.nix {}; ergo = handleTest ./ergo.nix {}; ergochat = handleTest ./ergochat.nix {}; etc = pkgs.callPackage ../modules/system/etc/test.nix { inherit evalMinimalConfig; }; + activation = pkgs.callPackage ../modules/system/activation/test.nix { }; etcd = handleTestOn ["x86_64-linux"] ./etcd.nix {}; etcd-cluster = handleTestOn ["x86_64-linux"] ./etcd-cluster.nix {}; etebase-server = handleTest ./etebase-server.nix {}; etesync-dav = handleTest ./etesync-dav.nix {}; extra-python-packages = handleTest ./extra-python-packages.nix {}; + evcc = handleTest ./evcc.nix {}; fancontrol = handleTest ./fancontrol.nix {}; fcitx = handleTest ./fcitx {}; fenics = handleTest ./fenics.nix {}; @@ -205,19 +215,21 @@ in { firefox-esr = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-esr; }; # used in `tested` job firefox-esr-102 = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-esr-102; }; firejail = handleTest ./firejail.nix {}; - firewall = handleTest ./firewall.nix {}; + firewall = handleTest ./firewall.nix { nftables = false; }; + firewall-nftables = handleTest ./firewall.nix { nftables = true; }; fish = handleTest ./fish.nix {}; flannel = handleTestOn ["x86_64-linux"] ./flannel.nix {}; fluentd = handleTest ./fluentd.nix {}; fluidd = handleTest ./fluidd.nix {}; fontconfig-default-fonts = handleTest ./fontconfig-default-fonts.nix {}; + freenet = handleTest ./freenet.nix {}; freeswitch = handleTest ./freeswitch.nix {}; freshrss = handleTest ./freshrss.nix {}; frr = handleTest ./frr.nix {}; fsck = handleTest ./fsck.nix {}; ft2-clone = handleTest ./ft2-clone.nix {}; mimir = handleTest ./mimir.nix {}; - garage = handleTest ./garage.nix {}; + garage = handleTest ./garage {}; gerrit = handleTest ./gerrit.nix {}; geth = handleTest ./geth.nix {}; ghostunnel = handleTest ./ghostunnel.nix {}; @@ -228,6 +240,7 @@ in { gitolite-fcgiwrap = handleTest ./gitolite-fcgiwrap.nix {}; glusterfs = handleTest ./glusterfs.nix {}; gnome = handleTest ./gnome.nix {}; + gnome-flashback = handleTest ./gnome-flashback.nix {}; gnome-xorg = handleTest ./gnome-xorg.nix {}; go-neb = handleTest ./go-neb.nix {}; gobgpd = handleTest ./gobgpd.nix {}; @@ -250,9 +263,10 @@ in { haste-server = handleTest ./haste-server.nix {}; haproxy = handleTest ./haproxy.nix {}; hardened = handleTest ./hardened.nix {}; + headscale = handleTest ./headscale.nix {}; healthchecks = handleTest ./web-apps/healthchecks.nix {}; - hbase1 = handleTest ./hbase.nix { package=pkgs.hbase1; }; hbase2 = handleTest ./hbase.nix { package=pkgs.hbase2; }; + hbase_2_4 = handleTest ./hbase.nix { package=pkgs.hbase_2_4; }; hbase3 = handleTest ./hbase.nix { package=pkgs.hbase3; }; hedgedoc = handleTest ./hedgedoc.nix {}; herbstluftwm = handleTest ./herbstluftwm.nix {}; @@ -360,7 +374,7 @@ in { mailhog = handleTest ./mailhog.nix {}; man = handleTest ./man.nix {}; mariadb-galera = handleTest ./mysql/mariadb-galera.nix {}; - mastodon = handleTestOn ["x86_64-linux" "i686-linux" "aarch64-linux"] ./web-apps/mastodon.nix {}; + mastodon = discoverTests (import ./web-apps/mastodon { inherit handleTestOn; }); matomo = handleTest ./matomo.nix {}; matrix-appservice-irc = handleTest ./matrix/appservice-irc.nix {}; matrix-conduit = handleTest ./matrix/conduit.nix {}; @@ -405,6 +419,9 @@ in { nat.firewall = handleTest ./nat.nix { withFirewall = true; }; nat.firewall-conntrack = handleTest ./nat.nix { withFirewall = true; withConntrackHelpers = true; }; nat.standalone = handleTest ./nat.nix { withFirewall = false; }; + nat.nftables.firewall = handleTest ./nat.nix { withFirewall = true; nftables = true; }; + nat.nftables.firewall-conntrack = handleTest ./nat.nix { withFirewall = true; withConntrackHelpers = true; nftables = true; }; + nat.nftables.standalone = handleTest ./nat.nix { withFirewall = false; nftables = true; }; nats = handleTest ./nats.nix {}; navidrome = handleTest ./navidrome.nix {}; nbd = handleTest ./nbd.nix {}; @@ -429,6 +446,7 @@ in { nginx = handleTest ./nginx.nix {}; nginx-auth = handleTest ./nginx-auth.nix {}; nginx-etag = handleTest ./nginx-etag.nix {}; + nginx-globalredirect = handleTest ./nginx-globalredirect.nix {}; nginx-http3 = handleTest ./nginx-http3.nix {}; nginx-modsecurity = handleTest ./nginx-modsecurity.nix {}; nginx-njs = handleTest ./nginx-njs.nix {}; @@ -478,21 +496,24 @@ in { pam-u2f = handleTest ./pam/pam-u2f.nix {}; pam-ussh = handleTest ./pam/pam-ussh.nix {}; pass-secret-service = handleTest ./pass-secret-service.nix {}; - patroni = handleTest ./patroni.nix {}; + patroni = handleTestOn ["x86_64-linux"] ./patroni.nix {}; pantalaimon = handleTest ./matrix/pantalaimon.nix {}; pantheon = handleTest ./pantheon.nix {}; paperless = handleTest ./paperless.nix {}; parsedmarc = handleTest ./parsedmarc {}; pdns-recursor = handleTest ./pdns-recursor.nix {}; peerflix = handleTest ./peerflix.nix {}; + peering-manager = handleTest ./web-apps/peering-manager.nix {}; peertube = handleTestOn ["x86_64-linux"] ./web-apps/peertube.nix {}; pgadmin4 = handleTest ./pgadmin4.nix {}; pgadmin4-standalone = handleTest ./pgadmin4-standalone.nix {}; pgjwt = handleTest ./pgjwt.nix {}; pgmanage = handleTest ./pgmanage.nix {}; + phosh = handleTest ./phosh.nix {}; php = handleTest ./php {}; php80 = handleTest ./php { php = pkgs.php80; }; php81 = handleTest ./php { php = pkgs.php81; }; + php82 = handleTest ./php { php = pkgs.php82; }; phylactery = handleTest ./web-apps/phylactery.nix {}; pict-rs = handleTest ./pict-rs.nix {}; pinnwand = handleTest ./pinnwand.nix {}; @@ -582,6 +603,7 @@ in { sourcehut = handleTest ./sourcehut.nix {}; spacecookie = handleTest ./spacecookie.nix {}; spark = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./spark {}; + sqlite3-to-mysql = handleTest ./sqlite3-to-mysql.nix {}; sslh = handleTest ./sslh.nix {}; sssd = handleTestOn ["x86_64-linux"] ./sssd.nix {}; sssd-ldap = handleTestOn ["x86_64-linux"] ./sssd-ldap.nix {}; @@ -632,6 +654,7 @@ in { systemd-misc = handleTest ./systemd-misc.nix {}; tandoor-recipes = handleTest ./tandoor-recipes.nix {}; taskserver = handleTest ./taskserver.nix {}; + tayga = handleTest ./tayga.nix {}; teeworlds = handleTest ./teeworlds.nix {}; telegraf = handleTest ./telegraf.nix {}; teleport = handleTest ./teleport.nix {}; @@ -661,6 +684,7 @@ in { tuxguitar = handleTest ./tuxguitar.nix {}; ucarp = handleTest ./ucarp.nix {}; udisks2 = handleTest ./udisks2.nix {}; + ulogd = handleTest ./ulogd.nix {}; unbound = handleTest ./unbound.nix {}; unifi = handleTest ./unifi.nix {}; unit-php = handleTest ./web-servers/unit-php.nix {}; @@ -685,7 +709,9 @@ in { virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {}; vscodium = discoverTests (import ./vscodium.nix); vsftpd = handleTest ./vsftpd.nix {}; + warzone2100 = handleTest ./warzone2100.nix {}; wasabibackend = handleTest ./wasabibackend.nix {}; + webhook = runTest ./webhook.nix; wiki-js = handleTest ./wiki-js.nix {}; wine = handleTest ./wine.nix {}; wireguard = handleTest ./wireguard {}; diff --git a/nixos/tests/alps.nix b/nixos/tests/alps.nix new file mode 100644 index 0000000000000..9756f2d4da155 --- /dev/null +++ b/nixos/tests/alps.nix @@ -0,0 +1,108 @@ +let + certs = import ./common/acme/server/snakeoil-certs.nix; + domain = certs.domain; +in +import ./make-test-python.nix ({ pkgs, ... }: { + name = "alps"; + meta = with pkgs.lib.maintainers; { + maintainers = [ hmenke ]; + }; + + nodes = { + server = { + imports = [ ./common/user-account.nix ]; + security.pki.certificateFiles = [ + certs.ca.cert + ]; + networking.extraHosts = '' + 127.0.0.1 ${domain} + ''; + networking.firewall.allowedTCPPorts = [ 25 465 993 ]; + services.postfix = { + enable = true; + enableSubmission = true; + enableSubmissions = true; + tlsTrustedAuthorities = "${certs.ca.cert}"; + sslCert = "${certs.${domain}.cert}"; + sslKey = "${certs.${domain}.key}"; + }; + services.dovecot2 = { + enable = true; + enableImap = true; + sslCACert = "${certs.ca.cert}"; + sslServerCert = "${certs.${domain}.cert}"; + sslServerKey = "${certs.${domain}.key}"; + }; + }; + + client = { nodes, config, ... }: { + security.pki.certificateFiles = [ + certs.ca.cert + ]; + networking.extraHosts = '' + ${nodes.server.config.networking.primaryIPAddress} ${domain} + ''; + services.alps = { + enable = true; + theme = "alps"; + imaps = { + host = domain; + port = 993; + }; + smtps = { + host = domain; + port = 465; + }; + }; + environment.systemPackages = [ + (pkgs.writers.writePython3Bin "test-alps-login" { } '' + from urllib.request import build_opener, HTTPCookieProcessor, Request + from urllib.parse import urlencode, urljoin + from http.cookiejar import CookieJar + + baseurl = "http://localhost:${toString config.services.alps.port}" + username = "alice" + password = "${nodes.server.config.users.users.alice.password}" + cookiejar = CookieJar() + cookieprocessor = HTTPCookieProcessor(cookiejar) + opener = build_opener(cookieprocessor) + + data = urlencode({"username": username, "password": password}).encode() + req = Request(urljoin(baseurl, "login"), data=data, method="POST") + with opener.open(req) as ret: + # Check that the alps_session cookie is set + print(cookiejar) + assert any(cookie.name == "alps_session" for cookie in cookiejar) + + req = Request(baseurl) + with opener.open(req) as ret: + # Check that the alps_session cookie is still there... + print(cookiejar) + assert any(cookie.name == "alps_session" for cookie in cookiejar) + # ...and that we have not been redirected back to the login page + print(ret.url) + assert ret.url == urljoin(baseurl, "mailbox/INBOX") + + req = Request(urljoin(baseurl, "logout")) + with opener.open(req) as ret: + # Check that the alps_session cookie is now gone + print(cookiejar) + assert all(cookie.name != "alps_session" for cookie in cookiejar) + '') + ]; + }; + }; + + testScript = { nodes, ... }: '' + server.start() + server.wait_for_unit("postfix.service") + server.wait_for_unit("dovecot2.service") + server.wait_for_open_port(465) + server.wait_for_open_port(993) + + client.start() + client.wait_for_unit("alps.service") + client.wait_for_open_port(${toString nodes.client.config.services.alps.port}) + client.succeed("test-alps-login") + ''; +}) diff --git a/nixos/tests/atuin.nix b/nixos/tests/atuin.nix new file mode 100644 index 0000000000000..85213d1e53eac --- /dev/null +++ b/nixos/tests/atuin.nix @@ -0,0 +1,65 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: + +let + testPort = 8888; + testUser = "testerman"; + testPass = "password"; + testEmail = "test.testerman@test.com"; +in +with lib; +{ + name = "atuin"; + meta.maintainers = with pkgs.lib.maintainers; [ devusb ]; + + nodes = { + server = + { ... }: + { + services.atuin = { + enable = true; + port = testPort; + host = "0.0.0.0"; + openFirewall = true; + openRegistration = true; + }; + }; + + client = + { ... }: + { }; + + }; + + testScript = with pkgs; '' + start_all() + + # wait for atuin server startup + server.wait_for_unit("atuin.service") + server.wait_for_open_port(${toString testPort}) + + # configure atuin client on server node + server.execute("mkdir -p ~/.config/atuin") + server.execute("echo 'sync_address = \"http://localhost:${toString testPort}\"' > ~/.config/atuin/config.toml") + + # register with atuin server on server node + server.succeed("${atuin}/bin/atuin register -u ${testUser} -p ${testPass} -e ${testEmail}") + _, key = server.execute("${atuin}/bin/atuin key") + + # store test record in atuin server and sync + server.succeed("ATUIN_SESSION=$(${atuin}/bin/atuin uuid) ${atuin}/bin/atuin history start 'shazbot'") + server.succeed("${atuin}/bin/atuin sync") + + # configure atuin client on client node + client.execute("mkdir -p ~/.config/atuin") + client.execute("echo 'sync_address = \"http://server:${toString testPort}\"' > ~/.config/atuin/config.toml") + + # log in to atuin server on client node + client.succeed(f"${atuin}/bin/atuin login -u ${testUser} -p ${testPass} -k {key}") + + # pull records from atuin server + client.succeed("${atuin}/bin/atuin sync -f") + + # check for test record + client.succeed("ATUIN_SESSION=$(${atuin}/bin/atuin uuid) ${atuin}/bin/atuin history list | grep shazbot") + ''; +}) diff --git a/nixos/tests/bazarr.nix b/nixos/tests/bazarr.nix index 13b27bb530c04..e59833e5e945d 100644 --- a/nixos/tests/bazarr.nix +++ b/nixos/tests/bazarr.nix @@ -16,10 +16,6 @@ in enable = true; listenPort = port; }; - nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) ["unrar"]; - # Workaround for https://github.com/morpheus65535/bazarr/issues/1983 - # ("Crash when running without timezone info"). - time.timeZone = "UTC"; }; testScript = '' diff --git a/nixos/tests/bootspec.nix b/nixos/tests/bootspec.nix new file mode 100644 index 0000000000000..077dff918e0d2 --- /dev/null +++ b/nixos/tests/bootspec.nix @@ -0,0 +1,170 @@ +{ system ? builtins.currentSystem, + config ? {}, + pkgs ? import ../.. { inherit system config; } +}: + +with import ../lib/testing-python.nix { inherit system pkgs; }; +with pkgs.lib; + +let + baseline = { + virtualisation.useBootLoader = true; + }; + grub = { + boot.loader.grub.enable = true; + }; + systemd-boot = { + boot.loader.systemd-boot.enable = true; + }; + uefi = { + virtualisation.useEFIBoot = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub.efiSupport = true; + environment.systemPackages = [ pkgs.efibootmgr ]; + }; + standard = { + boot.bootspec.enable = true; + + imports = [ + baseline + systemd-boot + uefi + ]; + }; +in +{ + basic = makeTest { + name = "systemd-boot-with-bootspec"; + meta.maintainers = with pkgs.lib.maintainers; [ raitobezarius ]; + + nodes.machine = standard; + + testScript = '' + machine.start() + machine.wait_for_unit("multi-user.target") + + machine.succeed("test -e /run/current-system/boot.json") + ''; + }; + + grub = makeTest { + name = "grub-with-bootspec"; + meta.maintainers = with pkgs.lib.maintainers; [ raitobezarius ]; + + nodes.machine = { + boot.bootspec.enable = true; + + imports = [ + baseline + grub + uefi + ]; + }; + + testScript = '' + machine.start() + machine.wait_for_unit("multi-user.target") + + machine.succeed("test -e /run/current-system/boot.json") + ''; + }; + + legacy-boot = makeTest { + name = "legacy-boot-with-bootspec"; + meta.maintainers = with pkgs.lib.maintainers; [ raitobezarius ]; + + nodes.machine = { + boot.bootspec.enable = true; + + imports = [ + baseline + grub + ]; + }; + + testScript = '' + machine.start() + machine.wait_for_unit("multi-user.target") + + machine.succeed("test -e /run/current-system/boot.json") + ''; + }; + + # Check that initrd create corresponding entries in bootspec. + initrd = makeTest { + name = "bootspec-with-initrd"; + meta.maintainers = with pkgs.lib.maintainers; [ raitobezarius ]; + + nodes.machine = { + imports = [ standard ]; + environment.systemPackages = [ pkgs.jq ]; + # It's probably the case, but we want to make it explicit here. + boot.initrd.enable = true; + }; + + testScript = '' + import json + + machine.start() + machine.wait_for_unit("multi-user.target") + + machine.succeed("test -e /run/current-system/bootspec/boot.json") + + bootspec = json.loads(machine.succeed("jq -r '.v1' /run/current-system/bootspec/boot.json")) + + assert all(key in bootspec for key in ('initrd', 'initrdSecrets')), "Bootspec should contain initrd or initrdSecrets field when initrd is enabled" + ''; + }; + + # Check that specialisations create corresponding entries in bootspec. + specialisation = makeTest { + name = "bootspec-with-specialisation"; + meta.maintainers = with pkgs.lib.maintainers; [ raitobezarius ]; + + nodes.machine = { + imports = [ standard ]; + environment.systemPackages = [ pkgs.jq ]; + specialisation.something.configuration = {}; + }; + + testScript = '' + import json + + machine.start() + machine.wait_for_unit("multi-user.target") + + machine.succeed("test -e /run/current-system/boot.json") + machine.succeed("test -e /run/current-system/specialisation/something/boot.json") + + sp_in_parent = json.loads(machine.succeed("jq -r '.v1.specialisation.something' /run/current-system/boot.json")) + sp_in_fs = json.loads(machine.succeed("cat /run/current-system/specialisation/something/boot.json")) + + assert sp_in_parent == sp_in_fs['v1'], "Bootspecs of the same specialisation are different!" + ''; + }; + + # Check that extensions are propagated. + extensions = makeTest { + name = "bootspec-with-extensions"; + meta.maintainers = with pkgs.lib.maintainers; [ raitobezarius ]; + + nodes.machine = { config, ... }: { + imports = [ standard ]; + environment.systemPackages = [ pkgs.jq ]; + boot.bootspec.extensions = { + osRelease = config.environment.etc."os-release".source; + }; + }; + + testScript = '' + machine.start() + machine.wait_for_unit("multi-user.target") + + current_os_release = machine.succeed("cat /etc/os-release") + bootspec_os_release = machine.succeed("cat $(jq -r '.v1.extensions.osRelease' /run/current-system/boot.json)") + + assert current_os_release == bootspec_os_release, "Filename referenced by extension has unexpected contents" + ''; + }; + +} diff --git a/nixos/tests/borgbackup.nix b/nixos/tests/borgbackup.nix index d3cd6c66bfebe..9afe4d537da44 100644 --- a/nixos/tests/borgbackup.nix +++ b/nixos/tests/borgbackup.nix @@ -99,6 +99,18 @@ in { environment.BORG_RSH = "ssh -oStrictHostKeyChecking=no -i /root/id_ed25519"; }; + sleepInhibited = { + inhibitsSleep = true; + # Blocks indefinitely while "backing up" so that we can try to suspend the local system while it's hung + dumpCommand = pkgs.writeScript "sleepInhibited" '' + cat /dev/zero + ''; + repo = remoteRepo; + encryption.mode = "none"; + startAt = [ ]; + environment.BORG_RSH = "ssh -oStrictHostKeyChecking=no -i /root/id_ed25519"; + }; + }; }; @@ -204,5 +216,13 @@ in { client.wait_for_unit("network.target") client.systemctl("start --wait borgbackup-job-commandFail") client.succeed("systemctl is-failed borgbackup-job-commandFail") + + with subtest("sleepInhibited"): + server.wait_for_unit("sshd.service") + client.wait_for_unit("network.target") + client.fail("systemd-inhibit --list | grep -q borgbackup") + client.systemctl("start borgbackup-job-sleepInhibited") + client.wait_until_succeeds("systemd-inhibit --list | grep -q borgbackup") + client.systemctl("stop borgbackup-job-sleepInhibited") ''; }) diff --git a/nixos/tests/cockroachdb.nix b/nixos/tests/cockroachdb.nix index d793842f0ab2d..5b1e1a7dee1f9 100644 --- a/nixos/tests/cockroachdb.nix +++ b/nixos/tests/cockroachdb.nix @@ -8,7 +8,7 @@ # Cluster joins that are outside this window will fail, and nodes that skew # outside the window after joining will promptly get kicked out. # -# To accomodate this, we use QEMU/virtio infrastructure and load the 'ptp_kvm' +# To accommodate this, we use QEMU/virtio infrastructure and load the 'ptp_kvm' # driver inside a guest. This driver allows the host machine to pass its clock # through to the guest as a hardware clock that appears as a Precision Time # Protocol (PTP) Clock device, generally /dev/ptp0. PTP devices can be measured diff --git a/nixos/tests/common/acme/server/acme.test.cert.pem b/nixos/tests/common/acme/server/acme.test.cert.pem index 76b0d916a8175..48f488ab8f908 100644 --- a/nixos/tests/common/acme/server/acme.test.cert.pem +++ b/nixos/tests/common/acme/server/acme.test.cert.pem @@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDLDCCAhSgAwIBAgIIRDAN3FHH//IwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE -AxMVbWluaWNhIHJvb3QgY2EgNzg3NDZmMB4XDTIwMTAyMTEzMjgzNloXDTIyMTEy -MDEzMjgzNlowFDESMBAGA1UEAxMJYWNtZS50ZXN0MIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEAo8XjMVUaljcaqQ5MFhfPuQgSwdyXEUbpSHz+5yPkE0h9 -Z4Xu5BJF1Oq7h5ggCtadVsIspiY6Jm6aWDOjlh4myzW5UNBNUG3OPEk50vmmHFeH -pImHO/d8yb33QoF9VRcTZs4tuJYg7l9bSs4jNG72vYvv2YiGAcmjJcsmAZIfniCN -Xf/LjIm+Cxykn+Vo3UuzO1w5/iuofdgWO/aZxMezmXUivlL3ih4cNzCJei8WlB/l -EnHrkcy3ogRmmynP5zcz7vmGIJX2ji6dhCa4Got5B7eZK76o2QglhQXqPatG0AOY -H+RfQfzKemqPG5om9MgJtwFtTOU1LoaiBw//jXKESQIDAQABo3YwdDAOBgNVHQ8B +MIIDLDCCAhSgAwIBAgIIajCXIUnozqQwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE +AxMVbWluaWNhIHJvb3QgY2EgMjMwYjU4MB4XDTIyMTEyMTE3MTcxMFoXDTQyMTEy +MTE3MTcxMFowFDESMBAGA1UEAxMJYWNtZS50ZXN0MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEA5INxJwKDVYNfTnkXwvKM/SufBNjvxWZxlkaMFbkAN5wJ +6HwuesRZE9IgfRO9N+rSq1U2lDBm9gFPERqsQJVZHHJ5kkaNUr89h25+wgX5emGy +UV2KEpCFssDD4aSBF+b0sryguCa1ZRj9b+pdfRxiYaORjSh5UzlXZoRm9iwHdzHT +oKLlmqozqzEt0o9qpZL8gv+rv8C5BGOY6hfXAHYmkWRt87FN5BkSjgEWiY++DOAU +X0TdobdSTrs/xJP+IbadRchqTH2kiG0g2BoCSXUsl7Mdh4IOUeQGDz/F5tH8PAtz +p3dyjdQEFex2J5tlScLfVHoCBKV3gpCg+Keuum2j8QIDAQABo3YwdDAOBgNVHQ8B Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB -/wQCMAAwHwYDVR0jBBgwFoAU+8IZlLV/Qp5CXqpXMLvtxWlxcJwwFAYDVR0RBA0w -C4IJYWNtZS50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQB0pe8I5/VDkB5VMgQB2GJV -GKzyigfWbVez9uLmqMj9PPP/zzYKSYeq+91aMuOZrnH7NqBxSTwanULkmqAmhbJJ -YkXw+FlFekf9FyxcuArzwzzNZDSGcjcdXpN8S2K1qkBd00iSJF9kU7pdZYCIKR20 -QirdBrELEfsJ3GU62a6N3a2YsrisZUvq5TbjGJDcytAtt+WG3gmV7RInLdFfPwbw -bEHPCnx0uiV0nxLjd/aVT+RceVrFQVt4hR99jLoMlBitSKluZ1ljsrpIyroBhQT0 -pp/pVi6HJdijG0fsPrC325NEGAwcpotLUhczoeM/rffKJd54wLhDkfYxOyRZXivs +/wQCMAAwHwYDVR0jBBgwFoAUvTCE3Lj/P6OWkmOGtsjcTcIDzkAwFAYDVR0RBA0w +C4IJYWNtZS50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQAvZM4Ik1NOXQfbPRgbolyL +b3afsSHbhHl9B2f0HGi5EAPdwyeWZsK3BF+SKFGAW5BlXr2SSlW/MQOMiUKTadnS +8xTOFc1Ws8JWWc82zQqWcOWEXhU+AI8p70sTVFeXPWwLFy3nBRwDH4ZPU8UFHeje +YXqbfxrsdEFXrbCfWSzPQP24xqVt7n9Am/5XFGtDkRsYlVgLwq/F6lN9hO0/gYIx +8NsZ8Xy+QvBlGL+z9Zo7EylB8bP9OBtOtEv9fZcnxgughieiTDs36GwdQRE2aI+d +cG3lQX8NGxgcpDoH8+rNx7Uw7odg0gVbI3agyyvax6DPht+/bzXmHm8ogklGTOoG -----END CERTIFICATE----- diff --git a/nixos/tests/common/acme/server/acme.test.key.pem b/nixos/tests/common/acme/server/acme.test.key.pem index 741df99a372e3..4837f19b3024f 100644 --- a/nixos/tests/common/acme/server/acme.test.key.pem +++ b/nixos/tests/common/acme/server/acme.test.key.