diff options
Diffstat (limited to 'nixos')
24 files changed, 371 insertions, 162 deletions
diff --git a/nixos/doc/manual/configuration/ipv6-config.xml b/nixos/doc/manual/configuration/ipv6-config.xml index 7b89b4092be7d..45e85dbf3dfdb 100644 --- a/nixos/doc/manual/configuration/ipv6-config.xml +++ b/nixos/doc/manual/configuration/ipv6-config.xml @@ -7,8 +7,12 @@ <para> IPv6 is enabled by default. Stateless address autoconfiguration is used to - automatically assign IPv6 addresses to all interfaces. You can disable IPv6 - support globally by setting: + automatically assign IPv6 addresses to all interfaces, and Privacy + Extensions (RFC 4946) are enabled by default. You can adjust the default + for this by setting <xref linkend="opt-networking.tempAddresses"/>. + This option may be overridden on a per-interface basis by + <xref linkend="opt-networking.interfaces._name_.tempAddress"/>. + You can disable IPv6 support globally by setting: <programlisting> <xref linkend="opt-networking.enableIPv6"/> = false; </programlisting> diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml index e3e6dc484330c..bee1cddbecfe9 100644 --- a/nixos/doc/manual/release-notes/rl-2105.xml +++ b/nixos/doc/manual/release-notes/rl-2105.xml @@ -27,7 +27,7 @@ <para>The default Linux kernel was updated to the 5.10 LTS series, coming from the 5.4 LTS series.</para> </listitem> <listitem> - <para>GNOME desktop environment was upgraded to 3.38, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">release notes</link>.</para> + <para>GNOME desktop environment was upgraded to 40, see the release notes for <link xlink:href="https://help.gnome.org/misc/release-notes/40.0/">40.0</link> and <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">3.38</link>.</para> </listitem> <listitem> <para> diff --git a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix index 9f9b86ee61cbb..2f0b573e87210 100644 --- a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix +++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix @@ -37,15 +37,22 @@ let description = '' Number of tasks to perform simultaneously. - A task is a single derivation build or an evaluation. + A task is a single derivation build, an evaluation or an effect run. At minimum, you need 2 concurrent tasks for <literal>x86_64-linux</literal> in your cluster, to allow for import from derivation. <literal>concurrentTasks</literal> can be around the CPU core count or lower if memory is the bottleneck. + + The optimal value depends on the resource consumption characteristics of your workload, + including memory usage and in-task parallelism. This is typically determined empirically. + + When scaling, it is generally better to have a double-size machine than two machines, + because each split of resources causes inefficiencies; particularly with regards + to build latency because of extra downloads. ''; - type = types.int; - default = 4; + type = types.either types.ints.positive (types.enum [ "auto" ]); + default = "auto"; }; workDirectory = mkOption { description = '' @@ -186,7 +193,18 @@ in # even shortly after the previous lookup. This *also* applies to the daemon. narinfo-cache-negative-ttl = 0 ''; - services.hercules-ci-agent.tomlFile = - format.generate "hercules-ci-agent.toml" cfg.settings; + services.hercules-ci-agent = { + tomlFile = + format.generate "hercules-ci-agent.toml" cfg.settings; + + settings.labels = { + agent.source = + if options.services.hercules-ci-agent.package.highestPrio == (lib.modules.mkOptionDefault { }).priority + then "nixpkgs" + else lib.mkOptionDefault "override"; + pkgs.version = pkgs.lib.version; + lib.version = lib.version; + }; + }; }; } diff --git a/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix b/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix index e8a42e59de0d0..06c174e7d376e 100644 --- a/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix +++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix @@ -68,7 +68,23 @@ in # Trusted user allows simplified configuration and better performance # when operating in a cluster. nix.trustedUsers = [ config.systemd.services.hercules-ci-agent.serviceConfig.User ]; - services.hercules-ci-agent.settings.nixUserIsTrusted = true; + services.hercules-ci-agent = { + settings = { + nixUserIsTrusted = true; + labels = + let + mkIfNotNull = x: mkIf (x != null) x; + in + { + nixos.configurationRevision = mkIfNotNull