diff options
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/lib/make-squashfs.nix | 3 | ||||
-rw-r--r-- | nixos/modules/installer/cd-dvd/iso-image.nix | 3 | ||||
-rw-r--r-- | nixos/modules/programs/starship.nix | 33 | ||||
-rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 5 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/c2fmzq-server.nix | 2 | ||||
-rw-r--r-- | nixos/modules/tasks/trackpoint.nix | 2 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 2 | ||||
-rw-r--r-- | nixos/tests/c2fmzq.nix | 3 | ||||
-rw-r--r-- | nixos/tests/nginx-etag-compression.nix | 45 | ||||
-rw-r--r-- | nixos/tests/nixos-rebuild-target-host.nix | 136 | ||||
-rw-r--r-- | nixos/tests/spark/default.nix | 2 |
11 files changed, 222 insertions, 14 deletions
diff --git a/nixos/lib/make-squashfs.nix b/nixos/lib/make-squashfs.nix index 4b6b567399484..f28e2c6715805 100644 --- a/nixos/lib/make-squashfs.nix +++ b/nixos/lib/make-squashfs.nix @@ -14,6 +14,7 @@ let pseudoFilesArgs = lib.concatMapStrings (f: ''-p "${f}" '') pseudoFiles; + compFlag = if comp == null then "-no-compression" else "-comp ${comp}"; in stdenv.mkDerivation { name = "${fileName}.img"; @@ -39,7 +40,7 @@ stdenv.mkDerivation { # Generate the squashfs image. mksquashfs nix-path-registration $(cat $closureInfo/store-paths) $out ${pseudoFilesArgs} \ - -no-hardlinks ${lib.optionalString noStrip "-no-strip"} -keep-as-directory -all-root -b 1048576 -comp ${comp} \ + -no-hardlinks ${lib.optionalString noStrip "-no-strip"} -keep-as-directory -all-root -b 1048576 ${compFlag} \ -processors $NIX_BUILD_CORES ''; } diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 0b5135c088eaf..6adb94e09aff3 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -512,9 +512,10 @@ in + lib.optionalString isAarch "-Xbcj arm" + lib.optionalString (isPower && is32bit && isBigEndian) "-Xbcj powerpc" + lib.optionalString (isSparc) "-Xbcj sparc"; - type = lib.types.str; + type = lib.types.nullOr lib.types.str; description = lib.mdDoc '' Compression settings to use for the squashfs nix store. + `null` disables compression. ''; example = "zstd -Xcompression-level 6"; }; diff --git a/nixos/modules/programs/starship.nix b/nixos/modules/programs/starship.nix index bec3900496fd9..34f6f0882c617 100644 --- a/nixos/modules/programs/starship.nix +++ b/nixos/modules/programs/starship.nix @@ -1,13 +1,21 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.starship; settingsFormat = pkgs.formats.toml { }; - settingsFile = settingsFormat.generate "starship.toml" cfg.settings; + userSettingsFile = settingsFormat.generate "starship.toml" cfg.settings; + + settingsFile = if cfg.presets == [] then userSettingsFile else pkgs.runCommand "starship.toml" + { + nativeBuildInputs = [ pkgs.yq ]; + } '' + tomlq -s -t 'reduce .[] as $item ({}; . * $item)' \ + ${lib.concatStringsSep " " (map (f: "${pkgs.starship}/share/starship/presets/${f}.toml") cfg.presets)} \ + ${userSettingsFile} \ + > $out + ''; initOption = if cfg.interactiveOnly then @@ -18,19 +26,28 @@ let in { options.programs.starship = { - enable = mkEnableOption (lib.mdDoc "the Starship shell prompt"); + enable = lib.mkEnableOption (lib.mdDoc "the Starship shell prompt"); - interactiveOnly = mkOption { + interactiveOnly = lib.mkOption { default = true; example = false; - type = types.bool; + type = lib.types.bool; description = lib.mdDoc '' Whether to enable starship only when the shell is interactive. Some plugins require this to be set to false to function correctly. ''; }; - settings = mkOption { + presets = lib.mkOption { + default = [ ]; + example = [ "nerd-font-symbols" ]; + type = with lib.types; listOf str; + description = lib.mdDoc '' + Presets files to be merged with settings in order. + ''; + }; + + settings = lib.mkOption { inherit (settingsFormat) type; default = { }; description = lib.mdDoc '' @@ -41,7 +58,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { programs.bash.