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAo8XjMVUaljcaqQ5MFhfPuQgSwdyXEUbpSHz+5yPkE0h9Z4Xu -5BJF1Oq7h5ggCtadVsIspiY6Jm6aWDOjlh4myzW5UNBNUG3OPEk50vmmHFeHpImH -O/d8yb33QoF9VRcTZs4tuJYg7l9bSs4jNG72vYvv2YiGAcmjJcsmAZIfniCNXf/L -jIm+Cxykn+Vo3UuzO1w5/iuofdgWO/aZxMezmXUivlL3ih4cNzCJei8WlB/lEnHr -kcy3ogRmmynP5zcz7vmGIJX2ji6dhCa4Got5B7eZK76o2QglhQXqPatG0AOYH+Rf -QfzKemqPG5om9MgJtwFtTOU1LoaiBw//jXKESQIDAQABAoIBADox/2FwVFo8ioS4 -R+Ex5OZjMAcjU6sX/516jTmlT05q2+UFerYgqB/YqXqtW/V9/brulN8VhmRRuRbO -grq9TBu5o3hMDK0f18EkZB/MBnLbx594H033y6gEkPBZAyhRYtuNOEH3VwxdZhtW -1Lu1EoiYSUqLcNMBy6+KWJ8GRaXyacMYBlj2lMHmyzkA/t1+2mwTGC3lT6zN0F5Y -E5umXOxsn6Tb6q3KM9O5IvtmMMKpgj4HIHZLZ6j40nNgHwGRaAv4Sha/vx0DeBw3 -6VlNiTTPdShEkhESlM5/ocqTfI92VHJpM5gkqTYOWBi2aKIPfAopXoqoJdWl4pQ/ -NCFIu2ECgYEAzntNKIcQtf0ewe0/POo07SIFirvz6jVtYNMTzeQfL6CoEjYArJeu -Vzc4wEQfA4ZFVerBb1/O6M449gI3zex1PH4AX0h8q8DSjrppK1Jt2TnpVh97k7Gg -Tnat/M/yW3lWYkcMVJJ3AYurXLFTT1dYP0HvBwZN04yInrEcPNXKfmcCgYEAywyJ -51d4AE94PrANathKqSI/gk8sP+L1gzylZCcUEAiGk/1r45iYB4HN2gvWbS+CvSdp -F7ShlDWrTaNh2Bm1dgTjc4pWb4J+CPy/KN2sgLwIuM4+ZWIZmEDcio6khrM/gNqK -aR7xUsvWsqU26O84woY/xR8IHjSNF7cFWE1H2c8CgYEAt6SSi2kVQ8dMg84uYE8t -o3qO00U3OycpkOQqyQQLeKC62veMwfRl6swCfX4Y11mkcTXJtPTRYd2Ia8StPUkB -PDwUuKoPt/JXUvoYb59wc7M+BIsbrdBdc2u6cw+/zfutCNuH6/AYSBeg4WAVaIuW -wSwzG1xP+8cR+5IqOzEqWCECgYATweeVTCyQEyuHJghYMi2poXx+iIesu7/aAkex -pB/Oo5W8xrb90XZRnK7UHbzCqRHWqAQQ23Gxgztk9ZXqui2vCzC6qGZauV7cLwPG -zTMg36sVmHP314DYEM+k59ZYiQ6P0jQPoIQo407D2VGrfsOOIhQIcUmP7tsfyJ5L -hlGMfwKBgGq4VNnnuX8I5kl03NpaKfG+M8jEHmVwtI9RkPTCCX9bMjeG0cDxqPTF -TRkf3r8UWQTZ5QfAfAXYAOlZvmGhHjSembRbXMrMdi3rGsYRSrQL6n5NHnORUaMy -FCWo4gyAnniry7tx9dVNgmHmbjEHuQnf8AC1r3dibRCjvJWUiQ8H +MIIEpQIBAAKCAQEA5INxJwKDVYNfTnkXwvKM/SufBNjvxWZxlkaMFbkAN5wJ6Hwu +esRZE9IgfRO9N+rSq1U2lDBm9gFPERqsQJVZHHJ5kkaNUr89h25+wgX5emGyUV2K +EpCFssDD4aSBF+b0sryguCa1ZRj9b+pdfRxiYaORjSh5UzlXZoRm9iwHdzHToKLl +mqozqzEt0o9qpZL8gv+rv8C5BGOY6hfXAHYmkWRt87FN5BkSjgEWiY++DOAUX0Td +obdSTrs/xJP+IbadRchqTH2kiG0g2BoCSXUsl7Mdh4IOUeQGDz/F5tH8PAtzp3dy +jdQEFex2J5tlScLfVHoCBKV3gpCg+Keuum2j8QIDAQABAoIBAHfnUHQ7qVYxfMzc +VU+BneEqBmKwwf8+ZdOIaPDtBeQoCDrpDip05Ji15T48IUk5+hjUubLAQwZKYYaE +DGZG918p4giS5IzKtCpgHDsKj4FbyglPn6dmFgFZjG7VtrcoBLXUrDB0fzHxDuqu +eyeuwSCihzkeR6sXp3iveKcrKy+rA31aqWvJZb24qyAu1y8KIcf2ZMUiYcJF2kpL +XZz4uyx4x/B9NE+PmLqo7x/9iS+p5aT2kWVCVUGmhII0ChFnWSnjxqecBMhWFY1O +3U0lKhloj6UKBya91hGospEJdaLHpHCWUgYPvA5mG+48kqYkPkecmTf8Xha3TxPf +g1qv3sECgYEA+hMO1qTlnqhBajCMcAGIlpRHwr97hQMdSylHBXob1xCnuTEJKHOo +7UmQw9hJgD4JgYxcivg/OFErXdefbSae9NqSNdOshxmrxz6DFTN3Ms3WR1I1be3c +B2mpGllMPbxJ3CKFet2CQSvOM9jfbK68R7Jlhiap0bESvWrT9ztUCWUCgYEA6e2Y +iMNNo1dWushSMVvCkWR9CLAsnWnjFG4FYIPz/iuxJjRXDiWyR6x4WYjUx3ZBhpf5 +wVFUK7VaPJBfOn7KCan59dqOvL3LSB/5SupwRMecCEhYPQvSaxn4MNrx0Vi83O4C +togyD9/UJ4ji+TXwMj2eMzwRspmO/26hXkQGzZ0CgYEA0qlLTrYKWOUUdgf/xjsE +fRTcfsofm6VMAAz9rzd2TG3TXMZaGKGWJI5cTR7ejBG2oFNFgiwt1ZtLFPqXarOm +JE4b7QwrwoN1mZqngiygtUOAxwQRzlEZkYUI1xFykG8VKURLfX0sRQpJ4pNHY56v +LRazP5dCZ0rrpnVfql1oJaECgYEAxtvT728XcOOuNtpUBOGcZTynjds2EhsRjyx4 +JbQGlutNjMyxtLUW+RcEuBg5ydYdne1Tw6L/iqiALTwNuAxQdCaq9vT0oj41sPp9 +UdI53j5Rxji5yitilOlesylsqCpnYuhyJflhlV0RXQpg6LmRlyQKeEN4R/uCNGI3 +i4sIvYECgYEA4DC2qObfB0UkN81uGluwwM5rR04qvIc5xX3QIvHuIJOs/uP54daD +OiEDTxTpiqDNsFL0Pyl07aL7jubHNqU/eQpQIEZRlDy4Mr31QSbQ9R2/NNBwHu22 +BnnNKzZ97T0NVgxJXOqcOlRGjwb/5OUDpaIClJY+GqilEdOeu7Pl3aA= -----END RSA PRIVATE KEY----- diff --git a/nixos/tests/common/acme/server/ca.cert.pem b/nixos/tests/common/acme/server/ca.cert.pem index 5c33e879b675b..b6f2b9e3a91f0 100644 --- a/nixos/tests/common/acme/server/ca.cert.pem +++ b/nixos/tests/common/acme/server/ca.cert.pem @@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDSzCCAjOgAwIBAgIIeHRvRrNvbGQwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE -AxMVbWluaWNhIHJvb3QgY2EgNzg3NDZmMCAXDTIwMTAyMTEzMjgzNloYDzIxMjAx -MDIxMTMyODM2WjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSA3ODc0NmYwggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrNTzVLDJOKtGYGLU98EEcLKps -tXHCLC6G54LKbEcU80fn+ArX8qsPSHyhdXQkcYjq6Vh/EDJ1TctyRSnvAjwyG4Aa -1Zy1QFc/JnjMjvzimCkUc9lQ+wkLwHSM/KGwR1cGjmtQ/EMClZTA0NwulJsXMKVz -bd5asXbq/yJTQ5Ww25HtdNjwRQXTvB7r3IKcY+DsED9CvFvC9oG/ZhtZqZuyyRdC -kFUrrv8WNUDkWSN+lMR6xMx8v0583IN6f11IhX0b+svK98G81B2eswBdkzvVyv9M -unZBO0JuJG8sdM502KhWLmzBC1ZbvgUBF9BumDRpMFH4DCj7+qQ2taWeGyc7AgMB +MIIDSzCCAjOgAwIBAgIIIwtYp+WlBbswDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE +AxMVbWluaWNhIHJvb3QgY2EgMjMwYjU4MCAXDTIyMTEyMTE3MTcxMFoYDzIxMjIx +MTIxMTcxNzEwWjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSAyMzBiNTgwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvqAoAyV8igrmBnU6T1nQDfkkQ +HjQp+ANCthNCi4kGPOoTxrYrUMWa6d/aSIv5hKO2A+r2GdTeM1RvSo6GUr3GmsJc +WUMbIsJ0SJSLQEyvmFPpzfV3NdfIt6vZRiqJbLt7yuDiZil33GdQEKYywJxIsCb2 +CSd55V1cZSiLItWEIURAhHhSxHabMRmIF/xZWxKFEDeagzXOxUBPAvIwzzqQroBv +3vZhfgcAjCyS0crJ/E2Wa6GLKfFvaXGEj/KlXftwpbvFtnNBtmtJcNy9a8LJoOcA +E+ZjD21hidnCc+Yag7LaR3ZtAVkpeRJ9rRNBkVP4rv2mq2skIkgDfY/F8smPAgMB AAGjgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr -BgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBT7whmUtX9CnkJe -qlcwu+3FaXFwnDAfBgNVHSMEGDAWgBT7whmUtX9CnkJeqlcwu+3FaXFwnDANBgkq -hkiG9w0BAQsFAAOCAQEARMe1wKmF33GjEoLLw0oDDS4EdAv26BzCwtrlljsEtwQN -95oSzUNd6o4Js7WCG2o543OX6cxzM+yju8TES3+vJKDgsbNMU0bWCv//tdrb0/G8 -OkU3Kfi5q4fOauZ1pqGv/pXdfYhZ5ieB/zwis3ykANe5JfB0XqwCb1Vd0C3UCIS2 -NPKngRwNSzphIsbzfvxGDkdM1enuGl5CVyDhrwTMqGaJGDSOv6U5jKFxKRvigqTN -Ls9lPmT5NXYETduWLBR3yUIdH6kZXrcozZ02B9vjOB2Cv4RMDc+9eM30CLIWpf1I -097e7JkhzxFhfC/bMMt3P1FeQc+fwH91wdBmNi7tQw== +BgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBS9MITcuP8/o5aS +Y4a2yNxNwgPOQDAfBgNVHSMEGDAWgBS9MITcuP8/o5aSY4a2yNxNwgPOQDANBgkq +hkiG9w0BAQsFAAOCAQEADCcgaxrI/pqjkYb0c3QHwfKCNz4khSWs/9tBpBfdxdUX +uvG7rZzVW7pkzML+m4tSo2wm9sHRAgG+dIpzbSoRTouMntWlvYEnrr1SCw4NyBo1 +cwmNUz4JL+E3dnpI4FSOpyFyO87qL9ep0dxQEADWSppyCA762wfFpY+FvT6b/he8 +eDEc/Umjfm+X0tqNWx3aVoeyIJT46AeElry2IRLAk7z/vEPGFFzgd2Jh6Qsdeagk +YkU0tFl9q9BotPYGlCMtVjmzbJtxh4uM9YCgiz1THzFjrUvfaTM8VjuBxbpoCZkS +85mNhFZvNq8/cgYc0kYZOg8+jRdy87xmTRp64LBd6w== -----END CERTIFICATE----- diff --git a/nixos/tests/common/acme/server/ca.key.pem b/nixos/tests/common/acme/server/ca.key.pem index ed46f5dccf467..5d46c025788fa 100644 --- a/nixos/tests/common/acme/server/ca.key.pem +++ b/nixos/tests/common/acme/server/ca.key.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAqzU81SwyTirRmBi1PfBBHCyqbLVxwiwuhueCymxHFPNH5/gK -1/KrD0h8oXV0JHGI6ulYfxAydU3LckUp7wI8MhuAGtWctUBXPyZ4zI784pgpFHPZ -UPsJC8B0jPyhsEdXBo5rUPxDApWUwNDcLpSbFzClc23eWrF26v8iU0OVsNuR7XTY -8EUF07we69yCnGPg7BA/QrxbwvaBv2YbWambsskXQpBVK67/FjVA5FkjfpTEesTM -fL9OfNyDen9dSIV9G/rLyvfBvNQdnrMAXZM71cr/TLp2QTtCbiRvLHTOdNioVi5s -wQtWW74FARfQbpg0aTBR+Awo+/qkNrWlnhsnOwIDAQABAoIBAA3ykVkgd5ysmlSU -trcsCnHcJaojgff6l3PACoSpG4VWaGY6a8+54julgRm6MtMBONFCX0ZCsImj484U -Wl0xRmwil2YYPuL5MeJgJPktMObY1IfpBCw3tz3w2M3fiuCMf0d2dMGtO1xLiUnH -+hgFXTkfamsj6ThkOrbcQBSebeRxbKM5hqyCaQoieV+0IJnyxUVq/apib8N50VsH -SHd4oqLUuEZgg6N70+l5DpzedJUb4nrwS/KhUHUBgnoPItYBCiGPmrwLk7fUhPs6 -kTDqJDtc/xW/JbjmzhWEpVvtumcC/OEKULss7HLdeQqwVBrRQkznb0M9AnSra3d0 -X11/Y4ECgYEA3FC8SquLPFb2lHK4+YbJ4Ac6QVWeYFEHiZ0Rj+CmONmjcAvOGLPE -SblRLm3Nbrkxbm8FF6/AfXa/rviAKEVPs5xqGfSDw/3n1uInPcmShiBCLwM/jHH5 -NeVG+R5mTg5zyQ/pQMLWRcs+Ail+ZAnZuoGpW3Cdc8OtCUYFQ7XB6nsCgYEAxvBJ -zFxcTtsDzWbMWXejugQiUqJcEbKWwEfkRbf3J2rAVO2+EFr7LxdRfN2VwPiTQcWc -LnN2QN+ouOjqBMTh3qm5oQY+TLLHy86k9g1k0gXWkMRQgP2ZdfWH1HyrwjLUgLe1 -VezFN7N1azgy6xFkInAAvuA4loxElZNvkGBgekECgYA/Xw26ILvNIGqO6qzgQXAh -+5I7JsiGheg4IjDiBMlrQtbrLMoceuD0H9UFGNplhel9DXwWgxxIOncKejpK2x0A -2fX+/0FDh+4+9hA5ipiV8gN3iGSoHkSDxy5yC9d7jlapt+TtFt4Rd1OfxZWwatDw -/8jaH3t6yAcmyrhK8KYVrwKBgAE5KwsBqmOlvyE9N5Z5QN189wUREIXfVkP6bTHs -jq2EX4hmKdwJ4y+H8i1VY31bSfSGlY5HkXuWpH/2lrHO0CDBZG3UDwADvWzIaYVF -0c/kz0v2mRQh+xaZmus4lQnNrDbaalgL666LAPbW0qFVaws3KxoBYPe0BxvwWyhF -H3LBAoGBAKRRNsq2pWQ8Gqxc0rVoH0FlexU9U2ci3lsLmgEB0A/o/kQkSyAxaRM+ -VdKp3sWfO8o8lX5CVQslCNBSjDTNcat3Co4NEBLg6Xv1yKN/WN1GhusnchP9szsP -oU47gC89QhUyWSd6vvr2z2NG9C3cACxe4dhDSHQcE4nHSldzCKv2 +MIIEowIBAAKCAQEAr6gKAMlfIoK5gZ1Ok9Z0A35JEB40KfgDQrYTQouJBjzqE8a2 +K1DFmunf2kiL+YSjtgPq9hnU3jNUb0qOhlK9xprCXFlDGyLCdEiUi0BMr5hT6c31 +dzXXyLer2UYqiWy7e8rg4mYpd9xnUBCmMsCcSLAm9gkneeVdXGUoiyLVhCFEQIR4 +UsR2mzEZiBf8WVsShRA3moM1zsVATwLyMM86kK6Ab972YX4HAIwsktHKyfxNlmuh +iynxb2lxhI/ypV37cKW7xbZzQbZrSXDcvWvCyaDnABPmYw9tYYnZwnPmGoOy2kd2 +bQFZKXkSfa0TQZFT+K79pqtrJCJIA32PxfLJjwIDAQABAoIBAErEFJXnIIY47Cq+ +QS7t7e16uDCTGpLujLy9cQ83AzjTfrKyNuHS/HkGqRBpJqMrEN+tZTohHpkBciP4 +sRd9amd5gdb663RGZExIhGmNEdb/2F/BGYUHNvSpMQ1HL13VGSwE25mh8G6jMppC +q+sYTq0lxT+d/96DgSyNpicqyYT2S2CTCRkWGAsc6KQwRpBYqoEqUeakyGfe2k85 +pj32H53Si/49fkWkQ9RciPdg7qcu7u/iegwAkkjKoATeEjNf0NqBlkWag1qU0UHR +r2xDin+3ffEU2GQEwSvnGwlo7uyAN0UsryEWa9suuhX5T4eSWAMgTL4iVkh8Aa24 ++YEFOGkCgYEA0DUb++31+nuxU8N+GPaPQXiob8C0RmSzSzSHJ3daJpzq8k576jqs +3TgkhLDzQepcTYVU2ucn6+9ziXEsz4H06W3FNGktnyK4BRqYitt5TjZvPc+WTPhR +0U+iUqBZilCAhUkIsNUiGvnMhz9VfcS/gn+NqhL7kvYi11/jAc4bbB0CgYEA1/oh ++t1ZKVLkbANrma/M8AX27Vl3k4jgOWGzFwAVD10zN31gGyVjv1knmG22pmL2+N+Z +8CnVmdHQQQIWV1pYbgwRkvpnZWyH7AvHd9l1XLYyOU3VEpz+e2bpMtzesaza3UWW +k8NELNE5sBopY939XkQ9G3aMXtbkx01zX+0BZJsCgYB+MdJ2TfKrEVGXfYPuSXLm +seUVZu1dRSfOy1WnvBVuFenpV1yPyWSA6MhpjH7EUvIDIm8eBsERpZ6XjXslgpUY +7ql6bM10CK0UmtwePYw2tZOTGUD2AgRFI0k1X28mAEkFgBC+bVAwnXsz9lUw15Fj +3T/V9493savIcpu6uluwmQKBgQCE/I4jzFv0aAgiwlBlB6znNqT/LRHGFIgMjS4b +QX+2QCsjRd4BmRo8XodVAmlvNozgXb6J9RiDaIAVJ1XeX9EHogLIP8ue1h8zp2Uh +VRNBDScLxfMnTOgd0BZTrVCqkscJbKn1Pk0iU4pz9wf5aF10yAvgdzSjySqB1hzu +uh8bdQKBgEpFIyhqfXf/NzchI5y23Cok14LFIPJ1yERD/B8taS7muVQwpgffy+Ld +BH7dhafWSDVqIk1e6yl+82b4amleTEmDfopgc6FR7uPid1JoFxrwhnEfC3FjZamp +1OzXAOE/mX3jHf1spqpB2J/rDVPKi934ocQVoWnBeRopGTXxzbed -----END RSA PRIVATE KEY----- diff --git a/nixos/tests/common/acme/server/generate-certs.nix b/nixos/tests/common/acme/server/generate-certs.nix index cd8fe0dffca17..85c751c56ad5c 100644 --- a/nixos/tests/common/acme/server/generate-certs.nix +++ b/nixos/tests/common/acme/server/generate-certs.nix @@ -10,7 +10,11 @@ let domain = conf.domain; in mkDerivation { name = "test-certs"; - buildInputs = [ minica ]; + buildInputs = [ (minica.overrideAttrs (old: { + prePatch = '' + sed -i 's_NotAfter: time.Now().AddDate(2, 0, 30),_NotAfter: time.Now().AddDate(20, 0, 0),_' main.go + ''; + })) ]; phases = [ "buildPhase" "installPhase" ]; buildPhase = '' diff --git a/nixos/tests/common/ec2.nix b/nixos/tests/common/ec2.nix index 64b0a91ac1f72..6ed420e0aae75 100644 --- a/nixos/tests/common/ec2.nix +++ b/nixos/tests/common/ec2.nix @@ -46,7 +46,7 @@ with pkgs.lib; # Note: we use net=169.0.0.0/8 rather than # net=169.254.0.0/16 to prevent dhcpcd from getting horribly # confused. (It would get a DHCP lease in the 169.254.* - # range, which it would then configure and prompty delete + # range, which it would then configure and promptly delete # again when it deletes link-local addresses.) Ideally we'd # turn off the DHCP server, but qemu does not have an option # to do that. diff --git a/nixos/tests/cups-pdf.nix b/nixos/tests/cups-pdf.nix new file mode 100644 index 0000000000000..70d14f29e2e5d --- /dev/null +++ b/nixos/tests/cups-pdf.nix @@ -0,0 +1,40 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: { + name = "cups-pdf"; + + nodes.machine = { pkgs, ... }: { + imports = [ ./common/user-account.nix ]; + environment.systemPackages = [ pkgs.poppler_utils ]; + fonts.fonts = [ pkgs.dejavu_fonts ]; # yields more OCR-able pdf + services.printing.cups-pdf.enable = true; + services.printing.cups-pdf.instances = { + opt = {}; + noopt.installPrinter = false; + }; + hardware.printers.ensurePrinters = [{ + name = "noopt"; + model = "CUPS-PDF_noopt.ppd"; + deviceUri = "cups-pdf:/noopt"; + }]; + }; + + # we cannot check the files with pdftotext, due to + # https://github.com/alexivkin/CUPS-PDF-to-PDF/issues/7 + # we need `imagemagickBig` as it has ghostscript support + + testScript = '' + from subprocess import run + machine.wait_for_unit("cups.service") + for name in ("opt", "noopt"): + text = f"test text {name}".upper() + machine.wait_until_succeeds(f"lpstat -v {name}") + machine.succeed(f"su - alice -c 'echo -e \"\n {text}\" | lp -d {name}'") + # wait until the pdf files are completely produced and readable by alice + machine.wait_until_succeeds(f"su - alice -c 'pdfinfo /var/spool/cups-pdf-{name}/users/alice/*.pdf'") + machine.succeed(f"cp /var/spool/cups-pdf-{name}/users/alice/*.pdf /tmp/{name}.pdf") + machine.copy_from_vm(f"/tmp/{name}.pdf", "") + run(f"${pkgs.imagemagickBig}/bin/convert -density 300 $out/{name}.pdf $out/{name}.jpeg", shell=True, check=True) + assert text.encode() in run(f"${lib.getExe pkgs.tesseract} $out/{name}.jpeg stdout", shell=True, check=True, capture_output=True).stdout + ''; + + meta.maintainers = [ lib.maintainers.yarny ]; +}) diff --git a/nixos/tests/deluge.nix b/nixos/tests/deluge.nix index 0cd1d21870adf..e8945fdea003a 100644 --- a/nixos/tests/deluge.nix +++ b/nixos/tests/deluge.nix @@ -54,8 +54,10 @@ import ./make-test-python.nix ({ pkgs, ...} : { declarative.wait_for_unit("deluged") declarative.wait_for_unit("delugeweb") declarative.wait_until_succeeds("curl --fail http://declarative:3142") + + # deluge-console always exits with 1. https://dev.deluge-torrent.org/ticket/3291 declarative.succeed( - "deluge-console 'connect 127.0.0.1:58846 andrew password; help' | grep -q 'rm.*Remove a torrent'" + "(deluge-console 'connect 127.0.0.1:58846 andrew password; help' || true) | grep -q 'rm.*Remove a torrent'" ) ''; }) diff --git a/nixos/tests/dnscrypt-proxy2.nix b/nixos/tests/dnscrypt-proxy2.nix index 4435d77bbf3b2..a75a745d3553c 100644 --- a/nixos/tests/dnscrypt-proxy2.nix +++ b/nixos/tests/dnscrypt-proxy2.nix @@ -26,7 +26,7 @@ in { }; services.dnsmasq.enable = true; - services.dnsmasq.servers = [ "127.0.0.1#${toString localProxyPort}" ]; + services.dnsmasq.settings.server = [ "127.0.0.1#${toString localProxyPort}" ]; }; }; diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index 21a727dbd97c9..98704ecb2fb65 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix @@ -419,6 +419,20 @@ import ./make-test-python.nix ({ pkgs, ... }: { "docker rmi layered-image-with-path", ) + with subtest("Ensure correct architecture is present in manifests."): + docker.succeed(""" + docker load --input='${examples.build-image-with-architecture}' + docker inspect build-image-with-architecture \ + | ${pkgs.jq}/bin/jq -er '.[] | select(.Architecture=="arm64").Architecture' + docker rmi build-image-with-architecture + """) + docker.succeed(""" + ${examples.layered-image-with-architecture} | docker load + docker inspect layered-image-with-architecture \ + | ${pkgs.jq}/bin/jq -er '.[] | select(.Architecture=="arm64").Architecture' + docker rmi layered-image-with-architecture + """) + with subtest("etc"): docker.succeed("${examples.etc} | docker load") docker.succeed("docker run --rm etc | grep localhost") @@ -431,5 +445,58 @@ import ./make-test-python.nix ({ pkgs, ... }: { docker.succeed("docker run --rm image-with-certs:latest test -r /etc/pki/tls/certs/ca-bundle.crt") docker.succeed("docker image rm image-with-certs:latest") + with subtest("buildNixShellImage: Can build a basic derivation"): + docker.succeed( + "${examples.nix-shell-basic} | docker load", + "docker run --rm nix-shell-basic bash -c 'buildDerivation && $out/bin/hello' | grep '^Hello, world!$'" + ) + + with subtest("buildNixShellImage: Runs the shell hook"): + docker.succeed( + "${examples.nix-shell-hook} | docker load", + "docker run --rm -it nix-shell-hook | grep 'This is the shell hook!'" + ) + + with subtest("buildNixShellImage: Sources stdenv, making build inputs available"): + docker.succeed( + "${examples.nix-shell-inputs} | docker load", + "docker run --rm -it nix-shell-inputs | grep 'Hello, world!'" + ) + + with subtest("buildNixShellImage: passAsFile works"): + docker.succeed( + "${examples.nix-shell-pass-as-file} | docker load", + "docker run --rm -it nix-shell-pass-as-file | grep 'this is a string'" + ) + + with subtest("buildNixShellImage: run argument works"): + docker.succeed( + "${examples.nix-shell-run} | docker load", + "docker run --rm -it nix-shell-run | grep 'This shell is not interactive'" + ) + + with subtest("buildNixShellImage: command argument works"): + docker.succeed( + "${examples.nix-shell-command} | docker load", + "docker run --rm -it nix-shell-command | grep 'This shell is interactive'" + ) + + with subtest("buildNixShellImage: home directory is writable by default"): + docker.succeed( + "${examples.nix-shell-writable-home} | docker load", + "docker run --rm -it nix-shell-writable-home" + ) + + with subtest("buildNixShellImage: home directory can be made non-existent"): + docker.succeed( + "${examples.nix-shell-nonexistent-home} | docker load", + "docker run --rm -it nix-shell-nonexistent-home" + ) + + with subtest("buildNixShellImage: can build derivations"): + docker.succeed( + "${examples.nix-shell-build-derivation} | docker load", + "docker run --rm -it nix-shell-build-derivation" + ) ''; }) diff --git a/nixos/tests/ec2.nix b/nixos/tests/ec2.nix index aa3c2b7051f6c..e649761d029df 100644 --- a/nixos/tests/ec2.nix +++ b/nixos/tests/ec2.nix @@ -16,8 +16,6 @@ let ../modules/testing/test-instrumentation.nix ../modules/profiles/qemu-guest.nix { - ec2.hvm = true; - # Hack to make the partition resizing work in QEMU. boot.initrd.postDeviceCommands = mkBefore '' ln -s vda /dev/xvda diff --git a/nixos/tests/envfs.nix b/nixos/tests/envfs.nix new file mode 100644 index 0000000000000..3f9cd1edb595a --- /dev/null +++ b/nixos/tests/envfs.nix @@ -0,0 +1,42 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: +let + pythonShebang = pkgs.writeScript "python-shebang" '' + #!/usr/bin/python + print("OK") + ''; + + bashShebang = pkgs.writeScript "bash-shebang" '' + #!