config.system.configurationRevision; + nixos.release = config.system.nixos.release; + nixos.label = mkIfNotNull config.system.nixos.label; + nixos.codeName = config.system.nixos.codeName; + nixos.tags = config.system.nixos.tags; + nixos.systemName = mkIfNotNull config.system.name; + }; + }; + }; users.users.hercules-ci-agent = { home = cfg.settings.baseDirectory; diff --git a/nixos/modules/services/databases/couchdb.nix b/nixos/modules/services/databases/couchdb.nix index c99a7529213d7..6cc29cd717ecb 100644 --- a/nixos/modules/services/databases/couchdb.nix +++ b/nixos/modules/services/databases/couchdb.nix @@ -4,24 +4,17 @@ with lib; let cfg = config.services.couchdb; - useVersion2 = strings.versionAtLeast (strings.getVersion cfg.package) "2.0"; configFile = pkgs.writeText "couchdb.ini" ( '' [couchdb] database_dir = ${cfg.databaseDir} uri_file = ${cfg.uriFile} view_index_dir = ${cfg.viewIndexDir} - '' + (if cfg.adminPass != null then - '' + '' + (optionalString (cfg.adminPass != null) '' [admins] ${cfg.adminUser} = ${cfg.adminPass} - '' else - "") + (if useVersion2 then - '' + '' + '' [chttpd] - '' else - '' - [httpd] '') + '' port = ${toString cfg.port} @@ -30,8 +23,7 @@ let [log] file = ${cfg.logFile} ''); - executable = if useVersion2 then "${cfg.package}/bin/couchdb" - else ''${cfg.package}/bin/couchdb -a ${configFile} -a ${pkgs.writeText "couchdb-extra.ini" cfg.extraConfig} -a ${cfg.configFile}''; + executable = "${cfg.package}/bin/couchdb"; in { @@ -177,8 +169,7 @@ in { environment.systemPackages = [ cfg.package ]; - services.couchdb.configFile = mkDefault - (if useVersion2 then "/var/lib/couchdb/local.ini" else "/var/lib/couchdb/couchdb.ini"); + services.couchdb.configFile = mkDefault "/var/lib/couchdb/local.ini"; systemd.tmpfiles.rules = [ "d '${dirOf cfg.uriFile}' - ${cfg.user} ${cfg.group} - -" @@ -195,7 +186,7 @@ in { touch ${cfg.configFile} ''; - environment = mkIf useVersion2 { + environment = { # we are actually specifying 4 configuration files: # 1. the preinstalled default.ini # 2. the module configuration diff --git a/nixos/modules/services/hardware/fancontrol.nix b/nixos/modules/services/hardware/fancontrol.nix index e1ce11a5aef62..3722db5bc5122 100644 --- a/nixos/modules/services/hardware/fancontrol.nix +++ b/nixos/modules/services/hardware/fancontrol.nix @@ -6,21 +6,21 @@ let cfg = config.hardware.fancontrol; configFile = pkgs.writeText "fancontrol.conf" cfg.config; -in{ +in +{ options.hardware.fancontrol = { enable = mkEnableOption "software fan control (requires fancontrol.config)"; config = mkOption { - default = null; - type = types.nullOr types.lines; - description = "Fancontrol configuration file content. See <citerefentry><refentrytitle>pwmconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry> from the lm_sensors package."; + type = types.lines; + description = "Required fancontrol configuration file content. See <citerefentry><refentrytitle>pwmconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry> from the lm_sensors package."; example = '' # Configuration file generated by pwmconfig INTERVAL=10 DEVPATH=hwmon3=devices/virtual/thermal/thermal_zone2 hwmon4=devices/platform/f71882fg.656 DEVNAME=hwmon3=soc_dts1 hwmon4=f71869a FCTEMPS=hwmon4/device/pwm1=hwmon3/temp1_input - FCFANS= hwmon4/device/pwm1=hwmon4/device/fan1_input + FCFANS=hwmon4/device/pwm1=hwmon4/device/fan1_input MINTEMP=hwmon4/device/pwm1=35 MAXTEMP=hwmon4/device/pwm1=65 MINSTART=hwmon4/device/pwm1=150 @@ -30,16 +30,30 @@ in{ }; config = mkIf cfg.enable { + + users = { + groups.lm_sensors = {}; + + users.fancontrol = { + isSystemUser = true; + group = "lm_sensors"; + description = "fan speed controller"; + }; + }; + systemd.services.fancontrol = { - unitConfig.Documentation = "man:fancontrol(8)"; + documentation = [ "man:fancontrol(8)" ]; description = "software fan control"; wantedBy = [ "multi-user.target" ]; after = [ "lm_sensors.service" ]; serviceConfig = { - Type = "simple"; ExecStart = "${pkgs.lm_sensors}/sbin/fancontrol ${configFile}"; + Group = "lm_sensors"; + User = "fancontrol"; }; }; }; + + meta.maintainers = [ maintainers.evils ]; } diff --git a/nixos/modules/services/misc/disnix.nix b/nixos/modules/services/misc/disnix.nix index 41483d80a2ddb..24a259bb4d2bd 100644 --- a/nixos/modules/services/misc/disnix.nix +++ b/nixos/modules/services/misc/disnix.nix @@ -37,7 +37,7 @@ in enableProfilePath = mkEnableOption "exposing the Disnix profiles in the system's