${initOption} = '' if [[ $TERM != "dumb" ]]; then # don't set STARSHIP_CONFIG automatically if there's a user-specified diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index d32712c8243d7..c96439cf2641a 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -565,7 +565,10 @@ in wantedBy = [ "network-online.target" ]; }; - systemd.services.ModemManager.aliases = [ "dbus-org.freedesktop.ModemManager1.service" ]; + systemd.services.ModemManager = { + aliases = [ "dbus-org.freedesktop.ModemManager1.service" ]; + path = lib.optionals (cfg.fccUnlockScripts != []) [ pkgs.libqmi pkgs.libmbim ]; + }; systemd.services.NetworkManager-dispatcher = { wantedBy = [ "network.target" ]; diff --git a/nixos/modules/services/web-apps/c2fmzq-server.nix b/nixos/modules/services/web-apps/c2fmzq-server.nix index 2749c2a5a87aa..54c4bf1b09ca5 100644 --- a/nixos/modules/services/web-apps/c2fmzq-server.nix +++ b/nixos/modules/services/web-apps/c2fmzq-server.nix @@ -6,7 +6,7 @@ let cfg = config.services.c2fmzq-server; argsFormat = { - type = with lib.types; nullOr (oneOf [ bool int str ]); + type = with lib.types; attrsOf (nullOr (oneOf [ bool int str ])); generate = lib.cli.toGNUCommandLineShell { }; }; in { diff --git a/nixos/modules/tasks/trackpoint.nix b/nixos/modules/tasks/trackpoint.nix index 317613b847927..b3f6f32eaa473 100644 --- a/nixos/modules/tasks/trackpoint.nix +++ b/nixos/modules/tasks/trackpoint.nix @@ -88,7 +88,7 @@ with lib; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; serviceConfig.ExecStart = '' - ${config.systemd.package}/bin/udevadm trigger --attr-match=name="${cfg.device} + ${config.systemd.package}/bin/udevadm trigger --attr-match=name="${cfg.device}" ''; }; }) diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 1dc5e1a1ecfd6..33f13c3d1181c 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -583,6 +583,7 @@ in { nginx = handleTest ./nginx.nix {}; nginx-auth = handleTest ./nginx-auth.nix {}; nginx-etag = handleTest ./nginx-etag.nix {}; + nginx-etag-compression = handleTest ./nginx-etag-compression.nix {}; nginx-globalredirect = handleTest ./nginx-globalredirect.nix {}; nginx-http3 = handleTest ./nginx-http3.nix {}; nginx-modsecurity = handleTest ./nginx-modsecurity.nix {}; @@ -604,6 +605,7 @@ in { nixos-generate-config = handleTest ./nixos-generate-config.nix {}; nixos-rebuild-install-bootloader = handleTestOn ["x86_64-linux"] ./nixos-rebuild-install-bootloader.nix {}; nixos-rebuild-specialisations = handleTestOn ["x86_64-linux"] ./nixos-rebuild-specialisations.nix {}; + nixos-rebuild-target-host = handleTest ./nixos-rebuild-target-host.nix {}; nixpkgs = pkgs.callPackage ../modules/misc/nixpkgs/test.nix { inherit evalMinimalConfig; }; nixseparatedebuginfod = handleTest ./nixseparatedebuginfod.nix {}; node-red = handleTest ./node-red.nix {}; diff --git a/nixos/tests/c2fmzq.nix b/nixos/tests/c2fmzq.nix index d8ec816c7d29c..59addbde24ed5 100644 --- a/nixos/tests/c2fmzq.nix +++ b/nixos/tests/c2fmzq.nix @@ -9,6 +9,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { passphraseFile = builtins.toFile "pwfile" "hunter2"; # don't do this on real deployments settings = { verbose = 3; # debug + # make sure multiple freeform options evaluate + allow-new-accounts = true; + auto-approve-new-accounts = true; }; }; environment = { diff --git a/nixos/tests/nginx-etag-compression.nix b/nixos/tests/nginx-etag-compression.nix new file mode 100644 index 0000000000000..67493ae299841 --- /dev/null +++ b/nixos/tests/nginx-etag-compression.nix @@ -0,0 +1,45 @@ +import ./make-test-python.nix { + name = "nginx-etag-compression"; + + nodes.machine = { pkgs, lib, ... }: { + services.nginx = { + enable = true; + recommendedGzipSettings = true; + virtualHosts.default = { + root = pkgs.runCommandLocal "testdir" {} '' + mkdir "$out" + cat > "$out/index.html" <<EOF + Hello, world! + Hello, world! + Hello, world! + Hello, world! + Hello, world! + Hello, world! + Hello, world! + Hello, world! + EOF + ${pkgs.gzip}/bin/gzip -k "$out/index.html" + ''; + }; + }; + }; + + testScript = { nodes, ... }: '' + machine.wait_for_unit("nginx") + machine.wait_for_open_port(80) + + etag_plain = machine.succeed("curl -s -w'%header{etag}' -o/dev/null -H 'Accept-encoding:' http://127.0.0.1/") + etag_gzip = machine.succeed("curl -s -w'%header{etag}' -o/dev/null -H 'Accept-encoding:gzip' http://127.0.0.1/") + + with subtest("different representations have different etags"): + assert etag_plain != etag_gzip, f"etags should differ: {etag_plain} == {etag_gzip}" + + with subtest("etag for uncompressed response is reproducible"): + etag_plain_repeat = machine.succeed("curl -s -w'%header{etag}' -o/dev/null -H 'Accept-encoding:' http://127.0.0.1/") + assert etag_plain == etag_plain_repeat, f"etags should be the same: {etag_plain} != {etag_plain_repeat}" + + with subtest("etag for compressed response is reproducible"): + etag_gzip_repeat = machine.succeed("curl -s -w'%header{etag}' -o/dev/null -H 'Accept-encoding:gzip' http://127.0.0.1/") + assert etag_gzip == etag_gzip_repeat, f"etags should be the same: {etag_gzip} != {etag_gzip_repeat}" + ''; +} diff --git a/nixos/tests/nixos-rebuild-target-host.nix b/nixos/tests/nixos-rebuild-target-host.nix new file mode 100644 index 0000000000000..8d60b788abf38 --- /dev/null +++ b/nixos/tests/nixos-rebuild-target-host.nix @@ -0,0 +1,136 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "nixos-rebuild-target-host"; + + nodes = { + deployer = { lib, ... }: let + inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey; + in { + imports = [ ../modules/profiles/installation-device.nix ]; + + nix.settings = { + substituters = lib.mkForce [ ]; + hashed-mirrors = null; + connect-timeout = 1; + }; + + environment.systemPackages = [ pkgs.passh ]; + + system.includeBuildDependencies = true; + + virtualisation = { + cores = 2; + memorySize = 2048; + }; + + system.build.privateKey = snakeOilPrivateKey; + system.build.publicKey = snakeOilPublicKey; + }; + + target = { nodes, lib, ... }: let + targetConfig = { + documentation.enable = false; + services.openssh.enable = true; + + users.users.root.openssh.authorizedKeys.keys = [ nodes.deployer.system.build.publicKey ]; + users.users.alice.openssh.authorizedKeys.keys = [ nodes.deployer.system.build.publicKey ]; + users.users.bob.openssh.authorizedKeys.keys = [ nodes.deployer.system.build.publicKey ]; + + users.users.alice.extraGroups = [ "wheel" ]; + users.users.bob.extraGroups = [ "wheel" ]; + + # Disable sudo for root to ensure sudo isn't called without `--use-remote-sudo` + security.sudo.extraRules = lib.mkForce [ + { groups = [ "wheel" ]; commands = [ { command = "ALL"; } ]; } + { users = [ "alice" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; } + ]; + + nix.settings.trusted-users = [ "@wheel" ]; + }; + in { + imports = [ ./common/user-account.nix ]; + + config = lib.mkMerge [ + targetConfig + { + system.build = { + inherit targetConfig; + }; + + networking.hostName = "target"; + } + ]; + }; + }; + + testScript = { nodes, ... }: + let + sshConfig = builtins.toFile "ssh.conf" '' + UserKnownHostsFile=/dev/null + StrictHostKeyChecking=no + ''; + + targetConfigJSON = pkgs.writeText "target-configuration.json" + (builtins.toJSON nodes.target.system.build.targetConfig); + + targetNetworkJSON = pkgs.writeText "target-network.json" + (builtins.toJSON nodes.target.system.build.networkConfig); + + configFile = hostname: pkgs.writeText "configuration.nix" '' + { lib, modulesPath, ... }: { + imports = [ + (modulesPath + "/virtualisation/qemu-vm.nix") + (modulesPath + "/testing/test-instrumentation.nix") + (modulesPath + "/../tests/common/user-account.nix") + (lib.modules.importJSON ./target-configuration.json) + (lib.modules.importJSON ./target-network.json) + ./hardware-configuration.nix + ]; + + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + forceInstall = true; + }; + + # this will be asserted + networking.hostName = "${hostname}"; + } + ''; + in + '' + start_all() + target.wait_for_open_port(22) + + deployer.wait_until_succeeds("ping -c1 target") + deployer.succeed("install -Dm 600 ${nodes.deployer.system.build.privateKey} ~root/.ssh/id_ecdsa") + deployer.succeed("install ${sshConfig} ~root/.ssh/config") + + target.succeed("nixos-generate-config") + deployer.succeed("scp alice@target:/etc/nixos/hardware-configuration.nix /root/hardware-configuration.nix") + + deployer.copy_from_host("${configFile "config-1-deployed"}", "/root/configuration-1.nix") + deployer.copy_from_host("${configFile "config-2-deployed"}", "/root/configuration-2.nix") + deployer.copy_from_host("${configFile "config-3-deployed"}", "/root/configuration-3.nix") + deployer.copy_from_host("${targetNetworkJSON}", "/root/target-network.json") + deployer.copy_from_host("${targetConfigJSON}", "/root/target-configuration.json") + + # Ensure sudo is disabled for root + target.fail("sudo true") + + # This test also ensures that sudo is not called without --use-remote-sudo + with subtest("Deploy to root@target"): + deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-1.nix --target-host root@target &>/dev/console") + target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip() + assert target_hostname == "config-1-deployed", f"{target_hostname=}" + + with subtest("Deploy to alice@target with passwordless sudo"): + deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-2.nix --target-host alice@target --use-remote-sudo &>/dev/console") + target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip() + assert target_hostname == "config-2-deployed", f"{target_hostname=}" + + with subtest("Deploy to bob@target with password based sudo"): + deployer.succeed("passh -c 3 -C -p ${nodes.target.users.users.bob.password} -P \"\[sudo\] password\" nixos-rebuild switch -I nixos-config=/root/configuration-3.nix --target-host bob@target --use-remote-sudo &>/dev/console") + target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip() + assert target_hostname == "config-3-deployed", f"{target_hostname=}" + ''; +}) diff --git a/nixos/tests/spark/default.nix b/nixos/tests/spark/default.nix index eed7db35bf4f1..034e9711bed52 100644 --- a/nixos/tests/spark/default.nix +++ b/nixos/tests/spark/default.nix @@ -10,7 +10,7 @@ let sparkCluster = testSparkCluster args; passthru.override = args': testsForPackage (args // args'); }; - testSparkCluster = { sparkPackage, ... }: pkgs.nixosTest ({ + testSparkCluster = { sparkPackage, ... }: pkgs.testers.nixosTest ({ name = "spark"; nodes = { |