/usr/bin/bash + echo "OK" + ''; +in +{ + name = "envfs"; + nodes.machine.services.envfs.enable = true; + + testScript = '' + start_all() + machine.wait_until_succeeds("mountpoint -q /usr/bin/") + machine.succeed( + "PATH=${pkgs.coreutils}/bin /usr/bin/cp --version", + # check fallback paths + "PATH= /usr/bin/sh --version", + "PATH= /usr/bin/env --version", + "PATH= test -e /usr/bin/sh", + "PATH= test -e /usr/bin/env", + # no stat + "! test -e /usr/bin/cp", + # also picks up PATH that was set after execve + "! /usr/bin/hello", + "PATH=${pkgs.hello}/bin /usr/bin/hello", + ) + + out = machine.succeed("PATH=${pkgs.python3}/bin ${pythonShebang}") + print(out) + assert out == "OK\n" + + out = machine.succeed("PATH=${pkgs.bash}/bin ${bashShebang}") + print(out) + assert out == "OK\n" + ''; +}) diff --git a/nixos/tests/evcc.nix b/nixos/tests/evcc.nix new file mode 100644 index 0000000000000..c223977a9d827 --- /dev/null +++ b/nixos/tests/evcc.nix @@ -0,0 +1,97 @@ +import ./make-test-python.nix ({ pkgs, lib, ...} : + +{ + name = "evcc"; + meta.maintainers = with lib.maintainers; [ hexa ]; + + nodes = { + machine = { config, ... }: { + services.evcc = { + enable = true; + settings = { + network = { + schema = "http"; + host = "localhost"; + port = 7070; + }; + + log = "info"; + + site = { + title = "NixOS Test"; + meters = { + grid = "grid"; + pv = "pv"; + }; + }; + + meters = [ { + type = "custom"; + name = "grid"; + power = { + source = "script"; + cmd = "/bin/sh -c 'echo -4500'"; + }; + } { + type = "custom"; + name = "pv"; + power = { + source = "script"; + cmd = "/bin/sh -c 'echo 7500'"; + }; + } ]; + + chargers = [ { + name = "dummy-charger"; + type = "custom"; + status = { + source = "script"; + cmd = "/bin/sh -c 'echo charger status F'"; + }; + enabled = { + source = "script"; + cmd = "/bin/sh -c 'echo charger enabled state false'"; + }; + enable = { + source = "script"; + cmd = "/bin/sh -c 'echo set charger enabled state true'"; + }; + maxcurrent = { + source = "script"; + cmd = "/bin/sh -c 'echo set charger max current 7200'"; + }; + } ]; + + loadpoints = [ { + title = "Dummy"; + charger = "dummy-charger"; + } ]; + }; + }; + }; + }; + + testScript = '' + start_all() + + machine.wait_for_unit("evcc.service") + machine.wait_for_open_port(7070) + + with subtest("Check package version propagates into frontend"): + machine.fail( + "curl --fail http://localhost:7070 | grep '0.0.1-alpha'" + ) + machine.succeed( + "curl --fail http://localhost:7070 | grep '${pkgs.evcc.version}'" + ) + + with subtest("Check journal for errors"): + _, output = machine.execute("journalctl -o cat -u evcc.service") + assert "FATAL" not in output + assert "ERROR" not in output + + with subtest("Check systemd hardening"): + _, output = machine.execute("systemd-analyze security evcc.service | grep -v '✓'") + machine.log(output) + ''; +}) diff --git a/nixos/tests/firewall.nix b/nixos/tests/firewall.nix index 5c434c1cb6d68..dd7551f143a5e 100644 --- a/nixos/tests/firewall.nix +++ b/nixos/tests/firewall.nix @@ -1,7 +1,7 @@ # Test the firewall module. -import ./make-test-python.nix ( { pkgs, ... } : { - name = "firewall"; +import ./make-test-python.nix ( { pkgs, nftables, ... } : { + name = "firewall" + pkgs.lib.optionalString nftables "-nftables"; meta = with pkgs.lib.maintainers; { maintainers = [ eelco ]; }; @@ -11,6 +11,7 @@ import ./make-test-python.nix ( { pkgs, ... } : { { ... }: { networking.firewall.enable = true; networking.firewall.logRefusedPackets = true; + networking.nftables.enable = nftables; services.httpd.enable = true; services.httpd.adminAddr = "foo@example.org"; }; @@ -23,6 +24,7 @@ import ./make-test-python.nix ( { pkgs, ... } : { { ... }: { networking.firewall.enable = true; networking.firewall.rejectPackets = true; + networking.nftables.enable = nftables; }; attacker = @@ -35,10 +37,11 @@ import ./make-test-python.nix ( { pkgs, ... } : { testScript = { nodes, ... }: let newSystem = nodes.walled2.config.system.build.toplevel; + unit = if nftables then "nftables" else "firewall"; in '' start_all() - walled.wait_for_unit("firewall") + walled.wait_for_unit("${unit}") walled.wait_for_unit("httpd") attacker.wait_for_unit("network.target") @@ -54,12 +57,12 @@ import ./make-test-python.nix ( { pkgs, ... } : { walled.succeed("ping -c 1 attacker >&2") # If we stop the firewall, then connections should succeed. - walled.stop_job("firewall") + walled.stop_job("${unit}") attacker.succeed("curl -v http://walled/ >&2") # Check whether activation of a new configuration reloads the firewall. walled.succeed( - "${newSystem}/bin/switch-to-configuration test 2>&1 | grep -qF firewall.service" + "${newSystem}/bin/switch-to-configuration test 2>&1 | grep -qF ${unit}.service" ) ''; }) diff --git a/nixos/tests/freenet.nix b/nixos/tests/freenet.nix new file mode 100644 index 0000000000000..96dbb4caa1293 --- /dev/null +++ b/nixos/tests/freenet.nix @@ -0,0 +1,19 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "freenet"; + meta = with pkgs.lib.maintainers; { + maintainers = [ nagy ]; + }; + + nodes = { + machine = { ... }: { + services.freenet.enable = true; + }; + }; + + testScript = '' + machine.wait_for_unit("freenet.service") + machine.wait_for_open_port(8888) + machine.wait_until_succeeds("curl -sfL http://localhost:8888/ | grep Freenet") + machine.succeed("systemctl stop freenet") + ''; +}) diff --git a/nixos/tests/garage/basic.nix b/nixos/tests/garage/basic.nix new file mode 100644 index 0000000000000..b6df1e72af983 --- /dev/null +++ b/nixos/tests/garage/basic.nix @@ -0,0 +1,98 @@ +args@{ mkNode, ... }: +(import ../make-test-python.nix ({ pkgs, ...} : { + name = "garage-basic"; + meta = { + maintainers = with pkgs.lib.maintainers; [ raitobezarius ]; + }; + + nodes = { + single_node = mkNode { replicationMode = "none"; }; + }; + + testScript = '' + from typing import List + from dataclasses import dataclass + import re + + start_all() + + cur_version_regex = re.compile('Current cluster layout version: (?P<ver>\d*)') + key_creation_regex = re.compile('Key name: (?P<key_name>.*)\nKey ID: (?P<key_id>.*)\nSecret key: (?P<secret_key>.*)') + + @dataclass + class S3Key: + key_name: str + key_id: str + secret_key: str + + @dataclass + class GarageNode: + node_id: str + host: str + + def get_node_fqn(machine: Machine) -> GarageNode: + node_id, host = machine.succeed("garage node id").split('@') + return GarageNode(node_id=node_id, host=host) + + def get_node_id(machine: Machine) -> str: + return get_node_fqn(machine).node_id + + def get_layout_version(machine: Machine) -> int: + version_data = machine.succeed("garage layout show") + m = cur_version_regex.search(version_data) + if m and m.group('ver') is not None: + return int(m.group('ver')) + 1 + else: + raise ValueError('Cannot find current layout version') + + def apply_garage_layout(machine: Machine, layouts: List[str]): + for layout in layouts: + machine.succeed(f"garage layout assign {layout}") + version = get_layout_version(machine) + machine.succeed(f"garage layout apply --version {version}") + + def create_api_key(machine: Machine, key_name: str) -> S3Key: + output = machine.succeed(f"garage key new --name {key_name}") + m = key_creation_regex.match(output) + if not m or not m.group('key_id') or not m.group('secret_key'): + raise ValueError('Cannot parse API key data') + return S3Key(key_name=key_name, key_id=m.group('key_id'), secret_key=m.group('secret_key')) + + def get_api_key(machine: Machine, key_pattern: str) -> S3Key: + output = machine.succeed(f"garage key info {key_pattern}") + m = key_creation_regex.match(output) + if not m or not m.group('key_name') or not m.group('key_id') or not m.group('secret_key'): + raise ValueError('Cannot parse API key data') + return S3Key(key_name=m.group('key_name'), key_id=m.group('key_id'), secret_key=m.group('secret_key')) + + def test_bucket_writes(node): + node.succeed("garage bucket create test-bucket") + s3_key = create_api_key(node, "test-api-key") + node.succeed("garage bucket allow --read --write test-bucket --key test-api-key") + other_s3_key = get_api_key(node, 'test-api-key') + assert other_s3_key.secret_key == other_s3_key.secret_key + node.succeed( + f"mc alias set test-garage http://[::1]:3900 {s3_key.key_id} {s3_key.secret_key} --api S3v4" + ) + node.succeed("echo test | mc pipe test-garage/test-bucket/test.txt") + assert node.succeed("mc cat test-garage/test-bucket/test.txt").strip() == "test" + + def test_bucket_over_http(node, bucket='test-bucket', url=None): + if url is None: + url = f"{bucket}.web.garage" + + node.succeed(f'garage bucket website --allow {bucket}') + node.succeed(f'echo hello world | mc pipe test-garage/{bucket}/index.html') + assert (node.succeed(f"curl -H 'Host: {url}' http://localhost:3902")).strip() == 'hello world' + + with subtest("Garage works as a single-node S3 storage"): + single_node.wait_for_unit("garage.service") + single_node.wait_for_open_port(3900) + # Now Garage is initialized. + single_node_id = get_node_id(single_node) + apply_garage_layout(single_node, [f'-z qemutest -c 1 "{single_node_id}"']) + # Now Garage is operational. + test_bucket_writes(single_node) + test_bucket_over_http(single_node) + ''; +})) args diff --git a/nixos/tests/garage/default.nix b/nixos/tests/garage/default.nix new file mode 100644 index 0000000000000..4c38ea1bc898e --- /dev/null +++ b/nixos/tests/garage/default.nix @@ -0,0 +1,53 @@ +{ system ? builtins.currentSystem +, config ? { } +, pkgs ? import ../../.. { inherit system config; } +}: +with pkgs.lib; + +let + mkNode = package: { replicationMode, publicV6Address ? "::1" }: { pkgs, ... }: { + networking.interfaces.eth1.ipv6.addresses = [{ + address = publicV6Address; + prefixLength = 64; + }]; + + networking.firewall.allowedTCPPorts = [ 3901 3902 ]; + + services.garage = { + enable = true; + inherit package; + settings = { + replication_mode = replicationMode; + + rpc_bind_addr = "[::]:3901"; + rpc_public_addr = "[${publicV6Address}]:3901"; + rpc_secret = "5c1915fa04d0b6739675c61bf5907eb0fe3d9c69850c83820f51b4d25d13868c"; + + s3_api = { + s3_region = "garage"; + api_bind_addr = "[::]:3900"; + root_domain = ".s3.garage"; + }; + + s3_web = { + bind_addr = "[::]:3902"; + root_domain = ".web.garage"; + index = "index.html"; + }; + }; + }; + environment.systemPackages = [ pkgs.minio-client ]; + + # Garage requires at least 1GiB of free disk space to run. + virtualisation.diskSize = 2 * 1024; + }; +in + foldl + (matrix: ver: matrix // { + "basic${toString ver}" = import ./basic.nix { inherit system pkgs; mkNode = mkNode pkgs."garage_${ver}"; }; + "with-3node-replication${toString ver}" = import ./with-3node-replication.nix { inherit system pkgs; mkNode = mkNode pkgs."garage_${ver}"; }; + }) + {} + [ + "0_8_0" + ] diff --git a/nixos/tests/garage.nix b/nixos/tests/garage/with-3node-replication.nix index dc1f83e7f8f3c..d372ad1aa000f 100644 --- a/nixos/tests/garage.nix +++ b/nixos/tests/garage/with-3node-replication.nix @@ -1,50 +1,12 @@ -import ./make-test-python.nix ({ pkgs, ...} : -let - mkNode = { replicationMode, publicV6Address ? "::1" }: { pkgs, ... }: { - networking.interfaces.eth1.ipv6.addresses = [{ - address = publicV6Address; - prefixLength = 64; - }]; - - networking.firewall.allowedTCPPorts = [ 3901 3902 ]; - - services.garage = { - enable = true; - settings = { - replication_mode = replicationMode; - - rpc_bind_addr = "[::]:3901"; - rpc_public_addr = "[${publicV6Address}]:3901"; - rpc_secret = "5c1915fa04d0b6739675c61bf5907eb0fe3d9c69850c83820f51b4d25d13868c"; - - s3_api = { - s3_region = "garage"; - api_bind_addr = "[::]:3900"; - root_domain = ".s3.garage"; - }; - - s3_web = { - bind_addr = "[::]:3902"; - root_domain = ".web.garage"; - index = "index.html"; - }; - }; - }; - environment.systemPackages = [ pkgs.minio-client ]; - - # Garage requires at least 1GiB of free disk space to run. - virtualisation.diskSize = 2 * 1024; - }; - - -in { - name = "garage"; +args@{ mkNode, ... }: +(import ../make-test-python.nix ({ pkgs, ...} : +{ + name = "garage-3node-replication"; meta = { maintainers = with pkgs.lib.maintainers; [ raitobezarius ]; }; nodes = { - single_node = mkNode { replicationMode = "none"; }; node1 = mkNode { replicationMode = 3; publicV6Address = "fc00:1::1"; }; node2 = mkNode { replicationMode = 3; publicV6Address = "fc00:1::2"; }; node3 = mkNode { replicationMode = 3; publicV6Address = "fc00:1::3"; }; @@ -126,16 +88,6 @@ in { node.succeed(f'echo hello world | mc pipe test-garage/{bucket}/index.html') assert (node.succeed(f"curl -H 'Host: {url}' http://localhost:3902")).strip() == 'hello world' - with subtest("Garage works as a single-node S3 storage"): - single_node.wait_for_unit("garage.service") - single_node.wait_for_open_port(3900) - # Now Garage is initialized. - single_node_id = get_node_id(single_node) - apply_garage_layout(single_node, [f'-z qemutest -c 1 "{single_node_id}"']) - # Now Garage is operational. - test_bucket_writes(single_node) - test_bucket_over_http(single_node) - with subtest("Garage works as a multi-node S3 storage"): nodes = ('node1', 'node2', 'node3', 'node4') rev_machines = {m.name: m for m in machines} @@ -166,4 +118,4 @@ in { for node in nodes: test_bucket_over_http(get_machine(node)) ''; -}) +})) args diff --git a/nixos/tests/gnome-flashback.nix b/nixos/tests/gnome-flashback.nix new file mode 100644 index 0000000000000..c97264e6928a0 --- /dev/null +++ b/nixos/tests/gnome-flashback.nix @@ -0,0 +1,51 @@ +import ./make-test-python.nix ({ pkgs, lib, ...} : { + name = "gnome-flashback"; + meta = with lib; { + maintainers = teams.gnome.members ++ [ maintainers.chpatrick ]; + }; + + nodes.machine = { nodes, ... }: let + user = nodes.machine.config.users.users.alice; + in + + { imports = [ ./common/user-account.nix ]; + + services.xserver.enable = true; + + services.xserver.displayManager = { + gdm.enable = true; + gdm.debug = true; + autoLogin = { + enable = true; + user = user.name; + }; + }; + + services.xserver.desktopManager.gnome.enable = true; + services.xserver.desktopManager.gnome.debug = true; + services.xserver.desktopManager.gnome.flashback.enableMetacity = true; + services.xserver.displayManager.defaultSession = "gnome-flashback-metacity"; + }; + + testScript = { nodes, ... }: let + user = nodes.machine.config.users.users.alice; + uid = toString user.uid; + xauthority = "/run/user/${uid}/gdm/Xauthority"; + in '' + with subtest("Login to GNOME Flashback with GDM"): + machine.wait_for_x() + # Wait for alice to be logged in" + machine.wait_for_unit("default.target", "${user.name}") + machine.wait_for_file("${xauthority}") + machine.succeed("xauth merge ${xauthority}") + # Check that logging in has given the user ownership of devices + assert "alice" in machine.succeed("getfacl -p /dev/snd/timer") + + with subtest("Wait for Metacity"): + machine.wait_until_succeeds( + "pgrep metacity" + ) + machine.sleep(20) + machine.screenshot("screen") + ''; +}) diff --git a/nixos/tests/grafana/basic.nix b/nixos/tests/grafana/basic.nix index f6566d4497098..8bf4caad7fbfc 100644 --- a/nixos/tests/grafana/basic.nix +++ b/nixos/tests/grafana/basic.nix @@ -25,6 +25,22 @@ let extraNodeConfs = { sqlite = {}; + socket = { config, ... }: { + services.grafana.settings.server = { + protocol = "socket"; + socket = "/run/grafana/sock"; + socket_gid = config.users.groups.nginx.gid; + }; + + users.users.grafana.extraGroups = [ "nginx" ]; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + virtualHosts."_".locations."/".proxyPass = "http://unix:/run/grafana/sock"; + }; + }; + declarativePlugins = { services.grafana.declarativePlugins = [ pkgs.grafanaPlugins.grafana-clock-panel ]; }; @@ -92,6 +108,17 @@ in { ) sqlite.shutdown() + with subtest("Successful API query as admin user with sqlite db listening on socket"): + socket.wait_for_unit("grafana.service") + socket.wait_for_open_port(80) + print(socket.succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1/api/org/users -i" + )) + socket.succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1/api/org/users | grep admin\@localhost" + ) + socket.shutdown() + with subtest("Successful API query as admin user with postgresql db"): postgresql.wait_for_unit("grafana.service") postgresql.wait_for_unit("postgresql.service") diff --git a/nixos/tests/grafana/provision/default.nix b/nixos/tests/grafana/provision/default.nix index 7a707ab9fed1f..1eb927632eb7a 100644 --- a/nixos/tests/grafana/provision/default.nix +++ b/nixos/tests/grafana/provision/default.nix @@ -17,7 +17,7 @@ let security = { admin_user = "testadmin"; - admin_password = "snakeoilpwd"; + admin_password = "$__file{${pkgs.writeText "pwd" "snakeoilpwd"}}"; }; }; }; @@ -28,17 +28,24 @@ let }; extraNodeConfs = { - provisionOld = { + provisionLegacyNotifiers = { services.grafana.provision = { - datasources = [{ - name = "Test Datasource"; - type = "testdata"; - access = "proxy"; - uid = "test_datasource"; - }]; - - dashboards = [{ options.path = "/var/lib/grafana/dashboards"; }]; - + datasources.settings = { + apiVersion = 1; + datasources = [{ + name = "Test Datasource"; + type = "testdata"; + access = "proxy"; + uid = "test_datasource"; + }]; + }; + dashboards.settings = { + apiVersion = 1; + providers = [{ + name = "default"; + options.path = "/var/lib/grafana/dashboards"; + }]; + }; notifiers = [{ uid = "test_notifiers"; name = "Test Notifiers"; @@ -50,7 +57,6 @@ let }]; }; }; - provisionNix = { services.grafana.provision = { datasources.settings = { @@ -157,6 +163,22 @@ let }; }; }; + + provisionYamlDirs = let + mkdir = p: pkgs.writeTextDir (baseNameOf p) (builtins.readFile p); + in { + services.grafana.provision = { + datasources.path = mkdir ./datasources.yaml; + dashboards.path = mkdir ./dashboards.yaml; + alerting = { + rules.path = mkdir ./rules.yaml; + contactPoints.path = mkdir ./contact-points.yaml; + policies.path = mkdir ./policies.yaml; + templates.path = mkdir ./templates.yaml; + muteTimings.path = mkdir ./mute-timings.yaml; + }; + }; + }; }; nodes = builtins.mapAttrs (_: val: mkMerge [ val baseGrafanaConf ]) extraNodeConfs; @@ -172,58 +194,58 @@ in { testScript = '' start_all() - nodeOld = ("Nix (old format)", provisionOld) nodeNix = ("Nix (new format)", provisionNix) nodeYaml = ("Nix (YAML)", provisionYaml) + nodeYamlDir = ("Nix (YAML in dirs)", provisionYamlDirs) - for nodeInfo in [nodeOld, nodeNix, nodeYaml]: - with subtest(f"Should start provision node: {nodeInfo[0]}"): - nodeInfo[1].wait_for_unit("grafana.service") - nodeInfo[1].wait_for_open_port(3000) + for description, machine in [nodeNix, nodeYaml, nodeYamlDir]: + with subtest(f"Should start provision node: {description}"): + machine.wait_for_unit("grafana.service") + machine.wait_for_open_port(3000) - with subtest(f"Successful datasource provision with {nodeInfo[0]}"): - nodeInfo[1].succeed( + with subtest(f"Successful datasource provision with {description}"): + machine.succeed( "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/datasources/uid/test_datasource | grep Test\ Datasource" ) - with subtest(f"Successful dashboard provision with {nodeInfo[0]}"): - nodeInfo[1].succeed( + with subtest(f"Successful dashboard provision with {description}"): + machine.succeed( "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/dashboards/uid/test_dashboard | grep Test\ Dashboard" ) - - - with subtest(f"Successful notifiers provision with {nodeOld[0]}"): - nodeOld[1].succeed( - "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/alert-notifications/uid/test_notifiers | grep Test\ Notifiers" - ) - - - - for nodeInfo in [nodeNix, nodeYaml]: - with subtest(f"Successful rule provision with {nodeInfo[0]}"): - nodeInfo[1].succeed( + with subtest(f"Successful rule provision with {description}"): + machine.succeed( "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/alert-rules/test_rule | grep Test\ Rule" ) - with subtest(f"Successful contact point provision with {nodeInfo[0]}"): - nodeInfo[1].succeed( + with subtest(f"Successful contact point provision with {description}"): + machine.succeed( "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/contact-points | grep Test\ Contact\ Point" ) - with subtest(f"Successful policy provision with {nodeInfo[0]}"): - nodeInfo[1].succeed( + with subtest(f"Successful policy provision with {description}"): + machine.succeed( "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/policies | grep Test\ Contact\ Point" ) - with subtest(f"Successful template provision with {nodeInfo[0]}"): - nodeInfo[1].succeed( + with subtest(f"Successful template provision with {description}"): + machine.succeed( "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/templates | grep Test\ Template" ) - with subtest("Successful mute timings provision with {nodeInfo[0]}"): - nodeInfo[1].succeed( + with subtest("Successful mute timings provision with {description}"): + machine.succeed( "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/mute-timings | grep Test\ Mute\ Timing" ) + + with subtest("Successful notifiers provision"): + provisionLegacyNotifiers.wait_for_unit("grafana.service") + provisionLegacyNotifiers.wait_for_open_port(3000) + print(provisionLegacyNotifiers.succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/alert-notifications/uid/test_notifiers" + )) + provisionLegacyNotifiers.succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/alert-notifications/uid/test_notifiers | grep Test\ Notifiers" + ) ''; }) diff --git a/nixos/tests/graphite.nix b/nixos/tests/graphite.nix index c534d45428e19..de6cd8a50e179 100644 --- a/nixos/tests/graphite.nix +++ b/nixos/tests/graphite.nix @@ -13,7 +13,7 @@ import ./make-test-python.nix ({ pkgs, ... } : ''; }; carbon.enableCache = true; - seyren.enable = false; # Implicitely requires openssl-1.0.2u which is marked insecure + seyren.enable = false; # Implicitly requires openssl-1.0.2u which is marked insecure }; }; }; diff --git a/nixos/tests/grocy.nix b/nixos/tests/grocy.nix index fe0ddd341486b..48bbc9f7d3fa2 100644 --- a/nixos/tests/grocy.nix +++ b/nixos/tests/grocy.nix @@ -14,6 +14,9 @@ import ./make-test-python.nix ({ pkgs, ... }: { }; testScript = '' + from base64 import b64encode + from urllib.parse import quote + machine.start() machine.wait_for_open_port(80) machine.wait_for_unit("multi-user.target") @@ -42,6 +45,29 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine.succeed("curl -sSI http://localhost/api/tasks 2>&1 | grep '401 Unauthorized'") + file_name = "test.txt" + file_name_base64 = b64encode(file_name.encode('ascii')).decode('ascii') + file_name_base64_urlencode = quote(file_name_base64) + + machine.succeed( + f"echo Sample equipment manual > /tmp/{file_name}" + ) + + machine.succeed( + f"curl -sSf -X 'PUT' -b 'grocy_session={cookie}' " + + f" 'http://localhost/api/files/equipmentmanuals/{file_name_base64_urlencode}' " + + " --header 'Accept: */*' " + + " --header 'Content-Type: application/octet-stream' " + + f" --data-binary '@/tmp/{file_name}' " + ) + + machine.succeed( + f"curl -sSf -X 'GET' -b 'grocy_session={cookie}' " + + f" 'http://localhost/api/files/equipmentmanuals/{file_name_base64_urlencode}' " + + " --header 'Accept: application/octet-stream' " + + f" | cmp /tmp/{file_name}" + ) + machine.shutdown() ''; }) diff --git a/nixos/tests/headscale.nix b/nixos/tests/headscale.nix new file mode 100644 index 0000000000000..48658b5dade42 --- /dev/null +++ b/nixos/tests/headscale.nix @@ -0,0 +1,17 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "headscale"; + meta.maintainers = with lib.maintainers; [ misterio77 ]; + + nodes.machine = { ... }: { + services.headscale.enable = true; + environment.systemPackages = [ pkgs.headscale ]; + }; + + testScript = '' + machine.wait_for_unit("headscale") + machine.wait_for_open_port(8080) + # Test basic funcionality + machine.succeed("headscale namespaces create test") + machine.succeed("headscale preauthkeys -n test create") + ''; +}) diff --git a/nixos/tests/hibernate.nix b/nixos/tests/hibernate.nix index 7a4b331169a39..cb75322ca5f92 100644 --- a/nixos/tests/hibernate.nix +++ b/nixos/tests/hibernate.nix @@ -26,8 +26,9 @@ let powerManagement.resumeCommands = "systemctl --no-block restart backdoor.service"; - fileSystems = { - "/".device = "/dev/vda2"; + fileSystems."/" = { + device = "/dev/vda2"; + fsType = "ext3"; }; swapDevices = mkOverride 0 [ { device = "/dev/vda1"; } ]; boot.resumeDevice = mkIf systemdStage1 "/dev/vda1"; diff --git a/nixos/tests/home-assistant.nix b/nixos/tests/home-assistant.nix index 0bbeffd18cf0d..8d58de75eabc3 100644 --- a/nixos/tests/home-assistant.nix +++ b/nixos/tests/home-assistant.nix @@ -120,7 +120,7 @@ in { start_all() # Parse the package path out of the systemd unit, as we cannot - # access the final package, that is overriden inside the module, + # access the final package, that is overridden inside the module, # by any other means. pattern = re.compile(r"path=(?P<path>[\/a-z0-9-.]+)\/bin\/hass") response = hass.execute("systemctl show -p ExecStart home-assistant.service")[1] diff --git a/nixos/tests/initrd-network-openvpn/default.nix b/nixos/tests/initrd-network-openvpn/default.nix index bb4c41e6d7095..dbb34c28eea74 100644 --- a/nixos/tests/initrd-network-openvpn/default.nix +++ b/nixos/tests/initrd-network-openvpn/default.nix @@ -91,6 +91,7 @@ import ../make-test-python.nix ({ lib, ...}: config = '' dev tun0 ifconfig 10.8.0.1 10.8.0.2 + cipher AES-256-CBC ${secretblock} ''; }; diff --git a/nixos/tests/initrd-network-openvpn/initrd.ovpn b/nixos/tests/initrd-network-openvpn/initrd.ovpn index 5926a48af00f4..3ada4130e8682 100644 --- a/nixos/tests/initrd-network-openvpn/initrd.ovpn +++ b/nixos/tests/initrd-network-openvpn/initrd.ovpn @@ -3,6 +3,7 @@ dev tun ifconfig 10.8.0.2 10.8.0.1 # Only force VLAN 2 through the VPN route 192.168.2.0 255.255.255.0 10.8.0.1 +cipher AES-256-CBC secret [inline] <secret> # @@ -26,4 +27,4 @@ be5a69522a8e60ccb217f8521681b45d e7811584363597599cce2040a68ac00e f2125540e0f7f4adc37cb3f0d922eeb7 -----END OpenVPN Static key V1----- -</secret> \ No newline at end of file +</secret> diff --git a/nixos/tests/installer-systemd-stage-1.nix b/nixos/tests/installer-systemd-stage-1.nix index d02387ee80e09..03f0ec8d746b8 100644 --- a/nixos/tests/installer-systemd-stage-1.nix +++ b/nixos/tests/installer-systemd-stage-1.nix @@ -8,9 +8,10 @@ # them when fixed. inherit (import ./installer.nix { inherit system config pkgs; systemdStage1 = true; }) # bcache - # btrfsSimple - # btrfsSubvolDefault - # btrfsSubvols + btrfsSimple + btrfsSubvolDefault + btrfsSubvolEscape + btrfsSubvols # encryptedFSWithKeyfile # grub1 # luksroot diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index d9f64a781c57e..5f3f61632f070 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -57,7 +57,7 @@ let hardware.enableAllFirmware = lib.mkForce false; - ${replaceChars ["\n"] ["\n "] extraConfig} + ${replaceStrings ["\n"] ["\n "] extraConfig} } ''; @@ -465,8 +465,12 @@ let ''; testSpecialisationConfig = true; }; - - + # disable zfs so we can support latest kernel if needed + no-zfs-module = { + nixpkgs.overlays = [(final: super: { + zfs = super.zfs.overrideAttrs(_: {meta.platforms = [];});} + )]; + }; in { # !!! `parted mkpart' seems to silently create overlapping partitions. @@ -714,6 +718,7 @@ in { bcachefsSimple = makeInstallerTest "bcachefs-simple" { extraInstallerConfig = { boot.supportedFilesystems = [ "bcachefs" ]; + imports = [ no-zfs-module ]; }; createPartitions = '' @@ -737,13 +742,22 @@ in { bcachefsEncrypted = makeInstallerTest "bcachefs-encrypted" { extraInstallerConfig = { boot.supportedFilesystems = [ "bcachefs" ]; + + # disable zfs so we can support latest kernel if needed + imports = [ no-zfs-module ]; + environment.systemPackages = with pkgs; [ keyutils ]; }; - # We don't want to use the normal way of unlocking bcachefs defined in tasks/filesystems/bcachefs.nix. - # So, override initrd.postDeviceCommands completely and simply unlock with the predefined password. extraConfig = '' - boot.initrd.postDeviceCommands = lib.mkForce "echo password | bcachefs unlock /dev/vda3"; + boot.kernelParams = lib.mkAfter [ "console=tty0" ]; + ''; + + enableOCR = true; + preBootCommands = '' + machine.start() + machine.wait_for_text("enter passphrase for ") + machine.send_chars("password\n") ''; createPartitions = '' @@ -769,6 +783,9 @@ in { bcachefsMulti = makeInstallerTest "bcachefs-multi" { extraInstallerConfig = { boot.supportedFilesystems = [ "bcachefs" ]; + + # disable zfs so we can support latest kernel if needed + imports = [ no-zfs-module ]; }; createPartitions = '' @@ -911,4 +928,25 @@ in { ) ''; }; + + # Test to see if we can deal with subvols that need to be escaped in fstab + btrfsSubvolEscape = makeInstallerTest "btrfsSubvolEscape" { + createPartitions = '' + machine.succeed( + "sgdisk -Z /dev/vda", + "sgdisk -n 1:0:+1M -n 2:0:+1G -N 3 -t 1:ef02 -t 2:8200 -t 3:8300 -c 3:root /dev/vda", + "mkswap /dev/vda2 -L swap", + "swapon -L swap", + "mkfs.btrfs -L root /dev/vda3", + "btrfs device scan", + "mount LABEL=root /mnt", + "btrfs subvol create '/mnt/nixos in space'", + "btrfs subvol create /mnt/boot", + "umount /mnt", + "mount -o 'defaults,subvol=nixos in space' LABEL=root /mnt", + "mkdir /mnt/boot", + "mount -o defaults,subvol=boot LABEL=root /mnt/boot", + ) + ''; + }; } diff --git a/nixos/tests/kanidm.nix b/nixos/tests/kanidm.nix index 7f8a4e501777e..33c65026b9b1a 100644 --- a/nixos/tests/kanidm.nix +++ b/nixos/tests/kanidm.nix @@ -13,26 +13,17 @@ import ./make-test-python.nix ({ pkgs, ... }: serverSettings = { origin = "https://${serverDomain}"; domain = serverDomain; - bindaddress = "[::1]:8443"; + bindaddress = "[::]:443"; ldapbindaddress = "[::1]:636"; - }; - }; - - services.nginx = { - enable = true; - recommendedProxySettings = true; - virtualHosts."${serverDomain}" = { - forceSSL = true; - sslCertificate = certs."${serverDomain}".cert; - sslCertificateKey = certs."${serverDomain}".key; - locations."/".proxyPass = "http://[::1]:8443"; + tls_chain = certs."${serverDomain}".cert; + tls_key = certs."${serverDomain}".key; }; }; security.pki.certificateFiles = [ certs.ca.cert ]; networking.hosts."::1" = [ serverDomain ]; - networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedTCPPorts = [ 443 ]; users.users.kanidm.shell = pkgs.bashInteractive; @@ -73,7 +64,7 @@ import ./make-test-python.nix ({ pkgs, ... }: start_all() server.wait_for_unit("kanidm.service") server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm") - server.succeed("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'") + server.succeed("ldapsearch -H ldaps://${serverDomain}:636 -b '${ldapBaseDN}' -x '(name=test)'") client.succeed("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}") rv, result = server.execute("kanidmd recover_account -c ${serverConfigFile} idm_admin 2>&1 | rg -o '[A-Za-z0-9]{48}'") assert rv == 0 diff --git a/nixos/tests/kerberos/mit.nix b/nixos/tests/kerberos/mit.nix index b475b7e4c92bb..7e427ffef0ba8 100644 --- a/nixos/tests/kerberos/mit.nix +++ b/nixos/tests/kerberos/mit.nix @@ -9,7 +9,7 @@ import ../make-test-python.nix ({pkgs, ...}: { }; krb5 = { enable = true; - kerberos = pkgs.krb5Full; + kerberos = pkgs.krb5; libdefaults = { default_realm = "FOO.BAR"; }; diff --git a/nixos/tests/keycloak.nix b/nixos/tests/keycloak.nix index 6ce136330d438..228e57d1cdd6f 100644 --- a/nixos/tests/keycloak.nix +++ b/nixos/tests/keycloak.nix @@ -5,10 +5,13 @@ let certs = import ./common/acme/server/snakeoil-certs.nix; frontendUrl = "https://${certs.domain}"; - initialAdminPassword = "h4IhoJFnt2iQIR9"; keycloakTest = import ./make-test-python.nix ( { pkgs, databaseType, ... }: + let + initialAdminPassword = "h4Iho\"JFn't2>iQIR9"; + adminPasswordFile = pkgs.writeText "admin-password" "${initialAdminPassword}"; + in { name = "keycloak"; meta = with pkgs.lib.maintainers; { @@ -37,7 +40,7 @@ let type = databaseType; username = "bogus"; name = "also bogus"; - passwordFile = "${pkgs.writeText "dbPassword" "wzf6vOCbPp6cqTH"}"; + passwordFile = "${pkgs.writeText "dbPassword" ''wzf6\"vO"Cb\nP>p#6;c&o?eu=q'THE'''H''''E''}"; }; plugins = with config.services.keycloak.package.plugins; [ keycloak-discord @@ -111,7 +114,7 @@ let keycloak.succeed(""" curl -sSf -d 'client_id=admin-cli' \ -d 'username=admin' \ - -d 'password=${initialAdminPassword}' \ + -d "password=$(<${adminPasswordFile})" \ -d 'grant_type=password' \ '${frontendUrl}/realms/master/protocol/openid-connect/token' \ | jq -r '"Authorization: bearer " + .access_token' >admin_auth_header @@ -119,10 +122,10 @@ let # Register the metrics SPI keycloak.succeed( - "${pkgs.jre}/bin/keytool -import -alias snakeoil -file ${certs.ca.cert} -storepass aaaaaa -keystore cacert.jks -noprompt", - "KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh config credentials --server '${frontendUrl}' --realm master --user admin --password '${initialAdminPassword}'", - "KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh update events/config -s 'eventsEnabled=true' -s 'adminEventsEnabled=true' -s 'eventsListeners+=metrics-listener'", - "curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'" + """${pkgs.jre}/bin/keytool -import -alias snakeoil -file ${certs.ca.cert} -storepass aaaaaa -keystore cacert.jks -noprompt""", + """KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh config credentials --server '${frontendUrl}' --realm master --user admin --password "$(<${adminPasswordFile})" """, + """KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh update events/config -s 'eventsEnabled=true' -s 'adminEventsEnabled=true' -s 'eventsListeners+=metrics-listener'""", + """curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'""" ) # Publish the realm, including a test OIDC client and user diff --git a/nixos/tests/keymap.nix b/nixos/tests/keymap.nix index 4306a9ae2cf94..0bde21093b0a2 100644 --- a/nixos/tests/keymap.nix +++ b/nixos/tests/keymap.nix @@ -64,7 +64,6 @@ let # wait for reader to be ready machine.wait_for_file("${readyFile}") - machine.sleep(1) # send all keys for key in inputs: @@ -78,9 +77,18 @@ let with open("${pkgs.writeText "tests.json" (builtins.toJSON tests)}") as json_file: tests = json.load(json_file) + # These environments used to run in the opposite order, causing the + # following error at openvt startup. + # + # openvt: Couldn't deallocate console 1 + # + # This error did not appear in successful runs. + # I don't know the exact cause, but I it seems that openvt and X are + # fighting over the virtual terminal. This does not appear to be a problem + # when the X test runs first. keymap_environments = { - "VT Keymap": "openvt -sw --", "Xorg Keymap": "DISPLAY=:0 xterm -title testterm -class testterm -fullscreen -e", + "VT Keymap": "openvt -sw --", } machine.wait_for_x() diff --git a/nixos/tests/krb5/example-config.nix b/nixos/tests/krb5/example-config.nix index 1125b02f01ca8..9a5c3b2af2490 100644 --- a/nixos/tests/krb5/example-config.nix +++ b/nixos/tests/krb5/example-config.nix @@ -11,7 +11,7 @@ import ../make-test-python.nix ({ pkgs, ...} : { { pkgs, ... }: { krb5 = { enable = true; - kerberos = pkgs.krb5Full; + kerberos = pkgs.krb5; libdefaults = { default_realm = "ATHENA.MIT.EDU"; }; diff --git a/nixos/tests/kubernetes/dns.nix b/nixos/tests/kubernetes/dns.nix index 6299b7ff988af..1b7145eb5d5e3 100644 --- a/nixos/tests/kubernetes/dns.nix +++ b/nixos/tests/kubernetes/dns.nix @@ -69,7 +69,7 @@ let extraConfiguration = { config, pkgs, lib, ... }: { environment.systemPackages = [ pkgs.bind.host ]; services.dnsmasq.enable = true; - services.dnsmasq.servers = [ + services.dnsmasq.settings.server = [ "/cluster.local/${config.services.kubernetes.addons.dns.clusterIp}#53" ]; }; diff --git a/nixos/tests/make-test-python.nix b/nixos/tests/make-test-python.nix index 7a96f538d8d7a..28569f1d2955a 100644 --- a/nixos/tests/make-test-python.nix +++ b/nixos/tests/make-test-python.nix @@ -1,6 +1,6 @@ f: { system ? builtins.currentSystem, - pkgs ? import ../.. { inherit system; }, + pkgs ? import ../.. { inherit system; config = {}; overlays = []; }, ... } @ args: diff --git a/nixos/tests/mongodb.nix b/nixos/tests/mongodb.nix index edd074f5163c2..67347541dd66a 100644 --- a/nixos/tests/mongodb.nix +++ b/nixos/tests/mongodb.nix @@ -33,8 +33,6 @@ import ./make-test-python.nix ({ pkgs, ... }: nodes = { node = {...}: { environment.systemPackages = with pkgs; [ - mongodb-3_4 - mongodb-3_6 mongodb-4_0 mongodb-4_2 mongodb-4_4 @@ -46,8 +44,6 @@ import ./make-test-python.nix ({ pkgs, ... }: testScript = '' node.start() '' - + runMongoDBTest pkgs.mongodb-3_4 - + runMongoDBTest pkgs.mongodb-3_6 + runMongoDBTest pkgs.mongodb-4_0 + runMongoDBTest pkgs.mongodb-4_2 + runMongoDBTest pkgs.mongodb-4_4 diff --git a/nixos/tests/musescore.nix b/nixos/tests/musescore.nix index 18de0a5502390..ac2f4ba74c0f6 100644 --- a/nixos/tests/musescore.nix +++ b/nixos/tests/musescore.nix @@ -69,6 +69,10 @@ in # Wait until the export dialogue appears. machine.wait_for_window("Export") machine.screenshot("MuseScore1") + machine.send_key("shift-tab") + machine.sleep(1) + machine.send_key("shift-tab") + machine.sleep(1) machine.send_key("ret") machine.sleep(1) machine.send_key("ret") diff --git a/nixos/tests/nat.nix b/nixos/tests/nat.nix index 545eb46f2bf59..912a04deae8b3 100644 --- a/nixos/tests/nat.nix +++ b/nixos/tests/nat.nix @@ -3,14 +3,16 @@ # client on the inside network, a server on the outside network, and a # router connected to both that performs Network Address Translation # for the client. -import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, ... }: +import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, nftables ? false, ... }: let - unit = if withFirewall then "firewall" else "nat"; + unit = if nftables then "nftables" else (if withFirewall then "firewall" else "nat"); routerBase = lib.mkMerge [ { virtualisation.vlans = [ 2 1 ]; networking.firewall.enable = withFirewall; + networking.firewall.filterForward = nftables; + networking.nftables.enable = nftables; networking.nat.internalIPs = [ "192.168.1.0/24" ]; networking.nat.externalInterface = "eth1"; } @@ -21,7 +23,8 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? ]; in { - name = "nat" + (if withFirewall then "WithFirewall" else "Standalone") + name = "nat" + (lib.optionalString nftables "Nftables") + + (if withFirewall then "WithFirewall" else "Standalone") + (lib.optionalString withConntrackHelpers "withConntrackHelpers"); meta = with pkgs.lib.maintainers; { maintainers = [ eelco rob ]; @@ -34,6 +37,7 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? { virtualisation.vlans = [ 1 ]; networking.defaultGateway = (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ipv4.addresses).address; + networking.nftables.enable = nftables; } (lib.optionalAttrs withConntrackHelpers { networking.firewall.connectionTrackingModules = [ "ftp" ]; @@ -111,7 +115,7 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? # FIXME: this should not be necessary, but nat.service is not started because # network.target is not triggered # (https://github.com/NixOS/nixpkgs/issues/16230#issuecomment-226408359) - ${lib.optionalString (!withFirewall) '' + ${lib.optionalString (!withFirewall && !nftables) '' router.succeed("systemctl start nat.service") ''} client.succeed("curl --fail http://server/ >&2") diff --git a/nixos/tests/networking-proxy.nix b/nixos/tests/networking-proxy.nix index fcb2558cf3b08..330bac2588a5a 100644 --- a/nixos/tests/networking-proxy.nix +++ b/nixos/tests/networking-proxy.nix @@ -37,7 +37,7 @@ in import ./make-test-python.nix ({ pkgs, ...