PATH"; profiles = mkOption { - type = types.listOf types.string; + type = types.listOf types.str; default = [ "default" ]; example = [ "default" ]; description = "Names of the Disnix profiles to expose in the system's PATH"; @@ -53,6 +53,7 @@ in environment.systemPackages = [ pkgs.disnix ] ++ optional cfg.useWebServiceInterface pkgs.DisnixWebService; environment.variables.PATH = lib.optionals cfg.enableProfilePath (map (profileName: "/nix/var/nix/profiles/disnix/${profileName}/bin" ) cfg.profiles); + environment.variables.DISNIX_REMOTE_CLIENT = lib.optionalString (cfg.enableMultiUser) "disnix-client"; services.dbus.enable = true; services.dbus.packages = [ pkgs.disnix ]; diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix index 1985f13088119..1e33381de24c5 100644 --- a/nixos/modules/services/misc/home-assistant.nix +++ b/nixos/modules/services/misc/home-assistant.nix @@ -298,7 +298,7 @@ in { ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; - ProcSubset = "pid"; + ProcSubset = "all"; ProtectSystem = "strict"; RemoveIPC = true; ReadWritePaths = let @@ -308,9 +308,10 @@ in { allowPaths = if isList value then value else singleton value; in [ "${cfg.configDir}" ] ++ allowPaths; RestrictAddressFamilies = [ - "AF_UNIX" "AF_INET" "AF_INET6" + "AF_NETLINK" + "AF_UNIX" ] ++ optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [ "AF_BLUETOOTH" ]; diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix index 007024c04ce5a..c2ee1c0df7f1d 100644 --- a/nixos/modules/services/monitoring/netdata.nix +++ b/nixos/modules/services/monitoring/netdata.nix @@ -149,8 +149,9 @@ in { description = "Real time performance monitoring"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - path = (with pkgs; [ curl gawk which ]) ++ lib.optional cfg.python.enable - (pkgs.python3.withPackages cfg.python.extraPackages); + path = (with pkgs; [ curl gawk iproute2 which ]) + ++ lib.optional cfg.python.enable (pkgs.python3.withPackages cfg.python.extraPackages) + ++ lib.optional config.virtualisation.libvirtd.enable (config.virtualisation.libvirtd.package); environment = { PYTHONPATH = "${cfg.package}/libexec/netdata/python.d/python_modules"; } // lib.optionalAttrs (!cfg.enableAnalyticsReporting) { @@ -182,6 +183,9 @@ in { ConfigurationDirectory = "netdata"; ConfigurationDirectoryMode = "0755"; # Capabilities + AmbientCapabilities = [ + "CAP_SETUID" # is required for cgroups and cgroups-network plugins + ]; CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" # is required for freeipmi and slabinfo plugins "CAP_DAC_READ_SEARCH" # is required for apps plugin @@ -191,6 +195,8 @@ in { "CAP_SYS_PTRACE" # is required for apps plugin "CAP_SYS_RESOURCE" # is required for ebpf plugin "CAP_NET_RAW" # is required for fping app + "CAP_SYS_CHROOT" # is required for cgroups plugin + "CAP_SETUID" # is required for cgroups and cgroups-network plugins ]; # Sandboxing ProtectSystem = "full"; diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index bd74e1a9cdb54..1d483627e9e2d 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -112,7 +112,7 @@ let http://tools.ietf.org/html/rfc4366#section-3.1 ''; }; - name = mkOpt types.string '' + name = mkOpt types.str '' Name of the remote read config, which if specified must be unique among remote read configs. The name will be used in metrics and logging in place of a generated value to help users distinguish between remote read configs. @@ -174,7 +174,7 @@ let write_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' List of remote write relabel configurations. ''; - name = mkOpt types.string '' + name = mkOpt types.str '' Name of the remote write config, which if specified must be unique among remote write configs. The name will be used in metrics and logging in place of a generated value to help users distinguish between remote write configs. diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index 61482596763a6..8a0685c3d96b2 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -3,6 +3,10 @@ with lib; let + package = if cfg.allowAuxiliaryImperativeNetworks + then pkgs.wpa_supplicant_ro_ssids + else pkgs.wpa_supplicant; + cfg = config.networking.wireless; configFile = if cfg.networks != {} || cfg.extraConfig != "" || cfg.userControlled.enable then pkgs.writeText "wpa_supplicant.conf" '' ${optionalString cfg.userControlled.enable '' @@ -47,6 +51,16 @@ in { description = "Force a specific wpa_supplicant driver."; }; + allowAuxiliaryImperativeNetworks = mkEnableOption "support for imperative & declarative networks" // { + description = '' + Whether to allow configuring networks "imperatively" (e.g. via + <package>wpa_supplicant_gui</package>) and declaratively via + <xref linkend="opt-networking.wireless.networks" />. + + Please note that this adds a custom patch to <package>wpa_supplicant</package>. + ''; + }; + networks = mkOption { type = types.attrsOf (types.submodule { options = { @@ -211,9 +225,9 @@ in { message = ''options networking.wireless."