Diffstat (limited to 'nixos')
24 files changed, 475 insertions, 95 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 1e3f269dafb28..6da24e3a8a81a 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -45,6 +45,33 @@ </listitem> <listitem> <para> + <literal>stdenv.mkDerivation</literal> now supports a + self-referencing <literal>finalAttrs:</literal> parameter + containing the final <literal>mkDerivation</literal> arguments + including overrides. <literal>drv.overrideAttrs</literal> now + supports two parameters + <literal>finalAttrs: previousAttrs:</literal>. This allows + packaging configuration to be overridden in a consistent + manner by providing an alternative to + <literal>rec {}</literal> syntax. + </para> + <para> + Additionally, <literal>passthru</literal> can now reference + <literal>finalAttrs.finalPackage</literal> containing the + final package, including attributes such as the output paths + and <literal>overrideAttrs</literal>. + </para> + <para> + New language integrations can be simplified by overriding a + <quote>prototype</quote> package containing the + language-specific logic. This removes the need for a extra + layer of overriding for the <quote>generic builder</quote> + arguments, thus removing a usability problem and source of + error. + </para> + </listitem> + <listitem> + <para> PHP 8.1 is now available </para> </listitem> @@ -124,6 +151,14 @@ default. </para> </listitem> + <listitem> + <para> + The GNOME and Plasma installation CDs now use + <literal>pkgs.calamares</literal> and + <literal>pkgs.calamares-nixos-extensions</literal> to allow + users to easily install and set up NixOS with a GUI. + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-22.05-new-services"> 
@@ -842,6 +877,11 @@ to the new location if the <literal>stateVersion</literal> is updated. </para> + <para> + As of Synapse 1.58.0, the old groups/communities feature has + been disabled by default. It will be completely removed with + Synapse 1.61.0. + </para> </listitem> <listitem> <para> diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index dcfabf01ff3dc..90d226437012b 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -17,6 +17,21 @@ In addition to numerous new and upgraded packages, this release has the followin - GNOME has been upgraded to 42. Please take a look at their [Release Notes](https://release.gnome.org/42/) for details. Notably, it replaces gedit with GNOME Text Editor, GNOME Terminal with GNOME Console (formerly King’s Cross), and GNOME Screenshot with a tool built into the Shell. +- `stdenv.mkDerivation` now supports a self-referencing `finalAttrs:` parameter + containing the final `mkDerivation` arguments including overrides. + `drv.overrideAttrs` now supports two parameters `finalAttrs: previousAttrs:`. + This allows packaging configuration to be overridden in a consistent manner by + providing an alternative to `rec {}` syntax. + + Additionally, `passthru` can now reference `finalAttrs.finalPackage` containing + the final package, including attributes such as the output paths and + `overrideAttrs`. + + New language integrations can be simplified by overriding a "prototype" + package containing the language-specific logic. This removes the need for a + extra layer of overriding for the "generic builder" arguments, thus removing a + usability problem and source of error. + - PHP 8.1 is now available - Mattermost has been updated to extended support release 6.3, as the previously packaged extended support release 5.37 is [reaching its end of life](https://docs.mattermost.com/upgrade/extended-support-release.html). 
@@ -38,6 +53,8 @@ In addition to numerous new and upgraded packages, this release has the followin - The default GHC version has been updated from 8.10.7 to 9.0.2. `pkgs.haskellPackages` and `pkgs.ghc` will now use this version by default. +- The GNOME and Plasma installation CDs now use `pkgs.calamares` and `pkgs.calamares-nixos-extensions` to allow users to easily install and set up NixOS with a GUI. + ## New Services {#sec-release-22.05-new-services} - [aesmd](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw), the Intel SGX Architectural Enclave Service Manager. Available as [services.aesmd](#opt-services.aesmd.enable). @@ -345,6 +362,8 @@ In addition to numerous new and upgraded packages, this release has the followin `media_store_path` was changed from `${dataDir}/media` to `${dataDir}/media_store` if `system.stateVersion` is at least `22.05`. Files will need to be manually moved to the new location if the `stateVersion` is updated. + As of Synapse 1.58.0, the old groups/communities feature has been disabled by default. It will be completely removed with Synapse 1.61.0. + - The Keycloak package (`pkgs.keycloak`) has been switched from the Wildfly version, which will soon be deprecated, to the Quarkus based version. The Keycloak service (`services.keycloak`) has been updated diff --git a/nixos/modules/hardware/all-firmware.nix b/nixos/modules/hardware/all-firmware.nix index 176056d0a917a..da2bc8ffef4b0 100644 --- a/nixos/modules/hardware/all-firmware.nix +++ b/nixos/modules/hardware/all-firmware.nix @@ -72,7 +72,7 @@ in { }) (mkIf cfg.enableAllFirmware { assertions = [{ - assertion = !cfg.enableAllFirmware || (config.nixpkgs.config.allowUnfree or false); + assertion = !cfg.enableAllFirmware || config.nixpkgs.config.allowUnfree; message = '' the list of hardware.enableAllFirmware contains non-redistributable licensed firmware files. This requires nixpkgs.config.allowUnfree to be true. 
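Review bot: Dropping the `or false` makes the assertion depend on `config.nixpkgs.config.allowUnfree` being defined; if `nixpkgs.config` does not supply a default for that attribute (its definition is not in this diff), a configuration that never sets it now fails evaluation with a missing-attribute error instead of the intended assertion message. If the rest of the commit guarantees the attribute exists, a short comment on the assertion saying so would spare the next reader the same question. Separately, the `!cfg.enableAllFirmware ||` prefix is redundant inside the surrounding `mkIf cfg.enableAllFirmware` block, so the line could simply read `assertion = config.nixpkgs.config.allowUnfree;`.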
diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix index fa19daf132800..0e4feba228234 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix @@ -35,22 +35,28 @@ with lib; # Enable sound in graphical iso's. hardware.pulseaudio.enable = true; - environment.systemPackages = [ + # Spice guest additions + services.spice-vdagentd.enable = true; + + # Enable plymouth + boot.plymouth.enable = true; + + environment.defaultPackages = with pkgs; [ # Include gparted for partitioning disks. - pkgs.gparted + gparted # Include some editors. - pkgs.vim - pkgs.bvi # binary editor - pkgs.joe + vim + nano # Include some version control tools. - pkgs.git + git + rsync # Firefox for reading the manual. - pkgs.firefox + firefox - pkgs.glxinfo + glxinfo ]; } diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix new file mode 100644 index 0000000000000..95aeca1a928a6 --- /dev/null +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix 
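Review bot: Assigning `environment.defaultPackages` here replaces the option's default list rather than extending it, so whatever NixOS ships there by default (to my knowledge perl, rsync and strace) is dropped from the ISO unless re-added — which explains `rsync` reappearing in the list, but not the silent loss of the others. The switch away from `environment.systemPackages` was presumably made so a user can strip these convenience tools with a single `environment.defaultPackages = lib.mkForce [ ];`; if so, a comment such as `# defaultPackages rather than systemPackages so a minimal build can drop all of these at once` would record the intent. The removal of `bvi` and `joe` is user-visible and worth a release-note line alongside the calamares one.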
@@ -0,0 +1,59 @@ +# This module defines a NixOS installation CD that contains GNOME. + +{ pkgs, ... }: + +{ + imports = [ ./installation-cd-graphical-calamares.nix ]; + + isoImage.edition = "gnome"; + + services.xserver.desktopManager.gnome = { + # Add Firefox and other tools useful for installation to the launcher + favoriteAppsOverride = '' + [org.gnome.shell] + favorite-apps=[ 'firefox.desktop', 'nixos-manual.desktop', 'org.gnome.Console.desktop', 'org.gnome.Nautilus.desktop', 'gparted.desktop', 'io.calamares.calamares.desktop' ] + ''; + + # Override GNOME defaults to disable GNOME tour and disable suspend + extraGSettingsOverrides = '' + [org.gnome.shell] + welcome-dialog-last-shown-version='9999999999' + + [org.gnome.settings-daemon.plugins.power] + sleep-inactive-ac-type='nothing' + sleep-inactive-battery-type='nothing' + ''; + + extraGSettingsOverridePackages = [ pkgs.gnome.gnome-settings-daemon ]; + + enable = true; + }; + + # Theme calamares with GNOME theme + qt5 = { + enable = true; + platformTheme = "gnome"; + }; + + # Fix scaling for calamares on wayland + environment.variables = { + QT_QPA_PLATFORM = "$([[ $XDG_SESSION_TYPE = \"wayland\" ]] && echo \"wayland\")"; + }; + + services.xserver.displayManager = { + gdm = { + enable = true; + # autoSuspend makes the machine automatically suspend after inactivity. + # It's possible someone could/try to ssh'd into the machine and obviously + # have issues because it's inactive. + # See: + # * https://github.com/NixOS/nixpkgs/pull/63790 + # * https://gitlab.gnome.org/GNOME/gnome-control-center/issues/22 + autoSuspend = false; + }; + autoLogin = { + enable = true; + user = "nixos"; + }; + }; +} diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma5.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma5.nix new file mode 100644 index 0000000000000..a4c46d58c85a4 --- /dev/null 
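Review bot: `QT_QPA_PLATFORM` is set to a bash-specific command substitution (`[[ … ]]`) through `environment.variables`; that only works if the file NixOS generates from this option is sourced by a bash-compatible shell, and the variable then applies to every Qt program in the session, not just calamares. A POSIX-safe form, `QT_QPA_PLATFORM = "$([ \"$XDG_SESSION_TYPE\" = wayland ] && echo wayland)";`, removes the shell dependency, and the comment above it should say the setting is session-wide. The favourites list also references `nixos-manual.desktop`, which (per the comment in this commit's plasma5 module) exists only when the NixOS manual is enabled for the X session; a note on that assumption would help.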
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma5.nix @@ -0,0 +1,49 @@ +# This module defines a NixOS installation CD that contains X11 and +# Plasma 5. + +{ pkgs, ... }: + +{ + imports = [ ./installation-cd-graphical-calamares.nix ]; + + isoImage.edition = "plasma5"; + + services.xserver = { + desktopManager.plasma5 = { + enable = true; + }; + + # Automatically login as nixos. + displayManager = { + sddm.enable = true; + autoLogin = { + enable = true; + user = "nixos"; + }; + }; + }; + + environment.systemPackages = with pkgs; [ + # Graphical text editor + kate + ]; + + system.activationScripts.installerDesktop = let + + # Comes from documentation.nix when xserver and nixos.enable are true. + manualDesktopFile = "/run/current-system/sw/share/applications/nixos-manual.desktop"; + + homeDir = "/home/nixos/"; + desktopDir = homeDir + "Desktop/"; + + in '' + mkdir -p ${desktopDir} + chown nixos ${homeDir} ${desktopDir} + + ln -sfT ${manualDesktopFile} ${desktopDir + "nixos-manual.desktop"} + ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop ${desktopDir + "gparted.desktop"} + ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop ${desktopDir + "org.kde.konsole.desktop"} + ln -sfT ${pkgs.calamares-nixos}/share/applications/io.calamares.calamares.desktop ${desktopDir + "io.calamares.calamares.desktop"} + ''; + +} diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares.nix new file mode 100644 index 0000000000000..8a6d30d1801a1 --- /dev/null +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares.nix 
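Review bot: The `installerDesktop` activation script runs as root and creates and symlinks into `/home/nixos/Desktop/`, a directory handed to the unprivileged `nixos` user by the `chown` on every activation; on a throw-away live ISO this is low risk, but root following paths under a user-writable home is worth a comment so nobody copies the pattern into a persistent system. `chown nixos ${homeDir} ${desktopDir}` also sets only the owner, so both directories keep root as their group from the `mkdir -p`; `chown nixos:<primary group> …`, with the group the `nixos` user is given outside this file, would match a normally created home. If the existing `installation-cd-graphical-plasma5.nix` carries the same script (its body is not in this diff), a shared helper in `installation-cd-graphical-base.nix` would avoid the duplicate.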
@@ -0,0 +1,20 @@ +# This module adds the calamares installer to the basic graphical NixOS +# installation CD. + +{ pkgs, ... }: +let + calamares-nixos-autostart = pkgs.makeAutostartItem { name = "io.calamares.calamares"; package = pkgs.calamares-nixos; }; +in +{ + imports = [ ./installation-cd-graphical-base.nix ]; + + environment.systemPackages = with pkgs; [ + # Calamares for graphical installation + libsForQt5.kpmcore + calamares-nixos + calamares-nixos-autostart + calamares-nixos-extensions + # Needed for calamares QML module packagechooserq + libsForQt5.full + ]; +} diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix index 303493741f3d0..573b31b439c2d 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix @@ -1,8 +1,6 @@ # This module defines a NixOS installation CD that contains GNOME. -{ lib, ... }: - -with lib; +{ ... }: { imports = [ ./installation-cd-graphical-base.nix ]; diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix index 098c2b2870b04..5c7617c9f8c1a 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix @@ -1,9 +1,7 @@ # This module defines a NixOS installation CD that contains X11 and # Plasma 5. -{ config, lib, pkgs, ... }: - -with lib; +{ pkgs, ... }: { imports = [ ./installation-cd-graphical-base.nix ]; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index d1cda0d84e96b..9d9f2e9057cc0 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix 
@@ -1256,6 +1256,7 @@ ./virtualisation/virtualbox-guest.nix ./virtualisation/virtualbox-host.nix ./virtualisation/vmware-guest.nix + ./virtualisation/vmware-host.nix ./virtualisation/waydroid.nix ./virtualisation/xen-dom0.nix ./virtualisation/xe-guest-utilities.nix diff --git a/nixos/modules/programs/thefuck.nix b/nixos/modules/programs/thefuck.nix index b909916158d38..18d09e26866c1 100644 --- a/nixos/modules/programs/thefuck.nix +++ b/nixos/modules/programs/thefuck.nix @@ -6,9 +6,12 @@ let prg = config.programs; cfg = prg.thefuck; - initScript = '' + bashAndZshInitScript = '' eval $(${pkgs.thefuck}/bin/thefuck --alias ${cfg.alias}) ''; + fishInitScript = '' + ${pkgs.thefuck}/bin/thefuck --alias ${cfg.alias} | source + ''; in { options = { @@ -30,10 +33,8 @@ in config = mkIf cfg.enable { environment.systemPackages = with pkgs; [ thefuck ]; - programs.bash.interactiveShellInit = initScript; - programs.zsh.interactiveShellInit = mkIf prg.zsh.enable initScript; - programs.fish.interactiveShellInit = mkIf prg.fish.enable '' - ${pkgs.thefuck}/bin/thefuck --alias | source - ''; + programs.bash.interactiveShellInit = bashAndZshInitScript; + programs.zsh.interactiveShellInit = mkIf prg.zsh.enable bashAndZshInitScript; + programs.fish.interactiveShellInit = mkIf prg.fish.enable fishInitScript; }; } diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 530304b497ae8..b1fcb0b461fda 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix 
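Review bot: `${cfg.alias}` is spliced into both `bashAndZshInitScript` and the new `fishInitScript` without shell escaping, so an alias value containing whitespace or shell metacharacters is word-split or interpreted by the shell at login. The option's type is declared outside this hunk, but quoting the value once in both strings, `--alias ${lib.escapeShellArg cfg.alias}` (bare `escapeShellArg` if the file opens with `with lib;`), costs nothing and keeps the two scripts consistent. The new fish script also fixes `--alias` being passed without its argument, which deserves a mention in the commit message if it is not already there.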
@@ -492,7 +492,7 @@ let auth ${ussh.control} ${pkgs.pam_ussh}/lib/security/pam_ussh.so ${optionalString (ussh.caFile != null) "ca_file=${ussh.caFile}"} ${optionalString (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}"} ${optionalString (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}"} ${optionalString (ussh.group != null) "group=${ussh.group}"} '') + (let oath = config.security.pam.oath; in optionalString cfg.oathAuth '' - auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits} + auth requisite ${pkgs.oath-toolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits} '') + (let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth '' auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"} @@ -1131,7 +1131,7 @@ in ++ optional config.services.sssd.enable pkgs.sssd ++ optionals config.krb5.enable [pam_krb5 pam_ccreds] ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ] - ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ] + ++ optionals config.security.pam.oath.enable [ pkgs.oath-toolkit ] ++ optionals config.security.pam.p11.enable [ pkgs.pam_p11 ] ++ optionals config.security.pam.u2f.enable [ pkgs.pam_u2f ]; 
@@ -1221,7 +1221,7 @@ in mr ${pkgs.pam_ussh}/lib/security/pam_ussh.so, '' + optionalString (isEnabled (cfg: cfg.oathAuth)) '' - "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so, + "mr ${pkgs.oath-toolkit}/lib/security/pam_oath.so, '' + optionalString (isEnabled (cfg: cfg.yubicoAuth)) '' mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so, diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix index 8257eeb673b92..2f38661718738 100644 --- a/nixos/modules/services/hardware/udev.nix +++ b/nixos/modules/services/hardware/udev.nix @@ -8,6 +8,24 @@ let cfg = config.services.udev; + initrdUdevRules = pkgs.runCommand "initrd-udev-rules" {} '' + mkdir -p $out/etc/udev/rules.d + for f in 60-cdrom_id 60-persistent-storage 75-net-description 80-drivers 80-net-setup-link; do + ln -s ${config.boot.initrd.systemd.package}/lib/udev/rules.d/$f.rules $out/etc/udev/rules.d + done + ''; + + + # networkd link files are used early by udev to set up interfaces early. + # This must be done in stage 1 to avoid race conditions between udev and + # network daemons. + # TODO move this into the initrd-network module when it exists + initrdLinkUnits = pkgs.runCommand "initrd-link-units" {} '' + mkdir -p $out + ln -s ${udev}/lib/systemd/network/*.link $out/ + ${lib.concatMapStringsSep "\n" (file: "ln -s ${file} $out/") (lib.mapAttrsToList (n: v: "${v.unit}/${n}") (lib.filterAttrs (n: _: hasSuffix ".link" n) config.systemd.network.units))} + ''; + extraUdevRules = pkgs.writeTextFile { name = "extra-udev-rules"; text = cfg.extraRules; 
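Review bot: `initrdUdevRules` links a hard-coded list of rule files with `ln -s`, which succeeds even when the target does not exist, so a rule renamed or dropped in a future systemd release silently becomes a dangling link in the initrd instead of failing the build; an explicit check inside the loop, `src=${config.boot.initrd.systemd.package}/lib/udev/rules.d/$f.rules`, `test -e "$src" || { echo "missing udev rule $f" >&2; exit 1; }`, then `ln -s "$src" $out/etc/udev/rules.d`, catches that at build time regardless of errexit. The listed rules invoke helper programs; the storePaths hunk below adds `ata_id`, `cdrom_id` and `scsi_id`, but whether that is the complete set for these five rules in the pinned systemd cannot be checked from the diff, so a comment naming how the list was derived would help. Note too that the rules come from `config.boot.initrd.systemd.package` while `initrdLinkUnits` reads `${udev}/lib/systemd/network/*.link`; if `udev` is bound to the host systemd package (its binding is outside this hunk), the two derivations may differ.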
@@ -350,7 +368,10 @@ in ]; boot.initrd.systemd.storePaths = [ "${config.boot.initrd.systemd.package}/lib/systemd/systemd-udevd" - "${config.boot.initrd.systemd.package}/lib/udev" + "${config.boot.initrd.systemd.package}/lib/udev/ata_id" + "${config.boot.initrd.systemd.package}/lib/udev/cdrom_id" + "${config.boot.initrd.systemd.package}/lib/udev/scsi_id" + "${config.boot.initrd.systemd.package}/lib/udev/rules.d" ] ++ map (x: "${x}/bin") config.boot.initrd.services.udev.binPackages; # Generate the udev rules for the initrd @@ -364,13 +385,17 @@ in systemd = config.boot.initrd.systemd.package; binPackages = config.boot.initrd.services.udev.binPackages ++ [ config.boot.initrd.systemd.contents."/bin".source ]; }; + "/etc/systemd/network".source = initrdLinkUnits; }; - # Insert custom rules - boot.initrd.services.udev.packages = mkIf (config.boot.initrd.services.udev.rules != "") (pkgs.writeTextFile { - name = "initrd-udev-rules"; - destination = "/etc/udev/rules.d/99-local.rules"; - text = config.boot.initrd.services.udev.rules; - }); + # Insert initrd rules + boot.initrd.services.udev.packages = [ + initrdUdevRules + (mkIf (config.boot.initrd.services.udev.rules != "") (pkgs.writeTextFile { + name = "initrd-udev-rules"; + destination = "/etc/udev/rules.d/99-local.rules"; + text = config.boot.initrd.services.udev.rules; + })) + ]; environment.etc = { diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 230ab673a9761..d467c3c0471cf 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -441,6 +441,7 @@ in ${flip concatMapStrings cfg.hostKeys (k: '' if ! [ -s "${k.path}" ]; then + rm -f "${k.path}" ssh-keygen \ -t "${k.type}" \ ${if k ? bits then "-b ${toString k.bits}" else ""} \ diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix index 2d817ca19234b..a1855e1c1a791 100644 
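Review bot: The new `rm -f "${k.path}"` carries no explanation; since the surrounding `if ! [ -s "${k.path}" ]` already covers the missing-file case, the `rm` only matters when a zero-length key file exists, presumably left by an interrupted earlier generation, where `ssh-keygen` would otherwise stop to ask about overwriting and fail non-interactively. A comment such as `# drop a zero-length key file (e.g. from an interrupted run) so ssh-keygen does not prompt to overwrite it` records that. A stale `${k.path}.pub` is deliberately left to ssh-keygen, which is fine as long as that remains the observed behaviour. The enclosing `concatMapStrings` loop starts and ends outside this hunk.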
--- a/nixos/modules/services/web-apps/keycloak.nix +++ b/nixos/modules/services/web-apps/keycloak.nix @@ -540,7 +540,8 @@ in db = if cfg.database.type == "postgresql" then "postgres" else cfg.database.type; db-username = if databaseActuallyCreateLocally then "keycloak" else cfg.database.username; db-password._secret = cfg.database.passwordFile; - db-url-host = "${cfg.database.host}:${toString cfg.database.port}"; + db-url-host = cfg.database.host; + db-url-port = toString cfg.database.port; db-url-database = if databaseActuallyCreateLocally then "keycloak" else cfg.database.name; db-url-properties = prefixUnlessEmpty "?" dbProps; db-url = null; diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix index c07567ec82ead..1a1dcaea9c89a 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix @@ -33,7 +33,7 @@ let netbootxyz = if cfg.netbootxyz.enable then pkgs.netbootxyz-efi else ""; copyExtraFiles = pkgs.writeShellScript "copy-extra-files" '' - empty_file=$(mktemp) + empty_file=$(${pkgs.coreutils}/bin/mktemp) ${concatStrings (mapAttrsToList (n: v: '' ${pkgs.coreutils}/bin/install -Dp "${v}" "${efi.efiSysMountPoint}/"${escapeShellArg n} diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh index 3175836698091..22d5ec76af70b 100644 --- a/nixos/modules/system/boot/stage-1-init.sh +++ b/nixos/modules/system/boot/stage-1-init.sh @@ -318,11 +318,7 @@ checkFS() { echo "checking $device..." - fsckFlags= - if test "$fsType" != "btrfs"; then - fsckFlags="-V -a" - fi - fsck $fsckFlags "$device" + fsck -V -a "$device" fsckResult=$? if test $(($fsckResult | 2)) = $fsckResult; then diff --git a/nixos/modules/virtualisation/vmware-host.nix b/nixos/modules/virtualisation/vmware-host.nix new file mode 100644 index 0000000000000..faa0d455c9d6b --- /dev/null 
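Review bot: Collapsing the btrfs special case into an unconditional `fsck -V -a "$device"` assumes the initrd's `fsck.btrfs` accepts and tolerates `-V -a`; to my knowledge current btrfs-progs ship a `fsck.btrfs` that ignores its options, but that is exactly what the removed branch was guarding against and nothing in the hunk records why it is safe now. A one-line comment above the call, e.g. `# fsck.btrfs accepts and ignores these flags, so btrfs no longer needs special-casing`, would keep the branch from being reinstated later. `checkFS` starts and ends outside this hunk.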
+++ b/nixos/modules/virtualisation/vmware-host.nix 
@@ -0,0 +1,166 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.virtualisation.vmware.host; + wrapperDir = "/run/vmware/bin"; # Perfectly fits as /usr/local/bin + parentWrapperDir = dirOf wrapperDir; + vmwareWrappers = # Needed as hardcoded paths workaround + let mkVmwareSymlink = + program: + '' + ln -s "${config.security.wrapperDir}/${program}" $wrapperDir/${program} + ''; + in + [ + (mkVmwareSymlink "pkexec") + (mkVmwareSymlink "mount") + (mkVmwareSymlink "umount") + ]; +in +{ + options = with lib; { + virtualisation.vmware.host = { + enable = mkEnableOption "VMware" // { + description = '' + This enables VMware host virtualisation for running VMs. + + <important><para> + <literal>vmware-vmx</literal> will cause kcompactd0 due to + <literal>Transparent Hugepages</literal> feature in kernel. + Apply <literal>[ "transparent_hugepage=never" ]</literal> in + option <option>boot.kernelParams</option> to disable them. + </para></important> + + <note><para> + If that didn't work disable <literal>TRANSPARENT_HUGEPAGE</literal>, + <literal>COMPACTION</literal> configs and recompile kernel. 
+ </para></note> + ''; + }; + package = mkOption { + type = types.package; + default = pkgs.vmware-workstation; + defaultText = literalExpression "pkgs.vmware-workstation"; + description = "VMware host virtualisation package to use"; + }; + extraPackages = mkOption { + type = with types; listOf package; + default = with pkgs; [ ]; + description = "Extra packages to be used with VMware host."; + example = "with pkgs; [ ntfs3g ]"; + }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Add extra config to /etc/vmware/config"; + example = '' + # Allow unsupported device's OpenGL and Vulkan acceleration for guest vGPU + mks.gl.allowUnsupportedDrivers = "TRUE" + mks.vk.allowUnsupportedDevices = "TRUE" + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + boot.extraModulePackages = [ config.boot.kernelPackages.vmware ]; + boot.extraModprobeConfig = "alias char-major-10-229 fuse"; + boot.kernelModules = [ "vmw_pvscsi" "vmw_vmci" "vmmon" "vmnet" "fuse" ]; + + environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages; + services.printing.drivers = [ cfg.package ]; + + environment.etc."vmware/config".text = '' + ${builtins.readFile "${cfg.package}/etc/vmware/config"} + ${cfg.extraConfig} + ''; + + environment.etc."vmware/bootstrap".source = "${cfg.package}/etc/vmware/bootstrap"; + environment.etc."vmware/icu".source = "${cfg.package}/etc/vmware/icu"; + environment.etc."vmware-installer".source = "${cfg.package}/etc/vmware-installer"; + + # SUID wrappers + + security.wrappers = { + vmware-vmx = { + setuid = true; + owner = "root"; + group = "root"; + source = "${cfg.package}/lib/vmware/bin/.vmware-vmx-wrapped"; + }; + }; + + ###### wrappers activation script + + system.activationScripts.vmwareWrappers = + lib.stringAfter [ "specialfs" "users" ] + '' + mkdir -p "${parentWrapperDir}" + chmod 755 "${parentWrapperDir}" + # We want to place the tmpdirs for the wrappers to the parent dir. 
+ wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX) + chmod a+rx "$wrapperDir" + ${lib.concatStringsSep "\n" (vmwareWrappers)} + if [ -L ${wrapperDir} ]; then + # Atomically replace the symlink + # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ + old=$(readlink -f ${wrapperDir}) + if [ -e "${wrapperDir}-tmp" ]; then + rm --force --recursive "${wrapperDir}-tmp" + fi + ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp" + mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}" + rm --force --recursive "$old" + else + # For initial setup + ln --symbolic "$wrapperDir" "${wrapperDir}" + fi + ''; + + # Services + + systemd.services."vmware-authdlauncher" = { + description = "VMware Authentification Daemon"; + serviceConfig = { + Type = "forking"; + ExecStart = [ "${cfg.package}/bin/vmware-authdlauncher" ]; + }; + wantedBy = [ "multi-user.target" ]; + }; + + systemd.services."vmware-networks-configuration" = { + description = "VMware Networks Configuration Generation"; + unitConfig.ConditionPathExists = "!/etc/vmware/networking"; + serviceConfig = { + UMask = "0077"; + ExecStart = [ + "${cfg.package}/bin/vmware-networks --postinstall vmware-player,0,1" + ]; + Type = "oneshot"; + RemainAfterExit = "yes"; + }; + wantedBy = [ "multi-user.target" ]; + }; + + systemd.services."vmware-networks" = { + description = "VMware Networks"; + after = [ "vmware-networks-configuration.service" ]; + requires = [ "vmware-networks-configuration.service" ]; + serviceConfig = { + Type = "forking"; + ExecCondition = [ "${pkgs.kmod}/bin/modprobe vmnet" ]; + ExecStart = [ "${cfg.package}/bin/vmware-networks --start" ]; + ExecStop = [ "${cfg.package}/bin/vmware-networks --stop" ]; + }; + wantedBy = [ "multi-user.target" ]; + }; + + systemd.services."vmware-usbarbitrator" = { + description = "VMware USB Arbitrator"; + serviceConfig = { + ExecStart = [ "${cfg.package}/bin/vmware-usbarbitrator -f" ]; + }; 
+ wantedBy = [ "multi-user.target" ]; + }; + }; +} diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index fd8a39cfb92b4..7f81ca1c69b88 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -132,12 +132,14 @@ in rec { # fails with kernel >= 5.15 https://github.com/NixOS/nixpkgs/pull/152505#issuecomment-1005049314 #(onFullSupported "nixos.tests.nfs3.simple") (onFullSupported "nixos.tests.nfs4.simple") + (onSystems ["x86_64-linux"] "nixos.tests.oci-containers.podman") (onFullSupported "nixos.tests.openssh") (onFullSupported "nixos.tests.pantheon") (onFullSupported "nixos.tests.php.fpm") (onFullSupported "nixos.tests.php.httpd") (onFullSupported "nixos.tests.php.pcre") (onFullSupported "nixos.tests.plasma5") + (onSystems ["x86_64-linux"] "nixos.tests.podman") (onFullSupported "nixos.tests.predictable-interface-names.predictableNetworkd") (onFullSupported "nixos.tests.predictable-interface-names.predictable") (onFullSupported "nixos.tests.predictable-interface-names.unpredictableNetworkd") diff --git a/nixos/release.nix b/nixos/release.nix index 6b7564a9b9721..0df443dd204cb 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -150,13 +150,13 @@ in rec { }); iso_plasma5 = forMatchingSystems [ "x86_64-linux" ] (system: makeIso { - module = ./modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix; + module = ./modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma5.nix; type = "plasma5"; inherit system; }); iso_gnome = forMatchingSystems [ "x86_64-linux" ] (system: makeIso { - module = ./modules/installer/cd-dvd/installation-cd-graphical-gnome.nix; + module = ./modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix; type = "gnome"; inherit system; }); diff --git a/nixos/tests/matrix-appservice-irc.nix b/nixos/tests/matrix-appservice-irc.nix index d1c561f95dbf2..70d4585239865 100644 --- a/nixos/tests/matrix-appservice-irc.nix +++ b/nixos/tests/matrix-appservice-irc.nix 
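Review bot: `environment.etc."vmware/config".text` calls `builtins.readFile "${cfg.package}/etc/vmware/config"`, which reads a store path during evaluation (import-from-derivation): the proprietary `cfg.package` must be fully built before the configuration can even be evaluated, and nixpkgs' own evaluation checks reject that pattern. Producing the file as a derivation instead keeps the concatenation at build time; the rewrite below does that with the `pkgs.runCommand` already used elsewhere in this commit. The `pkexec` entry in `vmwareWrappers` also assumes a `pkexec` wrapper exists in `config.security.wrapperDir`, which as far as I know only the polkit module installs, so without `security.polkit.enable` that symlink dangles; either enable polkit from this module or document the requirement. Finally, the `vmware-vmx` setuid wrapper hands root to a vendor binary, which is unavoidable here but deserves a comment saying why it is needed.
```nix
environment.etc."vmware/config".source = pkgs.runCommand "vmware-config" { } ''
  cat ${cfg.package}/etc/vmware/config > $out
  printf '%s\n' ${lib.escapeShellArg cfg.extraConfig} >> $out
'';
# … unchanged: bootstrap/icu/vmware-installer etc entries, wrappers, activation script, services …
```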
@@ -20,6 +20,9 @@ import ./make-test-python.nix ({ pkgs, ... }: enable_registration = true; + # don't use this in production, always use some form of verification + enable_registration_without_verification = true; + listeners = [ { # The default but tls=false bind_addresses = [ diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix index 003813379e697..4083f5906d79a 100644 --- a/nixos/tests/openssh.nix +++ b/nixos/tests/openssh.nix @@ -80,17 +80,21 @@ in { client.wait_for_unit("network.target") client.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2" + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2", + timeout=30 ) client.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024" + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024", + timeout=30 ) client.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'echo hello world' >&2" + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'echo hello world' >&2", + timeout=30 ) client.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'ulimit -l' | grep 1024" + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'ulimit -l' | grep 1024", + timeout=30 ) with subtest("configured-authkey"): 
@@ -99,10 +103,12 @@ in { ) client.succeed("chmod 600 privkey.snakeoil") client.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server true" + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server true", + timeout=30 ) client.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server_lazy true" + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server_lazy true", + timeout=30 ) with subtest("localhost-only"): diff --git a/nixos/tests/pam/pam-oath-login.nix b/nixos/tests/pam/pam-oath-login.nix index 8fb7553de9073..c532e81e674d7 100644 --- a/nixos/tests/pam/pam-oath-login.nix +++ b/nixos/tests/pam/pam-oath-login.nix @@ -7,7 +7,7 @@ let # how many passwords have been made. In this env, we'll always be on # the 0th counter, so the password is static. # - # Generated in nix-shell -p oathToolkit + # Generated in nix-shell -p oath-toolkit # via: oathtool -v -d6 -w10 cdd4083ef8ff1fa9178c6d46bfb1a3 # and picking a the first 4: oathSnakeOilPassword1 = "143349"; diff --git a/nixos/tests/pgadmin4.nix b/nixos/tests/pgadmin4.nix index 2f6dc3bd569ff..b30299d307eb9 100644 --- a/nixos/tests/pgadmin4.nix +++ b/nixos/tests/pgadmin4.nix 
@@ -1,53 +1,27 @@ -import ./make-test-python.nix ({ pkgs, lib, ... }: +import ./make-test-python.nix ({ pkgs, lib, buildDeps ? [ ], pythonEnv ? [ ], ... }: + + /* + This test suite replaces the typical pytestCheckHook function in python + packages. Pgadmin4 test suite needs a running and configured postgresql + server. This is why this test exists. + + To not repeat all the python dependencies needed, this test is called directly + from the pgadmin4 derivation, which also passes the currently + used propagatedBuildInputs and any python overrides. + + Unfortunately, there doesn't seem to be an easy way to otherwise include + the needed packages here. + + Due the the needed parameters a direct call to "nixosTests.pgadmin4" fails + and needs to be called as "pgadmin4.tests" + + */ let pgadmin4SrcDir = "/pgadmin"; pgadmin4Dir = "/var/lib/pgadmin"; pgadmin4LogDir = "/var/log/pgadmin"; - python-with-needed-packages = pkgs.python3.withPackages (ps: with ps; [ - selenium - testtools - testscenarios - flask - flask-babelex - flask-babel - flask-gravatar - flask_login - flask_mail - flask_migrate - flask_sqlalchemy - flask_wtf - flask-compress - passlib - pytz - simplejson - six - sqlparse - wtforms - flask-paranoid - psutil - psycopg2 - python-dateutil - sqlalchemy - itsdangerous - flask-security-too - bcrypt - cryptography - sshtunnel - ldap3 - gssapi - flask-socketio - eventlet - httpagentparser - user-agents - wheel - authlib - qrcode - pillow - pyotp - boto3 - ]); in { name = "pgadmin4"; 
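Review bot: `pythonEnv ? [ ]` defaults the argument to a list, but the next hunk installs the value as `pythonPackages` in an overlay and then reads `pythonPackages.testscenarios` from it, so invoking this test without the argument fails with an attribute-access-on-list error rather than a clear message. Either default it to a package set, `pythonEnv ? pkgs.python3Packages` (a Nix default may refer to a sibling argument), or drop both defaults and let the missing-argument error name the parameter; the header comment already states that direct invocation is unsupported, so the second option matches it. The header comment also has a typo, `Due the the`, and its `pgadmin4.tests` reference should be kept in sync with the derivation that passes `buildDeps`.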
@@ -55,12 +29,27 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: nodes.machine = { pkgs, ... }: { imports = [ ./common/x11.nix ]; + # needed because pgadmin 6.8 will fail, if those dependencies get updated + nixpkgs.overlays = [ + (self: super: { + pythonPackages = pythonEnv; + }) + ]; + environment.systemPackages = with pkgs; [ pgadmin4 postgresql - python-with-needed-packages chromedriver chromium + # include the same packages as in pgadmin minus speaklater3 + (python3.withPackages + (ps: buildDeps ++ + [ + # test suite package requirements + pythonPackages.testscenarios + pythonPackages.selenium + ]) + ) ]; services.postgresql = { enable = true; @@ -121,7 +110,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: with subtest("run browser test"): machine.succeed( 'cd ${pgadmin4SrcDir}/pgadmin4-${pkgs.pgadmin4.version}/web \ - && ${python-with-needed-packages.interpreter} regression/runtests.py --pkg browser --exclude \ + && python regression/runtests.py --pkg browser --exclude \ browser.tests.test_ldap_login.LDAPLoginTestCase,browser.tests.test_ldap_login' ) @@ -131,13 +120,13 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: machine.succeed( 'cd ${pgadmin4SrcDir}/pgadmin4-${pkgs.pgadmin4.version}/web \ && export FONTCONFIG_FILE=${pkgs.makeFontsConf { fontDirectories = [];}} \ - && ${python-with-needed-packages.interpreter} regression/runtests.py --pkg feature_tests' + && python regression/runtests.py --pkg feature_tests' ) with subtest("run resql test"): machine.succeed( 'cd ${pgadmin4SrcDir}/pgadmin4-${pkgs.pgadmin4.version}/web \ - && ${python-with-needed-packages.interpreter} regression/runtests.py --pkg resql' + && python regression/runtests.py --pkg resql' ) ''; }) |
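Review bot: The three `runtests.py` invocations now rely on a bare `python` resolved through `PATH`, whereas before the exact `withPackages` interpreter was used; if any other package on the test VM also provides `bin/python` (chromium's dependencies or the overlaid `pythonPackages`, say), the tests run with an interpreter that lacks `buildDeps` and fail in a confusing way. Since `pythonEnv` is passed in directly, the environment can be built in the outer `let` without the overlay, `testPython = pkgs.python3.withPackages (ps: buildDeps ++ [ pythonEnv.testscenarios pythonEnv.selenium ]);`, and each call can use `${testPython}/bin/python regression/runtests.py …` as before — assuming `buildDeps` and `pythonEnv` come from the same Python version, which the caller must guarantee. If the overlay is kept, its comment should state that it replaces `pythonPackages` for every module in the machine's configuration, not only for pgadmin4.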