} : { default-config // { networking.proxy = { - # useless because overriden by the next options + # useless because overridden by the next options default = "http://user:pass@host:port"; # advanced proxy setup httpProxy = "123-http://user:pass@http-host:port"; diff --git a/nixos/tests/nextcloud/basic.nix b/nixos/tests/nextcloud/basic.nix index eb37470a4c7bb..a475049e7b264 100644 --- a/nixos/tests/nextcloud/basic.nix +++ b/nixos/tests/nextcloud/basic.nix @@ -37,6 +37,8 @@ in { "d /var/lib/nextcloud-data 0750 nextcloud nginx - -" ]; + system.stateVersion = "22.11"; # stateVersion >=21.11 to make sure that we use OpenSSL3 + services.nextcloud = { enable = true; datadir = "/var/lib/nextcloud-data"; @@ -99,6 +101,10 @@ in { # This is just to ensure the nextcloud-occ program is working nextcloud.succeed("nextcloud-occ status") nextcloud.succeed("curl -sSf http://nextcloud/login") + # Ensure that no OpenSSL 1.1 is used. + nextcloud.succeed( + "${nodes.nextcloud.services.phpfpm.pools.nextcloud.phpPackage}/bin/php -i | grep 'OpenSSL Library Version' | awk -F'=>' '{ print $2 }' | awk '{ print $2 }' | grep -v 1.1" + ) nextcloud.succeed( "${withRcloneEnv} ${copySharedFile}" ) @@ -108,5 +114,6 @@ in { "${withRcloneEnv} ${diffSharedFile}" ) assert "hi" in client.succeed("cat /mnt/dav/test-shared-file") + nextcloud.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud-data/data/root/files/test-shared-file") ''; })) args diff --git a/nixos/tests/nextcloud/default.nix b/nixos/tests/nextcloud/default.nix index 7dbdff9882387..b8d3ba75b51a9 100644 --- a/nixos/tests/nextcloud/default.nix +++ b/nixos/tests/nextcloud/default.nix @@ -8,6 +8,10 @@ with pkgs.lib; foldl (matrix: ver: matrix // { "basic${toString ver}" = import ./basic.nix { inherit system pkgs; nextcloudVersion = ver; }; + "openssl-sse${toString ver}" = import ./openssl-sse.nix { + inherit system pkgs; + nextcloudVersion = ver; + }; "with-postgresql-and-redis${toString ver}" = import ./with-postgresql-and-redis.nix { inherit system pkgs; nextcloudVersion = ver; diff --git a/nixos/tests/nextcloud/openssl-sse.nix b/nixos/tests/nextcloud/openssl-sse.nix new file mode 100644 index 0000000000000..7595ee2c67e31 --- /dev/null +++ b/nixos/tests/nextcloud/openssl-sse.nix @@ -0,0 +1,105 @@ +args@{ pkgs, nextcloudVersion ? 25, ... }: + +(import ../make-test-python.nix ({ pkgs, ...}: let + adminuser = "root"; + adminpass = "notproduction"; + nextcloudBase = { + networking.firewall.allowedTCPPorts = [ 80 ]; + system.stateVersion = "22.05"; # stateVersions <22.11 use openssl 1.1 by default + services.nextcloud = { + enable = true; + config.adminpassFile = "${pkgs.writeText "adminpass" adminpass}"; + package = pkgs.${"nextcloud" + (toString nextcloudVersion)}; + }; + }; +in { + name = "nextcloud-openssl"; + meta = with pkgs.lib.maintainers; { + maintainers = [ ma27 ]; + }; + nodes.nextcloudwithopenssl1 = { + imports = [ nextcloudBase ]; + services.nextcloud.hostName = "nextcloudwithopenssl1"; + }; + nodes.nextcloudwithopenssl3 = { + imports = [ nextcloudBase ]; + services.nextcloud = { + hostName = "nextcloudwithopenssl3"; + enableBrokenCiphersForSSE = false; + }; + }; + testScript = { nodes, ... }: let + withRcloneEnv = host: pkgs.writeScript "with-rclone-env" '' + #!${pkgs.runtimeShell} + export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav + export RCLONE_CONFIG_NEXTCLOUD_URL="http://${host}/remote.php/webdav/" + export RCLONE_CONFIG_NEXTCLOUD_VENDOR="nextcloud" + export RCLONE_CONFIG_NEXTCLOUD_USER="${adminuser}" + export RCLONE_CONFIG_NEXTCLOUD_PASS="$(${pkgs.rclone}/bin/rclone obscure ${adminpass})" + "''${@}" + ''; + withRcloneEnv1 = withRcloneEnv "nextcloudwithopenssl1"; + withRcloneEnv3 = withRcloneEnv "nextcloudwithopenssl3"; + copySharedFile1 = pkgs.writeScript "copy-shared-file" '' + #!${pkgs.runtimeShell} + echo 'hi' | ${withRcloneEnv1} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file + ''; + copySharedFile3 = pkgs.writeScript "copy-shared-file" '' + #!${pkgs.runtimeShell} + echo 'bye' | ${withRcloneEnv3} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file2 + ''; + openssl1-node = nodes.nextcloudwithopenssl1.config.system.build.toplevel; + openssl3-node = nodes.nextcloudwithopenssl3.config.system.build.toplevel; + in '' + nextcloudwithopenssl1.start() + nextcloudwithopenssl1.wait_for_unit("multi-user.target") + nextcloudwithopenssl1.succeed("nextcloud-occ status") + nextcloudwithopenssl1.succeed("curl -sSf http://nextcloudwithopenssl1/login") + + with subtest("With OpenSSL 1 SSE can be enabled and used"): + nextcloudwithopenssl1.succeed("nextcloud-occ app:enable encryption") + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable") + + with subtest("Upload file and ensure it's encrypted"): + nextcloudwithopenssl1.succeed("${copySharedFile1}") + nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") + + with subtest("Switch to OpenSSL 3"): + nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test") + nextcloudwithopenssl1.wait_for_open_port(80) + nextcloudwithopenssl1.succeed("nextcloud-occ status") + + with subtest("Existing encrypted files cannot be read, but new files can be added"): + nextcloudwithopenssl1.fail("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file >&2") + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:disable") + nextcloudwithopenssl1.succeed("${copySharedFile3}") + nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2") + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") + + with subtest("Switch back to OpenSSL 1.1 and ensure that encrypted files are readable again"): + nextcloudwithopenssl1.succeed("${openssl1-node}/bin/switch-to-configuration test") + nextcloudwithopenssl1.wait_for_open_port(80) + nextcloudwithopenssl1.succeed("nextcloud-occ status") + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable") + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") + nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") + nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2") + + with subtest("Ensure that everything can be decrypted"): + nextcloudwithopenssl1.succeed("echo y | nextcloud-occ encryption:decrypt-all >&2") + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") + nextcloudwithopenssl1.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") + + with subtest("Switch to OpenSSL 3 ensure that all files are usable now"): + nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test") + nextcloudwithopenssl1.wait_for_open_port(80) + nextcloudwithopenssl1.succeed("nextcloud-occ status") + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") + + nextcloudwithopenssl1.shutdown() + ''; +})) args diff --git a/nixos/tests/nginx-globalredirect.nix b/nixos/tests/nginx-globalredirect.nix new file mode 100644 index 0000000000000..5f5f4f344d825 --- /dev/null +++ b/nixos/tests/nginx-globalredirect.nix @@ -0,0 +1,24 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "nginx-globalredirect"; + + nodes = { + webserver = { pkgs, lib, ... }: { + services.nginx = { + enable = true; + virtualHosts.localhost = { + globalRedirect = "other.example.com"; + # Add an exception + locations."/noredirect".return = "200 'foo'"; + }; + }; + }; + }; + + testScript = '' + webserver.wait_for_unit("nginx") + webserver.wait_for_open_port(80) + + webserver.succeed("curl --fail -si http://localhost/alf | grep '^Location:.*/alf'") + webserver.fail("curl --fail -si http://localhost/noredirect | grep '^Location:'") + ''; +}) diff --git a/nixos/tests/nginx-modsecurity.nix b/nixos/tests/nginx-modsecurity.nix index 5ceee3787297d..3c41da3e8d9bc 100644 --- a/nixos/tests/nginx-modsecurity.nix +++ b/nixos/tests/nginx-modsecurity.nix @@ -4,7 +4,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { nodes.machine = { config, lib, pkgs, ... }: { services.nginx = { enable = true; - additionalModules = [ pkgs.nginxModules.modsecurity-nginx ]; + additionalModules = [ pkgs.nginxModules.modsecurity ]; virtualHosts.localhost = let modsecurity_conf = pkgs.writeText "modsecurity.conf" '' SecRuleEngine On diff --git a/nixos/tests/nginx.nix b/nixos/tests/nginx.nix index d9d073822a145..73f1133bd6ca9 100644 --- a/nixos/tests/nginx.nix +++ b/nixos/tests/nginx.nix @@ -61,7 +61,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { specialisation.reloadWithErrorsSystem.configuration = { services.nginx.package = pkgs.nginxMainline; - services.nginx.virtualHosts."!@$$(#*%".locations."~@#*$*!)".proxyPass = ";;;"; + services.nginx.virtualHosts."hello".extraConfig = "access_log /does/not/exist.log;"; }; }; }; diff --git a/nixos/tests/nix-ld.nix b/nixos/tests/nix-ld.nix index ae5297ab87eaa..8733f5b0c3978 100644 --- a/nixos/tests/nix-ld.nix +++ b/nixos/tests/nix-ld.nix @@ -12,9 +12,6 @@ import ./make-test-python.nix ({ lib, pkgs, ...} : }; testScript = '' start_all() - path = "${pkgs.stdenv.cc}/nix-support/dynamic-linker" - with open(path) as f: - real_ld = f.read().strip() - machine.succeed(f"NIX_LD={real_ld} hello") + machine.succeed("hello") ''; }) diff --git a/nixos/tests/ntfy-sh.nix b/nixos/tests/ntfy-sh.nix index c0c289b904b6e..9a36fcdf3922d 100644 --- a/nixos/tests/ntfy-sh.nix +++ b/nixos/tests/ntfy-sh.nix @@ -1,4 +1,5 @@ import ./make-test-python.nix { + name = "ntfy-sh"; nodes.machine = { ... }: { services.ntfy-sh.enable = true; diff --git a/nixos/tests/os-prober.nix b/nixos/tests/os-prober.nix index 1c89cf8c1c677..8f3e2494047c3 100644 --- a/nixos/tests/os-prober.nix +++ b/nixos/tests/os-prober.nix @@ -1,7 +1,7 @@ import ./make-test-python.nix ({pkgs, lib, ...}: let # A filesystem image with a (presumably) bootable debian - debianImage = pkgs.vmTools.diskImageFuns.debian9i386 { + debianImage = pkgs.vmTools.diskImageFuns.debian11i386 { # os-prober cannot detect systems installed on disks without a partition table # so we create the disk ourselves createRootFS = with pkgs; '' diff --git a/nixos/tests/paperless.nix b/nixos/tests/paperless.nix index b97834835c2c9..7f36de4c29b71 100644 --- a/nixos/tests/paperless.nix +++ b/nixos/tests/paperless.nix @@ -26,6 +26,10 @@ import ./make-test-python.nix ({ lib, ... }: { # Wait until server accepts connections machine.wait_until_succeeds("curl -fs localhost:28981") + # Required for consuming documents via the web interface + with subtest("Task-queue gets ready"): + machine.wait_for_unit("paperless-task-queue.service") + with subtest("Add a document via the web interface"): machine.succeed( "convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black " diff --git a/nixos/tests/parsedmarc/default.nix b/nixos/tests/parsedmarc/default.nix index 50b977723e9c7..837cf9d7e6dce 100644 --- a/nixos/tests/parsedmarc/default.nix +++ b/nixos/tests/parsedmarc/default.nix @@ -155,7 +155,6 @@ in ssl = true; user = "alice"; password = "${pkgs.writeText "imap-password" "foobar"}"; - watch = true; }; }; diff --git a/nixos/tests/patroni.nix b/nixos/tests/patroni.nix index f512fddcdbdd4..1f15cd59677ad 100644 --- a/nixos/tests/patroni.nix +++ b/nixos/tests/patroni.nix @@ -166,6 +166,8 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: start_all() + etcd.wait_for_unit("etcd.service") + with subtest("should bootstrap a new patroni cluster"): wait_for_all_nodes_ready() diff --git a/nixos/tests/pgadmin4-standalone.nix b/nixos/tests/pgadmin4-standalone.nix index 442570c5306be..5aa17fcb5bb9d 100644 --- a/nixos/tests/pgadmin4-standalone.nix +++ b/nixos/tests/pgadmin4-standalone.nix @@ -1,5 +1,5 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: - # This is seperate from pgadmin4 since we don't want both running at once + # This is separate from pgadmin4 since we don't want both running at once { name = "pgadmin4-standalone"; diff --git a/nixos/tests/pgadmin4.nix b/nixos/tests/pgadmin4.nix index bec2554a3f041..2a2b5aaa2841d 100644 --- a/nixos/tests/pgadmin4.nix +++ b/nixos/tests/pgadmin4.nix @@ -106,7 +106,7 @@ import ./make-test-python.nix ({ pkgs, lib, buildDeps ? [ ], pythonEnv ? [ ], .. && sed -i 's|driver_local.maximize_window()||' web/regression/runtests.py" ) - # Don't bother to test LDAP or kerberos authentification + # Don't bother to test LDAP or kerberos authentication with subtest("run browser test"): machine.succeed( 'cd ${pgadmin4SrcDir}/pgadmin4-${pkgs.pgadmin4.version}/web \ diff --git a/nixos/tests/phosh.nix b/nixos/tests/phosh.nix new file mode 100644 index 0000000000000..25bf4848542e6 --- /dev/null +++ b/nixos/tests/phosh.nix @@ -0,0 +1,70 @@ +import ./make-test-python.nix ({ pkgs, ...}: let + pin = "1234"; +in { + name = "phosh"; + meta = with pkgs.lib.maintainers; { + maintainers = [ zhaofengli ]; + }; + + nodes = { + phone = { config, pkgs, ... }: { + users.users.nixos = { + isNormalUser = true; + password = pin; + }; + + services.xserver.desktopManager.phosh = { + enable = true; + user = "nixos"; + group = "users"; + + phocConfig = { + outputs.Virtual-1 = { + scale = 2; + }; + }; + }; + + systemd.services.phosh = { + environment = { + # Accelerated graphics fail on phoc 0.20 (wlroots 0.15) + "WLR_RENDERER" = "pixman"; + }; + }; + + virtualisation.resolution = { x = 720; y = 1440; }; + virtualisation.qemu.options = [ "-vga none -device virtio-gpu-pci,xres=720,yres=1440" ]; + }; + }; + + enableOCR = true; + + testScript = '' + import time + + start_all() + phone.wait_for_unit("phosh.service") + + with subtest("Check that we can see the lock screen info page"): + # Saturday, January 1 + phone.succeed("timedatectl set-time '2022-01-01 07:00'") + + phone.wait_for_text("Saturday") + phone.screenshot("01lockinfo") + + with subtest("Check that we can unlock the screen"): + phone.send_chars("${pin}", delay=0.2) + time.sleep(1) + phone.screenshot("02unlock") + + phone.send_chars("\n") + + phone.wait_for_text("All Apps") + phone.screenshot("03launcher") + + with subtest("Check the on-screen keyboard shows"): + phone.send_chars("setting", delay=0.2) + phone.wait_for_text("123") # A button on the OSK + phone.screenshot("04osk") + ''; +}) diff --git a/nixos/tests/php/pcre.nix b/nixos/tests/php/pcre.nix index 57407477f4b8e..8e37d5dcf97be 100644 --- a/nixos/tests/php/pcre.nix +++ b/nixos/tests/php/pcre.nix @@ -1,7 +1,7 @@ let testString = "can-use-subgroups"; in -import ../make-test-python.nix ({ lib, php, ... }: { +import ../make-test-python.nix ({ pkgs, lib, php, ... }: { name = "php-${php.version}-httpd-pcre-jit-test"; meta.maintainers = lib.teams.php.members; @@ -31,12 +31,22 @@ import ../make-test-python.nix ({ lib, php, ... }: { ''; }; }; - testScript = { ... }: - '' + testScript = let + # PCRE JIT SEAlloc feature does not play well with fork() + # The feature needs to either be disabled or PHP configured correctly + # More information in https://bugs.php.net/bug.php?id=78927 and https://bugs.php.net/bug.php?id=78630 + pcreJitSeallocForkIssue = pkgs.writeText "pcre-jit-sealloc-issue.php" '' + <?php + preg_match('/nixos/', 'nixos'); + $pid = pcntl_fork(); + pcntl_wait($pid); + ''; + in '' machine.wait_for_unit("httpd.service") # Ensure php evaluation by matching on the var_dump syntax response = machine.succeed("curl -fvvv -s http://127.0.0.1:80/index.php") expected = 'string(${toString (builtins.stringLength testString)}) "${testString}"' assert expected in response, "Does not appear to be able to use subgroups." + machine.succeed("${php}/bin/php -f ${pcreJitSeallocForkIssue}") ''; }) diff --git a/nixos/tests/pinnwand.nix b/nixos/tests/pinnwand.nix index 0391c4133111b..42b26e08c189b 100644 --- a/nixos/tests/pinnwand.nix +++ b/nixos/tests/pinnwand.nix @@ -1,27 +1,7 @@ import ./make-test-python.nix ({ pkgs, ...}: let - pythonEnv = pkgs.python3.withPackages (py: with py; [ appdirs toml ]); - port = 8000; baseUrl = "http://server:${toString port}"; - - configureSteck = pkgs.writeScript "configure.py" '' - #!${pythonEnv.interpreter} - import appdirs - import toml - import os - - CONFIG = { - "base": "${baseUrl}/", - "confirm": False, - "magic": True, - "ignore": True - } - - os.makedirs(appdirs.user_config_dir('steck')) - with open(os.path.join(appdirs.user_config_dir('steck'), 'steck.toml'), "w") as fd: - toml.dump(CONFIG, fd) - ''; in { name = "pinnwand"; @@ -44,7 +24,32 @@ in client = { pkgs, ... }: { - environment.systemPackages = [ pkgs.steck ]; + environment.systemPackages = [ + pkgs.steck + + (pkgs.writers.writePython3Bin "setup-steck.py" { + libraries = with pkgs.python3.pkgs; [ appdirs toml ]; + flakeIgnore = [ + "E501" + ]; + } + '' + import appdirs + import toml + import os + + CONFIG = { + "base": "${baseUrl}/", + "confirm": False, + "magic": True, + "ignore": True + } + + os.makedirs(appdirs.user_config_dir('steck')) + with open(os.path.join(appdirs.user_config_dir('steck'), 'steck.toml'), "w") as fd: + toml.dump(CONFIG, fd) + '') + ]; }; }; @@ -55,7 +60,7 @@ in client.wait_for_unit("network.target") # create steck.toml config file - client.succeed("${configureSteck}") + client.succeed("setup-steck.py") # wait until the server running pinnwand is reachable client.wait_until_succeeds("ping -c1 server") @@ -75,12 +80,6 @@ in if line.startswith("Removal link:"): removal_link = line.split(":", 1)[1] - - # start the reaper, it shouldn't do anything meaningful here - server.systemctl("start pinnwand-reaper.service") - server.wait_until_fails("systemctl is-active -q pinnwand-reaper.service") - server.log(server.execute("journalctl -u pinnwand-reaper -e --no-pager")[1]) - # check whether paste matches what we sent client.succeed(f"curl {raw_url} > /tmp/machine-id") client.succeed("diff /tmp/machine-id /etc/machine-id") @@ -89,6 +88,6 @@ in client.succeed(f"curl {removal_link}") client.fail(f"curl --fail {raw_url}") - server.log(server.succeed("systemd-analyze security pinnwand")) + server.log(server.execute("systemd-analyze security pinnwand | grep '✗'")[1]) ''; }) diff --git a/nixos/tests/postgresql.nix b/nixos/tests/postgresql.nix index 7864f5d6ff32c..7e0a82c388288 100644 --- a/nixos/tests/postgresql.nix +++ b/nixos/tests/postgresql.nix @@ -130,8 +130,97 @@ let ''; }; + + mk-ensure-clauses-test = postgresql-name: postgresql-package: makeTest { + name = postgresql-name; + meta = with pkgs.lib.maintainers; { + maintainers = [ zagy ]; + }; + + machine = {...