${name}".{psk,pskRaw,auth} are mutually exclusive''; }); - environment.systemPackages = [ pkgs.wpa_supplicant ]; + environment.systemPackages = [ package ]; - services.dbus.packages = [ pkgs.wpa_supplicant ]; + services.dbus.packages = [ package ]; services.udev.packages = [ pkgs.crda ]; # FIXME: start a separate wpa_supplicant instance per interface. @@ -230,13 +244,17 @@ in { wantedBy = [ "multi-user.target" ]; stopIfChanged = false; - path = [ pkgs.wpa_supplicant ]; + path = [ package ]; - script = '' + script = let + configStr = if cfg.allowAuxiliaryImperativeNetworks + then "-c /etc/wpa_supplicant.conf -I ${configFile}" + else "-c ${configFile}"; + in '' if [ -f /etc/wpa_supplicant.conf -a "/etc/wpa_supplicant.conf" != "${configFile}" ] then echo >&2 "<3>/etc/wpa_supplicant.conf present but ignored. Generated ${configFile} is used instead." fi - iface_args="-s -u -D${cfg.driver} -c ${configFile}" + iface_args="-s -u -D${cfg.driver} ${configStr}" ${if ifaces == [] then '' for i in $(cd /sys/class/net && echo *); do DEVTYPE= diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index 7bec073e26f71..1dec111b82989 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -402,6 +402,7 @@ in mr ${getLib pkgs.util-linuxMinimal.out}/lib/libuuid.so*, mr ${getLib pkgs.xz}/lib/liblzma*.so*, mr ${getLib pkgs.zlib}/lib/libz*.so*, + mr ${getLib pkgs.brotli}/lib/libbrotli*.so*, r @{PROC}/sys/kernel/random/uuid, r @{PROC}/sys/vm/overcommit_memory, diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix index 99e6edfba26e2..81203c7622af5 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix @@ -273,6 +273,7 @@ in services.accounts-daemon.enable = true; services.dleyna-renderer.enable = mkDefault true; services.dleyna-server.enable = mkDefault true; + services.power-profiles-daemon.enable = mkDefault true; services.gnome3.at-spi2-core.enable = true; services.gnome3.evolution-data-server.enable = true; services.gnome3.gnome-keyring.enable = true; @@ -365,10 +366,10 @@ in gnome-bluetooth gnome-color-manager gnome-control-center - gnome-getting-started-docs gnome-shell gnome-shell-extensions gnome-themes-extra + pkgs.gnome-tour # GNOME Shell detects the .desktop file on first log-in. pkgs.nixos-artwork.wallpapers.simple-dark-gray pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom pkgs.gnome-user-docs diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix index f79eb64b5a6a2..a214e91cfd358 100644 --- a/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixos/modules/services/x11/display-managers/gdm.nix @@ -218,14 +218,14 @@ in # We duplicate upstream's udev rules manually to make wayland with nvidia configurable services.udev.extraRules = '' # disable Wayland on Cirrus chipsets - ATTR{vendor}=="0x1013", ATTR{device}=="0x00b8", ATTR{subsystem_vendor}=="0x1af4", ATTR{subsystem_device}=="0x1100", RUN+="${gdm}/libexec/gdm-disable-wayland" + ATTR{vendor}=="0x1013", ATTR{device}=="0x00b8", ATTR{subsystem_vendor}=="0x1af4", ATTR{subsystem_device}=="0x1100", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" # disable Wayland on Hi1710 chipsets - ATTR{vendor}=="0x19e5", ATTR{device}=="0x1711", RUN+="${gdm}/libexec/gdm-disable-wayland" + ATTR{vendor}=="0x19e5", ATTR{device}=="0x1711", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" ${optionalString (!cfg.gdm.nvidiaWayland) '' - DRIVER=="nvidia", RUN+="${gdm}/libexec/gdm-disable-wayland" + DRIVER=="nvidia", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" ''} # disable Wayland when modesetting is disabled - IMPORT{cmdline}="nomodeset", RUN+="${gdm}/libexec/gdm-disable-wayland" + IMPORT{cmdline}="nomodeset", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false" ''; systemd.user.services.dbus.wantedBy = [ "default.target" ]; diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix index 9dbca4e33f383..6751ca3f2ee72 100644 --- a/nixos/modules/system/activation/top-level.nix +++ b/nixos/modules/system/activation/top-level.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, modules, baseModules, ... }: +{ config, lib, pkgs, modules, baseModules, specialArgs, ... }: with lib; @@ -13,7 +13,7 @@ let # !!! fix this children = mapAttrs (childName: childConfig: (import ../../../lib/eval-config.nix { - inherit baseModules; + inherit baseModules specialArgs; system = config.nixpkgs.initialSystem; modules = (optionals childConfig.inheritParentConfig modules) diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index f501f85b2a92c..3d1628d0783d2 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -144,33 +144,20 @@ let }; tempAddress = mkOption { - type = types.enum [ "default" "enabled" "disabled" ]; - default = if cfg.enableIPv6 then "default" else "disabled"; - defaultText = literalExample ''if cfg.enableIPv6 then "default" else "disabled"''; + type = types.enum (lib.attrNames tempaddrValues); + default = cfg.tempAddresses; + defaultText = literalExample ''config.networking.tempAddresses''; description = '' When IPv6 is enabled with SLAAC, this option controls the use of - temporary address (aka privacy extensions). This is used to reduce tracking. - The three possible values are: - - <itemizedlist> - <listitem> - <para> - <literal>"default"</literal> to generate temporary addresses and use - them by default; - </para> - </listitem> - <listitem> - <para> - <literal>"enabled"</literal> to generate temporary addresses but keep - using the standard EUI-64 ones by default; - </para> - </listitem> - <listitem> - <para> - <literal>"disabled"</literal> to completely disable temporary addresses. - </para> - </listitem> - </itemizedlist> + temporary address (aka privacy extensions) on this + interface. This is used to reduce tracking. + + See also the global option + <xref linkend="opt-networking.tempAddresses"/>, which + applies to all interfaces where this is not set. + + Possible values are: + ${tempaddrDoc} ''; }; @@ -366,6 +353,32 @@ let isHexString = s: all (c: elem c hexChars) (stringToCharacters (toLower s)); + tempaddrValues = { + disabled = { + sysctl = "0"; + description = "completely disable IPv6 temporary addresses"; + }; + enabled = { + sysctl = "1"; + description = "generate IPv6 temporary addresses but still use EUI-64 addresses as source addresses"; + }; + default = { + sysctl = "2"; + description = "generate IPv6 temporary addresses and use these as source addresses in routing"; + }; + }; + tempaddrDoc = '' + <itemizedlist> + ${concatStringsSep "\n" (mapAttrsToList (name: { description, ... }: '' + <listitem> + <para> + <literal>"${name}"</literal> to ${description}; + </para> + </listitem> + '') tempaddrValues)} + </itemizedlist> + ''; + in { @@ -1039,6 +1052,21 @@ in ''; }; + networking.tempAddresses = mkOption { + default = if cfg.enableIPv6 then "default" else "disabled"; + type = types.enum (lib.attrNames tempaddrValues); + description = '' + Whether to enable IPv6 Privacy Extensions for interfaces not + configured explicitly in + <xref linkend="opt-networking.interfaces._name_.tempAddress" />. + + This sets the ipv6.conf.*.use_tempaddr sysctl for all + interfaces. Possible values are: + + ${tempaddrDoc} + ''; + }; + }; @@ -1098,7 +1126,7 @@ in // listToAttrs (forEach interfaces (i: let opt = i.tempAddress; - val = { disabled = 0; enabled = 1; default = 2; }.${opt}; + val = tempaddrValues.${opt}.sysctl; in nameValuePair "net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr" val)); # Capabilities won't work unless we have at-least a 4.3 Linux @@ -1188,9 +1216,11 @@ in (pkgs.writeTextFile rec { name = "ipv6-privacy-extensions.rules"; destination = "/etc/udev/rules.d/98-${name}"; - text = '' + text = let + sysctl-value = tempaddrValues.${cfg.tempAddresses}.sysctl; + in '' # enable and prefer IPv6 privacy addresses by default - ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.bash}/bin/sh -c 'echo 2 > /proc/sys/net/ipv6/conf/%k/use_tempaddr'" + ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.bash}/bin/sh -c 'echo ${sysctl-value} > /proc/sys/net/ipv6/conf/%k/use_tempaddr'" ''; }) (pkgs.writeTextFile rec { @@ -1199,15 +1229,13 @@ in text = concatMapStrings (i: let opt = i.tempAddress; - val = if opt == "disabled" then 0 else 1; - msg = if opt == "disabled" - then "completely disable IPv6 privacy addresses" - else "enable IPv6 privacy addresses but prefer EUI-64 addresses"; + val = tempaddrValues.