}: + { + services.postgresql = { + enable = true; + package = postgresql-package; + ensureUsers = [ + { + name = "all-clauses"; + ensureClauses = { + superuser = true; + createdb = true; + createrole = true; + "inherit" = true; + login = true; + replication = true; + bypassrls = true; + }; + } + { + name = "default-clauses"; + } + ]; + }; + }; + + testScript = let + getClausesQuery = user: pkgs.lib.concatStringsSep " " + [ + "SELECT row_to_json(row)" + "FROM (" + "SELECT" + "rolsuper," + "rolinherit," + "rolcreaterole," + "rolcreatedb," + "rolcanlogin," + "rolreplication," + "rolbypassrls" + "FROM pg_roles" + "WHERE rolname = '${user}'" + ") row;" + ]; + in '' + import json + machine.start() + machine.wait_for_unit("postgresql") + + with subtest("All user permissions are set according to the ensureClauses attr"): + clauses = json.loads( + machine.succeed( + "sudo -u postgres psql -tc \"${getClausesQuery "all-clauses"}\"" + ) + ) + print(clauses) + assert clauses['rolsuper'], 'expected user with clauses to have superuser clause' + assert clauses['rolinherit'], 'expected user with clauses to have inherit clause' + assert clauses['rolcreaterole'], 'expected user with clauses to have create role clause' + assert clauses['rolcreatedb'], 'expected user with clauses to have create db clause' + assert clauses['rolcanlogin'], 'expected user with clauses to have login clause' + assert clauses['rolreplication'], 'expected user with clauses to have replication clause' + assert clauses['rolbypassrls'], 'expected user with clauses to have bypassrls clause' + + with subtest("All user permissions default when ensureClauses is not provided"): + clauses = json.loads( + machine.succeed( + "sudo -u postgres psql -tc \"${getClausesQuery "default-clauses"}\"" + ) + ) + assert not clauses['rolsuper'], 'expected user with no clauses set to have default superuser clause' + assert clauses['rolinherit'], 'expected user with no clauses set to have default inherit clause' + assert not clauses['rolcreaterole'], 'expected user with no clauses set to have default create role clause' + assert not clauses['rolcreatedb'], 'expected user with no clauses set to have default create db clause' + assert clauses['rolcanlogin'], 'expected user with no clauses set to have default login clause' + assert not clauses['rolreplication'], 'expected user with no clauses set to have default replication clause' + assert not clauses['rolbypassrls'], 'expected user with no clauses set to have default bypassrls clause' + + machine.shutdown() + ''; + }; in - (mapAttrs' (name: package: { inherit name; value=make-postgresql-test name package false;}) postgresql-versions) // { + concatMapAttrs (name: package: { + ${name} = make-postgresql-test name package false; + ${name + "-clauses"} = mk-ensure-clauses-test name package; + }) postgresql-versions + // { postgresql_11-backup-all = make-postgresql-test "postgresql_11-backup-all" postgresql-versions.postgresql_11 true; } - diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index d91fc52f1cb45..5f50a3f87d5d2 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -6,7 +6,7 @@ let inherit (import ../lib/testing-python.nix { inherit system pkgs; }) makeTest; inherit (pkgs.lib) concatStringsSep maintainers mapAttrs mkMerge - removeSuffix replaceChars singleton splitString; + removeSuffix replaceStrings singleton splitString; /* * The attrset `exporterTests` contains one attribute @@ -182,7 +182,7 @@ let enable = true; extraFlags = [ "--web.collectd-push-path /collectd" ]; }; - exporterTest = let postData = replaceChars [ "\n" ] [ "" ] '' + exporterTest = let postData = replaceStrings [ "\n" ] [ "" ] '' [{ "values":[23], "dstypes":["gauge"], @@ -1086,13 +1086,8 @@ let ]; }; exporterTest = '' - wait_for_unit("prometheus-smartctl-exporter.service") - wait_for_open_port(9633) wait_until_succeeds( - "curl -sSf 'localhost:9633/metrics'" - ) - wait_until_succeeds( - 'journalctl -eu prometheus-smartctl-exporter.service -o cat | grep "/dev/vda: Unable to detect device type"' + 'journalctl -eu prometheus-smartctl-exporter.service -o cat | grep "Device unavailable"' ) ''; }; @@ -1177,6 +1172,25 @@ let ''; }; + statsd = { + exporterConfig = { + enable = true; + }; + exporterTest = '' + wait_for_unit("prometheus-statsd-exporter.service") + wait_for_open_port(9102) + succeed("curl http://localhost:9102/metrics | grep 'statsd_exporter_build_info{'") + succeed( + "echo 'test.udp:1|c' > /dev/udp/localhost/9125", + "curl http://localhost:9102/metrics | grep 'test_udp 1'", + ) + succeed( + "echo 'test.tcp:1|c' > /dev/tcp/localhost/9125", + "curl http://localhost:9102/metrics | grep 'test_tcp 1'", + ) + ''; + }; + surfboard = { exporterConfig = { enable = true; @@ -1244,15 +1258,13 @@ let ''; }; - unifi-poller = { - nodeName = "unifi_poller"; + unpoller = { + nodeName = "unpoller"; exporterConfig.enable = true; exporterConfig.controllers = [{ }]; exporterTest = '' - wait_for_unit("prometheus-unifi-poller-exporter.service") - wait_for_open_port(9130) - succeed( - "curl -sSf localhost:9130/metrics | grep 'unifipoller_build_info{.\\+} 1'" + wait_until_succeeds( + 'journalctl -eu prometheus-unpoller-exporter.service -o cat | grep "Connection Error"' ) ''; }; diff --git a/nixos/tests/restic.nix b/nixos/tests/restic.nix index 16dd5f8c5c8a3..3681c4cf190e3 100644 --- a/nixos/tests/restic.nix +++ b/nixos/tests/restic.nix @@ -2,9 +2,8 @@ import ./make-test-python.nix ( { pkgs, ... }: let - password = "some_password"; - repository = "/tmp/restic-backup"; - repositoryFile = "${pkgs.writeText "repositoryFile" "/tmp/restic-backup-from-file"}"; + remoteRepository = "/tmp/restic-backup"; + remoteFromFileRepository = "/tmp/restic-backup-from-file"; rcloneRepository = "rclone:local:/tmp/restic-rclone-backup"; backupPrepareCommand = '' @@ -18,7 +17,6 @@ import ./make-test-python.nix ( ''; passwordFile = "${pkgs.writeText "password" "correcthorsebatterystaple"}"; - initialize = true; paths = [ "/opt" ]; pruneOpts = [ "--keep-daily 2" @@ -40,12 +38,18 @@ import ./make-test-python.nix ( { services.restic.backups = { remotebackup = { - inherit repository passwordFile initialize paths pruneOpts backupPrepareCommand backupCleanupCommand; + inherit passwordFile paths pruneOpts backupPrepareCommand backupCleanupCommand; + repository = remoteRepository; + initialize = true; }; - remotebackup-from-file = { - inherit repositoryFile passwordFile initialize paths pruneOpts; + remote-from-file-backup = { + inherit passwordFile paths pruneOpts; + initialize = true; + repositoryFile = pkgs.writeText "repositoryFile" remoteFromFileRepository; }; rclonebackup = { + inherit passwordFile paths pruneOpts; + initialize = true; repository = rcloneRepository; rcloneConfig = { type = "local"; @@ -57,14 +61,15 @@ import ./make-test-python.nix ( [local] type=ftp ''; - inherit passwordFile initialize paths pruneOpts; }; remoteprune = { - inherit repository passwordFile; + inherit passwordFile; + repository = remoteRepository; pruneOpts = [ "--keep-last 1" ]; }; custompackage = { - inherit repository passwordFile paths; + inherit passwordFile paths; + repository = "some-fake-repository"; package = pkgs.writeShellScriptBin "restic" '' echo "$@" >> /tmp/fake-restic.log; ''; @@ -82,50 +87,69 @@ import ./make-test-python.nix ( server.start() server.wait_for_unit("dbus.socket") server.fail( - "${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots", - '${pkgs.restic}/bin/restic --repository-file ${repositoryFile} -p ${passwordFile} snapshots"', + "${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots", + '${pkgs.restic}/bin/restic -r ${remoteFromFileRepository} -p ${passwordFile} snapshots"', "${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots", "grep 'backup .* /opt' /tmp/fake-restic.log", ) server.succeed( + # set up "mkdir -p /opt", "touch /opt/some_file", "mkdir -p /tmp/restic-rclone-backup", + + # test that remotebackup runs custom commands and produces a snapshot "timedatectl set-time '2016-12-13 13:45'", "systemctl start restic-backups-remotebackup.service", "rm /opt/backupCleanupCommand", - "systemctl start restic-backups-remotebackup-from-file.service", + '${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"', + + # test that remote-from-file-backup produces a snapshot + "systemctl start restic-backups-remote-from-file-backup.service", + '${pkgs.restic}/bin/restic -r ${remoteFromFileRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"', + + # test that rclonebackup produces a snapshot "systemctl start restic-backups-rclonebackup.service", - '${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"', - '${pkgs.restic}/bin/restic --repository-file ${repositoryFile} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"', - '${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"', + '${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"', + + # test that custompackage runs both `restic backup` and `restic check` with reasonable commandlines "systemctl start restic-backups-custompackage.service", "grep 'backup .* /opt' /tmp/fake-restic.log", "grep 'check .* --some-check-option' /tmp/fake-restic.log", + + # test that we can create four snapshots in remotebackup and rclonebackup "timedatectl set-time '2017-12-13 13:45'", "systemctl start restic-backups-remotebackup.service", "rm /opt/backupCleanupCommand", "systemctl start restic-backups-rclonebackup.service", + "timedatectl set-time '2018-12-13 13:45'", "systemctl start restic-backups-remotebackup.service", "rm /opt/backupCleanupCommand", "systemctl start restic-backups-rclonebackup.service", + "timedatectl set-time '2018-12-14 13:45'", "systemctl start restic-backups-remotebackup.service", "rm /opt/backupCleanupCommand", "systemctl start restic-backups-rclonebackup.service", + "timedatectl set-time '2018-12-15 13:45'", "systemctl start restic-backups-remotebackup.service", "rm /opt/backupCleanupCommand", "systemctl start restic-backups-rclonebackup.service", + "timedatectl set-time '2018-12-16 13:45'", "systemctl start restic-backups-remotebackup.service", "rm /opt/backupCleanupCommand", "systemctl start restic-backups-rclonebackup.service", - '${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots -c | grep -e "^4 snapshot"', - '${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots -c | grep -e "^4 snapshot"', + + '${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 4"', + '${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 4"', + + # test that remoteprune brings us back to 1 snapshot in remotebackup "systemctl start restic-backups-remoteprune.service", - '${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"', + '${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"', + ) ''; } diff --git a/nixos/tests/schleuder.nix b/nixos/tests/schleuder.nix index a9e4cc325bc76..e57ef66bb8f9d 100644 --- a/nixos/tests/schleuder.nix +++ b/nixos/tests/schleuder.nix @@ -82,9 +82,7 @@ import ./make-test-python.nix { # Since we don't have internet here, use dnsmasq to provide MX records from /etc/hosts services.dnsmasq = { enable = true; - extraConfig = '' - selfmx - ''; + settings.selfmx = true; }; networking.extraHosts = '' diff --git a/nixos/tests/sourcehut.nix b/nixos/tests/sourcehut.nix index d52fbddd20f39..9caa1bcd98f50 100644 --- a/nixos/tests/sourcehut.nix +++ b/nixos/tests/sourcehut.nix @@ -35,7 +35,7 @@ let }; security.sudo.wheelNeedsPassword = false; - nix.trustedUsers = [ "root" "build" ]; + nix.settings.trusted-users = [ "root" "build" ]; documentation.nixos.enable = false; # builds.sr.ht-image-specific network settings diff --git a/nixos/tests/sqlite3-to-mysql.nix b/nixos/tests/sqlite3-to-mysql.nix new file mode 100644 index 0000000000000..029058187df37 --- /dev/null +++ b/nixos/tests/sqlite3-to-mysql.nix @@ -0,0 +1,65 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: + +/* + This test suite replaces the typical pytestCheckHook function in + sqlite3-to-mysql due to the need of a running mysql instance. +*/ + +{ + name = "sqlite3-to-mysql"; + meta.maintainers = with lib.maintainers; [ gador ]; + + nodes.machine = { pkgs, ... }: { + environment.systemPackages = with pkgs; [ + sqlite3-to-mysql + # create one coherent python environment + (python3.withPackages + (ps: sqlite3-to-mysql.propagatedBuildInputs ++ + [ + python3Packages.pytest + python3Packages.pytest-mock + python3Packages.pytest-timeout + python3Packages.factory_boy + python3Packages.docker # only needed so import does not fail + sqlite3-to-mysql + ]) + ) + ]; + services.mysql = { + package = pkgs.mariadb; + enable = true; + # from https://github.com/techouse/sqlite3-to-mysql/blob/master/tests/conftest.py + # and https://github.com/techouse/sqlite3-to-mysql/blob/master/.github/workflows/test.yml + initialScript = pkgs.writeText "mysql-init.sql" '' + create database test_db DEFAULT CHARACTER SET utf8mb4; + create user tester identified by 'testpass'; + grant all on test_db.* to tester; + create user tester@localhost identified by 'testpass'; + grant all on test_db.* to tester@localhost; + ''; + settings = { + mysqld = { + character-set-server = "utf8mb4"; + collation-server = "utf8mb4_unicode_ci"; + log_warnings = 1; + }; + }; + }; + }; + + testScript = '' + machine.wait_for_unit("mysql") + + machine.succeed( + "sqlite3mysql --version | grep ${pkgs.sqlite3-to-mysql.version}" + ) + + # invalid_database_name: assert '1045 (28000): Access denied' in "1044 (42000): Access denied [...] + # invalid_database_user: does not return non-zero exit for some reason + # test_version: has problems importing sqlite3_to_mysql and determining the version + machine.succeed( + "cd ${pkgs.sqlite3-to-mysql.src} \ + && pytest -v --no-docker -k \"not test_invalid_database_name and not test_invalid_database_user and not test_version\"" + ) + ''; +}) diff --git a/nixos/tests/stratis/encryption.nix b/nixos/tests/stratis/encryption.nix index 3faa3171843f7..a555ff8a8e854 100644 --- a/nixos/tests/stratis/encryption.nix +++ b/nixos/tests/stratis/encryption.nix @@ -26,8 +26,7 @@ import ../make-test-python.nix ({ pkgs, ... }: # test rebinding encrypted pool machine.succeed("stratis pool rebind keyring testpool testkey2") # test restarting encrypted pool - uuid = machine.succeed("stratis pool list | grep -oE '[0-9a-fA-F-]{36}'").rstrip('\n') - machine.succeed(" stratis pool stop testpool") - machine.succeed(f"stratis pool start {uuid} --unlock-method keyring") + machine.succeed("stratis pool stop testpool") + machine.succeed("stratis pool start --name testpool --unlock-method keyring") ''; }) diff --git a/nixos/tests/systemd-initrd-luks-password.nix b/nixos/tests/systemd-initrd-luks-password.nix index e8e651f7b35f8..55d0b4324b400 100644 --- a/nixos/tests/systemd-initrd-luks-password.nix +++ b/nixos/tests/systemd-initrd-luks-password.nix @@ -23,6 +23,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { cryptroot2.device = "/dev/vdd"; }; virtualisation.bootDevice = "/dev/mapper/cryptroot"; + # test mounting device unlocked in initrd after switching root + virtualisation.fileSystems."/cryptroot2".device = "/dev/mapper/cryptroot2"; }; }; @@ -31,6 +33,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { machine.wait_for_unit("multi-user.target") machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -") machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdd -") + machine.succeed("echo -n supersecret | cryptsetup luksOpen -q /dev/vdd cryptroot2") + machine.succeed("mkfs.ext4 /dev/mapper/cryptroot2") # Boot from the encrypted disk machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf") @@ -44,5 +48,6 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { machine.wait_for_unit("multi-user.target") assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount") + assert "/dev/mapper/cryptroot2 on /cryptroot2 type ext4" in machine.succeed("mount") ''; }) diff --git a/nixos/tests/tayga.nix b/nixos/tests/tayga.nix new file mode 100644 index 0000000000000..44974f6efea83 --- /dev/null +++ b/nixos/tests/tayga.nix @@ -0,0 +1,235 @@ +# This test verifies that we can ping an IPv4-only server from an IPv6-only +# client via a NAT64 router. The hosts and networks are configured as follows: +# +# +------ +# Client | eth1 Address: 2001:db8::2/64 +# | | Route: 64:ff9b::/96 via 2001:db8::1 +# +--|--- +# | VLAN 3 +# +--|--- +# | eth2 Address: 2001:db8::1/64 +# Router | +# | nat64 Address: 64:ff9b::1/128 +# | Route: 64:ff9b::/96 +# | Address: 192.0.2.0/32 +# | Route: 192.0.2.0/24 +# | +# | eth1 Address: 100.64.0.1/24 +# +--|--- +# | VLAN 2 +# +--|--- +# Server | eth1 Address: 100.64.0.2/24 +# | Route: 192.0.2.0/24 via 100.64.0.1 +# +------ + +import ./make-test-python.nix ({ pkgs, lib, ... }: + +{ + name = "tayga"; + meta = with pkgs.lib.maintainers; { + maintainers = [ hax404 ]; + }; + + nodes = { + # The server is configured with static IPv4 addresses. RFC 6052 Section 3.1 + # disallows the mapping of non-global IPv4 addresses like RFC 1918 into the + # Well-Known Prefix 64:ff9b::/96. TAYGA also does not allow the mapping of + # documentation space (RFC 5737). To circumvent this, 100.64.0.2/24 from + # RFC 6589 (Carrier Grade NAT) is used here. + # To reach the IPv4 address pool of the NAT64 gateway, there is a static + # route configured. In normal cases, where the router would also source NAT + # the pool addresses to one IPv4 addresses, this would not be needed. + server = { + virtualisation.vlans = [ + 2 # towards router + ]; + networking = { + useDHCP = false; + interfaces.eth1 = lib.mkForce {}; + }; + systemd.network = { + enable = true; + networks."vlan1" = { + matchConfig.Name = "eth1"; + address = [ + "100.64.0.2/24" + ]; + routes = [ + { routeConfig = { Destination = "192.0.2.0/24"; Gateway = "100.64.0.1"; }; } + ]; + }; + }; + }; + + # The router is configured with static IPv4 addresses towards the server + # and IPv6 addresses towards the client. For NAT64, the Well-Known prefix + # 64:ff9b::/96 is used. NAT64 is done with TAYGA which provides the + # tun-interface nat64 and does the translation over it. The IPv6 packets + # are sent to this interfaces and received as IPv4 packets and vice versa. + # As TAYGA only translates IPv6 addresses to dedicated IPv4 addresses, it + # needs a pool of IPv4 addresses which must be at least as big as the + # expected amount of clients. In this test, the packets from the pool are + # directly routed towards the client. In normal cases, there would be a + # second source NAT44 to map all clients behind one IPv4 address. + router_systemd = { + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + "net.ipv6.conf.all.forwarding" = 1; + }; + + virtualisation.vlans = [ + 2 # towards server + 3 # towards client + ]; + + networking = { + useDHCP = false; + useNetworkd = true; + firewall.enable = false; + interfaces.eth1 = lib.mkForce { + ipv4 = { + addresses = [ { address = "100.64.0.1"; prefixLength = 24; } ]; + }; + }; + interfaces.eth2 = lib.mkForce { + ipv6 = { + addresses = [ { address = "2001:db8::1"; prefixLength = 64; } ]; + }; + }; + }; + + services.tayga = { + enable = true; + ipv4 = { + address = "192.0.2.0"; + router = { + address = "192.0.2.1"; + }; + pool = { + address = "192.0.2.0"; + prefixLength = 24; + }; + }; + ipv6 = { + address = "2001:db8::1"; + router = { + address = "64:ff9b::1"; + }; + pool = { + address = "64:ff9b::"; + prefixLength = 96; + }; + }; + }; + }; + + router_nixos = { + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + "net.ipv6.conf.all.forwarding" = 1; + }; + + virtualisation.vlans = [ + 2 # towards server + 3 # towards client + ]; + + networking = { + useDHCP = false; + firewall.enable = false; + interfaces.eth1 = lib.mkForce { + ipv4 = { + addresses = [ { address = "100.64.0.1"; prefixLength = 24; } ]; + }; + }; + interfaces.eth2 = lib.mkForce { + ipv6 = { + addresses = [ { address = "2001:db8::1"; prefixLength = 64; } ]; + }; + }; + }; + + services.tayga = { + enable = true; + ipv4 = { + address = "192.0.2.0"; + router = { + address = "192.0.2.1"; + }; + pool = { + address = "192.0.2.0"; + prefixLength = 24; + }; + }; + ipv6 = { + address = "2001:db8::1"; + router = { + address = "64:ff9b::1"; + }; + pool = { + address = "64:ff9b::"; + prefixLength = 96; + }; + }; + }; + }; + + # The client is configured with static IPv6 addresses. It has also a static + # route for the NAT64 IP space where the IPv4 addresses are mapped in. In + # normal cases, there would be only a default route. + client = { + virtualisation.vlans = [ + 3 # towards router + ]; + + networking = { + useDHCP = false; + interfaces.eth1 = lib.mkForce {}; + }; + + systemd.network = { + enable = true; + networks."vlan1" = { + matchConfig.Name = "eth1"; + address = [ + "2001:db8::2/64" + ]; + routes = [ + { routeConfig = { Destination = "64:ff9b::/96"; Gateway = "2001:db8::1"; }; } + ]; + }; + }; + environment.systemPackages = [ pkgs.mtr ]; + }; + }; + + testScript = '' + # start client and server + for machine in client, server: + machine.wait_for_unit("network-online.target") + machine.log(machine.execute("ip addr")[1]) + machine.log(machine.execute("ip route")[1]) + machine.log(machine.execute("ip -6 route")[1]) + + # test systemd-networkd and nixos-scripts based router + for router in router_systemd, router_nixos: + router.start() + router.wait_for_unit("network-online.target") + router.wait_for_unit("tayga.service") + router.log(machine.execute("ip addr")[1]) + router.log(machine.execute("ip route")[1]) + router.log(machine.execute("ip -6 route")[1]) + + with subtest("Wait for tayga"): + router.wait_for_unit("tayga.service") + + with subtest("Test ICMP"): + client.wait_until_succeeds("ping -c 3 64:ff9b::100.64.0.2 >&2") + + with subtest("Test ICMP and show a traceroute"): + client.wait_until_succeeds("mtr --show-ips --report-wide 64:ff9b::100.64.0.2 >&2") + + router.log(router.execute("systemd-analyze security tayga.service")[1]) + router.shutdown() + ''; +}) diff --git