${opt}.sysctl; + msg = tempaddrValues.${opt}.description; in '' # override to ${msg} for ${i.name} - ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr=${toString val}" - '') (filter (i: i.tempAddress != "default") interfaces); + ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr=${val}" + '') (filter (i: i.tempAddress != cfg.tempAddresses) interfaces); }) ] ++ lib.optional (cfg.wlanInterfaces != {}) (pkgs.writeTextFile { diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index e39c525a604af..c34bf3623b616 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -387,6 +387,7 @@ in sssd-ldap = handleTestOn ["x86_64-linux"] ./sssd-ldap.nix {}; strongswan-swanctl = handleTest ./strongswan-swanctl.nix {}; sudo = handleTest ./sudo.nix {}; + sway = handleTest ./sway.nix {}; switchTest = handleTest ./switch-test.nix {}; sympa = handleTest ./sympa.nix {}; syncthing = handleTest ./syncthing.nix {}; diff --git a/nixos/tests/couchdb.nix b/nixos/tests/couchdb.nix index d038ee7d890dc..049532481b15f 100644 --- a/nixos/tests/couchdb.nix +++ b/nixos/tests/couchdb.nix @@ -24,8 +24,6 @@ with lib; }; nodes = { - couchdb1 = makeNode pkgs.couchdb testuser testpass; - couchdb2 = makeNode pkgs.couchdb2 testuser testpass; couchdb3 = makeNode pkgs.couchdb3 testuser testpass; }; @@ -41,42 +39,6 @@ with lib; in '' start_all() - couchdb1.wait_for_unit("couchdb.service") - couchdb1.wait_until_succeeds( - "${curlJqCheck "" "GET" "" ".couchdb" "Welcome"}" - ) - couchdb1.wait_until_succeeds( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "2"}" - ) - couchdb1.succeed("${curlJqCheck testlogin "PUT" "foo" ".ok" "true"}") - couchdb1.succeed( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "3"}" - ) - couchdb1.succeed( - "${curlJqCheck testlogin "DELETE" "foo" ".ok" "true"}" - ) - couchdb1.succeed( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "2"}" - ) - - couchdb2.wait_for_unit("couchdb.service") - couchdb2.wait_until_succeeds( - "${curlJqCheck "" "GET" "" ".couchdb" "Welcome"}" - ) - couchdb2.wait_until_succeeds( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "0"}" - ) - couchdb2.succeed("${curlJqCheck testlogin "PUT" "foo" ".ok" "true"}") - couchdb2.succeed( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "1"}" - ) - couchdb2.succeed( - "${curlJqCheck testlogin "DELETE" "foo" ".ok" "true"}" - ) - couchdb2.succeed( - "${curlJqCheck "" "GET" "_all_dbs" ". | length" "0"}" - ) - couchdb3.wait_for_unit("couchdb.service") couchdb3.wait_until_succeeds( "${curlJqCheck testlogin "GET" "" ".couchdb" "Welcome"}" diff --git a/nixos/tests/fancontrol.nix b/nixos/tests/fancontrol.nix index 356cd57ffa1a3..296c680264150 100644 --- a/nixos/tests/fancontrol.nix +++ b/nixos/tests/fancontrol.nix @@ -1,28 +1,34 @@ import ./make-test-python.nix ({ pkgs, ... } : { name = "fancontrol"; + meta = with pkgs.lib.maintainers; { + maintainers = [ evils ]; + }; - machine = - { ... }: - { hardware.fancontrol.enable = true; - hardware.fancontrol.config = '' - INTERVAL=42 - DEVPATH=hwmon1=devices/platform/dummy - DEVNAME=hwmon1=dummy - FCTEMPS=hwmon1/device/pwm1=hwmon1/device/temp1_input - FCFANS=hwmon1/device/pwm1=hwmon1/device/fan1_input - MINTEMP=hwmon1/device/pwm1=25 - MAXTEMP=hwmon1/device/pwm1=65 - MINSTART=hwmon1/device/pwm1=150 - MINSTOP=hwmon1/device/pwm1=0 - ''; + machine = { ... }: { + imports = [ ../modules/profiles/minimal.nix ]; + hardware.fancontrol.enable = true; + hardware.fancontrol.config = '' + INTERVAL=42 + DEVPATH=hwmon1=devices/platform/dummy + DEVNAME=hwmon1=dummy + FCTEMPS=hwmon1/device/pwm1=hwmon1/device/temp1_input + FCFANS=hwmon1/device/pwm1=hwmon1/device/fan1_input + MINTEMP=hwmon1/device/pwm1=25 + MAXTEMP=hwmon1/device/pwm1=65 + MINSTART=hwmon1/device/pwm1=150 + MINSTOP=hwmon1/device/pwm1=0 + ''; }; # This configuration cannot be valid for the test VM, so it's expected to get an 'outdated' error. testScript = '' start_all() - machine.wait_for_unit("fancontrol.service") - machine.wait_until_succeeds( - "journalctl -eu fancontrol | grep 'Configuration appears to be outdated'" + # can't wait for unit fancontrol.service because it doesn't become active due to invalid config + # fancontrol.service is WantedBy multi-user.target + machine.wait_for_unit("multi-user.target") + machine.succeed( + "journalctl -eu fancontrol | tee /dev/stderr | grep 'Configuration appears to be outdated'" ) + machine.shutdown() ''; }) diff --git a/nixos/tests/installed-tests/default.nix