a/nixos/tests/trafficserver.nix b/nixos/tests/trafficserver.nix index 983ded4f172e2..e4557c6c50e54 100644 --- a/nixos/tests/trafficserver.nix +++ b/nixos/tests/trafficserver.nix @@ -172,6 +172,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { assert re.fullmatch(expected, out) is not None, "no matching logs" out = json.loads(ats.succeed(f"traffic_logstats -jf {access_log_path}")) + assert isinstance(out, dict) assert out["total"]["error.total"]["req"] == "0", "unexpected log stat" ''; }) diff --git a/nixos/tests/ulogd.nix b/nixos/tests/ulogd.nix new file mode 100644 index 0000000000000..ce52d855ffc28 --- /dev/null +++ b/nixos/tests/ulogd.nix @@ -0,0 +1,84 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "ulogd"; + + meta = with lib; { + maintainers = with maintainers; [ p-h ]; + }; + + nodes.machine = { ... }: { + networking.firewall.enable = false; + networking.nftables.enable = true; + networking.nftables.ruleset = '' + table inet filter { + chain input { + type filter hook input priority 0; + log group 2 accept + } + + chain output { + type filter hook output priority 0; policy accept; + log group 2 accept + } + + chain forward { + type filter hook forward priority 0; policy drop; + log group 2 accept + } + + } + ''; + services.ulogd = { + enable = true; + settings = { + global = { + logfile = "/var/log/ulogd.log"; + stack = "log1:NFLOG,base1:BASE,pcap1:PCAP"; + }; + + log1.group = 2; + + pcap1 = { + file = "/var/log/ulogd.pcap"; + sync = 1; + }; + }; + }; + + environment.systemPackages = with pkgs; [ + tcpdump + ]; + }; + + testScript = '' + start_all() + machine.wait_for_unit("ulogd.service") + machine.wait_for_unit("network-online.target") + + with subtest("Ulogd is running"): + machine.succeed("pgrep ulogd >&2") + + # All packets show up twice in the logs + with subtest("Logs are collected"): + machine.succeed("ping -f 127.0.0.1 -c 5 >&2") + machine.succeed("sleep 2") + machine.wait_until_succeeds("du /var/log/ulogd.pcap >&2") + _, echo_request_packets = machine.execute("tcpdump -r /var/log/ulogd.pcap icmp[0] == 8 and host 127.0.0.1") + expected, actual = 5*2, len(echo_request_packets.splitlines()) + assert expected == actual, f"Expected {expected} packets, got: {actual}" + _, echo_reply_packets = machine.execute("tcpdump -r /var/log/ulogd.pcap icmp[0] == 0 and host 127.0.0.1") + expected, actual = 5*2, len(echo_reply_packets.splitlines()) + assert expected == actual, f"Expected {expected} packets, got: {actual}" + + with subtest("Reloading service reopens log file"): + machine.succeed("mv /var/log/ulogd.pcap /var/log/old_ulogd.pcap") + machine.succeed("systemctl reload ulogd.service") + machine.succeed("ping -f 127.0.0.1 -c 5 >&2") + machine.succeed("sleep 2") + _, echo_request_packets = machine.execute("tcpdump -r /var/log/ulogd.pcap icmp[0] == 8 and host 127.0.0.1") + expected, actual = 5*2, len(echo_request_packets.splitlines()) + assert expected == actual, f"Expected {expected} packets, got: {actual}" + _, echo_reply_packets = machine.execute("tcpdump -r /var/log/ulogd.pcap icmp[0] == 0 and host 127.0.0.1") + expected, actual = 5*2, len(echo_reply_packets.splitlines()) + assert expected == actual, f"Expected {expected} packets, got: {actual}" + ''; +}) diff --git a/nixos/tests/vaultwarden.nix b/nixos/tests/vaultwarden.nix index 408019666da3a..c0e1d0585b931 100644 --- a/nixos/tests/vaultwarden.nix +++ b/nixos/tests/vaultwarden.nix @@ -87,6 +87,9 @@ let testRunner = pkgs.writers.writePython3Bin "test-runner" { libraries = [ pkgs.python3Packages.selenium ]; + flakeIgnore = [ + "E501" + ]; } '' from selenium.webdriver.common.by import By @@ -106,25 +109,25 @@ let wait.until(EC.title_contains("Create Account")) - driver.find_element(By.CSS_SELECTOR, 'input#email').send_keys( - '${userEmail}' + driver.find_element(By.CSS_SELECTOR, 'input#register-form_input_email').send_keys( + '${userEmail}' ) - driver.find_element(By.CSS_SELECTOR, 'input#name').send_keys( - 'A Cat' + driver.find_element(By.CSS_SELECTOR, 'input#register-form_input_name').send_keys( + 'A Cat' ) - driver.find_element(By.CSS_SELECTOR, 'input#masterPassword').send_keys( - '${userPassword}' + driver.find_element(By.CSS_SELECTOR, 'input#register-form_input_master-password').send_keys( + '${userPassword}' ) - driver.find_element(By.CSS_SELECTOR, 'input#masterPasswordRetype').send_keys( - '${userPassword}' + driver.find_element(By.CSS_SELECTOR, 'input#register-form_input_confirm-master-password').send_keys( + '${userPassword}' ) - driver.find_element(By.XPATH, "//button[contains(., 'Submit')]").click() + driver.find_element(By.XPATH, "//button[contains(., 'Create Account')]").click() wait.until_not(EC.title_contains("Create Account")) - driver.find_element(By.CSS_SELECTOR, 'input#masterPassword').send_keys( - '${userPassword}' + driver.find_element(By.CSS_SELECTOR, 'input#login_input_master-password').send_keys( + '${userPassword}' ) driver.find_element(By.XPATH, "//button[contains(., 'Log In')]").click() @@ -133,10 +136,10 @@ let driver.find_element(By.XPATH, "//button[contains(., 'Add Item')]").click() driver.find_element(By.CSS_SELECTOR, 'input#name').send_keys( - 'secrets' + 'secrets' ) driver.find_element(By.CSS_SELECTOR, 'input#loginPassword').send_keys( - '${storedPassword}' + '${storedPassword}' ) driver.find_element(By.XPATH, "//button[contains(., 'Save')]").click() @@ -161,7 +164,7 @@ let with subtest("configure the cli"): client.succeed("bw --nointeraction config server http://server") - with subtest("can't login to nonexistant account"): + with subtest("can't login to nonexistent account"): client.fail( "bw --nointeraction --raw login ${userEmail} ${userPassword}" ) diff --git a/nixos/tests/vector.nix b/nixos/tests/vector.nix index ecf94e33ff17e..9309f6a14dd78 100644 --- a/nixos/tests/vector.nix +++ b/nixos/tests/vector.nix @@ -21,7 +21,7 @@ with pkgs.lib; type = "file"; inputs = [ "journald" ]; path = "/var/lib/vector/logs.log"; - encoding = { codec = "ndjson"; }; + encoding = { codec = "json"; }; }; }; }; diff --git a/nixos/tests/virtualbox.nix b/nixos/tests/virtualbox.nix index 1c1b0dac7f37c..0be22bdcaea6f 100644 --- a/nixos/tests/virtualbox.nix +++ b/nixos/tests/virtualbox.nix @@ -28,8 +28,8 @@ let messagebus:x:1: EOF - "${pkgs.dbus.daemon}/bin/dbus-daemon" --fork \ - --config-file="${pkgs.dbus.daemon}/share/dbus-1/system.conf" + "${pkgs.dbus}/bin/dbus-daemon" --fork \ + --config-file="${pkgs.dbus}/share/dbus-1/system.conf" ${guestAdditions}/bin/VBoxService ${(attrs.vmScript or (const "")) pkgs} diff --git a/nixos/tests/vscodium.nix b/nixos/tests/vscodium.nix index ee884cc4295dd..37bb649889b45 100644 --- a/nixos/tests/vscodium.nix +++ b/nixos/tests/vscodium.nix @@ -49,8 +49,8 @@ let start_all() machine.wait_for_unit('graphical.target') - machine.wait_until_succeeds('pgrep -x codium') + codium_running.wait() with codium_running: # Wait until vscodium is visible. "File" is in the menu bar. machine.wait_for_text('Get Started') diff --git a/nixos/tests/warzone2100.nix b/nixos/tests/warzone2100.nix new file mode 100644 index 0000000000000..568e04a46999d --- /dev/null +++ b/nixos/tests/warzone2100.nix @@ -0,0 +1,26 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "warzone2100"; + meta = with pkgs.lib.maintainers; { + maintainers = [ fgaz ]; + }; + + nodes.machine = { config, pkgs, ... }: { + imports = [ + ./common/x11.nix + ]; + + services.xserver.enable = true; + environment.systemPackages = [ pkgs.warzone2100 ]; + }; + + enableOCR = true; + + testScript = + '' + machine.wait_for_x() + machine.execute("warzone2100 >&2 &") + machine.wait_for_window("Warzone 2100") + machine.wait_for_text(r"(Single Player|Multi Player|Tutorial|Options|Quit Game)") + machine.screenshot("screen") + ''; +}) diff --git a/nixos/tests/web-apps/mastodon.nix b/nixos/tests/web-apps/mastodon.nix deleted file mode 100644 index 05cc727476d67..0000000000000 --- a/nixos/tests/web-apps/mastodon.nix +++ /dev/null @@ -1,173 +0,0 @@ -import ../make-test-python.nix ({pkgs, ...}: -let - test-certificates = pkgs.runCommandLocal "test-certificates" { } '' - mkdir -p $out - echo insecure-root-password > $out/root-password-file - echo insecure-intermediate-password > $out/intermediate-password-file - ${pkgs.step-cli}/bin/step certificate create "Example Root CA" $out/root_ca.crt $out/root_ca.key --password-file=$out/root-password-file --profile root-ca - ${pkgs.step-cli}/bin/step certificate create "Example Intermediate CA 1" $out/intermediate_ca.crt $out/intermediate_ca.key --password-file=$out/intermediate-password-file --ca-password-file=$out/root-password-file --profile intermediate-ca --ca $out/root_ca.crt --ca-key $out/root_ca.key - ''; - - hosts = '' - 192.168.2.10 ca.local - 192.168.2.11 mastodon.local - ''; - -in -{ - name = "mastodon"; - meta.maintainers = with pkgs.lib.maintainers; [ erictapen izorkin ]; - - nodes = { - ca = { pkgs, ... }: { - networking = { - interfaces.eth1 = { - ipv4.addresses = [ - { address = "192.168.2.10"; prefixLength = 24; } - ]; - }; - extraHosts = hosts; - }; - services.step-ca = { - enable = true; - address = "0.0.0.0"; - port = 8443; - openFirewall = true; - intermediatePasswordFile = "${test-certificates}/intermediate-password-file"; - settings = { - dnsNames = [ "ca.local" ]; - root = "${test-certificates}/root_ca.crt"; - crt = "${test-certificates}/intermediate_ca.crt"; - key = "${test-certificates}/intermediate_ca.key"; - db = { - type = "badger"; - dataSource = "/var/lib/step-ca/db"; - }; - authority = { - provisioners = [ - { - type = "ACME"; - name = "acme"; - } - ]; - }; - }; - }; - }; - - server = { pkgs, ... }: { - networking = { - interfaces.eth1 = { - ipv4.addresses = [ - { address = "192.168.2.11"; prefixLength = 24; } - ]; - }; - extraHosts = hosts; - firewall.allowedTCPPorts = [ 80 443 ]; - }; - - security = { - acme = { - acceptTerms = true; - defaults.server = "https://ca.local:8443/acme/acme/directory"; - defaults.email = "mastodon@mastodon.local"; - }; - pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ]; - }; - - services.redis.servers.mastodon = { - enable = true; - bind = "127.0.0.1"; - port = 31637; - }; - - services.mastodon = { - enable = true; - configureNginx = true; - localDomain = "mastodon.local"; - enableUnixSocket = false; - redis = { - createLocally = true; - host = "127.0.0.1"; - port = 31637; - }; - database = { - createLocally = true; - host = "/run/postgresql"; - port = 5432; - }; - smtp = { - createLocally = false; - fromAddress = "mastodon@mastodon.local"; - }; - extraConfig = { - EMAIL_DOMAIN_ALLOWLIST = "example.com"; - }; - }; - }; - - client = { pkgs, ... }: { - environment.systemPackages = [ pkgs.jq ]; - networking = { - interfaces.eth1 = { - ipv4.addresses = [ - { address = "192.168.2.12"; prefixLength = 24; } - ]; - }; - extraHosts = hosts; - }; - - security = { - pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ]; - }; - }; - }; - - testScript = '' - start_all() - - ca.wait_for_unit("step-ca.service") - ca.wait_for_open_port(8443) - - # Check that mastodon-media-auto-remove is scheduled - server.succeed("systemctl status mastodon-media-auto-remove.timer") - - server.wait_for_unit("nginx.service") - server.wait_for_unit("redis-mastodon.service") - server.wait_for_unit("postgresql.service") - server.wait_for_unit("mastodon-sidekiq.service") - server.wait_for_unit("mastodon-streaming.service") - server.wait_for_unit("mastodon-web.service") - server.wait_for_open_port(55000) - server.wait_for_open_port(55001) - - # Check Mastodon version from remote client - client.succeed("curl --fail https://mastodon.local/api/v1/instance | jq -r '.version' | grep '${pkgs.mastodon.version}'") - - # Check using admin CLI - # Check Mastodon version - server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl version' | grep '${pkgs.mastodon.version}'") - - # Manage accounts - server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl email_domain_blocks add example.com'") - server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl email_domain_blocks list' | grep 'example.com'") - server.fail("su - mastodon -s /bin/sh -c 'mastodon-env tootctl email_domain_blocks list' | grep 'mastodon.local'") - server.fail("su - mastodon -s /bin/sh -c 'mastodon-env tootctl accounts create alice --email=alice@example.com'") - server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl email_domain_blocks remove example.com'") - server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl accounts create bob --email=bob@example.com'") - server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl accounts approve bob'") - server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl accounts delete bob'") - - # Manage IP access - server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks add 192.168.0.0/16 --severity=no_access'") - server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks export' | grep '192.168.0.0/16'") - server.fail("su - mastodon -s /bin/sh -c 'mastodon-env tootctl p_blocks export' | grep '172.16.0.0/16'") - client.fail("curl --fail https://mastodon.local/about") - server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks remove 192.168.0.0/16'") - client.succeed("curl --fail https://mastodon.local/about") - - ca.shutdown() - server.shutdown() - client.shutdown() - ''; -}) diff --git a/nixos/tests/web-apps/mastodon/default.nix b/nixos/tests/web-apps/mastodon/default.nix new file mode 100644 index 0000000000000..411ebfcd731b2 --- /dev/null +++ b/nixos/tests/web-apps/mastodon/default.nix @@ -0,0 +1,9 @@ +{ system ? builtins.currentSystem, handleTestOn }: +let + supportedSystems = [ "x86_64-linux" "i686-linux" "aarch64-linux" ]; + +in +{ + standard = handleTestOn supportedSystems ./standard.nix { inherit system; }; + remote-postgresql = handleTestOn supportedSystems ./remote-postgresql.nix { inherit system; }; +} diff --git a/nixos/tests/web-apps/mastodon/remote-postgresql.nix b/nixos/tests/web-apps/mastodon/remote-postgresql.nix new file mode 100644 index 0000000000000..2fd3983e13ec3 --- /dev/null +++ b/nixos/tests/web-apps/mastodon/remote-postgresql.nix @@ -0,0 +1,160 @@ +import ../../make-test-python.nix ({pkgs, ...}: +let + cert = pkgs: pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } '' + openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -subj '/CN=mastodon.local' -days 36500 + mkdir -p $out + cp key.pem cert.pem $out + ''; + + hosts = '' + 192.168.2.103 mastodon.local + ''; + +in +{ + name = "mastodon-remote-postgresql"; + meta.maintainers = with pkgs.lib.maintainers; [ erictapen izorkin turion ]; + + nodes = { + database = { + networking = { + interfaces.eth1 = { + ipv4.addresses = [ + { address = "192.168.2.102"; prefixLength = 24; } + ]; + }; + extraHosts = hosts; + firewall.allowedTCPPorts = [ 5432 ]; + }; + + services.postgresql = { + enable = true; + enableTCPIP = true; + authentication = '' + hostnossl mastodon_local mastodon_test 192.168.2.201/32 md5 + ''; + initialScript = pkgs.writeText "postgresql_init.sql" '' + CREATE ROLE mastodon_test LOGIN PASSWORD 'SoDTZcISc3f1M1LJsRLT'; + CREATE DATABASE mastodon_local TEMPLATE template0 ENCODING UTF8; + GRANT ALL PRIVILEGES ON DATABASE mastodon_local TO mastodon_test; + ''; + }; + }; + + nginx = { + networking = { + interfaces.eth1 = { + ipv4.addresses = [ + { address = "192.168.2.103"; prefixLength = 24; } + ]; + }; + extraHosts = hosts; + firewall.allowedTCPPorts = [ 80 443 ]; + }; + + security = { + pki.certificateFiles = [ "${cert pkgs}/cert.pem" ]; + }; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + virtualHosts."mastodon.local" = { + root = "/var/empty"; + forceSSL = true; + enableACME = pkgs.lib.mkForce false; + sslCertificate = "${cert pkgs}/cert.pem"; + sslCertificateKey = "${cert pkgs}/key.pem"; + locations."/" = { + tryFiles = "$uri @proxy"; + }; + locations."@proxy" = { + proxyPass = "http://192.168.2.201:55001"; + proxyWebsockets = true; + }; + locations."/api/v1/streaming/" = { + proxyPass = "http://192.168.2.201:55002"; + proxyWebsockets = true; + }; + }; + }; + }; + + server = { pkgs, ... }: { + virtualisation.memorySize = 2048; + + environment = { + etc = { + "mastodon/password-posgressql-db".text = '' + SoDTZcISc3f1M1LJsRLT + ''; + }; + }; + + networking = { + interfaces.eth1 = { + ipv4.addresses = [ + { address = "192.168.2.201"; prefixLength = 24; } + ]; + }; + extraHosts = hosts; + firewall.allowedTCPPorts = [ 55001 55002 ]; + }; + + services.mastodon = { + enable = true; + configureNginx = false; + localDomain = "mastodon.local"; + enableUnixSocket = false; + database = { + createLocally = false; + host = "192.168.2.102"; + port = 5432; + name = "mastodon_local"; + user = "mastodon_test"; + passwordFile = "/etc/mastodon/password-posgressql-db"; + }; + smtp = { + createLocally = false; + fromAddress = "mastodon@mastodon.local"; + }; + extraConfig = { + BIND = "0.0.0.0"; + EMAIL_DOMAIN_ALLOWLIST = "example.com"; + RAILS_SERVE_STATIC_FILES = "true"; + TRUSTED_PROXY_IP = "192.168.2.103"; + }; + }; + }; + + client = { pkgs, ... }: { + environment.systemPackages = [ pkgs.jq ]; + networking = { + interfaces.eth1 = { + ipv4.addresses = [ + { address = "192.168.2.202"; prefixLength = 24; } + ]; + }; + extraHosts = hosts; + }; + + security = { + pki.certificateFiles = [ "${cert pkgs}/cert.pem" ]; + }; + }; + }; + + testScript = import ./script.nix { + inherit pkgs; + extraInit = '' + nginx.wait_for_unit("nginx.service") + nginx.wait_for_open_port(443) + database.wait_for_unit("postgresql.service") + database.wait_for_open_port(5432) + ''; + extraShutdown = '' + nginx.shutdown() + database.shutdown() + ''; + }; +}) diff --git a/nixos/tests/web-apps/mastodon/script.nix b/nixos/tests/web-apps/mastodon/script.nix new file mode 100644 index 0000000000000..cdb1d4379b645 --- /dev/null +++ b/nixos/tests/web-apps/mastodon/script.nix @@ -0,0 +1,54 @@ +{ pkgs +, extraInit ? "" +, extraShutdown ? "" +}: + +'' + start_all() + + ${extraInit} + + server.wait_for_unit("redis-mastodon.service") + server.wait_for_unit("mastodon-sidekiq.service") + server.wait_for_unit("mastodon-streaming.service") + server.wait_for_unit("mastodon-web.service") + server.wait_for_open_port(55000) + server.wait_for_open_port(55001) + + # Check that mastodon-media-auto-remove is scheduled + server.succeed("systemctl status mastodon-media-auto-remove.timer") + + # Check Mastodon version from remote client + client.succeed("curl --fail https://mastodon.local/api/v1/instance | jq -r '.version' | grep '${pkgs.mastodon.version}'") + + # Check access from remote client + client.succeed("curl --fail https://mastodon.local/about | grep 'Mastodon hosted on mastodon.local'") + client.succeed("curl --fail $(curl https://mastodon.local/api/v1/instance 2> /dev/null | jq -r .thumbnail) --output /dev/null") + + # Simple check tootctl commands + # Check Mastodon version + server.succeed("mastodon-tootctl version | grep '${pkgs.mastodon.version}'") + + # Manage accounts + server.succeed("mastodon-tootctl email_domain_blocks add example.com") + server.succeed("mastodon-tootctl email_domain_blocks list | grep example.com") + server.fail("mastodon-tootctl email_domain_blocks list | grep mastodon.local") + server.fail("mastodon-tootctl accounts create alice --email=alice@example.com") + server.succeed("mastodon-tootctl email_domain_blocks remove example.com") + server.succeed("mastodon-tootctl accounts create bob --email=bob@example.com") + server.succeed("mastodon-tootctl accounts approve bob") + server.succeed("mastodon-tootctl accounts delete bob") + + # Manage IP access + server.succeed("mastodon-tootctl ip_blocks add 192.168.0.0/16 --severity=no_access") + server.succeed("mastodon-tootctl ip_blocks export | grep 192.168.0.0/16") + server.fail("mastodon-tootctl ip_blocks export | grep 172.16.0.0/16") + client.fail("curl --fail https://mastodon.local/about") + server.succeed("mastodon-tootctl ip_blocks remove 192.168.0.0/16") + client.succeed("curl --fail https://mastodon.local/about") + + server.shutdown() + client.shutdown() + + ${extraShutdown} +'' diff --git a/nixos/tests/web-apps/mastodon/standard.nix b/nixos/tests/web-apps/mastodon/standard.nix new file mode 100644 index 0000000000000..14311afea3f78 --- /dev/null +++ b/nixos/tests/web-apps/mastodon/standard.nix @@ -0,0 +1,92 @@ +import ../../make-test-python.nix ({pkgs, ...