b/nixos/tests/installed-tests/default.nix index e5d7009bb7b9a..6c2846a1636bd 100644 --- a/nixos/tests/installed-tests/default.nix +++ b/nixos/tests/installed-tests/default.nix @@ -97,6 +97,7 @@ in gsconnect = callInstalledTest ./gsconnect.nix {}; ibus = callInstalledTest ./ibus.nix {}; libgdata = callInstalledTest ./libgdata.nix {}; + librsvg = callInstalledTest ./librsvg.nix {}; glib-testing = callInstalledTest ./glib-testing.nix {}; libjcat = callInstalledTest ./libjcat.nix {}; libxmlb = callInstalledTest ./libxmlb.nix {}; diff --git a/nixos/tests/installed-tests/librsvg.nix b/nixos/tests/installed-tests/librsvg.nix new file mode 100644 index 0000000000000..378e7cce3ff4c --- /dev/null +++ b/nixos/tests/installed-tests/librsvg.nix @@ -0,0 +1,9 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.librsvg; + + testConfig = { + virtualisation.memorySize = 2047; + }; +} diff --git a/nixos/tests/ipv6.nix b/nixos/tests/ipv6.nix index f9d6d82b54acf..75faa6f602010 100644 --- a/nixos/tests/ipv6.nix +++ b/nixos/tests/ipv6.nix @@ -8,12 +8,34 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { }; nodes = - # Remove the interface configuration provided by makeTest so that the - # interfaces are all configured implicitly - { client = { ... }: { networking.interfaces = lib.mkForce {}; }; + { + # We use lib.mkForce here to remove the interface configuration + # provided by makeTest, so that the interfaces are all configured + # implicitly. + + # This client should use privacy extensions fully, having a + # completely-default network configuration. + client_defaults.networking.interfaces = lib.mkForce {}; + + # Both of these clients should obtain temporary addresses, but + # not use them as the default source IP. We thus run the same + # checks against them — but the configuration resulting in this + # behaviour is different. + + # Here, by using an altered default value for the global setting... + client_global_setting = { + networking.interfaces = lib.mkForce {}; + networking.tempAddresses = "enabled"; + }; + # and here, by setting this on the interface explicitly. + client_interface_setting = { + networking.tempAddresses = "disabled"; + networking.interfaces = lib.mkForce { + eth1.tempAddress = "enabled"; + }; + }; server = - { ... }: { services.httpd.enable = true; services.httpd.adminAddr = "foo@example.org"; networking.firewall.allowedTCPPorts = [ 80 ]; @@ -40,9 +62,12 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { # Start the router first so that it respond to router solicitations. router.wait_for_unit("radvd") + clients = [client_defaults, client_global_setting, client_interface_setting] + start_all() - client.wait_for_unit("network.target") + for client in clients: + client.wait_for_unit("network.target") server.wait_for_unit("network.target") server.wait_for_unit("httpd.service") @@ -64,28 +89,42 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { with subtest("Loopback address can be pinged"): - client.succeed("ping -c 1 ::1 >&2") - client.fail("ping -c 1 ::2 >&2") + client_defaults.succeed("ping -c 1 ::1 >&2") + client_defaults.fail("ping -c 1 2001:db8:: >&2") with subtest("Local link addresses can be obtained and pinged"): - client_ip = wait_for_address(client, "eth1", "link") - server_ip = wait_for_address(server, "eth1", "link") - client.succeed(f"ping -c 1 {client_ip}%eth1 >&2") - client.succeed(f"ping -c 1 {server_ip}%eth1 >&2") + for client in clients: + client_ip = wait_for_address(client, "eth1", "link") + server_ip = wait_for_address(server, "eth1", "link") + client.succeed(f"ping -c 1 {client_ip}%eth1 >&2") + client.succeed(f"ping -c 1 {server_ip}%eth1 >&2") with subtest("Global addresses can be obtained, pinged, and reached via http"): - client_ip = wait_for_address(client, "eth1", "global") - server_ip = wait_for_address(server, "eth1", "global") - client.succeed(f"ping -c 1 {client_ip} >&2") - client.succeed(f"ping -c 1 {server_ip} >&2") - client.succeed(f"curl --fail -g http://[{server_ip}]") - client.fail(f"curl --fail -g http://[{client_ip}]") - - with subtest("Privacy extensions: Global temporary address can be obtained and pinged"): - ip = wait_for_address(client, "eth1", "global", temporary=True) + for client in clients: + client_ip = wait_for_address(client, "eth1", "global") + server_ip = wait_for_address(server, "eth1", "global") + client.succeed(f"ping -c 1 {client_ip} >&2") + client.succeed(f"ping -c 1 {server_ip} >&2") + client.succeed(f"curl --fail -g http://[{server_ip}]") + client.fail(f"curl --fail -g http://[{client_ip}]") + + with subtest( + "Privacy extensions: Global temporary address is used as default source address" + ): + ip = wait_for_address(client_defaults, "eth1", "global", temporary=True) # Default route should have "src <temporary address>" in it - client.succeed(f"ip r g ::2 | grep {ip}") - - # TODO: test reachability of a machine on another network. + client_defaults.succeed(f"ip route get 2001:db8:: | grep 'src {ip}'") + + for client, setting_desc in ( + (client_global_setting, "global"), + (client_interface_setting, "interface"), + ): + with subtest(f'Privacy extensions: "enabled" through {setting_desc} setting)'): + # We should be obtaining both a temporary address and an EUI-64 address... + ip = wait_for_address(client, "eth1", "global") + assert "ff:fe" in ip + ip_temp = wait_for_address(client, "eth1", "global", temporary=True) + # But using the EUI-64 one. + client.succeed(f"ip route get 2001:db8:: | grep 'src {ip}'") ''; }) diff --git a/nixos/tests/sway.nix b/nixos/tests/sway.nix new file mode 100644 index 0000000000000..fad7f7dc4e68f --- /dev/null +++ b/nixos/tests/sway.nix @@ -0,0 +1,92 @@ +import ./make-test-python.nix ({ pkgs, lib, ...} : + +{ + name = "sway"; + meta = { + maintainers = with lib.maintainers; [ primeos synthetica ]; + }; + + machine = { config, ... }: { + # Automatically login on tty1 as a normal user: + imports = [ ./common/user-account.nix ]; + services.getty.autologinUser = "alice"; + + environment = { + # For glinfo and wayland-info: + systemPackages = with pkgs; [ mesa-demos wayland-utils ]; + # Use a fixed SWAYSOCK path (for swaymsg): + variables."SWAYSOCK" = "/tmp/sway-ipc.sock"; + # For convenience: + shellAliases = { + test-x11 = "glinfo | head -n 3 | tee /tmp/test-x11.out && touch /tmp/test-x11-exit-ok"; + test-wayland = "wayland-info | tee /tmp/test-wayland.out && touch /tmp/test-wayland-exit-ok"; + }; + }; + + # Automatically configure and start Sway when logging in on tty1: + programs.bash.loginShellInit = '' + if [ "$(tty)" = "/dev/tty1" ]; then + set -e + + mkdir -p ~/.config/sway + sed s/Mod4/Mod1/ /etc/sway/config > ~/.config/sway/config + + sway --validate + sway && touch /tmp/sway-exit-ok + fi + ''; + + programs.sway.enable = true; + + virtualisation.memorySize = 1024; + # Need to switch to a different VGA card / GPU driver than the default one (std) so that Sway can launch: + virtualisation.qemu.options = [ "-vga virtio" ]; + }; + + enableOCR = true; + + testScript = { nodes, ... }: '' + start_all() + machine.wait_for_unit("multi-user.target") + + # To check the version: + print(machine.succeed("sway --version")) + + # Wait for Sway to complete startup: + machine.wait_for_file("/run/user/1000/wayland-1") + machine.wait_for_file("/tmp/sway-ipc.sock") + + # Test XWayland: + machine.succeed( + "su - alice -c 'swaymsg exec WINIT_UNIX_BACKEND=x11 WAYLAND_DISPLAY=invalid alacritty'" + ) + machine.wait_for_text("alice@machine") + machine.send_chars("test-x11\n") + machine.wait_for_file("/tmp/test-x11-exit-ok") + print(machine.succeed("cat /tmp/test-x11.out")) + machine.screenshot("alacritty_glinfo") + machine.succeed("pkill alacritty") + + # Start a terminal (Alacritty) on workspace 3: + machine.send_key("alt-3") + machine.succeed( + "su - alice -c 'swaymsg exec WINIT_UNIX_BACKEND=wayland DISPLAY=invalid alacritty'" + ) + machine.wait_for_text("alice@machine") + machine.send_chars("test-wayland\n") + machine.wait_for_file("/tmp/test-wayland-exit-ok") + print(machine.succeed("cat /tmp/test-wayland.out")) + machine.screenshot("alacritty_wayland_info") + machine.send_key("alt-shift-q") + machine.wait_until_fails("pgrep alacritty") + + # Test swaynag: + machine.send_key("alt-shift-e") + machine.wait_for_text("You pressed the exit shortcut.") + machine.screenshot("sway_exit") + + # Exit Sway and verify process exit status 0: + machine.succeed("su - alice -c 'swaymsg exit || true'") + machine.wait_for_file("/tmp/sway-exit-ok") + ''; +}) diff --git a/nixos/tests/wmderland.nix b/nixos/tests/wmderland.nix index d121ed98b7ac7..6de0cd9212eea 100644 --- a/nixos/tests/wmderland.nix +++ b/nixos/tests/wmderland.nix @@ -1,6 +1,6 @@ import ./make-test-python.nix ({ pkgs, ...} : { name = "wmderland"; - meta = with pkgs.stdenv.lib.maintainers; { + meta = with pkgs.lib.maintainers; { maintainers = [ takagiy ]; }; |