}: +let + cert = pkgs: pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } '' + openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -subj '/CN=mastodon.local' -days 36500 + mkdir -p $out + cp key.pem cert.pem $out + ''; + + hosts = '' + 192.168.2.101 mastodon.local + ''; + +in +{ + name = "mastodon-standard"; + meta.maintainers = with pkgs.lib.maintainers; [ erictapen izorkin turion ]; + + nodes = { + server = { pkgs, ... }: { + + virtualisation.memorySize = 2048; + + networking = { + interfaces.eth1 = { + ipv4.addresses = [ + { address = "192.168.2.101"; prefixLength = 24; } + ]; + }; + extraHosts = hosts; + firewall.allowedTCPPorts = [ 80 443 ]; + }; + + security = { + pki.certificateFiles = [ "${cert pkgs}/cert.pem" ]; + }; + + services.redis.servers.mastodon = { + enable = true; + bind = "127.0.0.1"; + port = 31637; + }; + + services.mastodon = { + enable = true; + configureNginx = true; + localDomain = "mastodon.local"; + enableUnixSocket = false; + smtp = { + createLocally = false; + fromAddress = "mastodon@mastodon.local"; + }; + extraConfig = { + EMAIL_DOMAIN_ALLOWLIST = "example.com"; + }; + }; + + services.nginx = { + virtualHosts."mastodon.local" = { + enableACME = pkgs.lib.mkForce false; + sslCertificate = "${cert pkgs}/cert.pem"; + sslCertificateKey = "${cert pkgs}/key.pem"; + }; + }; + }; + + client = { pkgs, ... }: { + environment.systemPackages = [ pkgs.jq ]; + networking = { + interfaces.eth1 = { + ipv4.addresses = [ + { address = "192.168.2.102"; prefixLength = 24; } + ]; + }; + extraHosts = hosts; + }; + + security = { + pki.certificateFiles = [ "${cert pkgs}/cert.pem" ]; + }; + }; + }; + + testScript = import ./script.nix { + inherit pkgs; + extraInit = '' + server.wait_for_unit("nginx.service") + server.wait_for_open_port(443) + server.wait_for_unit("postgresql.service") + server.wait_for_open_port(5432) + ''; + }; +}) diff --git a/nixos/tests/web-apps/peering-manager.nix b/nixos/tests/web-apps/peering-manager.nix new file mode 100644 index 0000000000000..56b7eebfadffd --- /dev/null +++ b/nixos/tests/web-apps/peering-manager.nix @@ -0,0 +1,40 @@ +import ../make-test-python.nix ({ lib, pkgs, ... }: { + name = "peering-manager"; + + meta = with lib.maintainers; { + maintainers = [ yuka ]; + }; + + nodes.machine = { ... }: { + services.peering-manager = { + enable = true; + secretKeyFile = pkgs.writeText "secret" '' + abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 + ''; + }; + }; + + testScript = { nodes }: '' + machine.start() + machine.wait_for_unit("peering-manager.target") + machine.wait_until_succeeds("journalctl --since -1m --unit peering-manager --grep Listening") + + print(machine.succeed( + "curl -sSfL http://[::1]:8001" + )) + with subtest("Home screen loads"): + machine.succeed( + "curl -sSfL http://[::1]:8001 | grep '<title>Home - Peering Manager</title>'" + ) + with subtest("checks succeed"): + machine.succeed( + "systemctl stop peering-manager peering-manager-rq" + ) + machine.succeed( + "sudo -u postgres psql -c 'ALTER USER \"peering-manager\" WITH SUPERUSER;'" + ) + machine.succeed( + "cd ${nodes.machine.config.system.build.peeringManagerPkg}/opt/peering-manager ; peering-manager-manage test --no-input" + ) + ''; +}) diff --git a/nixos/tests/web-apps/peertube.nix b/nixos/tests/web-apps/peertube.nix index ecc45bff2e2ca..0e5f39c08a023 100644 --- a/nixos/tests/web-apps/peertube.nix +++ b/nixos/tests/web-apps/peertube.nix @@ -41,6 +41,9 @@ import ../make-test-python.nix ({pkgs, ...}: server = { pkgs, ... }: { environment = { etc = { + "peertube/secrets-peertube".text = '' + 063d9c60d519597acef26003d5ecc32729083965d09181ef3949200cbe5f09ee + ''; "peertube/password-posgressql-db".text = '' 0gUN0C1mgST6czvjZ8T9 ''; @@ -67,6 +70,10 @@ import ../make-test-python.nix ({pkgs, ...}: localDomain = "peertube.local"; enableWebHttps = false; + secrets = { + secretsFile = "/etc/peertube/secrets-peertube"; + }; + database = { host = "192.168.2.10"; name = "peertube_local"; diff --git a/nixos/tests/webhook.nix b/nixos/tests/webhook.nix new file mode 100644 index 0000000000000..ed70514086405 --- /dev/null +++ b/nixos/tests/webhook.nix @@ -0,0 +1,65 @@ +{ pkgs, ... }: +let + forwardedPort = 19000; + internalPort = 9000; +in +{ + name = "webhook"; + + nodes = { + webhookMachine = { pkgs, ... }: { + virtualisation.forwardPorts = [{ + host.port = forwardedPort; + guest.port = internalPort; + }]; + services.webhook = { + enable = true; + port = internalPort; + openFirewall = true; + hooks = { + echo = { + execute-command = "echo"; + response-message = "Webhook is reachable!"; + }; + }; + hooksTemplated = { + echoTemplate = '' + { + "id": "echo-template", + "execute-command": "echo", + "response-message": "{{ getenv "WEBHOOK_MESSAGE" }}" + } + ''; + }; + environment.WEBHOOK_MESSAGE = "Templates are working!"; + }; + }; + }; + + extraPythonPackages = p: [ + p.requests + p.types-requests + ]; + + testScript = { nodes, ... }: '' + import requests + webhookMachine.wait_for_unit("webhook") + webhookMachine.wait_for_open_port(${toString internalPort}) + + with subtest("Check that webhooks can be called externally"): + response = requests.get("http://localhost:${toString forwardedPort}/hooks/echo") + print(f"Response code: {response.status_code}") + print("Response: %r" % response.content) + + assert response.status_code == 200 + assert response.content == b"Webhook is reachable!" + + with subtest("Check that templated webhooks can be called externally"): + response = requests.get("http://localhost:${toString forwardedPort}/hooks/echo-template") + print(f"Response code: {response.status_code}") + print("Response: %r" % response.content) + + assert response.status_code == 200 + assert response.content == b"Templates are working!" + ''; +} diff --git a/nixos/tests/wireguard/basic.nix b/nixos/tests/wireguard/basic.nix index 36ab226cde0e4..96b0a681c364d 100644 --- a/nixos/tests/wireguard/basic.nix +++ b/nixos/tests/wireguard/basic.nix @@ -1,5 +1,4 @@ -{ kernelPackages ? null }: -import ../make-test-python.nix ({ pkgs, lib, ...} : +import ../make-test-python.nix ({ pkgs, lib, kernelPackages ? null, ...} : let wg-snakeoil-keys = import ./snakeoil-keys.nix; peer = (import ./make-peer.nix) { inherit lib; }; diff --git a/nixos/tests/wireguard/default.nix b/nixos/tests/wireguard/default.nix index dedb321ff2ef9..c30f1b74770b8 100644 --- a/nixos/tests/wireguard/default.nix +++ b/nixos/tests/wireguard/default.nix @@ -7,10 +7,11 @@ with pkgs.lib; let - tests = let callTest = p: flip (import p) { inherit system pkgs; }; in { + tests = let callTest = p: args: import p ({ inherit system pkgs; } // args); in { basic = callTest ./basic.nix; namespaces = callTest ./namespaces.nix; wg-quick = callTest ./wg-quick.nix; + wg-quick-nftables = args: callTest ./wg-quick.nix ({ nftables = true; } // args); generated = callTest ./generated.nix; }; in diff --git a/nixos/tests/wireguard/generated.nix b/nixos/tests/wireguard/generated.nix index 84a35d29b4535..c58f7a75071ec 100644 --- a/nixos/tests/wireguard/generated.nix +++ b/nixos/tests/wireguard/generated.nix @@ -1,5 +1,4 @@ -{ kernelPackages ? null }: -import ../make-test-python.nix ({ pkgs, lib, ... } : { +import ../make-test-python.nix ({ pkgs, lib, kernelPackages ? null, ... } : { name = "wireguard-generated"; meta = with pkgs.lib.maintainers; { maintainers = [ ma27 grahamc ]; diff --git a/nixos/tests/wireguard/namespaces.nix b/nixos/tests/wireguard/namespaces.nix index 93dc84a8768e5..1790c45bb1f65 100644 --- a/nixos/tests/wireguard/namespaces.nix +++ b/nixos/tests/wireguard/namespaces.nix @@ -1,5 +1,3 @@ -{ kernelPackages ? null }: - let listenPort = 12345; socketNamespace = "foo"; @@ -15,7 +13,7 @@ let in -import ../make-test-python.nix ({ pkgs, lib, ... } : { +import ../make-test-python.nix ({ pkgs, lib, kernelPackages ? null, ... } : { name = "wireguard-with-namespaces"; meta = with pkgs.lib.maintainers; { maintainers = [ asymmetric ]; diff --git a/nixos/tests/wireguard/wg-quick.nix b/nixos/tests/wireguard/wg-quick.nix index bc2cba9118889..ec2b8d7f2d9d1 100644 --- a/nixos/tests/wireguard/wg-quick.nix +++ b/nixos/tests/wireguard/wg-quick.nix @@ -1,9 +1,13 @@ -{ kernelPackages ? null }: - -import ../make-test-python.nix ({ pkgs, lib, ... }: +import ../make-test-python.nix ({ pkgs, lib, kernelPackages ? null, nftables ? false, ... }: let wg-snakeoil-keys = import ./snakeoil-keys.nix; - peer = (import ./make-peer.nix) { inherit lib; }; + peer = import ./make-peer.nix { inherit lib; }; + commonConfig = { + boot.kernelPackages = lib.mkIf (kernelPackages != null) kernelPackages; + networking.nftables.enable = nftables; + # Make sure iptables doesn't work with nftables enabled + boot.blacklistedKernelModules = lib.mkIf nftables [ "nft_compat" ]; + }; in { name = "wg-quick"; @@ -15,47 +19,51 @@ import ../make-test-python.nix ({ pkgs, lib, ... }: peer0 = peer { ip4 = "192.168.0.1"; ip6 = "fd00::1"; - extraConfig = { - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; - networking.firewall.allowedUDPPorts = [ 23542 ]; - networking.wg-quick.interfaces.wg0 = { - address = [ "10.23.42.1/32" "fc00::1/128" ]; - listenPort = 23542; + extraConfig = lib.mkMerge [ + commonConfig + { + networking.firewall.allowedUDPPorts = [ 23542 ]; + networking.wg-quick.interfaces.wg0 = { + address = [ "10.23.42.1/32" "fc00::1/128" ]; + listenPort = 23542; - inherit (wg-snakeoil-keys.peer0) privateKey; + inherit (wg-snakeoil-keys.peer0) privateKey; - peers = lib.singleton { - allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ]; + peers = lib.singleton { + allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ]; - inherit (wg-snakeoil-keys.peer1) publicKey; - }; + inherit (wg-snakeoil-keys.peer1) publicKey; + }; - dns = [ "10.23.42.2" "fc00::2" "wg0" ]; - }; - }; + dns = [ "10.23.42.2" "fc00::2" "wg0" ]; + }; + } + ]; }; peer1 = peer { ip4 = "192.168.0.2"; ip6 = "fd00::2"; - extraConfig = { - boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; - networking.useNetworkd = true; - networking.wg-quick.interfaces.wg0 = { - address = [ "10.23.42.2/32" "fc00::2/128" ]; - inherit (wg-snakeoil-keys.peer1) privateKey; + extraConfig = lib.mkMerge [ + commonConfig + { + networking.useNetworkd = true; + networking.wg-quick.interfaces.wg0 = { + address = [ "10.23.42.2/32" "fc00::2/128" ]; + inherit (wg-snakeoil-keys.peer1) privateKey; - peers = lib.singleton { - allowedIPs = [ "0.0.0.0/0" "::/0" ]; - endpoint = "192.168.0.1:23542"; - persistentKeepalive = 25; + peers = lib.singleton { + allowedIPs = [ "0.0.0.0/0" "::/0" ]; + endpoint = "192.168.0.1:23542"; + persistentKeepalive = 25; - inherit (wg-snakeoil-keys.peer0) publicKey; - }; + inherit (wg-snakeoil-keys.peer0) publicKey; + }; - dns = [ "10.23.42.1" "fc00::1" "wg0" ]; - }; - }; + dns = [ "10.23.42.1" "fc00::1" "wg0" ]; + }; + } + ]; }; }; diff --git a/nixos/tests/xmpp/prosody.nix b/nixos/tests/xmpp/prosody.nix index 14eab56fb821f..045ae6430fd48 100644 --- a/nixos/tests/xmpp/prosody.nix +++ b/nixos/tests/xmpp/prosody.nix @@ -42,7 +42,7 @@ in import ../make-test-python.nix { ${nodes.server.config.networking.primaryIPAddress} uploads.example.com ''; environment.systemPackages = [ - (pkgs.callPackage ./xmpp-sendmessage.nix { connectTo = nodes.server.config.networking.primaryIPAddress; }) + (pkgs.callPackage ./xmpp-sendmessage.nix { connectTo = "example.com"; }) ]; }; server = { config, pkgs, ... }: { @@ -82,6 +82,7 @@ in import ../make-test-python.nix { testScript = { nodes, ... }: '' # Check with sqlite storage + start_all() server.wait_for_unit("prosody.service") server.succeed('prosodyctl status | grep "Prosody is running"') diff --git a/nixos/tests/xmpp/xmpp-sendmessage.nix b/nixos/tests/xmpp/xmpp-sendmessage.nix index 4c009464b7041..8ccac06124913 100644 --- a/nixos/tests/xmpp/xmpp-sendmessage.nix +++ b/nixos/tests/xmpp/xmpp-sendmessage.nix @@ -12,6 +12,7 @@ in writeScriptBin "send-message" '' #!${(python3.withPackages (ps: [ ps.slixmpp ])).interpreter} import logging import sys +import signal from types import MethodType from slixmpp import ClientXMPP @@ -64,8 +65,13 @@ class CthonTest(ClientXMPP): log.info('MUC join success!') log.info('XMPP SCRIPT TEST SUCCESS') +def timeout_handler(signalnum, stackframe): + print('ERROR: xmpp-sendmessage timed out') + sys.exit(1) if __name__ == '__main__': + signal.signal(signal.SIGALRM, timeout_handler) + signal.alarm(120) logging.basicConfig(level=logging.DEBUG, format='%(levelname)-8s %(message)s') @@ -76,7 +82,7 @@ if __name__ == '__main__': ct.register_plugin('xep_0363') # MUC ct.register_plugin('xep_0045') - ct.connect(("server", 5222)) + ct.connect(("${connectTo}", 5222)) ct.process(forever=False) if not ct.test_succeeded: diff --git a/nixos/tests/zfs.nix b/nixos/tests/zfs.nix index 29df691cecbed..3e55369daa06a 100644 --- a/nixos/tests/zfs.nix +++ b/nixos/tests/zfs.nix @@ -17,103 +17,151 @@ let makeTest { name = "zfs-" + name; meta = with pkgs.lib.maintainers; { - maintainers = [ adisbladis ]; + maintainers = [ adisbladis elvishjerricco ]; }; nodes.machine = { pkgs, lib, ... }: let usersharePath = "/var/lib/samba/usershares"; in { - virtualisation.emptyDiskImages = [ 4096 ]; + virtualisation = { + emptyDiskImages = [ 4096 4096 ]; + useBootLoader = true; + useEFIBoot = true; + }; + boot.loader.systemd-boot.enable = true; + boot.loader.timeout = 0; + boot.loader.efi.canTouchEfiVariables = true; networking.hostId = "deadbeef"; boot.kernelPackages = kernelPackage; boot.supportedFilesystems = [ "zfs" ]; boot.zfs.enableUnstable = enableUnstable; - services.samba = { - enable = true; - extraConfig = '' - registry shares = yes - usershare path = ${usersharePath} - usershare allow guests = yes - usershare max shares = 100 - usershare owner only = no - ''; + environment.systemPackages = [ pkgs.parted ]; + + # /dev/disk/by-id doesn't get populated in the NixOS test framework + boot.zfs.devNodes = "/dev/disk/by-uuid"; + + specialisation.samba.configuration = { + services.samba = { + enable = true; + extraConfig = '' + registry shares = yes + usershare path = ${usersharePath} + usershare allow guests = yes + usershare max shares = 100 + usershare owner only = no + ''; + }; + systemd.services.samba-smbd.serviceConfig.ExecStartPre = + "${pkgs.coreutils}/bin/mkdir -m +t -p ${usersharePath}"; + virtualisation.fileSystems = { + "/tmp/mnt" = { + device = "rpool/root"; + fsType = "zfs"; + }; + }; }; - systemd.services.samba-smbd.serviceConfig.ExecStartPre = - "${pkgs.coreutils}/bin/mkdir -m +t -p ${usersharePath}"; - environment.systemPackages = [ pkgs.parted ]; + specialisation.encryption.configuration = { + boot.zfs.requestEncryptionCredentials = [ "automatic" ]; + virtualisation.fileSystems."/automatic" = { + device = "automatic"; + fsType = "zfs"; + }; + virtualisation.fileSystems."/manual" = { + device = "manual"; + fsType = "zfs"; + }; + virtualisation.fileSystems."/manual/encrypted" = { + device = "manual/encrypted"; + fsType = "zfs"; + options = [ "noauto" ]; + }; + }; - # Setup regular fileSystems machinery to ensure forceImportAll can be - # tested via the regular service units. - virtualisation.fileSystems = { - "/forcepool" = { + specialisation.forcepool.configuration = { + systemd.services.zfs-import-forcepool.wantedBy = lib.mkVMOverride [ "forcepool.mount" ]; + systemd.targets.zfs.wantedBy = lib.mkVMOverride []; + boot.zfs.forceImportAll = true; + virtualisation.fileSystems."/forcepool" = { device = "forcepool"; fsType = "zfs"; options = [ "noauto" ]; }; }; - - # forcepool doesn't exist at first boot, and we need to manually test - # the import after tweaking the hostId. - systemd.services.zfs-import-forcepool.wantedBy = lib.mkVMOverride []; - systemd.targets.zfs.wantedBy = lib.mkVMOverride []; - boot.zfs.forceImportAll = true; - # /dev/disk/by-id doesn't get populated in the NixOS test framework - boot.zfs.devNodes = "/dev/disk/by-uuid"; }; testScript = '' + machine.wait_for_unit("multi-user.target") machine.succeed( - "modprobe zfs", "zpool status", - "ls /dev", - "mkdir /tmp/mnt", - "udevadm settle", - "parted --script /dev/vdb mklabel msdos", - "parted --script /dev/vdb -- mkpart primary 1024M -1s", - "udevadm settle", - "zpool create rpool /dev/vdb1", - "zfs create -o mountpoint=legacy rpool/root", - # shared datasets cannot have legacy mountpoint - "zfs create rpool/shared_smb", - "mount -t zfs rpool/root /tmp/mnt", - "udevadm settle", - # wait for samba services - "systemctl is-system-running --wait", - "zfs set sharesmb=on rpool/shared_smb", - "zfs share rpool/shared_smb", - "smbclient -gNL localhost | grep rpool_shared_smb", - "umount /tmp/mnt", - "zpool destroy rpool", - "udevadm settle", + "parted --script /dev/vdc mklabel msdos", + "parted --script /dev/vdc -- mkpart primary 1024M -1s", + "parted --script /dev/vdd mklabel msdos", + "parted --script /dev/vdd -- mkpart primary 1024M -1s", ) - machine.succeed( - 'echo password | zpool create -o altroot="/tmp/mnt" ' - + "-O encryption=aes-256-gcm -O keyformat=passphrase rpool /dev/vdb1", - "zfs create -o mountpoint=legacy rpool/root", - "mount -t zfs rpool/root /tmp/mnt", - "udevadm settle", - "umount /tmp/mnt", - "zpool destroy rpool", - "udevadm settle", - ) + with subtest("sharesmb works"): + machine.succeed( + "zpool create rpool /dev/vdc1", + "zfs create -o mountpoint=legacy rpool/root", + # shared datasets cannot have legacy mountpoint + "zfs create rpool/shared_smb", + "bootctl set-default nixos-generation-1-specialisation-samba.conf", + "sync", + ) + machine.crash() + machine.wait_for_unit("multi-user.target") + machine.succeed( + "zfs set sharesmb=on rpool/shared_smb", + "zfs share rpool/shared_smb", + "smbclient -gNL localhost | grep rpool_shared_smb", + "umount /tmp/mnt", + "zpool destroy rpool", + ) + + with subtest("encryption works"): + machine.succeed( + 'echo password | zpool create -O mountpoint=legacy ' + + "-O encryption=aes-256-gcm -O keyformat=passphrase automatic /dev/vdc1", + "zpool create -O mountpoint=legacy manual /dev/vdd1", + "echo otherpass | zfs create " + + "-o encryption=aes-256-gcm -o keyformat=passphrase manual/encrypted", + "bootctl set-default nixos-generation-1-specialisation-encryption.conf", + "sync", + "zpool export automatic", + "zpool export manual", + ) + machine.crash() + machine.start() + machine.wait_for_console_text("Starting password query on") + machine.send_console("password\n") + machine.wait_for_unit("multi-user.target") + machine.succeed( + "zfs get keystatus manual/encrypted | grep unavailable", + "echo otherpass | zfs load-key manual/encrypted", + "systemctl start manual-encrypted.mount", + "umount /automatic /manual/encrypted /manual", + "zpool destroy automatic", + "zpool destroy manual", + ) with subtest("boot.zfs.forceImportAll works"): machine.succeed( "rm /etc/hostid", "zgenhostid deadcafe", - "zpool create forcepool /dev/vdb1 -O mountpoint=legacy", + "zpool create forcepool /dev/vdc1 -O mountpoint=legacy", + "bootctl set-default nixos-generation-1-specialisation-forcepool.conf", + "rm /etc/hostid", + "sync", ) - machine.shutdown() - machine.start() - machine.succeed("udevadm settle") + machine.crash() + machine.wait_for_unit("multi-user.target") machine.fail("zpool import forcepool") machine.succeed( - "systemctl start zfs-import-forcepool.service", - "mount -t zfs forcepool /tmp/mnt", + "systemctl start forcepool.mount", + "mount | grep forcepool", ) '' + extraTest; |